
Top 10 most interesting vulnerabilities and attacks in SAP

Date posted: 16-Aug-2015
Transcript:
  1. Invest in security to secure investments
      Top 10 most interesting SAP vulnerabilities and attacks
      Alexander Polyakov, CTO at ERPScan

  2. About ERPScan
      - The only 360-degree SAP security solution: ERPScan Security Monitoring Suite for SAP
      - Leader by the number of acknowledgements from SAP (150+)
      - 60+ presentations at key security conferences worldwide
      - 25 awards and nominations
      - Research team: 20 experts with experience in different areas of security
      - Headquarters in Palo Alto (US) and Amsterdam (EU)

  3. What is SAP?
      Shut up And Pay

  4. Really
      - The most popular business application
      - More than 120000 customers
      - 74% of Forbes 500

  5. Agenda
      - Intro
      - SAP security history
      - SAP on the Internet
      - Top 10 latest interesting attacks
      - DEMOs
      - Conclusion

  6. 3 areas of SAP security
      - 2010: Application platform security. Prevents unauthorized access by both insiders and remote attackers. Solution: vulnerability assessment and monitoring.
      - 2008: ABAP code security. Prevents attacks or mistakes made by developers. Solution: code audit.
      - 2002: Business logic security (SOD). Prevents attacks or mistakes made ... Solution: GRC.

  7. Talks about SAP security
      [Chart: number of talks about SAP security per year, 2006-2012]
      Most popular: BlackHat, HITB, Troopers, RSA, Source, DeepSec etc.

  8. SAP Security notes
      [Chart: number of SAP Security notes per year, 2001-2012]
      By April 26, 2012, a total of 2026 notes

  9. SAP vulnerabilities by type
      [Chart: count per vulnerability type; stats from 4Q2009, 1Q2010 and 1Q2012]
      1 - Directory traversal
      2 - XSS / Unauthorised modification of stored ...
      3 - Missing auth check
      4 - Information disclosure
      5 - Unauthorized usage of application
      6 - Hard-coded credentials
      7 - Code injection vulnerability
      8 - Verb tampering
      9 - Remote code execution
      10 - Denial of service
      11 - BOF
      12 - SQL Inj

  10. SAP on the Internet
      - We have collected data about SAP systems on the WEB
      - Have various stats by countries, applications, versions
      - Information from Google, Shodan, Nmap scan
      - MYTH: attacks on SAP systems are available only to insiders

  11. SAP on the Internet
      About 5000 systems, including Dispatcher, Message server, SapHostcontrol, Web services

  12. SAP on the Internet
      [Image only]

  13. Top 10 vulnerabilities 2011-2012
      1. Authentication bypass via Verb tampering
      2. Authentication bypass via the Invoker servlet
      3. Buffer overflow in ABAP Kernel
      4. Code execution via TH_GREP
      5. MMC read SESSIONID
      6. Remote portscan
      7. Encryption in SAPGUI
      8. BAPI XSS / SMBRELAY
      9. XML Blowup DOS
      10. GUI Scripting DOS

  14. 10 GUI Scripting DOS: Description
      - SAP users can run scripts which automate their user functions
      - A script has the same rights in SAP as the user who launched it
      - The security message which is shown to the user can be turned off in the registry
      - Almost any user can use SAP Messages (SM02 transaction)
      - It is possible to run a DOS attack on any user using a simple script
      New. Author: Dmitry Chastukhin (ERPScan)

  15. 10 GUI scripting: Other attacks
      Script can be uploaded using:
      - SAPGUI ActiveX vulnerability
      - Teensy USB flash
      - Any other method of client exploitation
      Other attacks, like changing banking accounts in LFBK, are also possible

  16. 10 GUI scripting: Business risks
      Sabotage: High. Ease of exploitation: Medium. Espionage: No. Fraud: No.

  17. 10 GUI scripting: Prevention
      - SAP GUI Scripting Security Guide
      - sapgui/user_scripting=FALSE
      - Block registry modification on workstations

  18. 9 XML Blowup DOS: Description
      - WEBRFC interface can be used to run RFC functions
      - By default any user can have access, even without S_RFC auth
      - SAP NetWeaver is vulnerable to malformed XML packets
      - It is possible to run a DOS attack on the server using a simple script
      - It is possible to run it over the Internet!
      New. Author: Alexey Tyurin (ERPScan)

  19. 9 XML Blowup DOS: Demo
      [Demo slide]

  20. 9 XML Blowup DOS: Business risks
      Ease of exploitation: Medium. Espionage: No. Fraud: No. Sabotage: Critical.

  21. 9 XML Blowup DOS: Prevention
      - Disable WEBRFC
      - Prevent unauthorized access to WEBRFC using S_ICF
      - Install SAP notes 1543318 and 1469549
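Slides 18-21 only say that NetWeaver is vulnerable to malformed XML packets and that WEBRFC should be disabled or restricted. The guard below is an added example, not SAP code or the authors' script; it assumes the "blowup" is of the entity-expansion or deep-nesting kind (the slides do not spell out the mechanism) and shows the kind of pre-parse check an RFC-over-HTTP front end can apply before a payload reaches the real XML parser. All sample payloads, limits and names are constructed.

```python
"""Pre-parse guard for XML payloads (added example, not SAP code).

A DTD is where entity declarations live, so rejecting DOCTYPE up front means
an expansion bomb is never expanded; nesting is bounded during a streaming
parse so a deeply nested document is cut off instead of exhausting the stack.
"""
import io
import re
import xml.etree.ElementTree as ET

MAX_BYTES = 64 * 1024   # constructed limit for a small RFC request body
MAX_DEPTH = 32          # constructed element nesting cap

DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


def check_xml(payload: bytes):
    """Return (True, "ok") when the payload passes, else (False, reason)."""
    if len(payload) > MAX_BYTES:
        return False, f"payload too large: {len(payload)} bytes"
    if DOCTYPE_RE.search(payload):
        return False, "DOCTYPE/DTD not allowed (entity expansion risk)"
    depth = 0
    try:
        # Streaming parse: we see each start/end tag before the document is
        # fully built, so we can stop as soon as the depth cap is crossed.
        for event, _elem in ET.iterparse(io.BytesIO(payload), events=("start", "end")):
            if event == "start":
                depth += 1
                if depth > MAX_DEPTH:
                    return False, f"nesting deeper than {MAX_DEPTH}"
            else:
                depth -= 1
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    return True, "ok"


# Constructed sample payloads.
GOOD = b'<?xml version="1.0"?><rfc><function>RFC_PING</function></rfc>'
ENTITY_BOMB = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>"""
DEEP = b"<a>" * 40 + b"</a>" * 40
BROKEN = b"<rfc><function>RFC_PING</rfc>"

if __name__ == "__main__":
    for name, doc in [("GOOD", GOOD), ("ENTITY_BOMB", ENTITY_BOMB),
                      ("DEEP", DEEP), ("BROKEN", BROKEN)]:
        print(name, check_xml(doc))
```

The three-level entity sample is deliberately tiny; the point is that it is refused on the DOCTYPE check alone, before any expansion could happen. A size cap on its own is not enough, since a few hundred bytes of nested entities expand to gigabytes.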
  22. 8 BAPI script injection / hash stealing: Description
      - SAP BAPI transaction fails to properly sanitize input
      - Possible to inject JavaScript code or a link to a fake SMB server
      - SAP GUI clients use Windows, so their credentials will be transferred to the attacker's host
      Author: Dmitry Chastukhin (ERPScan)

  23. 8 BAPI script injection / hash stealing: Demo
      [Demo slide] New

  24. 8 BAPI script injection / hash stealing: Business risks
      Ease of exploitation: Low. Sabotage: High. Espionage: High. Fraud: High.

  25. 7 SAPGUI bad encryption: Description
      - SAP FrontEnd can save encrypted passwords in shortcuts
      - Shortcuts are stored in a .sap file
      - The password uses a byte-XOR algorithm with a secret key
      - The key has the same value for every installation of SAPGUI
      - Any password can be decrypted in 1 second
      New. Author: Alexey Sintsov (ERPScan)

  26. 7 SAPGUI bad encryption: Business risks
      Sabotage: Medium. Fraud: High. Espionage: High. Ease of exploitation: Medium.

  27. 7 SAPGUI bad encryption: Prevention
      - Disable password storage in GUI

  28. 6 Remote portscan via JSP: Description
      - It is possible to scan the internal network from the Internet
      - Authentication is not required
      - SAP NetWeaver J2EE engine is vulnerable
      /ipcpricing/ui/BufferOverview.jsp?server=172.16.0.13&port=31337&password=&dispatcher=&targetClient=&view=
      Author: Alexander Polyakov (ERPScan)

  29. 6 Remote portscan via JSP: Demo
      [Screenshots: port closed, HTTP port, SAP port]

  30. 6 Remote portscan via JSP: Business risks
      Espionage: Medium. Fraud: No. Ease of exploitation: High. Sabotage: Low.

  31. 6 Remote portscan via JSP: Prevention
      - Install SAP notes: 1548548, 1545883, 1503856, 948851, 1545883
      - Disable unnecessary applications
  32. 5 MMC JSESSIONID stealing: Description
      - Remote management of SAP Platform
      - By default, many commands go without auth
      - Exploits implemented in Metasploit (by Chris John Riley)
      - Most of the bugs are information disclosure
      - It is possible to find information about JSESSIONID, but only if trace is ON
      - Can be authenticated as an existing user remotely
      1) Original bug by Chris John Riley
      2) JSESSIONID by Alexey Sintsov and Alexey Tyurin (ERPScan)
      New

  33. 5 MMC JSESSIONID stealing: Business risks
      Espionage: Critical. Sabotage: Medium. Fraud: High. Ease of exploitation: Medium.

  34. 5 MMC JSESSIONID stealing: Prevention
      - The JSESSIONID by default will not be logged in the log file
      - Don't use TRACE_LEVEL=3 on production systems, or delete traces after use
      - Other info: http://help.sap.com/saphelp_nwpi71/helpdata/en/d6/49543b1e49bc1fe10000000a114084/frameset.htm

  35. 4 Remote command execution in TH_GREP: Description
      - RCE vulnerability in RFC module TH_GREP
      - Found by Joris van de Vis
      - SAP was not properly patched (1433101)
      - We have discovered that the patch can be bypassed on Windows
      Original bug by Joris van de Vis (erp-sec). Bypass by Alexey Tyurin (ERPScan)

  36. 4 RCE in TH_GREP: Details
      ABAP fragment shown on the slide (line numbers as on the slide):

          elseif opsys = 'Windows NT'.
            concatenate '/c:"' string '"' filename into grep_params in character mode.
          else. /* if linux */
          /*185*/  replace all occurrences of '''' in local_string with '''"''"'''.
          /*186*/  concatenate '''' local_string '''' filename into grep_params
          /*187*/    in character mode.
          /*188*/ endif.

  37. 4 RCE in TH_GREP: Demo #1
      [Demo slide]

  38. 4 RCE in TH_GREP: More details
      4 ways to execute the vulnerable program:
      - Using transaction SE37
      - Using transaction SM51 (thanks to Felix Granados)
      - Using remote RFC call TH_GREP
      - Using SOAP RFC call TH_GREP via web

  39. 4 RCE in TH_GREP: Demo #2
      [Demo slide]

  40. 4 RCE in TH_GREP: Business risks
      Sabotage: Medium. Fraud: High. Espionage: High. Ease of exploitation: Medium.

  41. 4 RCE in TH_GREP: Prevention
      - Install SAP notes 1580017, 1433101
      - Prevent access to critical transactions and RFC functions
      - Check the ABAP code of your Z-transactions for similar vulnerabilities
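The ABAP fragment on slide 36 shows the two things a reviewer of Z-code should look for when a program hands user input to a shell: on the Linux branch every embedded single quote is rewritten as '"'"' and the value is wrapped in single quotes, while the Windows branch only wraps the value in double quotes. The code below is an added example in Python, not SAP's ABAP: quote_posix() reproduces the Linux-branch escaping so it can be checked against a real shell tokenizer, and build_grep_argv() shows the alternative the prevention slide points towards, passing arguments as a vector so no shell interprets them at all. Function names are the example's own.

```python
"""Shell-argument handling of the kind TH_GREP needed (added example, not SAP code)."""
import shlex
import subprocess


def quote_posix(value: str) -> str:
    """Mirror the ABAP Linux branch: wrap in single quotes, turning each embedded
    single quote into '"'"' (close quote, double-quoted quote, reopen quote)."""
    return "'" + value.replace("'", "'\"'\"'") + "'"


def is_single_shell_token(quoted: str) -> bool:
    """True if a POSIX shell tokenizer sees exactly one word in `quoted`.
    This is the property the escaping must preserve for any input."""
    return len(shlex.split(quoted)) == 1


def roundtrips(value: str) -> bool:
    """True if quoting then shell-splitting gives back the original value unchanged."""
    return shlex.split(quote_posix(value)) == [value]


def build_grep_argv(pattern: str, filename: str) -> list:
    """Argument vector for grep. With a vector there is no shell and therefore
    nothing to quote; '--' stops a pattern starting with '-' being read as an option."""
    if "\x00" in pattern or "\x00" in filename:
        raise ValueError("NUL byte in argument")
    return ["grep", "--", pattern, filename]


def run_grep(pattern: str, filename: str) -> subprocess.CompletedProcess:
    # subprocess.run with a list and shell=False (the default) never invokes /bin/sh.
    return subprocess.run(build_grep_argv(pattern, filename),
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    for sample in ["plain", "it's", 'say "hi"', "a b; c"]:
        print(repr(sample), "->", quote_posix(sample), "single token:",
              is_single_shell_token(quote_posix(sample)), "roundtrip:", roundtrips(sample))
    print(build_grep_argv("-needle", "/var/log/constructed.log"))
```

The standard library's shlex.quote() produces equivalent POSIX quoting, so in new code there is no reason to hand-roll it; the hand-rolled version is here only to match the slide's ABAP line for line. The per-platform escaping problem the slide illustrates disappears entirely with the argv form, which is why a code review should prefer it to any string concatenation into a command line.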
  42. 3 ABAP Kernel BOF: Description
      - Presented by Andreas Wiegenstein at BlackHat EU 2011
      - Buffer overflow in SAP kernel function C_SAPGPARAM when the NAME field is more than 108 chars
      - Can be exploited by calling an FM which uses C_SAPGPARAM
      - Example: report RSPO_R_SAPGPARAM
      Author: (Virtual Forge)

  43. 3 ABAP Kernel BOF: Business risks
      Espionage: Critical. Ease of exploitation: Medium. Fraud: Critical. Sabotage: Critical.

  44. 3 ABAP Kernel BOF: Prevention
      - Install SAP notes:
        - 1493516 Correcting buffer overflow in ABAP system call
        - 1487330 Potential remote code execution in SAP Kernel
      - Prevent access to critical transactions and RFC functions
      - Check the ABAP code of your Z-transactions for critical calls

  45. 2 Invoker Servlet: Description
      - Rapidly calls servlets by their class name
      - Published by SAP in their security guides
      - Possible to call any servlet from the application, even if it is not declared in WEB.XML
      - Can be used for auth bypass

  46. 2 Invoker Servlet: Details
      web.xml fragment from the slide:

          <servlet>
            <servlet-name>CriticalAction</servlet-name>
            <servlet-class>com.sap.admin.Critical.Action</servlet-class>
          </servlet>
          <servlet-mapping>
            <servlet-name>CriticalAction</servlet-name>
            <url-pattern>/admin/critical</url-pattern>
          </servlet-mapping>
          <security-constraint>
            <web-resource-collection>
              <web-resource-name>Restricted access</web-resource-name>
              <url-pattern>/admin/*</url-pattern>
              <http-method>GET</http-method>
            </web-resource-collection>
            <auth-constraint>
              <role-name>admin</role-name>
            </auth-constraint>
          </security-constraint>

      What if we call /servlet/com.sap.admin.Critical.Action?
      Author: Dmitry Chastukhin (ERPScan)

  47. 2 Invoker servlet: Business risks
      Ease of use: Very easy! Espionage: High. Sabotage: High. Fraud: High.

  48. 2 Invoker servlet: Prevention
      - Update to the latest patch: 1467771, 1445998
      - The EnableInvokerServletGlobally property of servlet_jsp must be false
      - If you can't install patches for some reason, you can check all WEB.XML files using the ERPScan web.xml scanner or manually

  49. 1 VERB Tampering
      [Section title slide]

  50. 1st place: Verb Tampering
      web.xml fragment from the slide:

          <security-constraint>
            <web-resource-collection>
              <web-resource-name>Restricted access</web-resource-name>
              <url-pattern>/admin/*</url-pattern>
              <http-method>GET</http-method>
            </web-resource-collection>
            <auth-constraint>
              <role-name>admin</role-name>
            </auth-constraint>
          </security-constraint>

      What if we use HEAD instead of GET?
      Author: Alexander Polyakov (ERPScan)

  51. 1 Verb tampering: Details
      Remotely, without authentication!
      - CTC: secret interface for managing the J2EE engine
      - Can be accessed remotely
      - Can run user management actions: add users, add to groups, run OS commands, start/stop J2EE

  52. 1 Verb tampering: Demo
      [Demo slide]

  53. 1 Verb tampering: More details
      If patched, can be bypassed by the Invoker servlet!

  54. 1 Verb tampering: Business risks
      Espionage: Critical. Sabotage: Critical. Fraud: Critical. Ease of use: Very easy!

  55. 1st place Verb tampering: Prevention
      - Install SAP notes 1503579, 1616259
      - Install other SAP notes about Verb Tampering (about 18)
      - Scan applications using the ERPScan WEB.XML check tool or manually
      - Secure WEB.XML by deleting all ...
      - Disable the applications that are not necessary
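Slides 45-50 and 55 come down to two properties of a web.xml: a security-constraint that lists http-method elements restricts only those verbs, so HEAD (or any other verb) on the same URL pattern is not covered; and a servlet protected under its mapped path is still reachable as /servlet/<class-name> if the invoker servlet is enabled and no constraint covers that path. The audit below is an added example, not the ERPScan web.xml scanner the slides mention: it parses a constructed descriptor built from the values on the slides, reports both findings, and is then run over a corrected descriptor (http-method removed, /servlet/* added to the constraint) to show that both findings disappear. Element names follow the standard Java servlet deployment descriptor; the function names are the example's own.

```python
"""Audit a web.xml for verb-tampering and invoker-servlet exposure (added example)."""
import xml.etree.ElementTree as ET

# Constructed descriptor with the values from the slides: the /admin/* constraint
# is limited to GET, and the admin servlet's class is not protected under /servlet/.
SAMPLE_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>CriticalAction</servlet-name>
    <servlet-class>com.sap.admin.Critical.Action</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>CriticalAction</servlet-name>
    <url-pattern>/admin/critical</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restricted access</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

# Corrected descriptor: no http-method (so every verb is restricted) and the
# invoker path space is covered by the same constraint.
FIXED_WEB_XML = SAMPLE_WEB_XML.replace(
    "      <http-method>GET</http-method>\n", ""
).replace(
    "<url-pattern>/admin/*</url-pattern>",
    "<url-pattern>/admin/*</url-pattern>\n      <url-pattern>/servlet/*</url-pattern>",
)


def matches_pattern(pattern, path):
    """Servlet-spec URL matching: exact, path prefix ('/x/*') or extension ('*.ext')."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def parse_constraints(root):
    """Return [(name, [url-patterns], [http-methods])] for constraints that carry an auth-constraint."""
    out = []
    for sc in root.iter("security-constraint"):
        if sc.find("auth-constraint") is None:
            continue
        for wrc in sc.findall("web-resource-collection"):
            name = wrc.findtext("web-resource-name", default="").strip()
            patterns = [e.text.strip() for e in wrc.findall("url-pattern")]
            methods = [e.text.strip().upper() for e in wrc.findall("http-method")]
            out.append((name, patterns, methods))
    return out


def audit_web_xml(xml_text):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    constraints = parse_constraints(root)
    all_patterns = [p for _name, ps, _ms in constraints for p in ps]
    findings = []

    # 1. Verb tampering: naming http-methods leaves every other verb unrestricted.
    for name, patterns, methods in constraints:
        if methods:
            findings.append(f"verb-tampering: constraint '{name}' on {patterns} only covers "
                            f"{methods}; drop the http-method elements so all verbs are restricted")

    # 2. Invoker servlet: the mapped path is protected but /servlet/<class> is not.
    classes = {s.findtext("servlet-name"): s.findtext("servlet-class") for s in root.iter("servlet")}
    for m in root.iter("servlet-mapping"):
        mapped = m.findtext("url-pattern").strip()
        invoker_path = f"/servlet/{classes.get(m.findtext('servlet-name'), '')}"
        protected_mapped = any(matches_pattern(p, mapped) for p in all_patterns)
        protected_invoker = any(matches_pattern(p, invoker_path) for p in all_patterns)
        if protected_mapped and not protected_invoker:
            findings.append(f"invoker-servlet: {mapped} is protected but {invoker_path} is not; "
                            f"keep EnableInvokerServletGlobally=false or constrain /servlet/*")
    return findings


if __name__ == "__main__":
    print("original:", *audit_web_xml(SAMPLE_WEB_XML), sep="\n  ")
    print("fixed:", audit_web_xml(FIXED_WEB_XML))
```

The second check is only a safety net for the configuration fix the slide gives (EnableInvokerServletGlobally set to false); with the invoker disabled the /servlet/ path space does not exist, but constraining it as well means a later change to that property does not silently reopen the bypass.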
  56. Conclusion
      - It is possible to be protected from almost all those kinds of issues, and we are working hard with SAP to make it secure
      - SAP Guides
      - It's all in your hands:
        - Regular security assessments
        - ABAP code review
        - Monitoring technical security
        - Segregation of Duties

  57. Future work
      Many of the researched things cannot be disclosed now because of our good relationship with the SAP Security Response Team, whom I would like to thank for cooperation. However, if you want to see new demos and 0-days, [email protected] attend the future presentations:
      - PHDays in May (Moscow)
      - Just4Meeting in July (Portugal)
      - BlackHat USA in July (Las Vegas)

  58. Greetz to our crew who helped: Dmitriy Evdokimov, Alexey Sintsov, Alexey Tyurin, Pavel Kuzmin, Evgeniy Neelov.
      web: www.erpscan.com
      e-mail: [email protected] [email protected]
      Twitter: @erpscan @sh2kerr