in security to secure investments

Alexander Polyakov, CTO at ERPScan

About ERPScan

What is SAP? Shut up And Pay

Really

Agenda
• Intro
• SAP security history
• SAP on the Internet
• Top 10 latest interesting attacks
• DEMOs
• Conclusion
3 areas of SAP Security

2002 – Business logic security (SOD)
Solution: GRC
Prevents attacks or mistakes made

2008 – ABAP Code security
Solution: Code audit
Prevents attacks or mistakes made by developers

2010 – Application platform security
Solution: Vulnerability Assessment and Monitoring
Prevents unauthorized access by both insiders and remote attackers
Talks about SAP security
[Chart: number of talks about SAP security per year, 2006 to 2012; y-axis 0 to 35]
Most popular:
• BlackHat
• HITB
• Troopers
• RSA
• Source
• DeepSec
• etc.
SAP Security notes
[Chart: number of SAP Security notes per year, 2001 to 2012; y-axis 0 to 900]
By April 26, 2012, a total of 2026 notes

SAP vulnerabilities by type
SAP on the Internet
• We have collected data about SAP systems on the WEB
• Have various stats by countries, applications, versions
• Information from Google, Shodan, Nmap scan

MYTH: attacks on SAP systems are available only to insiders
Top 10 vulnerabilities 2011-2012
1. Authentication Bypass via Verb tampering
2. Authentication Bypass via the Invoker servlet
3. Buffer overflow in ABAP Kernel
4. Code execution via TH_GREP
5. MMC read SESSIONID
6. Remote portscan
7. Encryption in SAPGUI
8. BAPI XSS/SMBRELAY
9. XML Blowup DOS
10. GUI Scripting DOS
10 – GUI-Scripting DOS: Description (New)
• SAP users can run scripts which automate their user functions
• A script has the same rights in SAP as the user who launched it
• The security message which is shown to the user can be turned off in the registry
• Almost any user can use SAP Messages (SM02 transaction)
• It is possible to run a DOS attack on any user using a simple script

10 – GUI-scripting: Other attacks
Script can be uploaded using:
– SAPGUI ActiveX vulnerability
– Teensy USB flash
– Any other method of client exploitation
Other attacks like changing banking accounts in LFBK are also possible

10 – GUI-scripting: Business risks
Sabotage – High
Espionage – No
Fraud – No

10 – GUI-scripting: Prevention
9 – XML Blowup DOS: Description (New)
• WEBRFC interface can be used to run RFC functions
• By default any user can have access
• Even without S_RFC auth
• SAP NetWeaver is vulnerable to malformed XML packets
• It is possible to run a DOS attack on the server using a simple script
• It is possible to run it over the Internet!
Author: Alexey Tyurin (ERPScan)

9 – XML Blowup DOS: Demo

9 – XML Blowup DOS: Business risks
Sabotage – Critical
Espionage – No
Fraud – No

9 – XML Blowup DOS: Prevention
• Disable WEBRFC
• Prevent unauthorized access to WEBRFC using S_ICF
• Install SAP notes 1543318 and 1469549
8 – BAPI script injection/hash stealing: Description
• Possible to inject JavaScript code or a link to a fake SMB server
• SAP GUI clients use Windows, so their credentials will be transferred to the attacker's host.

8 – BAPI script injection/hash stealing: Demo (New)

8 – BAPI script injection/hash stealing: Business risks
Espionage – High
Sabotage – High
Fraud – High
7 – SAP GUI bad encryption: Description (New)
• SAP FrontEnd can save encrypted passwords in shortcuts
• Shortcuts are stored in a .sap file
• This password uses a byte-XOR algorithm with a "secret" key
• The key has the same value for every installation of SAP GUI
• Any password can be decrypted in 1 second

7 – SAP GUI bad encryption: Business risks
Espionage – High
Sabotage – Medium
Fraud – High

7 – SAP GUI bad encryption: Prevention
6 – Remote port scan via JSP: Description
• It is possible to scan the internal network from the Internet
• Authentication is not required
• SAP NetWeaver J2EE engine is vulnerable
• /ipcpricing/ui/BufferOverview.jsp?server=172.16.0.13&port=31337&password=&dispatcher=&targetClient=&view=
Author: Alexander Polyakov (ERPScan)

6 – Remote port scan via JSP: Demo
HTTP port

6 – Remote port scan via JSP: Business risks
Sabotage – Low
Espionage – Medium
Fraud – No

6 – Remote port scan via JSP: Prevention
5 – MMC JSESSIONID stealing: Description (New)
• Remote management of SAP Platform
• By default, many commands go without auth
• Exploits implemented in Metasploit (by ChrisJohnRiley)
• Most of the bugs are information disclosure
• It is possible to find information about JSESSIONID
• Only if trace is ON

5 – MMC JSESSIONID stealing: Business risks
Espionage – Critical
Fraud – High
Sabotage – Medium

5 – MMC JSESSIONID stealing: Prevention
• The JSESSIONID by default will not be logged in the log file
• Don't use TRACE_LEVEL = 3 on production systems, or delete traces after use
• Other info: http://help.sap.com/saphelp_nwpi71/helpdata/en/d6/49543b1e49bc1fe10000000a114084/frameset.htm
4 – Remote command execution in TH_GREP: Description

4 – RCE in TH_GREP: Details

4 – RCE in TH_GREP: Demo #1

4 – RCE in TH_GREP: More details

4 – RCE in TH_GREP: Demo #2

4 – RCE in TH_GREP: Business risks
Espionage – High
Sabotage – Medium
Fraud – High

4 – RCE in TH_GREP: Prevention

3 – ABAP Kernel BOF: Description

3 – ABAP Kernel BOF: Business risks
Espionage – Critical
Sabotage – Critical
Fraud – Critical

3 – ABAP Kernel BOF: Prevention
2 – Invoker Servlet: Description

2 – Invoker Servlet: Details
<servlet>
  <servlet-name>CriticalAction</servlet-name>
  <servlet-class>com.sap.admin.Critical.Action</servlet-class>
</servlet>
<servlet-mapping>
  <servlet-name>CriticalAction</servlet-name>
  <url-pattern>/admin/critical</url-pattern>
</servlet-mapping>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restrictedaccess</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
Author: Dmitry Chastukhin (ERPScan)

2 – Invoker Servlet: Business risks
Espionage – High
Sabotage – High
Fraud – High
2 – Invoker servlet: Prevention
• Update to the latest patch: 1467771, 1445998
• The "EnableInvokerServletGlobally" property of the servlet_jsp service must be "false"
If you can't install patches for some reason, you can check all WEB.XML files using the ERPScan web.xml scanner manually.
1 – VERB Tampering

1st Place – Verb Tampering
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restrictedaccess</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
Author: Alexander Polyakov (ERPScan)

1 – Verb tampering: Details

1 – Verb tampering: Demo

1 – Verb tampering: More details

1 – Verb tampering: Business risks
Espionage – Critical
Sabotage – Critical
Fraud – Critical
1st Place – Verb tampering: Prevention
• Install SAP notes 1503579, 1616259
• Install other SAP notes about Verb Tampering (about 18)
• Scan applications using the ERPScan WEB.XML check tool or manually
• Secure WEB.XML by deleting all <http-method>
• Disable the applications that are not necessary
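The manual WEB.XML check from this slide, as an added Python example that is not ERPScan's tool: it flags every <security-constraint> that lists <http-method> elements (the pattern in the slide's descriptor, where only GET on /admin/* is protected and any other verb reaches the servlet without the auth-constraint applying) and then applies the slide's fix by deleting those elements. The sample descriptor is constructed from the slide, and the namespace stripping assumes real deployment descriptors carry a default xmlns.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the slide's descriptor, not a real SAP file.
SAMPLE_WEB_XML = """<web-app>
  <servlet-mapping>
    <servlet-name>CriticalAction</servlet-name>
    <url-pattern>/admin/critical</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restrictedaccess</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def _local(tag):
    """Strip a default namespace ({uri}name -> name); real web.xml files carry one."""
    return tag.rsplit("}", 1)[-1]

def find_verb_tampering(web_xml_text):
    """Return (url_patterns, methods) for each constraint that names <http-method>s:
    it protects only those verbs, so any other verb reaches the same URL without
    the auth-constraint being enforced."""
    findings = []
    for sc in ET.fromstring(web_xml_text).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            methods = [m.text.strip() for m in wrc if _local(m.tag) == "http-method"]
            patterns = [p.text.strip() for p in wrc if _local(p.tag) == "url-pattern"]
            if methods:
                findings.append((patterns, methods))
    return findings

def harden(web_xml_text):
    """Apply the slide's fix: delete every <http-method> so constraints cover all verbs."""
    root = ET.fromstring(web_xml_text)
    for parent in list(root.iter()):
        for child in list(parent):
            if _local(child.tag) == "http-method":
                parent.remove(child)
    return ET.tostring(root, encoding="unicode")
```

Running `find_verb_tampering` over each deployed web.xml before and after `harden` gives a quick regression check that no method-limited constraint survives.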
Conclusion
Many of the researched things cannot be disclosed now because of our good relationship with the SAP Security Response Team, whom I would like to thank for cooperation. However, if you want to see new demos and 0-days, follow us at @erpscan and attend the future presentations:
• PHDays in May (Moscow)
• Just4Meeting in July (Portugal)
• BlackHat USA in July (Las Vegas)

web: www.erpscan.com
e-mail: info@erpscan.com, sales@erpscan.com
Twitter: @erpscan, @sh2kerr

Greetz to our crew who helped: Dmitriy Evdokimov, Alexey Sintsov, Alexey Tyurin, Pavel Kuzmin, Evgeniy Neelov.