The Russian security expert Alexander Polyakov of ERPScan has presented a security hole in SAP’s J2EE engine, NetWeaver, which allows an attacker to create new administrator accounts remotely. Polyakov demonstrated the hole at the Black Hat security conference in Las Vegas. He first used Google to search for a particular string that typically indicates the Management Portal of an SAP system.
Then, using the URL from the search, he ran a Perl script that executed the actual attack in two stages. First, the script created a new user; then it promoted the new user to administrator. Using the freshly created user, it was then possible to log into the vulnerable system. According to Polyakov, the attack works even if the system’s two-factor authentication (password + secret key) is enabled.
The researcher will release the script three months after SAP publishes an update, giving SAP’s customers enough time to patch their systems. According to his calculations, around 50 per cent of all SAP installations are affected by the bug in the J2EE Engine; NetWeaver is the foundation upon which many of SAP’s products are built. The researcher would give no other details as long as SAP has not eliminated the vulnerability with a software update.