Ertunga Arsal Chaos Communication Congress 2010

Rootkits and Trojans on your SAP Landscape

1

Agenda

• Introduc.ontoEnterpriseSecurity• SAP*Applica.onsinGeneral• BASIS(SAPinfrastructure)Security• A>ackstoABAPPrograms• ABAPRootkits• TheThreatAgents• HowToStaySecure

*SAPreferstoSAPR/3andNetweaverapplica.onsthroughoutthispresenta.on,notthecompany.

2

AboutMe

• ErtungaArsal<e.arsal@esnc.de>–SecurityResearcherwithfocusonEnterpriseSystems–FounderofESNCGmbH,acompanyspecializedinSAPSecurity

• OfficiallyacknowledgedforthefollowingSecurityPatches:• SAPNote1484692-Protectreadaccesstopasswordhashtables• SAPNote1497104-ProtectaccesstoPSE• SAPNote1421005-Secureconfigura.onofthemessageserver• SAPNote1483525-NewsecuritycenterinSAPGUI7.20• SAPNote1485029-Protectreadaccesstokeytables• SAPNote1488406-HandlingthegenerateduserTMSADM• SAPNote1511107-Execu.ngfreelydeterminedcodeusingtransac.onSE37• SAPNote1510704-MissingAuthoriza.onCheckinAFXWorkbenchreport

3

TypicalEnterprise

• Hasmorethanathousandofemployees• IsacircusofITSystems

–Mixtureofopera.ngsystems,databases,applica.ons• Andtheirdifferentversions• Usuallyimplementedbydifferentteams• Spanningtoalotofyears

• Decisionmakerscaremoreabouttheirbonusthantheinterestofthecompany

4

TypicalEnterpriseSecurity

• EvenmediumlevelofITsecurityistooexpensivetoachieve–Missingassetmanagement(howmanyOracleDBs,Windowsservers,etc?)–Tonsofsecurityscanning,tofewremedia.onchasing–Manyofthevulnerabili.escannotbemi.gated

• ObsessedbyCrossSiteScrip.ng• ITsecuritydepartmentscannotinfluencesecuritydecisionsofbusinessapplica.onsmuch,becauseofpoli.calreasons

• NobodycaresaboutthehackedUNIXmachine,SQLDB,orothers– Iftheyarenotdirectlyheldresponsible(CYAS-CoverYourAssSecurity)

• SoX,PCI-DSS,legalrequirements,...

• Defacementsandsimilarsecurityincidentsarebudgetapprovers

5

SAPSystems

• Businessspecific–HR,Finances,Logis.cs…

• Industrysolu.ons–Defense&Aerospace,Oil&Gas,Banking,Chemicals...

• HoldtheCrownJewels–Hence“Business”

• Areusuallyextensivelycustomized– SAPconsultantson-site– Longrunningimplementa.onprojects

• Lessexposuretotypicalhackers–WhowouldlearnABAPforhacking?–Howwouldsomeonetryitathome?

6

Su>on’sLaw

• Mainprinciple:“Whendiagnosing,oneshouldfirstconsidertheobvious”

• Namedauerabankrobber,WillieSu>on–Su>onwasaskedwhyherobbedthebanks–Hisresponse*:“Becausethat’swherethemoneyis”

• Probablyheneversaidthis

7

SAPSecurity

• Securitymostlyfocusesonauthoriza.onsandsegrega.onofdu.es– SOD’smainfocusistheac.onsofasingleperson– Twoguysgettogether=throwawayyourSODinvestments

–Weakpasswords(99%ofthecase)=throwawayyourSODinvestments

• Intrusionpreven.oniss.llababy–HowmanysignaturesdoesyourexpensiveIDPhaveforbusinessapps?

• Risksareunderes.mated/generalITSecurityeffortsaretypicallyunbalancedatcompanies

–HowmanyGlobal500sarerunningSAPforthecorebusiness?

–HowmanypeoplefromtheirITSecurityteamshaveSAPsecurityskills?

• Unlikee.gAc.veDirectory,SAPsystemsbelongtothebusiness,nottheIT• Securitydepartmentsusuallyfailwhentheyarechallenged

– Eithermissingskillsor“Thisa'ackistoosophis-cated,nobodycandoit”response

8

SAP:SimplifiedConnec.onOverview

9

• DIAGProtocol:GUIusers–TCP3200-3299

• RFCProtocol:Serviceusers–TCP3300-3399

• RFCProtocoloverSOAP:ServiceUsers–TCP8000-8099(Usually)

SAPLoadBalancer

• “MessageServer”• Ifnotproperlyconfigured,ana>ackercanregisteritsownservers[toppic-PoC]

• Canfaketheclients,MITMormore– Implementms/acl_infoaccesscontroltoprotectit!

10

SAPApplica.onServer

• Realnamethe“Gateway”• Built-inremoteshellfunc.onalityviaRFC

–Goodforremoteadministra.onwithoutauthen.ca.on–Supportsallopera.ngsystems(AIX,HP-UX,Z/OS,Win...)–CanberestrictedviasecinfoACLconfigura.on–Marianomen.onedthisatBHin2007

• Secinfo/reginfocanbebypassedwithease–Makesureyouapplythelatestkernelsecuritypatchesandyouhavearestric.vesecinfo/reginfoconfigura.on!

11

DEMO:RemoteShell

12

IP: 5.5.5.7 we attack hereour application

talks RFC

“GUIusersarethemostpowerfulusers”mythandRFC

• RFC(RemoteFunc.onCall)protocolletsyourunfunc.onsremotely–Torun;useJava,C,etc.withRFC-SDKorsimplyexecutethetestprogramstartrfc.Followingcreatesanewuserwithgodrights:startrfc -3 -h 10.1.5.4 -s 05 -c 010 -u ERTUNGA -p CCC42 -F SUSR_RFC_USER_INTERFACE -E USER=SATRIANI -E ACTIVITY=01 -E PASSWORD=RUBINA -E USER_TYPE=A -T USER_PROFILES,12,r=-<press ENTER>SAP_ALL<press enter> <press ctrl-z and enter>

• Thereisnoexploitinvolved.Everythingisintendedfunc.onality.–Beats“RFCusersarenotathreatbecausetheycannotloginviaSAPGUI”–Timetorecheckcompany’ssharedfoldersandeliminatehardcodedpasswords.

• RFC(a.k.acommunica.on)usersarethusveryveryimportant!–Securetheirpasswordsandmakethempartofthepasswordchangeprocess–Don’tforget:GUI(dialog)userswhichhaveS_RFCrightscanalsoexecuteremotely–SAP_ALLFORCOMMUNICATIONUSERSISANOGO!

13

AFewRFC’stonotedownandprotect:(Properuserauthoriza.onsisthekey)

• RFC_READ_TABLE–Readsthecontentsofanytable(Includingoneswithsensi.vedatae.gsalaryinforma.on)– Hasbugsinconver.nge.gbinaryfields

• 1Byte=2Hex,so20bytehash->40hexchars• Onlyreturnsfirst20charsbecauseofmiscalcula.on->onlyfirsthalfofthepasswordhashes

• SUSR_RFC_USER_INTERFACE–canbeusedforcrea.ng/modifyingusers.

• RFC_ABAP_INSTALL_AND_RUN– TakesABAPsourcelinesandexecutesthem

• doesnotexecuteonproduc.onsystemsbutnon-produc.ondoesnotmeanthatsystemisunimportant!

– Widelyknown!!!.ghtenuserauthoriza.onstopreventabuse– MorerestrictedinlatestNetWeaverSystems

• SAP_ALLRFCusersdon’thavethoserestric.ons!!!

• !!!RFCcanbeencapsulatedinSOAPmessages(SOAPRFC)–Company’sinternalproxysuddenlyopensthedoorstoallSAPsystems–Disableitifnotused!

14

SingleSign-on(SSO2)

• Isaconveniencefeature,notasecurityfeature• RTFM:SecureStoreandForward[SSF]documenta.on• PersonalSecurityEnvironmentfilesholdtheprivatekeydata

–StoredperdefaultinSAPSYS.psefileorDBtableSSF_PSE_D

• Ifana>ackerobtainsit,itcancreateauthen.ca.on.cketsforthevic.msystem–Accep.ngthese.cketsisenabledperdefault–A>ackercanlogonasanyuser

• Theideaofhomebrewedauthen.ca.on.cketsfirstcamefromanSAPguru:RalfNellessen

15

DEMO:Cer.ficateA>acks

16

SingleSign-on(SSO2)

• Theprivatekeycontainer(PSE)canbepin-protected

• Iwastryingtoseewhetherthepinmechanismhadanyflaws–Foundaway,sogoogledformoreinfo

–Somebodywasunconsciouslyaheadandevendocumentedthat:)

• Disableaccep.ng.cketsusingrelevantprofileparameters!

17

ConfiguringSecureNetworkCommunica.onsforSAP(h>p://dlc.sun.com/pdf/820-5064/820-5064.pdf)

SAPApplica.ons(ABAP)

• ABAPcodeholdsalmostallofthebusinesslogic• Morethan2.000.000programsarepresentatanSAPECC6.0systemauerinstalla.on.–Someprogramshavemorethan50.000linesofsourcecode

• ABAPLanguageisverypowerfulandeasytolearn–Highlevelandeasytoreadapplica.ons– Lowlevelfunc.onalityisproxiedtothekernelexecutableswhenrequired.e.gforencryp.on.• ABAPstackcan“call”thekernel.• We’llonlyfocusonthena.veABAPcodeforthispresenta.on.

18

DynamicABAP

• Statement:GENERATESUBROUTINEPOOL–DynamicallygeneratesABAPcode.– Ifthecodeisgeneratedviauserspecifiedinput,mistakesmean:

• ABAPInjec.on• Gameover

–AnexampleistheTMS_CI_START_SERVICEvulnerability

19

TMS_CI_START_SERVICEExecutableFunc.on

• TransportManagementSystemrequiredthis–Transport==SouwareInstalla.on

• ItisanRFC–RemotelyExecutableFunc.onCall

• Takesaninputtableassourcecodeandiftheparametersarespecifiedproperly,executesthecontentsofit.–Bingo!

20

TMS_CI_START_SERVICEExecutableFunc.on

• Hereisasimplerepresenta.onofthevulnerablepartofit:Generatesubroutinepoolpp_tablenameix_context.

perform(ix_command)inprogram(ix_context)tablespp_table.

• SAPpatcheditvia:–SAPNote1298160:Forbiddenprogramexecu.onpossible

• TMSADMdefaultpasswordisatleastforthelast5yearspublic–Passwordis“PASSWORD”

21

DEMO:ABAPInjec.on

22

SQLInjec.on

• ABAPtypicallyusesparametrizedqueries.–Developerscans.llspecifypartsofsqlstatementsdynamicallybyparentheses

• Notdynamic:–SELECT ColumnA FROM TableA INTO[...]

• Dynamic:–SELECT(var_ColumName)FROM(var_TableName)INTO[...]WHERE(var_WhereClause)

• Avoiddynamicstatementswherepossible!

23

SQLInjec.on

• It’snotabug,itsafeatureinconcept“RunTimeTypeCrea.on”– (e.gZ_RTTCreportinNSPTestsystem)–h>ps://wiki.sdn.sap.com/wiki/display/Snippets/Concept+of+Run+Time+Type+Crea.on

• Meansgenerictableaccess-ifnotdoneproperly• !!!Alsocheckthe“EXECSQL”

– ItallowsDBspecificdynamicqueries

24

CrossSiteScrip.ng

• Hardtobelieveweares.lltalkingaboutitin2011• Propersani.za.on/encodingoftheinputdataisthekeyforselfdevelopedwebcodesuchasBSPs.

• Ifnotdone,ana>ackercandoeverythingrelatedtoXSS,plussteale.gtheSSO2(Authen.ca.on)cookiesfromtheclients– SSO2cookiesarestatelesssoclientimpersona.onisabreeze.

• Avoidusingthismechanismwithoutpropercontrols

– IfyouhaveF5’sorsimilardevices,encryptcookiesbasedonoriginip• cankillbusinessifyouencryptbasedonfullip(32bits)• canbetooopenifyoujustencrypt/24ofthatip• WhathappenstoNATclients,Firesheep?

25

ABAPExecutableManipula.on

• Statement:INSERTREPORT

• WritescustomcodetoanyABAPprogram• It’sevenpossibletocallaneditortomakeitmoreuserfriendly–CallededitorissimilartotheABAPdevelopmentenvironment

• Verysuspiciousiffoundinselfdevelopedcode

26

RS_REPAIR_SOURCEExecutableProgram

• Unpatchedversiondoesnothaveauthoriza.onchecking.

• Peoplewithe.gSE38rightscanexecutethisandmanipulatethesystemanddataofit.

• SameasABAPinjec.on,onlymoreconvenient.• SAPpatcheditvia:

– SAPNote1167258:ProgramRS_REPAIR_SOURCE

• Therearemanyothercri.calABAPstatementsbuttheyarebeyondourscopefortoday.[onehour.melimithit]

27

ABAPRootkits

• So,itispossibletomodifysystemexecutables(ABAPs)• Ana>ackercaneasilyinfectimportantonesexecutablesandinstallanABAProotkit

• SAPhasRFCfunc.onsthatdonotrequireuserauthen.ca.onbydefault(SRFCFunc.onGroup).Thiscouldbeonecandidate.

• Installedrootkitcangiveanonymousaccesstothea>ackerwithfunc.onalitysuchas:– InstallingSAP_ALLusers–Manipula.ngABAPreports–RunningOScommands– StealinghashesorPSEfiles–Dele.ngLogs

28

TheFrontEnd:SAPGUI

• Mainapplica.onforSAPsystems• Runsondifferentpla�orms• Haspowerfulfeatures• HasanAPIforclientac.ons

–Downloading–Uploading– Execute–RegistryAccess– etc.

• WithSAPGUI7.20,thereisa“SecurityCenter”wherecertainac.onscanbeblockedwithanACL

29

DEMO:Execu.ngcodeontheclient

3012

our application talks RFC1 we attack here2

4 Code is executed at victims machine After next connect

Logon Code gets manipulated3

Triple-Penetra.onA>acks

• Penetra-on1:A>ackerexploitstheweakestsystem–Typicalenterprisesetup:

• Tes.ng/Development->QualityAssurance->Produc.on

–Amongthem,mostunprotectedaretest/developmentsystems• Whoconnecttothesesystems?Usually,adminsanddevelopers

–TAGS:PasswordSecurity,Protec.onofthePSEfiles,MessageServerSecurity,DatabaseSecurity,OSSecurity,NetworkSniffing,MissingPatchesetc...

31

Triple-Penetra.onA>acks

• Penetra-on2:A>ackerinfectsclientswhichconnecttotheweakestsystem–Startswithmodifica.on/infec.onofthecri.calareassuchaslogonscreenABAPcode

–Whenadmins/developerssuccessfullylogin,maliciouspayloadisdownloadedandexecutedontheseusers’computers• An.virusbypass,usermoderootkits,etc.• SniffingSAPcreden.alse.gbytamperingsaplogon.ini

32

Triple-Penetra.onA>acks

• Penetra-on3:Vic.minfectsallthesystemsitlaterconnectsto–Modifica.onofcri.calcomponentsofthenewlyaccessedSAPsystems• Internalproduc.onsystems• Partnersystemsorothercri.calsystems

33

0wnHalftheW0rld’sT0pBusinesses

• Especiallywhenini.altargetisanSAPHos.ngorTrainingprovider–A>ackerpaysasmallamounttogetatestaccount– Infectsthesystem– Sitsdownandwaitsfortheadminorotheruserstospreadtheinfec.ontothesystemstheyconnectto

• ConfigureyourSAPGUIsecurityse�ngsandavoidsharedSAPsystemswherepossible!

• Protectyourendusersviaproperendpointprotec.on!34

TheRobinHoodW0rmforFunandProfit

• Wormcanaccesstothefinancialapplica.onsanddata!– Sortofthe“Wormwriter’swetdream”

• Checksthebalanceattheyearendclosing• Ifthecompanyhasprofit:

–Donates%0.01ofthatamounttoRedCross,RedCrescent[putyourfavoriteredorganiza.onhere],SaveTheChildrenorWikileaks

• IfinfectedsystemscontainHRsystems:–Wormpublishessalaryinforma-onoftheemployeesonline

• Tensofthousandsofpeopleno.cethatthejerkfromdepartmentXgetstwiceasmuchmoney

• Alsoconsiderthelegalimplica.onsonthebusinesses

35

TheThreatAgent:ABAPDeveloper

• Writescodethatrunsattheheartofthesystem• Theuserrightsandpermissionsdon’tapplytohim• Hecanassigngodrightstoitselfviacode

–Auditlogsaretypicallydisabledondevelopmentsystems• Ifenabled,mostprobablydeveloperswillbeabletodisable/tamperthem• remembertoalwayslogtoanexternalsystem.

• Youneedtotrustthedevelopersmorethanyoursecurityteam–WouldyouhireanABAPdeveloperwhorecentlyworkedatacompe.tor?

• IFanswerEQUALS”HELL,YEAH”,thinkagainnow.–Howaboutthecontractedonesthatalsoprovideservicestoothercompaniesatthesame.me?

36

TheThreatAgent:DarkOrganisa.ons

• STUXNETisverypopularbut…–SAPsouwareisusedforproduc.onoffighterjets,runningpowergrids,oil&gas,cri.calproduc.onsystemsandmore.Especiallyproduc.on,materialsmanagement,logis.csandfinancialsapplica.ons…

• h>p://www.sap.com/industries/

–Hasmuchbe>erAPIanddocumenta.onthanPLCsandStep7

• ComparedtotheeffortspentforSTUXNET,itwouldbeunreasonabletothinkthatsimilarisnotalreadydoneforsuchsystems–WhathappenswhenyouorderwrongmaterialsforthenextEurofighteraircrau?

–Howwouldyoudetectit?

37

Howtostaysecure?(somemore.ps)

• Propersystemsarchitectureisaprerequisite.–ReadandApplythe“SECURECONFIGURATIONSAPNETWEAVER-APPLICATIONSERVERABAP”documentfromSAP

• Makesurerelevantpeopleinyourcompanyalsoreadit!• Check:h>ps://service.sap.com/~sapidb/011000358700000968282010E.pdf

• Implementsecinfo/reginfoandms_aclinfoACLsbeforesystemisfirstonline

• AnalyzeyoursystemsoruseanABAPintegritycheckingtoolfordetec.ngmalicioussystemtamperingandrootkitinfec.ons.–Currentlyonlytwoproductsknowntome.FromOnapsisandESNCGmbH

• Nevergivethedevelopmentsystemswritepermissionstotheproduc.onsystems’transportimportfolders

38

Howtostaysecure?

• Haveproper“check-in”and“leaversprocess”thattaketheABAPdeveloperrisksintoconsidera.on–e.g.Fulluserpasswordresetsoncertaindevelopmentsystemsorotherprecau.onswhenadeveloperleavesthecompany

–Alsoconsiderpu�ngexternalconsultantsinthescope

• Auditthecodeagainstsecurityvulnerabili.esbeforetranspor.ngtoproduc.onsystems–Currentlyonly2automa.onproductsknowntome.FromESNCGmbHandfromVirtualForgeGmbH

• Syncingpasswordstodevelopmentsystemsmeans,possibilityofdeveloperstocapturevalidpasswordsforproduc.onsystems.Avoidit!

39

Howtostaysecure?

• Getridofinsecureand/ordefaultpasswords• Disablebackwardscompa.bilityofpasswords• Followvendor’ssecuritynotesandguidelines

–h>ps://service.sap.com/securitynotes

• Convincetheuppermanagementthatstaying2yearsbehindthesecuritypatchesisabadidea!

• Installthelatestsecuritypatches• Installthelatestsecuritypatches• Installthelatestsecuritypatches

40

Credits/Thanks

• StefanFuenfrockenfromEUROSEC• RalfNellessenfromTRUSTWERK• Chris.anWippermannfromSAP• Everyone@ProductSecurityResponseTeam/SAP

41

Ques.ons?

ErtungaArsalertungaat_sabanciuniv.edu

42

Thispublica.oncontainsreferencestoproductsofSAPAG.SAP,ABAP,SAPGUIandothernamedSAPproductsandassociatedlogosarebrandnamesorregisteredtrademarksofSAPAGinGermanyandothercountriesintheworld.SAPAGisneithertheauthornorthepublisherofthispublica.onandisnotresponsibleforitscontent.

Thispresenta.onandtheaccompanyingpaperisforeduca.onalpurposesonly,Iwillnotbeheldresponsibleforwhatyoudowiththisinforma.on,youuseitatyourownrisk.

SomeToolsForProtec.ngYourSAPSystems

• SAPVulnerabilityScanandPenetra.onTes.ng:–ESNCSecuritySuite–h>ps://www.esnc.de/esnc-sap-security-audit-souware/esnc-security-suite-sap-security-scanner/index.html

• SAPSIEMIntegra.onandReal-.meA>ackDetec.on:–EnterpriseThreatMonitor–h>ps://www.enterprise-threat-monitor.com

43