www.erp-sec.com




All about SAP Security
  (except authorizations)


DISCLAIMERS


Disclaimer 1: This presentation is not comprehensive; SAP
  platform security is a very wide area of expertise (the focus here is on
  part of the ABAP stack).
Disclaimer 2: We do not encourage hacking/cracking
  whatsoever in ANY form. This presentation is here to help
  you gain insight and awareness of some specific SAP
  platform security issues and into the minds of seasoned computer
  criminals, so that you can forestall their attempts and
  pre-empt all harmful attacks. Hacking IS illegal!
TOPICS COVERED


The following topics are covered and "glued together" into
a scenario: "How to get rich in 5 simple steps"
(OK, that could be fewer, but where's the fun in that?!)

   1 Use Default users
   2 Use OS command execution
   3 Use Password parameters
   4 Use The power of RFC calls
   5 Use SAP Gateway

   Meet the FBI's most wanted BlackHat hacker: Miss G!
Miss G!




1. Default Accounts


Risk: Well, that's an open door!
Mitigation:
• Run report RSUSR003 to check the default accounts
• Deactivate the automatic SAP* user by setting parameter login/no_automatic_user_sapstar = 1,
and create SAP* in the clients where it does not exist
• Change the passwords / lock the accounts
• Not only on PRD, but on the ENTIRE landscape
• Don't delete SAP*/DDIC
• Don't forget TMSADM!
More info:
• http://help.sap.com
• OSS note 1568362
DEMO: Default Accounts
2. OS command execution


Info: SM49/SM69 and RSBDCOS0 are well known and can be
protected. But other flaws exist in SAP that allow OS command
injection. Just reported 5 vulnerable FMs to the SAP Security team.
Risk: Execution of OS commands is dangerous when done
from the application level, since the <SID>adm user is highly
privileged and has a database trust. Become the <SID>adm
user and the DB is yours!
Mitigation:
• PATCH: make sure security notes are implemented, secure
<SID>adm with strong authentication, and don't give SAP_ALL.
More info:
•http://www.bizec.org/wiki/Controlled_Operating_System_(OS)_Command_Execution
•The SAP Security notes
DEMO: OS command execution
3. Password parameters


Info: Some default password parameters have settings that
need to be adjusted. Two important ones:
• login/password_downwards_compatibility = 1
• login/min_password_lng = 6
Risk: Weak (downward-compatible) password hashes can easily be brute-forced.
Mitigation: If your landscape is NW 7.0 or newer, set
parameter login/password_downwards_compatibility = 0, delete the
old hashes and make sure the hashes are protected in the USR tables,
or disable passwords if you use SSO. No SSO? Set
login/min_password_lng >= 8
More info:
http://help.sap.com/saphelp_nw70/helpdata/en/22/41c43ac23cef2fe10000000a114084/content.htm
DEMO: Password parameters
4. The power of RFC calls


Info: Many times I hear "It is only a system user, so it cannot
be abused". Think again! And no SAP system is needed for that:
there are RFC SDKs for many programming languages!
Risk: Almost any action/transaction in SAP can also be
performed by RFC calls via non-dialog users.
Mitigation:
• Implement SAP Gateway protection. By DEFAULT it can be used to execute remote
OS commands as <SID>adm
• Make sure to implement proper network segmentation with firewalls, so no RFC
calls can be made from frontends
• Protect non-dialog users by using strong passwords (and do not give them
SAP_ALL)
• Only create RFC destinations with stored credentials or system trust from systems of
higher security classification to systems of lower security classification (e.g. from
PRD -> DEV; never trust DEV systems in a PRD system, never EVER have an RFC
destination with a SAP_ALL user from Sandbox to PRD, etc.)
DEMO: The power of RFC calls
5. SAP Gateway


Info: This component handles RFC traffic. It exists on all SAP
ABAP systems and nowadays even on some Java systems. By default it
is totally unprotected.
Risk: Execution of OS commands as the <SID>adm user
(remember the DB trust!?). This component carries a HIGH risk.
Mitigation:
• Implement ACLs via reg_info and sec_info.
• Network segmentation to prevent RFC execution from the user
network
• For much more specific information, see the SAP Security guides
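As an added example (not from the deck): a minimal secinfo/reginfo pair in the version-2 ACL syntax, together with the profile parameters that point the gateway at the two files. Host and program names are constructed, and the `internal` keyword is assumed to be supported by the kernel in use.

```text
# --- instance profile: where the gateway finds its ACL files ---
gw/sec_info = $(DIR_DATA)$(DIR_SEP)secinfo
gw/reg_info = $(DIR_DATA)$(DIR_SEP)reginfo
# reject starts and registrations when an ACL file is missing
gw/acl_mode = 1

# --- secinfo: who may START programs through the gateway ---
#VERSION=2
# OS programs may be started only from the application server itself
P TP=* USER=* USER-HOST=local HOST=local
# ... and from the other instances of this system ("internal" keyword: assumption)
P TP=* USER=* USER-HOST=internal HOST=internal
# everything else, including any frontend in the user network, is denied
D TP=* USER=* USER-HOST=* HOST=*

# --- reginfo: who may REGISTER external programs at the gateway ---
#VERSION=2
# only the local host and this system's instances may register programs
P TP=* HOST=local
P TP=* HOST=internal
# one named integration server may register its program (constructed names);
# only the listed application servers may use it, and only one may cancel it
P TP=MYSERVER_PROG HOST=integ01.example.corp ACCESS=appsrv01.example.corp,appsrv02.example.corp CANCEL=appsrv01.example.corp
# any other registration attempt is denied
D TP=* HOST=*
```

After editing the files, have the gateway re-read them from SMGW rather than restarting the instance, and watch the gateway log for rejected starts and registrations: those are exactly the RFC calls from frontends and foreign hosts the deck wants to see blocked.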
5. SAP Gateway
     DEMO: The Gateway




THANK YOU!

Any Questions?
