CONFidence 2014: Dmitry Chastukhin: All your SAP P@$$w0ЯdZ belong to us
DESCRIPTION
Nowadays, everyone knows about the great importance of SAP systems and the critical data they process. Large companies install SAP Security Notes regularly so as not to repeat the mistake of Nvidia. One bug is no longer enough to get access to all corporate SAP systems. Pentesters frequently find themselves in a situation where the OS of an SAP server has been compromised successfully, but they have no access to the ERP system. In addition, it is rather common to have an unprivileged account which gives them access to an encrypted password, but not to the whole system. Sometimes they even try to break into other systems with the passwords that users reuse across the systems they have already broken, but they can't, because the passwords need to be decrypted first. Where do we find the treasured password to access the financial transactions and revenues of NASDAQ monsters? Where and how does SAP store user passwords? Are all passwords stored as hashes, or can attackers find passwords in plaintext? This talk reviews the many places where SAP stores critical credentials, such as usernames and passwords, and, more interestingly, the way it stores them. Methods of retrieving them will be described, and decryption utilities will be presented. SAP GUI shortcuts, RFC connections, SAP Security Storage, logs, traces, database links, SAP HANA storage, you name it: all varieties of SAP modules will be discussed in this talk.
TRANSCRIPT
Invest in security to secure investments
All your SAP P@$$w0ЯdZ belong to us
Dmitry Chastukhin – Director of SAP pentest/research team
ERPScan
Leading SAP AG partner in the field of discovering security vulnerabilities, by the number of vulnerabilities found
• Developing software for SAP security monitoring
• Talks at 40+ security conferences worldwide: BlackHat (US/EU/DC/UAE), RSA, Defcon, CONFidence, HITB, etc.
• First to develop software for NetWeaver J2EE assessment
• The only solution to assess all areas of SAP security
• Research team with experience in different areas of security from ERP and web security to mobile, embedded devices, and critical infrastructure, accumulating their knowledge on SAP research.
• Local partner: PBSG, www.pbsg.pl
2 erpscan.com ERPScan — invest in security to secure investments
Dmitry Chastukhin
Business application security
expert
Yet another security researcher
SAP
• The most popular business application
• More than 250000 customers worldwide
• More than 83 % of Forbes 500 run SAP
• More than 40 % of ERP market in Poland
SAP security
Espionage: stealing financial information, stealing corporate secrets, stealing supplier and customer lists, stealing HR data
Fraud: false transactions, modification of master data
Sabotage: denial of service, modification of financial reports, access to the technology network (SCADA) by trust relations
Is it remotely exploitable?
> 5000 non-web SAP services exposed in the world including Dispatcher, Message server, SapHostControl, etc.
sapscan.com
What about other services?
[Bar chart, "World": exposed instances per service (SAP Dispatcher, SAP MMC, SAP Message Server, SAP HostControl, SAP ITS Agate, SAP Message Server httpd); y-axis 0 to 9]
SAP MMC – overview
• MMC is installed by default on port 5<ID>13
• Used for remote management of SAP servers
• Commands executed via SOAP interface
• By default, SSL is not implemented
• Administrative password transmitted using basic auth (Base64)
• By sniffing this password, we can get full control over the server
SAP MMC – attacks
• Many attacks can be implemented without authentication
• Attacks can be executed by sending SOAP requests
• Mostly, it is information disclosure and denial of service
• Also, OS command execution
Advanced MMC attacks
<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xs="http://www.w3.org/2001/XMLSchema">
<SOAP-ENV:Header>
<sapsess:Session
xmlns:sapsess="http://www.sap.com/webas/630/soap/features/session/">
<enableSession>true</enableSession>
</sapsess:Session>
</SOAP-ENV:Header>
<SOAP-ENV:Body>
<ns1:ReadLogFile xmlns:ns1="urn:SAPControl">
<filename>j2ee/cluster/server0/log/system/userinterface.log</filename>
<filter/>
<language/>
<maxentries>%COUNT%</maxentries>
<statecookie>EOF</statecookie>
</ns1:ReadLogFile>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
PWN
If an attacker can read a file from server OS, they can get clear text passwords of SAP users and, as a result, compromise the SAP system
Default passwords
User name | Password
SAP* | 06071992, PASS
DDIC | 19920706
TMSADM | PASSWORD, $1Pawd2&
EARLYWATCH | SUPPORT
SAPCPIC | ADMIN
Passwords on client side
SAPGUI: History of ActiveX attacks
Date | Component | Author | Vulnerability | Link
04.01.2007 | Rfcguisink | Mark Litchfield | BOF | http://www.ngssoftware.com/advisories/high-risk-vulnerability-in-enjoysap-stack-overflow/
04.01.2007 | Kwedit | Mark Litchfield | BOF | http://www.ngssoftware.com/advisories/high-risk-vulnerability-in-enjoysap-stack-overflow/
07.11.2008 | Mdrmsap | Will Dormann | BOF | http://www.securityfocus.com/bid/32186/info
07.01.2009 | Sizerone | Carsten Eiram | BOF | http://www.securityfocus.com/bid/33148/info
31.03.2009 | WebViewer3D | Will Dormann | BOF | http://www.securityfocus.com/bid/34310/info
15.04.2009 | Kwedit | Carsten Eiram | Insecure Method | http://secunia.com/secunia_research/2008-56/
08.06.2009 | Sapirrfc | Alexander Polyakov (ERPScan) | BOF | http://erpscan.com/advisories/dsecrg-09-015-sap-gui-6-4-buffer-overflow-vulnerability/
28.09.2009 | WebViewer3D | Alexander Polyakov (ERPScan) | Insecure Method | http://erpscan.com/advisories/dsecrg-09-043-sap-gui-7-1-webviewer2d-activex-%e2%80%94-insecure-methods/
28.09.2009 | WebViewer2D | Alexander Polyakov (ERPScan) | Insecure Method | http://erpscan.com/advisories/dsecrg-09-044-sap-gui-7-1-webviewer3d-activex-insecure-methods/
07.10.2009 | VxFlexgrid | Elazar Broad, Alexander Polyakov (ERPScan) | BOF | http://erpscan.com/advisories/dsecrg-09-017-sap-gui-vsflexgrid-activex-%e2%80%94-buffer-overflow-vulnerability/
23.03.2010 | BExGlobal | Alexey Sintsov (ERPScan) | Insecure Method | http://erpscan.com/advisories/dsecrg-09-064-sap-gui-7-1-insecure-method-code-execution/
unpublished | Kwedit | Alexander Polyakov, Alexey Troshichev (ERPScan) | Insecure Method |
14.12.2010 | RFCSDK | Alexey Sintsov (ERPScan) | Memory Corruption | http://erpscan.com/advisories/dsecrg-09-069-sap-rfc-sdk-%e2%80%94-format-string/
14.12.2010 | RFCSDK | Alexey Sintsov (ERPScan) | Format String | http://erpscan.com/advisories/dsecrg-09-070-sap-rfc-sdk-%e2%80%94-memory-corruption/
unpublished | | Alexander Polyakov (ERPScan) | Insecure Method |
22.12.2010 | NWBC | Alexey Sintsov (ERPScan) | Memory Corruption | http://erpscan.com/advisories/dsecrg-10-010-zdi-10-290-sap-netweaver-business-client-sapthemerepository-activex-control-remote-code-execution-vulnerability/
Passwords on client side
• Attack via ActiveX: a lot of issues with RCE inside (1519966, 1327004, 1092631, …)
• Attack via client bugs: buffer overflow in saplogon.exe (1504547)
What after that?
SapLogon shortcuts!
Often, lazy users store the password for their SAP account in shortcuts
Passwords on client side
[System]
Name=DM0
Description=Test Sap Server
Client=800
[User]
Name=SAP*
Language=EN
Password=PW_48B7231FD1FE390C
[Function]
Title=myShortcut
Command=se16
[Configuration]
WorkDir=C:\Documents and Settings\Administrator\My Documents\SAP\SAP GUI
[Options]
Reuse=1
This is what a typical shortcut looks like (file: <name>.sap)…
Passwords on client side
[Label]
Key1=myShortcut
[Command]
Key1=-
desc="Test Sap Server"
-sid="DM0"
-clt="800"
-u="SAP*"
-l="EN"
-tit="myShortcut"
-cmd="se16"
-wd="C:\Documents and Settings\Administrator\My Documents\SAP\SAP GUI"
-ok="/nse16"
-pwenc="PW_48B7231FD1FE390C"
…or like this (file: sapshortcut.ini)
Passwords on client side
pwenc="PW_48B7231FD1FE390C" -> PW_48B7231FD1FE390C -> 48B7231FD1FE390C (16 hex digits, i.e. 8 bytes)
I used this password: 06071992 (8 characters)
Looks like XOR encryption
Passwords on client side
• After a few experiments, we found out:
– Yes, this is XOR
– Yes, the key is static for all SAPLogon
• The key is: 788113…dc49b0 (check against the example above: 0x48 ^ '0' (0x30) = 0x78, 0xB7 ^ '6' (0x36) = 0x81, 0x23 ^ '0' (0x30) = 0x13)
Passwords on client side
• …and the PY code to decrypt (Python 3 form of the slide's script; the key is shown truncated on the slide)
key = "788113…dc49b0"   # static SAPLogon key (truncated here)

def sxor(s1, s2):
    # byte-wise XOR of two byte strings, truncated to the shorter one
    return bytes(a ^ b for a, b in zip(s1, s2))

enc_pass = "PW_48B7231FD1FE390C"
# drop the "PW_" prefix, hex-decode both operands, then XOR
dec_pass = sxor(bytes.fromhex(enc_pass[3:]), bytes.fromhex(key))
print("Decoded password is: " + dec_pass.decode("latin-1"))
Prevention
• Don't use SAPGUI 6.4 (there are no patches for some vulns)
• Patch SAPGUI with the latest SP
• Don't store passwords in shortcuts (HKCU\Software\SAP\SAPShortcut\Security EnablePassword=0)
• Make sure that you do not activate the storage of passwords in SAP shortcuts
• Authentication security for SAP shortcuts: http://help.sap.com/SAPHELP_NWPI71/helpdata/en/4d/dc9db9bc0e02cfe10000000a42189b/content.htm
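An added example for these prevention points, not code from the talk: an audit script that parses the <name>.sap and sapshortcut.ini formats shown on the previous slides, reports entries that store a password without decoding anything, and reads the EnablePassword registry value when run on Windows. The sample files are constructed, and the sapshortcut.ini command entry is written on one line as the file stores it.

```python
import configparser
import re

# Constructed sample of a <name>.sap shortcut that stores a password, in the
# layout shown on the slides (not a real customer file)
SAMPLE_SAP_SHORTCUT = """[System]
Name=DM0
Description=Test Sap Server
Client=800
[User]
Name=SAP*
Language=EN
Password=PW_48B7231FD1FE390C
[Function]
Title=myShortcut
Command=se16
"""

# Constructed sample of sapshortcut.ini: Key1 carries -pwenc, Key2 does not
SAMPLE_SAPSHORTCUT_INI = """[Label]
Key1=myShortcut
Key2=cleanShortcut
[Command]
Key1=-desc="Test Sap Server" -sid="DM0" -clt="800" -u="SAP*" -l="EN" -cmd="se16" -pwenc="PW_48B7231FD1FE390C"
Key2=-desc="Other" -sid="DM1" -clt="100" -u="DDIC" -l="EN" -cmd="se16"
"""

PWENC_RE = re.compile(r'-pwenc="[^"]*"')
OPT_RE = re.compile(r'-(?P<name>sid|clt|u)="(?P<value>[^"]*)"')


def _parse_ini(text):
    # Both files are INI-style; keep key case, no %-interpolation
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def audit_sap_shortcut(text):
    """Finding dict if a <name>.sap shortcut stores a password, else None."""
    cp = _parse_ini(text)
    if not cp.has_option("User", "Password"):
        return None
    return {
        "source": "shortcut",
        "sid": cp.get("System", "Name", fallback=""),
        "client": cp.get("System", "Client", fallback=""),
        "user": cp.get("User", "Name", fallback=""),
        # "PW_" prefix marks the obfuscated (XOR) form shown on the slides
        "obfuscated": cp.get("User", "Password").startswith("PW_"),
    }


def audit_sapshortcut_ini(text):
    """One finding per [Command] entry of sapshortcut.ini that carries -pwenc."""
    cp = _parse_ini(text)
    findings = []
    if not cp.has_section("Command"):
        return findings
    for key, cmdline in cp.items("Command"):
        if not PWENC_RE.search(cmdline):
            continue
        opts = {m.group("name"): m.group("value") for m in OPT_RE.finditer(cmdline)}
        findings.append({"source": "sapshortcut.ini", "entry": key,
                         "sid": opts.get("sid", ""), "client": opts.get("clt", ""),
                         "user": opts.get("u", ""), "obfuscated": True})
    return findings


def shortcut_password_storage_enabled():
    """Read HKCU\\Software\\SAP\\SAPShortcut\\Security\\EnablePassword (Windows only).
    Returns True/False, or None off Windows or when the value is absent."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                            r"Software\SAP\SAPShortcut\Security") as k:
            value, _ = winreg.QueryValueEx(k, "EnablePassword")
        return bool(int(value))
    except (OSError, ValueError):
        return None
```

Run the two audit functions over every *.sap file and sapshortcut.ini found in user profiles; a finding means the shortcut carries a credential that the static-key XOR does not protect.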
Passwords from USR02, USH02, USRPWDHISTORY
USR02 password hash
• Well known password area
• Hash algorithm:
– CODVN A
– CODVN B (MD5-based)
– CODVN D (MD5-based)
– CODVN E (MD5-based)
– CODVN F (SHA1-based)
– CODVN G (Code versions B & F)
– CODVN H (SHA-1-based)
– CODVN I (Code versions B, F & H)
• Just use John the Ripper
Prevention
• Use the latest algorithm
• SAP Note 2467: Password rules and preventing incorrect logons
• SAP Note 721119: Logon with (delivered) default user fails
• SAP Note 735356: Special character in passwords; reactivation not possible
• SAP Note 862989: New password rules as of SAP NetWeaver 2004s
• SAP Note 874738: New password hash calculation procedure (code version E)
• SAP Note 991968: Value list for login/password_hash_algorithm
• SAP Note 1023437: Downwardly incompatible passwords since NW2004s
• SAP Note 1237762: Protection against password hash attacks
• SAP Note 1300104: CUA – New password hash procedures - Background information
• SAP Note 1458262: Recommended settings for password hash algorithms
• SAP Note 1484692: Protect read access to password hash value tables
• SAP Note 1488159: SUIM – RSUSR003 – Incorrect results for CODVN = F
Passwords from RFC request
Passwords on client side
• If an attacker captures an RFC request with logon data, he will be:
– Happy because he got the login and password
– Upset because the password is encrypted
– Happy because the encryption is just a XOR (lol)
– Happy because the key is static: 313ec…a4021
– Very happy because he got the clear text password
Passwords on client side
• …and the PY code to decrypt (Python 3 form of the slide's script; the key is shown truncated on the slide)
key = "313ec…a4021"   # static RFC logon key (truncated here)

def sxor(s1, s2):
    # byte-wise XOR of two byte strings, truncated to the shorter one
    return bytes(a ^ b for a, b in zip(s1, s2))

enc_pass = "<pwd_there>"   # hex string of the encrypted password taken from the request
dec_pass = sxor(bytes.fromhex(enc_pass), bytes.fromhex(key))
print("Decoded password is: " + dec_pass.decode("latin-1"))
Prevention
• Secure RFC connection using SNC
• SAP Security Note 1724516
• RFC and SNC: http://help.sap.com/saphelp_nw70ehp2/helpdata/en/72/e52c4057cb185de10000000a1550b0/content.htm
SAP Visual Admin password
SAP VisualAdmin
• SAP Visual Admin: a remote tool for controlling the J2EE Engine
• Uses P4, SAP's proprietary protocol
• By default, all data is transmitted in cleartext
• P4 can be configured to use SSL to prevent MitM
• Passwords are transmitted with some sort of "encryption"
SAP VisualAdmin data
Insecure password encryption in P4
(decompiled fragment of the client-side password encoding, shown here as a method)
static char[] encode(char[] data) {
    char mask = 43690;   // 0xAAAA: initial mask value
    char check = 21845;  // 0x5555: constant folded into the trailing check word
    char[] result = new char[data.length + 1];

    for (int i = 0; i < data.length; ++i) {
        mask = (char)(mask ^ data[i]);   // running XOR: each output char is the new mask
        result[i] = mask;
    }
    result[data.length] = (char)(mask ^ check);   // trailing check word

    return result;
}
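The same scheme re-implemented in Python as an added example (not from the talk and not SAP's code), together with its inverse, to make the point of this slide concrete: every constant is public, so the step adds no confidentiality and only the SSL configuration from the Prevention slide protects the password on the wire.

```python
MASK_INIT = 0xAAAA   # 43690 in the decompiled code: initial mask
CHECK = 0x5555       # 21845 in the decompiled code: folded into the check word


def p4_obfuscate(password):
    """Re-implementation of the client scheme: every output char is the running
    XOR of the mask with all input chars so far, followed by one check word."""
    mask = MASK_INIT
    out = []
    for ch in password:
        mask = (mask ^ ord(ch)) & 0xFFFF   # Java char arithmetic is 16-bit
        out.append(mask)
    out.append((mask ^ CHECK) & 0xFFFF)
    return out


def p4_deobfuscate(words):
    """Inverse transform; no secret is involved. The i-th plaintext char is
    words[i] XOR words[i-1] (XOR MASK_INIT for i == 0). Returns the recovered
    string and whether the trailing check word is consistent with it."""
    body, trailer = words[:-1], words[-1]
    prev = MASK_INIT
    chars = []
    for w in body:
        chars.append(chr((w ^ prev) & 0xFFFF))
        prev = w
    return "".join(chars), trailer == ((prev ^ CHECK) & 0xFFFF)
```

Because the transform is deterministic and keyless, two logons with the same password also produce identical wire bytes, so a captured value can be matched without being decoded at all.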
Prevention
• Secure P4 connection using SSL
• SAP Security Note 1724516
• Using P4 protocol over a secure connection: http://help.sap.com/saphelp_nw73ehp1/helpdata/en/48/2d9ba88aef4bb9e10000000a42189b/content.htm
SAP JAVA Security Storage
SecStore
• The AS Java stores security-relevant information encrypted in files in the file system, among it:
– Database user SAP<SID>DB and its password
– Database connection information
– Administrator user and its password
• The secure storage file is located at:
\usr\sap\<SID>\SYS\global\security\data\SecStore.properties
SecStore
$internal/version=Ni4zFF4wMSeaseforCCMxegAfx
admin/host/TTT=7KJuOPPs/+u+14jM7uy7cy7exrZuYvevkSrPxwueur2445yxgBS
admin/password/TTT=7KJuOPPs/+uv+14j56vDc7M7v7dytbGbkgqDp+QD04b0Fh
jdbc/pool/TTT=7KJuOPPs/+u5jM6s1cvvgQ1gzFvarxuUzEJTHTJI0VGegH
admin/port/TTT=7KJuOPPs/+u+1j4vD1cv6ZTvd336rzEd7267Rwr4ZUgRTQ
$internal/check=BJRrzfjeUA+bw4XCzdz16zX78ufbt
$internal/mode=encrypted
admin/user/TTT=7KJuOPPs/+u+14j6s14sTxXU3ONl3rL6N7yssV75eC6/5S3E
• The AS Java uses the SAP Java Cryptography Toolkit to encrypt the information in the secure store using the TripleDES algorithm. The encryption is performed during the AS Java installation process
• Let’s look deeper
SecStore
• OK. TripleDES. We need a key for decryption
• The main problem is that the key file is located in the same directory as the encrypted data:
\usr\sap\<SID>\SYS\global\security\data\SecStore.key
• The key consists of two parts:
– Version information
– Encrypted key phrase
SecStore
• Version information. It affects the TripleDES key:
– If version >= 7.00.000, then the TripleDES key = key phrase + <SID>
• Encrypted key phrase:
– By default, it is the initial password which the administrator sets up during SAP system installation. Often, this phrase equals the DB password or an SAP administrator account password (SAP*, DDIC, J2EE_Admin, etc.)
– For encrypting the key phrase, a XOR algorithm with a static key is used: 43,-74…,-41,-67
• That's why, if an attacker only got the SecStore.key file, they can also get access into SAP, because they have the initial password
SecStore
• OK. We have the encrypted passwords (SecStore.properties)
• We have the decrypted key (SecStore.key)
• We can get all sensitive information from Security Storage
• As I said, the data is encrypted with the TripleDES algorithm
• More precisely, the encryption uses TripleDES in CBC mode with a secret key that is derived from a password with the SHA hash algorithm:
– The password the key is derived from is the key phrase from SecStore.key + <SID> (if version >= 7.00.000)
– The salt is the value 0000000000000000
SecStore
• We also wrote a tool which decrypts all the stuff from SAP JAVA AS Security Storage (SecStore_Cr.jar)
• Also, the SAP Secure Store file can have another name (e.g. JUpgrade.properties) and store other interesting data, like:
– Password for the SAP OS user (SIDADM)
– DB password
– DDIC password
– etc…
Prevention
• Install SAP Note 1619539
• Restrict read access to the files SecStore.properties, JUpgrade.properties, and SecStore.key
• Managing secure storage in the file system: http://help.sap.com/saphelp_nw70ehp2/helpdata/en/cd/14c93ec2f7df6ae10000000a114084/content.htm
Passwords from log files
Log files
• We know about many places where SAP writes logs
• Administrator can define the verbosity level
• An attacker can find many interesting things in log files: information about the system, information about the users, even session information
• Very interesting path with logs: /sapinst_instdir/
But what about passwords?
Log files
• Passwords in SAP log files look like this (screenshot: dev_umconfigurator.trc)
Log files
• Sometimes, we can find a clear text password (screenshot: sapinst_dev.<n>.log)
Log files
• Sometimes, we can find an encrypted password
Log files
• Guess what type of encryption is used?
• Right! XOR with a static hardcoded key: 31…65d
• As a result, we have a decryptor (Python 3 form of the slide's script; the key is shown truncated on the slide):
key = "31…65d"   # static hardcoded key (truncated here)

def sxor(s1, s2):
    # byte-wise XOR of two byte strings, truncated to the shorter one
    return bytes(a ^ b for a, b in zip(s1, s2))

def prepare(val):
    # the log stores the encrypted password as "|"-separated decimal byte values;
    # turn them into a hex string, zero-padded so that values below 16 do not
    # collapse to a single hex digit (the original hex().replace() did that)
    return "".join(format(int(a) & 0xFF, "02x") for a in val.split("|"))

encr = prepare(input("Enter encrypted password: "))
dec_pass = sxor(bytes.fromhex(encr), bytes.fromhex(key))
print("Decoded password is: " + dec_pass.decode("latin-1"))
Log files
• The same story with the config file
usr\sap\<SID>\config\usagetypes.properties
Prevention
• Don’t use TRACE_LEVEL = 3
• Delete traces when work is finished
• Mask security-sensitive data in HTTP access log
• Incrementing/decrementing the trace level: https://help.sap.com/saphelp_nwpi71/helpdata/en/46/962416a5a613e8e10000000a155369/content.htm
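An added example for the "mask security-sensitive data" point, not code from the talk: a detector and sanitiser for the two forms the preceding slides describe, cleartext password values and the "|"-separated decimal byte lists of the static-key XOR scheme, run over constructed log lines. The key names and line layout are assumptions, not real SAP trace output.

```python
import re

# Constructed sample lines in the spirit of sapinst_dev.<n>.log and dev_*.trc
# (not real SAP output): a cleartext value, a "|"-separated byte list as the
# XOR scheme above stores it, an already masked value, and an unrelated line
SAMPLE_LINES = [
    "TRACE [sapinst] parameter j2eeAdminPassword = SecretPw1",
    "DEBUG [umconfigurator] ume.ldap.access.password=102|54|48|55|49|57|57|50",
    "INFO  [umconfigurator] ume.ldap.access.user=cn=ldapbind",
    "DEBUG [sapinst] sapSystemPassword = ***",
]

# key=value or key: value where the key name smells like a password; the
# "pass" alternative is deliberately loose (it also hits e.g. "passphrase")
KEY_VALUE_RE = re.compile(
    r'(?P<key>[\w.\-]*(?:passw(?:or)?d|pwd|pass)[\w.\-]*)\s*[=:]\s*(?P<value>\S*)',
    re.IGNORECASE,
)
# encrypted form seen in the traces: decimal byte values joined by "|"
PIPE_BYTES_RE = re.compile(r'^-?\d+(?:\|-?\d+)+$')
MASKED = {"", "***", "<masked>", "********"}


def classify_value(value):
    """'masked' needs no action; 'pipe-encoded' is the static-key XOR form,
    which is as good as cleartext; anything else is reported as 'cleartext'."""
    if value in MASKED:
        return "masked"
    if PIPE_BYTES_RE.match(value):
        return "pipe-encoded"
    return "cleartext"


def scan_lines(lines):
    """Return one finding per line whose password-like value is not masked."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = KEY_VALUE_RE.search(line)
        if not m:
            continue
        kind = classify_value(m.group("value"))
        if kind != "masked":
            findings.append({"line": n, "key": m.group("key"), "kind": kind})
    return findings


def mask_line(line):
    """Replace the value of every password-like key with *** before a trace
    file leaves the host (e.g. when it is attached to a support ticket)."""
    return KEY_VALUE_RE.sub(lambda m: m.group("key") + "=***", line)
```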
Passwords from SLD config file
SLD
• SLD is the central information repository for your system landscape
• It contains information about: – technical systems
– landscapes
– business systems
– products
– software components in your system landscape
SLD password files
• Configuration file: usr\sap\<sid>\DVEBMGS<nn>\exe\slddest.cfg, containing:
– User name with the DataSupplierLD role
– User password (wooot!)
– Host name
– Port
• Encrypted with the DES algorithm in early versions of SLD
• Static default key: 0A…71F
• But if the user specifies a key, then the key file is stored next to the encrypted data file, as slddest.cfg.key
SLD password files
• In the latest versions of SLD, another algorithm is used: TripleDES with hardcoded key
Prevention
• Restrict read access to file slddest.cfg and slddest.cfg.key
• Configuring sldreg and transferring data to SLD: http://help.sap.com/saphelp_nw70/helpdata/en/42/ea5ff4b5d61bd9e10000000a11466f/content.htm
Passwords from ABAP SecStore
Password from RSECTAB
• The secure storage is a component of the SAP Web Application Server ABAP
• It allows the encrypted storage of sensitive data that SAP applications require when logging into other systems
• These SAP applications use the storage to store passwords: – RFC destinations
– Exchange Infrastructure (XI)
– LDAP system users
– SAPphone
– SAPconnect
– CCMS (Generic Request and Message Generator)
• Table RSECTAB (on Oracle: select rawtohex(DATA) from SAPSR3.RSECTAB)
Password from RSECTAB
• TripleDES 3DES mode: DES-EDE3
• The triple DES algorithm uses the DES-EDE3 method where a 24 byte key is supplied. This means there are three DES operations in the sequence encrypt-decrypt-encrypt with the three different keys. The first key will be bytes 1 to 8, the second key bytes 9 to 16 and the third key bytes 17 to 24
• Two rounds
Password from RSECTAB
• First round
• Encrypt the following record:
char randomPrefix[2];
char payload[109];
char payloadLength;
char magicLocal[4];
char magicGlobalSalted[4];
char recordIdentifierA7Hash[16];
Password from RSECTAB
• Key for the first round of encryption, derived from the default key (Keydef):
Key'def[1] = Keydef[1] ^ (Hsup[0] & 0xF0)
Key'def[6] = Keydef[6] ^ (Hsup[0] & 0x0F)
Key'def[7] = Keydef[7] ^ (Hsup[3] & 0xF0)
Key'def[10] = Keydef[10] ^ (Hsup[1] & 0xF0)
Key'def[13] = Keydef[13] ^ (Hsup[1] & 0x0F)
Key'def[16] = Keydef[16] ^ (Hsup[4] & 0x0F)
Key'def[19] = Keydef[19] ^ (Hsup[2] & 0xF0)
Key'def[20] = Keydef[20] ^ (Hsup[2] & 0x0F)
• Where Hsup = md5(sidA7[3] + insnoA7[10])
Password from RSECTAB
• Second round
• Encrypt all data with the default key
Password from RSECTAB
• What about the default key?
• It is encrypted via 3DES-EDE2, too
• But the key for this encryption is hardcoded
Prevention
• Change the default key
• SAP Security Note 1902611
• Choosing your own key: http://help.sap.com/saphelp_nw70ehp2/helpdata/en/e0/f73d41945bdb2be10000000a1550b0/content.htm
Passwords from DBCON table
DBCON table
• SAP can have connections to different DBs
• The administrator manages these connections via the transaction DBCO
• All DB connection information is stored encrypted in the table DBCON (Description of Database Connections)
DBCON table
• Encrypted data looks like: V01/0030ZctvSB67Wv1OuVLazse4ORik
– BASE64 + DES
– hardcoded key: 59A…70E
– decrypted data includes the static salt: BE HAPPY
Prevention
• Restrict access to the table DBCON
• Restrict access to the transaction DBCO
• SAP Security Notes 1638280 and 1823566
Passwords from HANA
SAP HANA
• User details (including passwords) stored in hdbuserstore
• Located in the /usr/sap/hdbclient directory
• About hdbuserstore: ‒ SSFS_HDB.DAT
‒ with user data
‒ with keys
SAP HANA
• SSFS_HDB.DAT
• Signature: RSecSSFsData
• 3DES
• Default key is the same as in the ABAP Security Storage
SAP HANA
• SAP HANA: in-memory database
• But it drops some data into the FS:
– Backup
– Savepoint
"The SAP HANA database holds the bulk of its data in memory for maximum performance, but it still uses persistent disk storage to provide a fallback in case of failure. Data is automatically saved from memory to disk at regular savepoints. The data belonging to a savepoint represents a consistent state of the data on disk and remains so until the next savepoint operation has completed. After a power failure, the database can be restarted like any disk-based database and returns to its last consistent state"
– SAP HANA Security Guide
SAP HANA
• “Data volume encryption ensures that anyone who can access the data volumes on disk using operating system commands cannot see the actual data. If data volumes are encrypted, all pages that reside in the data area on disk are encrypted using the AES-256-CBC algorithm.”
• “After data volume encryption has been enabled, an initial page key is automatically generated. Page keys are never readable in plain text, but are encrypted themselves using a dedicated persistence encryption root key.”
SAP HANA
"SAP HANA uses SAP NetWeaver SSFS to protect the root encryption keys that are used to protect all encryption keys used in the SAP HANA system from unauthorized access."
• SSFS_HDB.DAT:
– HDB_SERVER/PERSISTENCE/ROOTKEY
– HDB_SERVER/DPAPI
• The persistence encryption feature does not encrypt the following data:
– Database redo log files
– Database backups
– Database traces
Prevention
• Change the encryption key after installation
• Restrict access to the key file
• Restrict access to the DAT file
• Security guide for HANA (p. 71) http://help.sap.com/hana/SAP_HANA_Security_Guide_en.pdf
• Secure storage in the file system: http://help.sap.com/saphelp_nw70ehp2/helpdata/en/a0/82dd0abbde4696b98a8be133b27f3b/content.htm
Etc.
• ICF Password Repository – ICFSECPASSWD
• FI module passwords – FIEB_PASSWORD
• Oracle Fail Safe – stores passwords inside the ENVIRONMENT variable (Note 1764043 p. 4)
• SAP BusinessObjects LCMuser – hardcoded SVN user – \SAP BusinessObjects Enterprise XI.0\LCM_repository\svn_repository\conf
• SAP BusinessObjects axis2 login:password – axis2.xml
Just try to grep the DB using the word "password"
Conclusion
It is possible to protect yourself from these kinds of issues, and we are working closely with SAP to keep customers secure
SAP guides
It’s all in your hands
Regular security assessments
ABAP code review
Monitoring technical security
Segregation of duties
Security events monitoring
Web: www.erpscan.com e-mail: [email protected] Twitter: @erpscan @_chipik