SAP Pentest Playbook

SAP Internet Graphic Server (IGS)

Description

To quote SAP: “The Internet Graphics Service (IGS) constitutes the infrastructure to enable the application developers to display graphics in an Internet browser with a minimum of effort. The IGS has been integrated in the different SAP UI technologies from HTML GUI to Web Dynpro ABAP/Java and provides a server architecture where data from an SAP system or another source can be used to generate graphical or non-graphical output.” When certain patches are missing, the IGS can be vulnerable to various attacks leading, for example, to arbitrary remote file manipulation or denial of service.

The SAP Internet Graphics Server (IGS) provides services to generate web graphics. It can run standalone or integrated in an SAP system. In recent years, various vulnerabilities have been identified which can cause critical damage to the SAP system or lead to a full system compromise. Besides generating web graphics, IGS can also be used to generate compressed archives and much more. At Troopers 18, a talk was given on more in-depth research into the service and the impact of the vulnerabilities. The talk can be found here.

As of IGS 6.40 Patch 16 and IGS 7.00 Patch 4, SAP disables the HTTP-based administration commands by default. They can be re-enabled with the profile parameter igs/listener/http = 4$(SAPSYSTEM)80,administration. The HTTP-based administration commands are not protected by any authentication mechanism, so due to a misconfiguration or manipulation of the system they may still be enabled on a patched instance; checking the profile for this parameter is the quickest way to find out.

Commonly used network ports (XX is the instance number, $(SAPSYSTEM) in profile parameters):

  • 4XX00 (Internet Graphics Server Multiplexer)
  • 4XX01 - 4XX79 (Internet Graphics Server Portwatcher)
  • 4XX80 - 4XX99 (Internet Graphics Server HTTP service)
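The following Python script is an added example for auditing the misconfiguration described above; it is not part of the playbook and not SAP's own tooling. It assumes the usual SAP profile layout of one "name = value" parameter per line with "#" comments and $(NAME) references to other parameters (SAPSYSTEM being the two-digit instance number), parses a constructed profile fragment, expands the igs/listener/http value, classifies the resulting port against the 4XX00 / 4XX01-79 / 4XX80-99 layout listed above, and flags whether the unauthenticated administration commands are switched on.

```python
import re

# Constructed sample profile fragment (not taken from a real system). The
# igs/listener/http line is the misconfiguration a defender wants to catch.
SAMPLE_PROFILE = """\
SAPSYSTEMNAME = ABC
SAPSYSTEM = 00
# IGS listeners
igs/listener/rfc = 4$(SAPSYSTEM)00
igs/listener/http = 4$(SAPSYSTEM)80,administration
"""

# Assumption: profile lines are 'name = value'; lines starting with '#' are comments.
PARAM_RE = re.compile(r"^\s*([^#=\s][^=]*?)\s*=\s*(.*?)\s*$")


def parse_profile(text):
    """Return a dict of profile parameters, ignoring blank and comment lines."""
    params = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = PARAM_RE.match(line)
        if match:
            params[match.group(1)] = match.group(2)
    return params


def expand(value, params):
    """Expand $(NAME) references from other parameters; unknown names are left as-is."""
    return re.sub(r"\$\(([A-Za-z0-9_]+)\)",
                  lambda m: params.get(m.group(1), m.group(0)), value)


def classify_igs_port(port):
    """Map a 4XXnn port to the IGS component from the port list (None if outside 4XX00-4XX99)."""
    if not 40000 <= port <= 49999:
        return None
    offset = port % 100
    if offset == 0:
        return "multiplexer"
    if 1 <= offset <= 79:
        return "portwatcher"
    return "http"


def audit_igs_listener(profile_text):
    """Report the effective HTTP listener port and whether administration is enabled."""
    params = parse_profile(profile_text)
    raw = params.get("igs/listener/http")
    if raw is None:
        return {"present": False, "port": None, "component": None, "administration": False}
    # Value is '<port>[,option,...]'; 'administration' is the option that re-enables
    # the unauthenticated HTTP administration commands.
    parts = [p.strip() for p in expand(raw, params).split(",")]
    port = int(parts[0]) if parts[0].isdigit() else None
    return {
        "present": True,
        "port": port,
        "component": classify_igs_port(port) if port is not None else None,
        "administration": "administration" in parts[1:],
    }


if __name__ == "__main__":
    result = audit_igs_listener(SAMPLE_PROFILE)
    status = "ENABLED - remove ',administration'" if result["administration"] else "disabled"
    print(f"igs/listener/http port {result['port']} ({result['component']}): "
          f"HTTP administration commands {status}")
```

Run it against an instance or default profile copied from the application server; a result with administration set to True on a patched IGS means the default hardening has been undone and the parameter should be corrected. The port classifier is also handy for reading firewall rules: only the 4XX80-4XX99 range carries the HTTP service.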

Options

  • Shodan:
    • "Server: SAP Internet Graphics Server"
  • Hunter.how Query:
    • web.body="SAP IGS"&&header.server="SAP Internet Graphics Server"
  • Nmap:
    • nmap -sV -R -p4xx80-4xx99 -Pn <Target Address(es)/Domain Name>
    • nmap -sSVC -n -Pn -p<port/portrange> --datadir . <Target Address(es)/Domain Name> (NMAP ERPscan probes)
  • nuclei templates
  • Metasploit Module:
    • auxiliary/admin/sap/sap_igs_xmlchart_xxe

References