SAP, dos, dos, race conditions => rce. Dmitry Chastuhin, Dmitry Yudin

Transcription

1 SAP, dos, dos, race conditions => rce Dmitry Chastuhin, Dmitry Yudin 1

2 About us Yet another security researcher Business application security expert ERPScan Wiem, jak korzystać z tłumaczami 2

3 About us Reverse engineer Security researcher ERPScan 3

4 About ERPScan The only 360-degree SAP security solution: ERPScan Security Monitoring Suite for SAP Leader by the number of vulnerabilities in SAP and Oracle (500+) 100+ presentations key security conferences worldwide 30+ awards and nominations Research team: 20 experts with experience in different areas of security Headquarters Amsterdam (EU), offices in USA, Australia, Denmark 4 4

5 About what? No blah-blah-blah about how important it is to spend time and money on SAP security (critically important) No blah-blah-blah about best practices No Junk Hacking Just a little story how we got yet another RCE in SAP 5

6 SAP 6

7 Target SAP and WEB? XSS, CSRF, double blind self clickjacking, whatever SAP and ABAP/JAVA? RFC, servlets, ABAP code, transactions SAP and additional services? Log Viewer, SDM, notepad, archives Try to implement some reverse engineering to core binary file 7

8 DISP+WORK.EXE dw - disp+work - Dispatcher & Workprocess - "The complete Kernel" - Here the complete ABAP is processed... 8

9 DISP+WORK.EXE Binary has a considerable size: 51 M 9

10 DISP+WORK.EXE Binary has a considerable size: 51 M Ida db size: 133 M 10

11 DISP+WORK.EXE Binary has a considerable size: 51 M Ida db size: 133 M Difficult debug network communication 11

12 DISP+WORK.EXE Difficulties with debug network communication Even a child can process request: difficult guess the pid of process 12

13 DISP+WORK.EXE 13

14 14

15 Instance profile cfg rdisp/trace = 2 rdisp/trace_resolution = 2 rdisp/trace_logging = on rdisp/trace_hide_sec_data = off rdisp/trace_comps = 2 enque/trace = 2 alert/trace = 2 service/trace = 2 rdisp/configurable_wp_no = 0 rdisp/wp_max_no = 0 rdisp/wp_no_dia = 1 rdisp/wp_no_btc = 0 rdisp/wp_no_vb = 0 rdisp/wp_no_vb2 = 0 rdisp/wp_no_spo = 0 15

16 Instance profile cfg rdisp/trace = 2 rdisp/trace_resolution = 2 rdisp/trace_logging = on rdisp/trace_hide_sec_data = off rdisp/trace_comps = 2 enque/trace = 2 alert/trace = 2 service/trace = 2 rdisp/configurable_wp_no = 0 rdisp/wp_max_no = 0 rdisp/wp_no_dia = 1 rdisp/wp_no_btc = 0 rdisp/wp_no_vb = 0 rdisp/wp_no_vb2 = 0 rdisp/wp_no_spo = 0 Number of configurable work processes 16

17 17

18 Actually it can be processed by one worker. 18

19 By only one worker But 19

20 DISP+WORK.EXE Where is jstart??? 20

21 Before 21

22 After Yoo-hoo, JSTART?!?? 22

23 DISP+WORK.EXE JSTART 23

24 Reverse engineering of DISP+WORK.EXE GOAL 24

25 Reverse engineering of DISP+WORK.EXE But It s too difficult It s too big I m too lazy RCE takes too much time 25

26 Reverse engineering of DISP+WORK.EXE But It s too difficult It s too big I m too lazy RCE takes too much time (maybe) 26

27 SEEK AND DESTROY How about some new targets? 27

28 SEEK AND DESTROY Disp+work here the complete ABAP is processed Gwrd SAP gateway Icman (icm) SAP Web Application Server Jstart SAP AS Java Instance Sapstart SAP starter Igswd_mt SAP IGS (Internet Graphics Service ) Igsmux_mt SAP IGS Igspw_mt SAP IGS 28

29 29

30 SAPSTARTSRV HOW ABOUT SAPSTARTSRV 30

31 SAPSTARTSRV SAP Management Console 31

32 SAPSTARTSRV 15M LISTEN tcp :5NN13 SOAP SAPControl:OSExecute But We need authentication 32

33 Reverse engineering of SAPSTARTSRV IsTrustedInternalConnect() JsfOpenShm() JsfCheckShmKeyString() JsfCloseShm() 33

34 Reverse engineering of SAPSTARTSRV IsTrustedInternalConnect() Hardcoded user names {2D4A6FB8-37F1-43d7-88BE-AD279C89DCD7} User name for requests with a temporary local logon tickets. {221BA44F-F88E-4166-BB2B-E B86A} UNDOCUMENTED HARDCODED USER NAME 34

35 Reverse engineering of SAPSTARTSRV IsTrustedInternalConnect() How about a hardcoded password? 35

36 Reverse engineering of SAPSTARTSRV IsTrustedInternalConnect() How about a hardcoded password? 36

37 SHM IsTrustedInternalConnect() JsfOpenShm() JsfCheckShmKeyString() JsfCloseShm() 37

38 SHM IsTrustedInternalConnect() JsfOpenShm() JsfCheckShmKeyString() JsfCloseShm() 38

39 SHM What is SHM? 39

40 Shared memory SHM - Shared Memory is an efficient means of passing data between programs. One program will create a memory portion which other processes (if permitted) can access. 40

41 Shared memory IsTrustedInternalConnect() JsfOpenShm() JsfCheckShmKeyString() JsfCloseShm() 41

42 Shared memory IsTrustedInternalConnect() JsfOpenShm() - ok JsfCheckShmKeyString() JsfCloseShm() 42

43 Shared memory IsTrustedInternalConnect() JsfOpenShm() - ok JsfCheckShmKeyString() JsfCloseShm() - ok 43

44 Shared memory IsTrustedInternalConnect() JsfOpenShm() - ok JsfCheckShmKeyString() -??? JsfCloseShm() - ok 44

45 Shared memory JsfCheckShmKeyString() What is this key? Is this key static? Can we guess this key (if not static)? Can we brut this key? 45

46 Shared memory JsfCheckShmKeyString() What is this key? password for authentication on SAPSTARTSRV Is this key static? Can we guess key (if not static)? Can we brut this key? 46

47 Shared memory JsfCheckShmKeyString() Is this key static? No Rng_PseudoRandomInit Rng_PseudoRandom Rng_CompleteUpdate Key len 36 bytes Can we guess this key (if not static)? Can we brut this key? 47

48 Shared memory JsfCheckShmKeyString() Is this key static? No Rng_PseudoRandomInit Rng_PseudoRandom Rng_CompleteUpdate Key len 36 bytes Can we guess this key (if not static)? - No Can we brut this key? 48

49 Shared memory JsfCheckShmKeyString() Is this key static? No Rng_PseudoRandomInit Rng_PseudoRandom Rng_CompleteUpdate Key len 36 bytes Can we guess this key (if not static)? - No Can we brut this key? - No 49

50 Shared memory JsfCheckShmKeyString() 50

51 ShmKey BUT 51

52 ShmKey 52

53 ShmKey if we try to debug a little 53

54 authbypassosexec_poc.py 54

55 DEMO 1 55

56 ShmKey Random ShmKeyStrting is xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaax 56

57 ShmKey Random ShmKeyStrting is xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaax 57

58 ShmKey Random ShmKeyStrting is xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaax 58

59 Random ShmKey AWESOME 59

60 ShmKey Why? xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaax 60

61 JsfCheckShmKeyString() Read raw (binary) key from shm memory Convert key to readable format Add x to end and x to begin of key (why?) Check key with user input Return result 61

62 SHM 62

63 In our case xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaax is a printable presentation of raw key Hex dump:

64 64

65 In our case xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaax is a printable presentation of raw key Hex dump: Some shared memory problems? 65

66 Random ShmKey Do you remember 66

67 Random ShmKey Do you remember profile cfg 67

68 Random ShmKey Do you remember profile cfg jstart what never started 68

69 Instance profile cfg rdisp/trace = 1337 rdisp/trace_resolution = 1337 rdisp/trace_logging = on rdisp/trace_hide_sec_data = off rdisp/trace_comps = 7 enque/trace = 7 alert/trace = 7 service/trace = 7 rdisp/configurable_wp_no = 0 rdisp/wp_max_no = 0 rdisp/wp_no_dia = 1 rdisp/wp_no_btc = 0 rdisp/wp_no_vb = 0 rdisp/wp_no_vb2 = 0 rdisp/wp_no_spo = 0 69

70 Instance profile cfg #rdisp/trace = 1337 #rdisp/trace_resolution = 1337 #rdisp/trace_logging = on #rdisp/trace_hide_sec_data = off #rdisp/trace_comps = 7 #enque/trace = 7 #alert/trace = 7 #service/trace = 7 #rdisp/configurable_wp_no = 0 #rdisp/wp_max_no = 0 #rdisp/wp_no_dia = 1 #rdisp/wp_no_btc = 0 #rdisp/wp_no_vb = 0 #rdisp/wp_no_vb2 = 0 #rdisp/wp_no_spo = 0 70

71 Instance profile cfg #rdisp/trace = 1337 #rdisp/trace_resolution = 1337 #rdisp/trace_logging = on #rdisp/trace_hide_sec_data = off #rdisp/trace_comps = 7 #enque/trace = 7 #alert/trace = 7 #service/trace = 7 #rdisp/configurable_wp_no = 0 #rdisp/wp_max_no = 0 #rdisp/wp_no_dia = 1 #rdisp/wp_no_btc = 0 #rdisp/wp_no_vb = 0 #rdisp/wp_no_vb2 = 0 #rdisp/wp_no_spo = 0 + RESTART WHOLE SYSTEM (OS) 71

72 Random ShmKey After restart 72

73 Random ShmKey After restart Jstart started 73

74 Random ShmKey After restart Jstart started Random ShmKeyStrting indeed random 74

75 Random ShmKey After restart Jstart started Random ShmKeyStrting indeed random This key is NOT working xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaax 75

76 Random ShmKey 76

77 HOW CONVERT THIS BUG TO REMOTE RCE WITHOUT LOCAL PF MODIFICATION? 77

78 HOW ABOUT JSTART 78

79 79

80 HOW ABOUT JSTART Plan A: Run authbypassosexec_poc.py (with magic key ) 80

81 HOW ABOUT JSTART Plan A: Run authbypassosexec_poc.py (with magic key ) try to kill jstart 81

82 HOW ABOUT JSTART Plan A: Run authbypassosexec_poc.py (with magic key ) try to kill jstart (now only local) 82

83 HOW ABOUT JSTART Plan A: Run authbypassosexec_poc.py (with magic key ) try to kill jstart (now only local) $ killall r jstart -9 83

84 AND 84

85 85

86 PLAN B Ok, time for plan B 86

87 PLAN B Plan B 87

88 PLAN B ICMAN 88

89 PLAN B 89

90 PLAN B Q: How do you think it killed both jstart and icman at the same time? 90

91 PLAN B A: 91

92 PLAN B 92

93 PLAN B ICMAN $ authbypassosexec_poc.py $ killall -r icman -r jstart -9 93

94 DEMO 2 94

95 REMOTE RCE PLAN Run authbypassosexec_poc.py (with a magic key) 95

96 REMOTE RCE PLAN Run authbypassosexec_poc.py (with magic key) Find remote DoS for jstart 96

97 REMOTE RCE PLAN Run authbypassosexec_poc.py (with magic key) Find remote DoS for jstart Find remote DoS for icman 97

98 JSTART JSTART Application server for Java 98

99 JSTART DoS after 3 days 99

100 JSTART DoS DoS after 3 days Possible race condition 100

101 JSTART DoS DoS after 3 days Possible race condition Jstart restart after a crash 101

102 JSTART DoS DoS after 3 days Possible race condition Jstart restart after a crash EASY TARGET ^_^ 102

103 JSTART DoS Multiply request: "\x00\x00\x00\x1cni_rterr\x00y\x04\x00\x00asd\x00\x00\x00\x04daaaaaaa 103

104 ICM ICM 104

105 ICM ICM 105

106 ICM ICM 106

107 ICM ICM in the SAP NetWeaver Application Server. The ICM is a component of the SAP NetWeaver Application Server. It is implemented as a separate process, which is started and monitored by the ABAP dispatcher. One of core component of SAP 107

108 ICM Binary name icman.exe Size 5.7M IDA db ~ 100M One of core components of SAP => thoroughly audited 108

109 ICM ICM (icman) cve details 109

110 ICM ICM (icman) cve details Last DoS found in

111 ICM ICM (icman) cve details Last DoS found in 2014 via unknown vectors 111

112 ICM DoS DoS after Not so easy

113 ICM DoS After 113

114 ICM DoS 35 days 114

115 ICM DoS 35 days + some weekends 115

116 ICM DoS Multiple requests : 'get / HTTP/1.0\r\nhost:\r\ncookie: ;\x0c%s\r\n\r\n' % ("\x0c" * 0x1b58) icman restart after a crash 116

117 PROBLEMS Race conditions If We kill jstart before icman => NO RCE Small gap for a magic key between jstart and icman start 117

118 Video 3 - RCE 118

119 Solutions ICM DoS: SAP note (Dmitry Yudin) Jstart DoS: SAP note (Dmitry Yudin) MC auth bypass: SAP note (Dmitry Chastuhin, Dmitry Yudin) 119

120 Conclusion Don t give up. If you can't exploit vulnerability using one issue try to find another way to trigger it Holistic approach + correlation (code, SOD, vulnerabilities) Probably a lot of vulnerabilities still do exist on a binary level of different SAP services Have fun! 120

121 228 Hamilton Avenue, Fl. 3, Palo Alto, CA USA Luna ArenA 238 Herikerbergweg, 1101 CM Amsterdam EU HQ