A tale of ‘Site-wide Account Takeover’ - Breaking Enterprise Application (SAP)
Before we start with the technical part of the vulnerability i.e. covered below, I want to brief you about the application which was the target. It is called a ‘Unified Access’ portal for employees that provides access to IT-based applications through a single platform. The ESS application is sold by IBM and could also be integrated with SAP running Lotus Domino server.
During an ongoing Red team engagement, I came across this web application and wanted to explore the post-authentication functionalities of the application, hence I started collecting all relevant information that could lead to post-authentication functionalities.
Having no idea about the login details format which is to be passed in the login fields, I randomly created a list of all default usernames and passwords but failed to reuse the same.
We later started collecting a list of all email addresses and clear text passwords from the available data breaches and performed brute-force over the same.
Luckily one combination of email address and password worked. We later started to explore all post authentication modules, as it was a single-sign-on application we had a lot of modules to study. While exploring the application I came across multiple common web application vulnerabilities, out of which two of them proved helpful to chain the attack:
-
Post-authentication: Discovered an endpoint that provided Emails, Employee ID, Employee details, etc. Created a crawler and collected the same.
-
Pre-authentication: Discovered an endpoint to reset the password of an employee, where a valid email address and employee ID are required.
Knowing the emails and employee ID, we decided to understand the flow of a password reset functionality. I entered a valid employee ID and instead of entering a valid registered corporate email address I decided to enter my email address and hit enter. BOOM !!!
The application provided me with a new password to log in. Similarly, I created a brute force list and for test purposes, I successfully reset the passwords of 500+ accounts.
I was able to log in to anyone’s account and view their payslips, task, plans, ongoing project status, and upcoming plans. The accounts included the CEO, Executive Director, Chief Risk Officer, Cheif Technical Officer, and other Directors.
This application is being used by at least 200+ companies across the world. The vulnerability is reported to the company on which I was performing the red team assessment, the company decided to take down the portal and in future, they are going to migrate the same to another application. The same has been reported to the parent company i.e. SAP and their partner IBM.