
  • SAP Penetration Testing & Defense In-Depth

    Mariano Nuñez Di Croce, [email protected]

    October 2-3, 2008, Ekoparty, Buenos Aires, Argentina

    Copyright 2008 CYBSEC. All rights reserved.

  • 2

    2008

    Who is CYBSEC?

    Provides Information Security services since 1996.

    More than 300 customers, located in Latin America, USA and Europe.

    Wide range of services: Strategic Management, Operation Management, Control Management, Incident Management, PCI Services, SAP Security.

    SAP & CYBSEC

    Member of the SAP Global Security Alliance (GSA).

    Has been working with SAP (Walldorf) since 2005.

    Provides specific SAP security services (Penetration Testing, Secure Architecture Design, Secure Configuration, ...)

  • 3

    Who am I?

    Senior Security Researcher at CYBSEC.

    Devoted to Penetration Testing and Vulnerability Research.

    Discovered vulnerabilities in Microsoft, Oracle, SAP, Watchfire, ...

    Speaker/Trainer at Blackhat, Sec-T, Hack.lu, DeepSec, Ekoparty, CIBSI, ...

    SAP & Me

    Started researching in 2005.

    SAP Pentesting projects (customers).

    Discovered more than 40 vulnerabilities in SAP software.

    Published "Attacking the Giants: Exploiting SAP Internals".

    Developed sapyto, the first SAP Penetration Testing Framework.

    CYBSEC's SAP (In)Security Training instructor.

  • 4

    Agenda

    - Introduction to the SAP World
    - Why SAP Penetration Testing?
    - PenTest Setup
    - SAP PenTesting
      - Discovery Phase
      - Exploration Phase
      - Vulnerability Assessment Phase
      - Exploitation Phase
    - Case Study: SAProuter Security Assessment
    - Conclusions

  • 5

    Introduction to the SAP World

    Basic concepts for deep knowledge

  • 6

    So what is SAP?

    Introduction to the SAP World

    SAP (Systems, Applications and Products in Data Processing) is a German company devoted to the development of business solutions.

    More than 41,600 customers in more than 120 countries.

    More than 121,000 SAP implementations around the globe.

    Third biggest independent software vendor (ISV).

    Provides different solutions: CRM, ERP, PLM, SCM, SRM, GRC, Business One, ...

    The ERP solution is composed of different functional modules (FI, CO, SD, HR, MM, etc.) that implement the organization's business processes.

    Modules are linked together, integrated by the NetWeaver platform.

    SAP runs on multiple Operating Systems and Databases.

  • 7

    SAP Basic Concepts

    Introduction to the SAP World

    Instance & System

    An instance is an administrative entity which groups related components of an SAP system, providing one or more services.

    Systems are identified by the SAP System ID (SID).

    System (instance) parametrization is done in Profiles.

  • 8

    SAP Basic Concepts

    Introduction to the SAP World

    Client

    Legally and organizationally independent unit in an SAP system (company group, business unit, corporation).

    Identified by a three-digit number.

    Default clients: 000, 001 and 066.

    Transaction

    Related sequence of steps (dialog steps) aimed at performing an operation in the SAP database.

    Identified by a transaction code (e.g. SU01, SE16, FK01, PA20, ...)

  • 9

    SAP Basic Concepts

    Introduction to the SAP World

    ABAP

    ABAP is the SAP high-level programming language used to develop business applications.

    Reports / Programs

    ABAP programs that receive user input and produce a report in the form of an interactive list.

    Function Modules

    Independent ABAP modules. Can be called locally or remotely.

    The RFC (Remote Function Call) Interface

    Used to call function modules on remote systems.

  • 10

    SAP Basic Concepts

    Introduction to the SAP World

    The Authorization Concept (Simplified)

    Users are assigned roles/profiles.

    Each profile contains a set of Authorization objects.

    When a user tries to perform an activity, the required authorization objects are checked against the user's authorization objects (user buffer).

    Controlled Activities:

    - Starting Transactions (S_TCODE)
    - Accessing Tables (S_TABU_DIS)
    - Starting Programs (S_PROGRAM)
    - Calling RFC Function Modules (S_RFC)

    Authorization checks can also be done programmatically, through the AUTHORITY-CHECK statement.
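    As an added illustration of the programmatic check described above (example code, not from the slides): a custom ABAP report that reads a table only after an explicit AUTHORITY-CHECK on S_TABU_DIS, so it cannot be used to sidestep the table-access control the slide lists. The report name, the default authorization group 'SC' and the message texts are assumptions; S_TABU_DIS and its fields DICBERCLS (table authorization group) and ACTVT (activity) are the standard object and fields.

```abap
REPORT zcybsec_authcheck_demo.

" Added example, not from the slides. A custom report that reads the
" client table T000 is a common place where a developer forgets the
" authorization check, which would let any user with S_TCODE for the
" report bypass the S_TABU_DIS check that SE16 performs. Report name,
" default authorization group and message texts are assumptions.

PARAMETERS p_group(4) TYPE c DEFAULT 'SC'.   " table authorization group (assumed)

DATA: lt_clients TYPE TABLE OF t000,
      lv_count   TYPE i.

" S_TABU_DIS: DICBERCLS is the table's authorization group,
" ACTVT '03' means display. The check runs against the user buffer.
AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
  ID 'DICBERCLS' FIELD p_group
  ID 'ACTVT'     FIELD '03'.

CASE sy-subrc.
  WHEN 0.
    " Check passed: the buffer holds a matching authorization, so read.
    SELECT mandt mtext FROM t000
      INTO CORRESPONDING FIELDS OF TABLE lt_clients.
    DESCRIBE TABLE lt_clients LINES lv_count.
    WRITE: / 'Authorization OK, clients read:', lv_count.
  WHEN 4.
    " Object is in the buffer, but the field values do not match.
    MESSAGE 'No display authorization for this authorization group' TYPE 'E'.
  WHEN 12.
    " User holds no authorization for S_TABU_DIS at all.
    MESSAGE 'User has no authorization for object S_TABU_DIS' TYPE 'E'.
  WHEN OTHERS.
    " Any other return code (e.g. missing profile) is treated as a failure.
    MESSAGE 'Authorization check failed' TYPE 'E'.
ENDCASE.
```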

  • 11

    Some Low-level Knowledge

    Introduction to the SAP World

    SAP_ALL profile = SAP God.

    Many other profiles may let a user become a god too.

    Each SAP System uses its own Database.

    SAP processes run under the <sid>adm or SAPService<SID> user accounts.

    Connections to the Database are done with the same UID. No authorization checks at this level.

    Direct access to the Database means full SAP compromise!

    Connections between systems are often based on Trust Relationships (r* services).

    Many customer interfaces are implemented through FTP (cleartext, usually weak passwords).

  • 12

    Why SAP Penetration Testing?

    Or why you and your CFO should care

  • 13-19

    Why do you Need an SAP Penetration Test?

    Why SAP Penetration Testing?

    "The new SAP system must be running on October 3rd, no excuses."

    "But we haven't secured the systems yet... you know, there is something called Security..."

    "Security? Hmm... is it French? I don't care. Business *must* go on!"

    "But we should take care of user authorizations to prevent frauds!"

    "Just give everyone full access (SAP_ALL) for three months, then we'll lock it down..."

    "OK..."