ERP Security: How hackers can open the safe and take the jewels

September 25-27, 2013 – Ekoparty Security Conference – Buenos Aires, Argentina

Ezequiel Gutesman (@gutes) [email protected]
Jordan Santarsieri (@jsansec) [email protected]


ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved 2

Disclaimer

This publication is copyright 2013 Onapsis Inc. – All rights reserved.

This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or registered trademarks of Business Objects in the United States and/or other countries.

This publication contains references to the products of Oracle. Oracle products and services mentioned herein are trademarks or registered trademarks of Oracle in all countries all over the world.

SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials.

Oracle Corporation is neither the author nor the publisher of this publication and is not responsible for its content, and Oracle Corporation shall not be liable for errors or omissions with respect to the materials.


Agenda

1. Introduction
   ● Why bother about ERPs?
   ● History of ERP Security
   ● ERP Security for hackers
2. Targeting ERPs
   ● Reinventing the wheel: Technology stacks
   ● Attack Vectors
   ● Demo time!
     ● Sabotage
     ● Espionage
     ● Fraud
3. Conclusions

1. Introduction


Why bother about ERPs?

Figure on the slide: the business areas an ERP runs – sales, production, financial planning, invoicing, procurement, treasury, logistics, payroll, billing, human resources.


Why bother about ERPs?

Figure on the slide: Forbes 500 companies and mid-size companies.


Why bother about ERPs?

Figure on the slide: the threat landscape evolving from zombies → botnets → hacktivism (*), vulns, cyberwarfare & surveillance.

(*) http://suelette.home.xs4all.nl/underground/underground.txt


Why bother about ERPs?

• They run business-critical processes

• They store the most sensitive information

• Organizations are highly dependent on them


History of ERP security

Timeline 1970 – 2013, ERP / SAP track:

1972 – SAP RF → R/1
1980 – SAP R/2 (mainframe)
1993 – SAP R/3 (Realtime, 3-tier)
2002 – SAP "virus" (SAPVir); "Wir hacken eine SAP Datenbank" ("We hack an SAP database")
2003 – "SAP" Password Sicherheit ("SAP password security")
2004 – SAP NetWeaver
2007 – Exploiting SAP Internals
2008 – SAP @ JtR (John the Ripper)
2009 (3) – Attacking SAP clients; Decompression of SAP's DIAG protocol; The risks of downward compatibility
2010 (5+) – SAP Knowledge Management; Attacking users with SAPSploit; Rootkits and Trojans on your SAP Landscape; The truth about ABAP Security; Protecting SAP Applications Against Common Attacks (SAP); SAP Security Notes
2011 (5+) – The Invoker Servlet; SAP Backdoors & Rootkits; Arch. & program vulns in SAP's J2EE engine; Security of Enterprise Business Application Systems; Attacks to SAP Web Applications
2012 (10+)

Annotations on the slide: "30 years of SoD" (segregation of duties) and "13 years".

Timeline, general security track:

1972 – Buffer overflows
1988 – Morris Worm
1995 – XSS
1996 – Ping of Death
2001 – Heap spraying; OWASP
2002 – SQLi; CSRF
2003 – Metasploit
2006 – Bluepill
2008 – Debian PRNG bug
2010 – Practical Padding Oracles
2011 – BEAST
2012 – CRIME


ERP Security for hackers

ESPIONAGE: extract customer/vendor/HR data, financial planning information, balances, profits, sales information, manufacturing recipes, etc.

SABOTAGE: paralyze the operation of the organization by shutting down the ERP system, disrupting interfaces with other systems, deleting critical information, etc.

FRAUD: modify financial information, tamper with sales and purchase orders, create new vendors, modify vendor bank account numbers, etc.

2. Targeting ERPs


Reinventing the wheel: Technology stacks

Layered architecture / Attack Vectors

Layers shown on the slide, top to bottom:
- Client (web / API / thick client)
  ↓ proprietary protocols / HTTP / SOAP / CORBA
- Application Server
  ↓ trust relationships / ODBC / other
- DB
- OS
- External servers & other application servers


Reinventing the wheel: Technology stacks

Layered architecture / Attack Vectors – SAP

http://bit.ly/19AXe7Y


Reinventing the wheel: Technology stacks

Layered architecture / Attack Vectors – Oracle JD Edwards

http://bitly.com/QB12xx

Components on the slide: Web Server, JDE Java Application Server (JAS), JDE Enterprise Server, Database Server, JDE Deployment Server. Links between them: HTTP, JDENET, ODBC.


Attack Vectors

• Components and servers through protocols
  – P4, DIAG, RFC, NI, CORBA, SOAP, JDENET, HTTP, SNC, etc.

• Crypto
  – Stored keys, default certificates, proprietary schemes

• Business through data manipulation
  – Default credentials, lack of checks

• Apps
  – Web, companion apps, transactions, reports, external tools, APIs

• DB
  – Connectors, trust relationships, default accounts

Demo Time!

SABOTAGE


JD Edwards: Shutdown via UDP

The JDENet component listens on port 6015 (UDP) for control commands:

SHOWCONN, TOGGLE_LOG, CONNECT_FROM, CONNECT_TO, CONNECT_REJECT, GET_WRKMGT, VIEW_KERNEL_TRACE, SHUTDOWN, USRBROADCAST, …

Wait...


JD Edwards: Shutdown via UDP

Demo


JD Edwards: Shutdown via UDP

>>> send((IP(dst="192.168.254.128")/UDP(dport=6015)/"SHUTDOWN"))

0000  45 00 00 24 00 01 00 00 40 11 F9 25 C0 A8 00 46  E..$....@..%...F
0010  C0 A8 00 0C 00 35 17 7F 00 10 22 3D 53 48 55 54  .....5...."=SHUT
0020  44 4F 57 4E                                      DOWN

An attacker needs:

– Access to port 6015 on target

– Send UDP packet

An Attacker gets:

– Immediate JDE Enterprise Server shutdown


Fix:

Apply the latest Oracle Critical Patch Update, as the fix for this attack was released by Oracle in a scheduled CPU.
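A defender-side counterpart to the demo above, added here as an example and not part of the original deck or of Oracle's or Onapsis's code: it parses raw IPv4/UDP datagrams, flags traffic to UDP/6015 whose payload is one of the JDENet control commands listed on the slide, and is exercised on the packet bytes from the hex dump. Only the command list and that captured packet come from the slides; the function names, the constructed benign packet and the severity labels are assumptions.

```python
"""Detect JDENet control commands on UDP/6015 in raw IPv4 datagrams.
Added example for this deck, not Onapsis or Oracle code; only the command
list and the captured packet come from the slides, the rest is assumed."""
import struct
from ipaddress import IPv4Address

# Control commands the slide lists as accepted by JDENet on UDP/6015.
JDENET_CONTROL_COMMANDS = {
    "SHOWCONN", "TOGGLE_LOG", "CONNECT_FROM", "CONNECT_TO", "CONNECT_REJECT",
    "GET_WRKMGT", "VIEW_KERNEL_TRACE", "SHUTDOWN", "USRBROADCAST",
}
JDENET_UDP_PORT = 6015
IPPROTO_UDP = 17

def inspect_datagram(raw: bytes):
    """Return an alert dict if raw is a UDP/6015 JDENet control command, else None."""
    if len(raw) < 20 or raw[0] >> 4 != 4 or (raw[0] & 0x0F) < 5:  # not a sane IPv4 header
        return None
    ihl = (raw[0] & 0x0F) * 4                        # header length, options included
    total_len = struct.unpack("!H", raw[2:4])[0]
    if raw[9] != IPPROTO_UDP or len(raw) < ihl + 8:  # not UDP, or UDP header truncated
        return None
    sport, dport, udp_len = struct.unpack("!HHH", raw[ihl:ihl + 6])
    if dport != JDENET_UDP_PORT:
        return None
    end = min(len(raw), total_len, ihl + udp_len)    # never trust a single length field
    command = raw[ihl + 8:end].rstrip(b"\x00").decode("ascii", "replace").strip().upper()
    if command not in JDENET_CONTROL_COMMANDS:
        return None
    return {"src": str(IPv4Address(raw[12:16])), "dst": str(IPv4Address(raw[16:20])),
            "sport": sport, "command": command,
            "severity": "critical" if command == "SHUTDOWN" else "high"}  # assumed labels

def scan(packets):
    """Run inspect_datagram over an iterable of raw packets and collect the alerts."""
    return [a for a in map(inspect_datagram, packets) if a]

# Packet from the slide's hex dump: 192.168.0.70:53 -> 192.168.0.12:6015, payload "SHUTDOWN".
SLIDE_SHUTDOWN = bytes.fromhex(
    "45000024000100004011f925c0a80046c0a8000c"  # IPv4 header (checksum F925 verifies)
    "0035177f0010223d"                          # UDP header: sport 53, dport 6015, len 16
    "53485554444f574e"                          # "SHUTDOWN"
)
# Constructed benign datagram to the same port whose payload is not a control command.
BENIGN_6015 = SLIDE_SHUTDOWN[:28] + b"PINGREQ1"

if __name__ == "__main__":
    for alert in scan([SLIDE_SHUTDOWN, BENIGN_6015]):
        print(alert)
```

Feeding the same function from a capture (e.g. packets pulled from a pcap) turns it into a simple sensor for the control channel; any hit on SHUTDOWN from an unexpected source is worth an immediate look.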


Siebel: Bypass log in

The Anonymous user

• Required even if the applications do not allow access by unregistered users

• Used at start-up to connect to the "datasource"

• If deleted, no user could access Siebel

• At installation time, Siebel asks you to choose an already created user that will become the Anonymous user

• Should have low privileges, but to avoid configuration issues...


Siebel: Bypass log in

An attacker needs:

– Access to the application

– Insecure configuration of Anonymous user

An Attacker gets:

– Complete control of the Siebel installation


Siebel: Bypass log in

Demo


Siebel: Bypass log in

Fix:

In the Siebel configuration file, set the "anonymous user" property to a low-privileged user.

FRAUD


SAP: Diverting payments (default credentials)

SAP Clients (or mandants)
– Entity with independent data (like a tenant)
– 3-digit identifiers
– "special" default clients (created on installation):
  • 000 → Cross-client tasks
  • 001 → Template for new clients
  • 066 → SAP support

http://help.sap.com/saphelp_nw70/helpdata/en/3e/cdaccbedc411d3a6510000e835363f/content.htm

SAP* with master password on installation; SAP* left with password 06071992.

Catch: SAP* in client 066 not with SAP_ALL privileges, but...


SAP: Diverting payments (default credentials)

Demo


SAP: Diverting payments (default credentials)

Fix:

- Change the SAP* password on all clients (especially 066)

- Correctly assign SAP* permissions

ESPIONAGE


JD Edwards: Stealing passwords

Again, JDENet... is also listening on port 6015 (TCP) for JDEMsg commands.

Remotely retrieve information from the JDE.INI file, including sensitive information in clear text:
- Kernel types and configuration
- Security Server configuration
- SSO Node information
- Database information


JD Edwards: Stealing passwords

An attacker needs:

– Access to port 6015 on target (TCP)

– Send function call (JdeMsg number 563)
  • Use hard-coded key and provide victim's username

An attacker gets:

– Victim's password


JD Edwards: Stealing passwords

Fix:

Apply the latest Oracle Critical Patch Update, as the fix for this attack was released by Oracle in a scheduled CPU.


Siebel: Search Inside

Siebel Query Language (no, it's not SQL)

• Used everywhere in Siebel

• Originally designed to filter data inside Applets

• Executing queries not restricted by authorization checks (privilege independent)


Siebel: Search Inside

Access control in Siebel

@ View Level: who can access the views

@ Business Component Level: who can access the data


Siebel Query Language Injection

Fix:

Using eScript, catch the pre-query or invoke-query methods and apply a custom filter that prevents the use of dangerous functions.


SAP: Getting DB Admin rights

"The J2EE Engine provides a secure storage area where applications or service components on the J2EE Engine can store sensitive data such as passwords or communication destinations, in encrypted form" (*)

(*) http://help.sap.com/saphelp_nw73/helpdata/en/47/b08e68542e3378e10000000a421937/content.htm

/usr/sap/<SID>/SYS/global/security/data/SecStore.properties (encrypted with 3DES)

Problem #1: get the file
Problem #2: decrypt the file
Problem #3: access the DB


SAP: Getting DB Admin rights

1. Getting the Secure Store File

https://service.sap.com/sap/support/notes/1682613

Protocols on the slide: RMI, CORBA, P4 (RMI).

SAP NetWeaver Application Server uses P4 for:

• Communication between objects in different namespaces (e.g. FileTransfer_Stub)

• Reliable client-server connections

• Transparent failover for clustered remote objects

• Etc.

Target file: /usr/sap/<SID>/SYS/global/security/data/SecStore.properties


SAP: Getting DB Admin rights

2. Decrypt Secure Store

3. Access DB

3DES – key bundle?

/usr/sap/<SID>/SYS/global/security/data/SecStore.properties
/usr/sap/<SID>/SYS/global/security/data/SecStore.key


SAP: Getting DB Admin rights

Fix:

- Apply note https://service.sap.com/sap/support/notes/1682613

- Correctly handle access to the SecStore.key file

3. Conclusions


Conclusions

● ERP systems are among the most critical systems in the organization, and that makes them a really interesting target for attackers

● ERP security has a long history, most of it about SoD

● Technical vulnerabilities are more critical than SoD, since the attacker doesn't need any user in the system

● The attack surface is huge: proprietary protocols and custom technologies are everywhere

● Inherited code from the past

● Patching practices are delayed due to complexity and cost

● Since 2009 ERP cyber-security is getting more attention; leading organizations are already dealing with this

Ezequiel Gutesman (@gutes) [email protected]

Jordan Santarsieri (@jsansec) [email protected]

blog.onapsis.com – adventure.onapsis.com