Damian Poddebniak, Sebastian Schinzel, Andreas Wiegenstein
Patch me if you can
Troopers16 (SAP Security Track) March 16, 2016
Exclusively made for
#SAP #Security #Research
Andreas Wiegenstein
CTO of Virtual Forge GmbH
SAP Security Researcher, active since 2003
Received credit from SAP for > 80 reported 0-day vulnerabilities
Speaker at international conferences: Troopers, BlackHat, DeepSec, Hack in the Box, IT Defense, RSA, …
Damian Poddebniak
Research assistant at Münster University of Applied Sciences
Focus on IT security and cryptography
Prof. Dr. Sebastian Schinzel
Professor for computer security at Münster University of Applied Sciences
CTO of CycleSEC GmbH
Agenda
1. When I grow up, I want to be a Man-in-the-Middle!
2. Integrity and authenticity of software packages
3. SAP Basics
4. Introduction: SAP Patches, SMP & Download Manager
5. Security Issues
6. Conclusions
When I grow up, I want to be a Man-in-the-Middle!
You want to be a Man-in-the-Middle? Anyone can be a Man-in-the-Middle!
- You like coffee? Starbucks has free Wifi.
- The hotel you are (briefly) staying at tonight has Wifi?
- You can set up a Tor exit node
But who would download SAP software over those?
When I grow up, I want to be a Man-in-the-Middle!
More involved ways to become a MitM
- Use one of those Cisco/Juniper/Huawei/etc. exploits to compromise a router
- BGP hijacking
- DNS Spoofing, DNS Poisoning
- Man-in-the-Middle-as-a-Service, Hacking Team
Target: Administrators
Integrity and authenticity of software packages
HTTP/FTP download
HTTPS/SSH download
Digitally signed package
Integrity and authenticity of software packages
Digitally signed package
• Proof that the package wasn't changed since the maintainer signed it
Software package $m$
SAP: public key $e_a$, private key $d_a$
Signature creation: $s = \mathrm{hash}(m)^{d_a}$
SAP sends $(m, s)$; the customer receives $(m', s')$, which may differ if someone on the path tampered with them
Customer: public key $e_a$
Signature check: $s'^{\,e_a} \stackrel{?}{=} \mathrm{hash}(m')$
© Mogelzahn
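The creation and check equations from the slide worked through in Python, as an added example that is not from the talk: textbook RSA without padding on constructed Mersenne-prime moduli, only to show the arithmetic; SAP's key pair (e_a, d_a), the third party's pair and the package bytes are all constructed here.

```python
"""The signature slide worked through: SAP signs package m with private key
d_a, the customer checks (m', s') with the public key e_a shipped inside the
application. Textbook RSA on constructed parameters, no padding: enough to show
the arithmetic, not a scheme to deploy (use PKCS#1 v1.5 or PSS there)."""
from __future__ import annotations
import hashlib


def make_keypair(p: int, q: int, e: int = 65537) -> tuple[int, int, int]:
    """Return (e, d, n) for primes p and q; d is the inverse of e mod phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return e, pow(e, -1, phi), n


# Constructed key pairs built from Mersenne primes so the demo runs offline.
E_A, D_A, N_A = make_keypair(2**31 - 1, 2**61 - 1)     # SAP: (e_a, d_a)
E_B, D_B, N_B = make_keypair(2**89 - 1, 2**107 - 1)    # some third party


def hash_to_int(m: bytes, n: int) -> int:
    """hash(m) as an element of Z_n (a real scheme encodes the digest into a
    fixed-size block instead of reducing it modulo n)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % n


def sign(m: bytes, d: int, n: int) -> int:
    """Signature creation from the slide: s = hash(m)^d mod n."""
    return pow(hash_to_int(m, n), d, n)


def verify(m: bytes, s: int, e: int, n: int) -> bool:
    """Signature check from the slide: s^e mod n == hash(m). (e, n) must come
    from a trusted source such as the application binary, never from the
    download itself."""
    return pow(s, e, n) == hash_to_int(m, n)


def scenarios() -> dict[str, bool]:
    """What the customer's check returns for a genuine package and for the two
    things a man in the middle could hand over instead."""
    m = b"KERNEL.SAR: constructed package bytes"
    s = sign(m, D_A, N_A)
    m_prime = b"KERNEL.SAR: constructed package bytes, modified"
    s_prime = sign(m_prime, D_B, N_B)   # re-signed, but with the wrong private key
    return {
        "genuine (m, s)": verify(m, s, E_A, N_A),
        "modified package, original signature (m', s)": verify(m_prime, s, E_A, N_A),
        "modified package, re-signed by a third party (m', s')": verify(m_prime, s_prime, E_A, N_A),
    }


if __name__ == "__main__":
    for case, ok in scenarios().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```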
Integrity and authenticity of software packages
Unsigned packages over HTTP
• “Dilettante is a man in the middle proxy that injects malicious codes into JARs served by Maven Central.”
https://github.com/mveytsman/dilettante
• Buffer Overflow in HTTP parser of Debian’s APT package manager
https://lists.debian.org/debian-security-announce/2014/msg00219.html
SAP Basics
SAP matters
Why protect SAP systems?
More than 300,000 companies run SAP
SAP customers …
Transport > 1.1 billion flight passengers per year
Produce 78% of the world’s food
Produce 82% of the world’s medical devices
74% of the world’s transaction revenue touches an SAP system
… and …
72% of the world-wide beer production depends on companies that run SAP !!!
IT Complexity vs. ERP Complexity
Sizes of major applications in million lines of code:
- Firefox: 9.5
- Android: 12
- MS Windows 7: 40
- MS Office 2013: 44
- MS Vista 2007: 50
- Debian 5.0: 67
- Mac OS X Tiger 10.4: 84
- SAP Business Suite: 319
Introduction: SAP Patches, SMP & Download Manager
SAP Patches
There are two main ways to obtain and install SAP patches
1. SAP Service Marketplace
Download new products
Download new versions of products
Download support packages (collection of one or more patches)
Download patches
2. Transaction SNOTE
Download SAP OSS Notes (minor patches)
Implement corrections automatically / correction instructions manually
SAP Service Marketplace
SAP Download Manager
SAP Software Archives
File types in the Download Basket
- CAR Archives (older format)
- SAR Archives (since R/3 Release 4.6C)
- May contain a signature: file SIGNATURE.SMF
Archives are extracted with a proprietary compression utility: SAPCAR
- Command-line tool
- Available since R/3 Release 4.6C
- See SAP Note 212876
Security Issues
1. Insecure Default (HTTP Connection)
Download Manager is installed with a default HTTP connection to Walldorf
SAP Patch: Note 2235412, Oct 2015
Insecure Training (Installation guide on YouTube)
Insecure Advice (Discussion on SCN)
2. Insecure Password Storage (XOR)
Download Manager uses a trivial algorithm to obfuscate the SMP password
PW: @@@@@@
PW: AAAAAA
2. Mitigation
SAP Patch: Notes 2074276, 2282338
3. HTTP Basic Authentication used
Download Manager uses Basic Authentication, i.e., passwords can be stolen by MitM attacks
Fake response … leaks credentials
4. How about using HTTPS?
SAP Patch: Note 2235412, Oct 2015
TLS in a Nutshell
hacker.gov: Hello, my friend! Take this certificate!
Client: Uhm… no?!
CVE-2014-3577
How does it work?
String representation of a distinguished name (RFC 4514):
O=SAP, OU=ABAP Security Unit, CN=service.sap.com, …
You are not the owner of service.sap.com
A CA won't issue such a certificate for you!
How does it work?
What about this one?
O=Hacker Inc., OU=CN=service.sap.com, Code network, CN=hacker.gov, …
You are the owner of hacker.gov…
A CA will issue such a certificate for you!
How does it work?
„O=Hacker Inc., OU=CN=service.sap.com, Code Network, CN=hacker.gov, …“
1) Find „CN=“ and extract the value: „service.sap.com“
2) Validate the common name against the domain name: the configured value matches the extracted value!
TLS in a Nutshell
hacker.gov: Hello, my friend! Take this certificate!
Client: LGTM!
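The two steps above, as an added example that is neither code from the talk nor from HttpClient: a naive "find CN=" extraction modelled on the slide's description beside a parser that splits the RFC 4514 string into RDNs first; the subject strings are constructed from the slide, and the escaped variant shows how a CA would actually serialise the same subject.

```python
"""Hostname check against a certificate subject DN, two ways: the naive
"find 'CN=' and cut at the next comma" extraction the slides describe for
CVE-2014-3577, and a parser that splits the RFC 4514 string into RDNs first
and only then asks which attribute a value belongs to. Subject strings are
constructed from the slide examples, not taken from real certificates."""
from __future__ import annotations

LEGIT_DN = "O=SAP, OU=ABAP Security Unit, CN=service.sap.com"
# The lookalike subject exactly as written on the slide (comma unescaped) ...
SLIDE_DN = "O=Hacker Inc., OU=CN=service.sap.com, Code network, CN=hacker.gov"
# ... and as a CA would serialise it: the comma inside the OU value is escaped.
ESCAPED_DN = r"O=Hacker Inc., OU=CN=service.sap.com\, Code network, CN=hacker.gov"


def naive_cn(dn: str) -> str | None:
    """Slide step 1: find the first 'CN=' and take everything up to the next
    comma. It never checks which attribute the substring sits in, so a 'CN='
    inside the OU value is returned as the common name."""
    start = dn.find("CN=")
    if start < 0:
        return None
    rest = dn[start + len("CN="):]
    end = rest.find(",")
    return rest if end < 0 else rest[:end]


def _split_unescaped(text: str, sep: str) -> list[str]:
    """Split on sep, leaving backslash-escaped characters (and the backslash)
    in place for later unescaping."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(text[i])
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape(value: str) -> str:
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_rdns(dn: str) -> list[tuple[str, str]]:
    """Parse an RFC 4514 string into (attribute type, value) pairs. An RDN
    without the type=value shape, such as the stray 'Code network' that an
    unescaped comma leaves behind, raises ValueError instead of being guessed."""
    pairs = []
    for rdn in _split_unescaped(dn, ","):
        for attr in _split_unescaped(rdn, "+"):       # '+' joins multi-valued RDNs
            attr_type, eq, value = attr.strip().partition("=")
            if not eq or not attr_type.strip():
                raise ValueError(f"malformed RDN: {attr.strip()!r}")
            pairs.append((attr_type.strip().upper(), _unescape(value)))
    return pairs


def cn_values(dn: str) -> list[str]:
    """Only values whose attribute type really is CN."""
    return [value for attr_type, value in parse_rdns(dn) if attr_type == "CN"]


def hostname_matches(dn: str, host: str) -> bool:
    """Slide step 2 done properly: accept only a well-formed subject with exactly
    one CN equal to the configured host. Malformed input is rejected."""
    try:
        cns = cn_values(dn)
    except ValueError:
        return False
    return len(cns) == 1 and cns[0].lower() == host.lower()
```

A modern client should additionally prefer the subjectAltName extension over the CN; the parser above only fixes the step the slide shows.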
There is a Catch…
Preliminaries:
Basic understanding of ASN.1 (DER) and X.509 required
Constraints:
Suitable CA*…
Some cash required…
*issuing such certificates is not really a CA's fault!
Presence of the Vulnerability
SAP Download Manager used HttpClient v4.0 since 08.2009
CVE-2014-3577 was released 08.2014: Apache HttpComponents HttpClient < 4.3.5, HttpAsyncClient < 4.0.2
The vulnerability in SAP Download Manager was patched 11.2015
The vulnerability existed for over 6 years…
…and for over 15 months after the CVE release
SAP Patch: Notes 2235412, 2282338
A Note on PKIs
TLS is awesome, but…
…it may not solve all your problems!
A Note on PKIs - Imagination…
A Note on PKIs - Reality…
EFF SSL Observatory: https://www.eff.org/files/colour_map_of_cas.pdf
A Note on PKIs
We DO NOT SAY that any CA might be vulnerable!
We JUST SAY that there are over 650 of them*…
*https://www.eff.org/de/observatory
Look for: „Certificate Authority Collapse“
Signatures to the Rescue
Usage of signatures
Each SAP download package should be signed
The signature must be validated with the public key in the application
Transmitting signed packages over TLS is even better!
Authentication ×2 + Integrity ×2 + Confidentiality
Signature Validation with SAPCAR
We took a quick look at SAPCAR, too
Signature checking „looks good“
How to invoke:
.\sapcar.exe -tVvf <package.sar>
Caution:
Not every package has a signature…
See SAP Note 2178665
Insecure Default (before September 2015)
checked 2015-03-03

| Product | Download over HTTP? | Download over HTTPS (TLS)? | Packages digitally signed? |
|---|---|---|---|
| Microsoft Windows | No | Yes (Mandatory) | Yes (check mandatory) |
| Apple OS X | No | Yes (Mandatory) | Yes (check mandatory) |
| Ubuntu | Yes (Standard) | Yes (Optional) | Yes (check mandatory) |
| SAP | Yes (Standard) | Yes (Optional) | Yes (check optional) |
State after September 2015
checked 2015-03-03

| Product | Download over HTTP? | Download over HTTPS (TLS)? | Packages digitally signed? |
|---|---|---|---|
| Microsoft Windows | No | Yes (Mandatory) | Yes (check mandatory) |
| Apple OS X | No | Yes (Mandatory) | Yes (check mandatory) |
| Ubuntu | Yes (Standard) | Yes (Optional) | Yes (check mandatory) |
| SAP | No | Yes (Mandatory) | Yes (check optional) |
5. Protocol downgrade // Arbitrary redirects (1)
Download Manager falls back to HTTP when a download location is insecure
5. Protocol downgrade // Arbitrary redirects (2)
The actual SAR package (= the patch) is downloaded via HTTP!
5. Protocol downgrade: Visibility
Everyone sniffing web traffic will notice protocol downgrades
SAP Patch: Note 2235412, Oct 2015
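Detection logic for the downgrade described above, as an added example that is not from the talk: it runs over a constructed, simplified proxy log (the column layout, the client address and the mirror hostname are assumptions; service.sap.com is the host from the slides) and flags both an https-to-http redirect and an archive fetched in the clear.

```python
"""Detection for issue 5: report a Download Manager session in which the
archive itself travels over plain HTTP, directly or after a redirect away from
HTTPS. Runs over a constructed, simplified proxy log; the column layout and the
mirror hostname are assumptions, service.sap.com is the host from the slides."""
from __future__ import annotations
from urllib.parse import urlsplit

ARCHIVE_SUFFIXES = (".sar", ".car")   # the SAP archive formats named on the slides

# Constructed log, one request per line:
#   time client method url status location ('-' when the response had none)
SAMPLE_LOG = """\
2016-03-16T10:00:01 10.0.0.5 GET https://service.sap.com/download/basket 200 -
2016-03-16T10:00:02 10.0.0.5 GET https://service.sap.com/download/KERNEL.SAR 302 http://mirror.example.net/KERNEL.SAR
2016-03-16T10:00:03 10.0.0.5 GET http://mirror.example.net/KERNEL.SAR 200 -
2016-03-16T10:00:04 10.0.0.5 GET https://service.sap.com/download/NOTE.SAR 200 -
"""


def parse_line(line: str) -> dict:
    ts, client, method, url, status, location = line.split()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status),
            "location": None if location == "-" else location}


def is_archive(url: str) -> bool:
    """True for the SAR/CAR archives that carry the actual patch."""
    return urlsplit(url).path.lower().endswith(ARCHIVE_SUFFIXES)


def find_downgrades(log_text: str) -> list[dict]:
    """Return one finding per suspicious request, in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        scheme = urlsplit(rec["url"]).scheme
        loc = rec["location"]
        # A 3xx answer to an https: request that points at an http: URL is the
        # downgrade itself, whatever the target file is.
        if (loc and 300 <= rec["status"] < 400 and scheme == "https"
                and urlsplit(loc).scheme == "http"):
            findings.append({**rec, "reason": "redirect-to-http"})
        # The archive fetched in the clear is what a man in the middle could
        # replace; flag it even when no redirect was seen (a client may have
        # been configured with an http: URL from the start).
        if scheme == "http" and is_archive(rec["url"]):
            findings.append({**rec, "reason": "plaintext-archive"})
    return findings


if __name__ == "__main__":
    for hit in find_downgrades(SAMPLE_LOG):
        print(hit["ts"], hit["reason"], hit["url"], hit["location"] or "")
```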
6. Directory Traversal & extension control
Download Manager accepts the filename and extension for local storage of the downloaded package as supplied
SAP Patch: Note 2235412, Oct 2015
Conclusions
Conclusion #1 - SMP Passwords
SAP customers: Reset the password of your SAP SMP accounts used in Download Manager
Conclusion #2 - SMP Authorizations
SAP customers: Reduce the authorization objects of SMP accounts used in Download Manager
Only select „Software Download“
Conclusion
Transport security for software package distribution channels
• Costs next to nothing, easy to deploy (Let's Encrypt)
• So many ways to make an attacker's life hard: certificate pinning, HSTS, TLS 1.2, PFS, ...
• Must be default if not mandatory
Digital signatures for software packages
• Adds trust to software packages
• Must be mandatory, especially for critical software such as SAP
BIZEC.org
Joint SAP Security Research
Thank you for your attention.
Questions? Now or later
Andreas Wiegenstein @codeprofiler
Sebastian Schinzel @seecurity
Damian Poddebniak [email protected]
Disclaimer
© 2016 Virtual Forge GmbH and FH Münster. All rights reserved.
Information contained in this publication is subject to change without prior notice.
These materials are provided by Virtual Forge and FH Münster and serve only as information.
SAP, ABAP and other named SAP products and services as well as their respective logos are trademarks or
registered trademarks of SAP SE in Germany and other countries worldwide.
All other names of products and services are trademarks of their respective companies.
Virtual Forge and FH Münster accept no liability or responsibility for errors or omissions in this publication. From the
information contained in this publication, no further liability is assumed. No part of this publication may be
reproduced or transmitted in any form or for any purpose without the express permission of Virtual Forge
GmbH, Germany or FH Münster. The General Terms and Conditions of Virtual Forge apply.