INTEGRITY
Security (A)SAP
(very) Short introduction to SAP security
Bruno Morisson <[email protected]>
About
Consultant and Partner @ INTEGRITY
Leading Consulting and Penetration Testing engagements
Breaking things, and finding how to fix them
OSCP, CISSP-ISSMP, CISA, ISO27001LA
Currently doing the MSc in Information Security @ Royal Holloway, University of London.
Organizing BSidesLisbon 2013
@morisson
http://www.linkedin.com/in/morisson
What is SAP ?
SAP, started in 1972 by five former IBM employees in Mannheim, Germany, states that it is the world's largest inter-enterprise software company and the world's fourth-largest independent software supplier, overall.
The original name for SAP was German: Systeme, Anwendungen, Produkte, German for "Systems Applications and Products." The original SAP idea was to provide customers with the ability to interact with a common corporate database for a comprehensive range of applications. Gradually, the applications have been assembled and today many corporations, including IBM and Microsoft, are using SAP products to run their own businesses.
Source: http://searchsap.techtarget.com/definition/SAP
Say that again??
Customer Relationship Management (CRM)
Enterprise Resource Planning (ERP)
Product Lifecycle Management (PLM)
Supply Chain Management (SCM)
Supplier Relationship Management (SRM)
tl;dr
Extremely complex software that huge enterprises depend on for business critical applications
So, what about security ?
SAP Security Notes
[Chart: SAP Security Notes, Oct’11 to Jun’13; axis scale 0 to 30]
How often do you upgrade a complex business critical application ?
Common Problems
Integration
Default users/passwords
Misconfigured permissions
Lack of authentication
Cleartext protocols
Command Injection
Buffer overflows
SQLi
XSS
XXE
SSRF
...
Standing on the shoulders of giants
Chris John Riley - SAP (in)Security
http://www.slideshare.net/ChrisJohnRiley/sap-insecurity-scrubbing-sap-clean-with-soap
David Hartley (nmonkee) - SAP Slappin’
http://labs.mwrinfosecurity.com/publications/2012/04/27/sap-slapping/
Mariano di Croce - The SAProuter
http://conference.hitb.org/hitbsecconf2010ams/materials/D2T2%20-%20Mariano%20Nunez%20Di%20Croce%20-%20SAProuter%20.pdf
Alexander Polyakov - Breaking SAP portal
http://erpscan.com/presentations/breaking-sap-portal-from-hashdays-2012/
So I sneezed...
SAP Security Note 1816536 / CVE-2013-3319
SAP Security Note 1816536
21 Aug 2012 – Reported vulnerability to vendor
23 Aug 2012 – Vendor acknowledged vulnerability
22 Oct 2012 – Vendor contact, with status update
23 Jan 2013 – Contacted vendor, requesting status update
23 Jan 2013 – Vendor replied with status update
9 Apr 2013 – Vendor releases patch
9 Jul 2013 – Advisory released
SAP Security Note 1816536
Summary
Symptom
An attacker can discover information relating to used Operating System Version, Databases Version who uses SAP Host Agent.
This information could be used to allow the attacker to specialize their attacks against the Operating System and Databases Software.
DEMO
SAProuter
What is SAProuter ?
SAProuter is an SAP program that acts as an intermediate station (proxy) in a network connection between SAP Systems, or between SAP Systems and external networks. SAProuter controls the access to your network (application level gateway), and, as such, is a useful enhancement to an existing firewall system (port filter). Figuratively speaking, the firewall acts as an impenetrable wall around your network. However, since particular types of connections need to penetrate this wall, a “hole” has to be made in the firewall. SAProuter assumes the control of this hole.
Source: http://help.sap.com/saphelp_nw70/helpdata/en/4f/992d39446d11d189700000e8322d00/content.htm
SAProuter
Permission  From  To  Serv  Pass
P           *     *   3200
S           *     *   3200
D           *     +   *
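Added example (not from the original slides): a small audit of a route permission table in the Permission / From / To / Serv / Pass layout shown above, flagging permit entries that are wildcard on both source and destination and entries that can never match. It assumes entries are evaluated top to bottom with the first match winning, handles only P, S and D entries, and models only the bare * wildcard; the sample table and the function names are constructed for illustration.

```python
# Added example: audit a SAProuter route permission table (saprouttab).
# Assumptions: first matching entry wins; only P/S/D entries and the bare
# "*" wildcard are modelled. Function names are hypothetical.

# Constructed sample. Lines 2 and 3 are the wildcard rows from the slide.
SAMPLE = """\
# permission  from       to        serv  pass
P  *          *          3200
S  *          *          3200
P  10.1.1.20  10.2.0.5   3300  s3cret
D  *          *          *
"""

def parse(text):
    """Return (line_no, perm, src, dst, serv, password) per entry."""
    entries = []
    for no, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if len(fields) < 4:
            continue  # blank line, comment, or incomplete entry
        password = fields[4] if len(fields) > 4 else None
        entries.append((no, fields[0].upper(), *fields[1:4], password))
    return entries

def covers(earlier, later):
    """True if everything `later` matches is already matched by `earlier`."""
    return all(e == "*" or e == l for e, l in zip(earlier[2:5], later[2:5]))

def audit(text):
    """Return a list of (line_no, message) findings."""
    findings, seen = [], []
    for entry in parse(text):
        no, perm, src, dst, serv, _ = entry
        shadow = next((s for s in seen if covers(s, entry)), None)
        if shadow:
            findings.append((no, f"unreachable: line {shadow[0]} matches first"))
        elif perm in ("P", "S") and src == "*" and dst == "*":
            # P permits any protocol; S permits SAP protocol connections only
            kind = "any protocol" if perm == "P" else "SAP protocol only"
            findings.append((no, f"any source to any destination on {serv} ({kind})"))
        seen.append(entry)
    return findings

if __name__ == "__main__":
    for no, msg in audit(SAMPLE):
        print(f"line {no}: {msg}")
```

On the sample, the P entry is reported as open to any source and destination, and the S entry below it is reported as unreachable because the P entry already matches the same connections.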
sap_router_portscanner.rb
msf auxiliary(sap_router_portscanner) > show options

Module options (auxiliary/scanner/sap/sap_router_portscanner):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   CONCURRENCY     1                yes       The number of concurrent ports to check per host
   INSTANCES       00-99            no        SAP instance numbers to scan (NN in PORTS definition)
   MODE            SAP_PROTO        yes       Connection Mode: SAP_PROTO or TCP (accepted: SAP_PROTO, TCP)
   PORTS           32NN             yes       Ports to scan (e.g. 3200-3299,5NN13)
   RHOSTS          192.168.1.175    yes       The target address range or CIDR identifier
   SAPROUTER_HOST  192.168.1.25     yes       SAPRouter address
   SAPROUTER_PORT  3299             yes       SAPRouter TCP port
   THREADS         1                yes       The number of concurrent threads

msf auxiliary(sap_router_portscanner)
DEMO
Questions ?