Unbreakable Oracle ERPs?
Attacks on Siebel & JD Edwards
Juan Perez-Etchegoyen - [email protected]
Jordan Santarsieri - [email protected]
October 26th, 2012
AppsecUSA 2012
www.onapsis.com – © 2012 Onapsis , Inc. – All rights reserved
Disclaimer
This publication is copyright 2012 Onapsis, Inc. – All rights reserved.
This publication contains references to the products of Oracle; the products and services mentioned herein are trademarks or registered trademarks of Oracle in all countries all over the world.
Oracle Corporation is neither the author nor the publisher of this publication and is not responsible for its content, and Oracle Corporation shall not be liable for errors or omissions with respect to the materials.
Attacks to SAP Web Applications
Agenda
Introduction
What is Siebel?
Attacks on Siebel
What is JD-Edwards?
Attacks on JDE
Conclusions
Cyber-Attacks to SAP Systems
Introduction
Who is Onapsis, Inc.?
● Company focused on the security of ERP systems and business-critical infrastructure (SAP®, Siebel®, Oracle® E-Business Suite™, PeopleSoft®, JD Edwards® …).
● Working with Global Fortune-100 and large governmental organizations.
What does Onapsis do?
● Innovative ERP security software (Onapsis X1, Onapsis Bizploit, Onapsis IPS).
● ERP security consulting services.
● Trainings on business-critical infrastructure security.
Who are we?
● Juan, CTO at Onapsis.
● Jordan, Senior ERP Security Researcher.
● Discovered several vulnerabilities in SAP, Microsoft, IBM, Oracle...
● Speakers/Trainers at BlackHat, HITB, DeepSec, Source, Ekoparty, 8dot8...
● Authors of the “SAP Security In-Depth” publication.
A Business-Critical Infrastructure
● ERP systems store and process the most critical business information in the organization.
● If the ERP platform is breached, an intruder would be able to perform different attacks, such as:
ESPIONAGE: Obtain customers/vendors/human resources data, financial planning information, balances, profits, sales information, manufacturing recipes, etc.
SABOTAGE: Paralyze the operation of the organization by shutting down the ERP system, disrupting interfaces with other systems, deleting critical information, etc.
FRAUD: Modify financial information, tamper with sales and purchase orders, create new vendors, modify vendor bank account numbers, etc.
What is Siebel?
What is Siebel?
● Siebel is a CRM (Customer Relationship Management) system. The main goal of this type of system is to keep a record of all the interactions (whether direct or indirect) between the clients and the company.
● It was originally developed and owned by the “Siebel Systems” company, but it was purchased by Oracle in September 2005 for approximately $5.8 billion.
● Due to the type of information that is stored on Siebel systems, they are also considered “mission-critical systems” within big companies.
● It is used by some of the largest organizations in the world, as it is currently considered one of the most popular and mature CRMs in the market.
What is Siebel?
In a typical scenario, the Siebel application will hold data related to:
● Credit card information
● Billing information (name, address, level of income)
● Family tree (names of your father, mother, wife, etc.)
● Your habits as a consumer (Do you spend more money on Christmas? Holidays? Which brands do you prefer?)
This kind of information is highly valuable, not only for the company, but also for a potential attacker or competitor.
Attacks on Siebel
Discovering Siebel Servers Online
● Lots of Siebel servers are connected to the Internet, and some of them allow anyone to register in the system with no requirements.
● Attackers know how to find them using regular search engines, so the tools to do it are out there!
Siebel Anonymous User
● The anonymous user is required even if the application does not allow access by unregistered users. When Siebel starts up, it uses the anonymous user account to connect to the user “datasource” and retrieve information (such as a license key) before presenting the login page.
● If it is deleted, no one will be able to access Siebel.
● At installation time, you have to choose an already created user that is going to be the anonymous user.
Demo: Anonymous user bypass
Bypassing the Siebel login
● By definition, the anonymous user must have a low level of privileges, but… many Siebel administrators and developers grant this user a high level of privileges in order to avoid configuration issues.
● As a result of this misconfiguration, the login screen can be bypassed and an attacker might be able to take complete control of the Siebel server remotely.
● This would lead to a full compromise of the CRM and of the information stored and processed on the system.
Protection / Countermeasure
In the Siebel configuration file, set the “anonymous user” property to a low-privileged user.
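As an added example (not from the slides, nor Siebel's own tooling), the following Python script audits an eapps.cfg, the Siebel Web Server Extension configuration file in which the AnonUserName property names the anonymous user, and reports every application section whose effective anonymous user is a privileged account; the configuration excerpt and the privileged-account list are constructed (SADMIN is the default Siebel administrator account, the other two names are assumed local conventions).

```python
"""Added example: audit a Siebel eapps.cfg for a privileged anonymous user.
The sample configuration and the privileged-account policy are constructed."""
import configparser

# Constructed eapps.cfg excerpt. Per-application sections inherit AnonUserName
# from [defaults] unless they override it themselves.
SAMPLE_EAPPS_CFG = """
[defaults]
AnonUserName = GUESTCST
AnonPassword = ********

[/callcenter_enu]
AnonUserName = SADMIN
ConnectString = siebel.TCPIP.None.None://siebsrvr:2321/SBA/SCCObjMgr_enu

[/eservice_enu]
ConnectString = siebel.TCPIP.None.None://siebsrvr:2321/SBA/eServiceObjMgr_enu
"""

# Constructed policy: accounts that must never serve as the anonymous user.
# SADMIN is Siebel's default administrator; the others are assumed local names.
PRIVILEGED_ACCOUNTS = {"SADMIN", "SIEBEL", "ADMIN"}


def parse_eapps(text):
    """Return {section: effective AnonUserName or None}, applying [defaults]."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    default_anon = cp.get("defaults", "AnonUserName", fallback=None)
    effective = {}
    for section in cp.sections():
        if section == "defaults":
            continue
        effective[section] = cp.get(section, "AnonUserName", fallback=default_anon)
    return effective


def audit_anonymous_users(text, privileged=PRIVILEGED_ACCOUNTS):
    """Return (section, user) pairs whose effective anonymous user is privileged,
    i.e. where a login bypass would hand an attacker administrative access."""
    findings = []
    for section, user in parse_eapps(text).items():
        if user is not None and user.upper() in privileged:
            findings.append((section, user))
    return findings


if __name__ == "__main__":
    for section, user in audit_anonymous_users(SAMPLE_EAPPS_CFG):
        print(f"{section}: anonymous user {user!r} is a privileged account")
```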
Siebel Access Control
● Siebel has two different access control methods:
● Access restriction at view level (limits who can access the views)
● Access restriction at business component level (limits who can access the data)
● Both mechanisms prevent unauthorized access to restricted data that should only be available to a set of users.
Siebel Query Language
● Siebel Query Language is an expression language that is used in many locations in Siebel.
● The ability to execute a query with Siebel Query Language is not restricted by any kind of authorization check. If the functionality is present in the applet, the user can use it (privilege independent).
● It was originally created to filter data in an applet.
Demo: Siebel Query Language Injection
Siebel Query Language
● Using a Siebel Query expression, a remote, authenticated attacker is able to bypass both authorization mechanisms and retrieve all the data from the database that is mapped to a business component field (except calculated fields).
● The exploitation procedure is very similar to exploiting a blind SQL injection, with a strong manual component.
Protection / Countermeasure
Using eScript, hook the pre-query or invoke-query methods and apply a custom filter that prevents the use of dangerous functions.
What is JD Edwards?
What is JD Edwards?
“Oracle's JD Edwards EnterpriseOne is an integrated applications suite of comprehensive enterprise resource planning software that combines business value, standards-based technology, and deep industry experience into a business solution with a low total cost of ownership. EnterpriseOne is the first ERP solution to run all applications on Apple iPad. JD Edwards EnterpriseOne also delivers mobile applications.” http://bit.ly/TBRBfD
● ERP software widely used in specific industries (like real estate).
● The current products supported by Oracle are JDE EnterpriseOne and JDE World.
● Oracle will continue developing and supporting these products for an unlimited time.
JD Edwards Infrastructure
JD Edwards infrastructure is based on a layered stack.
● The communication is based on protocols like HTTP, ODBC and JDENET.
● The communication with the database is provided by an abstraction called JDEBase.
● JDENET is used to communicate with the Enterprise Server. http://bitly.com/QB12xx
JDE Enterprise Server
● It’s the most important server within the whole infrastructure, as it’s the component in charge of executing the business processes taking place in the company and covered by the ERP.
● Exposes the JDENET service, which is used to receive messages.
● Its configuration is driven by a text file (JDE.ini).
● The services architecture is based on kernel processes, where each kernel process is a DLL with the ability to process different types of messages.
JDE Kernels
● Kernels are defined in JDE.INI, and each kernel processes a range of messages (files MsgType.h & JDENET.H).
● For each kernel (DLL), there is a defined function that will be called for each message in the kernel's range.
● Critical kernels:
● Security Kernel
● System Adm. Kernel
● JDBNet Kernel
● (actually all of them are!)
● Each kernel process provides a very specific set of functionalities.
JDENET
● Application-level network protocol used to communicate with the JD Edwards Enterprise Server.
● Configured by default on TCP port 6015 to receive messages.
● Also available on UDP 6015 to receive “commands”.
The protocol is message-based, meaning that you send messages (of a specific TYPE) and each message contains different “packets”:
● nNoPacket
● nDataPacket
● nFilePacket
● nUnicodePacket
● nShortArrayPacket
● nIntArrayPacket
Attacks on JDE
Default Users
When JD Edwards systems are installed, several standard users are configured in the database with default passwords (password=username):
JDE CRPCTL CRPDTA TESTCTL TESTDTA PRDCTL PRDDTA PS900CTL PS900DTA DD900 OL900 DV900 PD900 PY900 JDEDBA APPLEAD SVM900 SY900 …
Depending on the user, it is possible to access ALL information stored in the database.
Protection / Countermeasure
Change the default passwords for ALL standard users.
Additionally, avoid setting weak passwords for the database users, whether these users are used directly or as proxy users.
Control Commands
● Commands can be sent via UDP to port 6015. Some of the accepted commands are:
SHOWCONN TOGGLE_LOG CONNECT_FROM CONNECT_TO CONNECT_REJECT GET_WRKMGT VIEW_KERNEL_TRACE SHUTDOWN USRBROADCAST …
Wait a minute… did you say SHUTDOWN???
Demo: Control Commands
Control Commands
● This attack can take place if a remote unauthenticated attacker is able to reach UDP port 6015.
● A tiny packet containing the ASCII string “SHUTDOWN” can be created and sent over UDP to the aforementioned port.
● The packet is received by the JDENET_n process and, according to its programming, it will trigger the shutdown of itself along with all kernel processes.
● As a result of sending the packet, the whole JDE Enterprise Server shuts down, breaking any active interface and business process. The financial losses of such an attack can be enormous.
Protection / Countermeasure
Apply the latest Oracle Critical Patch Update, as the fix for this attack was released by Oracle in a scheduled CPU.
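Until the CPU is applied, the unauthenticated control channel is worth watching. As an added example (not from the slides or from Oracle), the Python below runs a simple detection over captured datagram records: any of the control commands listed on the previous slide arriving on UDP/6015 from a host outside an administration allow-list is flagged, with SHUTDOWN and TOGGLE_LOG rated critical. The datagram records, the host addresses and the allow-list are constructed.

```python
"""Added example: detect JDENET control commands on UDP/6015 from non-admin
hosts. Command names are those listed in the slides; traffic is constructed."""
from collections import namedtuple

Datagram = namedtuple("Datagram", "src dst proto dport payload")

JDENET_UDP_PORT = 6015
# Control commands named on the slides.
CONTROL_COMMANDS = {"SHOWCONN", "TOGGLE_LOG", "CONNECT_FROM", "CONNECT_TO",
                    "CONNECT_REJECT", "GET_WRKMGT", "VIEW_KERNEL_TRACE",
                    "SHUTDOWN", "USRBROADCAST"}
# Constructed severity policy: SHUTDOWN stops the whole Enterprise Server and
# TOGGLE_LOG can switch off the logging a defender relies on.
CRITICAL_COMMANDS = {"SHUTDOWN", "TOGGLE_LOG"}

# Constructed allow-list: the only hosts expected to issue control commands.
ADMIN_HOSTS = {"10.0.0.5"}

# Constructed sample traffic towards an Enterprise Server at 10.0.0.20.
SAMPLE_TRAFFIC = [
    Datagram("10.0.0.5", "10.0.0.20", "udp", 6015, b"SHOWCONN"),
    Datagram("192.168.7.44", "10.0.0.20", "udp", 6015, b"SHUTDOWN\x00"),
    Datagram("192.168.7.44", "10.0.0.20", "udp", 6015, b"TOGGLE_LOG"),
    Datagram("10.0.0.9", "10.0.0.20", "tcp", 6015, b"\x00\x10JDENET message"),
    Datagram("10.0.0.9", "10.0.0.20", "udp", 6015, b"\x7f\x00\x01garbage"),
]


def extract_command(payload):
    """Return the control command a datagram carries, or None if it is not one.
    Commands are plain ASCII; anything after a NUL terminator is ignored."""
    text = payload.split(b"\x00", 1)[0]
    try:
        cmd = text.decode("ascii").strip().upper()
    except UnicodeDecodeError:
        return None
    return cmd if cmd in CONTROL_COMMANDS else None


def detect_control_commands(traffic, admin_hosts=ADMIN_HOSTS):
    """Return (severity, src, command) for every control command sent to
    UDP/6015 by a host that is not on the administration allow-list."""
    alerts = []
    for d in traffic:
        if d.proto != "udp" or d.dport != JDENET_UDP_PORT:
            continue
        cmd = extract_command(d.payload)
        if cmd is None or d.src in admin_hosts:
            continue
        severity = "critical" if cmd in CRITICAL_COMMANDS else "medium"
        alerts.append((severity, d.src, cmd))
    return alerts


if __name__ == "__main__":
    for severity, src, cmd in detect_control_commands(SAMPLE_TRAFFIC):
        print(f"[{severity}] JDENET control command {cmd} from {src}")
```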
Sensitive Information Retrieval
● Several message types allow a remote unauthenticated user to retrieve information that could be used to compromise the system.
● An example of such an attack is the possibility of remotely retrieving information from the JDE.INI file, which holds configuration information but also sensitive information in clear text, such as:
● Kernel types and configuration.
● Security Server configuration.
● SSO Node information.
● Database information.
● …
Demo: Sensitive Information Retrieval
Sensitive Information Retrieval
● A remote unauthenticated user that is able to reach the JDENET service is able to retrieve credentials to connect to the database.
● The credentials are stored in clear text, so no brute-force or decryption process is required.
● The attacker can then connect to the ERP system's production database using the retrieved credentials.
● Once connected, he is able to access any business-related or technical table. Specifically, he would be able to access the F98OWSEC table, which holds the users' passwords.
Do you know which hashing mechanism is used to store these passwords?
None. User passwords are “encrypted” using XOR.
Protection / Countermeasure
Apply the latest Oracle Critical Patch Update, as the fix for this attack was released by Oracle in a scheduled CPU.
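The point about XOR deserves a concrete illustration. As an added example (not from the slides, and not a reproduction of JD Edwards' actual scheme), the Python below shows the two properties that make an XOR-obfuscated password table worthless once it is read: equal passwords produce equal records, and a single user who knows their own password recovers the key material for everyone else. It then shows the salted, iterated PBKDF2 hashing that a password store should use instead. The key and the user table are constructed.

```python
"""Added example: XOR 'encryption' of a password table versus password hashing.
The fixed key and the sample table are constructed; this is not JDE's scheme."""
import hashlib
import hmac
import os

# Constructed, hypothetical fixed key: any reversible scheme needs one, and
# it has to be available to every component that reads the table.
DEMO_KEY = b"\x5a\xc3\x19\x77\x0e\xa1\x4d\x88"
PBKDF2_ITERATIONS = 200_000


def xor_obfuscate(password: bytes, key: bytes = DEMO_KEY) -> bytes:
    """Repeating-key XOR; 'encrypting' and 'decrypting' are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(password))


def key_from_known_password(known_pw: bytes, stored: bytes) -> bytes:
    """Known plaintext gives the key for every position it covers:
    key = plaintext XOR stored. One legitimate user's own login suffices."""
    return bytes(p ^ c for p, c in zip(known_pw, stored))


def recover_table(table: dict, known_user: str, known_pw: bytes) -> dict:
    """Use one known entry of a constructed {user: stored} table to recover
    the leading len(known_pw) bytes of every other user's password."""
    key = key_from_known_password(known_pw, table[known_user])
    return {user: xor_obfuscate(stored[:len(key)], key)
            for user, stored in table.items()}


def hash_password(password: bytes, salt: bytes = None) -> tuple:
    """Mitigation: per-user salt plus iterated PBKDF2-HMAC-SHA256. Equal
    passwords give different records and no key unlocks the whole table."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: bytes, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the recomputed digest against the stored one."""
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed table: two users, one of whom knows their own password.
    table = {"ALICE": xor_obfuscate(b"Winter12"), "BOB": xor_obfuscate(b"Secret!!")}
    print(recover_table(table, "ALICE", b"Winter12"))  # BOB's password falls out
    salt, digest = hash_password(b"Secret!!")
    print(verify_password(b"Secret!!", salt, digest))  # True
```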
The tip of the iceberg…
Onapsis is a pioneer in analyzing the technical security of ERP systems such as SAP. To gain insight into the security of other ERPs, we did deep research on JD Edwards, resulting in:
● Over 20 vulnerabilities detected, most of them critical.
● Oracle took almost 2 years to fix them.
● Most of the vulnerabilities can be exploited by remote, unauthenticated attackers.
● Several vulnerabilities were caused by design flaws.
● The fix for the last vulnerability will be released in the next CPU.
The tip of the iceberg…
The following security advisories are a sample of the ones that have
already been released by Onapsis:
● ONAPSIS-2012-007: SawKernel SET_INI Configuration Modification
● ONAPSIS-2012-006: JDENET Large Packets Denial of Service
● ONAPSIS-2012-004: SawKernel GET_INI Information Disclosure
● ONAPSIS-2012-003: SawKernel Arbitrary File Read
● ONAPSIS-2012-002: Security Kernel Remote Password Disclosure
● ONAPSIS-2012-001: JDENET Arbitrary File Write
● ONAPSIS-2011-012: JDENET Firewall Bypass
● ONAPSIS-2011-011: JDENET Buffer Overflow
● ONAPSIS-2011-010: JDENET Logging Deactivation
● ONAPSIS-2011-009: JDENET SawKernel Remote Password Disclosure
● ONAPSIS-2011-008: JDENET CallObjectKernel Remote Command Exec
● ONAPSIS-2011-007: JDENET Kernel Shutdown Denial of Service
Download them at www.onapsis.com!
Conclusions
● ERP systems are among the most critical systems in the organization, and that makes them a really interesting target for attackers.
● Segregation of Duties controls are necessary, but not enough! It’s important to protect the systems not only from the authorizations (roles and profiles) perspective but also at the technical level.
● Attacks on vulnerabilities at the technical level are even more critical than SoD violations, as no user is required and a full compromise of all the information can be achieved.
● While SAP has been in the spotlight in recent years, Oracle ERP systems are also prone to highly critical vulnerabilities.
● We’ll release new modules to be used with the Bizploit framework soon! Also stay tuned for some PeopleSoft news to come.
Questions? [email protected]
@jp_pereze
@jsansec
Thank you!
www.onapsis.com
Follow us! @onapsis