2008
Who is CYBSEC?
Provides Information Security services since 1996. More than 300 customers in Latin America, the USA and Europe. Wide range of services: Strategic Management, Operation Management, Control Management, Incident Management, PCI Services, SAP Security.
Who am I?
Senior Security Researcher at CYBSEC. Devoted to Penetration Testing and Vulnerability Research. Discovered vulnerabilities in software from Microsoft, Oracle, SAP, Watchfire, etc. Speaker/Trainer at Blackhat, Sec-T, Hack.lu, DeepSec, Ekoparty, CIBSI, etc.
SAP & Me
Started researching in 2005. SAP pentesting projects (customers). Discovered more than 40 vulnerabilities in SAP software. Published Attacking the Giants: Exploiting SAP Internals. Developed sapyto, the first SAP Penetration Testing Framework. CYBSEC's SAP (In)Security Training instructor.
Agenda
Introduction to the SAP World
Why SAP Penetration Testing?
PenTest Setup
SAP PenTesting
  Discovery Phase
  Exploration Phase
  Vulnerability Assessment Phase
  Exploitation Phase
Case Study: SAProuter Security Assessment
Conclusions
So what is SAP?
SAP (Systems, Applications and Products in Data Processing) is a German company devoted to the development of business solutions. More than 41,600 customers in more than 120 countries. More than 121,000 SAP implementations around the globe. Third-biggest independent software vendor (ISV). Provides different solutions: CRM, ERP, PLM, SCM, SRM, GRC, Business One, etc. The ERP solution is composed of different functional modules (FI, CO, SD, HR, MM, etc.) that implement the organization's business processes. Modules are linked together and integrated by the NetWeaver platform. SAP runs on multiple operating systems and databases.
SAP Security is much (*much*) more than User roles and authorizations!
PenTest Setup
Before we begin
Preparation
What do you need? The Shopping List:
sapyto
nmap
r* tools (rsh, rlogin, rexec)
SQL client tools
NFS client tools
SMB client & security tools
BurpSuite / w3af
Nessus
john (patched)
hydra
Try to get as much information as possible about the target platforms, their usage and policies before starting the assessment. Remember that everything that breaks while you are pentesting *will* be your fault (even if someone breaks a leg).
sapyto
First SAP Penetration Testing Framework. Support for activities in all phases of the pentest. Open-source (and free). Plugin based. Developed in Python and C. Version 0.93 released at Blackhat Europe 07.
Discovery Phase
Finding SAP targets
Exploration Phase
Getting as much information as possible
getClients(target#0)
Client 000 is
Client 001 is
Client 066 is
Client 101 is
Client 200 is
} res: Ok
Use report RSUSR003 to check the status of default users.
User        Description
EARLYWATCH  User for the EarlyWatch Service
SAPCPIC     Communication User
WARNING! User locking is implemented! (usually between 3 and 12 tries)
Oops! In version 6.20, the lock counter is not incremented through RFC.
sapyto's bruteLogin plugin can work in different modes:
Try default users only and SAP*:PASS in detected clients.
Specific credentials wordlist.
Username and password wordlists.
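To make the lock-counter warning concrete, here is an added example (not sapyto's code and not from the talk) of the planning step a lock-aware brute forcer needs: it expands the three credential modes listed above into (client, user, password) candidates, caps the guesses per account below an assumed lock threshold, and runs them against a constructed stand-in for the SAP logon that locks an account once the threshold is reached. The threshold value, the FakeAbapLogon class, and every account and password other than SAP*:PASS are constructed for this example.

```python
"""Lock-aware credential planning for an SAP logon brute force (added example)."""
from collections import defaultdict
from itertools import product


def expand_credentials(clients, pairs=(), users=(), passwords=()):
    """Build (client, user, password) candidates for every detected client:
    explicit pairs (default-user mode or a credentials wordlist) plus the
    cross product of separate user and password wordlists."""
    cands = []
    for client in clients:
        cands.extend((client, u, p) for u, p in pairs)
        cands.extend((client, u, p) for u, p in product(users, passwords))
    return cands


def plan_attempts(candidates, lock_threshold, margin=1):
    """Cap attempts per (client, user) at lock_threshold - margin so a run of
    failures never reaches the lock counter (the counter is per user per
    client).  lock_threshold=None means no cap.  Returns (scheduled, skipped)."""
    if lock_threshold is None:
        budget = None
    else:
        budget = lock_threshold - margin
        if budget < 1:
            raise ValueError("lock threshold leaves no safe attempt")
    per_user = defaultdict(list)
    for client, user, password in candidates:
        if password not in per_user[(client, user)]:   # drop duplicate guesses
            per_user[(client, user)].append(password)
    scheduled, skipped = [], []
    for (client, user), pwds in per_user.items():
        keep = pwds if budget is None else pwds[:budget]
        scheduled.extend((client, user, p) for p in keep)
        skipped.extend((client, user, p) for p in pwds[len(keep):])
    return scheduled, skipped


class FakeAbapLogon:
    """Constructed stand-in for the target (not a real SAP system): counts
    failed logons per (client, user) and locks the account once the counter
    reaches lock_threshold."""

    def __init__(self, accounts, lock_threshold):
        self.accounts = accounts            # {(client, user): password}
        self.lock_threshold = lock_threshold
        self.failures = defaultdict(int)
        self.locked = set()

    def login(self, client, user, password):
        key = (client, user)
        if key in self.locked:
            return "locked"
        if self.accounts.get(key) == password:
            return "ok"
        self.failures[key] += 1
        if self.failures[key] >= self.lock_threshold:
            self.locked.add(key)
        return "fail"


def brute_login(target, scheduled):
    """Run the plan; abort at the first 'locked' answer, because that means the
    assumed threshold was wrong and further tries would lock more accounts."""
    found = []
    for client, user, password in scheduled:
        result = target.login(client, user, password)
        if result == "ok":
            found.append((client, user, password))
        elif result == "locked":
            raise RuntimeError(f"{user} in client {client} is locked: re-check the lock threshold")
    return found


def demo():
    # Constructed target: SAP*:PASS is the slide's example; the EARLYWATCH
    # password here is made up for the demo.
    target = FakeAbapLogon({("000", "SAP*"): "PASS",
                            ("066", "EARLYWATCH"): "constructed-pw"},
                           lock_threshold=3)
    cands = expand_credentials(
        clients=("000", "066"),
        pairs=[("SAP*", "PASS")],
        users=["EARLYWATCH"],
        passwords=["wrong1", "constructed-pw", "wrong2", "wrong3"])
    scheduled, skipped = plan_attempts(cands, lock_threshold=3)  # 2 tries per account
    found = brute_login(target, scheduled)
    return found, skipped, sorted(target.locked)


if __name__ == "__main__":
    found, skipped, locked = demo()
    print("found:", found)
    print("skipped (over budget):", len(skipped), "locked:", locked)
```

If the real threshold is unknown, treat a "locked" answer as a failed assumption rather than something to retry: with a default margin of one, the plan above leaves each account exactly one failed logon short of the lock, so the skipped guesses are the ones to schedule only after the counter has been reset.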
[Figure: diagram of an XOR with KEY[i] (two slides; only the labels survived extraction)]
By exploiting weaknesses in Registered Servers, it may be possible to obtain confidential information, cause DoS, and perform RFC MITM and callback attacks. By exploiting vulnerabilities in Started Servers, it may be possible to obtain remote code execution on misconfigured Application Servers.
(Check the Attacking the Giants: Exploiting SAP Internals white-paper.)
Exploitation Phase
Getting access and beyond
On June 26, 2008, a patch for John the Ripper adding support for SAP CODVN B and CODVN F password hashes was published.
SAProuter Introduction
SAProuter is an SAP program that works as a proxy: it mediates and controls connections between SAP systems, and between SAP systems and external networks.
Typical SAProuter Architecture
[Figure: external users reach the SAProuter at the border firewall from the Internet; behind it sit the internal network with DEV, QAS and PRD, the IntraWeb and SSH servers, the mainframe, other internal systems and the internal users]
If SAProuter is in place, clients have to specify a route string to connect.
/H/saprouter/S/3299/H/sapprd1/S/3200
Access is controlled through an ACL file called the Route Permission Table (saprouttab). Entry format:
P/S/D src_host dst_host dst_port pwd
(P permits the connection, S permits SAP protocols only, D denies; the pwd field is optional. The slide's example password value is pass123.)
Protection / Countermeasure
SAProuter should be implemented in a separate DMZ.
Use VPNs and/or restrict connections at the border firewall.
The Route Permission Table should restrict access only to allowed parties, to specific targets and ports.
Entries containing wildcards (*) are discouraged and should be carefully analyzed.
SNC should be required.
[Figure: the same architecture diagram, annotated with the countermeasures above]
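As an added example (not from the talk and not SAProuter's own code), the following Python toy models the two things the case study turns on: how a route string such as /H/saprouter/S/3299/H/sapprd1/S/3200 decomposes into hops, and how a Route Permission Table is consulted, top-down, first match wins, no match means deny. It also lints the table for the wildcard entries the slide warns about. Hostnames, the sample table and its password are constructed; the model assumes the /P/ segment after a SAProuter hop is the password that SAProuter checks before forwarding to the next hop, and it uses glob matching only (real SAProuter also accepts subnet masks, which this toy does not implement).

```python
"""Toy evaluator for SAProuter route strings and a Route Permission Table (added example)."""
import fnmatch
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Hop:
    host: str
    port: str = "3299"    # SAProuter's default service when /S/ is omitted
    password: str = ""    # /P/ segment; assumed to be checked by this hop before forwarding


def parse_route(route: str) -> List[Hop]:
    """Split '/H/host/S/port/P/pwd/H/host2/S/port2' into Hop objects."""
    parts = route.strip("/").split("/")
    if not route.startswith("/H/") or len(parts) % 2:
        raise ValueError(f"malformed route string: {route!r}")
    hops: List[Hop] = []
    for tag, value in zip(parts[0::2], parts[1::2]):
        if tag == "H":
            hops.append(Hop(value))
        elif tag == "S":
            hops[-1].port = value
        elif tag == "P":
            hops[-1].password = value
        else:
            raise ValueError(f"unknown route segment /{tag}/")
    return hops


@dataclass
class Rule:
    action: str      # P = permit, S = permit SAP protocols only, D = deny
    src: str
    dst: str
    port: str
    password: str = ""


def parse_routtab(text: str) -> List[Rule]:
    """Parse 'P/S/D src_host dst_host dst_port [pwd]' lines; '#' starts a comment."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) not in (4, 5) or fields[0] not in ("P", "S", "D"):
            raise ValueError(f"saprouttab line {lineno}: cannot parse {raw!r}")
        rules.append(Rule(*fields))
    return rules


def _match(pattern: str, value: str) -> bool:
    # '*' alone or as a glob such as '10.0.0.*'; subnet masks are not modelled.
    return fnmatch.fnmatchcase(value, pattern)


def check_forward(rules, src_host, next_hop: Hop, password: str,
                  native_protocol=False) -> Tuple[bool, str]:
    """One SAProuter's decision when src_host asks it to forward to next_hop.
    Entries are tried top-down, the first match decides, no match means deny."""
    for idx, r in enumerate(rules, 1):
        if not (_match(r.src, src_host) and _match(r.dst, next_hop.host)
                and _match(r.port, next_hop.port)):
            continue
        if r.action == "D":
            return False, f"rule {idx}: denied"
        if r.password and r.password != password:
            return False, f"rule {idx}: wrong or missing route password"
        if r.action == "S" and native_protocol:
            return False, f"rule {idx}: only SAP protocols allowed"
        return True, f"rule {idx}: permitted"
    return False, "no matching entry (implicit deny)"


def evaluate_route(rules, client_host, route, native_protocol=False) -> Tuple[bool, str]:
    """Walk the route from the client's view; every SAProuter on the path is
    assumed to load the same table (true for a single-SAProuter setup)."""
    hops = parse_route(route)
    if len(hops) < 2:
        return False, "route needs a SAProuter hop and a target"
    src = client_host
    for router, target in zip(hops, hops[1:]):
        ok, why = check_forward(rules, src, target, router.password, native_protocol)
        if not ok:
            return False, f"{router.host}: {why}"
        src = router.host
    return True, "route permitted"


def audit_routtab(rules) -> List[str]:
    """Flag what the slide warns about: permit entries containing wildcards."""
    findings = []
    for idx, r in enumerate(rules, 1):
        if r.action == "D":
            continue
        wild = [name for name, v in (("src", r.src), ("dst", r.dst), ("port", r.port)) if "*" in v]
        if r.src == "*" and r.dst == "*" and r.port == "*":
            findings.append(f"rule {idx}: {r.action} * * * permits everything")
        elif wild:
            findings.append(f"rule {idx}: wildcard in {', '.join(wild)} ({r.action} {r.src} {r.dst} {r.port})")
    return findings


# Constructed sample table; hosts, ranges and password are made up for the example.
SAMPLE_ROUTTAB = """\
# constructed example table, not from the talk
S  10.0.0.*   sapprd1  3200  pass123   # SAP protocol only, route password required
P  *          sapdev1  3200            # any source may reach DEV: flagged by the audit
D  *          *        *               # explicit catch-all deny
"""

if __name__ == "__main__":
    rules = parse_routtab(SAMPLE_ROUTTAB)
    print(evaluate_route(rules, "10.0.0.5", "/H/saprouter/S/3299/H/sapprd1/S/3200"))
    print(evaluate_route(rules, "10.0.0.5", "/H/saprouter/S/3299/P/pass123/H/sapprd1/S/3200"))
    print(audit_routtab(rules))
```

The audit deliberately flags the S rule too: a source pattern like 10.0.0.* is narrower than *, but it is still a wildcard and the slide's advice is to review every one rather than trust the apparent scope.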
Conclusions
Wrapping up
It's impossible to cover all the activities of an SAP pentest in a one-hour talk!
SAP systems deal with sensitive business information and processes. The integrity, confidentiality and availability of this information is critical.
SAP systems security is often overlooked during the implementation phase, in order to avoid business delays.
SAP security is much more than user roles/profiles and authorizations!
By default, some configurations expose the systems to high-risk threats.
SAP provides many ways to secure systems and communications. Administrators should enable security settings as soon as possible.
Pentesting your SAP systems will let you know the current security level of your implementation (and show your managers why you need resources to secure it :P).
CYBSEC's sapyto supports activities of all phases of the project.
SAP penetration tests should be carried out in controlled environments, performed by qualified experts in the subject.
References
Attacking the Giants: Exploiting SAP Internals (white-paper)
http://www.cybsec.com/upload/bh-eu-07-nunez-di-croce-WP_paper.pdf
sapyto
http://www.cybsec.com/EN/research/sapyto.php
SAP Note 931252 - Security Note: Authority Check for Function Group SRFC
SAP Note 618516 - Security-related enhancement of RFCEXEC program
SAP Note 1237762 - ABAP systems: Protection against password hash attacks
Questions?
Thank you!
www.cybsec.com