Pentesting SAP: Critical information exposed
Sergio Abraham [email protected] @serj_ab
Nahuel D. Sánchez [email protected]

Upload: onapsis-inc

Post on 21-Jul-2015

Page 1: Pen Testing SAP Critical Information Exposed

Pentesting SAP: Critical information exposed

Sergio Abraham [email protected] @serj_ab

Nahuel D. Sánchez [email protected]

Page 2

www.onapsis.com – © 2013 Onapsis, Inc. – All rights reserved

Disclaimer

This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or registered trademarks of Business Objects in the United States and/or other countries.

SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials.

Page 3

Who is Onapsis, Inc.?

Company focused on the security of ERP systems and business-critical infrastructure (SAP®, Siebel®, Oracle® E-Business Suite™, PeopleSoft®, JD Edwards® …). Working with Global Fortune-100 and large governmental organizations.

What does Onapsis do?
● Innovative ERP security software (Onapsis X1, Onapsis Bizploit, Onapsis IA).
● ERP security consulting services.
● Trainings on business-critical infrastructure security.

Who are we?
Sergio – Exploit writer & Researcher
Nahuel – Researcher & Security consultant
We reported several vulnerabilities to SAP.
Contributors of the Onapsis ERP Security Blog.
Authors of “SAP Security In Depth” and Hakin9 publications.

Page 4

Agenda

Introduction

Pentesting SAP platforms
● SAP Router
● Oracle external authentication mechanism
● Gateway
● CTC servlet

Conclusions

Extras
● Password cracking
● Default Passwords

Page 5

Introduction: What are we talking about?

Page 6

So… what is SAP?

SAP (Systems, Applications and Products in Data Processing) is a German company devoted to the development of business solutions.
● Founded in 1972.
● Almost 60.000 employees.*
● More than 183.000 customers.*
● Third biggest independent software vendor (ISV).

* Sources:
● http://www.sap.com/customer-showcase/index.epx
● http://en.wikipedia.org/wiki/SAP_AG

Page 7

SAP Solutions

Enterprise Solutions
● SAP CRM (Customer Relationship Management).
● SAP ERP (Enterprise Resource Planning).
● SAP PLM (Product Lifecycle Management).
● SAP SCM (Supply Chain Management).
● SAP SRM (Supplier Relationship Management).

Business Solutions
● SAP GRC (Governance, Risk and Compliance).
● SAP Business One
● …

Page 8

SAP NetWeaver

SAP NetWeaver is the SAP technological integration platform, on top of which enterprise and business solutions are developed and run.

Service Oriented Architecture (SOA).

Page 9

System, Landscape and Main Components

Page 10

We have to protect our systems... but from what/who?

External attackers vs. internal attackers.

Lone attackers vs. criminal organizations.

Security is built upon three concepts, each facing its own class of threat:
● Confidentiality: espionage.
● Integrity: fraud.
● Availability: sabotage.

Page 11

Segregation of Duties is not enough!

While SoD is of absolute importance, there are many threats which involve higher levels of risk.

Many of these threats are unknown to Information Security officers, Financial and Auditing officers and SAP administration staff.

This talk will show you how cyber-attackers can break into our systems even if we have well implemented SoD controls.

Page 12

Pentesting SAP: Or… the attacker’s point of view

Page 13

Pentesting SAP – SAProuter: The gate to the kingdom

Page 14

Application-Level Gateways

Beyond firewalls, which protect traffic at network level, it is important to restrict requests based on their content.

SAP provides two different application-level gateways:
● SAProuter
● SAP Web Dispatcher

Page 15

SAProuter

SAProuter is an SAP program working as a reverse proxy, which analyzes connections between SAP systems and between SAP systems and external networks.

It is designed to analyze and restrict SAP network traffic which was allowed to pass through the firewall.

SAProuter does not replace the firewall, it complements it!

Page 16

SAProuter

Therefore, SAProuter can be used to:
● Filter requests based on IP addresses and/or protocol.
● Log connections to SAP systems.
● Enforce security by requiring a secret password for the communication.
● Require communications using Secure Network Communications (SNC).

Page 17

Using and Configuring SAProuter

Route Permission Table examples:

D host1 host2 serviceX
P 192.168.1.* host2 * pass123
S 10.1.*.* 10.1.2.* *
P * * testpwd
D * * *

P 192.168.1.* sapsrv1 * *
P 192.168.1.* sapsrv2 * *
P 192.168.1.* sapsrv3 * *
P 192.168.1.* sapsrv4 * *
P * * * *

Page 18

Getting Information From the SAProuter

It is possible to perform info requests to the SAProuter and obtain some useful information from it:

P req_host saprouter 3299 pass

It is possible to request this information remotely (the SAProuter must permit the connection).

Page 19

DEMO (Getting SAProuter information)

Page 20

Tunneling Protocols Through SAProuter

SAProuter can be used for protocol tunneling. It allows external users standing outside the internal network to reach internal systems using specific protocols. If misconfigured, this feature can be abused by an external attacker to gain access to the company’s internal network.

Example:
● Firewall only allows the SAProuter port.
● SAProuter configured to tunnel SSH:

P * SAPsystemA 22

Page 21

Tunneling Protocols Through SAProuter

Attacker can reach the SAP system through the SAProuter using SSH.
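A defender's check of the route permission table, added here as an example and not code from the deck: it applies the saprouttab semantics assumed in its docstring (first match wins, implicit deny, an S entry refuses raw TCP tunnels) to a constructed table containing the SSH entry above, and flags the permit entries that let arbitrary TCP through.

```python
"""Evaluate and audit a SAProuter route permission table (saprouttab).

Added example, not code from the Onapsis deck. Assumed semantics: entries are
tried top-down and the first match wins; no match means deny; an 'S' entry only
admits native SAP (NI) protocol traffic, so a raw TCP tunnel such as SSH that
hits it is refused, while a 'P' entry admits both; hosts and services are
compared as glob patterns."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

# Ports of the SAP dispatcher (32nn), gateway (33nn) and message server (36nn).
SAP_PORTS = set(range(3200, 3400)) | set(range(3600, 3700))


@dataclass
class Entry:
    kind: str                   # P = permit, D = deny, S = SAP protocol only
    src: str                    # source host pattern
    dst: str                    # destination host pattern
    serv: str                   # destination service / port pattern
    password: Optional[str] = None


def parse_routtab(text):
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if parts[0] not in ("P", "D", "S") or len(parts) < 4:
            raise ValueError(f"malformed saprouttab entry: {raw!r}")
        entries.append(Entry(parts[0], parts[1], parts[2], parts[3],
                             parts[4] if len(parts) > 4 else None))
    return entries


def decide(entries, src, dst, serv, native_sap=True):
    """Return (verdict, index of the deciding entry or None)."""
    for i, e in enumerate(entries):
        if (fnmatchcase(src, e.src) and fnmatchcase(dst, e.dst)
                and fnmatchcase(str(serv), e.serv)):
            if e.kind == "S" and not native_sap:
                return "D", i            # S entry refuses a raw TCP tunnel
            return e.kind, i
    return "D", None                     # implicit deny at the end of the table


def audit(entries):
    """Flag permit entries that admit any source host or non-SAP traffic."""
    findings = []
    for i, e in enumerate(entries):
        if e.kind != "P":
            continue
        if e.src == "*":
            findings.append((i, "permits connections from any source host"))
        if e.serv == "*":
            findings.append((i, "permits any destination port: arbitrary TCP tunnelling"))
        elif e.serv.isdigit() and int(e.serv) not in SAP_PORTS:
            findings.append((i, f"tunnels non-SAP port {e.serv}"))
    return findings


# Constructed sample modelled on the deck's tables; the last two entries are the
# SSH tunnel from the slide and a catch-all permit.
ROUTTAB = """
P 192.168.1.* sapsrv1 3200
S 10.1.*.* 10.1.2.* *
P * SAPsystemA 22
P * * * *
"""
```

Running `audit(parse_routtab(ROUTTAB))` reports the SSH entry and the catch-all; replacing them with a closing `D * * *` makes the same SSH attempt return a deny.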

Page 22

DEMO (Tunneling Protocols)

Page 23

Pentesting SAP – Oracle External Authentication Mechanism: Or… things made easy

Page 24

Oracle External Authentication Mechanism

Oracle is the most used database in SAP implementations.

One of the most common attacks.

It is easy to perform.

Impact: total control over the SAP system.

Based on the abuse of trust relationships between the SAP system and the Oracle database.

Pages 25-27

Oracle external authentication process

Username: <sid>adm

Steps:

1 – The application server logs in the DB server as the <sid>adm user.

2 – SAPSR3’s user password is retrieved from the SAPUSER table (where it is stored encrypted) and decrypted.

3 – The application server logs in the DB server as SAPSR3 using the decrypted password (SAPSR3/<pass>).

Page 28

DEMO (Oracle External Auth.)

Page 29

SAP + Oracle Authentication Procedure

SAP connects to the database as the OPS$<username> user (e.g. OPS$<SID>adm).

Retrieves user and password from table SAPUSER.

Re-connects to the database, using the retrieved credentials.

USERID        PASSWD
SAPSR3-CRYPT  V01/0050ZctvSB67Wv3RWjDBSeLpWwHrWNj05AXb6NEprbkD

Page 30

So, what is all this about the OPS$ Mechanism?

There is a special Oracle configuration parameter named REMOTE_OS_AUTHENT.

If set to TRUE, Oracle “trusts” that the remote system has authenticated the user used for the SQL connection (!)

The user is created as “identified externally” in the Oracle database.

Oracle recommendation: remote_os_authent = false

SAP default and necessary configuration: remote_os_authent = true

Protection: restricting who can connect to the Oracle database:

tcp.validnode_checking = yes
tcp.invited_nodes = (192.168.1.102, …)
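Added example, not from the deck: a small checker for the protection above. It parses constructed sqlnet.ora and init.ora fragments (exact host or IP matching is assumed for tcp.invited_nodes and tcp.excluded_nodes; no CIDR or wildcard forms) to decide which hosts may reach the listener and whether remote_os_authent = true is left without node filtering.

```python
"""Check the listener-side protection for the OPS$ mechanism: Oracle valid node
checking in sqlnet.ora, read together with remote_os_authent from init.ora.

Added example, not the deck's code. Assumed: invited/excluded lists hold exact
IPs or hostnames; when valid node checking is on and an invited list exists,
only invited nodes may connect, otherwise only excluded nodes are refused."""
import re


def parse_kv(text):
    """Parse 'key = value' lines; a value written as '(a, b)' becomes a list."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        m = re.fullmatch(r"\((.*)\)", value)
        params[key.lower()] = ([v.strip() for v in m.group(1).split(",") if v.strip()]
                               if m else value.lower())
    return params


def node_allowed(sqlnet_text, host):
    """May `host` open a connection to the listener at all?"""
    p = parse_kv(sqlnet_text)
    if p.get("tcp.validnode_checking") != "yes":
        return True                       # no filtering: any host may try OPS$
    invited = p.get("tcp.invited_nodes")
    excluded = p.get("tcp.excluded_nodes", [])
    if invited is not None:
        return host in invited            # an invited list wins when present
    return host not in excluded


def audit(sqlnet_text, initora_text):
    """Findings when remote_os_authent=true is not fenced by node checking."""
    findings = []
    p = parse_kv(sqlnet_text)
    i = parse_kv(initora_text)
    if i.get("remote_os_authent") == "true":
        findings.append("remote_os_authent=true: OPS$ users are trusted on the client's word")
        if p.get("tcp.validnode_checking") != "yes":
            findings.append("tcp.validnode_checking is off: any host can present OPS$<SID>adm")
        elif not p.get("tcp.invited_nodes"):
            findings.append("tcp.invited_nodes is empty: restrict it to the application servers")
    return findings


# Constructed sample fragments (not taken from a real system).
WEAK_SQLNET = "tcp.validnode_checking = no\n"
STRICT_SQLNET = "tcp.validnode_checking = yes\ntcp.invited_nodes = (192.168.1.102, appsrv2)\n"
INITORA = "remote_os_authent = TRUE   # the setting SAP requires\n"
```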

Page 31

Pentesting SAP – Gateway: Complex attacks involve complex solutions

Page 32

Interface Security: RFC

The Remote Function Call (RFC) is the most widely used interface in SAP deployments.

Page 33

Advanced Attacks: Setup

Scenario:

We only need to obtain a registered Program ID from the current deployment.

How do we get it?
● Network sniffing (RFC is clear-text!).
● The Gateway Monitor.
● Kidnapping the SAP administrator. (No step-by-step demonstration)

Page 34

Evil Twin

Registration of External Servers can be done remotely.

ACL for the registration process is implemented through the reg_info file.

By default, registration for everyone is allowed. (Registration Party!)

External Servers can register several times with the same Program ID.

ANY External Server can register with that ID!

Attack:
● Connect to licit Registered Server, ID=REG1 (blocking connections).
● Register External Server with ID=REG1.
● Drink some beer while watching calls arriving to our Evil Twin Server...

Page 35

Evil Twin illustrated…

- Legitimate External RFC Server registers at the SAP R/3 Gateway (ID=REG1).
- Innocent lamb connection establishment...
- Client performs RFC call and Server answers politely (RESPONSE).
- An external RFC malicious client/server appears in scene... (don’t be afraid, it’s controlled)
- The attacker connects with the original RFC server, preventing him from serving requests from other clients.
- Now, the same malicious client/server connects with the SAP R/3 Gateway, registering itself with the same ID as the original external server (ID=REG1).
- All future connections to the REG1 server will be attended by the evil one.

Page 36

A Wiser (and Stealthy) Evil Twin: MITM Attacks

Proof of Concept.

Attack:
● Connect to licit Registered Server, ID=REG1 (blocking connections).
● Register External Server with ID=REG1.
● Receive RFC call.
● Log / modify parameter values.
● Use the established connection with the licit Registered Server to forward the (possibly modified) RFC call.
● Get results and send them to the original client.
● Disconnect from the licit Registered Server.
● Back to Step 1.

Page 37

A Wiser (and Stealthy) Evil Twin: MITM Attacks

- So we have the same scenario: legitimate client and External RFC Server (ID=REG1), the SAP R/3 Server and the SAP Gateway.
- Here we go again, blocking valid connections to the innocent External RFC Server.
- Now, the same malicious client/server connects with the SAP R/3 Gateway, and registers itself with the same ID as the original external server.
- This time, every RFC call received is logged/modified and forwarded to the original external server; the modified RFC call goes out and the modified RESPONSE comes back to the client.

Page 38

Attacking the Application Server with a Registered Server

The RFC Interface allows clients / servers to perform “callbacks”.

(Figure: an RFC Client makes an RFC Call to an RFC Server; within Function 1 the server sends data back to the client, whose Client Code runs and sends the result.)

Page 39

Attacking the Application Server with a Registered Server

We can perform “callbacks” to the RFC partner (in this case, the SAP App. Server).

The RFC call is executed in the context of the original R/3 call.

Impact depends on the authorizations of the R/3 user (SAP_ALL?).

Attack:
● Connect to licit Registered Server, ID=REG1 (blocking connections).
● Start an Evil Twin.
● Receive RFC call.
● Perform RFC callback.
● If user has SAP_ALL... Bingo!

Page 40

Attacking the R/3 with a Registered Server

- Yes, again the same scenario: the valid client, the valid External RFC Server (ID=REG1), the SAP R/3 Server and the SAP Gateway.
- Here we are again, blocking valid connections to the innocent External RFC Server.
- Again, the same malicious client/server connects with the SAP R/3 server, and registers itself with the ID of the original external server.
- But now, when an RFC call is received, we perform a (poisoned) RFC callback…
- SAP R/3 Application Server OWNED!!

Page 41

DEMO (Callback)

Page 42

Securing Gateway

secinfo

USER=*, USER-HOST=allowedHost1, HOST=127.0.0.1, TP=sapxpg;
USER=*, USER-HOST=allowedHost2, HOST=sapgw2, TP=sapxpg;
USER=*, USER-HOST=allowedHost3, HOST=sapgw2, TP=someOtherServer;

reginfo

TP=rfcexec NO=1 HOST=localhost ACCESS=serv1 CANCEL=local
TP=reg* NO=1 HOST=serv2 ACCESS=client1 CANCEL=local
TP=adm1 NO=1 HOST=serv2 ACCESS=*.domain CANCEL=local
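Added example, not the deck's code: an evaluation of the reginfo lines above under the old-format semantics assumed in the docstring (TP glob, HOST, NO read as the number of servers that may hold a program ID at once, ACCESS, CANCEL). It shows how HOST and NO=1 stop a second server from registering a program ID that a legitimate server already holds, and how the absence of a reginfo file leaves registration open to everyone.

```python
"""Evaluate SAP Gateway reginfo rules (old, VERSION-less format) for the
registration and access checks that close the Evil Twin. Added example, not the
deck's code. Assumed: first rule whose TP glob matches wins; HOST = hosts that
may register this program ID; NO = how many servers may hold the ID at once;
ACCESS = hosts allowed to call it; CANCEL = hosts allowed to deregister it;
host lists are comma-separated globs, 'local' meaning the gateway host; no
matching rule denies, and no reginfo file at all allows everything."""
from fnmatch import fnmatchcase

LOCAL = ("localhost", "127.0.0.1")   # names we treat as 'local' (assumption)


def parse_reginfo(text):
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        rule = {"HOST": "*", "NO": None, "ACCESS": "*", "CANCEL": "*"}
        for token in line.split():
            key, _, value = token.partition("=")
            rule[key.upper()] = value
        if "TP" not in rule:
            raise ValueError(f"reginfo line without TP: {raw!r}")
        rules.append(rule)
    return rules


def host_in(host, hostlist):
    """Comma-separated glob list; matching is case-sensitive."""
    for pat in (p.strip() for p in hostlist.split(",")):
        if pat == "local":
            if host in LOCAL:
                return True
        elif fnmatchcase(host, pat):
            return True
    return False


def rule_for(rules, tp):
    return next((r for r in rules if fnmatchcase(tp, r["TP"])), None)


def can_register(rules, tp, host, registered):
    """registered maps program ID -> servers currently holding it.
    Returns (allowed, reason)."""
    if rules is None:
        return True, "no reginfo: anyone may register (Registration Party)"
    r = rule_for(rules, tp)
    if r is None:
        return False, "no rule matches this program ID"
    if not host_in(host, r["HOST"]):
        return False, f"host {host} not in HOST={r['HOST']}"
    if r["NO"] is not None and registered.get(tp, 0) >= int(r["NO"]):
        return False, f"NO={r['NO']} server(s) already registered as {tp}"
    return True, "permitted"


def can_access(rules, tp, client_host):
    if rules is None:
        return True
    r = rule_for(rules, tp)
    return r is not None and host_in(client_host, r["ACCESS"])


# Constructed sample: the reginfo lines shown on the slide.
REGINFO = """
TP=rfcexec NO=1 HOST=localhost ACCESS=serv1 CANCEL=local
TP=reg* NO=1 HOST=serv2 ACCESS=client1 CANCEL=local
TP=adm1 NO=1 HOST=serv2 ACCESS=*.domain CANCEL=local
"""
```

Program IDs are matched case-sensitively here, so the slide's `TP=reg*` rule governs an ID such as `reg1`; a twin registering as `reg1` from another host, or as a second holder of the ID from serv2, is refused.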

Page 43

Pentesting SAP – CTC Servlet: SAP goes web… hackers too

Page 44

“My SAP system is only used internally”

While that was true more than a decade ago, now it’s common for SAP systems to be connected to the Internet.

Attackers know how to find them using regular search engines.

If your SAP is not supposed to be public, make sure it’s not there!!

Page 45

Attacking the SAP J2EE Engine

In 2012, SAP released a Security Note which fixes a very critical vulnerability. The vulnerability is based on an old and widespread concept, called “Verb Tampering”. The attack vector involves sending HTTP requests using uncommon HTTP methods, like HEAD, PUT, DELETE...

In the SAP J2EE Engine, applications are configured using an XML file, defining the profiles required to access the application and the “constraints” applying to each HTTP method.

Some applications only restrict access to GET and POST!!! There is a vulnerable application (CTC runtime) that can be bypassed by sending HEAD requests. This application can be used to create users and execute OS commands!!!

So, if a HEAD request is executed targeting one of the vulnerable applications, any security restriction is bypassed, leading to the possibility of user creation or even arbitrary code execution, depending on the vulnerable application.
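Added example, not the deck's code: an audit of a constructed J2EE web.xml (a placeholder application, not SAP's CTC descriptor) that reports, for each protected url-pattern, the HTTP methods its security-constraint leaves unconstrained, which is exactly the gap a HEAD request slips through when only GET and POST are listed.

```python
"""Audit a J2EE web.xml for Verb Tampering exposure.

A <security-constraint> that enumerates <http-method> elements protects only
those methods: a resource listing just GET and POST is reachable with HEAD (or
any other verb) without the <auth-constraint> being enforced. Leaving the
method list empty covers every method. Added example, not the deck's code."""
import xml.etree.ElementTree as ET

ALL_METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE"}


def local(tag):
    return tag.rsplit("}", 1)[-1]        # drop an XML namespace prefix if present


def audit_web_xml(xml_text):
    """Return [(url-pattern, sorted unconstrained methods)] for role-protected resources."""
    root = ET.fromstring(xml_text)
    findings = []
    for sc in root.iter():
        if local(sc.tag) != "security-constraint":
            continue
        # only constraints that actually require a role matter for a bypass
        if not any(local(c.tag) == "auth-constraint" for c in sc):
            continue
        for wrc in sc:
            if local(wrc.tag) != "web-resource-collection":
                continue
            patterns = [e.text.strip() for e in wrc if local(e.tag) == "url-pattern"]
            methods = {e.text.strip().upper() for e in wrc if local(e.tag) == "http-method"}
            if methods:                                   # listed methods only
                gap = sorted(ALL_METHODS - methods)
                findings.extend((p, gap) for p in patterns)
    return findings


# Constructed descriptor with the weak pattern the deck describes (GET/POST only).
WEAK_WEB_XML = """<?xml version="1.0"?>
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin-app/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>administrators</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Hardened form: no method list, so the role applies to every HTTP method.
FIXED_WEB_XML = WEAK_WEB_XML.replace(
    "      <http-method>GET</http-method>\n      <http-method>POST</http-method>\n", "")
```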

Page 46

DEMO (CTC Servlet)

Page 47

Pentesting SAP – Conclusions

Page 48

Conclusions

If not properly protected, SAP systems can be prone to espionage, sabotage and fraud attacks resulting from cyber security breaches.

By securing the environment, it is possible to protect not only the SAP systems but the entire technological infrastructure of the organization.

The SAProuter has to be configured tightly, in order to avoid attacks from untrusted networks, such as the Internet.

The operating system and database represent the base framework for the SAP systems. They must be kept updated (security patches) and configured securely. Access to these layers would result in a complete compromise of the SAP business information.

Page 49

Conclusions

SAP provides a big number of solutions in a highly complex architecture, which must be secured at the application and communication layers.

SAP Web applications usually expose systems to untrusted networks. The universe of possible attackers is highly increased.

The security of the SAP application layer is mandatory. While Segregation of Duties is highly important, it is not enough. By default, many configurations are insecure and must be modified.

The number of SAP security notes has drastically increased over the last years. Their successful implementation should be periodically reviewed.

It’s necessary to assess and secure ALL the systems, not just PRD. Every Landscape, every System, every Client (mandant), every Application Server and every Parameter needs to be properly checked.

Page 50

¿[email protected]

Page 51

Thank you!

Page 52

Pentesting SAP – Extras: Cracking SAP password hashes

Page 53

SAP Password Considerations & Cracking

SAP has implemented different password hashing mechanisms.

Password hashes are stored in tables USR02 and USH02.

CODVN  Description
A      Obsolete
B      Based on MD5, 8 characters, uppercase, ASCII
C      Not implemented
D      Based on MD5, 8 characters, uppercase, UTF-8
E      Reserved
F      Based on SHA1, 40 characters, case insensitive, UTF-8
G      Code Version F + Code Version B (2 hashes)
H      Based on SHA1, random salt, 40 characters, case insensitive, UTF-8
I      Code Version H + Code Version F + Code Version B (3 hashes)

On June 26 2008, a patch for John The Ripper for CODVN B and G was published.

Page 54

Pentesting SAP – Default Passwords

Standard Users and Passwords

SAP creates some users by default:

THESE USERS MUST BE SECURED!

User ID     Description                       Clients          Password
SAP*        Super user                        000, 001, 066    06071992
                                              new clients      PASS
DDIC        ABAP Dictionary super user        000, 001         19920706
EARLYWATCH  User for the EarlyWatch Service   066              SUPPORT
SAPCPIC     Communication User                000, 001         ADMIN
TMSADM      TMS User                          000, 001         PASSWORD