Yvan ‘iggy’ GENUER
SAP : ALL YOUR $$ ARE BELONG TO US
SAP Security overview
Securimag - 22/01/2015
AGENDA
● /whois me ?
● /wtf is SAP (‘functionally’)
● /wtf is SAP (‘technically’)
● /SAP and Security
● /attack SAP
● /demo
● /links - sources
/WHOIS ME ?
● Not a security expert
● But an SAP expert with some security skills
● 12 years of experience in SAP
● Last 2 years in SAP Security (audit, pentest, recommendations, etc.)
● Many customers, projects, blablabla
WTF IS SAP ?
/WTF IS SAP ?
● Leader, expensive, complex
● More than 200,000 companies run SAP in 120 countries
● SAP customers :
- Transport -> 1 billion flight passengers per year
- Produce -> 65% of all TVs
- Produce -> 77.000 cars per day
- And…
● ERP
● 72% of the world-wide beers are produced by companies running SAP !
Source : Virtual Forge GmbH
WTF IS SAP (TECHNICALLY)
/WTF IS SAP (TECHNICALLY ?)
● Example for a standard SAP ABAP NetWeaver 7.40 ERP 6.0
● Vocabulary...
- ABAP : Advanced Business Application Programming
- FM : Function Module (in ABAP)
- Report : ABAP program
- SID : System IDentifier
- Client ('mandant') : organizational unit in SAP, used to separate business objects
- Transaction : 'alias' to launch reports directly
- Tables : ~80.000 (~100.000 indexes)
- Programs : ~35.000
- Params : ~1.500
- DB size (just after installation) : ~80 GB
/WTF IS SAP (TECHNICALLY ?)
● Supported databases
● Supported OS
/WTF IS SAP (TECHNICALLY ?)
● SAP classical architecture
SAP AND SECURITY
/SAP AND SECURITY
● SAP Security Notes : 3000+ since 2009
/SAP AND SECURITY
● Complexity
- Security doesn't like complexity... SAP can be very complex, with many interfaces on different platforms. Vulnerabilities at all levels, from network to application.
● Risky
- SAP stores critical information and runs critical business flows. Patching or changing something can be very risky. 'You take the risk ?'
● Customization
- Companies can customize their SAP systems. The more SAP is customized, the more securing it becomes a nightmare.
/SAP AND SECURITY
● Root is not the goal
- The flag is : access to sensitive business data or critical flows
● Training
- Dangerous for business
- Creating a test lab is a big investment
- SAP is not taught in school
- Frameworks (msf, bizploit)
- SAP offers security training courses... for 'only' $5.000 (5 days).
ATTACK SAP
/ATTACK SAP
● Target ?
/ATTACK SAP
● Myth : "SAP isn't connected to the internet"
● Google, shodan... sapscan.com !
/ATTACK SAP
● Issues ranking - from the EAS-SEC Project (open security project)
   Critical issue                          Access         Severity  Simplicity
1. Patch management flaws                  Anonymous      High      Easy
2. Default passwords                       Anonymous      High      Easy
3. Unnecessary functionality               Anonymous      High      Easy
4. Open remote management interface        Anonymous      High      Medium
5. Insecure settings                       Anonymous      Medium    Medium
6. Unencrypted connections                 Anonymous      Medium    Medium
7. Access control and SOD conflicts        User           High      Medium
8. Insecure trusted connections            User           High      Easy
9. Security events logging                 Administrator  High      Medium
/ATTACK SAP - PATCH MANAGEMENT FLAWS
● SAP Security Notes (patches)
● SAP component updates
● SAP kernel updates
● The change process can be very long in big companies
- A zero day is useless
- Using the last 6 months of public bugs is enough
/ATTACK SAP – DEFAULT PASSWORD
● One of the biggest mistakes in SAP systems...
How ?
HOW is it possible !!??
/ATTACK SAP – DEFAULT PASSWORD
● Not one or two but at least 5 default users are created in every SAP system after a fresh installation.
USER        Password                    Client
SAP*        06071992, PASS              000, 001, 066, <all new clients>
DDIC        19920706, SAP4ALL, change   000, 001, <all new clients>
EARLYWATCH  SUPPORT                     066
SAPCPIC     admin                       000, 001
TMSADM      Null, PASSWORD, $1Pawd2&    000, 001, 066, <all new clients>
/ATTACK SAP – DEFAULT PASSWORD
● In the example above, an SAP system with 3 custom clients :
- 27 default users (!)
- Most of these default credentials have high privileges
- Some of them can be reinitialized from a different SAP system
- Only one is enough to compromise the SAP system
000 001 066 100 200 600
SAP* no no no no no no
DDIC no no no no no no
EARLYWATCH no no no no
SAPCPIC no no no no no
TMSADM no no YES no no no
/ATTACK SAP – SAP GATEWAY
● The SAP Gateway is a technical component of the SAP system. It manages RFC communications between SAP and the rest of the world (other SAP systems or external programs).
/ATTACK SAP – SAP GATEWAY
[Diagram, built up over three slides : SAP NetWeaver ABAP (SAP Gateway, Work Processes), Database, Operating System ; callers : SAP GUI, SAP Server, External application]
(1) RFC call -> ABAP function modules
(2) RFC call to start OS commands (list file, transport, interface, etc.)
(3) Wait ? OS command ? -> I can do anything… (/bin/sh, "Insert into usr02…")
/ATTACK SAP – SAP GATEWAY
● SAP Gateway security is controlled by 2 files :
- reginfo file (gw/reg_info parameter) = who can come in (register) ?
- sec_info file (gw/sec_info parameter) = who can execute OS commands ?
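The two ACL files above are plain text, so an auditor can check them offline before anyone needs to touch the gateway. The following is an added example (not code from the talk or from SAP): it assumes the VERSION=2 rule syntax of reginfo / sec_info (one `P` permit or `D` deny per line, followed by `KEY=VALUE` fields such as `TP=`, `HOST=`, `USER=`, `ACCESS=`), and the sample file contents, function names and severities are constructed for the demonstration. It flags every permit rule that leaves a risky field unrestricted, which is exactly the "bad SAP Gateway ACL" used later in the demo.

```python
"""Audit SAP gateway ACL files (reginfo / sec_info) for over-permissive rules.

Added example; not code from the talk or from SAP. Assumes the VERSION=2 ACL
syntax (P = permit, D = deny, then KEY=VALUE fields). Sample contents below
are constructed for this demonstration.
"""
import re

# Constructed sample: a sec_info that lets any OS user on any host start any program
WEAK_SECINFO = """#VERSION=2
P TP=* USER=* HOST=* USER-HOST=*
"""

# Constructed sample: only the programs that are needed, only from the SAP
# hosts themselves ('local' / 'internal' keywords), and an explicit deny-all last
HARDENED_SECINFO = """#VERSION=2
P TP=sapxpg USER=prdadm HOST=local USER-HOST=local
P TP=tp USER=prdadm HOST=internal USER-HOST=internal
D TP=* USER=* HOST=* USER-HOST=*
"""

# Constructed sample: a reginfo that lets any host register any program
# and lets any host use the registered program afterwards
WEAK_REGINFO = """#VERSION=2
P TP=* HOST=* ACCESS=* CANCEL=*
"""

# Fields whose wildcarding makes a permit rule over-permissive, per file kind
RISKY_FIELDS = {
    "secinfo": ("TP", "USER", "HOST"),
    "reginfo": ("TP", "HOST", "ACCESS"),
}

FIELD_RE = re.compile(r"([A-Z-]+)=(\S+)")


def parse_acl(text):
    """Parse an ACL file into rule dicts: {'action': 'P'|'D', 'TP': ..., 'HOST': ..., ...}."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines, #VERSION, comments
            continue
        action, _, fields = line.partition(" ")
        if action not in ("P", "D"):
            raise ValueError(f"unexpected ACL line: {raw!r}")
        rule = {"action": action}
        rule.update(FIELD_RE.findall(fields))
        rules.append(rule)
    return rules


def is_broad(value):
    """A field restricts nothing when it is absent, '*', or a '*' pattern.
    Missing fields are treated as unrestricted (conservative choice of this example);
    the host keywords 'local' / 'internal' are real restrictions and pass."""
    return value is None or "*" in value


def audit_acl(text, kind):
    """Return findings for permit rules that wildcard a risky field.

    Each finding is (rule_number, severity, broad_fields); severity is
    'critical' when every risky field of the rule is unrestricted.
    """
    fields = RISKY_FIELDS[kind]
    findings = []
    for number, rule in enumerate(parse_acl(text), start=1):
        if rule["action"] != "P":  # deny rules never widen access
            continue
        broad = [f for f in fields if is_broad(rule.get(f))]
        if broad:
            severity = "critical" if len(broad) == len(fields) else "high"
            findings.append((number, severity, broad))
    return findings


if __name__ == "__main__":
    for name, text, kind in [("weak sec_info", WEAK_SECINFO, "secinfo"),
                             ("hardened sec_info", HARDENED_SECINFO, "secinfo"),
                             ("weak reginfo", WEAK_REGINFO, "reginfo")]:
        print(name, "->", audit_acl(text, kind) or "no wildcard permits")
```

Run it against the real files from the instance profile (`gw/reg_info`, `gw/sec_info`) instead of the constructed strings; a single `P TP=* ... HOST=*` line is what turns the gateway into the OS-command path shown in the diagram.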
/ATTACK SAP - UNENCRYPTED CONNECTIONS
● Could be encrypted with the SAP SNC layer (Secure Network Communication)… but disabled by default.
● Wireshark plugins : SAP dissection !
[Protocol stack diagram]
Proprietary protocols : SNC (Secure Network Communication), NI (Network Interface) protocol, RFC, DIAG, Router, Msg, Enq
Standard protocols : SSL, HTTP, SOAP
/ATTACK SAP - UNENCRYPTED CONNECTIONS
[Screenshot] XOR encryption with a static key
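Why "XOR with a static key" buys nothing against a network eavesdropper: the following added example (not code from the talk, and not the real DIAG algorithm) builds a toy scheme that XORs every message with the same fixed key, then shows that one known plaintext (a fixed protocol header) hands the key to anyone holding a capture, after which every other message is readable. The key, header and messages are constructed, and the key length is assumed known, as it would be for a fixed protocol.

```python
"""'XOR with a static key' is obfuscation, not encryption.

Added example, not from the talk and not the real DIAG scheme: a toy scheme
with one fixed key for all messages. Key, messages and header are constructed.
"""
from itertools import cycle

# Constructed 16-byte static key; in the toy scheme every message is XORed with it
STATIC_KEY = b"constructed-key!"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """One function for both directions: XOR is its own inverse."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Known-plaintext attack: ciphertext XOR plaintext yields the key stream, and
    with a static repeating key its first key_len bytes are the whole key."""
    if len(known_plaintext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return xor_with_key(ciphertext[:key_len], known_plaintext[:key_len])


def demo():
    """Capture two 'messages', recover the key from the first using only the
    constructed fixed header, and read the second without ever being given the key.
    Returns (key_recovered_correctly, decrypted_second_message)."""
    header = b"CLIENT=000 USER="  # constructed fixed header, 16 bytes, assumed known
    msg_logon = header + b"ADMIN PASSWORD=Winter2015!"
    msg_other = b"CLIENT=100 USER=BATCH PASSWORD=s3cr3t-batch"
    wire_logon = xor_with_key(msg_logon, STATIC_KEY)
    wire_other = xor_with_key(msg_other, STATIC_KEY)
    # The eavesdropper knows only the header format and the key length
    guessed = recover_key(wire_logon, header, len(STATIC_KEY))
    return guessed == STATIC_KEY, xor_with_key(wire_other, guessed)


if __name__ == "__main__":
    ok, plaintext = demo()
    print("key recovered:", ok)
    print("second message read by the eavesdropper:", plaintext)
```

The same property also means identical logon messages produce identical bytes on the wire, so even without the key a capture reveals when the same user logs on twice. The fix is the one the slide names: turn on SNC (or TLS for the HTTP-based interfaces) so the transport carries real encryption.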
/ATTACK SAP - INSECURE TRUSTED CONNECTIONS
● RFC connections that store user credentials
● Trusted systems with a low security level
[Diagram] DEV -trusted-> INT -trusted-> PRD : Trusted ? Trusted ? Trusted ???
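The DEV -> INT -> PRD chain is a graph problem, and an auditor can compute the blast radius of a weak system before an attacker does. The following is an added example (not code from the talk): it models a constructed landscape as directed edges, where an edge means "whoever controls the source system gets password-less access to the destination", either because the destination trusts the source (trusted RFC) or because the source stores credentials for the destination. It then computes which systems fall if one of them is compromised (for instance through a default password, as in the demo), lists the "upward" edges from a lower tier into a higher one that the slide warns about, and recomputes the reach after those edges are removed. Systems, tiers, edges and function names are all constructed.

```python
"""Attack-path analysis for an SAP landscape with trusted RFC connections.

Added example, not from the talk. Systems, tiers and edges are constructed.
Edge (src, dst, kind): controlling src gives password-less access to dst.
  "trusted"      : dst trusts src (trusted RFC) and src users have the needed rights on dst
  "stored_creds" : an RFC destination on src stores a user and password for dst
"""
from collections import deque

# Tier of each system; trust pointing from a lower tier to a higher one is
# the pattern the slide warns about ("Production 'trusts' development")
TIERS = {"DEV": 0, "INT": 1, "PRD": 2}

# Constructed landscape
LANDSCAPE = [
    ("DEV", "INT", "trusted"),       # INT trusts DEV
    ("INT", "PRD", "trusted"),       # PRD trusts INT
    ("INT", "DEV", "stored_creds"),  # INT holds a DEV user/password (downward: harmless)
    ("PRD", "INT", "stored_creds"),  # PRD holds an INT user/password (downward: harmless)
]


def reachable(start, edges):
    """Breadth-first search over the trust graph.
    Returns {system: path_from_start} for every system reachable from start."""
    paths = {}
    seen = {start}
    queue = deque([(start, [start])])
    while queue:
        node, path = queue.popleft()
        for src, dst, _kind in edges:
            if src == node and dst not in seen:
                seen.add(dst)
                paths[dst] = path + [dst]
                queue.append((dst, path + [dst]))
    return paths


def blast_radius(entry, edges):
    """Which systems fall if `entry` is compromised (e.g. via a default password)?"""
    return sorted(reachable(entry, edges))


def upward_edges(edges, tiers=TIERS):
    """Edges that let a lower-tier system into a higher-tier one: the findings."""
    return [e for e in edges if tiers[e[0]] < tiers[e[1]]]


def hardened(edges, tiers=TIERS):
    """Landscape with every upward edge removed: PRD must not trust DEV or INT,
    and lower systems must not store credentials for higher ones."""
    return [e for e in edges if tiers[e[0]] >= tiers[e[1]]]


if __name__ == "__main__":
    print("paths from a compromised DEV:", reachable("DEV", LANDSCAPE))
    print("upward trust to fix:", upward_edges(LANDSCAPE))
    print("blast radius of DEV after hardening:", blast_radius("DEV", hardened(LANDSCAPE)))
```

Fed with a real landscape (the RFC destinations with stored logon data and the trusted-system entries of each system), the same search tells you whether the "SAP Production appears protected" picture from the demo is true or whether DEV is the real front door.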
DEMOS
/DEMOS
[Diagram, built up over the demo slides : attacker, SAP Production, SAP Development]
attacker -> SAP Production : appears protected, no easy vuln, creds, etc. Don't 'trust' everyone.
attacker -> SAP Development : (1) default password, (2) not up to date, (3) full control
SAP Development -> SAP Production : (1) 'configure' development, (2) Production 'trusts' development, (3) bad SAP Gateway ACL, (4) full control
SOURCES - LINKS
QUESTIONS ?
THANK YOU