2. DISCLAIMERS
Disclaimer 1: This presentation is not comprehensive; SAP platform security is a very wide area of expertise (the focus here is on part of the ABAP stack).
Disclaimer 2: We do not encourage hacking/cracking whatsoever in ANY form. This presentation is here to help you gain insight and awareness of some specific SAP platform security issues and into the minds of seasoned computer criminals, so that you can forestall their attempts and pre-empt all harmful attacks. Hacking IS illegal!
3. TOPICS COVERED
The following topics are covered and "glued together" into a scenario: "How to get rich in 5 simple steps"
(OK, that could be fewer, but where's the fun in that?!)
1 Use Default users
2 Use OS command execution
3 Use Password parameters
4 Use The power of RFC calls
5 Use SAP Gateway
Meet the FBI's most wanted black-hat hacker: Miss G!
5. 1. Default Accounts
Risk: Well, that's an open door!
Mitigation:
• Use report RSUSR003 to check the standard users
• Deactivate SAP* by setting parameter login/no_automatic_user_sapstar = 1, and create SAP* in clients where it does not exist
• Change passwords / lock accounts
• Not only on PRD, but on the ENTIRE landscape
• Don't delete SAP*/DDIC
• Don't forget TMSADM!
More info:
• http://help.sap.com
• OSS note 1568362
7. 2. OS command execution
Info: SM49/SM69 and RSBDCOS0 are known and can be protected, but other flaws exist in SAP that allow OS command injection. I just reported 5 vulnerable FMs to the SAP Security team.
Risk: Execution of OS commands is dangerous when done from the application level, since the <SID>adm user is highly privileged and has a database trust. Become the <SID>adm user and the DB is yours!
Mitigation:
• PATCH: make sure the security notes are implemented, secure <SID>adm with strong authentication, and don't give SAP_ALL.
More info:
• http://www.bizec.org/wiki/Controlled_Operating_System_(OS)_Command_Execution
• The SAP Security Notes
9. 3. Password parameters
Info: Some password parameters have default settings that need to be adjusted. Two important ones:
• login/password_downwards_compatibility = 1
• login/min_password_lng = 6
Risk: Weak password hashes can easily be brute-forced.
Mitigation: If your landscape is NW 7.0 or newer, set parameter login/password_downwards_compatibility = 0, delete the old hashes and make sure the hashes are protected in the USR tables, or disable passwords if you use SSO. No SSO? Set login/min_password_lng >= 8.
More info:
http://help.sap.com/saphelp_nw70/helpdata/en/22/41c43ac23cef2fe10000000a114084/content.htm
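As an added example (not part of the slides), a small Python checker for the profile parameters named on the SAP* and password slides: it parses an SAP profile in its `parameter = value` form and compares each setting with the value recommended above. The profile fragment is constructed, and the "last definition wins" handling and the default of 0 for login/no_automatic_user_sapstar are assumptions made here.

```python
# Recommended values from the slides: "eq" = must equal, "min" = must be at least.
RULES = {
    "login/no_automatic_user_sapstar": ("eq", 1),
    "login/password_downwards_compatibility": ("eq", 0),
    "login/min_password_lng": ("min", 8),
}

# Value assumed when a parameter is absent. The password defaults are the ones the
# slides cite; the SAP* default of 0 is assumed here so an absent parameter is flagged.
DEFAULTS = {
    "login/no_automatic_user_sapstar": 0,
    "login/password_downwards_compatibility": 1,
    "login/min_password_lng": 6,
}

# Constructed DEFAULT.PFL fragment for demonstration; not taken from any real system.
SAMPLE_PROFILE = """\
SAPSYSTEMNAME = XYZ                        # constructed sample
login/min_password_lng = 6
login/password_downwards_compatibility = 1
login/min_password_lng = 8                 # later line overrides the earlier one
"""


def parse_profile(text):
    """Parse 'key = value' profile lines ('#' starts a comment). Assumption: last wins."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        params[key] = value
    return params


def check_profile(text):
    """Return (parameter, value_in_profile_or_None, expected, compliant) for each rule."""
    params = parse_profile(text)
    findings = []
    for name, (mode, expected) in RULES.items():
        raw = params.get(name)
        try:
            value = int(raw) if raw is not None else DEFAULTS[name]
        except ValueError:
            value = None  # unparsable value: report as a finding rather than guess
        ok = value is not None and (value == expected if mode == "eq" else value >= expected)
        findings.append((name, raw, expected, ok))
    return findings
```

Calling check_profile(SAMPLE_PROFILE) flags the downwards-compatibility setting and the absent SAP* parameter, and passes the minimum length because the later line overrides the earlier 6.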
11. 4. The power of RFC calls
Info: Many times I hear "It is only a system user, so it cannot be abused". Think again! And no SAP system is needed for that; there are RFC SDKs for many programming languages!
Risk: Almost any action/transaction in SAP can also be performed by RFC calls via non-dialog users.
Mitigation:
• Implement SAP Gateway protection. By DEFAULT it can be used to execute remote OS commands as <SID>adm.
• Make sure to implement proper network segmentation with firewalls, so no RFC calls can be made from frontends.
• Protect non-dialog users by using strong passwords (and do not give them SAP_ALL).
• Only create RFC destinations with stored credentials or system trust from systems of higher security classification to systems of lower security classification (e.g. from PRD -> DEV; never trust DEV systems in a PRD system, never EVER have an RFC destination with a SAP_ALL user from Sandbox to PRD, etc.).
13. 5. SAP Gateway
Info: This component handles RFC traffic. It exists on all SAP ABAP systems and nowadays even on some Java systems. By default it is totally unprotected.
Risk: Execution of OS commands as the <SID>adm user (remember the DB trust!?). This component carries a HIGH risk.
Mitigation:
• Implement an ACL via reg_info and sec_info.
• Network segmentation to prevent RFC execution from the user network.
• For much more specific information, see the SAP Security Guides.