CONFidence 2014: Dimitriy Chastuhin: All your SAP P@$$w0ЯdZ belong to us

Uploaded by proidea, posted 06-May-2015

DESCRIPTION

Nowadays, everyone knows about the great importance of SAP systems and the critical data processed by them. Large companies install SAP Security Notes regularly so as not to repeat the mistake of Nvidia. One bug is no longer enough to get access to all corporate SAP systems. Pentesters frequently find themselves in a situation where the OS of an SAP server has been compromised successfully, but they do not have access to the ERP system. It is also rather common to have an unprivileged account which gives access to an encrypted password, but not to the whole system. Sometimes they even try to break into other systems with the passwords that users reuse across the systems already broken into, but they cannot, because the passwords need to be decrypted first. Where do we find the treasured password to access the financial transactions and revenues of NASDAQ monsters? Where and how does SAP store user passwords? Are all passwords stored as hashes, or can attackers find passwords in plaintext? This talk reviews the many places where SAP stores critical credentials, such as usernames and passwords, and, more interestingly, the way it stores them. Methods of retrieving them will be described, and decryption utilities will be presented. SAP GUI shortcuts, RFC connections, SAP Security Storage, logs, traces, database links, SAP HANA storage, you name it: all varieties of SAP modules will be discussed in this talk.

TRANSCRIPT

Page 1: CONFidence 2014: Dimitriy Chastuhin:  All your sap p@$$w0яd z belong to us

Invest in security to secure investments

All your SAP P@$$w0ЯdZ belong to us Dmitry Chastukhin – Director of SAP pentest/research team

Page 2

ERPScan

Leading SAP AG partner in the field of discovering security vulnerabilities by the number of found vulnerabilities

• Developing software for SAP security monitoring

• Talks at 40+ security conferences worldwide: BlackHat (US/EU/DC/UAE), RSA, Defcon, CONFidence, HITB, etc.

• First to develop software for NetWeaver J2EE assessment

• The only solution to assess all areas of SAP security

• Research team with experience in different areas of security from ERP and web security to mobile, embedded devices, and critical infrastructure, accumulating their knowledge on SAP research.

• Local partner: PBSG, www.pbsg.pl

2 erpscan.com ERPScan — invest in security to secure investments

Page 3

Dmitry Chastukhin

Business application security

expert

Yet another security researcher

Page 4

SAP

• The most popular business application

• More than 250000 customers worldwide

• More than 83 % of Forbes 500 run SAP

• More than 40 % of ERP market in Poland

Page 5

SAP security

Espionage
• Stealing financial information
• Stealing corporate secrets
• Stealing supplier and customer lists
• Stealing HR data

Fraud
• False transactions
• Modification of master data

Sabotage
• Denial of service
• Modification of financial reports
• Access to technology network (SCADA) by trust relations

Page 6

Is it remotely exploitable?

> 5000 non-web SAP services exposed in the world including Dispatcher, Message server, SapHostControl, etc.

sapscan.com

Page 7

What about other services?

[Chart: number of exposed SAP services worldwide, by service type: SAP Dispatcher, SAP MMC, SAP Message Server, SAP HostControl, SAP ITS Agate, SAP Message Server httpd]

Page 8

SAP MMC – overview

• MMC is installed by default on port 5<ID>13

• Used for remote management of SAP servers

• Commands executed via SOAP interface

• By default, SSL is not implemented

• Administrative password transmitted using basic auth (Base64)

• By sniffing this password, we can get full control over the server

Page 9

SAP MMC – attacks

• Many attacks can be implemented without authentication

• Attacks can be executed by sending SOAP requests

• Mostly, it is information disclosure and denial of service

• Also, OS command execution

Page 10

Advanced MMC attacks

<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <SOAP-ENV:Header>
    <sapsess:Session xmlns:sapsess="http://www.sap.com/webas/630/soap/features/session/">
      <enableSession>true</enableSession>
    </sapsess:Session>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body>
    <ns1:ReadLogFile xmlns:ns1="urn:SAPControl">
      <filename>j2ee/cluster/server0/log/system/userinterface.log</filename>
      <filter/>
      <language/>
      <maxentries>%COUNT%</maxentries>
      <statecookie>EOF</statecookie>
    </ns1:ReadLogFile>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Page 11

PWN

If an attacker can read a file from server OS, they can get clear text passwords of SAP users and, as a result, compromise the SAP system

Page 12

Default passwords

Page 13

Default passwords

User name | Password
SAP* | 06071992, PASS
DDIC | 19920706
TMSADM | PASSWORD, $1Pawd2&
EARLYWATCH | SUPPORT
SAPCPIC | ADMIN

Page 14

Passwords on client side

Page 15

SAPGUI: History of ActiveX attacks

Date | Component | Author | Vulnerability | Link
04.01.2007 | Rfcguisink | Mark Litchfield | BOF | http://www.ngssoftware.com/advisories/high-risk-vulnerability-in-enjoysap-stack-overflow/
04.01.2007 | Kwedit | Mark Litchfield | BOF | http://www.ngssoftware.com/advisories/high-risk-vulnerability-in-enjoysap-stack-overflow/
07.11.2008 | Mdrmsap | Will Dormann | BOF | http://www.securityfocus.com/bid/32186/info
07.01.2009 | Sizerone | Carsten Eiram | BOF | http://www.securityfocus.com/bid/33148/info
31.03.2009 | WebViewer3D | Will Dormann | BOF | http://www.securityfocus.com/bid/34310/info
15.04.2009 | Kwedit | Carsten Eiram | Insecure Method | http://secunia.com/secunia_research/2008-56/
08.06.2009 | Sapirrfc | Alexander Polyakov (ERPScan) | BOF | http://erpscan.com/advisories/dsecrg-09-015-sap-gui-6-4-buffer-overflow-vulnerability/
28.09.2009 | WebViewer3D | Alexander Polyakov (ERPScan) | Insecure Method | http://erpscan.com/advisories/dsecrg-09-043-sap-gui-7-1-webviewer2d-activex-%e2%80%94-insecure-methods/
28.09.2009 | WebViewer2D | Alexander Polyakov (ERPScan) | Insecure Method | http://erpscan.com/advisories/dsecrg-09-044-sap-gui-7-1-webviewer3d-activex-insecure-methods/
07.10.2009 | VxFlexgrid | Elazar Broad, Alexander Polyakov (ERPScan) | BOF | http://erpscan.com/advisories/dsecrg-09-017-sap-gui-vsflexgrid-activex-%e2%80%94-buffer-overflow-vulnerability/
23.03.2010 | BExGlobal | Alexey Sintsov (ERPScan) | Insecure Method | http://erpscan.com/advisories/dsecrg-09-064-sap-gui-7-1-insecure-method-code-execution/
unpublished | Kwedit | Alexander Polyakov, Alexey Troshichev (ERPScan) | Insecure Method | n/a
14.12.2010 | RFCSDK | Alexey Sintsov (ERPScan) | Memory Corruption | http://erpscan.com/advisories/dsecrg-09-069-sap-rfc-sdk-%e2%80%94-format-string/
14.12.2010 | RFCSDK | Alexey Sintsov (ERPScan) | Format String | http://erpscan.com/advisories/dsecrg-09-070-sap-rfc-sdk-%e2%80%94-memory-corruption/
unpublished | n/a | Alexander Polyakov (ERPScan) | Insecure Method | n/a
22.12.2010 | NWBC | Alexey Sintsov (ERPScan) | Memory Corruption | http://erpscan.com/advisories/dsecrg-10-010-zdi-10-290-sap-netweaver-business-client-sapthemerepository-activex-control-remote-code-execution-vulnerability/

Page 16

Passwords on client side

• Attack via ActiveX
‒ A lot of issues with RCE inside (1519966, 1327004, 1092631, …)

• Attack via client bugs
‒ Buffer overflow in saplogon.exe (1504547)

What after that?

SapLogon shortcuts!

Often, lazy users store the password for their SAP account in shortcuts

Page 17

Passwords on client side

[System]
Name=DM0
Description=Test Sap Server
Client=800
[User]
Name=SAP*
Language=EN
Password=PW_48B7231FD1FE390C
[Function]
Title=myShortcut
Command=se16
[Configuration]
WorkDir=C:\Documents and Settings\Administrator\My Documents\SAP\SAP GUI
[Options]
Reuse=1

This is what a typical shortcut looks like…

File: <name>.sap

Page 18

Passwords on client side

[Label]
Key1=myShortcut
[Command]
Key1=-desc="Test Sap Server" -sid="DM0" -clt="800" -u="SAP*" -l="EN" -tit="myShortcut" -cmd="se16" -wd="C:\Documents and Settings\Administrator\My Documents\SAP\SAP GUI" -ok="/nse16" -pwenc="PW_48B7231FD1FE390C"

…or like this

File: sapshortcut.ini

Page 19

Passwords on client side

pwenc="PW_48B7231FD1FE390C"

PW_48B7231FD1FE390C

48B7231FD1FE390C

I used this password: 06071992

Looks like XOR encryption

Page 20

Passwords on client side

• After a few experiments, we found out:
– Yes, this is XOR
– Yes, the key is static for all SAPLogon

• The key is: 788113…dc49b0

Page 21

Passwords on client side

• …and the PY code to decrypt (rewritten for Python 3; the key is truncated on the slide)

key = "788…"   # static SAPLogon key, shown truncated on the slide

def sxor(s1, s2):
    # byte-wise XOR of two equal-length byte strings
    return bytes(a ^ b for a, b in zip(s1, s2))

enc_pass = "PW_48B7231FD1FE390C"
# drop the "PW_" prefix, hex-decode, XOR with the static key
dec_pass = sxor(bytes.fromhex(enc_pass[3:]), bytes.fromhex(key))
print("Decoded password is: " + dec_pass.decode("latin-1"))
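Before any decoding question arises, a defender wants an inventory: which shortcut files on a workstation carry a stored password at all? The script below is an added example (not part of the talk or of ERPScan's tooling); it parses the two shortcut layouts shown on slides 17 and 18 and reports entries that contain a Password= or -pwenc= value, without decoding them. The sample files are constructed from the slides, and the function names scan_sap_shortcut and scan_sapshortcut_ini are chosen here.

```python
import re
from configparser import ConfigParser

# Constructed samples modelled on slides 17 and 18 (a ".sap" shortcut file
# and a sapshortcut.ini); the PW_ value is the one shown in the talk.
SAMPLE_SAP_FILE = """[System]
Name=DM0
Description=Test Sap Server
Client=800
[User]
Name=SAP*
Language=EN
Password=PW_48B7231FD1FE390C
[Function]
Title=myShortcut
Command=se16
[Options]
Reuse=1
"""

SAMPLE_SAP_FILE_CLEAN = """[System]
Name=PRD
Client=100
[User]
Name=AUDITOR
Language=EN
[Function]
Command=su01
"""

SAMPLE_SHORTCUT_INI = """[Label]
Key1=myShortcut
Key2=prodShortcut
[Command]
Key1=-desc="Test Sap Server" -sid="DM0" -clt="800" -u="SAP*" -l="EN" -cmd="se16" -pwenc="PW_48B7231FD1FE390C"
Key2=-desc="Production" -sid="PRD" -clt="100" -u="AUDITOR" -l="EN" -cmd="su01"
"""

# one -name="value" option inside a sapshortcut.ini command line
_OPTION = re.compile(r'-(\w+)="([^"]*)"')


def _parse_ini(text):
    # shortcut files are plain INI; interpolation is off so a "%" in a value is harmless
    cp = ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def scan_sap_shortcut(text):
    """Return a finding dict if a .sap file stores a password, else None."""
    cp = _parse_ini(text)
    if not cp.has_option("User", "Password"):
        return None
    return {
        "sid": cp.get("System", "Name", fallback=""),
        "client": cp.get("System", "Client", fallback=""),
        "user": cp.get("User", "Name", fallback=""),
        "where": "[User] Password=",
    }


def scan_sapshortcut_ini(text):
    """Return one finding per [Command] entry of sapshortcut.ini that carries -pwenc."""
    cp = _parse_ini(text)
    findings = []
    if not cp.has_section("Command"):
        return findings
    for key, cmdline in cp.items("Command"):
        opts = dict(_OPTION.findall(cmdline))
        if "pwenc" in opts:
            findings.append({
                "key": key,                 # ConfigParser lower-cases option names
                "sid": opts.get("sid", ""),
                "client": opts.get("clt", ""),
                "user": opts.get("u", ""),
                "where": "[Command] -pwenc=",
            })
    return findings


if __name__ == "__main__":
    for f in (scan_sap_shortcut(SAMPLE_SAP_FILE), scan_sap_shortcut(SAMPLE_SAP_FILE_CLEAN)):
        print("stored password:" if f else "clean", f or "")
    for f in scan_sapshortcut_ini(SAMPLE_SHORTCUT_INI):
        print("stored password:", f)
```

Run it over every *.sap file and every sapshortcut.ini found in user profiles; any hit is a credential that should be removed, and the EnablePassword=0 registry setting from the Prevention slide keeps new ones from being written.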

Page 22

Prevention

• Don’t use SAPGUI 6.4 (there are no patches for some vulns)
• Patch SAPGUI with the latest SP
• Don’t store passwords in shortcuts (HKCU\Software\SAP\SAPShortcut\Security EnablePassword=0)
• Make sure that you do not activate the storage of passwords in SAP shortcuts
• Authentication security for SAP shortcuts: http://help.sap.com/SAPHELP_NWPI71/helpdata/en/4d/dc9db9bc0e02cfe10000000a42189b/content.htm

Page 23

Passwords from USR02, USH02, USRPWDHISTORY

Page 24

USR02 password hash

• Well-known password area
• Hash algorithms:
– CODVN A
– CODVN B (MD5-based)
– CODVN D (MD5-based)
– CODVN E (MD5-based)
– CODVN F (SHA-1-based)
– CODVN G (code versions B & F)
– CODVN H (SHA-1-based)
– CODVN I (code versions B, F & H)
• Just use John the Ripper

Page 25

Prevention

• Use the latest algorithm

• SAP Note 2467: Password rules and preventing incorrect logons

• SAP Note 721119: Logon with (delivered) default user fails

• SAP Note 735356: Special character in passwords; reactivation not possible

• SAP Note 862989: New password rules as of SAP NetWeaver 2004s

• SAP Note 874738: New password hash calculation procedure (code version E)

• SAP Note 991968: Value list for login/password_hash_algorithm

• SAP Note 1023437: Downwardly incompatible passwords since NW2004s

• SAP Note 1237762: Protection against password hash attacks

• SAP Note 1300104: CUA – New password hash procedures - Background information

• SAP Note 1458262: Recommended settings for password hash algorithms

• SAP Note 1484692: Protect read access to password hash value tables

• SAP Note 1488159: SUIM – RSUSR003 – Incorrect results for CODVN = F
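"Use the latest algorithm" is only actionable once you know which users still carry an old hash. The following Python 3 script is an added example (not from the talk or from SAP); it classifies USR02 rows by their CODVN value using the list from slide 24, treats the MD5-based versions and the combined versions that still store a B hash as weak, and flags the delivered default users from slide 13. BNAME and CODVN are real USR02 column names; the rows themselves are constructed, and the weak/strong split is this example's own reading of the slide.

```python
# Hash code versions as listed on slide 24. The second field is this example's
# classification: MD5-based, or carrying an MD5-based hash next to a newer one,
# counts as weak (the old hash is still there to be attacked).
CODVN = {
    "A": ("oldest code version", True),
    "B": ("MD5-based", True),
    "D": ("MD5-based", True),
    "E": ("MD5-based", True),
    "F": ("SHA-1-based", False),
    "G": ("code versions B & F stored together", True),
    "H": ("SHA-1-based", False),
    "I": ("code versions B, F & H stored together", True),
}

# Delivered default users from slide 13
DEFAULT_USERS = {"SAP*", "DDIC", "TMSADM", "EARLYWATCH", "SAPCPIC"}

# Constructed sample export of USR02 (column names are real, rows are made up)
SAMPLE_USR02 = [
    {"BNAME": "SAP*",       "CODVN": "B"},
    {"BNAME": "DDIC",       "CODVN": "G"},
    {"BNAME": "J2EE_ADMIN", "CODVN": "H"},
    {"BNAME": "FI_CLERK",   "CODVN": "I"},
    {"BNAME": "AUDITOR",    "CODVN": "F"},
    {"BNAME": "LEGACY_RFC", "CODVN": "Z"},   # unknown value: report it, never ignore it
]


def audit_codvn(rows):
    """Return users with a weak hash, delivered default users that exist,
    and code versions this script does not know."""
    report = {"weak": [], "default_users": [], "unknown": []}
    for row in rows:
        name, codvn = row["BNAME"], row["CODVN"]
        if name in DEFAULT_USERS:
            report["default_users"].append(name)
        if codvn not in CODVN:
            report["unknown"].append((name, codvn))
            continue
        desc, weak = CODVN[codvn]
        if weak:
            report["weak"].append((name, codvn, desc))
    return report


def summarize(rows):
    """Human-readable summary of audit_codvn()."""
    r = audit_codvn(rows)
    lines = ["%d of %d users still carry an MD5-based hash" % (len(r["weak"]), len(rows))]
    for name, codvn, desc in r["weak"]:
        lines.append("  %-12s CODVN=%s (%s)" % (name, codvn, desc))
    for name in r["default_users"]:
        lines.append("  delivered default user present: %s" % name)
    for name, codvn in r["unknown"]:
        lines.append("  %-12s CODVN=%s unknown to this script" % (name, codvn))
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(SAMPLE_USR02))
```

Feed it an export of BNAME and CODVN from USR02; every user in the weak list needs a password change after login/password_hash_algorithm has been set per SAP Note 1458262, since the stored hash is only replaced when the password is next set.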

Page 26

Passwords from RFC request

Page 27

Passwords on client side

Page 28

Passwords on client side

• If an attacker captures an RFC request with logon data, he will be:
– Happy because he got the login and password
– Upset because the password is encrypted
– Happy because the encryption is just a XOR (lol)
– Happy because the key is static: 313ec…a4021
– Very happy because he got the clear text password

Page 29

Passwords on client side

• …and the PY code to decrypt (rewritten for Python 3; the key is truncated on the slide)

key = "313e…"   # static RFC key, shown truncated on the slide

def sxor(s1, s2):
    # byte-wise XOR of two equal-length byte strings
    return bytes(a ^ b for a, b in zip(s1, s2))

enc_pass = "<pwd_there>"   # hex string of the captured encrypted password
dec_pass = sxor(bytes.fromhex(enc_pass), bytes.fromhex(key))
print("Decoded password is: " + dec_pass.decode("latin-1"))
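Slides 19 to 21 and 28 to 29 describe the same weakness twice: a fixed XOR key shared by every installation. The reason this is not encryption is that one known password gives away the key, which is exactly how slide 19 found it ("I used this password: 06071992"). The block below is an added example (not code from the talk) that demonstrates the property with a constructed 16-byte DEMO_KEY; it is not the SAPLogon or RFC key, both of which the slides show only truncated. encode_pw, decode_pw and recover_key_prefix are names chosen here.

```python
# Constructed demo key (16 bytes). It is NOT a key from the talk.
DEMO_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def sxor(a, b):
    """Byte-wise XOR of two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def encode_pw(password, key=DEMO_KEY):
    """Produce the 'PW_' + hex layout seen in the shortcut using static-key XOR."""
    raw = password.encode("latin-1")
    if len(raw) > len(key):
        raise ValueError("password longer than the static key")
    return "PW_" + sxor(raw, key).hex().upper()


def decode_pw(enc, key=DEMO_KEY):
    """Inverse of encode_pw: XOR is its own inverse."""
    return sxor(bytes.fromhex(enc[3:]), key).decode("latin-1")


def recover_key_prefix(enc, known_password):
    """With a static key, one known password reveals as many key bytes as it is
    long, because ciphertext XOR plaintext == key. No secret is needed."""
    return sxor(bytes.fromhex(enc[3:]), known_password.encode("latin-1"))


def decode_with_prefix(enc, key_prefix):
    """Decode any other value no longer than the recovered prefix."""
    ct = bytes.fromhex(enc[3:])
    if len(ct) > len(key_prefix):
        raise ValueError("need %d key bytes, have %d" % (len(ct), len(key_prefix)))
    return sxor(ct, key_prefix).decode("latin-1")


if __name__ == "__main__":
    enc = encode_pw("06071992")                  # the test password from slide 19
    prefix = recover_key_prefix(enc, "06071992")
    print("recovered key prefix:", prefix.hex())
    print("another value decoded with it:", decode_with_prefix(encode_pw("Winter14"), prefix))
```

The takeaway for the Prevention slides that follow is that no amount of key secrecy rescues this scheme: the key is recoverable from a single known credential, so the only fix is to stop storing the password (shortcuts) or to protect the channel (SNC for RFC).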

Page 30

Prevention

• Secure RFC connection using SNC

• SAP Security Note 1724516

• RFC and SNC: http://help.sap.com/saphelp_nw70ehp2/helpdata/en/72/e52c4057cb185de10000000a1550b0/content.htm

Page 31

SAP Visual Admin password

Page 32

SAP VisualAdmin


• SAP Visual Admin – a remote tool for controlling J2EE Engine

• Uses the P4 protocol – SAP’s proprietary

• By default, all data transmitted in cleartext

• P4 can be configured to use SSL to prevent MitM

• Passwords are transmitted with some sort of encryption

Page 33

SAP VisualAdmin data

Page 34

Insecure password encryption in P4


// Decompiled fragment (original line numbers stripped); wrapped in a method so it
// compiles. The method name is chosen here, the body is the decompiled code.
static char[] maskPassword(char[] data) {
    char mask = 43690;  // aaaa hex
    char check = 21845; // 5555 hex
    char[] result = new char[data.length + 1];

    for (int i = 0; i < data.length; ++i) {
        mask = (char)(mask ^ data[i]);
        result[i] = mask;
    }
    result[data.length] = (char)(mask ^ check);

    return result;
}
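The routine above has no key at all: each output word is the previous output word XOR the next plaintext character, starting from the constant 0xAAAA, and the trailing word is only a check value. Anyone who sees the stream can invert it. The Python 3 block below is an added example (not from the talk) that ports the decompiled logic and shows the keyless inverse; p4_mask, p4_unmask and p4_is_masked are names chosen here.

```python
P4_MASK_SEED = 0xAAAA   # "char mask = 43690"
P4_CHECK = 0x5555       # "char check = 21845"


def p4_mask(password):
    """Port of the decompiled routine: a running XOR over the 16-bit chars,
    followed by one check word. Returns a list of 16-bit values."""
    mask = P4_MASK_SEED
    out = []
    for ch in password:
        mask = (mask ^ ord(ch)) & 0xFFFF
        out.append(mask)
    out.append((mask ^ P4_CHECK) & 0xFFFF)
    return out


def p4_unmask(words):
    """Keyless inverse. Since result[i] = result[i-1] ^ data[i] (with result[-1]
    being the constant seed), each plaintext char is the XOR of two adjacent
    words; the trailing check word only confirms the stream is intact."""
    if not words:
        raise ValueError("empty stream")
    body, check = words[:-1], words[-1]
    prev = P4_MASK_SEED
    chars = []
    for w in body:
        chars.append(chr(w ^ prev))
        prev = w
    if ((prev ^ P4_CHECK) & 0xFFFF) != check:
        raise ValueError("check word mismatch: stream truncated or corrupted")
    return "".join(chars)


def p4_is_masked(words):
    """Recognise a P4-masked password field on the wire: the last word must equal
    the running mask XOR 0x5555, which an observer can verify without any key."""
    try:
        p4_unmask(words)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    stream = p4_mask("Secr3t!")
    print([hex(w) for w in stream])
    print(p4_unmask(stream))
```

Because the transform is keyless, the only effective control is the one on the next slide: run P4 over SSL so the stream is never visible in the first place.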

Page 35

Prevention

• Secure P4 connection using SSL

• SAP Security Note 1724516

• Using P4 protocol over a secure connection: http://help.sap.com/saphelp_nw73ehp1/helpdata/en/48/2d9ba88aef4bb9e10000000a42189b/content.htm

Page 36

SAP JAVA Security Storage

Page 37

SecStore

• The AS Java stores security-relevant information encrypted in a file in the file system

• The AS Java stores the following security-relevant information in files in the file system:

– Database user SAP<SID>DB and its password

– Database connection information

– Administrator user and its password

• The secure storage file is located at:

\usr\sap\<SID>\SYS\global\security\data\SecStore.properties

Page 38

SecStore

$internal/version=Ni4zFF4wMSeaseforCCMxegAfx
admin/host/TTT=7KJuOPPs/+u+14jM7uy7cy7exrZuYvevkSrPxwueur2445yxgBS
admin/password/TTT=7KJuOPPs/+uv+14j56vDc7M7v7dytbGbkgqDp+QD04b0Fh
jdbc/pool/TTT=7KJuOPPs/+u5jM6s1cvvgQ1gzFvarxuUzEJTHTJI0VGegH
admin/port/TTT=7KJuOPPs/+u+1j4vD1cv6ZTvd336rzEd7267Rwr4ZUgRTQ
$internal/check=BJRrzfjeUA+bw4XCzdz16zX78ufbt
$internal/mode=encrypted
admin/user/TTT=7KJuOPPs/+u+14j6s14sTxXU3ONl3rL6N7yssV75eC6/5S3E

• The AS Java uses the SAP Java Cryptography Toolkit to encrypt the information in the secure store using the TripleDES algorithm. The encryption is performed during the AS Java installation process

• Let’s look deeper

Page 39

SecStore

• OK. TripleDES. We need a key for decryption
• The main problem is that the key file is located in the same directory as the encrypted data:

\usr\sap\<SID>\SYS\global\security\data\SecStore.key

• The key consists of two parts:
– Version information
– Encrypted key phrase

Page 40

SecStore

• Version information. It affects the TripleDES key
– If version >= 7.00.000, then the TripleDES key = key phrase + <SID>

• Encrypted key phrase
– By default, it is the initial password which the administrator sets during SAP system installation. Often, this phrase equals the DB password or an SAP administrator account password (SAP*, DDIC, J2EE_Admin, etc.)
– For encrypting the key phrase, an XOR algorithm with a static key is used: 43,-74…,-41,-67

• That’s why an attacker who only got the SecStore.key file can also get access to SAP, because they have the initial password

Page 41

SecStore

• OK. We have the encrypted passwords (SecStore.properties)

• We have the decrypted key (SecStore.key)

• We can get all sensitive information from Security Storage

• As I said, data’s encrypted by the TripleDES algorithm

• More precisely, the encryption uses the TripleDES algorithm in CBC mode with a secret key derived from a password with the SHA hash algorithm
– The key is the key phrase from SecStore.key + <SID> (if version >= 7.00.000)
– The salt is the value 0000000000000000

Page 42

SecStore

• We also wrote a tool which decrypts all the stuff from SAP JAVA AS Security Storage (SecStore_Cr.jar)

• Also, the SAP Secure Store file can have another name (e.g. JUpgrade.properties) and store other interesting data, like:
– Password for the SAP OS user (SIDADM)

– DB password

– DDIC password

– etc…

Page 43

Prevention

• Install SAP Note 1619539
• Restrict read access to the files SecStore.properties, JUpgrade.properties, and SecStore.key
• Managing secure storage in the file system: http://help.sap.com/saphelp_nw70ehp2/helpdata/en/cd/14c93ec2f7df6ae10000000a114084/content.htm

Page 44

Passwords from log files

Page 45

Log files

• We know about many places where SAP writes logs

• Administrator can define the verbosity level

• An attacker can find many interesting things in log files: information about the system, information about the users, even session information

• Very interesting path with logs: /sapinst_instdir/

But what about passwords?

Page 46

Log files

• Passwords in SAP log files look like this:

dev_umconfigurator.trc

Page 47

Log files

• Sometimes, we can find a clear text password

sapinst_dev.<n>.log

Page 48

Log files

• Sometimes, we can find an encrypted password

Page 49

Log files

• Guess what type of encryption is used?

• Right! XOR with a static hardcoded key:

31…65d

• As a result, we have a decryptor (rewritten for Python 3; the key is truncated on the slide):

key = "31…5d"   # static hardcoded key, shown truncated on the slide

def sxor(s1, s2):
    # byte-wise XOR of two equal-length byte strings
    return bytes(a ^ b for a, b in zip(s1, s2))

def prepare(val):
    # the trace stores the ciphertext as "|"-separated decimal byte values;
    # emit two hex digits per byte (the original hex() call dropped the leading
    # zero for values below 16) and wrap negative Java-style bytes into 0..255
    return "".join("%02x" % (int(a) & 0xFF) for a in val.split("|"))

encr = prepare(input("Enter encrypted password:"))
dec_pass = sxor(bytes.fromhex(encr), bytes.fromhex(key))
print("Decoded password is: " + dec_pass.decode("latin-1"))

Page 50

Log files

• The same story with the config file

usr\sap\<SID>\config\usagetypes.properties
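The defensive counterpart to slides 46 to 50 is to find credentials in traces and property files before anyone else does, and to mask them before the files are archived or shared. The Python 3 block below is an added example (not from the talk); it scans lines for password-looking keys, tells a clear-text value from the "|"-separated byte form that the decryptor above expects, and redacts them. The sample lines are constructed to match the shapes the slides describe and are not real SAP output; scan_lines, classify_value and redact are names chosen here.

```python
import re

# Constructed sample lines modelled on slides 46-50: a clear-text password in an
# installer log, a "|"-separated encrypted value in a trace, a harmless line, and
# a usagetypes.properties entry. Not real SAP output.
SAMPLE_LINES = [
    "2014-05-06 10:01:02 [sapinst] connecting to DM0 as J2EE_ADMIN password=Summer2014!",
    "2014-05-06 10:01:03 [umconfigurator] ume.persistence.pass=49|-102|117|3|88|-12",
    "2014-05-06 10:01:04 [sapinst] sid=DM0 instance=00 host=sapdm0",
    "com.sap.usagetypes.dbpwd=-74|12|99|101|5",
]

# key=value or key: value, where the key name mentions a password
_CRED = re.compile(r'(?i)([\w.]*(?:pass|pwd)[\w.]*)(\s*[=:]\s*)(\S+)')
# the "|"-separated signed-byte form the decryptor on slide 49 expects
_PIPE_BYTES = re.compile(r'^-?\d+(?:\|-?\d+)+$')


def classify_value(value):
    """'xor-encoded' for the pipe-separated byte form (reversible with the static
    key from the talk), 'clear-text' for anything else."""
    if _PIPE_BYTES.match(value):
        return "xor-encoded"
    return "clear-text"


def scan_lines(lines):
    """Return (line number, key, kind) for every credential-looking field."""
    findings = []
    for no, line in enumerate(lines, start=1):
        for key, _sep, value in _CRED.findall(line):
            findings.append((no, key, classify_value(value)))
    return findings


def redact(line):
    """Mask credential values so the trace can be archived or shared safely."""
    return _CRED.sub(lambda m: m.group(1) + m.group(2) + "<redacted>", line)


if __name__ == "__main__":
    for no, key, kind in scan_lines(SAMPLE_LINES):
        print("line %d: %s is %s" % (no, key, kind))
    for line in SAMPLE_LINES:
        print(redact(line))
```

Both kinds of finding should be treated as a leaked credential, since the encoded form is reversible; the scan is a cleanup aid for the "delete traces when work is finished" advice on the next slide, not a substitute for lowering the trace level.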

Page 51

Prevention

• Don’t use TRACE_LEVEL = 3

• Delete traces when work is finished

• Mask security-sensitive data in HTTP access log

• Incrementing/decrementing the trace level: https://help.sap.com/saphelp_nwpi71/helpdata/en/46/962416a5a613e8e10000000a155369/content.htm

Page 52

Passwords from SLD config file

Page 53

SLD

• SLD is the central information repository for your system landscape

• It contains information about:
– technical systems

– landscapes

– business systems

– products

– software components in your system landscape

Page 54

SLD password files

• Configuration file: usr\sap\<sid>\DVEBMGS<nn>\exe\slddest.cfg
– User name with the DataSupplierLD role
– User password (wooot!)
– Host name
– Port

Encrypted with the DES algorithm in early versions of SLD

Static default key is: 0A…71F

But if the user specifies a key, the key file (slddest.cfg.key) is stored next to the encrypted data file

Page 55

SLD password files

• In the latest versions of SLD, another algorithm is used: TripleDES with hardcoded key

Page 56

Prevention

• Restrict read access to file slddest.cfg and slddest.cfg.key

• Configuring sldreg and transferring data to SLD:

http://help.sap.com/saphelp_nw70/helpdata/en/42/ea5ff4b5d61bd9e10000000a11466f/content.htm

Page 57

Passwords from ABAP SecStore

Page 58

Password from RSECTAB

• The secure storage is a component of the SAP Web Application Server ABAP

• It allows the encrypted storage of sensitive data that SAP applications require when logging into other systems

• These SAP applications use the storage to store passwords:
– RFC destinations

– Exchange Infrastructure (XI)

– LDAP system users

– SAPphone

– SAPconnect

– CCMS (Generic Request and Message Generator)

• Table RSECTAB:

select rawtohex(DATA) from SAPSR3.RSECTAB

Page 59

Password from RSECTAB

Page 60

Password from RSECTAB

Page 61

Password from RSECTAB

• TripleDES 3DES mode: DES-EDE3

• The triple DES algorithm uses the DES-EDE3 method where a 24 byte key is supplied. This means there are three DES operations in the sequence encrypt-decrypt-encrypt with the three different keys. The first key will be bytes 1 to 8, the second key bytes 9 to 16 and the third key bytes 17 to 24

• Two rounds

Page 62

Password from RSECTAB

• First round

• Encrypt:

– char randomPrefix[2];

– char payload[109];

– char payloadLength;

– char magicLocal[4];

– char magicGlobalSalted[4];

– char recordIdentifierA7Hash[16];

Page 63

Password from RSECTAB

• Key for the first round of encryption, based on the default key:

Key’def[1]  = Keydef[1]  ^ (Hsup[0] & 0xF0)
Key’def[6]  = Keydef[6]  ^ (Hsup[0] & 0x0F)
Key’def[7]  = Keydef[7]  ^ (Hsup[3] & 0xF0)
Key’def[10] = Keydef[10] ^ (Hsup[1] & 0xF0)
Key’def[13] = Keydef[13] ^ (Hsup[1] & 0x0F)
Key’def[16] = Keydef[16] ^ (Hsup[4] & 0x0F)
Key’def[19] = Keydef[19] ^ (Hsup[2] & 0xF0)
Key’def[20] = Keydef[20] ^ (Hsup[2] & 0x0F)

• Where Hsup is md5(sidA7[3] + insnoA7[10])
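Carrying the derivation on this slide through in code makes its consequence visible: only eight nibbles of the 24-byte key are touched by the SID and installation number, so every installation that keeps Keydef differs from every other by at most 32 bits. The Python 3 block below is an added example (not from the talk or SAP); DEMO_KEY_DEF is a constructed placeholder, not the real default key, and the indices are taken as 0-based and "A7" as 7-bit ASCII, both assumptions. derive_round1_key, hsup and tweaked_bits are names chosen here.

```python
import hashlib

# (index into the 24-byte default key, index into Hsup, nibble mask): the eight
# tweaks listed on the slide, read here as 0-based indices (assumption)
KEY_TWEAKS = [
    (1, 0, 0xF0), (6, 0, 0x0F), (7, 3, 0xF0), (10, 1, 0xF0),
    (13, 1, 0x0F), (16, 4, 0x0F), (19, 2, 0xF0), (20, 2, 0x0F),
]

# Constructed placeholder for Keydef; the real default key is not on the slides.
DEMO_KEY_DEF = bytes(range(24))


def hsup(sid, insno):
    """Hsup = md5(sidA7[3] + insnoA7[10]). "A7" is read as 7-bit ASCII (assumption);
    the SID is 3 characters and the installation number 10."""
    if len(sid) != 3 or len(insno) != 10:
        raise ValueError("SID must be 3 chars and installation number 10 chars")
    return hashlib.md5((sid + insno).encode("ascii")).digest()


def derive_round1_key(key_def, sid, insno):
    """Apply the nibble tweaks from the slide to the 24-byte default key."""
    if len(key_def) != 24:
        raise ValueError("DES-EDE3 key must be 24 bytes")
    h = hsup(sid, insno)
    key = bytearray(key_def)
    for key_idx, h_idx, mask in KEY_TWEAKS:
        key[key_idx] ^= h[h_idx] & mask
    return bytes(key)


def tweaked_bits(key_def, derived):
    """Byte positions that actually changed, and the upper bound on how many bits
    of the 192-bit key can vary between installations at all."""
    positions = [i for i in range(24) if key_def[i] != derived[i]]
    return positions, sum(bin(m).count("1") for _, _, m in KEY_TWEAKS)


if __name__ == "__main__":
    # SID and installation number are constructed sample values
    k = derive_round1_key(DEMO_KEY_DEF, "DM0", "0020274217")
    pos, bits = tweaked_bits(DEMO_KEY_DEF, k)
    print("changed byte positions:", pos, "max installation-specific bits:", bits)
```

The 32-bit bound is the reason the Prevention slide for this section insists on choosing your own key: the installation-specific tweak adds no secrecy once the default key is known.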

Page 64

Password from RSECTAB

Page 65

Password from RSECTAB

• Second round

• Encrypt all data with the default key

Page 66

Password from RSECTAB

• What about the default key?

• It is encrypted via 3DES-EDE2, too

• But the key for this encryption is hardcoded

Page 67

Prevention

• Change the default key

• SAP Security Note 1902611

• Choosing your own key: http://help.sap.com/saphelp_nw70ehp2/helpdata/en/e0/f73d41945bdb2be10000000a1550b0/content.htm

Page 68

Passwords from DBCON table

Page 69

DBCON table

• SAP can hold connections to different DBs

• Administrators can manage these connections via transaction DBCO

• All DB connection information is stored encrypted in the table DBCON (Description of Database Connections)

Page 70

DBCON table

Page 71

DBCON table

• Encrypted data looks like:

V01/0030ZctvSB67Wv1OuVLazse4ORik

– BASE64 + DES

– hardcoded key: 59A…70E

– decrypted data includes static salt: BE HAPPY

Page 72

Prevention

• Restrict access to the table DBCON

• Restrict access to the transaction DBCO

• SAP Security Notes 1638280 and 1823566

Page 73

Passwords from HANA

Page 74

SAP HANA

• User details (including passwords) stored in hdbuserstore

• Located in the /usr/sap/hdbclient directory

• About hdbuserstore:
‒ SSFS_HDB.DAT
‒ with user data
‒ with keys

Page 75

SAP HANA

• SSFS_HDB.DAT

• Signature: RSecSSFsData

• 3DES

• Default key is the same as in the ABAP Security Storage

Page 76

SAP HANA

• SAP HANA – in memory database

• But it drops some data into the FS
– Backup
– Savepoint

“The SAP HANA database holds the bulk of its data in memory for maximum performance, but it still uses persistent disk storage to provide a fallback in case of failure. Data is automatically saved from memory to disk at regular savepoints. The data belonging to a savepoint represents a consistent state of the data on disk and remains so until the next savepoint operation has completed. After a power failure, the database can be restarted like any disk-based database and returns to its last consistent state”

– SAP HANA Security Guide

Page 77

SAP HANA

• “Data volume encryption ensures that anyone who can access the data volumes on disk using operating system commands cannot see the actual data. If data volumes are encrypted, all pages that reside in the data area on disk are encrypted using the AES-256-CBC algorithm.”

• “After data volume encryption has been enabled, an initial page key is automatically generated. Page keys are never readable in plain text, but are encrypted themselves using a dedicated persistence encryption root key.”

Page 78

SAP HANA

“SAP HANA uses SAP NetWeaver SSFS to protect the root encryption keys that are used to protect all encryption keys used in the SAP HANA system from unauthorized access.”

• SSFS_HDB.DAT
– HDB_SERVER/PERSISTENCE/ROOTKEY
– HDB_SERVER/DPAPI

• The persistence encryption feature does not encrypt the following data:
– Database redo log files

– Database backups

– Database traces

Page 79

Prevention

• Change the encryption key after installation

• Restrict access to the key file

• Restrict access to the DAT file

• Security guide for HANA (p. 71) http://help.sap.com/hana/SAP_HANA_Security_Guide_en.pdf

• Secure storage in the file system: http://help.sap.com/saphelp_nw70ehp2/helpdata/en/a0/82dd0abbde4696b98a8be133b27f3b/content.htm
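Three Prevention slides in this talk (SecStore on slide 43, SLD on slide 56, and HANA here) come down to the same two checks: the secret files must not be readable by other OS users, and a key file must not sit in the same directory as the data it protects. The Python 3 block below is an added example (not from the talk or SAP) that walks a directory tree for the file names the slides name and applies both checks; the demo builds a constructed /usr/sap-like tree in a temporary directory, and find_sensitive_files, readable_by_others and colocated_keys are names chosen here.

```python
import os
import stat
import tempfile

# File names the talk says must not be readable by others (slides 43, 56 and 79)
SENSITIVE_NAMES = {
    "SecStore.properties", "SecStore.key", "JUpgrade.properties",
    "slddest.cfg", "slddest.cfg.key", "SSFS_HDB.DAT",
}
# (data file, key file) pairs where finding both in one directory defeats the encryption
KEY_PAIRS = [("SecStore.properties", "SecStore.key"), ("slddest.cfg", "slddest.cfg.key")]


def find_sensitive_files(root):
    """All files under root whose name is in SENSITIVE_NAMES, sorted."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in SENSITIVE_NAMES:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def readable_by_others(paths):
    """Return (path, octal mode) for files with group or world read permission."""
    out = []
    for p in paths:
        mode = stat.S_IMODE(os.stat(p).st_mode)
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            out.append((p, "%04o" % mode))
    return out


def colocated_keys(paths):
    """Return data files whose key file sits in the same directory."""
    by_dir = {}
    for p in paths:
        by_dir.setdefault(os.path.dirname(p), set()).add(os.path.basename(p))
    out = []
    for d, names in by_dir.items():
        for data, key in KEY_PAIRS:
            if data in names and key in names:
                out.append(os.path.join(d, data))
    return sorted(out)


def demo_audit():
    """Build a constructed /usr/sap-like tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        sec = os.path.join(root, "usr", "sap", "DM0", "SYS", "global", "security", "data")
        os.makedirs(sec)
        # properties locked down, key file left world-readable on purpose
        for name, mode in [("SecStore.properties", 0o600), ("SecStore.key", 0o644)]:
            path = os.path.join(sec, name)
            with open(path, "w"):
                pass
            os.chmod(path, mode)
        files = find_sensitive_files(root)
        return {
            "found": [os.path.basename(p) for p in files],
            "readable": [os.path.basename(p) for p, _ in readable_by_others(files)],
            "colocated": [os.path.basename(p) for p in colocated_keys(files)],
        }


if __name__ == "__main__":
    print(demo_audit())
```

Point find_sensitive_files at /usr/sap (or the HANA client directory) on a real host; anything in the readable list needs its mode tightened, and a co-located pair means the key must be moved or, for SecStore, re-generated per SAP Note 1619539. The permission check relies on POSIX mode bits and does not apply as-is on Windows.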

Page 80

Etc..

• ICF Password Repository – ICFSECPASSWD

• FI module passwords – FIEB_PASSWORD

• Oracle Fail Safe – Stores passwords inside the ENVIRONMENT variable (Note 1764043 p. 4)

• SAP BusinessObjects LCMuser – hardcoded SVN user – \SAP BusinessObjects Enterprise XI.0\LCM_repository\svn_repository\conf

• SAP BusinessObjects axis2 login:password – axis2.xml

Just try to grep DB using the word “password”

Page 81

Conclusion

It is possible to protect yourself from these kinds of issues, and we are working closely with SAP to keep customers secure

SAP guides

It’s all in your hands

Regular security assessments

ABAP code review

Monitoring technical security

Segregation of duties

Security events monitoring

Page 82

Web: www.erpscan.com e-mail: [email protected] Twitter: @erpscan @_chipik