
Sitnl erp sec-2011


DESCRIPTION

This presentation tries to raise awareness of SAP platform security. Some default settings that may need adjustment are shown.


Page 1: Sitnl erp sec-2011


www.erp-sec.com

All about SAP Security

(except authorizations)

Page 2

DISCLAIMERS

Disclaimer 1: This presentation is not comprehensive; SAP platform security is a very wide area of expertise (the focus here is on part of the ABAP stack).

Disclaimer 2: We do not encourage hacking/cracking whatsoever in ANY form. This presentation is here to help you gain insight and awareness of some specific SAP platform security topics and into the minds of seasoned computer criminals, so that you can forestall their attempts and pre-empt all harmful attacks. Hacking IS illegal!

Page 3

TOPICS COVERED

The following topics are covered and 'glued together' into a scenario: "How to get rich in 5 simple steps" (OK, that can be less, but where's the fun in that?!)

1 Use default users

2 Use OS command execution

3 Use password parameters

4 Use the power of RFC calls

5 Use the SAP Gateway

Meet the FBI's most wanted black-hat hacker: Miss G!

Page 4

Miss G!

Page 5

1. Default accounts

Risk: Well, that's an open door!

Mitigation:

• RSUSR003 to check

• Deactivate SAP* by setting parameter login/no_automatic_user_sapstar = 1, and create SAP* in clients where it does not exist

• Change passwords / lock accounts

• Not only on PRD, but on the ENTIRE landscape

• Don't delete SAP*/DDIC

• Don't forget TMSADM!

More info:

• http://help.sap.com

• OSS note 1568362

Page 6

DEMO: Default Accounts

Page 7

2. OS command execution

Info: SM49/SM69 and RSBDCOS0 are well known and can be protected. But other flaws exist in SAP that allow OS command injection. Just reported 5 vulnerable FMs to the SAP Security team.

Risk: Execution of OS commands is dangerous when done from the application level, since the <SID>adm user is highly privileged and has a database trust. Become the <SID>adm user and the DB is yours!!

Mitigation:

• PATCH: make sure security notes are implemented, secure <SID>adm with strong authentication, and don't give SAP_ALL.

More info:

• http://www.bizec.org/wiki/Controlled_Operating_System_(OS)_Command_Execution

• The SAP Security notes

Page 8

DEMO: OS command execution

Page 9

3. Password parameters

Info: Some password parameters have default settings that need to be adjusted. Two important ones:

• login/password_downwards_compatibility = 1

• login/min_password_lng = 6

Risk: Weak (downward-compatible) password hashes can easily be brute-forced.

Mitigation: If your landscape is NW 7.0 or newer, set parameter login/password_downwards_compatibility = 0, delete the old hashes and make sure the hashes are protected in the USR tables, or disable passwords if you use SSO. No SSO? Set login/min_password_lng >= 8.

More info: http://help.sap.com/saphelp_nw70/helpdata/en/22/41c43ac23cef2fe10000000a114084/content.htm
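As an added example (not part of the original deck or of ERP-SEC's material), the Python script below reads a profile in the `name = value` form used by DEFAULT.PFL and flags the three login parameters the slides name: login/no_automatic_user_sapstar from slide 5, and login/password_downwards_compatibility and login/min_password_lng from this slide. The sample profile is constructed with weak values on purpose; the assumption that an unset password parameter falls back to the value this slide quotes is labelled in the code, and the SSO switch follows the slide's "No SSO? Set login/min_password_lng >= 8".

```python
"""Audit SAP profile text for the login parameters discussed on slides 5 and 9.
Added example with a constructed profile; not real system output."""
from typing import Dict, List, Tuple

# Constructed sample profile, deliberately weak (the kind of text found in DEFAULT.PFL).
SAMPLE_PROFILE = """\
# constructed example profile
SAPSYSTEMNAME = ABC
login/password_downwards_compatibility = 1
login/min_password_lng = 6
login/no_automatic_user_sapstar = 0
"""

# Assumption: an unset parameter falls back to the default value slide 9 quotes.
DECK_DEFAULTS = {
    "login/password_downwards_compatibility": "1",
    "login/min_password_lng": "6",
}


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines; '#' starts a comment; a later line overrides an earlier one."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def audit_login_params(params: Dict[str, str], sso_in_use: bool = False) -> List[Tuple[str, str]]:
    """Return (parameter, advice) pairs for every setting that deviates from the deck's advice."""
    findings: List[Tuple[str, str]] = []

    def get(name: str) -> str:
        return params.get(name, DECK_DEFAULTS.get(name, ""))

    # Slide 5: the hard-coded SAP* login must be switched off in every client.
    sapstar = params.get("login/no_automatic_user_sapstar")
    if sapstar is None:
        findings.append(("login/no_automatic_user_sapstar",
                         "not set explicitly; set it to 1 and create SAP* in every client"))
    elif sapstar != "1":
        findings.append(("login/no_automatic_user_sapstar",
                         f"is {sapstar}; set it to 1 so the hard-coded SAP* login is disabled"))

    # Slide 9: downward-compatible hashes are the weak ones; NW 7.0+ should not keep them.
    compat = get("login/password_downwards_compatibility")
    if compat != "0":
        findings.append(("login/password_downwards_compatibility",
                         f"is {compat}; set it to 0 on NW 7.0 or newer and delete the old hashes"))

    # Slide 9: without SSO, passwords need at least 8 characters.
    if not sso_in_use:
        try:
            min_len = int(get("login/min_password_lng"))
        except ValueError:
            min_len = 0
        if min_len < 8:
            findings.append(("login/min_password_lng", f"is {min_len}; set it to 8 or more"))
    return findings


def audit_profile_text(text: str, sso_in_use: bool = False) -> List[Tuple[str, str]]:
    """Convenience wrapper: parse and audit in one call."""
    return audit_login_params(parse_profile(text), sso_in_use)


if __name__ == "__main__":
    for name, advice in audit_profile_text(SAMPLE_PROFILE):
        print(f"{name}: {advice}")
```

Run it against the real DEFAULT.PFL (or the output of RZ11 for each parameter) instead of the constructed text; the point is that every finding maps back to one of the slides' mitigations.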

Page 10

DEMO: Password parameters

Page 11

4. The power of RFC calls

Info: Many times I hear "It is only a system user, so it cannot be abused". Think again! And no SAP system is needed for that; there are RFC SDKs for many programming languages!

Risk: Almost any action/transaction in SAP can also be performed by RFC calls via non-dialog users.

Mitigation:

• Implement SAP Gateway protection. By DEFAULT the gateway can be used to execute remote OS commands as <SID>adm.

• Make sure to implement proper network segmentation with firewalls, so no RFC calls can be made from frontends.

• Protect non-dialog users by using strong passwords (and do not give them SAP_ALL).

• Only create RFC destinations with stored credentials or system trust from systems of higher security classification to systems of lower security classification (e.g. from PRD -> DEV; never trust DEV systems in a PRD system, never EVER have an RFC destination with a SAP_ALL user from Sandbox to PRD, etc.)

Page 12

DEMO: The power of RFC calls

Page 13

5. SAP Gateway

Info: This component handles RFC traffic. It exists on all SAP ABAP systems and nowadays even on some Java systems. By default it is totally unprotected.

Risk: Execution of OS commands as the <SID>adm user (remember the DB trust!?). This component carries a HIGH risk.

Mitigation:

• Implement ACLs via reg_info and sec_info.

• Network segmentation to prevent RFC execution from the user network.

• For much more specific information, see the SAP Security guides.
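As an added example (not part of the original deck, and not the gateway's own code), the Python model below shows how sec_info (who may start which program where) and reg_info (who may register and use an external server program) are read and evaluated: rules in the `#VERSION=2` syntax, top-down, first match wins, with an explicit final `D` line so nothing falls through to the gateway's built-in defaults. The rule files, the host names and the `local`/`internal` host lists are constructed; in the real gateway those keywords are resolved by the gateway itself, and this is a simplified model of its matching, not a replacement for the SAP Security guides.

```python
"""Simplified model of SAP Gateway ACL evaluation (sec_info / reg_info).
Added example with constructed rules and hosts; not the gateway's own implementation."""
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple

# Constructed stand-ins for what the gateway derives itself:
# 'local' = the gateway's own host, 'internal' = application servers of this SAP system.
LOCAL_HOSTS = {"sapgw01"}
INTERNAL_HOSTS = {"sapgw01", "sapapp02"}

# Constructed sec_info: programs may be started locally by local users, the external
# program starter sapxpg only on/from application servers, everything else denied.
SEC_INFO = """\
#VERSION=2
P TP=* USER=* HOST=local USER-HOST=local
P TP=sapxpg USER=* HOST=internal USER-HOST=internal
D TP=* USER=* HOST=* USER-HOST=*
"""

# Constructed reg_info: local registration only, one named server allowed to register
# from sapapp02 and to be used/cancelled from application servers, everything else denied.
REG_INFO = """\
#VERSION=2
P TP=* HOST=local ACCESS=local CANCEL=local
P TP=RFC_REGISTERED_SRV HOST=sapapp02 ACCESS=internal CANCEL=internal
D TP=* HOST=* ACCESS=* CANCEL=*
"""

Rule = Tuple[str, Dict[str, str]]  # ("P" | "D", {KEY: pattern})
HOST_KEYS = {"HOST", "USER-HOST", "ACCESS", "CANCEL"}


def parse_acl(text: str) -> List[Rule]:
    """Parse 'P|D KEY=pattern ...' lines; '#' lines (including #VERSION=2) are skipped."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, *fields = line.split()
        if action not in ("P", "D"):
            raise ValueError(f"bad ACL line: {raw!r}")
        rules.append((action, dict(f.split("=", 1) for f in fields)))
    return rules


def host_matches(pattern: str, host: str) -> bool:
    """'local' and 'internal' are keywords; anything else is a wildcard pattern."""
    if pattern == "local":
        return host in LOCAL_HOSTS
    if pattern == "internal":
        return host in INTERNAL_HOSTS
    return fnmatchcase(host, pattern)


def rule_matches(fields: Dict[str, str], request: Dict[str, str]) -> bool:
    """Every attribute of the request must match the rule; a key the rule omits is unrestricted."""
    for key, value in request.items():
        pattern = fields.get(key, "*")
        if key in HOST_KEYS:
            if not host_matches(pattern, value):
                return False
        elif not fnmatchcase(value, pattern):
            return False
    return True


def evaluate(rules: List[Rule], request: Dict[str, str]) -> bool:
    """Top-down, first matching rule decides; no match at all is treated as deny."""
    for action, fields in rules:
        if rule_matches(fields, request):
            return action == "P"
    return False


def may_start(tp: str, user: str, host: str, user_host: str) -> bool:
    """sec_info check: may `user` (calling from `user_host`) start program `tp` on `host`?"""
    return evaluate(parse_acl(SEC_INFO),
                    {"TP": tp, "USER": user, "HOST": host, "USER-HOST": user_host})


def may_register(tp: str, host: str) -> bool:
    """reg_info check: may a server program `tp` register from `host`?"""
    return evaluate(parse_acl(REG_INFO), {"TP": tp, "HOST": host})


def may_access(tp: str, registered_from: str, client_host: str) -> bool:
    """reg_info check: may `client_host` use `tp` that registered from `registered_from`?"""
    return evaluate(parse_acl(REG_INFO),
                    {"TP": tp, "HOST": registered_from, "ACCESS": client_host})


if __name__ == "__main__":
    print("start any program locally      :", may_start("anyprog", "DDIC", "sapgw01", "sapgw01"))
    print("start sapxpg from a workstation:", may_start("sapxpg", "BATCH", "sapapp02", "laptop77"))
    print("register server from laptop    :", may_register("RFC_REGISTERED_SRV", "laptop77"))
```

The lesson the model makes visible is the one behind the "totally unprotected" remark: without these files every start and registration request matches nothing but the gateway's permissive defaults, whereas with an explicit trailing `D` line a request from an unknown host such as `laptop77` hits a deny no matter what program name it uses.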

Page 14

5. SAP Gateway

DEMO: The Gateway

Page 15

5. SAP Gateway

DEMO: The Gateway

Page 16

5. SAP Gateway

Questions?

THANK YOU!

Any Questions?