All your SAP Passwords belong to us (Confidence)

Page 1: All your SAP Passwords belong to us (Confidence)

Invest in security to secure investments

All your SAP Passwords belong to us.

Dmitry Chastuchin, Director, Security Consulting, ERPScan.

Page 2

About ERPScan

• The only 360-degree SAP Security solution - ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 awards and nominations
• Research team - 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)

Page 3

SAP

• The most popular business application
• More than 250000 customers worldwide
• More than 83 % of Forbes 500 run SAP

Page 4

SAP security

Espionage
• Stealing financial information
• Stealing corporate secrets
• Stealing supplier and customer lists
• Stealing HR data

Fraud
• False transactions
• Modification of master data

Sabotage
• Denial of service
• Modification of financial reports
• Access to technology network (SCADA) by trust relations

Page 5

Is it remotely exploitable?

5000+ non-web SAP services exposed in the world, including Dispatcher, Message server, SapHostControl, etc.

Page 6

Is it remotely exploitable?

[Chart: number of exposed services per type - SAP Dispatcher, SAP MMC, SAP Message Server, SAP HostControl, SAP ITS Agate, SAP Message Server httpd]

Page 7

SAP MMC - overview

• MMC is installed by default on port 5<ID>13
• Used for remote management of SAP servers
• Commands executed via SOAP interface
• By default, SSL is not implemented
• Administrative password transmitted using basic auth (Base64)
• By sniffing this password, we can get full control over the server

Page 8

SAP MMC - attacks

• Many attacks can be implemented without authentication
• Attacks can be executed by sending SOAP requests
• Mostly, it is information disclosure and denial of service
• Also, OS command execution

Page 9

Advanced MMC attacks

<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <SOAP-ENV:Header>
    <sapsess:Session xmlns:sapsess="http://www.sap.com/webas/630/soap/features/session/">
      <enableSession>true</enableSession>
    </sapsess:Session>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body>
    <ns1:ReadLogFile xmlns:ns1="urn:SAPControl">
      <filename>j2ee/cluster/server0/log/system/userinterface.log</filename>
      <filter/>
      <language/>
      <maxentries>%COUNT%</maxentries>
      <statecookie>EOF</statecookie>
    </ns1:ReadLogFile>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Page 10

PWN

If an attacker can read a file from the server OS, he can get clear text passwords of SAP users and, as a result, compromise the SAP system

Page 11

Default passwords

Page 12

Passwords on client side

User name     Password
SAP*          06071992, PASS
DDIC          19920706
TMSADM        PASSWORD, $1Pawd2&
EARLYWATCH    SUPPORT
SAPCPIC       ADMIN

Page 13

Passwords on client side

Page 14

Passwords on client side

• Attack via ActiveX - a lot of issues with RCE inside (1519966, 1327004, 1092631, …)
• Attack via client bugs - buffer overflow in saplogon.exe (1504547)

What after that?

SapLogon shortcuts!

Often, lazy users store the password for their SAP account in shortcuts

Page 15

Passwords on client side

[System]
Name=DM0
Description=Test Sap Server
Client=800
[User]
Name=SAP*
Language=EN
Password=PW_48B7231FD1FE390C
[Function]
Title=myShortcut
Command=se16
[Configuration]
WorkDir=C:\Documents and Settings\Administrator\My Documents\SAP\SAP GUI
[Options]
Reuse=1

This is how a typical shortcut looks…

File: <name>.sap

Page 16

Passwords on client side

[Label]
Key1=myShortcut
[Command]
Key1=-desc="Test Sap Server" -sid="DM0" -clt="800" -u="SAP*" -l="EN" -tit="myShortcut" -cmd="se16" -wd="C:\Documents and Settings\Administrator\My Documents\SAP\SAP GUI" -ok="/nse16" -pwenc="PW_48B7231FD1FE390C"

…or like that

File: sapshortcut.ini
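As an added, defender-side example (not code from the original slides): a small Python audit that parses the two shortcut layouts shown above and reports which shortcuts carry a stored password, without touching the encrypted value. The file contents below are constructed samples; the `.sap` / `sapshortcut.ini` file names and the `Password=` / `-pwenc=` fields follow the slides.

```python
import re
import sys
from configparser import ConfigParser

# Constructed samples in the two layouts the slides show (not real files).
SAMPLE_SAP_SHORTCUT = """[System]
Name=DM0
Description=Test Sap Server
Client=800
[User]
Name=SAP*
Language=EN
Password=PW_48B7231FD1FE390C
[Function]
Title=myShortcut
Command=se16
"""

SAMPLE_SAPSHORTCUT_INI = """[Label]
Key1=myShortcut
Key2=noPassword
[Command]
Key1=-desc="Test Sap Server" -sid="DM0" -clt="800" -u="SAP*" -l="EN" -cmd="se16" -pwenc="PW_48B7231FD1FE390C"
Key2=-desc="Other" -sid="PRD" -clt="100" -u="DDIC" -l="EN" -cmd="se16"
"""


def _parse(text):
    # Both files are INI-like; keep key case and disable % interpolation.
    cp = ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def findings_from_sap_file(text):
    """Return (system, client, user) tuples for a .sap shortcut that stores a password."""
    cp = _parse(text)
    if not cp.get("User", "Password", fallback=""):
        return []
    return [(cp.get("System", "Name", fallback="?"),
             cp.get("System", "Client", fallback="?"),
             cp.get("User", "Name", fallback="?"))]


_OPT = re.compile(r'-(\w+)="([^"]*)"')   # -name="value" options on a [Command] line


def findings_from_ini(text):
    """Return (system, client, user) tuples for [Command] entries that carry -pwenc=."""
    cp = _parse(text)
    hits = []
    if not cp.has_section("Command"):
        return hits
    for _key, cmdline in cp.items("Command"):
        opts = dict(_OPT.findall(cmdline))
        if opts.get("pwenc"):
            hits.append((opts.get("sid", "?"), opts.get("clt", "?"), opts.get("u", "?")))
    return hits


def audit_shortcut_file(filename, text):
    """Dispatch on the two file types named on the slides; anything else is ignored."""
    lower = filename.lower()
    if lower.endswith(".sap"):
        return findings_from_sap_file(text)
    if lower == "sapshortcut.ini":
        return findings_from_ini(text)
    return []


if __name__ == "__main__":
    # Usage: python audit.py <file>...   (reports shortcuts with a stored password)
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for sid, client, user in audit_shortcut_file(path.rsplit("/", 1)[-1], fh.read()):
                print(f"{path}: stored password for {user} on {sid}/{client}")
```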

Page 17

Passwords on client side

pwenc="PW_48B7231FD1FE390C"

PW_48B7231FD1FE390C

48B7231FD1FE390C

I used this password: 06071992
Looks like XOR encryption

Page 18

Passwords on client side

• After a few experiments, we found out:
  – Yes, this is XOR
  – Yes, the key is static for all SAPLogon
• The key is:

788113…dc49b0

Page 19

Passwords on client side

• …and the PY code to decrypt

key = "788…"  # static key, truncated on the slide

def sxor(s1, s2):
    # byte-wise XOR, truncated to the shorter input
    return bytes(a ^ b for a, b in zip(s1, s2))

enc_pass = "PW_48B7231FD1FE390C"

# drop the "PW_" prefix, then XOR the hex-decoded value with the hex-decoded key
dec_pass = sxor(bytes.fromhex(enc_pass[3:]), bytes.fromhex(key)).decode("latin-1")

print("Decoded password is: " + dec_pass)

Page 20

Prevention

• Don't use SAPGUI 6.4 (there are no patches for some vulns)
• Patch SAPGUI with the latest SP
• Don't store passwords in shortcuts (HKCU\Software\SAP\SAPShortcut\Security, EnablePassword=0)
• Make sure that you do not activate the storage of passwords in SAP shortcuts
• Authentication security for SAP shortcuts: http://help.sap.com/SAPHELP_NWPI71/helpdata/en/4d/dc9db9bc0e02cfe10000000a42189b/content.htm

Page 21

Passwords from USR02, USH02, USRPWDHISTORY

Page 22

USR02 password hash

• Well known password area
• Hash algorithm:
  – CODVN A
  – CODVN B (MD5-based)
  – CODVN D (MD5-based)
  – CODVN E (MD5-based)
  – CODVN F (SHA1-based)
  – CODVN G (code versions B & F)
  – CODVN H (SHA-1-based)
  – CODVN I (code versions B, F & H)
• Just use John the Ripper

Page 23

Prevention

• Use the latest algorithm
• SAP Note 2467: Password rules and preventing incorrect logons
• SAP Note 721119: Logon with (delivered) default user fails
• SAP Note 735356: Special character in passwords; reactivation not possible
• SAP Note 862989: New password rules as of SAP NetWeaver 2004s
• SAP Note 874738: New password hash calculation procedure (code version E)
• SAP Note 991968: Value list for login/password_hash_algorithm
• SAP Note 1023437: Downwardly incompatible passwords since NW2004s
• SAP Note 1237762: Protection against password hash attacks
• SAP Note 1300104: CUA - New password hash procedures - Background information
• SAP Note 1458262: Recommended settings for password hash algorithms
• SAP Note 1484692: Protect read access to password hash value tables
• SAP Note 1488159: SUIM - RSUSR003 - Incorrect results for CODVN = F

Page 24

Passwords from RFC request

Page 25

Passwords from RFC request

• If an attacker catches an RFC request with logon data, he will be:
  – Happy because he got the login and password
  – Upset because the password is encrypted
  – Happy because the encryption is just a XOR (lol)
  – Happy because the key is static
    Key: 313ec…a4021
  – Very happy because he got the clear text password

Page 26

Passwords from RFC request

Page 27

Passwords from RFC request

• …and the PY code to decrypt

key = "313e…"  # static key, truncated on the slide

def sxor(s1, s2):
    # byte-wise XOR, truncated to the shorter input
    return bytes(a ^ b for a, b in zip(s1, s2))

enc_pass = "0108F357D03F770D"

# XOR the hex-decoded password field with the hex-decoded key
dec_pass = sxor(bytes.fromhex(enc_pass), bytes.fromhex(key)).decode("latin-1")

print("Decoded password is: " + dec_pass)

Page 28

Prevention

• Secure RFC connection using SNC
• SAP Security Note 1724516
• RFC and SNC: http://help.sap.com/saphelp_nw70ehp2/helpdata/en/72/e52c4057cb185de10000000a1550b0/content.htm

Page 29

SAP Visual Admin password

Page 30

SAP VisualAdmin

• SAP Visual Admin - a remote tool for controlling J2EE Engine
• Uses the P4 protocol - SAP's proprietary
• By default, all data transmitted in cleartext
• P4 can be configured to use SSL to prevent MitM
• Passwords are transmitted by some sort of encryption
• In reality, it is some sort of Base64 transformation with a known key

Page 31

SAP VisualAdmin data

Page 32

Insecure password encryption in P4

char mask = 43690;  // aaaa hex
char check = 21845; // 5555 hex
char[] result = new char[data.length + 1];

for (int i = 0; i < data.length; ++i) {
    mask = (char)(mask ^ data[i]);
    result[i] = mask;
}
result[data.length] = (char)(mask ^ check);

return result;
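As an added example (not the slide's code): a Python port of the P4 transformation above together with its inverse, to make the point that the scheme carries no key, only the two constants, so any party holding a capture can reverse it, which is why the prevention slide calls for SSL on P4. Strings are assumed to be BMP characters so that ord() matches a Java char; the trailer check mirrors the `check` value.

```python
MASK_SEED = 0xAAAA   # "aaaa hex" in the slide's Java
CHECK = 0x5555       # "5555 hex" in the slide's Java


def p4_mask(data):
    """Port of the slide's loop: a running XOR over 16-bit chars, plus one trailer char.

    Returns the list of 16-bit values the Java code places in `result`.
    """
    result = []
    mask = MASK_SEED
    for ch in data:
        mask = (mask ^ ord(ch)) & 0xFFFF   # Java char arithmetic wraps at 16 bits
        result.append(mask)
    result.append((mask ^ CHECK) & 0xFFFF)
    return result


def trailer_is_valid(result):
    """True when the last element equals (last mask ^ CHECK), i.e. the input is intact."""
    if not result:
        return False
    last_mask = result[-2] if len(result) > 1 else MASK_SEED
    return result[-1] == (last_mask ^ CHECK) & 0xFFFF


def p4_unmask(result):
    """Inverse of p4_mask. Note what it needs: the two public constants and nothing else."""
    if not trailer_is_valid(result):
        raise ValueError("trailer mismatch: truncated or corrupted input")
    prev = MASK_SEED
    chars = []
    for c in result[:-1]:
        chars.append(chr(c ^ prev))   # data[i] = result[i] ^ result[i-1]
        prev = c
    return "".join(chars)


def as_hex(result):
    """Render the masked 16-bit values as hex for display."""
    return "".join(f"{v:04x}" for v in result)


if __name__ == "__main__":
    masked = p4_mask("s3cret")          # constructed sample, not a real credential
    print("masked:", as_hex(masked))
    print("recovered without any key:", p4_unmask(masked))
```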

Page 33

DEMO: SAP Visual Admin password sniffing

Page 34

Prevention

• Secure P4 connection using SSL
• SAP Security Note 1724516
• Using P4 protocol over a secure connection: http://help.sap.com/saphelp_nw73ehp1/helpdata/en/48/2d9ba88aef4bb9e10000000a42189b/content.htm

Page 35

SAP JAVA Security Storage

Page 36

SecStore

• The AS Java stores security-relevant information encrypted in a file in the file system
• The AS Java stores the following security-relevant information in files in the file system:
  – Database user SAP<SID>DB and its password
  – Database connection information
  – Administrator user and its password
• Secure storage file is located at: \usr\sap\<SID>\SYS\global\security\data\SecStore.properties

Page 37

SecStore

$internal/version=Ni4zFF4wMSeaseforCCMxegAfx
admin/host/TTT=7KJuOPPs/+u+14jM7uy7cy7exrZuYvevkSrPxwueur2445yxgBS
admin/password/TTT=7KJuOPPs/+uv+14j56vDc7M7v7dytbGbkgqDp+QD04b0Fh
jdbc/pool/TTT=7KJuOPPs/+u5jM6s1cvvgQ1gzFvarxuUzEJTHTJI0VGegH
admin/port/TTT=7KJuOPPs/+u+1j4vD1cv6ZTvd336rzEd7267Rwr4ZUgRTQ
$internal/check=BJRrzfjeUA+bw4XCzdz16zX78ufbt
$internal/mode=encrypted
admin/user/TTT=7KJuOPPs/+u+14j6s14sTxXU3ONl3rL6N7yssV75eC6/5S3E

• The AS Java uses the SAP Java Cryptography Toolkit to encrypt the information in the secure store using the TripleDES algorithm. The encryption is performed during the AS Java installation process
• Let's look deeper

Page 38

SecStore

• Algorithm is TripleDES. We need a key for decryption
• The main issue is that the key file is located in the same directory as the encrypted data:
  \usr\sap\<SID>\SYS\global\security\data\SecStore.key
• The key consists of two parts:
  – Version information
  – Encrypted key phrase

Page 39

SecStore

• Version information. It affects the TripleDES key
  – If version >= 7.00.000, then the TripleDES key = key phrase + <SID>
• Encrypted key phrase
  – By default, it is the initial password which the administrator sets up during SAP system installation. Often, this phrase equals the DB password or an SAP administrator account password (SAP*, DDIC, J2EE_Admin, etc.)
  – For encrypting the key phrase, a XOR algorithm with a static key is used:
    43,-74…,-41,-67
• That's why, if an attacker only got the SecStore.key file, they can also get access into SAP, because they have the initial password

Page 40

SecStore

• OK. We have the encrypted password (SecStore.properties)
• We have the decryption key (SecStore.key)
• We can get all sensitive information from Security Storage
• As I said, data is encrypted by the TripleDES algorithm
• More precisely, the encryption uses the TripleDES algorithm in CBC mode using a secret key which is derived from a password with the SHA hash algorithm
  – The key is the key phrase from SecStore.key + <SID> (if version >= 7.00.000)
  – The salt is the value 0000000000000000

Page 41

SecStore

• We also wrote a tool which decrypts all the stuff from SAP JAVA AS Security Storage (SecStore_Cr.jar)
• Also, the SAP Secure Store file can have another name (e.g. JUpgrade.properties) and store other interesting data, like:
  – Password for SAP OS user (SIDADM)
  – DB password
  – DDIC password
  – etc…

Page 42

Prevention

• Install SAP Note 1619539
• Restrict read access to files SecStore.properties, JUpgrade.properties, and SecStore.key
• Managing secure storage in the file system: http://help.sap.com/saphelp_nw70ehp2/helpdata/en/cd/14c93ec2f7df6ae10000000a114084/content.htm

Page 43

Passwords from log files

Page 44

Log files

• We know about many places where SAP writes logs
• Administrator can define the verbosity level
• Attacker can find many interesting things in log files: information about the system, information about the users, even session information
• Very interesting path with logs: /sapinst_instdir/

But what about passwords?

Page 45

Log files

• Passwords in SAP log files look like this:

dev_umconfigurator.trc

Page 46

Log files

• Sometimes, we can find a clear text password

sapinst_dev.<n>.log

Page 47

Log files

• Sometimes, we can find an encrypted password

Page 48

Log files

• Guess what type of encryption is used? :)
• Right! XOR with a static hardcoded key:
  31…65d
• As a result, we have a decryptor:

key = "31XXXXXXXXXXXX5d"  # static key, masked on the slide

def sxor(s1, s2):
    # byte-wise XOR, truncated to the shorter input
    return bytes(a ^ b for a, b in zip(s1, s2))

def prepare(val):
    # the log stores the encrypted bytes as "|"-separated decimal values;
    # convert each to two zero-padded hex digits (the original hex() call
    # dropped the leading zero for values below 16; & 0xFF also maps
    # negative Java bytes onto their unsigned value)
    return "".join(format(int(a) & 0xFF, "02x") for a in val.split("|"))

encr = prepare(input("Enter encrypted password: "))
dec_pass = sxor(bytes.fromhex(encr), bytes.fromhex(key)).decode("latin-1")
print("Decoded password is: " + dec_pass)

Page 49

Log files

• The same story with the config file usr\sap\<SID>\config\usagetypes.properties

Page 50

Prevention

• Don't use TRACE_LEVEL = 3
• Delete traces when work is finished
• Mask security-sensitive data in HTTP access log
• Incrementing/decrementing the trace level: https://help.sap.com/saphelp_nwpi71/helpdata/en/46/962416a5a613e8e10000000a155369/content.htm

Page 51

Passwords from SLD config file

Page 52

SLD

• SLD is the central information repository for your system landscape
• It contains information about:
  – technical systems
  – landscapes
  – business systems
  – products
  – software components in your system landscape

Page 53

SLD password files

• Configuration file: usr\sap\<sid>\DVEBMGS<nn>\exe\slddest.cfg
  – User name with DataSupplierLD role
  – User password (wooot!)
  – Host name
  – Port

Encrypted by DES algorithm in the early version of SLD. Static default key is: 0A…71F

But if the user specifies the key, then the key file is stored near the encrypted data file in slddest.cfg.key

Page 54

SLD password files

• In the latest versions of SLD, another algorithm is used: TripleDES with a hardcoded key

Page 55

Prevention

• Restrict read access to files slddest.cfg and slddest.cfg.key
• Configuring sldreg and transferring data to SLD: http://help.sap.com/saphelp_nw70/helpdata/en/42/ea5ff4b5d61bd9e10000000a11466f/content.htm
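As an added example (not from the slides), a Python audit for the "restrict read access" items on this slide and on the earlier SecStore, JUpgrade and usagetypes prevention slides: it walks a landscape directory, flags the named files when their POSIX mode lets group or others read them, and flags a key file that sits beside the data file it unlocks (the co-location the SecStore slides point out). The directory layout is constructed in a temporary directory for a stand-alone run; the SID `XXX` and the POSIX-style paths are assumptions, real systems use the `usr\sap\<SID>` paths the slides give.

```python
import os
import stat
import tempfile

# File names taken from the slides' prevention lists (SecStore, JUpgrade, usagetypes, SLD).
SENSITIVE_NAMES = {
    "secstore.properties", "secstore.key", "jupgrade.properties",
    "usagetypes.properties", "slddest.cfg", "slddest.cfg.key",
}
# Key file -> data file it unlocks; the slides note that the two usually sit side by side.
KEY_FOR_DATA = {"secstore.key": "secstore.properties", "slddest.cfg.key": "slddest.cfg"}


def audit_tree(root):
    """Walk `root` and return a sorted list of (path, finding) tuples.

    Findings: 'group/other readable' when the mode grants read to group or others,
    'key stored next to data' when a key file shares a directory with its data file.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        lower = {f.lower(): f for f in files}
        for name_l, name in lower.items():
            if name_l not in SENSITIVE_NAMES:
                continue
            path = os.path.join(dirpath, name)
            mode = os.stat(path).st_mode
            if mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append((path, "group/other readable"))
            if name_l in KEY_FOR_DATA and KEY_FOR_DATA[name_l] in lower:
                findings.append((path, "key stored next to data"))
    return sorted(findings)


def build_demo_tree():
    """Create a constructed, throw-away landscape layout (placeholder content, not SAP data)."""
    root = tempfile.mkdtemp(prefix="sap_audit_")
    sec = os.path.join(root, "usr", "sap", "XXX", "SYS", "global", "security", "data")
    sld = os.path.join(root, "usr", "sap", "XXX", "DVEBMGS00", "exe")
    os.makedirs(sec)
    os.makedirs(sld)
    layout = {
        os.path.join(sec, "SecStore.properties"): 0o644,   # world-readable: finding
        os.path.join(sec, "SecStore.key"): 0o600,          # tight mode, but next to its data file
        os.path.join(sld, "slddest.cfg"): 0o640,           # group-readable: finding
        os.path.join(sld, "README"): 0o644,                # not sensitive: ignored
    }
    for path, mode in layout.items():
        with open(path, "w") as fh:
            fh.write("placeholder\n")
        os.chmod(path, mode)
    return root


def demo_findings():
    """Run the audit over the constructed tree and return root-relative findings."""
    root = build_demo_tree()
    return [(os.path.relpath(p, root), why) for p, why in audit_tree(root)]


if __name__ == "__main__":
    for rel, why in demo_findings():
        print(f"{why:25s} {rel}")
```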

Page 56

Passwords from ABAP SecStore

Page 57

Password from RSECTAB

• The secure storage is a component of the SAP Web Application Server ABAP
• It allows the encrypted storage of sensitive data that SAP applications require when logging into other systems
• These SAP applications use the storage to store passwords:
  – RFC destinations
  – Exchange Infrastructure (XI)
  – LDAP system users
  – SAPphone
  – SAPconnect
  – CCMS (Generic Request and Message Generator)
• Table RSECTAB: select rawtohex(DATA) from SAPSR3.RSECTAB

Page 58

Password from RSECTAB

Page 59

Password from RSECTAB

Page 60

Password from RSECTAB

• TripleDES 3DES mode: DES-EDE3
• The triple DES algorithm uses the DES-EDE3 method where a 24-byte key is supplied. This means there are three DES operations in the sequence encrypt-decrypt-encrypt with three different keys. The first key will be bytes 1 to 8, the second key bytes 9 to 16 and the third key bytes 17 to 24
• Two rounds

Page 61

Password from RSECTAB

• First round
• Encrypt:
  – char randomPrefix[2];
  – char payload[109];
  – char payloadLength;
  – char magicLocal[4];
  – char magicGlobalSalted[4];
  – char recordIdentifierA7Hash[16];

Page 62

Password from RSECTAB

• Key for the first round of encryption, based on the default key:

Key'def[1]  = Keydef[1]  ^ (Hsup[0] & 0xF0)
Key'def[6]  = Keydef[6]  ^ (Hsup[0] & 0x0F)
Key'def[7]  = Keydef[7]  ^ (Hsup[3] & 0xF0)
Key'def[10] = Keydef[10] ^ (Hsup[1] & 0xF0)
Key'def[13] = Keydef[13] ^ (Hsup[1] & 0x0F)
Key'def[16] = Keydef[16] ^ (Hsup[4] & 0x0F)
Key'def[19] = Keydef[19] ^ (Hsup[2] & 0xF0)
Key'def[20] = Keydef[20] ^ (Hsup[2] & 0x0F)

• Where Hsup is md5(sidA7[3] + insnoA7[10])

Page 63

Password from RSECTAB

Page 64

Password from RSECTAB

• Second round
• Encrypt all data with the default key

Page 65

Password from RSECTAB

• What about the default key?
• It is encrypted via 3DES-EDE2, too
• But the key for this encryption is hardcoded

Page 66

Prevention

• Change the default key
• SAP Security Note 1902611
• Choosing your own key: http://help.sap.com/saphelp_nw70ehp2/helpdata/en/e0/f73d41945bdb2be10000000a1550b0/content.htm

Page 67

Passwords from DBCON table

Page 68

DBCON table

• SAP has connections with different DBs
• Administrator can manage these connections via the transaction DBCO
• All DB connection information is stored encrypted in the table DBCON (Description of Database Connections)

Page 69

DBCON table

• Encrypted data looks like: V01/0030ZctvSB67Wv1OuVLazse4ORik
  – BASE64 + DES
  – hardcoded key: 59A…70E
  – decrypted data includes static salt: BE HAPPY

Page 70

Prevention

• Restrict access to the table DBCON
• Restrict access to the transaction DBCO
• SAP Security Notes 1638280 and 1823566

Page 71

Passwords from HANA

Page 72

SAP HANA

• User details (including passwords) stored in hdbuserstore
• Located in the /usr/sap/hdbclient directory
• About hdbuserstore:
  – SSFS_HDB.DAT – with user data
  – with keys

Page 73

SAP HANA

• SSFS_HDB.DAT
• Signature: RSecSSFsData
• Algorithm: 3DES
• Default key is the same as in the ABAP Security Storage

Page 74

SAP HANA

• SAP HANA - in-memory database
• But it drops some data into FS
  – Backup
  – Savepoint

"The SAP HANA database holds the bulk of its data in memory for maximum performance, but it still uses persistent disk storage to provide a fallback in case of failure. Data is automatically saved from memory to disk at regular savepoints. The data belonging to a savepoint represents a consistent state of the data on disk and remains so until the next savepoint operation has completed. After a power failure, the database can be restarted like any disk-based database and returns to its last consistent state," - SAP HANA Security Guide

Page 75

SAP HANA

• "Data volume encryption ensures that anyone who can access the data volumes on disk using operating system commands cannot see the actual data. If data volumes are encrypted, all pages that reside in the data area on disk are encrypted using the AES-256-CBC algorithm."
• "After data volume encryption has been enabled, an initial page key is automatically generated. Page keys are never readable in plain text, but are encrypted themselves using a dedicated persistence encryption root key."

Page 76

SAP HANA

"SAP HANA uses SAP NetWeaver SSFS to protect the root encryption keys that are used to protect all encryption keys used in the SAP HANA system from unauthorized access."

• SSFS_HDB.DAT
  – HDB_SERVER/PERSISTENCE/ROOTKEY
  – HDB_SERVER/DPAPI
• The persistence encryption feature does not encrypt the following data:
  – Database redo log files
  – Database backups
  – Database traces

Page 77

Prevention

• Change the encryption key after installation
• Restrict access to the key file
• Restrict access to the DAT file
• Security guide for HANA (p. 71): http://help.sap.com/hana/SAP_HANA_Security_Guide_en.pdf
• Secure storage in the file system: http://help.sap.com/saphelp_nw70ehp2/helpdata/en/a0/82dd0abbde4696b98a8be133b27f3b/content.htm

Page 78

Etc..

• ICF Password Repository - ICFSECPASSWD
• FI module passwords - FIEB_PASSWORD
• Oracle Fail Safe - stores passwords inside the ENVIRONMENT variable (Note 1764043 p. 4)
• SAP BusinessObjects LCMuser - hardcoded SVN user - \SAP BusinessObjects Enterprise XI.0\LCM_repository\svn_repository\conf
• SAP BusinessObjects axis2 login:password - axis2.xml

Page 79

Conclusion

It is possible to protect yourself from these kinds of issues, and we are working closely with SAP to keep customers secure

It's all in your hands:

SAP guides
Regular security assessments
ABAP code review
Monitoring technical security
Segregation of duties

Page 80

Future work

I'd like to thank SAP's Product Security Response Team for the great cooperation to make SAP systems more secure. Research is always ongoing, and we can't share all of it today. If you want to be the first to see new attacks and demos, follow us at @erpscan and attend future presentations.

PS:
• EAS-SEC: resource which combines
  – Guidelines for assessing enterprise application security
  – Guidelines for assessing custom code
  – Surveys about enterprise application security