Uncovering SAP vulnerabilities: Reversing and breaking the Diag protocol

Similar documents
Intercepting SNC-protected traffic

Systems Applications Proxy Pwnage!

Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway

Foreword by Katie Moussouris... Acknowledgments... xvii. Introduction...xix. Chapter 1: The Basics of Networking... 1

Rootkits and Trojans on Your SAP Landscape

Monitoring SAP ENCYCLOPEDIA ... ENCYCLOPEDIA. Monitoring Secrets for SAP. ArgSoft Intellectual Property Holdings, Limited

MWR InfoSecurity Security Advisory. Sophos RMS / TAO Component DoS Vulnerability. 16 th January Contents

Case Studies, Lessons Learned. Ing. Tijl Deneut Lecturer Applied Computer Sciences Howest Researcher XiaK, Ghent University

Preventing vulnerabilities in HANAbased MARCH TROOPERS SECURITY CONFERENCE

Hackveda Training - Ethical Hacking, Networking & Security

WiFuzz: Detecting and Exploiting Logical Flaws in the Wi-Fi Cryptographic Handshake

How were the Credit Card Numbers Published on the Web? February 19, 2004

Fuzzing proprietary SCADA protocols

SAP NetWeaver 04 Security Guide. Network and Communication Security

McAfee Certified Assessment Specialist Network

Protecting SAP HANA from vulnerabilities and exploits. MARCH TROOPERS Security Conference, Heidelberg

9. Wireshark I: Protocol Stack and Ethernet

Drone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created

Bank Infrastructure - Video - 1

Fuzzing Proprietary Protocols

SOLUTION BRIEF CA API MANAGEMENT. Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management

Malware and Vulnerability Check Point. 1. Find Problems 2. Tell Vendors 3. Share with Community

When the Lights go out. Hacking Cisco EnergyWise. Version: 1.0. Date: 7/1/14. Classification: Ayhan Koca, Matthias Luft

Objectives: (1) To learn to capture and analyze packets using wireshark. (2) To learn how protocols and layering are represented in packets.

Smart Fuzzing. Lidong LI & Naijie XU I.

Symantec Ransomware Protection

Hunting crypto secrets in SAP systems. Martin Gallo, Product Owner/Security Researcher

Check Point DDoS Protector Introduction

SAP Web Dispatcher 6.40 for SAP Web AS Java. Jochen Rundholz NW RIG APA

MWR InfoSecurity Security Advisory. IBM WebSphere MQ - rridecompress Remote Denial of Service Vulnerability. 4th March 2010

Frequently Asked Questions WPA2 Vulnerability (KRACK)

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma

CIT 380: Securing Computer Systems. Network Security Concepts

Network Model: Each layer has a specific function.

CTS2134 Introduction to Networking. Module 08: Network Security

Penetration Testing with Kali Linux

DKT 224/3 LAB 2 NETWORK PROTOCOL ANALYZER DATA COMMUNICATION & NETWORK SNIFFING AND IDENTIFY PROTOCOL USED IN LIVE NETWORK

A Framework for Optimizing IP over Ethernet Naming System

Microsoft Office Protected-View Out-Of- Bound Array Access

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

Locking down a Hitachi ID Suite server

9. Security. Safeguard Engine. Safeguard Engine Settings

Wireless LAN Security. Gabriel Clothier

Activating Intrusion Prevention Service

Security Testing Summary of Konica Minolta bizhub vcare 2.8 Device Management and Communications System and Various bizhub Products

Man-In-The-Browser Attacks. Daniel Tomescu

ECCouncil Exam v8 Certified Ethical Hacker v8 Exam Version: 7.0 [ Total Questions: 357 ]

How to perform the DDoS Testing of Web Applications

Cyber Security & Ethical Hacking Training. Introduction to Cyber Security Introduction to Cyber Security. Linux Operating System and Networking: LINUX

Scribe Notes -- October 31st, 2017

NETWORK PACKET ANALYSIS PROGRAM

SAP Security In-Depth

Evaluation Criteria for Web Application Firewalls

Binary Analysis for Botnet Reverse Engineering & Defense. Dawn Song UC Berkeley

Transport Level Security

CIS 700/002 : Special Topics : OWASP ZED (ZAP)

Certified Penetration Testing Consultant

Going Without CPU Patches on Oracle E-Business Suite 11i?

n Given a scenario, analyze and interpret output from n A SPAN has the ability to copy network traffic passing n Capacity planning for traffic

Curso: Ethical Hacking and Countermeasures

CSC 6575: Internet Security Fall Attacks on Different OSI Layer Protocols OSI Layer Basic Attacks at Lower Layers

CSC Network Security

SAP Document. SAP GUI Technical Infrastructure. SAP AG Neurottstr. 16 D Walldorf

Post Connection Attacks

SAP NetWeaver Performance and Availability

A Perfect CRIME? TIME Will Tell. Tal Be ery, Imperva

Host Identity Sources

A Surfeit of SSH Cipher Suites

Security Concerns in Automotive Systems. James Martin

IPSec. Overview. Overview. Levente Buttyán

MBFuzzer - MITM Fuzzing for Mobile Applications

EAS- SEC: Framework for Securing Enterprise Business Applica;ons

Lecture 6. Internet Security: How the Internet works and some basic vulnerabilities. Thursday 19/11/2015

12 th January MWR InfoSecurity Security Advisory. WebSphere MQ xcsgetmem Heap Overflow Vulnerability. Contents

Securing Wireless Networks by By Joe Klemencic Mon. Apr

Host Website from Home Anonymously

Memcached DDoS Vulnerability Proof-of-Concept for Memory Injection and Mass Exploitation

When Hardware Attacks. Marc Witteman

Change and Transport Management

Solutions Business Manager Web Application Security Assessment

Web Application Penetration Testing

The SAP Internet Programming Model, Part 1

Module 1: Penetration Testing Planning and Scoping. Module 2: Basic Usage of Linux and its services

RiskSense Attack Surface Validation for Web Applications

MikroTik Security : The Forgotten Things

Chapter 9. Firewalls

Infecting the Embedded Supply Chain

SAP ABAP Training Course Content :

SAP Certified Technology Associate - System Administration (SAP HANA) with SAP NetWeaver 7.5

ETHICAL HACKING & COMPUTER FORENSIC SECURITY

COMPUTER NETWORK SECURITY

Engineering Your Software For Attack

In-Memory Fuzzing in JAVA

Computer Networks Security: intro. CS Computer Systems Security

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com

Exam4Free. Free valid exam questions and answers for certification exam prep

Lab Exercise Protocol Layers

Scan Report Executive Summary. Part 2. Component Compliance Summary IP Address :

HP 2012 Cyber Security Risk Report Overview

Release Notes for Epilog for Windows Release Notes for Epilog for Windows v1.7/v1.8

Transcription:

Uncovering SAP vulnerabilities: Reversing and breaking the Diag protocol Martin Gallo Core Security Defcon 20 July 2012 P A G E

Agenda Introduction Motivation and related work SAP Netweaver architecture and protocols layout Dissecting and understanding the Diag protocol Results and findings Defenses and countermeasures Conclusion and future work P A G E 2

Introduction P A G E 3

Introduction Leader business software provider Sensitive enterprise business processes runs on SAP systems SAP security became a hot topic Some components still not well covered Proprietary protocols used at different components P A G E 4

Introduction Dynamic Information and Action Gateway (Diag) protocol (aka SAP GUI protocol ) Link between presentation layer (SAP GUI) and application layer (SAP Netweaver) Present in every SAP NW ABAP AS Compressed but unencrypted by default TCP ports 3200 to 3298 P A G E 5

Agenda Introduction Motivation and related work SAP Netweaver architecture and protocols layout Dissecting and understanding the Diag protocol Results and findings Defenses and countermeasures Conclusion and future work P A G E 6

Motivation and related work P A G E 7

Previous work on Diag protocol Proprietary tools? Sniffing through reflectionmethod Compression algorithm disclosed Proxy-like tool Decompression Wireshark plug-in Cain&Abel sniffing P A G E 8

# of Security Notes Motivation Previous work mostly focused on decompression Protocol inner workings remains unknown No practical tool for penetration testing 836 734 518 289 2009 2010 2011 2012 Only 2 out of ~2300 security fixes published by SAP since 2009 affected components related to Diag P A G E 9

Agenda Introduction Motivation and related work SAP Netweaver architecture and protocols layout Dissecting and understanding the Diag protocol Results and findings Defenses and countermeasures Conclusion and future work P A G E 1 0

SAP Netweaver architecture and protocols layout P A G E 11

SAP Netweaver architecture P A G E 1 2

Relevant concepts and components ABAP SAP s programming language Dispatcher and work processes (wp) Dispatcher: distribute user requests across wp Work processes: handles specific tasks Types: dialog, spool, update, background, lock Dialog processing Programming method used by ABAP Separates business programs in screens and dialog steps P A G E 1 3

SAP Protocols layout RFC Diag Protocol Router BAPI SOAP NI (Network Interface) Protocol HTTP SSL Proprietary protocols Standard protocols P A G E 1 4

Agenda Introduction Motivation and related work SAP Netweaver architecture and protocols layout Dissecting and understanding the Diag protocol Results and findings Defenses and countermeasures Conclusion and future work P A G E 1 5

Dissecting and understanding the Diag protocol P A G E 16

Dissecting and understanding the Diag protocol Approach Black-box No binary reverse engineering techniques were used Enable system/developer traces (GUI/app server) Analyze network and application traces Learn by interacting with the components (GUI/app server) Continuous improvement of test tools based on gained knowledge P A G E 1 7

Dissecting and understanding the Diag protocol NI (Network Interface) Protocol Diag Protocol Payload DP Header (optional) Diag Header Compressio n Header (optional) Diag Item 1 Diag Item n P A G E 1 8

Dissecting and understanding the Diag protocol Initialization Identified only two relevant protocol states: Not initialized Initialized User s context assigned in shared memory Started by GUI application Only first packet Always uncompressed NI (Network Interface) Protocol Diag Protocol Payload DP Header (optional) Diag Header Compressi on Header (optional) Diag Item 1 Diag Item n P A G E 1 9

Dissecting and understanding the Diag protocol DP Header 200 bytes length Two different semantics IPC (inter process communication) Used in communications between dispatcher and work processes Synchronization and status Network Most fields filled with default values Relevant fields: Terminal name, Length Only present during initialization (first packet) DP Header (optional) NI (Network Interface) Protocol Diag Header Diag Protocol Compressi on Header (optional) Payload Diag Item 1 Diag Item n P A G E 2 0

Dissecting and understanding the Diag protocol Diag Header Compression enabled/disabled, encryption using SNC 0 1 2 3 4 5 6 7 Mode Comm Flag Mode Stat Error Flag Msg type Msg Info Msg RC Comp Flag Identifies different sessions using the same channel DP Header (optional) NI (Network Interface) Protocol Diag Header Diag Protocol Compressi on Header (optional) Payload Diag Item 1 Diag Item n P A G E 2 1

Dissecting and understanding the Diag protocol Compression Enabled by default Uses two variants of Lempel-Ziv Adaptive Compression Algorithm LZH (Lempel-Ziv-Huffman) LZ77 LZC (Lempel-Ziv-Welch-Thomas) LZ78 Same implementation as SAP s MaxDB open source project Can be disabled in GUI by setting TDW_NOCOMPRESS environment variable DP Header (optional) NI (Network Interface) Protocol Diag Header Diag Protocol Compressi on Header (optional) Payload Diag Item 1 Diag Item n P A G E 2 2

Dissecting and understanding the Diag protocol Compression Header LZH: compression level LZC: max # of bits per code 0 4 5 7 Uncompressed length Comp Alg Magic Bytes x1f x9d Special Byte LZH: 0x12 LZC: 0x10 DP Header (optional) NI (Network Interface) Protocol Diag Header Diag Protocol Compressi on Header (optional) Payload Diag Item 1 Diag Item n P A G E 2 3

Dissecting and understanding the Diag protocol Payload SES Fixed length (16 bytes) Session information ICO Fixed length (20 bytes) Icon information TIT Fixed length (3 bytes) Title information DiagMessage Fixed length (76 bytes) Old Diag message OKC CHL (? Bytes) Fixed length (22 bytes) SBA Fixed length (9 bytes) List items EOM Fixed length (0 bytes) End of message NI (Network Interface) Protocol APPL/APPL4 Variable length Diag Protocol Payload DIAG_XMLBlob Variable length XML Blob DP Header (optional) Diag Header Compressi on Header (optional) Diag Item 1 SBA2 Fixed length (36 bytes) List items Diag Item n P A G E 2 4

Dissecting and understanding the Diag protocol APPL/APPL4 items 0 1 3..5 4..6 Type Length Field ID SID NI (Network Interface) Protocol Diag Protocol Payload APPL: 0x10 APPL4: 0x12 APPL: 2 bytes APPL4: 4 bytes DP Header (optional) Diag Header Compressi on Header (optional) Diag Item 1 Diag Item n P A G E 2 5

Diag protocol security highlights Protocol version APPL item included in payload during initialization Can disable compression using version number 200 Authentication Performed as a regular dialog step Set user s context on work processes shared memory Embedded RFC calls APPL item that carries RFC calls in both directions Server doesn t accept RFC calls until authenticated P A G E 2 6

Agenda Introduction Motivation and related work SAP Netweaver architecture and protocols layout Dissecting and understanding the Diag protocol Results and findings Defenses and countermeasures Conclusion and future work P A G E 2 7

Results and findings P A G E 28

Packet dissection Wireshark plug-in written in C/C++ NI Protocol dissector TCP reassembling Router Protocol dissector Basic support Diag protocol dissector Decompression DP header / Diag Header / Compression Header Item ID/SID identification and dissection of relevant items Call RFC dissector for embedded calls RFC protocol dissector Basic coverage of relevant parts P A G E 2 9

Packet dissection P A G E 3 0

Packet crafting Scapy classes SAPNi SAPDiagDP (DP Header) SAPDiag (Diag header + compression) SAPDiagItem Custom classes for relevant Diag items PoC and example scripts Information gathering Login Brute Force Proxy/MITM script Diag server P A G E 3 1

Fuzzing approach Fuzzing scheme using scapy classes test cases generation delivery windbg monitoring xmlrpc syncronization Monitoring of all work processes P A G E 3 2

Vulnerabilities found 6 vulnerabilities released on May 2012 affecting SAP NW 7.01/7.02, fix available on SAP Note 168710 Unauthenticated remote denial of service when developed traces enabled CVE-2012-2511 DiagTraceAtoms function CVE-2012-2512 DiagTraceStreamI function CVE-2012-2612 DiagTraceHex function P A G E 3 3

Vulnerabilities found Unauthenticated remote denial of service CVE-2012-2513 Diaginput function CVE-2012-2514 DiagiEventSource function Unauthenticated remote code execution when developer traces enabled CVE-2012-2611 DiagTraceR3Info function Stack-based buffer overflow while parsing ST_R3INFO CODEPAGE item Thanks to Francisco Falcon (@fdfalcon) for the exploit P A G E 3 4

Attack scenarios Target applications servers Attacker Exploit mentioned CVEs Gather server information Login brute force SAP NW AS P A G E 3 5

Attack scenarios Target GUI users Gather credentials Attacker Inject RFC calls in user s GUI Rogue Server GUI Shortcut MitM GUI User GUI User GUI User SAP NW AS P A G E 3 6

Agenda Introduction Motivation and related work SAP Netweaver architecture and protocols layout Dissecting and understanding the Diag protocol Results and findings Defenses and countermeasures Conclusion and future work P A G E 3 7

Defenses and countermeasures P A G E 38

Defenses and countermeasures Restrict network access to dispatcher service TCP ports 3200-3298 Use application layer gateways Implement SNC client encryption Provides authentication and encryption Available for free at SAP Marketplace since 2011 See SAP Note 1643878 Restrict use of GUI shortcuts SAP GUI > 7.20 disabled by default See SAP Note 1397000 P A G E 3 9

Defenses and countermeasures Use WebGUI with HTTPS See SAP Note 314568 Patch regularly Patch Tuesday RSECNOTE program, see SAP Note 888889 Patch CVEs affecting Diag Look at CORE s advisory for mitigation/countermeasures See SAP Note 168710 Test regularly P A G E 4 0

Agenda Introduction Motivation and related work SAP Netweaver architecture and protocols layout Dissecting and understanding the Diag protocol Results and findings Defenses and countermeasures Conclusion and future work P A G E 4 1

Conclusion and future work P A G E 42

Conclusion Protocol details now available to the security community Practical tools for dissection and crafting of protocol s messages published New vectors for testing and assessing SAP environments Discussed countermeasures and defenses P A G E 4 3

Future work Security assessment and fuzzing of GUI/app server. Complete dissection of embedded RFC calls. Full implementation of attack scenarios Integration with external libraries and exploitation tools. Security assessment of SNC and coverage of encrypted traffic. P A G E 4 4

Q & A P A G E 45

Thank you! Thanks to Diego, Flavio, Dana, Wata and Euge P A G E 46

References https://service.sap.com/sap/support/notes/1643879 http://www.secaron.de/content/presse/fachartikel/sniffing_diag.pdf http://conus.info/re-articles/sapgui.html http://www.sensepost.com/labs/conferences/2011/systems_application_proxy_pwnage http://ptresearch.blogspot.com/2011/10/sap-diag-decompress-plugin-for.html http://www.oxid.it/index.html https://service.sap.com/securitynotes http://help.sap.com/saphelp_nw70/helpdata/en/84/54953fc405330ee10000000a114084/frameset.htm http://www.troopers.de/wp-content/uploads/2011/04/tr11_wiegenstein_sap_gui_hacking.pdf http://www.virtualforge.com/tl_files/theme/presentations/the%20abap%20underverse%20-%20slides.pdf http://www.wireshark.org/ http://www.secdev.org/projects/scapy/ http://www.coresecurity.com/content/sap-netweaver-dispatcher-multiple-vulnerabilities https://service.sap.com/sap/support/notes/1687910 http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/cc212b3fa5296fe10000000a42189b/frameset.htm https://service.sap.com/sap/support/notes/1643878 https://service.sap.com/sap/support/notes/1397000 https://service.sap.com/sap/support/notes/314568 https://service.sap.com/sap/support/notes/888889 P A G E 4 7

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback