practical pentesting of erps and business applications

Invest in security to secure investments

Prac%cal pentes%ng of ERPs and business applica%ons

Alexander Polyakov, CTO in ERPScan Alexey Tyurin, Director of consul%ng department in ERPScan

About ERPScan

•  The only 360-‐degree SAP Security solu%on -‐ ERPScan Security Monitoring Suite for SAP

•  Leader by the number of acknowledgements from SAP ( 150+ ) •  60+ presenta=ons key security conferences worldwide •  25 Awards and nomina=ons •  Research team -‐ 20 experts with experience in different areas

of security •  Headquarters in Palo Alto (US) and Amsterdam (EU)

2

Agenda

•  Business applica%ons •  EBASS (OWASP-‐EAS) •  ERP Pentes%ng approach •  Pentes%ng SAP NetWeaver JAVA •  Pentes%ng Oracle PeopleSoV

3

Business applica=on security

All business processes are generally contained in ERP systems. Any informa%on an aXacker, be it a cybercriminal, industrial spy

or compe%tor, might want is stored in the company’s ERP. This informa%on can include financial, customer or public

rela%ons, intellectual property, personally iden%fiable informa%on and more. Industrial espionage, sabotage and fraud or insider

embezzlement may be very effec%ve if targeted at the vic%m’s ERP system and cause significant damage to the business.

4

SAP security threats

Espionage

•  Financial Data, Financial Planning (FI) •  HR Data, Personal, Contact Details (HR) •  Customer Lists •  Corporate Secrets (PLM) •  Supplier Tenders (SRM) •  Customer Lists (CRM) Cyber criminals need only to gain access to one of the described

systems to successfully steal cri%cal informa%on.

5


Sabotage •  Denial of service

–  Incurs huge costs •  Data modifica%on to cause damage

–  Delete cri%cal informa%on

•  SCADA connec%ons –  Common to see connec%ons between ERP and SCADA

6


Fraud •  Manipulate automated transac%on systems •  Generate false payments •  Transfer money

Associa(on of Cer(fied Fraud Examiners es(mates that

corpora(ons, on average, lose 7% of revenue to fraud

7

Business applica=on security

•  Complexity Complexity kills security. Many different vulnerabili%es in all levels, from network to applica%on

•  Customiza=on Cannot be installed out of the box. They have many (up to 50%) custom codes and business logic

•  Risky Rarely updated because administrators are scared they can be broken during updates; also, it is down%me

•  Unknown Mostly available inside the company (closed world)

hXp://erpscan.com/wp-‐content/uploads/pres/ForgoXen%20World%20-‐%20Corporate%20Business%20Applica%on%20Systems%20Whitepaper.pdf

8

9

ERP Pentes(ng Approach

EASSEC (OWASP-‐EAS)

•  Enterprise Applica%on SoVware Security project •  Founded in 2010 as OWASP-‐EAS •  Published concept and top 10 issues for different areas •  Rebranded to EASSEC in 2013 and updated •  Because it is much more than WEB •  Compliance for SAP NetWeaver ABAP planned for July 2013

Exists to provide guidance to people involved in the procurement, design, implementa(on or sign-‐off of large scale (i.e.'Enterprise') applica(ons. hXp://www.owasp.org/index.php/OWASP_Enterprise_Applica%on_Security_Project hXp://eas-‐sec.org

10

EASSEC

11

•  Network Implementa%on issues (EASSEC-‐NI-‐9-‐2013) •  OS Implementa%on issues (EASSEC-‐OI-‐9-‐2013) •  Database Implementa%on issues (EASSEC-‐NI-‐9-‐2013) •  Applica%on Implementa%on issues (EASSEC-‐AI-‐9-‐2013) •  Frontend Implementa%on issues (EASSEC-‐CI-‐9-‐2013)

EASSEC-‐NI-‐9-‐2013

12

1 Insecurely configured Internet facing applica%ons 2 Vulnerable or default configura%on of routers 3 Lack of proper network filtra%on between EA and Corporate network 4 Lack or vulnerable encryp%on between corporate net and EA Network 5 Lack of frontend access filtra%on 6 Lack of encryp%on inside EA Network 7 Lack of separa%on between Test, Dev, and Prod systems 8 Insecure wireless communica%ons 9 Lack or misconfigured network monitoring

EASSEC-‐OI-‐9-‐2013

13

1 Missing 3rd party soVware patches 2 Missing OS patches 3 Universal OS passwords 4 Unnecessary enabled services 5 Lack of password lockout/complexity checks 6 Unencrypted remote access 7 Insecure trust rela%ons 8 Insecure internal access control 9 Lacking or misconfigured logging

EASSEC-‐DI-‐9-‐2013

14

1 Default passwords for DB access 2 Lack of DB patch management 3 Remotely enabled addi%onal interfaces 4 Insecure trust rela%ons 5 Unencrypted sensi%ve data transport 6 Lack of password lockout and complexity checks 7 Extensive user and group privileges 8 Unnecessary enabled DB features 9 Lacking or misconfigured audit

EASSEC-‐AI-‐9-‐2013

15

1 Lack of patch management 2 Default passwords 3 Unnecessary enabled func=onality 4 Remotely enabled administra=ve services 5 Insecure configura=on 6 Unencrypted communica=ons 7 Internal access control and SoD 8 Insecure trust rela=ons 9 Monitoring of security events

ERP pentes=ng features

•  Deeper knowledge of ERP than normal systems required •  ERP systems are mission cri%cal and cannot be accidentally

taken down (POC exploits are too dangerous) •  Gaining shell / command exec is not the goal

–  The goal is the access to sensi%ve data or the impact on business processes

16

Deeper knowledge

•  Higher difficulty than standard pentests •  Required knowledge of:

–  Business processes –  Business logic –  Exploit tes%ng impact risk assessment –  High end databases –  Numerous (some%mes esoteric) opera%ng systems –  Different hardware plamorms –  Common custom implementa%ons

17

Exploita=on

•  Exploit code is not easily weaponized for ERP •  Payloads have to be adapted

–  Numerous hardware, OS, release version, and DB systems to generate payloads for

–  In some cases, up to 50 different shellcode varia%ons

•  Building a test environment is nearly impossible –  Takes an expert a week to properly install each varia%on –  A year to build a comprehensive test environment

18

Shell

•  A beXer approach required with focus on –  Architecture –  Business logic –  Configura%on

You will get administrator access to business data •  Rather than

–  Program or memory vulnerabili%es You will probably gain access to OS and then need to obtain access to Applica%on

19

Shell

20

Program vulnerabili=es: Architecture flaws:

-‐ Can be patched quickly + Harder to patch and harder to re-‐design (old design – in produc%on for 10 years)

-‐ Need to write & test numerous payloads

+ One vulnerability – one exploit

-‐ AVer gaining OS shell you s%ll need to access data

+ Direct access to applica%on and API (mostly)

+ Easier to find -‐ H a r d e r t o fi n d ( d e e p e r knowledge on the system required)

Architecture issues

•  Informa%on disclosure •  Authen%ca%on bypass

–  This is oVen provided non-‐privileged access •  Improper Access Control

–  This area is mostly covered by Segrega%on of Du%es

•  Undocumented Func%onality –  ERPs have many func%ons created for debug or leV over from old

versions

•  Dangerous Func%onality –  Can be improperly restricted by user accounts with default passwords

•  Insecure Trust Rela%ons –  It is very common to escalate privileges to another system

21

ERPScan Pentes=ng Tool

•  ERPScan's Pentes%ng Tool is a freeware tool that is intended for penetra%on of ERP systems using Black Box tes%ng methods

•  Previous version 0.6 released in 2012 (41 module for SAP) •  Version 1.0 will be released aVer the BlackHat conference and

will contain ~60 modules and tools for SAP and PeopleSoV •  Using ERPScan's SAP Pentes%ng Tool, you can:

–  Obtain informa%on using informa%on disclosure vulnerabili%es; –  Exploit poten%al vulnerabili%es; –  Collect business cri%cal data for reports;

* ERPScan's SAP Pentes(ng Tool is NOT a demo or part of the professional product called

ERPScan Security Monitoring Suite. It is just a number of Perl scripts for penetra(on testers.

22

23

Pentes(ng SAP NetWeaver J2EE

SAP

Вставьте рисунок на слайд, скруглите верхний левый и нижний правый угол (Формат – Формат рисунка), добавьте контур (оранжевый, толщина – 3)

24

•  The most popular business applica%on •  More than 120000 customers worldwide •  74% of Forbes 500 companies run SAP •  Main system – ERP •  3 plamorms

‒  NetWeaver ABAP ‒  NetWeaver J2EE ‒  BusinessObjects

SAP NetWeaver J2EE

•  Addi%onal plamorm

•  Base plamorm for IT stuff. Like:

•  SAP Portal , SAP XI, SAP Solu%on Manager, SAP Mobile, SAP xMII

•  Purpose: Integra%on of different systems

•  If compromised:

•  Stopping of all connected business processes •  Fraud •  Industrial espionage

25

SAP for users

•  Client-‐server applica%on SAP-‐GUI with proprietary DIAG protocol

•  Main func%ons: –  transac=ons executed in SAPGUI –  calling special background func%ons (RFC) remotely

–  modifying code of transac%ons or RFC func%ons using ABAP language

–  using web interfaces like Web Dynpro or BSP in some applica%ons, like SRM

26

27

0

100

200

300

400

500

600

700

800

900

2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014

By 2014 -‐ 2800 SAP Security notes

SAP vulnerabili=es

J2EE pla`orm architecture

28

J2EE pla`orm services

Service Name Port Number Default Value Range (min-‐max)

Enqueue server 32NN 3201 3200-‐3299 HTTP 5NN00 50000 50000-‐59900

HTTP over SSL 5NN01 50001 50001-‐59901

IIOP 5NN07 50007 50007-‐59907

IIOP Ini%al Context 5NN02 50002 50002-‐59902

IIOP over SSL 5NN03 50003 50003-‐59903

P4 5NN04 50004 50004-‐59904

P4 over HTTP 5NN05 50005 50005-‐59905

P4 over SSL 5NN06 50006 50006-‐59906

Telnet 5NN08 50008 50008-‐59908

Log Viewer control 5NN09 50009 50009-‐59909

JMS 5NN10 50010 50010-‐59910

29

Preven=on

30

Preven%on: •  Deny access to open ports from users subnet (except 5NN00). Only administrators must have access. •  Disable unnecessary services

User management

31

•  UME: User management engine. Using UME, you can manage all user data through web interface: hXp://server:port/useradmin

•  SPML: Service Provisioning Markup Language (SPML). A new unified interface for managing UME: hXp://server:port/spml/spmlservice

Authen=ca=on

32

•  Declara=ve authen=ca=on: -  The Web container (J2EE Engine) handles authen%ca%on -  Example: J2EE Web applica%ons

•  Programma=c authen=ca=on. -  Components running on the J2EE Engine authen%cate directly against

User Management Engine (UME) using the UME API. -  Example: Web Dynpro, Portal iViews

J2EE Engine services

•  SAP NetWeaver HTTP (webserver) •  SAP Visual Admin (P4) •  SAP J2EE Telnet •  SAP Log Viewer •  SAP Portal •  SAP SDM

33

SAP NetWeaver web server

34

SAP HTTP Services can be easily found on the Internet: •  inurl:/irj/portal •  inurl:/IciEventService sap •  inurl:/IciEventService/IciEventConf •  inurl:/wsnavigator/jsps/test.jsp •  inurl:/irj/go/km/docs/

A lot of results

35

SAP NetWeaver 7.2

36

1200 web applica%ons

Vulnerabili=es

37

•  Informa%on disclose •  SMBRelay •  XSS •  CSRF •  Auth bypass Verb Tampering •  Auth bypass Invoker Servlet •  XXE/SSRF


38

•  Applica%on service with J2EE support •  It is like Apache Tomcat but 100 %mes more complex •  Supports different SAP web service types:

-  Web Dynpros -  JSPs -  J2EE web applica%ons -  Java Beans -  SOAP web services -  Portal iViews

•  By default, a lot of test applica%ons installed


39

Demonstra=on of acacks by ERPScan Pentes=ng Tool •  Informa%on disclosure •  CTC web service auth bypass •  Log Viewer aXacks •  P4 password decryp%on •  Breaking connected ABAP systems

Informa=on disclosure

40

•  Kernel or applica%on release and SP version. DSECRG-‐11-‐023, DSECRG-‐11-‐027, DSECRG-‐00208

•  Applica%on logs and traces DSECRG-‐00191, DSECRG-‐11-‐034

•  Username DSECRG-‐12-‐028

•  Internal port scanning, Internal user bruteforce DSECRG-‐11-‐032, DSECRG-‐00175

Inf. disclosure in REP (DSECRG-‐11-‐023)

41

Inf. disclosure in BCB (DSECRG-‐11-‐027)

42

Preven=on

43

•  Install SAP notes: 1503856,1548548, 581525,1503856,1740130, 948851,1619539,1545883

•  Update the latest SAP notes every month •  Disable unnecessary applica%ons

CTC authen=ca=on bypass

44

WEB.XML file is stored in WEB-‐INF directory of applica%on root.

<security-constraint>!<web-resource-collection>!<web-resource-name>Restrictedaccess</web-resource-name>!<url-pattern>/admin/*</url-pattern>!<http-method>DELETE</http-method>!</web-resource-collection>! !<auth-constraint> !<role-name>admin</role-name> !</auth-constraint>!</security-constraint>!!


45

<security-constraint> <web-resource-collection> <web-resource-name>Restrictedaccess</web-resource-name> <url-pattern>/admin/*</url-pattern> <http-method>GET</http-method> </web-resource-collection> <auth-constraint> <role-name>admin</role-name> </auth-constraint> </security-constraint>

What if we use HEAD instead of GET ?


46

•  Must use the security control that lists HTTP verbs (DONE) •  Security control fails to block verbs that are not listed (DONE) •  GET func%onality will be executed with an HEAD verb (DONE) •  SAP NetWeaver J2EE engine has all these features!!!


•  Administra%ve interface for managing J2EE engine (CTC) •  Can be accessed remotely •  Can run user management ac%ons

-  Create new users -  Assign any roles to them -  Execute OS commands on the server side -  Create RFC des%na%ons -  Read RFC des%na%ons info

47

48

DEMO

Preven=on

49

Preven%on: •  Install SAP notes 1503579, 1616259, 1589525, 1624450 •  Scan applica%ons using ERPScan WEB.XML check tool or

manually •  Secure WEB.XML by dele%ng all <hXp-‐method> •  Disable applica%on that are not necessary

SAP VisualAdmin

50

•  SAP Visual Admin: a remote tool for controlling J2EE Engine •  Uses the P4 protocol – SAP’s proprietary •  By default, all data transmiXed in cleartext •  P4 can be configured to use SSL to prevent MitM •  Passwords transmiXed in some sort of encryp%on •  In reality, it is some sort of Base64 transform with known key

VisualAdmin protocol

51

Insecure password encryp=on in P4

52

/* 87 */ char mask = 43690; /* 88 */ char check = 21845; /* 89 */ char[] result = new char[data.length + 1]; /* */ /* 91 */ for (int i = 0; i < data.length; ++i) { /* 92 */ mask = (char)(mask ^ data[i]); /* 93 */ result[i] = mask; /* */ } /* 95 */ result[data.length] = (char)(mask ^ check); /* */ /* 97 */ return result;

53

DEMO

Preven=on

54

Preven%on: •  Use SSL for securing all data transmi�ng in server-‐server and server-‐client connec%ons hXp://help.sap.com/saphelp_nwpi71/helpdata/de/14/ef2940cbf2195de10000000a1550b0/content.htm

LogViewer acacks

55

•  LogViewer: a special service which can be manually enabled in an SAP system.

•  If LogViewer standalone is installed on SAP server, aXacker can try to remotely register a log file by console command register_log.bat

•  No authen%ca%on needed •  This op%on can be used for SMBRelay aXack •  Port address can be 50109 or 5465 or any custom

56

DEMO

Preven=on

57

Preven%on: •  Install SAP note 1685106 •  Disable applica%ons that are not necessary

Breaking connected ABAP systems

58

•  Major part of penetra%on tes%ng is post-‐exploita%on •  NetWeaver J2EE connected with ABAP stack of other systems

by RFC protocol •  Authen%ca%on data for those connec%ons are stored in J2EE

Engine and can be obtained by using API •  To do that, you need to upload a special service which will call

internal func%ons for obtaining access to RFC connec%ons. •  In most cases, those connec%ons are configured with privileged

users RFC is an SAP interface protocol, which simplifies the programming of communica(on processes between systems

Breaking connected ABAP systems

59

public void getUsers(String _file) throws Exception { ClassLoader origClassLoader = Thread.currentThread().getContextClassLoader(); Thread.currentThread().setContextClassLoader(getClass().getClassLoader()); InitialContext ctx = new InitialContext(); Object obj = ctx.lookup("rfcengine"); RFCRuntimeInterface runtime = (RFCRuntimeInterface)ctx.lookup("rfcengine"); BundleConfiguration bundle = new BundleConfiguration(); String text = "Users: \n\n"; BundleConfiguration[] bundles = runtime.getConfigurations(); for (int i = 0; i < bundles.length; i++) { text = text + "LogonUser \t" + bundles[i].getLogonUser() + "\n"; text = text + "LogonPassword \t" + bundles[i].getLogonPassword() + "\n"; text = text + "SystemNumber \t" + bundles[i].getSystemNumber() + "\n"; text = text + "LogonClient \t" + bundles[i].getLogonClient() + "\n\n"; } save(text, _file); Thread.currentThread().setContextClassLoader(origClassLoader); }

60

DEMO

Preven=on

61

Preven%on: •  Install SAP notes 1503579, 1616259 •  Disable applica%ons that are not necessary •  Don’t store cri%cal accounts in RFC des%na%ons, especially

from less cri%cal systems to more cri%cal

62

Pentes(ng Oracle PeopleSoT

Agenda

•  Introduc%on to Oracle PeopleSoV

•  PeopleSoV Internet Architecture

•  Introduc%on to PeopleSoV Security

•  Assessing PeopleSoV using EBASS (OWASP-‐EAS)

•  A lot of DEMOs…

63

What is it?

•  Oracle PeopleSoV Apps: HRMS, FMS, SCM, CRM, EPM •  Can work as one big portal or separately •  Many implementa%ons

64

PeopleSof Internet Architecture

•  Many applica%ons, but they have one architecture •  PeopleSoV Internet Architecture

–  Internet oriented since version 8

•  Based on several special core technologies

65


PeopleTools: •  Technology •  Developer tools •  Framework •  PeopleCode All of the applica%ons are created using PeopleTools.

66


PeopleCode: •  object-‐oriented proprietary (case-‐insensi%ve) language •  used to express business logic for PeopleSoV applica%ons •  PeopleCode syntax resembles other programming languages •  fundamentals of objects and classes are the same as in Java

67


68


Components: •  Web browser •  Web server •  Applica%on server •  Batch server •  Database server

69


70


•  Web server –  WebLogic /WebSphere –  PS Servlets –  Forwards request from a browser to an App Server

•  Applica%on server –  PS Services + Tuxedo + Jolt –  Business logic, SQL transac%on management, Transport

•  Database server –  System Tables, PeopleTools metadata , PeopleSoV applica%on data

71


Another view:

72


•  Users (web browser) – All common web technologies – A single escala%on point for common and administra%ve goals

•  Developers (PeopleTools) – 2-‐Tier – direct connec%on to DBMS – 3-‐Tier – connec%on through Applica%on Server. Special ports WSH, WSL. Essen%ally, basic SQL requests which are forwarded to DBMS by Applica%on Server

•  External systems – Different web services (SOAP, XML) for a cross-‐system integra%on

73


74


Basic role model: •  Permission Lists

–  Permission lists are the building blocks of user security authoriza%on •  Roles

–  A role is a collec%on of permission lists

•  User Profile –  The user profile specifies a number of user aXributes, including one or

more assigned roles

75


Authen=ca=on process and terms: •  User logs in with their User ID and password. •  Applica%on Server uses Connect ID to connect to DBMS.

–  This account has limited rights in DBMS. It is used to retrieve the u=User ID and password, which are then compared to the user’s input

•  If successful, the system takes Symbolic ID (associated with) User ID.

•  The system uses Symbolic ID to find in PSACCESSPRFL the necessary Access ID and the password. This account is privileged.

•  The system reconnects to DBMS using Access ID.

* Passwords are encrypted.

76

EASSEC-‐AI-‐9-‐2013

77

1 Lack of patch management 2 Default passwords 3 Unnecessary enabled func%onality 4 Remotely enabled administra%ve services 5 Insecure configura%on 6 Unencrypted communica%ons 7 Internal access control and SOD 8 Insecure trust rela%ons 9 Monitoring of security events

78

1.   Lack of patch management

PeopleSof Vulns

Some vulns every year, but no info for pentes%ng…

79

PeopleSof DoS

•  old research •  buffer overflow in login process!!! •  we can control the return address •  but stack cookie… so only DoS

* Do you think it is secure Java? No, there are too many crashes J

80

0-‐=me

+ a lot of 0-‐days aVer our last research wait un=l show =me…

81

Subcomponents

A strange finding: Apache Axis 1.4 is from 2006. Is it not too old? What about CVE CVE-‐2012-‐5785 or CVE-‐2012-‐4418, which exist in

Axis 2? Needs deeper tes%ng…

82

2. Default passwords for applica=on access

83

Default accounts

Some of them: •  people:peop1e – DB •  PS:PS – super PS user (also VP1:VP1) •  “password” for many web services •  “dayoff” for a Portal servlet

Ex: psp/[site]/?cmd=viewconfig&pwd=dayoff – to see configs Different way: non-‐standard Weblogic accounts: •  system: Passw0rd (password) – main administrator •  operator: password – operator role •  monitor: password – monitor role

* The password of “system” is oVen changed to that of “PS”

84

85

3. Unnecessary enabled applica=on features

Features

Some of PS: •  Business Interlinks •  Integra%on Gateway •  PeopleSoV Online Library •  PeopleSoV Repor%ng Some of WebLogic: •  UDDI Explorer •  WebLogic web services

86

New inputs

But much more when we look closely (some of them):

87

4. Open remote management interfaces

88

PeopleSof App

Debug commands for the Portal sevlet: •  ?cmd=viewconfig&pwd=dayoff •  ?cmd=reloadconfig&pwd=dayoff •  ?cmd=viewsprop&pwd=dayoff •  ?cmd=debugCache&pwd=dayoff •  ?cmd=purge&pwd=dayoff •  ?cmd=rese�meout&pwd=dayoff •  ?cmd=resetlog&pwd=dayoff •  ?cmd=manifestCache&pwd=dayoff

89

WebLogic

•  WebLogic admin “/console” •  On the same port with PeopleSoV applica%on by default •  Anyone can try to access the inside with default accounts

90

WebLogic

And what about the T3 protocol? Remote management of interfaces

91

WebLogic

•  Non-‐default is fine too •  informa%on from SNMP “public”

92

5. Insecure op=ons

93

Accounts

•  Large enterprise systems. •  There are a lot of accounts which we can bruteforce…

94

Encryp=on

Encryp%on of password in config files: •  Some passwords of PeopleSoV are stored in plaintext •  Some – DES •  Some – 3DES •  Some – AES (Weblogic) DES •  The key for DES is hardcoded •  Was used for encryp%on in the older systems •  Has no ID at the beginning (such as “{V1.1}”)

95

Encryp=on

3DES •  The key for 3DES is standard by default. •  You can check it. The string “{V1.1}” before an encrypted

password shows the key is default. •  AVer each key regenera%on, the number is changed (1.2,

1.3…). •  Do you regenerate it? AES •  If you want to decrypt with AES, you need

SerializedSystemIni.dat. •  You can understand that it is AES by the “{AES}” string in the

beginning of an encrypted password.

96

7. Unencrypted communica=ons

97

Communica=ons

General problem with communica%ons: •  User or Remote system to Web Server:

HTTP and HTTPS are both used by default in PeopleSoV apps. HTTP has no encryp%on.

•  Applica=on server to RDBMS and Developer to RDBMS (2-‐

=er): By default, there is no encryp%on. In some RDBMS (like MS SQL) we can grab creden%als very easily.

98

Non-‐standard

•  JOLT (between Web server and Applica=on server):

By default, there is no encryp%on. Default ports: TCP/9001-‐9005. It looks like HTTP traffic, but it’s a liXle bit weird.

99

Jolt Request

100

Jolt Reply

101

Non-‐standard

•  Developer through Applica=on Server to RDBMS (3-‐=er)

By default, there is no encryp%on. Default ports: TCP/7001-‐7005. It looks like plaintext SQL queries.

102

WSL Request

103

104

Pentest

Ports

105

Default ports

•  80, 443 – both ports – WebLogic / PeopleSoV •  3050 – Tuxedo (not used in PS) •  7000 – WSL – distributes connec%ons on WSH •  7001-‐7005 – WSH – a port on the applica%on server for

developers (3-‐%er) •  7180, 7143 – PS REN server (Real-‐%me EventNo%fica%on) •  9000 – JSL – distributes connec%ons on JSH (jolt) •  9001-‐9005 – a port on the applica%on server for Jolt

connec%ons from the web server •  9500 – PS Debugging port – a port on the applica%on server

(non default) •  9100 – Jolt relay (non default)

106

Google Dorks

•  filetype:GBL peoplesoV

•  peoplesoV inurl:cmd=login

•  in%tle:"PeopleSoV Enterprise Sign-‐in"

•  in%tle:"WebLogic Server" in%tle:"Console Login" inurl:console

•  "Welcome to Weblogic Applica%on Server" PeopleSoV

107

Google Dorks

108

Detect

•  PS can be “hidden” very well and look totally unlike itself

–  Filetype: GBL

–  A lot of JavaScripts with version informa%on

–  Cookie with PORTAL-‐PSJSESSIONID

–  Cookie PSTOKEN

–  Cookie PSLOGINLIST

109

Default inputs

•  A lot of input spots. Scan them!

110

Default inf disclosure

•  Some of them:

111

Default accounts

•  WebLogic account bruteforcing is blocked by default

•  PS account bruteforcing is not blocked be default

•  auditPWD is not monitored

112

113

DEMO

Strange UDDI explorer

One of input spots:

•  We can scan internal network via SSRF (%me-‐based)

•  We can steal the password of administrator * But who uses this strange thing?

114

115

DEMO

MitM acacks

•  No encryp%on is used for JOLT and WSH by default

•  Let’s look a liXle bit closer at the traffic

116

117

DEMO

Another classic acack

•  Most administra%ve tasks are fulfilled by administrators through the portal. XSS is a beau%ful aXack!

•  Ex. 1 (un%l PT 8.51). PSOL Full Text Search: XSS in every entry field

118

Another classic acack

•  Ex. 2 (PT 8.53): CVE-‐2013-‐3818 Patched in CPU 16 July 2013 (cpujul2013)

hXp://172.16.0.79/CfgOCIReturn.html?&debug=true&domain=aaa%27%3Cimg%20src%3D%22zz%22%20onerror%3Dalert%28%22XSS%22%29%3E

119

True DoS

•  One of input points is Business Interlink

•  No authen%ca%on •  Simple request •  PeopleSoV сrashes (Java, to be precise ;))

120

121

DEMO

DoS?

•  One of input points is Business Interlink

•  No authen%ca%on •  Simple request •  Crashes PeopleSoV

CVE-‐2013-‐3820 Patched in CPU on the 16th of July 2013 (cpujul2013)

122

123

DEMO

XXEs

•  Some of input points: PSIGW/*, Business Interlink, SyncServ

•  !!!No authen%ca%on !!!

•  Common XXE injec%on impact: –  We can read plain text files (not all) –  SSRF –  SSRF+gopher (if JDK <= 1.6) –  SSRF+grab NTLM hashes/SMBRelay (if JDK <= 1.6 and OS = Windows) –  Classic en%%es DoS? + we can list directories and read XML files! (no binary)

CVE-‐2013-‐3800, CVE-‐2013-‐3819, CVE-‐2013-‐3821 Patched in CPU on the 16th July 2013 (cpujul2013)

124

Whatever do we read?

•  Configura%on files that can store plaintext passwords: hcmss.dms, create_accessid.sql , connect_2005.sql, psprcs.cfg, hcengl.log, dbsetup.xml, psappsrv.cfg, resetpswd.dms, hcora.dms, connect.sql, pswinclt.cfg * They mostly belong to Connec%on ID. But there are some PS too. •  Configura%on files that can store encrypted passwords (DES, 3DES, AES): configuration.properties, gatewayUserProfile.xml, integrationGateway.properties, config.xml, security.xml, DefaultAuthenticatorInit.ldif, boot.properties, nm_password.properties * They mostly belong to web service. But they can fit forPS too.

125

Whatever do we read? Issues

•  Not all of the listed files can be read by reading data from the web server

•  Passwords from WebLogic accounts are AES-‐encrypted, the key is in the binary file

•  If the administrator re-‐generated keys to 3DES ({V1.2},{V1.3 …), the key is also in a binary file which cannot be read through XXE

•  Theore%cally, the private SSL key can be read and used for

MitM aXacks, but it has to be stored in plain-‐text. By default, it is stored in Java storage (binary)

126

Acack!

1)  Read Connec%on ID and aXack through the database. It is possible to download user hashes and bruteforce them, for example.

2)  From the mul%tude of configura%on files, we can retrieve various accounts (in the case of v. 1.1 or an old PT version with DES) and use it to find the password for the PS acount in Portal.

3)  We can read the file nm_password.proper%es of WebLogic, which stores the hash of the node manager password (similar to the password of the user “system” in WebLogic by default).

127

Bonus (T3 protocol)

A funny case: •  Access to the console is blocked by WAF •  But we know that the console shares a port with PS Portal by

default •  We have a WebLogic account. But what exactly do we do?

128

Bonus (T3 protocol)

A funny case: •  Access to the console is blocked by WAF •  But we know that the console shares a port with PS Portal by

default •  We have a WebLogic account. But what exactly do we do?

•  !!!Use the T3 protocol!!! •  T3 is the RMI to WebLogic. It can be used to execute any

administra%ve ac%ons including applica%on deployment •  It shares a port with console •  It is not the HTTP protocol and thus not blocked by WAF

129

130

DEMO

131

Pentes(ng MicrosoT Dynamics GP

What is it?

•  MicrosoV Dynamics GP is ERP or accoun%ng soVware •  Many implementa%ons: about 430000 companies

Img from hXp://www.calszone.com

132

Architecture

Based on www.securestate.com/Downloads/whitepaper/Cash-‐Is-‐King.pdf

133

Features

•  Fat client

•  Web is only for info and repor%ng

•  Dexterity language

•  The security depends on the security of SQL Server

•  MicrosoV Dynamics GP does not integrate with Ac%ve Directory

134

Security

Role model: •  Security Tasks •  Security Roles •  Users

Features: •  sa •  DYNSA •  DYNGRP •  System password •  SQL users

135

inSecurity

•  All the security of Dynamics relies on the visual restric%ons of the fat client

•  In fact, all users have the rights to the companies’ databases and to DYNAMICS

•  The only obstruc%on: impossible to connect to the SQL server directly. How to bypass it?

136

inSecurity

•  Reverse engineering to understand the password “encryp%on” algorithm

•  A MitM aXack on ourselves

MS SQL server does not encrypt the process of authen%ca%on af a few bytes are replaced upon connec%on!

* The method itself is described and implemented into a Metasploit Framework module that works like a charm: hXp://f0rki.at/microsoV-‐sql-‐server-‐downgrade-‐aXack.html ** It is a feature, not a bug, and MicrosoV is not going to correct it

137

What’s next?

•  Full access to the company’s informa%on in the database For example, privilege escala%on. But a research called “Cash is King” describes subtler methods: hXp://marke%ng.securestate.com/cash-‐is-‐king-‐download-‐our-‐free-‐whitepaper •  AXack on OS For example, if the SQL server is launched under a privileged user account, we can ini%ate a connec%on to our host using stored procedures (xp_dirtree) because we have the rights of the “public” role. The result will be a hash which can be used in a bruteforce aXack. If Dynamics GP uses a cluster of SQL servers (it happens some%mes), we can conduct an SMB Relay aXack on the same server (MS08-‐068 will not work here). The result will be a shell on the cluster :)

138

139

DEMO

Conclusion

It is possible to be protected from almost all those kinds of issues and we are working hard to make it secure

Guides

EAS-‐SEC project

Regular security assessments

Code review

Monitoring technical security

Segrega=on of du=es

Future work

I'd like to thank SAP's Product Security Response Team for the great coopera(on to make SAP systems more secure. Research is always ongoing, and we can't share all of it today. If you want to be the first to see new aXacks and demos, follow us at @erpscan and aXend future presenta(ons:

•  September 12-‐13 SEC-‐T Conference (Stockholm, Sweden) •  September 21 HackerHalted Conference (Atlanta, USA) •  October 7-‐8 HackerHalted Conference (Reykjavik, Iceland) •  October 30-‐31 RSA Europe (Amsterdam, Netherlands) •  November 7-‐8 ZeroNights (Moscow, Russia)

Greetz to our crew who helped

practical pentesting of erps and business applications

Software

ons alexanderpolyakov

ons researchteam

ons commontoseeconnec

ons ebassowaspeas erppentes

agenda businessapplica

ngof erpsandbusiness

ngapproach pentes

ngsapnetweaverjava pentes