Attacks based on security configurations – March 18th, 2014, BIZEC Workshop – Juan Perez-Etchegoyen, [email protected] – SAP Security 2014: Protecting Your SAP Systems Against Hackers And Industrial Espionage
Transcript
Page 1: Attacks Based on Security Configurations

Attacks based on security configurations

March 18th, 2014
BIZEC Workshop
Juan Perez-Etchegoyen [email protected]

SAP Security 2014 – Protecting Your SAP Systems Against Hackers And Industrial Espionage

Page 2: Attacks Based on Security Configurations

2 www.onapsis.com – © 2014 Onapsis, Inc. – All rights reserved

Disclaimer

This publication is copyright 2014 Onapsis Inc. – All rights reserved.

This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or registered trademarks of Business Objects in the United States and/or other countries.

SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials.

Page 3: Attacks Based on Security Configurations

Agenda

Introduction
Configurations
Attacks
Recommendations
Conclusions

Page 4: Attacks Based on Security Configurations

Who is Onapsis Inc.?
Company focused on protecting ERP systems from cyber-attacks (SAP®, Siebel®, Oracle® E-Business Suite™, PeopleSoft®, JD Edwards® …).
Working with Global Fortune-100 and large governmental organizations.

What does Onapsis do?
Innovative ERP security software (Onapsis X1, Onapsis IPS, Onapsis Bizploit).
ERP security professional services.
Trainings on ERP security.

Who are we?
Juan Perez-Etchegoyen (JP), CTO at Onapsis.
Discovered several vulnerabilities in SAP and Oracle ERPs...
Speakers/Trainers at the most important Security Conferences

Page 5: Attacks Based on Security Configurations

Introduction

Page 6: Attacks Based on Security Configurations

A Cyber-criminal & SAP systems

● If an attacker is after an SAP system, he is probably looking to perform:

ESPIONAGE: Obtain customers/vendors/human resources data, financial planning information, balances, profits, sales information, manufacturing recipes, etc.

SABOTAGE: Paralyze the operation of the organization by shutting down the SAP system, disrupting interfaces with other systems, deleting critical information, etc.

FRAUD: Modify financial information, tamper with sales and purchase orders, create new vendors, modify vendor bank account numbers, etc.

Page 7: Attacks Based on Security Configurations

What is his goal?

The SAP Production System: SALES, PRODUCTION, FINANCIAL PLANNING, INVOICING, PROCUREMENT, TREASURY, LOGISTICS, PAYROLL, BILLING, HUMAN RESOURCES

Page 8: Attacks Based on Security Configurations

Where an attacker would probably hit…

• SAP systems are built upon several layers.
• Segregation of Duties (SoD) controls apply at the Business Logic layer.
• The SAP Application Layer (NetWeaver/BASIS) is common to most modern SAP solutions, serving as the base technological framework.

Layer diagram (top to bottom):
SAP Solution:        SAP Business Logic
                     SAP Application Layer
Base Infrastructure: Database
                     Operating System

Page 9: Attacks Based on Security Configurations

Where an attacker would probably hit… (same layer diagram as Page 8, with the SAP Application Layer highlighted)

Successful attacks on this layer would result in a complete compromise of the SAP system (SAP_ALL or equivalent), usually even without requiring a username or password.

Page 10: Attacks Based on Security Configurations

Configurations and SAP systems

Page 11: Attacks Based on Security Configurations

Netweaver framework can be tuned…

SAP Systems can be configured through different mechanisms:

• Customizing (IMG)
• UME Settings (JAVA only)
• ACL settings (diagram examples: reginfo, secinfo, Webdispatcher, Management Console, Message Server, ICM ACL, SAPGui ACL)
• Profile Parameters
• Transport profile
• User parameters
• RFC Destinations
• …

Page 12: Attacks Based on Security Configurations

Profile parameters

• Conceptually each parameter is a key-value pair
• Depending on the kernel version, there are close to 1500 parameters
• Around 10% of them are security-relevant
• Parameters are configured within profiles:
  • Default
  • Instance
  • Start*
• Dynamic parameters do not require a system restart
• Some examples (annotated on the slide, in order):
  • rdisp/wp_no_dia = 10 (non dynamic, not security-relevant)
  • rsau/enable = 1 (non dynamic, security-relevant)
  • login/min_password_lng = 8 (non dynamic, security-relevant)
  • login/password_downwards_compatibility = 1 (dynamic, security-relevant)

Page 13: Attacks Based on Security Configurations

Challenges?

Page 14: Attacks Based on Security Configurations

Challenges

• Each profile parameter seems to define a simple concept, but
  • it can be challenging to understand
  • many times little documentation is available
• For some situations…
  • parameters are related, so behavior depends on many values
  • parameters take precedence
  • profiles take precedence (kernel default -> default.pfl -> instance profile -> dynamic configuration; each later level overrides the earlier ones)
  • parameters could change from App. Server to App. Server
  • parameter configuration depends on file/table contents
  • parameters are created and destroyed with new kernel versions
• Default values?

Page 15: Attacks Based on Security Configurations

Attack scenarios

Page 16: Attacks Based on Security Configurations

Attack #1 Emergency mechanism

Page 17: Attacks Based on Security Configurations

Attack #1 – Emergency mechanism

An emergency mechanism to connect to the SAP systems:

• Enabled by a profile parameter: login/no_automatic_user_sapstar
• User SAP* does not exist in the database
• Connection with full authorizations
• Default credentials SAP*:PASS
• Cross-client issue (could be affecting only one client)
• Cross-App-Srv issue (could affect a single application server)

The connection to the system will be successful based on a profile parameter and the user master record.

Impact: Full SAP system compromise.

Page 18: Attacks Based on Security Configurations

Demo

Page 19: Attacks Based on Security Configurations

Attack #1

login/no_automatic_user_sapstar per application server: Server 1 (Central Instance) = 1, Server 2 (Dialog Instance) = 1, Server 3 (Dialog Instance) = 0, Server 4 (Dialog Instance) = 1

Client | SAP* record in database | Server 1 (CI) | Server 2 (DI) | Server 3 (DI) | Server 4 (DI)
000    | Yes                     | No            | No            | No            | No
001    | Yes                     | No            | No            | No            | No
066    | Yes                     | No            | No            | No            | No
200    | Yes                     | No            | No            | No            | No
230    | No                      | No            | No            | Yes           | No
300    | Yes                     | No            | No            | No            | No

(Server columns: whether the SAP* emergency login succeeds for that client on that server.)

Page 20: Attacks Based on Security Configurations

Attack #1 (same table as Page 19)

Protection / Countermeasure

Do not delete the user SAP* from any client.
Secure the user SAP* for all the clients in the SAP system (including standard clients).
Configure login/no_automatic_user_sapstar to 1.
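The rule behind the Page 19/20 table, written out as an audit check. This is an added example, not code from the deck or from Onapsis: the per-server parameter values and per-client SAP* records below are constructed to match the table, and the assumption is that the parameter is resolved per application server, as the deck shows.

```python
"""Audit helper for the SAP* emergency-login exposure (Attack #1).

The emergency login SAP*/PASS works on an application server only when that
server's profile has login/no_automatic_user_sapstar = 0 AND the client has
no SAP* user master record. Both conditions are needed, which is why a single
dialog instance plus a single client is enough to expose the whole system.
"""

# Constructed sample: effective parameter value per application server.
SERVER_PARAM = {
    "Server 1 (Central Instance)": 1,
    "Server 2 (Dialog Instance)": 1,
    "Server 3 (Dialog Instance)": 0,
    "Server 4 (Dialog Instance)": 1,
}

# Constructed sample: does a SAP* user master record exist in each client?
SAPSTAR_RECORD = {
    "000": True, "001": True, "066": True,
    "200": True, "230": False, "300": True,
}


def emergency_login_possible(no_automatic_user_sapstar: int,
                             sapstar_record_exists: bool) -> bool:
    """True when the SAP*/PASS fallback would authenticate on this server/client."""
    return no_automatic_user_sapstar == 0 and not sapstar_record_exists


def exposure_matrix(server_param, sapstar_record):
    """{(client, server): exposed} for every client/server combination."""
    return {
        (client, server): emergency_login_possible(value, exists)
        for client, exists in sapstar_record.items()
        for server, value in server_param.items()
    }


def exposed_pairs(server_param, sapstar_record):
    """Only the (client, server) pairs an auditor needs to act on, sorted."""
    return sorted(pair for pair, exposed
                  in exposure_matrix(server_param, sapstar_record).items()
                  if exposed)


def remediation(server_param, sapstar_record):
    """The deck's countermeasures, mapped onto the concrete findings."""
    actions = []
    for server, value in server_param.items():
        if value == 0:
            actions.append(f"set login/no_automatic_user_sapstar = 1 on {server}")
    for client, exists in sapstar_record.items():
        if not exists:
            actions.append(f"recreate and secure user SAP* in client {client}")
    return actions


if __name__ == "__main__":
    for client, server in exposed_pairs(SERVER_PARAM, SAPSTAR_RECORD):
        print(f"EXPOSED: client {client} via {server}")
    for action in remediation(SERVER_PARAM, SAPSTAR_RECORD):
        print("TODO:", action)
```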

Page 21: Attacks Based on Security Configurations

Attack #2 Load Balancing

Page 22: Attacks Based on Security Configurations

Attack #2 – Load Balancing

Load balancing on SAP systems is driven by new application servers registering on the Message Server, which is restricted by:

• Parameter ms/acl_info
• Contents of the ms_acl_info file.

The registration of a new application server will be successful based mainly on the contents of the acl file.

Impact: Full SAP system compromise.

Page 23: Attacks Based on Security Configurations

Demo

Page 24: Attacks Based on Security Configurations

Demo

Protection / Countermeasure

Create and maintain the acl to restrict which SAP Application Servers are allowed to register in the Message Server.

Page 25: Attacks Based on Security Configurations

Attack #3 Password policies

Page 26: Attacks Based on Security Configurations

Attack #3 – Password policies

The ability for a user to connect to the system when password policies are enhanced will depend on:

• Type of connection (DIAG/RFC)
• User Type (service, system, dialog…)
• Parameter rfc/reject_expired_passwd
• Parameter login/password_compliance_to_current_policy

The connection to the system will be successful based on two profile parameters, the user and the protocol.

Impact: Effectiveness of brute-force attacks

Page 27: Attacks Based on Security Configurations

Attack #3

Columns: user types Dialog, Service, System, Communication.

# | Connection type | rfc/reject_expired_passwd | login/password_compliance_to_current_policy | Dialog | Service | System | Communication
1 | GUI             | 0                         | 0                                           | Yes    | Yes     | No     | No
2 | RFC             | 0                         | 0                                           | Yes    | Yes     | Yes    | Yes
3 | GUI             | 1                         | 0                                           | Yes    | Yes     | No     | No
4 | RFC             | 1                         | 0                                           | Yes    | Yes     | Yes    | Yes

Page 28: Attacks Based on Security Configurations

Attack #3

# | Connection type | rfc/reject_expired_passwd | login/password_compliance_to_current_policy | Dialog  | Service | System | Communication
5 | GUI             | 1                         | 1                                           | Pwd Chg | Yes     | No     | No
6 | RFC             | 1                         | 1                                           | No      | Yes     | Yes    | No
7 | GUI             | 0                         | 1                                           | Pwd Chg | Yes     | No     | No
8 | RFC             | 0                         | 1                                           | Yes     | Yes     | Yes    | Yes

Page 29: Attacks Based on Security Configurations

Attack #3 (same table rows 5–8 as Page 28)

Protection / Countermeasure

Secure both profile parameters according to business requirements without disrupting any pre-established interface.
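The eight rows on Pages 27 and 28, encoded as a decision function so an auditor can evaluate any user/protocol/parameter combination. This is an added example, not from the deck or from SAP: DECK_TABLE reproduces the table as printed, and the rule in login_outcome() is an assumption derived from that table, cross-checked against it.

```python
"""Login outcome under enhanced password policies (Attack #3).

Outcome depends on the connection type (GUI = DIAG, or RFC), the user type,
and the profile parameters rfc/reject_expired_passwd and
login/password_compliance_to_current_policy.
"""

USER_TYPES = ("Dialog", "Service", "System", "Communication")

# The deck's table: (connection, reject_expired, compliance) -> outcome per user type.
DECK_TABLE = {
    ("GUI", 0, 0): ("Yes", "Yes", "No", "No"),
    ("RFC", 0, 0): ("Yes", "Yes", "Yes", "Yes"),
    ("GUI", 1, 0): ("Yes", "Yes", "No", "No"),
    ("RFC", 1, 0): ("Yes", "Yes", "Yes", "Yes"),
    ("GUI", 1, 1): ("Pwd Chg", "Yes", "No", "No"),
    ("RFC", 1, 1): ("No", "Yes", "Yes", "No"),
    ("GUI", 0, 1): ("Pwd Chg", "Yes", "No", "No"),
    ("RFC", 0, 1): ("Yes", "Yes", "Yes", "Yes"),
}


def login_outcome(connection, user_type, reject_expired, compliance):
    """Return 'Yes', 'No' or 'Pwd Chg' for one user trying to log in."""
    if connection == "GUI":
        # System and Communication users never get an interactive logon.
        if user_type in ("System", "Communication"):
            return "No"
        # With compliance enforced, a Dialog user is forced to change a
        # password that no longer meets the current policy; Service users
        # are not subject to that check in the table.
        if user_type == "Dialog" and compliance == 1:
            return "Pwd Chg"
        return "Yes"
    if connection == "RFC":
        # RFC has no password-change dialog, so a non-compliant password is
        # rejected only when both parameters are on, and then only for
        # Dialog and Communication users.
        if (compliance == 1 and reject_expired == 1
                and user_type in ("Dialog", "Communication")):
            return "No"
        return "Yes"
    raise ValueError(f"unknown connection type {connection!r}")


def outcome_row(connection, reject_expired, compliance):
    """One table row: outcome for each user type in USER_TYPES order."""
    return tuple(login_outcome(connection, u, reject_expired, compliance)
                 for u in USER_TYPES)


def rules_match_deck():
    """Cross-check: the rule reproduces every row of the deck's table."""
    return all(outcome_row(*key) == row for key, row in DECK_TABLE.items())


def policy_bypassed_over_rfc(reject_expired, compliance):
    """True when a Dialog user whose password does not meet the current
    policy can still authenticate over RFC without a password change, i.e.
    the tightened policy does not take effect on that interface."""
    return login_outcome("RFC", "Dialog", reject_expired, compliance) == "Yes"
```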

Page 30: Attacks Based on Security Configurations

Attack #4 Interfaces

Page 31: Attacks Based on Security Configurations

Attack #4 – Interfaces

The ability for a user to register, start and connect to an interface on the SAP system will depend on:

• Parameters gw/reg_info, gw/sec_info, gw/acl_mode, gw/sim_mode, gw/reg_no_conn_info …
• Contents of the reginfo and secinfo files.

The registration of an interface will be successful based on several profile parameters and the proper acl file.

Impact: Potential full SAP system compromise.

Page 32: Attacks Based on Security Configurations

Attack #4

acl file                   | gw/acl_mode | start/register
File exists and is empty   | 0 or 1      | No servers allowed
File does not exist        | 0           | Unrestricted
File does not exist        | 1           | Only local and internal
File properly defined      | 0 or 1      | Only servers defined in ACL

If gw/sim_mode is enabled and no explicit denial is included in the ACL, everything is accepted.

Simplified version of the configuration options.

Page 33: Attacks Based on Security Configurations

Demo

Page 34: Attacks Based on Security Configurations

Attack #4 – Evil Twin: MITM Attacks

- So we have the same scenario: legitimate client and External RFC Server, the SAP R/3 Server and the SAP Gateway.
- Here we go again, blocking valid connections to the innocent External RFC Server.
- Now, the same malicious client/server connects with the SAP R/3 Gateway, and registers itself with the same ID as the original external server.
- This time, every RFC call received is logged/modified, and forwarded to the original external server.

Diagram elements: SAP FE, SAP GW, SAP R/3, External RFC Server, External RFC Malicious Server; arrows: RFC Call, RFC Modified Call, Modified RESPONSE, RESPONSE.

Page 35: Attacks Based on Security Configurations

Attack #4 – Attacking the R/3 with a Registered Server

- Yes, again the same scenario: the valid client, the valid External RFC Server, the SAP R/3 Server and the SAP Gateway.
- Here we are again, blocking valid connections to the innocent External RFC Server.
- Again, the same malicious client/server connects with the SAP R/3 server, and registers itself with the ID of the original external server.
- But now, when an RFC call is received, we perform a callback…
- SAP R/3 Application Server OWNED!!

Diagram elements: SAP FE, SAP GW, SAP R/3, External RFC Server, External RFC Malicious Server; arrows: RFC Call, RESPONSE, Poisoned RFC Callback.

Page 36: Attacks Based on Security Configurations

Attack #4 – Attacking the R/3 with a Registered Server (same diagram as Page 35)

Protection / Countermeasure

Create and maintain the proper acl files to restrict which servers can be registered and started and who can connect to those servers.
Maintain profile parameters according to your security policies.
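The Page 32 decision table applied to an actual reginfo file, including the gw/sim_mode caveat, as an audit check. This is an added example, not from the deck or from SAP: the reginfo samples are constructed, the P/D line syntax with TP=, HOST=, ACCESS= and CANCEL= is the standard reginfo syntax, and treating a file that holds only the #VERSION header as "empty" is an assumption of this code, not SAP's implementation.

```python
"""Effective SAP Gateway registration policy (Attack #4).

Whether the acl file is missing, empty or properly defined, combined with
gw/acl_mode, gives the effective start/register policy; gw/sim_mode with no
explicit denial in the ACL makes everything accepted.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Rule:
    action: str           # "P" (permit) or "D" (deny)
    fields: Dict[str, str]  # TP=, HOST=, ACCESS=, CANCEL= ...


def parse_reginfo(text: Optional[str]) -> Optional[List[Rule]]:
    """None when the file does not exist, [] when it contains no rules."""
    if text is None:
        return None
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # blank, comment or #VERSION
            continue
        action, *kv = line.split()
        fields = dict(item.split("=", 1) for item in kv if "=" in item)
        rules.append(Rule(action.upper(), fields))
    return rules


def effective_policy(rules: Optional[List[Rule]], acl_mode: int,
                     sim_mode: int = 0) -> str:
    """Map (file state, gw/acl_mode, gw/sim_mode) to the deck's outcome text."""
    # Simulation mode: only an explicit D line still denies anything.
    if sim_mode and not any(r.action == "D" for r in rules or []):
        return "Unrestricted (gw/sim_mode enabled, no explicit denial)"
    if rules is None:                       # file does not exist
        return "Unrestricted" if acl_mode == 0 else "Only local and internal"
    if not rules:                           # file exists and is empty
        return "No servers allowed"
    return "Only servers defined in ACL"    # file properly defined


def findings(rules, acl_mode, sim_mode=0) -> List[str]:
    """Audit findings an administrator would act on, per the deck's countermeasure."""
    out = []
    policy = effective_policy(rules, acl_mode, sim_mode)
    if policy.startswith("Unrestricted"):
        out.append("any host may register/start servers: " + policy)
    if rules is None:
        out.append("reginfo missing: create and maintain the acl file")
    if sim_mode:
        out.append("gw/sim_mode is on: ACL is not enforced, disable after tuning")
    return out


# Constructed samples (hostnames/IPs are placeholders, not real systems)
REGINFO_MISSING = None
REGINFO_EMPTY = "#VERSION=2\n"
REGINFO_NO_DENY = "#VERSION=2\nP TP=ERP_CONNECTOR HOST=10.0.0.5 ACCESS=internal CANCEL=internal\n"
REGINFO_DEFINED = REGINFO_NO_DENY + "D TP=* HOST=*\n"
```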

Page 37: Attacks Based on Security Configurations

Wrapping up...

Page 38: Attacks Based on Security Configurations

The BIZEC TEC/11 lists the most common and critical issues affecting the business runtime.

● BIZEC TEC-01: Vulnerable Software in Use
● BIZEC TEC-02: Standard Users with Default Passwords
● BIZEC TEC-03: Unsecured SAP Gateway
● BIZEC TEC-04: Unsecured SAP/Oracle authentication
● BIZEC TEC-05: Insecure RFC interfaces
● BIZEC TEC-06: Insufficient Security Audit Logging
● BIZEC TEC-07: Unsecured SAP Message Server
● BIZEC TEC-08: Dangerous SAP Web Applications
● BIZEC TEC-09: Unprotected Access to Administration Services
● BIZEC TEC-10: Insecure Network Environment
● BIZEC TEC-11: Unencrypted Communications

Callouts on the slide: Bizec, Attack #1, Attack #4, Attack #2.

Page 39: Attacks Based on Security Configurations

General recommendations

• Use RZ10 and keep track of profiles and parameter values through the database.
• Specify values in the default profile whenever possible, to define a value for all App. Servers.
• Pay attention to the values defined in the Instance profiles, as those will override the default profile.
• Pay special attention to the dynamic parameters, as modifications of those could remain unnoticed.
• Keep track of the profile parameters that are security-relevant, as those could have a big impact on security.

Page 40: Attacks Based on Security Configurations

Conclusions

● Configurations are complex on SAP systems and can have a huge impact on their security.
● Complex situations could expose the system.
● Proper controls in place and monitoring of all SAP configurations can help reduce the risk.
● Holistic security at the SAP Application Layer involves every landscape, every system, every instance and every client.

Page 41: Attacks Based on Security Configurations

References

● SAP Runs SAP – Remote Function Call: Gateway Hacking and Defense (Björn Brencher, SAP)
● Secure Configuration of SAP NetWeaver Application Server Using ABAP
● http://www.bizec.org/wiki/BIZEC_TEC11
● http://scn.sap.com/community/netweaver/blog/2012/07/28/change-sap-profile-parameters
● https://help.sap.com/saphelp_nw04/helpdata/en/22/41c43ac23cef2fe10000000a114084/content.htm
● Special Thanks to the Onapsis Team (Sergio Abraham, Pablo Muller, Jordan Santarsieri…)

Page 42: Attacks Based on Security Configurations

Questions? [email protected]

Stay tuned!
@onapsis
@jp_pereze

Page 43: Attacks Based on Security Configurations

Thank you!

www.onapsis.com
Follow us! @onapsis