
It's the HR productive system, which is where that one is running, and it's exposed to the internet. So, think about it: potentially someone could find maybe a vulnerability in that thing that allows them to get remote code execution. Where are you? On the productive HR system. Nice. But that's just a potential use case, so we want to have something which is like, that's a problem. 93 of those routers allowed me to dump their connection table. So, what does it mean? That SAP router has a built-in functionality which allows it to monitor that application. What does it do? It just prints you that this source is connected to that destination on that port. So, I get some internal insights.
This also means I know which source is allowed to which destination. I know internal IP addresses. I know public IP addresses, maybe of who is connecting to that. Another thing is that that feature has been disabled since various updates. I think they patched it around 2014. That stuff still runs there. And if I now tell you that, for example, I found some gold mining companies in China exposing their systems through that, and you could then connect to that stuff and connect to the SAP system, if someone potentially would do that, and you maybe then find some hard-coded credentials on an internal production system. What would you do?
>> [snorts] >> If you speak Chinese, you can order some gold. So, the problem is that's like a... So, I lovingly call it the forgotten component, because the SAP router is quite often just thrown in the network, usually, hopefully... To be honest, based on my statistics, it never runs in the DMZ. Most of the time it runs on any production machine on the side, which is super scary. It should be running in a DMZ on a standalone box on the side, but I also found many of those running on, for example, Windows Server 2003 without an SP.