The increasing number of SAP Security Notes and talks on SAP security shows that it has become a hot topic. However, attacks on SAP systems are still believed to be possible only for insiders. The reality is not so good: there are about 5000 systems, including dispatchers, message servers, SapHostcontrols and Web services, exposed on the Internet.
Top 10 vulnerabilities 2011-2012 are:
1. Authentication Bypass via Verb tampering
2. Authentication Bypass via the Invoker servlet
3. Buffer overflow in ABAP Kernel
4. Code execution via TH_GREP
5. MMC read SESSIONID
6. Remote portscan
7. Encryption in SAPGUI
8. BAPI XSS/SMBRELAY
9. XML Blowup DOS
10. GUI Scripting DOS
The presentation provides a detailed description of these attacks, their potential business risks and the way to prevent them.
Top 10 most interesting vulnerabilities and attacks in SAP
1. Invest in security to secure investments
Top 10 most interesting SAP vulnerabilities and attacks
Alexander Polyakov, CTO at ERPScan
2. About ERPScan
• The only 360-degree SAP Security solution - ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 awards and nominations
• Research team - 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)
4. Really
• The most popular business application
• More than 120000 customers
• 74% of Forbes 500
5. Agenda
• Intro
• SAP security history
• SAP on the Internet
• Top 10 latest interesting attacks
• DEMOs
• Conclusion
6. 3 areas of SAP Security
• 2010 - Application platform security: prevents unauthorized access by both insiders and remote attackers. Solution: Vulnerability Assessment and Monitoring
• 2008 - ABAP Code security: prevents attacks or mistakes made by developers. Solution: Code audit
• 2002 - Business logic security (SOD): prevents attacks or mistakes made. Solution: GRC
7. Talks about SAP security
[Chart: number of talks about SAP security per year, 2006-2012]
Most popular:
• BlackHat
• HITB
• Troopers
• RSA
• Source
• DeepSec
• etc.
8. SAP Security notes
[Chart: number of SAP Security Notes per year, 2001-2012]
By April 26, 2012, a total of 2026 notes
9. SAP vulnerabilities by type
[Chart: number of vulnerabilities per type; stats from 1Q 2012, 1Q 2010 and 4Q 2009]
Types:
12 - SQL Injection
11 - BOF
10 - Denial of service
9 - Remote Code Execution
8 - Verb tampering
7 - Code injection vulnerability
6 - Hard-coded credentials
5 - Unauthorized usage of application
4 - Information Disclosure
3 - Missing Auth check
2 - XSS/Unauthorised modification of stored
1 - Directory Traversal
10. SAP on the Internet
• We have collected data about SAP systems on the Web
• We have various stats by countries, applications, versions
• Information from Google, Shodan, Nmap scan
MYTH: attacks on SAP systems are available only for insiders
11. SAP on the Internet
About 5000 systems including Dispatcher, Message server, SapHostcontrol, Web services
13. Top 10 vulnerabilities 2011-2012
1. Authentication Bypass via Verb tampering
2. Authentication Bypass via the Invoker servlet
3. Buffer overflow in ABAP Kernel
4. Code execution via TH_GREP
5. MMC read SESSIONID
6. Remote portscan
7. Encryption in SAPGUI
8. BAPI XSS/SMBRELAY
9. XML Blowup DOS
10. GUI Scripting DOS
14. 10 – GUI-Scripting DOS: Description
• SAP users can run scripts which automate their user functions
• A script has the same rights in SAP as the user who launched it
• The security message which is shown to the user can be turned off in the registry
• Almost any user can use SAP Messages (SM02 transaction)
• It is possible to run a DOS attack on any user using a simple script
New
Author: Dmitry Chastukhin (ERPScan)
15. 10 – GUI-scripting: Other attacks
A script can be uploaded using:
– SAPGUI ActiveX vulnerability
– Teensy USB flash
– Any other method of client exploitation
Other attacks, like changing banking accounts in LFBK, are also possible
16. 10 – GUI-scripting: Business risks
Sabotage – High
Ease of exploitation – Medium
Espionage – No
Fraud – No
18. 9 – XML Blowup DOS: Description
• The WEBRFC interface can be used to run RFC functions
• By default any user can have access
• Even without S_RFC auth
• SAP NetWeaver is vulnerable to malformed XML packets
• It is possible to run a DOS attack on the server using a simple script
• It is possible to run it over the Internet!
New
Author: Alexey Tyurin (ERPScan)
20. 9 – XML Blowup DOS: Business risks
Ease of exploitation – Medium
Espionage – No
Fraud – No
Sabotage – Critical
21. 9 – XML Blowup DOS: Prevention
• Disable WEBRFC
• Prevent unauthorized access to WEBRFC using S_ICF
• Install SAP notes 1543318 and 1469549
22. 8 – BAPI script injection/hash stealing: Description
• The SAP BAPI transaction fails to properly sanitize input
• Possible to inject JavaScript code or a link to a fake SMB server
• SAP GUI clients use Windows, so their credentials will be transferred to the attacker's host
Author: Dmitry Chastukhin (ERPScan)
23. 8 – BAPI script injection/hash stealing: Demo
New
24. 8 – BAPI script injection/hash stealing: Business risks
Ease of exploitation – Low
Sabotage – High
Espionage – High
Fraud – High
25. 7 – SAP GUI bad encryption: Description
• SAP FrontEnd can save encrypted passwords in shortcuts
• Shortcuts are stored in a .sap file
• This password uses a byte-XOR algorithm with a "secret" key
• The key has the same value for every installation of SAP GUI
• Any password can be decrypted in 1 second
Author: Alexey Sintsov (ERPScan)
New
26. 7 – SAP GUI bad encryption: Business risks
Sabotage – Medium
Fraud – High
Espionage – High
Ease of exploitation – Medium
27. 7 – SAP GUI bad encryption: Prevention
• Disable password storage in GUI
28. 6 – Remote port scan via JSP: Description
• It is possible to scan the internal network from the Internet
• Authentication is not required
• SAP NetWeaver J2EE engine is vulnerable
• /ipcpricing/ui/BufferOverview.jsp?server=172.16.0.13&port=31337&password=&dispatcher=&targetClient=&view=
Author: Alexander Polyakov (ERPScan)
29. 6 – Remote port scan via JSP: Demo
[Screenshots: port closed, HTTP port, SAP port]
30. 6 – Remote port scan via JSP: Business risks
Espionage – Medium
Fraud – No
Ease of exploitation – High
Sabotage – Low
31. 6 – Remote port scan via JSP: Prevention
• Install SAP notes: 1548548, 1545883, 1503856, 948851
• Disable unnecessary applications
32. 5 – MMC JSESSIONID stealing: Description
• Remote management of the SAP Platform
• By default, many commands go without auth
• Exploits implemented in Metasploit (by ChrisJohnRiley)
• Most of the bugs are information disclosure
• It is possible to find information about the JSESSIONID
• Only if trace is ON
Can be authenticated as an existing user remotely
1) Original bug by ChrisJohnRiley
2) JSESSIONID by Alexey Sintsov and Alexey Tyurin (ERPScan)
New
33. 5 – MMC JSESSIONID stealing: Business risks
Espionage – Critical
Sabotage – Medium
Fraud – High
Ease of exploitation – Medium
34. 5 – MMC JSESSIONID stealing: Prevention
• The JSESSIONID by default will not be logged in the log file
• Don't use TRACE_LEVEL = 3 on production systems, or delete traces after use
• Other info: http://help.sap.com/saphelp_nwpi71/helpdata/en/d6/49543b1e49bc1fe10000000a114084/frameset.htm
35. 4 – Remote command execution in TH_GREP: Description
• RCE vulnerability in RFC module TH_GREP
• Found by Joris van de Vis
• SAP was not properly patched (1433101)
• We have discovered that the patch can be bypassed in Windows
Original bug by Joris van de Vis (erp-sec)
Bypass by Alexey Tyurin (ERPScan)
36. 4 – RCE in TH_GREP: Details
    " Windows branch: the search string is wrapped in double quotes but not escaped
    elseif opsys = 'Windows NT'.
      concatenate '/c:"' string '"' filename into grep_params in character mode.
    else.
      " Linux branch (patched): every single quote in the search string is escaped
      " before the string is wrapped in single quotes
      replace all occurrences of '''' in local_string with '''"''"'''.
      concatenate '''' local_string '''' filename into grep_params
        in character mode.
    endif.
38. 4 - RCE in TH_GREP: More details
4 ways to execute the vulnerable program:
• Using transaction "SE37"
• Using transaction "SM51" (thanks to Felix Granados)
• Using remote RFC call "TH_GREP"
• Using SOAP RFC call "TH_GREP" via web
40. 4 – RCE in TH_GREP: Business risks
Sabotage – Medium
Fraud – High
Espionage – High
Ease of exploitation – Medium
41. 4 – RCE in TH_GREP: Prevention
• Install SAP notes 1580017, 1433101
• Prevent access to critical transactions and RFC functions
• Check the ABAP code of your Z-transactions for similar vulnerabilities
42. 3 - ABAP Kernel BOF: Description
• Presented by Andreas Wiegenstein at BlackHat EU 2011
• Buffer overflow in SAP kernel function C_SAPGPARAM
• When the NAME field is more than 108 chars
• Can be exploited by calling an FM which uses C_SAPGPARAM
• Example of report – RSPO_R_SAPGPARAM
Author: (VirtualForge)
43. 3 – ABAP Kernel BOF: Business risks
Espionage – Critical
Ease of exploitation – Medium
Fraud – Critical
Sabotage – Critical
44. 3 – ABAP Kernel BOF: Prevention
• Install SAP notes:
  - 1493516 – Correcting buffer overflow in ABAP system call
  - 1487330 – Potential remote code execution in SAP Kernel
• Prevent access to critical transactions and RFC functions
• Check the ABAP code of your Z-transactions for critical calls
45. 2 – Invoker Servlet: Description
• Rapidly calls servlets by their class name
• Published by SAP in their security guides
• Possible to call any servlet from the application
• Even if it is not declared in WEB.XML
Can be used for auth bypass
47. 2 – Invoker servlet: Business risks
Ease of use – Very easy!
Espionage – High
Sabotage – High
Fraud – High
48. 2 - Invoker servlet: Prevention
• Update to the latest patch: 1467771, 1445998
• The "EnableInvokerServletGlobally" property of the servlet_jsp service must be "false"
If you can't install patches for some reason, you can check all WEB.XML files using the ERPScan web.xml scanner or manually.
50. 1st Place – Verb Tampering
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Restricted access</web-resource-name>
        <url-pattern>/admin/*</url-pattern>
        <http-method>GET</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>admin</role-name>
      </auth-constraint>
    </security-constraint>
What if we use HEAD instead of GET?
Author: Alexander Polyakov (ERPScan)
51. 1 – Verb tampering: Details
Remotely, without authentication!
• CTC – Secret interface for managing the J2EE engine
• Can be accessed remotely
• Can run user management actions:
  – Add users
  – Add to groups
  – Run OS commands
  – Start/Stop J2EE
53. 1 – Verb tampering: More details
If patched, can be bypassed by the Invoker servlet!
54. 1 – Verb tampering: Business risks
Espionage – Critical
Sabotage – Critical
Fraud – Critical
Ease of use – Very easy!
55. 1st Place – Verb tampering: Prevention
• Install SAP notes 1503579, 1616259
• Install the other SAP notes about Verb Tampering (about 18)
• Scan applications using the ERPScan WEB.XML check tool or manually
• Secure WEB.XML by deleting all <http-method> elements
• Disable the applications that are not necessary
56. Conclusion
It is possible to be protected from almost all those kinds of issues, and we are working hard with SAP to make it secure.
SAP Guides
It's all in your hands:
• Regular security assessments
• ABAP code review
• Monitoring of technical security
• Segregation of Duties
57. Future work
Many of the researched things cannot be disclosed now because of our good relationship with the SAP Security Response Team, whom I would like to thank for cooperation. However, if you want to see new demos and 0-days, follow us at @erpscan and attend the future presentations:
• PHDays in May (Moscow)
• Just4Meeting in July (Portugal)
• BlackHat USA in July (Las Vegas)
58. Greetz to our crew who helped: Dmitriy Evdokimov, Alexey Sintsov, Alexey Tyurin, Pavel Kuzmin, Evgeniy Neelov.
web: www.erpscan.com
e-mail: info@erpscan.com, sales@erpscan.com
Twitter: @erpscan, @sh2kerr