SAP Penetration Testing & Defense In-Depth
Mariano Nuñez Di Croce
[email protected]
October 2-3, 2008, Ekoparty, Buenos Aires, Argentina
Copyright 2008 CYBSEC. All rights reserved.
Who is CYBSEC?
- Provides Information Security services since 1996.
- More than 300 customers, located in Latin America, USA and Europe.
- Wide range of services: Strategic Management, Operation Management, Control Management, Incident Management, PCI Services, SAP Security.

SAP & CYBSEC
- Member of the SAP Global Security Alliance (GSA).
- Has been working with SAP (Walldorf) since 2005.
- Provides specific SAP security services (Penetration Testing, Secure Architecture Design, Secure Configuration, ...)
Who am I?
- Senior Security Researcher at CYBSEC.
- Devoted to Penetration Testing and Vulnerability Research.
- Discovered vulnerabilities in Microsoft, Oracle, SAP, Watchfire, ...
- Speaker/Trainer at Blackhat, Sec-T, Hack.lu, DeepSec, Ekoparty, CIBSI, ...

SAP & Me
- Started researching in 2005.
- SAP Pentesting projects (customers).
- Discovered more than 40 vulnerabilities in SAP software.
- Published "Attacking the Giants: Exploiting SAP Internals".
- Developed sapyto, the first SAP Penetration Testing Framework.
- CYBSEC's SAP (In)Security Training instructor.
Agenda
- Introduction to the SAP World
- Why SAP Penetration Testing?
- PenTest Setup
- SAP PenTesting
  - Discovery Phase
  - Exploration Phase
  - Vulnerability Assessment Phase
  - Exploitation Phase
- Case Study: SAProuter Security Assessment
- Conclusions
Introduction to the SAP World
Basic concepts for deep knowledge
So what is SAP?
- SAP (Systems, Applications and Products in Data Processing) is a German company devoted to the development of business solutions.
- More than 41,600 customers in more than 120 countries.
- More than 121,000 SAP implementations around the globe.
- Third biggest independent software vendor (ISV).
- Provides different solutions: CRM, ERP, PLM, SCM, SRM, GRC, Business One, ...
- The ERP solution is composed of different functional modules (FI, CO, SD, HR, MM, etc.) that implement the organization's business processes.
- Modules are linked together, integrated by the NetWeaver platform.
- SAP runs on multiple Operating Systems and Databases.
SAP Basic Concepts: Instance & System
- An instance is an administrative entity which groups related components of an SAP system, providing one or more services.
- Systems are identified by the SAP System ID (SID).
- System (instance) parametrization is done in Profiles.
SAP Basic Concepts: Client & Transaction
Client
- Legally and organizationally independent unit in an SAP system (company group, business unit, corporation).
- Identified by a three-digit number.
- Default clients: 000, 001 and 066.
Transaction
- Related sequence of steps (dialog steps) aimed to perform an operation in the SAP database.
- Identified by a transaction code (e.g. SU01, SE16, FK01, PA20, ...)
SAP Basic Concepts: ABAP
- ABAP is the SAP high-level programming language used to develop business applications.
- Reports / Programs: ABAP programs that receive user input and produce a report in the form of an interactive list.
- Function Modules: Independent ABAP modules. Can be called locally or remotely.
- The RFC (Remote Function Call) Interface: Used to call function modules on remote systems.
SAP Basic Concepts: The Authorization Concept (Simplified)
- Users are assigned roles/profiles. Each profile contains a set of Authorization objects.
- When a user tries to perform an activity, the required authorization objects are checked against the user's authorization objects (user buffer).
- Controlled Activities:
  - Starting Transactions (S_TCODE)
  - Accessing Tables (S_TABU_DIS)
  - Starting Programs (S_PROGRAM)
  - Calling RFC Function Modules (S_RFC)
- Authorization checks can also be done programmatically, through the AUTHORITY-CHECK statement.
Some Low-level Knowledge
- SAP_ALL profile = SAP God. Many other profiles may enable a user to become a god too.
- Each SAP System uses its own Database.
- SAP processes run under the <sid>adm or SAPService<SID> user accounts. Connections to the Database are done with the same UID. No authorization at this level: direct access to the Database means full SAP compromise!
- Connections between systems are often based on Trust Relationships (r* services).
- Many customer interfaces are implemented through FTP (cleartext, usually weak passwords).
Why SAP Penetration Testing?
Or why you and your CFO should care
Why do you Need an SAP Penetration Test?
CFO: The new SAP system must be running on October 3rd, no excuses.
Security guy: But we haven't secured the systems yet... you know, there is something called Security.
CFO: Security? Hmm... is it French? I don't care. Business *must* go on!
Security guy: But we should take care of User authorizations to prevent frauds!
CFO: Just give everyone full access (SAP_ALL) for three months, then we'll lock it down.
Security guy: OK
Security guy: @#-*!#&$%!!
Why do you Need an SAP Penetration Test? (cont.)
- CFO's Mistake: Weak SAP Security configuration can definitely result in Business Frauds!
- Security guy's Mistake: SAP Security is much (*much*) more than User roles and authorizations!
Why do you Need an SAP Penetration Test? (Wrap up)
- Security configurations of SAP systems are usually left by default.
- By default, many configurations are not secure.
- Conclusion: Many SAP implementations are not secure! Is yours secure?
- A Penetration Test of these systems will help you know how your SAP implementation can be attacked and what the real impact of this is. It will help you discover the weaknesses, secure them, and increase the security level of your systems (a.k.a. decrease fraud risk).
- In this talk, we'll see some of the activities that make up the different phases of an SAP Penetration Test (no way of covering them all).
PenTest Setup
Before we begin
Preparation: What do you need?
The Shopping List:
- sapyto
- nmap
- r* tools (rsh, rlogin, rexec)
- SQL client tools
- NFS client tools
- SMB client & security tools
- BurpSuite / w3af
- Nessus
- john (patched)
- hydra

Try to get as much information as possible about target platforms, usage and policies before starting the assessment.
Remember that everything that breaks while you are pentesting *will* be your fault (even if someone breaks his leg).
sapyto
- First SAP Penetration Testing Framework.
- Support for activities in all phases of the pentest.
- Open-source (and free).
- Plugin based.
- Developed in Python and C.
- Version 0.93 released at Blackhat Europe 07.
Available Plugins in sapyto v0.93
Audit:
- RFC Ping.
- Registration of External Servers.
- Detection of RFCEXEC.
- Detection of SAPXPG.
- Get system information.
- Get server documentation.
Attack:
- RFC_START_PROGRAM Dir Traversal.
- Run commands through RFCEXEC.
- Run commands through SAPXPG.
- StickShell.
- Evil Twin Attack.
- Get remote RFCShell.
Tools:
- RFC Password Obfuscator / De-obfuscator.
Hot News! sapyto v0.98
- Core and architecture fully re-built.
- Based on connectors: the SAPRFC* connectors and the RFCSDK.
- Plugins are now categorized in Discovery, Audit and Exploit:
  - Discovery plugins find new targets.
  - Audit plugins carry out the vulnerability assessments.
  - Exploit plugins are used as proofs of concept for discovered vulns.
- sapytoAgents deployment.
- New plugins for auditing SAProuters, finding clients, bruteforcing, ...
Discovery Phase
Finding SAP targets
Discovering SAP Systems and Applications (Targets)
Available Options:
- Traffic sniffing.
- SAP portscanning.
- Checking SAPGUI configurations.

- SAP Systems use a fixed range of ports. Most ports follow the PREFIX + SYS. NUMBER format.
- Common ports: 32XX, 33XX, 36XX, 39XX, 3299, 81XX, ...
- Nmap: Watch timings (-T3) and don't use version detection.
- The new sapyto will provide automatic discovery of SAP systems and configuration of targets/connectors for auditing!
Exploration Phase
Getting as much information as possible
Getting Information from SAP Application Servers
- The RFC_SYSTEM_INFO function module returns information about remote SAP Application Servers (implemented in sapyto's sapinfo plugin).
- Can be called remotely (and anonymously) by default.

[5]sapinfo(target#0) {
  Remote System Information:
    RFC Log Version: 011
    Release Status of SAP System: 700
    Kernel Release: 700
    Operating System: Linux
    Database Host: sapl01
    Central Database System: ORACLE
    Integer Format: Little Endian
    Dayligth Saving Time:
    Float Type Format: IEEE
    Hostame: sapl01
    IP Address: 192.168.3.4
    System ID: TL1
    RFC Destination: sapl01_TL1_00
    Timezone: -18000 (diff from UTC in seconds)
    Character Set: 4103
    Machine ID: 390

Protection / Countermeasure
- Restrict connections to the SAP Gateway at the network level.
- For more information, refer to SAP Note 931252.
Finding Available Clients
- Users are client-dependent.
- Default clients: 000, 001, 066.

getClients(target#0) {
  Client 000 is available.
  Client 001 is available.
  Client 066 is available.
  Client 101 is available.
  Client 200 is available.
} res: Ok
Analyzing Shared Resources
- The Common Transport Directory (CTD) is the directory where changes (transports) are exported to and imported from in an SAP landscape.
- This directory must be shared for all systems in the landscape.
- It is often the case that the kernel files and profiles are shared to dialog instances.

$ showmount -e sapserver
/export/usr/sap/trans   (everyone)
/export/sapmnt/NP1      (everyone)
/export/informix/NP1    (everyone)
/export/interfacesNP1   (everyone)
/export/interfsrcNP1    (everyone)

Protection / Countermeasure
- Shared resource access should be restricted to SAP related systems and users only.
Vulnerability Assessment Phase
Analyzing the discovered components
SAP Default Users
- There is public information regarding the existence of default SAP user accounts.
- Many of these accounts are configured with high privileged profiles.

User ID     Description                       Clients          Password
SAP*        Super user                        000, 001, 066    06071992
                                              new clients      PASS
DDIC        ABAP Dictionary super user        000, 001         19920706
EARLYWATCH  User for the EarlyWatch Service   066              SUPPORT
SAPCPIC     Communication User                000, 001         ADMIN

Protection / Countermeasure
- Default users must be secured. SAP* should be deactivated.
- Use report RSUSR003 to check the status of default users.
SAP User Account Bruteforcing
- Usernames are up to 12 characters long.
- As part of the PenTest, you can try guessing/cracking user credentials.

                          Max. Length   Case
Old Passwords (<= 6.40)   8             Insensitive
New Passwords (> 6.40)    40            Sensitive

- WARNING! User locking is implemented! (usually, between 3-12 tries)
- Oops! In versions 6.20, the lock counter is not incremented through RFC.
- sapyto's bruteLogin plugin can work in different modes:
  - Try default users only and SAP*:PASS in detected clients.
  - Specific credentials wordlist.
  - Username and Password wordlists.
Getting Credentials from the Wire: RFC Sniffing
- RFC (Remote Function Call) is the most widely used interface in the SAP world.
- In order for a system to connect through RFC, it must provide login information for the remote system.
- RFC is clear-text, but you won't be able to see the password in the wire: the password is obfuscated!
  -> Use sapyto's getPassword plugin...

01a0  00 00 00 00 00 00 06 05 14 00 10 5f 22 ea 45 5e  ..........._".E^
01b0  22 c5 10 e1 00 00 00 c0 a8 02 8b 05 14 01 30 00  ".............0.
01c0  0a 72 66 63 5f 73 65 72 76 65 72 01 30 01 11 00  .rfc_server.0...
01d0  06 42 43 55 53 45 52 01 11 01 17 00 0b 81 bb 89  .BCUSER.........
01e0  62 fc b5 3e 70 07 6e 79 01 17 01 14 00 03 30 30  b..?w.oy......00
01f0  30 01 14 01 15 00 01 45 01 15 05 01 00 01 01 05  0......E........
0200  01 05 02 00 00 05 02 00 0b 00 03 36 34 30 00 0b  ...........640..
0210  01 02 00 0e 5a 43 55 53 54 5f 47 45 54 4d 4f 4e  ....ZCUST_GETMON
0220  45 59 01 02 05 14 00 10 5f 22 ea 45 5e 22 c5 10  EY......_".E^"..
0230  e1 00 00 00 c0 a8 02 8b 05 14 02 01 00 09 43 4c  ..............CL
0240  49 45 4e 54 5f 49 44 02 01 02 03 00 08 43 55 53  IENT_ID......CUS
0250  54 30 30 31 00 02 03 ff ff 00 00 ff ff 00 00 01  T001............
0260  c7 00 00 3e 80                                   ...>.

  for CHAR in CLEAR_TEXT_PASS:
      OBFUSCATED_PASS[i] = CHAR XOR KEY[i]

Protection / Countermeasure
- Enable SNC, protecting the confidentiality and integrity of the traffic.
Analysis of the RFC Interface
- RFC Communication is done through the Gateway Service.
- The GW can connect with external RFC servers:
  - Registered Servers: The external system registers to the GW under a Program ID.
  - Started Servers: The GW connects to a remote system and starts a program (trust?)
- By exploiting Registered Servers caveats, it may be possible to obtain confidential information, cause DoS, and perform RFC MITM and callback attacks.
- By exploiting Started Servers vulnerabilities, it may be possible to obtain remote code execution on misconfigured Application Servers.
(check the "Attacking the Giants: Exploiting SAP Internals" white-paper)
Exploitation Phase
Getting access and beyond
But why do we need Exploitation anyway?
- Vulnerability Assessment reports enumerate discovered vulnerabilities with the associated risk estimate.
- A security aware individual would easily see the problems. But what about the people from the Financial areas?
- For them to get involved, they need to see the facts! You must show them how their information can be compromised -> screenshots, live demos.
- Vulnerability Assessments are 2D; Exploitation adds a new Dimension.
SAP Password Considerations & Cracking
- SAP has implemented different password hashing mechanisms.
- Password hashes are stored in table USR02 (BCODE, PASSCODE) and USH02.

Code Vers.  Description
A           Obsolete
B           Based on MD5, 8 characters, Uppercase, ASCII
C           Not implemented
D           Based on MD5, 8 characters, Uppercase, UTF-8
E           Reserved
F           Based on SHA1, 40 characters, Case Insensitive, UTF-8
G           Code Version F + Code Version B (2 hashes)

- On June 26, 2008, a patch for John The Ripper for CODVN B and F was published.

Protection / Countermeasure
- Access to tables USR02 and USH02 should be protected.
- Password security should be enforced through profile configuration (login/* parameters).
- Table USR40 can be used to protect from trivial passwords.
- For more information, refer to SAP Note 1237762.
Exploiting SAP/Oracle Authentication Mechanism
- Discovered by me in 2007. Discovered by Jochen Hein in 2003 (Doh!)
- Target: Default SAP/Oracle installations.

The SAP+Oracle Authentication Mechanism
- SAP connects to the database as the OPS$ user (e.g. OPS$<sid>adm).
- Retrieves user and password from table SAPUSER.
- Re-connects to the database, using the retrieved credentials.

- There is a special Oracle configuration parameter named REMOTE_OS_AUTHENT. If set to TRUE, Oracle trusts that the remote system has authenticated the user used for the SQL connection (!)
- The user is created as "identified externally" in the Oracle database.
- Oracle recommendation: remote_os_authent = false
- SAP default and necessary configuration: remote_os_authent = true
- What do you need? Database host/port. SAP System ID. Oracle Instance ID (= SAPSID?)

Protection / Countermeasure
- Restrict who can connect to the Oracle listener:
  tcp.validnode_checking = yes
  tcp.invited_nodes = (192.168.1.102, ...)
Exploiting Weak RFC Interface Security
- Possible in default configuration of SAP Systems.
- Allows for unauthenticated remote code execution.

Starting EXPLOIT plugins
---------------------------
weakRFC(target#1) {
  Creating new SHELL object...
  SHELL object created. ID: 536
} res: Ok

sapyto> shells
sapyto/shells> list
Shell ID: 536 [RFCShell]
  Target information:
    Connector: SAPRFC_EXT
    SAP Gateway Host: sapprd01
    SAP Gateway Service: 3300
    ...
    ...
sapyto/shells> start 536
Starting shell #536
RFCShell - Run commands through RFC.
The remote target OS is: Win.NET.
sapyto/shells/536> run whoami
Call successfull.
Command output:
prdadm
sapyto/shells/536>

Protection / Countermeasure
- Starting of External RFC Servers is controlled through the file specified by the gw/sec_info profile parameter.
- This file should exist and restrict access to allowed systems to start specific programs in the Application Servers.
- The gw/reg_info file protects Registered Servers and should be configured as well.
- For more information, refer to SAP Note 618516.
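The countermeasures on this slide and on the password slide (the login/* parameters, gw/sec_info and gw/reg_info) are all instance profile settings. As an added example, not sapyto's code and not from the original slides, this Python script parses a profile in its "key = value" layout and reports which of those settings are missing or weak. The parameter names are real SAP profile parameters; the two constructed profiles and the baseline thresholds are this example's own assumptions, not SAP's recommended values.

```python
from typing import Callable, Dict, List, Tuple

# Constructed profile text in the "key = value" layout of an SAP instance profile
# (not taken from a real system). The parameter names are real SAP profile
# parameters; the threshold values below are this example's own baseline.
WEAK_PROFILE = """
# constructed sample: the out-of-the-box state the slides warn about
SAPSYSTEMNAME = NP1
INSTANCE_NAME = DVEBMGS00
login/min_password_lng = 3
login/fails_to_user_lock = 99
login/password_downwards_compatibility = 1
login/no_automatic_user_sapstar = 0
"""

HARDENED_PROFILE = """
SAPSYSTEMNAME = NP1
INSTANCE_NAME = DVEBMGS00
login/min_password_lng = 8
login/fails_to_user_lock = 5
login/password_downwards_compatibility = 0
login/no_automatic_user_sapstar = 1
gw/sec_info = /usr/sap/NP1/DVEBMGS00/data/secinfo
gw/reg_info = /usr/sap/NP1/DVEBMGS00/data/reginfo
"""


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines; '#' starts a comment, blank lines are ignored."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        params[key] = value
    return params


# (parameter, predicate on its value, why it matters). A parameter that is not
# set at all is a finding too: the kernel default applies, and the talk's point
# is that default configurations are not secure.
BASELINE: List[Tuple[str, Callable[[str], bool], str]] = [
    ("login/min_password_lng", lambda v: int(v) >= 8,
     "short passwords fall to guessing and to the published CODVN B/F cracker"),
    ("login/fails_to_user_lock", lambda v: 1 <= int(v) <= 12,
     "lock counter should trigger within the 3-12 tries range seen in the field"),
    ("login/password_downwards_compatibility", lambda v: v == "0",
     "keeps the weak 8-char uppercase CODVN B hash next to CODVN F (CODVN G)"),
    ("login/no_automatic_user_sapstar", lambda v: v == "1",
     "SAP* should be deactivated; this also disables the automatic SAP* fallback"),
    ("gw/sec_info", lambda v: v != "",
     "secinfo file must exist to restrict who may start external RFC programs"),
    ("gw/reg_info", lambda v: v != "",
     "reginfo file must exist to restrict who may register external RFC servers"),
]


def audit_profile(text: str) -> List[str]:
    """Return one finding per baseline parameter that is missing or out of range."""
    params = parse_profile(text)
    findings: List[str] = []
    for name, ok, reason in BASELINE:
        value = params.get(name)
        if value is None:
            findings.append(f"{name}: not set, kernel default applies: {reason}")
            continue
        try:
            passed = ok(value)
        except ValueError:      # non-numeric value where a number is expected
            passed = False
        if not passed:
            findings.append(f"{name} = {value}: {reason}")
    return findings


if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        result = audit_profile(profile)
        print(f"{label} profile: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```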
Case Study: SAProuter Security Assessment
SAProuter Introduction
- SAProuter is an SAP program working as a proxy, which analyzes connections between SAP systems and between SAP systems and external networks.

Typical SAProuter Architecture (diagram; labels: Internet, External User, Border FW, SAProuter, Internal Network, DEV, QAS, PRD, IntraWeb, SSH Server, Mainframe, Internal Users, Other Internal Systems)
SAProuter Introduction (cont.)
- If SAProuter is in place, clients have to specify a route string to connect:
  /H/saprouter/S/3299/H/sapprd1/S/3200
- Access is controlled through an ACL file called Route Permission Table.
- Entry format: P/S/D src_host dst_host dst_port pwd
- First-match criteria. If no match, deny connection.
The Route Permission Table
Route Permission Table Example:
  D  host1        host2     serviceX
  P  192.168.1.*  host2     *
  S  10.1.*.*     10.1.2.*  *         pass123
  D  *            *         *

Route Permission Table in the real life:
  D  host1        host2     serviceX
  P  192.168.1.*  host2     *
  S  10.1.*.*     10.1.2.*  *         pass123
  P  *            *         *
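As an added example (not sapyto's code and not from the original slides), the following Python evaluates a Route Permission Table with the first-match / default-deny semantics described above and flags the wildcard entries the talk warns about, using the two tables from this slide. Treating 'S' entries as SAP-protocol-only and the '/P/password' route token follow SAP's saprouttab documentation and are assumptions of this example.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple

# The slide's "example" table, and the "real life" one whose last line is P instead of D.
EXAMPLE_TABLE = """
D host1        host2     serviceX
P 192.168.1.*  host2     *
S 10.1.*.*     10.1.2.*  *         pass123
D *            *         *
"""
REAL_LIFE_TABLE = EXAMPLE_TABLE.replace("\nD *", "\nP *")


@dataclass
class Entry:
    action: str                     # 'P' permit, 'S' SAP protocol only, 'D' deny
    src: str                        # source host pattern ('*' / '?' wildcards)
    dst: str                        # destination host pattern
    port: str                       # destination port or service name pattern
    password: Optional[str] = None  # password the route string must carry, if any


def parse_table(text: str) -> List[Entry]:
    """Parse 'P/S/D src_host dst_host dst_port [pwd]' lines; '#' starts a comment."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] not in ("P", "S", "D") or len(fields) not in (4, 5):
            raise ValueError(f"malformed saprouttab line: {raw!r}")
        entries.append(Entry(*fields))
    return entries


def parse_route(route: str) -> List[Tuple[str, str, Optional[str]]]:
    """'/H/host/S/port/P/pwd/...' -> [(host, port, pwd), ...]; port defaults to 3299."""
    tokens = route.strip("/").split("/")
    hops: List[Tuple[str, str, Optional[str]]] = []
    i = 0
    while i < len(tokens):
        if tokens[i] != "H" or i + 1 >= len(tokens):
            raise ValueError(f"bad route string: {route!r}")
        host, port, pwd = tokens[i + 1], "3299", None
        i += 2
        while i + 1 < len(tokens) and tokens[i] in ("S", "P"):
            if tokens[i] == "S":
                port = tokens[i + 1]
            else:
                pwd = tokens[i + 1]
            i += 2
        hops.append((host, port, pwd))
    return hops


def decide(table: List[Entry], client_host: str, route: str, native: bool = False) -> str:
    """First matching entry wins; no match means deny. hops[0] is this saprouter,
    hops[1] the destination it is asked to open for client_host."""
    hops = parse_route(route)
    if len(hops) < 2:
        return "deny (no next hop in route)"
    dst_host, dst_port, pwd = hops[1]
    for e in table:
        if (fnmatchcase(client_host, e.src) and fnmatchcase(dst_host, e.dst)
                and fnmatchcase(dst_port, e.port)
                and (e.password is None or e.password == pwd)):
            if e.action == "D":
                return "deny"
            if e.action == "S" and native:   # assumption: 'S' = SAP protocol only
                return "deny (S entry: SAP protocol only)"
            return "permit"
    return "deny (no matching entry)"


def audit(table: List[Entry]) -> List[str]:
    """Flag permitting entries that use wildcards, and a catch-all that shadows later lines."""
    findings = []
    for n, e in enumerate(table, 1):
        if e.action != "D" and "*" in (e.src + e.dst + e.port):
            findings.append(f"line {n}: {e.action} {e.src} {e.dst} {e.port} uses wildcards")
        if (e.src, e.dst, e.port) == ("*", "*", "*") and n < len(table):
            findings.append(f"line {n}: catch-all shadows {len(table) - n} later line(s)")
    return findings
```

With the "real life" table, decide() permits the route from the previous slide to sapprd1:3200 from any source, which the "example" table denies; audit() reports the trailing permit-all as a wildcard entry.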
SAProuter Security Assessment with sapyto
- The saprouterSpy plugin performs an Internal Network port-scan.
- It discovers new targets through SAProuter and configures them for auditing by other plugins.
SAProuter Security Assessment: sapytoAgents
- Native Routing: SAProuter also supports the routing of native protocols. Useful for remote administration of Operating Systems, DB, etc. Certain limitations apply.
- The saprouterAgent plugin deploys a sapytoAgent, which can be used to proxy native connections (HTTP, SSH, Telnet, etc.) to internal systems.
SAProuter: Protection / Countermeasure
- SAProuter should be implemented in a separate DMZ.
- Use VPNs and/or restrict connections at the border Firewall.
- The Route Permission Table should restrict access only to allowed parties, to specific targets and ports.
- Entries containing wildcards (*) are discouraged and should be carefully analyzed.
- SNC should be required.
Conclusions
Wrapping up
Conclusions
- It's impossible to cover all the activities of an SAP Pentest in a one hour talk!
- SAP systems deal with sensitive business information and processes. The integrity, confidentiality and availability of this information is critical.
- SAP systems security is often overlooked during the implementation phase, in order to avoid business delays.
- SAP security is much more than User Roles/Profiles and Authorizations!
- By default, some configurations would expose the systems to high risk threats.
- SAP provides many ways to secure systems and communications. Administrators should enable security settings as soon as possible.
- Pentesting your SAP systems will let you know the current security level of your implementation (and show your managers why you need resources to secure it :P)
- CYBSEC's sapyto supports activities of all phases of the project.
- SAP Penetration Tests should be carried out in controlled environments, performed by qualified experts in the subject.
References
- Attacking the Giants: Exploiting SAP Internals (White-paper): http://www.cybsec.com/upload/bh-eu-07-nunez-di-croce-WP_paper.pdf
- John The Ripper Patch for SAP hashes: http://marc.info/?l=john-users&m=121444075820309&w=2
- sapyto: http://www.cybsec.com/EN/research/sapyto.php
- CYBSEC's SAP Security Services: http://www.cybsec.com/EN/services/SAP_security.php
- SAP Note 931252 - Security Note: Authority Check for Function Group SRFC.
- SAP Note 618516 - Security-related enhancement of RFCEXEC program.
- SAP Note 1237762 - ABAP systems: Protection against password hash attacks.
Questions?

Thank you!
www.cybsec.com