in security to secure investments

Agenda
• SAP security
• Conclusion

SAP

SAP security

Espionage
• Stealing financial information
• Stealing corporate secrets
• Stealing supplier and customer lists
• Stealing HR data

Fraud
• False transactions
• Modification of master data

Sabotage
• Denial of service
• Modification of financial reports
• Access to technology network (SCADA) by trust relations

SAP security
[Chart: number of SAP security talks per year, 2003 to 2013, by conference: BlackHat, Defcon, HITB, RSA, CONFidence, DeepSec, Hacktivity, Troopers, Source]

Is it remotely exploitable?
sapscan.com
[Chart: SAP Security notes per year, 2001 to 2014; by 2014: 2800 SAP Security notes]

What about other services?
[Chart, World: SAP Dispatcher, SAP MMC, SAP Message Server, SAP HostControl, SAP ITS Agate, SAP Message Server httpd]

What about unpublished threats?

SAP Forensics

Typical SAP audit options
* The percentage of companies is based on our security assessments and product implementations.

What do we see?

What do we need to monitor?
External attacks on SAP
* Ideally, we should control everything, but this talk has limits, so let's focus on the most critical areas.

Say hello to Portal

EP architecture

Okay, okay. SAP Portal is important, and it has many links to other modules. So what?

SAP Logging
"If you are running an ABAP + Java installation of Web AS with SAP Web Dispatcher as a load balancing solution, you can safely disable logging of HTTP requests and responses on J2EE Engine, and use the corresponding CLF logs of SAP Web Dispatcher. This also improves the HTTP communication performance. The only drawback of using the Web Dispatcher's CLF logs is that no information is available about the user executing the request (since the user is not authenticated on the Web Dispatcher, but on the J2EE Engine instead)."
SOURCE: SAP HELP
* Not the only drawback… There are many complex attacks with POST requests.

SAP J2EE Logging

Full logging is not always the best option

SAP Management Console
Right! The file userinterface.log contains the calculated JSESSIONID.
But… the attacker must have credentials to read the log file.
WRONG!

SAP Management Console

<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <SOAP-ENV:Header>
    <sapsess:Session xmlns:sapsess="http://www.sap.com/webas/630/soap/features/session/">
      <enableSession>true</enableSession>
    </sapsess:Session>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body>
    <ns1:ReadLogFile xmlns:ns1="urn:SAPControl">
      <filename>j2ee/cluster/server0/log/system/userinterface.log</filename>
      <filter/>
      <language/>
      <maxentries>%COUNT%</maxentries>
      <statecookie>EOF</statecookie>
    </ns1:ReadLogFile>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Prevention

SAP NetWeaver J2EE

Access Control
Declarative: by WEB.XML
Programmatic: by UME
• Web Dynpro - programmatic
• Portal iViews - programmatic
• J2EE Web apps - declarative

Access Control
• The central entity in the J2EE authorization model is the security role
• Programmers define the application-specific roles in the J2EE deployment descriptors web.xml and web-j2ee-engine.xml

web.xml

<servlet>
  <servlet-name>CriticalAction</servlet-name>
  <servlet-class>com.sap.admin.Critical.Action</servlet-class>
</servlet>
<servlet-mapping>
  <servlet-name>CriticalAction</servlet-name>
  <url-pattern>/admin/critical</url-pattern>
</servlet-mapping>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restrictedaccess</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>administrator</role-name>
  </auth-constraint>
</security-constraint>

Verb Tampering

Verb Tampering
• If we are trying to get access to an application using GET, we need a login:pass and the administrator role
• What if we try to get access to the application using HEAD instead of GET?
• PROFIT!

Verb Tampering
Prevention

Investigation
j2ee\cluster\<node>\log\system\httpaccess\responses.trc

web.xml

<servlet>
  <servlet-name>CriticalAction</servlet-name>
  <servlet-class>com.sap.admin.Critical.Action</servlet-class>
</servlet>
<servlet-mapping>
  <servlet-name>CriticalAction</servlet-name>
  <url-pattern>/admin/critical</url-pattern>
</servlet-mapping>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restrictedaccess</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>HEAD</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>administrator</role-name>
  </auth-constraint>
</security-constraint>

Annotations on the slide:
• GET /admin/critical/CriticalAction
• GET /servlet/com.sap.admin.Critical.Action (Invoker servlet)

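An added check for the verb-tampering exposure shown in the two web.xml slides (example code written for this page, not ERPScan's or SAP's). It parses a constructed web.xml that contains the slide's GET-only constraint next to a hardened one with no <http-method> at all, which the Servlet specification defines as covering every method; the tag names are standard web.xml, the sample content is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the slide's original constraint (GET only) and a
# hardened one that lists no method and therefore covers every verb.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restrictedaccess</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>administrator</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Hardened</web-resource-name>
      <url-pattern>/admin2/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>administrator</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def _local(tag):
    # Drop an XML namespace prefix ('{uri}name' -> 'name') so real web.xml
    # files with the default J2EE namespace parse the same as the sample.
    return tag.rsplit("}", 1)[-1]

def _texts(elem, name):
    return [c.text.strip() for c in elem.iter() if _local(c.tag) == name and c.text]

def audit_constraints(web_xml):
    """One finding per <web-resource-collection>: which verbs the constraint
    protects and whether unlisted verbs (HEAD and others) fall outside it."""
    findings = []
    for wrc in ET.fromstring(web_xml).iter():
        if _local(wrc.tag) != "web-resource-collection":
            continue
        methods = [m.upper() for m in _texts(wrc, "http-method")]
        findings.append({
            "name": (_texts(wrc, "web-resource-name") or [""])[0],
            "patterns": _texts(wrc, "url-pattern"),
            "methods": methods,
            # Servlet spec: an explicit method list protects only those verbs;
            # no list at all means the constraint applies to all methods.
            "unlisted_verbs_unprotected": bool(methods),
        })
    return findings
```

Run it over a deployed application's web.xml to list every constraint that still enumerates methods; adding HEAD, as the slide's patch does, closes that one verb, while removing the method list closes all of them.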
Invoker Servlet
• Want to execute an OS command on the J2EE server remotely?
• Maybe upload a backdoor in a Java class?
• Or sniff all traffic?

Invoker Servlet
Prevention

Investigation

#1.5#000C29C2603300790000003A000008700004D974E7CCC6D8#1364996035203#/System/Security/Audit#sap.com/tc~lm~ctc~util~basic_ear#com.sap.security.core.util.SecurityAudit#Guest#0#SAP J2EE Engine JTA Transaction : [024423a006e18]#n/a##217c5d309c6311e29bca000c29c26033#SAPEngine_Application_Thread[impl:3]_22##0#0#Info#1#com.sap.security.core.util.SecurityAudit#Plain###Guest | USER.CREATE | USER.PRIVATE_DATASOURCE.un:CONF | | SET_ATTRIBUTE: uniquename=[CONF]#

#1.5#000C29C2603300680002C97A000008700004D974E8354D1D#1364996042062#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.audit#Guest#182818##n/a##0c5bfef08bc511e287e6000c29c26033#Thread[Thread-50,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Info#1#com.sap.engine.services.security.roles.audit#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.OK#SAP-J2EE-Engine#guests#

XSS: EPCF

EPCF
For example, EPCF is used as a transient user data buffer for iViews

Prevention

Investigation
j2ee\cluster\<node>\log\system\httpaccess\responses.trc

Web Dynpro JAVA

Investigation
• Web Dynpro sends all data by POST, and we only see GET URLs in responses.log
• But sometimes we can find information by indirect signs
• The client loaded images from the server during some changes

Directory traversal fix

Directory traversal fix bypass

Prevention

Investigation
Patterns to search for in the request paths:
/../
!252f..!252f

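An added detector for the two traversal patterns above (example code written for this page, not ERPScan's tooling). It undoes the Portal's "!xx" escapes (as in the pcd!3a… URLs on the slides) and ordinary percent-encoding layer by layer, so the double-encoded !252f..!252f form is caught as well as the plain one; the request lines are constructed in a simple "METHOD URL" layout, not the real responses.trc format.

```python
import re
from urllib.parse import unquote

# SAP Portal PCD URLs escape characters as '!' plus two hex digits ('!3a' is
# ':', '!2f' is '/'), as seen in the slides, so '!252f' is a percent-encoded
# slash that only becomes a real slash after a second decoding round.
_BANG_ESCAPE = re.compile(r"!([0-9a-fA-F]{2})")
_TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

def normalize_path(path, max_rounds=5):
    """Undo '!xx' and '%xx' escapes repeatedly until the string is stable."""
    for _ in range(max_rounds):
        decoded = unquote(_BANG_ESCAPE.sub(r"%\1", path))
        if decoded == path:
            break
        path = decoded
    return path

def is_traversal(path):
    """True if a '..' segment appears once every encoding layer is removed."""
    return bool(_TRAVERSAL.search(normalize_path(path)))

def scan_requests(lines):
    """Return (method, raw_url, decoded_url) for each request line that
    traverses; lines are assumed to be 'METHOD URL ...' (constructed layout,
    not the real responses.trc format)."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 2 and is_traversal(parts[1]):
            hits.append((parts[0], parts[1], normalize_path(parts[1])))
    return hits

# Constructed request lines; the PCD path in the first one is benign.
SAMPLE_REQUESTS = [
    "GET /irj/portal/pcd!3aportal_content!2fadministrator!2fsuper_admin",
    "GET /irj/servlet/prt/portal/prtroot/!252f..!252f..!252fSecStore.properties",
    "GET /irj/go/km/docs/../../global/security/data/SecStore.key",
    "GET /irj/go/km/docs/%2e%2e/%2e%2e/config.properties",
]
```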
Breaking SAP Portal
• Found a file in the OS of SAP Portal with the encrypted passwords for administration and DB
• Found a file in the OS of SAP Portal with keys to decrypt passwords
• Found a vulnerability (another one ;)) which allows reading the files with passwords and keys
• Decrypt passwords and log into Portal
• PROFIT!

Read the file

XXE in Portal: Details

XXE in Portal

XXE

XXE in Portal: Result

Where are the passwords? (config.properties)
rdbms.maximum_connections=5
system.name=TTT
secstorefs.keyfile=/oracle/TTT/sapmnt/global/security/data/SecStore.key
secstorefs.secfile=/oracle/TTT/sapmnt/global/security/data/SecStore.properties
secstorefs.lib=/oracle/TTTsapmnt/global/security/lib
rdbms.driverLocation=/oracle/client/10x_64/instantclient/ojdbc14.jar
rdbms.connection=jdbc/pool/TTT
rdbms.initial_connections=1

SecStore.properties
$internal/version=Ni4zFF4wMSeaseforCCMxegAfx
admin/host/TTT=7KJuOPPs/+u+14jM7uy7cy7exrZuYvevkSrPxwueur2445yxgBS
admin/password/TTT=7KJuOPPs/+uv+14j56vDc7M7v7dytbGbkgqDp+QD04b0Fh
jdbc/pool/TTT=7KJuOPPs/

Get the password

Prevention

Investigation
POST /irj/servlet/prt/portal/prteventname/HtmlbEvent/prtroot/pcd!3aportal_content!2fadministrator!2fsuper_admin!2fsuper_admin_role!2fcom.sap.portal.content_administration!2fcom.sap.portal.content_admin_ws!2fcom.sap.km.AdminContent!2fcom.sap.km.AdminContentExplorer!2fcom.sap.km.AdminExplorer/ HTTP/1.1

Investigation
• The only way to get HTTP POST request values is to enable HTTP Trace
• Visual Administrator → Dispatcher → HTTP Provider → Properties: HcpTrace = enable
• For 6.4 and 7.0 SP12 and lower:
  – On Dispatcher: /j2ee/cluster/dispatcher/log/defaultTrace.trc
  – On Server: \j2ee\cluster\server0\log\system\httpaccess\responses.0.trc
• For 7.0 SP13 and higher: /j2ee/cluster/dispatcher/log/services/http/req_resp.trc
• Manually analyze all requests for XXE attacks

Malicious file upload: Attack

Malicious file upload: Forensics

Malicious file upload: Prevention

Portal post-exploitation

SSRF History: Basics
[Diagram: Packet A, Packet B]

Partial Remote SSRF: HTTP attacks on other services
[Diagram: direct attack "GET /vuln.jsp" versus SSRF attack "GET /vuln.jst", hosts A and B]

Gopher uri scheme
• Using the gopher:// uri scheme, it is possible to send TCP packets
  – Exploit OS vulnerabilities
  – Exploit old SAP application vulnerabilities
  – Bypass SAP security restrictions
  – Exploit vulnerabilities in local services
More info in our BH2012 presentation: SSRF vs. Business Critical Applications (LINK)

Portal post-exploitation

Anti-forensics
• Flooding
• Deleting
• Changing

Anti-forensics: Log flooding
• 5 active logs
• Maximum log file size is 10 Mb
• Archiving when all logs reach the maximum size
• If file.0.log -> max size then open file.1.log
• If file.4.log -> max size then zip all and backup
• Rewriting the same files after archiving

Anti-forensics: Log deleting
• SAP locks write access to only the one active log
• SAP allows reading/writing logs, so it is possible to delete them
• It could compromise the attacker's presence

Log changing
• SAP locks write access only to the one active log
• It is possible to write into any other log file

Securing SAP Portal
• Patching
• Secure configuration
• Enabling HTTP Trace with masking
• Malicious script filter
• Log archiving
• Additional place for log storage
• Monitoring of security events
  – Own scripts, parse common patterns
  – ERPScan has all existing web vulns/0-day patterns

Conclusion
It is possible to protect yourself from these kinds of issues, and we are working closely with SAP to keep customers secure.
SAP guides

Future work
I'd like to thank SAP's Product Security Response Team for the great cooperation to make SAP systems more secure. Research is always ongoing, and we can't share all of it today. If you want to be the first to see new attacks and demos, follow us at @erpscan and attend future presentations:
July 31 – BlackHat (Las Vegas, USA)

Web: www.erpscan.com
e-mail: info@erpscan.com
Twitter: @erpscan @_chipik @neyolov