Pentesting SAP: Critical information exposed
Sergio ([email protected], @serj_ab)
Nahuel D. Sá[email protected]
www.onapsis.com – © 2013 Onapsis, Inc. – All rights reserved
Disclaimer
This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp,
SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP
products and services mentioned herein are trademarks or registered trademarks of SAP
AG in Germany and in several other countries all over the world.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports,
Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and
services mentioned herein are trademarks or registered trademarks of Business Objects in
the United States and/or other countries.
SAP AG is neither the author nor the publisher of this publication and is not responsible for
its content, and SAP Group shall not be liable for errors or omissions with respect to the
materials.
Who is Onapsis, Inc.?
Company focused on the security of ERP systems and business-critical infrastructure (SAP®, Siebel®, Oracle® E-Business Suite™, PeopleSoft®, JD Edwards® …). Working with Global Fortune-100 and large governmental organizations.
What does Onapsis do?
● Innovative ERP security software (Onapsis X1, Onapsis Bizploit, Onapsis IA).
● ERP security consulting services.
● Trainings on business-critical infrastructure security.
Who are we?
Sergio – Exploit writer & Researcher
Nahuel – Researcher & Security consultant
We reported several vulnerabilities to SAP.
Contributors to the Onapsis ERP Security Blog.
Authors of “SAP Security In Depth” and Hakin9 publications.
Agenda
Introduction
Pentesting SAP platforms
● SAP Router
● Oracle external authentication mechanism
● Gateway
● CTC servlet
Conclusions
Extras
● Password cracking
● Default Passwords
Introduction: What are we talking about?
So… what is SAP?
SAP (Systems, Applications and Products in Data Processing) is a German company devoted to the development of business solutions.
● Founded in 1972.
● Almost 60,000 employees.*
● More than 183,000 customers.*
● Third biggest independent software vendor (ISV).
* Sources: http://www.sap.com/customer-showcase/index.epx and http://en.wikipedia.org/wiki/SAP_AG
SAP Solutions
Enterprise Solutions
● SAP CRM (Customer Relationship Management).
● SAP ERP (Enterprise Resource Planning).
● SAP PLM (Product Lifecycle Management).
● SAP SCM (Supply Chain Management).
● SAP SRM (Supplier Relationship Management).
Business Solutions
● SAP GRC (Governance, Risk and Compliance).
● SAP Business One
● …
SAP NetWeaver
SAP NetWeaver is the SAP technological integration platform on top of which enterprise and business solutions are developed and run. It follows a Service Oriented Architecture (SOA).
System, Landscape and Main Components
(Diagram only on the original slide.)
We have to protect our systems… but from what/who?
External attackers vs. internal attackers.
Lone attackers vs. criminal organizations.
Security is built upon three concepts, each matched by a class of threat:
● Confidentiality – threatened by espionage.
● Integrity – threatened by fraud.
● Availability – threatened by sabotage.
Segregation of Duties is not enough!
While SoD is of absolute importance, there are many threats which involve higher levels of risk.
Many of these threats are unknown to Information Security officers, Financial and Auditing officers and SAP administration staff.
This talk will show you how cyber-attackers can break into our systems even if we have well-implemented SoD controls.
Pentesting SAP, or… the attacker’s point of view
SAProuter: the gate to the kingdom
Application-Level Gateways
Beyond firewalls, which protect traffic at the network level, it is important to restrict requests based on their content.
SAP provides two different application-level gateways:
● SAProuter
● SAP Web Dispatcher
SAProuter
SAProuter is an SAP program working as a reverse proxy, which analyzes connections between SAP systems and between SAP systems and external networks.
It is designed to analyze and restrict the SAP network traffic that was allowed to pass through the firewall.
SAProuter does not replace the firewall, it complements it!
Therefore, SAProuter can be used to:
● Filter requests based on IP addresses and/or protocol.
● Log connections to SAP systems.
● Enforce security, requiring the use of a secret password for the communication.
● Require communications using Secure Network Communications (SNC).
Using and Configuring SAProuter
Route Permission Table (saprouttab) examples. Each line is <permission> <source host> <destination host> <service> [<password>], where P permits the route, D denies it and S permits it only for SAP protocols (not arbitrary TCP services); SAProuter applies the first line that matches a connection.
D host1 host2 serviceX
P 192.168.1.* host2 * pass123
S 10.1.*.* 10.1.2.* *
P * * testpwd
D * * *
P 192.168.1.* sapsrv1 * *
P 192.168.1.* sapsrv2 * *
P 192.168.1.* sapsrv3 * *
P 192.168.1.* sapsrv4 * *
P * * * *
Getting Information From the SAProuter
It is possible to send info requests to the SAProuter and obtain some useful information from it, provided the route table permits the requesting host to reach the router’s own port (3299):
P req_host saprouter 3299 pass
This information can be requested remotely (the SAProuter must permit the connection).
DEMO: Getting SAProuter information
Tunneling Protocols Through SAProuter
SAProuter can be used for protocol tunneling. It allows external users standing outside the internal network to reach internal systems using specific protocols. If misconfigured, this feature can be abused by an external attacker to gain access to the company’s internal network.
Example: the firewall only allows the SAProuter port, and the SAProuter is configured to tunnel SSH:
P * SAPsystemA 22
The attacker can reach the SAP system through the SAProuter using SSH.
DEMO: Tunneling Protocols
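The route table, the info-request entry and the SSH tunnel above are all decided by the same first-match rule over saprouttab, so a defender can audit them with one small tool. The following script is an added example for this transcript, not Onapsis or SAP code: it parses a saprouttab (the sample table is constructed for the example), answers “would this connection be routed?” the way the slides describe the router deciding, and flags the entries a reviewer would question: permit-all lines, P entries to any port, non-SAP services such as port 22, wildcard sources without a route password, and routes to the router port 3299 itself. The SAP-port heuristic and the “missing service means *” parsing rule are assumptions of the example.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

# Constructed sample saprouttab for this example; not a real customer file.
SAMPLE_SAPROUTTAB = """\
# perm  source        dest        service  password
P       192.168.1.*   sapsrv1     3200
P       192.168.1.*   sapsrv2     *
S       10.1.*.*      10.1.2.*    *
P       *             SAPsystemA  22
P       req_host      saprouter   3299     pass
D       *             *           *
"""


@dataclass
class Entry:
    line: int
    kind: str            # P = permit, D = deny, S = permit SAP protocols only
    src: str
    dst: str
    service: str
    password: Optional[str]


def parse_saprouttab(text: str) -> list:
    """Parse the table; assumption: <perm> <source> <dest> [<service>] [<password>]."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] not in ("P", "D", "S") or len(parts) < 3:
            raise ValueError(f"line {no}: malformed entry {raw!r}")
        service = parts[3] if len(parts) > 3 else "*"   # missing service treated as '*'
        password = parts[4] if len(parts) > 4 else None
        entries.append(Entry(no, parts[0], parts[1], parts[2], service, password))
    return entries


def check_route(entries, src, dst, service):
    """Simulate the router's decision: the first matching line wins, no match means deny.
    An 'S' result means the route exists but only for SAP protocols."""
    for e in entries:
        if (fnmatchcase(src, e.src) and fnmatchcase(dst, e.dst)
                and e.service in ("*", service)):
            return e.kind, e.line
    return "D", None


def _looks_like_sap_port(service: str) -> bool:
    """Heuristic (assumption): 32nn/33nn/36nn/39nn/48nn and 5nnnn are SAP service ports."""
    if not service.isdigit():
        return False
    return ((len(service) == 4 and service[:2] in ("32", "33", "36", "39", "48"))
            or (len(service) == 5 and service[0] == "5"))


def lint(entries):
    """Flag lines that widen the router beyond 'SAP clients reach SAP ports'."""
    findings = []
    for e in entries:
        if e.kind == "D":
            continue
        if e.src == "*" and e.dst == "*" and e.service == "*":
            findings.append((e.line, "permit-all entry: any host may reach any host and port"))
            continue
        if e.kind == "P" and e.service == "*":
            findings.append((e.line, f"any port on {e.dst} reachable from {e.src}; "
                                     "use S or an explicit SAP port"))
        elif e.kind == "P" and not _looks_like_sap_port(e.service):
            findings.append((e.line, f"non-SAP service {e.service} on {e.dst} is tunnelled "
                                     f"from {e.src} (the slides' SSH example)"))
        if e.src == "*" and e.password is None:
            findings.append((e.line, f"{e.kind} entry open to any source host without a route password"))
        if e.service == "3299":
            findings.append((e.line, "route to a SAProuter port itself: allows info requests "
                                     "from the named source; keep it narrow"))
    return findings


ENTRIES = parse_saprouttab(SAMPLE_SAPROUTTAB)

if __name__ == "__main__":
    print(check_route(ENTRIES, "203.0.113.5", "SAPsystemA", "22"))   # ('P', 5)
    for line, msg in lint(ENTRIES):
        print(f"line {line}: {msg}")
```

Run against the sample, the SSH tunnel line is reported twice (non-SAP service, and open to any source without a password), which is exactly the combination the tunnelling slide warns about; the same check on a production saprouttab is a quick way to confirm that only S entries or explicit SAP ports survive.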
Oracle External Authentication Mechanism, or… things made easy
Oracle is the most used database in SAP implementations.
One of the most common attacks; it is easy to perform.
Impact: total control over the SAP system.
Based on the abuse of trust relationships between the SAP system and the Oracle database.
Oracle external authentication process
Username: <sid>adm
Steps:
1 – The application server logs in to the DB server as the <sid>adm user.
2 – SAPSR3’s user password (stored encrypted) is retrieved from the SAPUSER table and decrypted.
3 – The application server logs in to the DB server as SAPSR3 using the decrypted password (SAPSR3/<pass>).
DEMO: Oracle External Auth.
SAP + Oracle Authentication Procedure
SAP connects to the database as the OPS$<username> user (e.g. OPS$<SID>adm).
It retrieves the user and password from table SAPUSER.
It re-connects to the database using the retrieved credentials.
Content of SAPUSER:
USERID          PASSWD
SAPSR3-CRYPT    V01/0050ZctvSB67Wv3RWjDBSeLpWwHrWNj05AXb6NEprbkD
So, what is all this about the OPS$ mechanism?
There is a special Oracle configuration parameter named REMOTE_OS_AUTHENT.
If set to TRUE, Oracle “trusts” that the remote system has authenticated the user used for the SQL connection (!)
The user is created as “identified externally” in the Oracle database.
Oracle recommendation: remote_os_authent = false
SAP default and necessary configuration: remote_os_authent = true
Protection: restrict who can connect to the Oracle database (valid node checking in sqlnet.ora):
tcp.validnode_checking = yes
tcp.invited_nodes = (192.168.1.102, …)
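Because SAP needs remote_os_authent = true, the only control left is the network one the slide names: valid node checking on the listener. The script below is an added example (not SAP, Oracle or Onapsis code) that parses constructed init.ora and sqlnet.ora fragments and reports whether the OPS$ trust is confined to the application servers that actually need it. The file contents, the application server addresses and the helper names are all assumptions of the example.

```python
from typing import Dict, List, Union

# Constructed configuration fragments for this example (not a real system's files).
SAMPLE_INIT_ORA = """\
remote_os_authent = true
os_authent_prefix = OPS$
"""

SQLNET_ORA_WEAK = """\
# valid node checking never enabled: the listener accepts any client host
"""

SQLNET_ORA_HARDENED = """\
tcp.validnode_checking = yes
tcp.invited_nodes = (192.168.1.102, 192.168.1.103)
"""

APP_SERVERS = ["192.168.1.102", "192.168.1.103"]   # constructed SAP application server IPs


def parse_ora_params(text: str) -> Dict[str, Union[str, List[str]]]:
    """Parse 'key = value' lines; keys are lowercased, '(a, b)' lists become Python lists."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value.startswith("(") and value.endswith(")"):
            value = [v.strip() for v in value[1:-1].split(",") if v.strip()]
        params[key.lower()] = value
    return params


def assess_ops_exposure(init_params, sqlnet_params, app_servers) -> List[str]:
    """Return findings; an empty list means OPS$ trust is limited to the listed app servers."""
    findings = []
    if str(init_params.get("remote_os_authent", "false")).lower() != "true":
        return findings                     # no OS-level trust to compensate for
    if str(sqlnet_params.get("tcp.validnode_checking", "no")).lower() != "yes":
        findings.append("remote_os_authent=true without tcp.validnode_checking=yes: any host "
                        "that reaches the listener can present an OPS$ user")
        return findings
    invited = sqlnet_params.get("tcp.invited_nodes", [])
    if isinstance(invited, str):
        invited = [invited]
    if not invited:
        findings.append("tcp.validnode_checking=yes but tcp.invited_nodes is empty")
    for host in app_servers:
        if host not in invited:
            findings.append(f"application server {host} is not in tcp.invited_nodes "
                            "(its OPS$ logon will be refused)")
    for host in sorted(set(invited) - set(app_servers)):
        findings.append(f"{host} is invited but is not a known SAP application server")
    return findings


def audit(init_ora: str, sqlnet_ora: str, app_servers) -> List[str]:
    """Convenience wrapper: parse both files and assess them together."""
    return assess_ops_exposure(parse_ora_params(init_ora),
                               parse_ora_params(sqlnet_ora), app_servers)


if __name__ == "__main__":
    for name, sqlnet in (("weak", SQLNET_ORA_WEAK), ("hardened", SQLNET_ORA_HARDENED)):
        print(name, audit(SAMPLE_INIT_ORA, sqlnet, APP_SERVERS))
```

The check deliberately reports in both directions: a missing application server is an availability problem (its OPS$ logon will fail), while an extra invited host is exactly the kind of machine from which the attack on the previous slides can be mounted.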
Gateway: complex attacks involve complex solutions
Interface Security: RFC
The Remote Function Call (RFC) is the most widely used interface in SAP deployments.
Advanced Attacks: Setup
Scenario: we only need to obtain the program ID of a registered server in the current deployment.
How do we get it?
● Network sniffing (RFC is clear-text!).
● The Gateway Monitor.
● Kidnapping the SAP administrator. (No step-by-step demonstration.)
Evil Twin
Registration of external servers can be done remotely.
The ACL for the registration process is implemented through the reg_info file.
By default, registration is allowed for everyone. (Registration party!)
External servers can register several times with the same Program ID.
ANY external server can register with that ID!
Attack:
● Connect to the legitimate registered server, ID=REG1 (blocking connections).
● Register an external server with ID=REG1.
● Drink some beer while watching calls arriving at our Evil Twin server…
Evil Twin illustrated…
- The legitimate external RFC server registers at the SAP R/3 Gateway with ID=REG1.
- Innocent lamb connection establishment…
- The client performs an RFC call and the server answers politely.
- An external malicious RFC client/server appears on the scene… (don’t be afraid, it’s controlled)
- The attacker connects to the original RFC server, preventing it from serving requests from other clients.
- Now the same malicious client/server connects to the SAP R/3 Gateway, registering itself with the same ID as the original external server.
- All future connections to the REG1 server will be attended by the evil one.
A Wiser (and Stealthier) Evil Twin: MITM Attacks
Proof of concept. Attack:
● Connect to the legitimate registered server, ID=REG1 (blocking connections).
● Register an external server with ID=REG1.
● Receive the RFC call.
● Log / modify parameter values.
● Use the established connection with the legitimate registered server to forward the (possibly modified) RFC call.
● Get the results and send them to the original client.
● Disconnect from the legitimate registered server.
● Back to step 1.
A Wiser (and Stealthier) Evil Twin: MITM Attacks, illustrated…
- So we have the same scenario: the legitimate client and external RFC server, the SAP R/3 server and the SAP Gateway.
- Here we go again, blocking valid connections to the innocent external RFC server.
- Now the same malicious client/server connects to the SAP R/3 Gateway and registers itself with the same ID as the original external server.
- This time, every RFC call received is logged/modified and forwarded to the original external server, and the (modified) response goes back to the client.
Attacking the Application Server with a Registered Server
The RFC interface allows clients / servers to perform “callbacks”.
(Diagram: the RFC client calls Function 1 on the RFC server; while serving it, the server issues an RFC call back to the client, which runs client code, sends data and returns the result.)
Attacking the Application Server with a Registered Server
We can perform “callbacks” to the RFC partner (in this case, the SAP application server).
The callback RFC call is executed in the context of the original R/3 call.
Impact depends on the authorizations of the R/3 user (SAP_ALL?).
Attack:
● Connect to the legitimate registered server, ID=REG1 (blocking connections).
● Start an Evil Twin.
● Receive the RFC call.
● Perform an RFC callback.
● If the user has SAP_ALL… Bingo!
Attacking the R/3 with a Registered Server, illustrated…
- Yes, again the same scenario: the valid client, the valid external RFC server, the SAP R/3 server and the SAP Gateway.
- Here we are again, blocking valid connections to the innocent external RFC server.
- Again, the same malicious client/server connects to the SAP R/3 server and registers itself with the ID of the original external server.
- But now, when an RFC call is received, we perform a poisoned RFC callback… SAP R/3 Application Server OWNED!!
DEMO: Callback
Securing Gateway
secinfo (which users, from which hosts, may start which external program through the gateway):
USER=*, USER-HOST=allowedHost1, HOST=127.0.0.1, TP=sapxpg;
USER=*, USER-HOST=allowedHost2, HOST=sapgw2, TP=sapxpg;
USER=*, USER-HOST=allowedHost3, HOST=sapgw2, TP=someOtherServer;
reginfo (which hosts may register a program ID, and which clients may use and cancel it):
TP=rfcexec NO=1 HOST=localhost ACCESS=serv1 CANCEL=local
TP=reg* NO=1 HOST=serv2 ACCESS=client1 CANCEL=local
TP=adm1 NO=1 HOST=serv2 ACCESS=*.domain CANCEL=local
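The Evil Twin, MITM and callback attacks above all start with a registration the gateway should have refused, and the reginfo lines on this slide are the control that refuses it. As an added example for this transcript (not SAP or Onapsis code), the script below parses reginfo entries in the key=value form shown here, answers “may this host register this program ID?” and “may this client call it?”, and flags the catch-all entries that leave the “registration party” open. The sample file is constructed, the optional leading P/D marker, first-match evaluation and “no match means deny” are assumptions of the example, and the last sample line is deliberately the bad one.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed reginfo in the key=value form used on the slides, with an optional leading
# P (permit) / D (deny). The last line is a deliberately bad catch-all.
SAMPLE_REGINFO = """\
P TP=rfcexec HOST=localhost ACCESS=serv1    CANCEL=local
P TP=reg*    HOST=serv2     ACCESS=client1  CANCEL=local
P TP=adm1    HOST=serv2     ACCESS=*.domain CANCEL=local
P TP=*       HOST=*         ACCESS=*
"""


@dataclass
class RegEntry:
    line: int
    kind: str       # P permit / D deny
    tp: str         # program ID pattern
    host: str       # hosts allowed to register (comma separated, wildcards)
    access: str     # client hosts allowed to use the registered program
    cancel: str     # hosts allowed to cancel the registration


def parse_reginfo(text):
    """Parse reginfo lines; unknown keys such as NO=1 are accepted and ignored."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        kind = tokens.pop(0) if tokens[0] in ("P", "D") else "P"   # assumption: no prefix = permit
        fields = {}
        for tok in tokens:
            if "=" not in tok:
                raise ValueError(f"line {no}: expected KEY=value, got {tok!r}")
            key, value = tok.split("=", 1)
            fields[key.upper()] = value
        if "TP" not in fields:
            raise ValueError(f"line {no}: entry without TP")
        entries.append(RegEntry(no, kind, fields["TP"], fields.get("HOST", "*"),
                                fields.get("ACCESS", "*"), fields.get("CANCEL", "*")))
    return entries


def _host_listed(host, pattern_list):
    return any(fnmatchcase(host, p.strip()) for p in pattern_list.split(","))


def may_register(entries, tp, host):
    """Can `host` register program ID `tp`? First match wins; no match is treated as deny."""
    for e in entries:
        if fnmatchcase(tp, e.tp) and _host_listed(host, e.host):
            return e.kind == "P", e.line
    return False, None


def may_use(entries, tp, client_host):
    """Can `client_host` send RFC calls to the program registered as `tp`?"""
    for e in entries:
        if fnmatchcase(tp, e.tp) and _host_listed(client_host, e.access):
            return e.kind == "P", e.line
    return False, None


def lint(entries):
    """Flag permit entries that leave registration or use open to anyone."""
    findings = []
    for e in entries:
        if e.kind != "P":
            continue
        if e.tp == "*":
            findings.append((e.line, "TP=* permits registration of any program ID"))
        if e.host == "*":
            findings.append((e.line, f"HOST=* lets any host register {e.tp}: an evil twin "
                                     "can take over the ID"))
        if e.access == "*":
            findings.append((e.line, f"ACCESS=* lets any client call {e.tp}"))
    return findings


ENTRIES = parse_reginfo(SAMPLE_REGINFO)

if __name__ == "__main__":
    print(may_register(ENTRIES, "rfcexec", "attacker-host"))   # (True, 4): the catch-all wins
    for line, msg in lint(ENTRIES):
        print(f"line {line}: {msg}")
```

The instructive case is the second registration query: the narrow rfcexec entry on line 1 does not match a foreign host, so evaluation falls through to the catch-all on line 4 and the registration is allowed anyway. Pinning HOST to the legitimate server's host and deleting the catch-all is what denies the duplicate REG1 registration the Evil Twin depends on.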
CTC Servlet: SAP goes web… hackers too
“My SAP system is only used internally”
While that was true more than a decade ago, now it’s common for SAP systems to be connected to the Internet.
Attackers know how to find them using regular search engines.
If your SAP is not supposed to be public, make sure it’s not there!!
Attacking the SAP J2EE Engine
In 2012, SAP released a Security Note which fixes a very critical vulnerability. The vulnerability is based on an old and widespread concept called “Verb Tampering”: the attack vector involves sending HTTP requests using uncommon HTTP methods, like HEAD, PUT, DELETE…
In the SAP J2EE Engine, applications are configured using an XML file, defining the profiles required to access the application and the “constraints” applying to each HTTP method.
Some applications only restrict access to GET and POST!!! There is a vulnerable application (CTC runtime) that can be bypassed by sending HEAD requests. This application can be used to create users and execute OS commands!!!
So, if a HEAD request is executed targeting one of the vulnerable applications, any security restriction is bypassed, leading to the possibility of user creation or even arbitrary code execution, depending on the vulnerable application.
DEMO: CTC Servlet
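The root cause described above is a deployment descriptor whose security-constraint names specific HTTP methods: under the Servlet specification, listing GET and POST means only those two methods are constrained, and HEAD or any other method reaches the servlet with no role check. The script below is an added example for this transcript, not SAP's descriptor or Onapsis code: it parses a constructed web.xml (placeholder servlet name, not the CTC runtime's real path), reports which protected URL patterns leave methods unconstrained, and shows the fix, which is to drop the http-method list so the constraint covers every method.

```python
import xml.etree.ElementTree as ET

ALL_METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE")

# Constructed web.xml fragment (placeholder servlet, not a real SAP descriptor): the
# constraint lists GET and POST only, so HEAD, PUT, DELETE... reach it unauthenticated.
VULNERABLE_WEB_XML = """\
<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>AdminConfig</web-resource-name>
      <url-pattern>/AdminConfigServlet</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>administrators</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip the namespace from an ElementTree tag ('{ns}name' -> 'name')."""
    return tag.rsplit("}", 1)[-1]


def _constrained_collections(root):
    """Yield web-resource-collection elements that sit under a constraint with an auth-constraint."""
    constraints = [el for el in root.iter() if _local(el.tag) == "security-constraint"]
    for sc in constraints:
        if not any(_local(child.tag) == "auth-constraint" for child in sc):
            continue
        for wrc in sc:
            if _local(wrc.tag) == "web-resource-collection":
                yield wrc


def find_verb_tampering_gaps(web_xml):
    """List protected URL patterns whose constraint names specific HTTP methods.

    Servlet semantics: when http-method elements are present the constraint applies only
    to those methods; every other method reaches the resource with no auth-constraint.
    """
    gaps = []
    for wrc in _constrained_collections(ET.fromstring(web_xml)):
        patterns = [c.text.strip() for c in wrc if _local(c.tag) == "url-pattern"]
        methods = {c.text.strip().upper() for c in wrc if _local(c.tag) == "http-method"}
        if methods:
            gaps.append({"url_patterns": patterns,
                         "constrained": sorted(methods),
                         "unconstrained": [m for m in ALL_METHODS if m not in methods]})
    return gaps


def harden_web_xml(web_xml):
    """Return the descriptor with http-method lists removed from constrained collections,
    so each auth-constraint covers every method (the fix for verb tampering)."""
    root = ET.fromstring(web_xml)
    for wrc in _constrained_collections(root):
        for m in [c for c in wrc if _local(c.tag) == "http-method"]:
            wrc.remove(m)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for gap in find_verb_tampering_gaps(VULNERABLE_WEB_XML):
        print(gap)            # HEAD, PUT, DELETE, OPTIONS, TRACE unconstrained on /AdminConfigServlet
    print(find_verb_tampering_gaps(harden_web_xml(VULNERABLE_WEB_XML)))   # []
```

Running the check over every web.xml deployed on a J2EE engine is a cheap way to find the GET/POST-only pattern the slide describes before someone else finds it with a HEAD request; the hardened descriptor is what the vendor fix amounts to for the descriptor side.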
Conclusions
If not properly protected, SAP systems can be prone to espionage, sabotage and fraud attacks resulting from cyber security breaches.
By securing the environment, it is possible to protect not only the SAP systems but the entire technological infrastructure of the organization.
The SAProuter has to be configured tightly, in order to avoid attacks from untrusted networks such as the Internet.
The operating system and database represent the base framework for the SAP systems. They must be kept updated (security patches) and configured securely. Access to these layers would result in a complete compromise of the SAP business information.
SAP provides a big number of solutions in a highly complex architecture, which must be secured at the application and communication layers.
SAP Web applications usually expose systems to untrusted networks; the universe of possible attackers is greatly increased.
The security of the SAP application layer is mandatory. While Segregation of Duties is highly important, it is not enough. By default, many configurations are insecure and must be modified.
The number of SAP security notes has drastically increased over the last years. Their successful implementation should be periodically reviewed.
It’s necessary to assess and secure ALL the systems, not just PRD. Every landscape, every system, every client (mandant), every application server and every parameter needs to be properly checked.
Thank you!
Extras: Cracking SAP password hashes
SAP Password Considerations & Cracking
SAP has implemented different password hashing mechanisms.
Password hashes are stored in tables USR02 and USH02.
CODVN   Description
A       Obsolete
B       Based on MD5, 8 characters, uppercase, ASCII
C       Not implemented
D       Based on MD5, 8 characters, uppercase, UTF-8
E       Reserved
F       Based on SHA1, 40 characters, case insensitive, UTF-8
G       Code Version F + Code Version B (2 hashes)
H       Based on SHA1, random salt, 40 characters, case insensitive, UTF-8
I       Code Version H + Code Version F + Code Version B (3 hashes)
On June 26 2008, a patch for John The Ripper for CODVN B and G was published.
Default Passwords: Standard Users and Passwords
SAP creates some users by default. THESE USERS MUST BE SECURED!
User ID      Description                        Clients           Password
SAP*         Super user                         000, 001, 066     06071992
                                                new clients       PASS
DDIC         ABAP Dictionary super user         000, 001          19920706
EARLYWATCH   User for the EarlyWatch Service    066               SUPPORT
SAPCPIC      Communication User                 000, 001          ADMIN
TMSADM       TMS User                           000, 001          PASSWORD