[WEB SECURITY] Placing shells (backdoors) at web sites

MustLive mustlive at websecurity.com.ua
Sun Feb 20 16:32:28 EST 2011


Hello Sebastian!

Thanks for mentioning about this interesting aspect of SAP (never worked
with their applications). Now I'll be knowing that SAP's ABAP applications
also can be attacked via such vector.

But in my article I told about web applications. How much SAP is used in
Internet (or in Ethernet) web applications and does it have relations to web
application at all? Not too much.

In this case I told about vulnerable web application (widespread in Uanet in
particular) which stores data (which also can be program code due to logic
of the application) in MySQL. And other web applications can be vulnerable
(with similar logic).

The attack is possible due to combining of data and code into one source.
And MySQL is just an example for this case and any DBMS can be used for such
attack vector (in case of other web apps which work with other DBMS).

> Yep. And then open up the ABAP functions

Sebastian and Mike, SAP application security is another field, so earlier,
before I found this hole last year, there was no (known) such attack vector
for web applications. And from time when I found this RCE hole in CMS
WebManager-Pro, the landscape of attack vectors for web applications have
increased and from that time there is one more variant of placing shells
(backdoors) at web sites.

Which must be interesting for webappsec community. Especially for those who 
haven't worked with SAP ;-).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message ----- 
From: "Sebastian Schinzel" <ssc at seecurity.org>
To: "MustLive" <mustlive at websecurity.com.ua>
Cc: <websecurity at lists.webappsec.org>
Sent: Friday, February 11, 2011 11:11 AM
Subject: Re: [WEB SECURITY] Placing shells (backdoors) at web sites


Dear Mustlive,

On Feb 10, 2011, at 8:39 PM, MustLive wrote:
> There are few variants of placing shells (as any other backdoors) at web
> sites. First two variants are known and third variant - it's new one,
> which
> I created last year, when found RCE vulnerability in CMS WebManager-Pro
> (http://websecurity.com.ua/4696/). Similar vulnerabilities also can be in
> other web applications.

The third one is long known to anyone with knowledge in SAP application
security. Applications written in ABAP, SAP's proprietary programming
language,
are stored in the Database. If an attacker gets access to the database of a
SAP
system (ABAP), he can change the code.

Cheers,
Sebastian






More information about the websecurity mailing list