Mo' Budget, Mo' Problems
Steve Lord, Mandalorian

What is this talk about?
- Large IT projects
- System integrators
- SAP

What is SAP?
- Enterprise Resource Planning (SAP R/3)
- Modules include CRM, EP (Enterprise Portal), HR, FI/CO (Financials/Controlling), BW (Business Warehouse), MM (Materials Management), PP (Production Planning)

What is SAP R/3, really?
- Business process re-implementation
- Fancy MIS framework with template processes
- Big basket for corporate eggs

Fundamentals of large projects
- The bigger the budget, the harder the fall
- Compound delays due to complex dependencies
- Corners cut to meet deadlines
- Functionality vs. security: the decision is rarely based upon a business case
- When was the last time you signed off $xxx million?
- Don't believe me?

Irish HSE PPARS and FISP systems
- PPARS (HR) and FISP (FI/CO)
- Projected combined cost: £6.2 million
- PPARS cost when halted in 2005: £80 million
- FISP cost when halted: £20.7 million
- Revenues for Deloitte & Touche: £34.5 million
- Revenues for SAP: undisclosed (not part of D&T's fees)

PPARS
"It's like a case study in how not to run a project … It's appalling stuff." – Enda Kenny, Fine Gael Leader

PPARS could've paid for:
- A 600-bed hospital
- 20 St. Patrick's Day beers for every man, woman and child in Ireland

HP's internal failure
- iGSO, launched in 2002
- Consolidate 350 Digital, Compaq, HP and Tandem systems
- Expected finish date: 2007

HP: the Adaptive Enterprise that couldn't adapt
- Total cost of the implementation failure:
  - US$400 million (revenue)
  - US$275 million (operating profit)
  - 3 executives' heads
- Did I mention this was the total for a single quarter, Q3 2004?

How is SAP implemented internally?
- Usually poorly
- Inadequate skills/experience
- Poor or no business requirements capture
- Technology-driven implementation
- Poor documentation
- Usually very expensive ($20 million+)

How is SAP implemented by external integrators?
- Poorly
- Front-loading of skills
- Business requirements capture?
- Partner-driven implementation
- Poor or no documentation
- Subject to contract wrangling
- Can be extremely expensive ($50 million+)

Where does it all go wrong?
Lack of:
- Communication
- Contingency
- Requirements capture/analysis
- Simplicity
- Security

Where does security come in?
- At the end of a long queue
- By the time it reaches us, the project is:
  - non- or semi-functional
  - delayed
  - costing the business money
- Security's role is to SUSO (Shut Up, Sign Off)

Show me the SUSO
- You need to sign this off
- If you don't:
  - you're blocking the business
  - you're costing us money
  - you're getting in the way of the project
- If you do:
  - it's your backside on the dotted line

End of talk

Oh, you want more?

This is the price, right?
- Come on down!
- Quiz show
- Prizes
- Need victims (sorry, volunteers)

How it works
- A question is asked
- Potential answers are shown
- You have to guess which one of the answers was an actual response

This is the price, right? Question 1

Why can't we use SSH?
A) It (PuTTY) isn't vendor supported
B) SFTP doesn't support ASCII
C) We don't have a PKI
D) Key management is too difficult
E) The TCO for OpenSSH is too high

Why can't we switch off RSH?
A) It requires a server rebuild
B) It requires extensive testing that would cost millions
C) CowboyNeal
D) We use telnet, you insensitive clod!
E) We don't know what it would break

Why did the SI buy the tin prior to completing the design stage?
A) Because the vendor rebate would be lower next year
B) Because the client will have to write off the hardware expenditure anyway
C) Because it's easier to justify spending on one round of big tin than two rounds of smaller tin
D) If the client has already paid a fortune up front they're less likely to pull the plug later

Why were all the consultants on the job South African?
A) Because of S.A.'s extensive investment in enterprise technology training
B) Because all the experienced guys are from Joburg
C) Because they're cheaper than native employees and have a lesser understanding of local employment law

Why are these not risks?
A) Because it's not live yet
B) Because you need an account to access the systems
C) Because you'd need to have an RSH client and a copy of finger to access the systems
D) Because you'd need to have an FTP client to gain access to an unshadowed /etc/passwd
E) Because there are plenty of other ways in
F) Because you're holding the project up, so just sign off or there'll be trouble

Well done!
- The good news is: people got prizes
- The bad news is: we're all losers in the end

Breaking SAP: send in the clowns

SAP structure
- Infrastructure issues
- Front-end application
- Business logic
- Business processes
- Database skullduggery

Infrastructure issues: let me paint you a picture

What does an SAP deployment look like? (diagram)

Points of interest
- There is no standard deployment
- There should be firewalls involved
- If there are, any-any rules may be used
- Sometimes the file server(s) are shared between dev, test and live too
- Sometimes the app server(s) are shared between dev, test and live too

How (not) to conduct an SAP pentest
- Nmap
- Amap
- Nikto
- Nessus
- Metasploit

How to conduct an SAP pentest
- Nmap: -sS and -sU only, no -sV or -A, and watch the timings
- Manual confirmation of services with standard client tools: rsh, finger, net view, showmount, ftp
- No active exploitation
- Password guessing is possible, but not automated
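
The method on this slide, written out as an added example (not from the talk): a conservative nmap run, then the greppable output turned into a list of manual confirmations with the standard client tools the slide names. The port list, the `<sid>adm` placeholder and the mapping of 32NN/33NN/36NN to SAP dispatcher, gateway and message server are this example's assumptions; -sS and -sU need root, and the scan itself is only shown, not run.

```shell
#!/bin/sh
# Added example, not from the talk. Conservative nmap run (SYN + UDP only, no -sV/-A,
# slow timing) whose greppable output becomes a checklist of manual confirmations.
# Assumed: the port list below, "<sid>adm" as a placeholder for the SAP admin user,
# and the SAP convention that 32NN/33NN/36NN are dispatcher/gateway/message server.

# Conservative scan. $1 = target host or range, $2 = -oG output file. Needs root.
sap_scan() {
    nmap -sS -sU -n -T2 --max-retries 2 \
        -p T:21,23,79,111,139,445,512-514,2049,3200-3399,3600-3699,U:111,2049 \
        -oG "$2" "$1"
}

# Turn an -oG file into "host port command-to-run-by-hand" lines, open ports only.
confirm_checklist() {
    awk '
    /^Host:/ && /Ports:/ {
        host = $2
        sub(/^.*Ports: /, ""); sub(/\tIgnored State:.*$/, "")
        n = split($0, ports, ", ")
        for (i = 1; i <= n; i++) {
            split(ports[i], f, "/")          # port/state/proto/owner/service/rpcinfo/version/
            if (f[2] != "open") continue
            p = f[1] + 0
            if (p == 21)                      cmd = "ftp -n " host "   (user anonymous; try get /etc/passwd)"
            else if (p == 23)                 cmd = "telnet " host
            else if (p == 79)                 cmd = "finger @" host "   (then finger <sid>adm@" host ")"
            else if (p == 111 || p == 2049)   cmd = "showmount -e " host
            else if (p == 512)                cmd = "rexec service open: check /etc/hosts.equiv and ~/.rhosts once on a box"
            else if (p == 513)                cmd = "rlogin -l <sid>adm " host
            else if (p == 514)                cmd = "rsh -l <sid>adm " host " id"
            else if (p == 139 || p == 445)    cmd = "net view \\\\" host
            else if (p >= 3200 && p <= 3299)  cmd = sprintf("SAPGUI: dispatcher, system number %02d", p - 3200)
            else if (p >= 3300 && p <= 3399)  cmd = sprintf("SAP gateway, system number %02d (RFC; no exploitation)", p - 3300)
            else if (p >= 3600 && p <= 3699)  cmd = sprintf("SAP message server, system number %02d", p - 3600)
            else                              cmd = "no standard client mapping: confirm by hand"
            printf "%s %d %s\n", host, p, cmd
        }
    }' "$1"
}

# Usage (not run here): sap_scan 10.0.0.0/24 scan.gnmap && confirm_checklist scan.gnmap
```

The point of the split is that nothing automated ever touches the service beyond a SYN or a UDP probe; every open port is then confirmed by a human, with the same client a sysadmin would use, which is what "no active exploitation" means in practice on a box that may fall over if pushed.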

SAP systems are
- Unpatched
- Unhardened
- Unmaintained (from a security point of view)
- Unmanaged (from a security point of view)

Once you've got local access
- Useful tools: R3trans, tp
- SQL trusts (the database trusts the OS identity of the SAP and database admin users, so a shell on the host is effectively a DBA login):
  - osql -E
  - sqlplus "/ as sysdba"
  - mysql -u root, mysqld_safe

R3trans
- Uses SAP's abstracted SQL model (T-SQL)
- Uses 'control files' to perform actions upon databases
- R3trans -d -v: test the database connection (verbose)

R3trans control file

    EXPORT
    FILE='/tmp/.export/'
    CLIENT=000
    SELECT * FROM USR02

- Start with: R3trans /tmp/control
- Don't forget to check trans.log: that is where the return code and any errors end up
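
As an added example (not from the talk), the control-file export scripted end to end, with the trans.log check the slide asks for turned into something a script can act on. Assumed here: the export directory and data file name, that R3trans runs as `<sid>adm` with the instance's database environment loaded, that it writes trans.log into the current directory, and the conventional R3trans return codes (0 ok, 4 warnings, 8 errors, 12 fatal, 16 internal).

```shell
#!/bin/sh
# Added example, not from the talk. Writes an R3trans export control file for USR02,
# runs R3trans with it, and reads the return code R3trans leaves at the end of
# trans.log. Assumptions: data file path, <sid>adm environment, trans.log in the
# current directory, and the conventional return codes 0/4/8/12/16.

# Write the export control file. $1 = control file, $2 = export data file, $3 = client.
write_export_control() {
    cat > "$1" <<EOF
export
client=$3
file='$2'
select * from usr02
EOF
}

# R3trans ends trans.log with a line such as "R3trans finished (0008).". Print that
# number without leading zeros; print 16 (internal error) if the line is missing.
# $1 = path to trans.log.
r3trans_rc() {
    rc=$(sed -n 's/^R3trans finished (\([0-9]*\))\.$/\1/p' "$1" | tail -n 1)
    echo "${rc:-16}" | sed 's/^0*\([0-9]\)/\1/'
}

# Map the code to its meaning so a caller can decide what to do with the export.
r3trans_status() {
    case "$1" in
        0)  echo ok ;;
        4)  echo warnings ;;
        8)  echo errors ;;
        12) echo fatal ;;
        *)  echo internal ;;
    esac
}

# Whole run (not executed here): export USR02 of client 000 and check the outcome.
export_usr02() {
    ctl=/tmp/control; data=/tmp/.export/usr02.dat
    mkdir -p "$(dirname "$data")"
    write_export_control "$ctl" "$data" 000
    R3trans "$ctl"                      # run as <sid>adm; trans.log appears in $PWD
    rc=$(r3trans_rc trans.log)
    echo "R3trans rc=$rc ($(r3trans_status "$rc")); see trans.log and $data"
    [ "$rc" -le 4 ]
}
```

A return code of 4 (warnings) still means the data file was written, so the check is "at most 4" rather than "exactly 0"; anything from 8 upwards means the export did not complete and the data file is not to be trusted.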

Where to look
- /usr/sap/trans
- /usr/sap/<SID>
- /home/<sid>adm
- There is no reason for these directories to be world-writable!
- Most should be 700, 770 or 775

From the trenches
"We use RSH to copy files around the environment. RSH has a feature called .rhosts which enables us to restrict access to specific users or hosts."
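
The checks behind the last two slides, as an added example (not from the talk): world-writable entries under the SAP directories, .rhosts and hosts.equiv lines that trust more than a named user at a named host (a "+" trusts everyone, and even a named host is only the client's own claim of who it is), and an /etc/passwd that still carries hashes, which the quiz slide mentioned as reachable over FTP. The SID is a parameter, the directory list and 700/770/775 expectation are the slide's, and the optional root argument exists so the same functions can be run against a copied tree.

```shell
#!/bin/sh
# Added example, not from the talk. Host-side checks for an SAP box: world-writable
# entries under the SAP directories, wildcard .rhosts/hosts.equiv entries, and an
# unshadowed /etc/passwd. Assumed: SID passed as $1; $2 optionally re-roots the
# paths so the check can run against a copied tree or a test directory.

# Print every world-writable file or directory under the SAP paths for SID $1.
sap_world_writable() {
    root=${2:-}
    sid=$1; adm=$(printf '%s' "$sid" | tr '[:upper:]' '[:lower:]')adm
    for d in "$root/usr/sap/trans" "$root/usr/sap/$sid" "$root/home/$adm"; do
        [ -e "$d" ] || continue
        find "$d" -perm -002 \( -type f -o -type d \) 2>/dev/null
    done
}

# Print each line of .rhosts / hosts.equiv file $1 whose host or user field is a
# wildcard ("+" or "+@netgroup"). Comments are stripped first.
rhosts_wildcards() {
    [ -r "$1" ] || return 0
    sed 's/#.*//' "$1" | awk -v f="$1" \
        'NF > 0 && ($1 == "+" || $1 ~ /^\+@/ || $2 == "+") { print f ": " $0 }'
}

# Return 0 if passwd-style file $1 still carries real hashes in field 2 (not shadowed).
# Locked or shadowed markers (x, *, !, *LK*, !! ...) and short values are ignored.
passwd_unshadowed() {
    awk -F: '$2 !~ /^[x*!]/ && length($2) >= 13 { found = 1 } END { exit !found }' "$1"
}

# Whole-host run (not executed here): report everything and fail if anything was found.
sap_host_check() {
    sid=$1; bad=0
    adm=$(printf '%s' "$sid" | tr '[:upper:]' '[:lower:]')adm
    ww=$(sap_world_writable "$sid"); [ -z "$ww" ] || { echo "world-writable:"; echo "$ww"; bad=1; }
    for f in /etc/hosts.equiv "/home/$adm/.rhosts" /root/.rhosts; do
        w=$(rhosts_wildcards "$f"); [ -z "$w" ] || { echo "$w"; bad=1; }
    done
    passwd_unshadowed /etc/passwd && { echo "/etc/passwd is not shadowed"; bad=1; }
    return $bad
}
```

Run `sap_host_check PRD` as root on the SAP host; an empty report and exit status 0 is the pass. A non-wildcard .rhosts entry is not flagged here because the slide's point is the "+", but it is still only a hostname or IP check and should be on the findings list whenever rsh is reachable from outside the SAP segment.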

Front-end issues: busting down the door citing section 404

What front-end?
- SAP has many: SAPGUI; WebGUI/NetWeaver/ITS/EP; SAP RFC
- For the sake of time we will focus on SAPGUI
- These issues do apply elsewhere though

SAPGUI (screenshot)

SAPGUI
- See the box up next to the green tick? That is the command field
- Use /? to start debugging
- Type in a transaction code (T-code) to start a transaction

SAP transactions of note
- SU01 – User maintenance
- SU02 – User profile administration
- RZ04 – Maintain SAP instances
- SECR – Audit Information System
- SE11 – Data Dictionary
- SE38 – ABAP Editor
- SE61 – R/3 documentation
- SM21 – System log
- SM31 – Table maintenance
- SM51 – List of SAP servers (targets)
- SU24 – Maintain (i.e. disable) authorization checks
- SM49 – Execute operating system commands
- SU12 – Delete all users
- PE51 – HR form editor (HR)
- P013 – Maintain positions (HR)
- P001 – Maintain jobs (HR)

SAP transactions of note (continued)
- AL08 – Users logged on
- AL11 – Display SAP directories
- OS01 – LAN check with ping
- OS03 – Local OS parameter changes
- OS04 – Local system configuration
- OS05 – Remote system configuration
- OSS1 – SAP's Online Service System
- PFCG – Profile Generator
- RZ01 – Job scheduling monitor
- RZ20 – CCMS monitoring
- RZ21 – Customize CCMS monitor
- SA38 – ABAP/4 reporting
- SCC0 – Client copy
- SE01 – Transport and Correction System
- SE13 – Maintain technical settings (tables)
- SUIM – User Information System

You can't access those!
- I can access them (or equivalents) if restrictions are based on:
  - Easy Access menu items
  - transactions only
  - custom tables (e.g. a ZUSERS table of allowed users)
- Restrictions need to be implemented at the authorization level
- So what else is there?

Reports
- RPCIFU01 – Display file
- RPCIFU03 – Download Unix file
- RPCIFU04 – Upload Unix file
- RPR_ABAP_SOURCE_SCAN – Search ABAP source for a string ;)
- RSBDCOS0 – Execute OS command
- RSPARAM – Check system parameters
- RSORAREL – Get the Oracle system release

Tables
- Accessible through:
  - SE16 (Data Browser)
  - SE17 (General Table Display)
  - SA38 (execute ABAP)
  - SE38 (ABAP Editor)
  - Customizations (ZZ_TABLE_ADMIN etc.)
- Will be covered later

Job scheduler
- Can't get OS access? Use SM36 or SM36WIZ instead
- Specify immediate start
- External program as step

Custom transaction fun
- Input validation:
  - Selection criteria expansion
  - Path specification (../../, // etc.)
  - Shell escapes (; /bin/ls, |"/bin/ls"| etc.)
  - SQL injection
  - Export/import file fun and games
- Bypass authorization checks (custom code that never calls AUTHORITY-CHECK, or ignores its result)

From the trenches
"As discussed in the meeting on <redacted> with <redacted>, we've agreed that there is no further action required. I appreciate that you are on holiday at the moment, but we will take your expected non-response in advance as agreement upon the matter."

Database skullduggery: here be dragons

Database stuff
- The database contains all the data
- The database is accessed by SAP users through the SAP system
- The SAP database is not subject to the same controls as SAP itself: the authorization concept lives in the application layer, so a direct database login sees every client and every table, USR02 included
- WARNING: DO NOT MODIFY THE DATABASE WITHOUT PERMISSION SIGNED IN BLOOD (not yours)

Getting in
- Patch weaknesses
- Brute force
- Roundhouse kicks
- Default accounts

Speaking of default accounts
Default accounts (with Oracle hashes):
- DDIC / 19920706 (4F9FFB093F909574)
- SAP / SAPR3 (BEAA1036A464F9F0)
- SAP* / 06071992 (B1344DC1B5F3D903)
- SAPR3 / SAP (58872B4319A76363)
- EARLYWATCH / SUPPORT (8AA1C62E08C76445)

Note about schemas
- Before 6.10 the schema owner is SAPR3
- From 6.10 onwards the schema owner is SAP<SID>

Database queries of note

    SELECT MANDT, BNAME, BCODE, USTYP, CLASS FROM <SAPDB>..USR02
    SELECT * FROM UST04
    SELECT * FROM TSTCT WHERE SPRSL = 'E'
    SELECT * FROM DBCON
    EXEC master.dbo.xp_cmdshell 'cmd.exe /c net view'

- USR02 holds the logon data (BCODE is the password hash), UST04 the user-to-profile assignments, TSTCT the transaction code texts and DBCON the connections to other databases, stored credentials included
- The <SAPDB>..USR02 two-part name and xp_cmdshell are SQL Server; on Oracle the same tables live under the schema owner (SAPR3.USR02 or SAP<SID>.USR02)

Common values in the DB
- ACTVT – Activity code
- USTYP – User type
- MANDT – Client number
- BUKRS – Company code
- BEGRU – Authorization group

USTYP values
- USTYP specifies the type of user (a field of USR02):
  - A – Dialog (interactive user)
  - C – Communications (CPIC)
  - B – System (background/BDC)
  - S – Service
  - L – Reference
- People often don't change passwords on CPIC users because they're not sure what it would break

Tables to look at
- BKPF – Accounting document header (FI)
- BSEG – Accounting document segment (FI)
- CEPC – Profit center master data
- EKKO – Purchase order header
- RSEG – Incoming invoice items
- RBKP – Invoice receipt header
- KNA1 – Customer master records
- LFA1 – Vendor master records
- PNP – Personnel data (HR only)
- CSKS – Cost centre master (HR)
- T569V – Payroll control records (HR)

Subverting business logic: it's not a lie, we just didn't tell you that

How SAP controls access
- Local logon details in USR02
- Profile details in UST04, USR04 etc.
- Authorizations and profiles

Custom SAP code and access control
- ABAPs and auths 101
- Authorization checks: AUTHORITY-CHECK OBJECT <object> ID <field> FIELD <value>
- If the AUTHORITY-CHECK statement isn't there, it is assumed that you can go ahead!
- And the statement only sets sy-subrc; unless the program tests sy-subrc and stops, a failed check changes nothing
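
An added example (not from the talk) that does offline what the RPR_ABAP_SOURCE_SCAN report on the Reports slide does inside the system, aimed at the two findings above and at the "custom transaction fun" slide: for custom ABAP source exported one report per file, flag programs with no AUTHORITY-CHECK at all, programs whose AUTHORITY-CHECK is never followed by a look at sy-subrc, and any line that reaches the OS, the file system, native SQL or another transaction, since that is where the path, shell-escape and SQL injection input needs checking. The `.abap` file layout is assumed; the statements matched are standard ABAP; the sample sources in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the talk. Static scan of exported ABAP source (one report
# per .abap file, an assumed layout). Flags: no AUTHORITY-CHECK; AUTHORITY-CHECK
# without any later look at SY-SUBRC; and statements that reach the OS, files,
# native SQL or other transactions, which are where input validation matters.

# Scan one file. Prints "<file>: <finding>" lines; prints nothing for a clean file.
abap_scan_file() {
    f=$1
    # ABAP keywords are case-insensitive: upper-case everything. Blank out full-line
    # comments ("*" in column 1) and trailing "..." comments, keeping line numbers.
    src=$(sed -e 's/^\*.*//' -e 's/"[^"]*$//' "$f" | tr '[:lower:]' '[:upper:]')
    checks=$(printf '%s\n' "$src" | grep -c 'AUTHORITY-CHECK[[:space:]]*OBJECT' || true)
    subrc=$(printf '%s\n' "$src" | grep -c 'SY-SUBRC' || true)
    if [ "$checks" -eq 0 ]; then
        echo "$f: no AUTHORITY-CHECK at all (anyone who can start it can run it)"
    elif [ "$subrc" -eq 0 ]; then
        echo "$f: AUTHORITY-CHECK present but SY-SUBRC never inspected (the check has no effect)"
    fi
    # Sinks: kernel call to the OS, external command module, file access, native SQL,
    # and transaction calls (which skip the S_TCODE check the menu would have done).
    printf '%s\n' "$src" | grep -n -E \
        "CALL[[:space:]]+'SYSTEM'|SXPG_COMMAND_EXECUTE|OPEN[[:space:]]+DATASET|DELETE[[:space:]]+DATASET|EXEC[[:space:]]+SQL|CALL[[:space:]]+TRANSACTION" \
        | sed "s|^|$f: review input handling at line |"
}

# Scan every .abap file in directory $1.
abap_scan_dir() {
    for f in "$1"/*.abap; do
        [ -e "$f" ] || continue
        abap_scan_file "$f"
    done
    return 0
}

# Usage (not run here): abap_scan_dir ./exported-z-reports
```

The third category is deliberately noisy: an OPEN DATASET behind a correct AUTHORITY-CHECK is still a finding if the file name comes straight from a selection screen, because the check decides who may run the report, not what path they may hand it.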

SAP authorization concept (diagram)

Common authorization snafus
- 'Pyramid structure' approach
- Overly restrictive approach
- Use-standard-SAP-profiles approach
- Transactions/menu-only approach
- Objects-only approach

So what happens when things go wrong?

When things go wrong
- Too much access
- Too little access
- Disgruntled employees and no audit trail
- Enron-style fun

Business process hacking: where you too can be like Neo

Business process hacking
- When your business processes are correctly aligned, all is good
- When they aren't…
- … and it's even worse when it's legislation

BPH vs. social engineering
From the Canadian Charter of Rights and Freedoms:

20. (1) Any member of the public in Canada has the right to communicate with, and to receive available services from, any head or central office of an institution of the Parliament or government of Canada in English or French, and has the same right with respect to any other office of any such institution where
(a) there is a significant demand for communications with and services from that office in such language; or
(b) due to the nature of the office, it is reasonable that communications with and services from that office be available in both English and French.

Is this charter open to abuse?

BPH example
- User provisioning policy not correctly implemented
- Weakness: new users are created but old ones are not disabled
- Result: accounts can be used after their owners leave

BPH example #2
- Evening meal expense claim requires the signature of the most senior person present
- Then signed off by a person at a higher grade
- No requirement to list the people present

How does this tie into SAP?
- SAP process integration
- If the process fits…
- If it doesn't?

A word from our sponsors: well, Steve has to get revenue somehow

OWASP-EAS: stays crisp in milk

OWASP-EAS
- What?
- Why?
- How?
- When?

What?
- OWASP Enterprise Application Security Project
- Enterprise-grade schnizzle
- Requirements guidelines
- Audit programmes
- Business-level and technical guidance docs

Why?
- OWASP is great for web-based stuff
- It's great for toy applications
- It's not great for large business systems:
  - not applicable
  - not relevant
  - not 'enterprise grade'

How?
- Initial launch
- Parent OWASP-EAS mailing list
- Develop industry links
- Initial projects:
  - OWASP-EAS RFP guide
  - Security document templates
  - SAP assessment guide
  - White papers

When?
- Real Soon Now*
- Formal launch in June '06
- 'Soft' launch end of April:
  - mailing list
  - sub-project initiation

*may contain nuts

Conclusions
- SAP is teh r0x0r
- The people who implement it aren't necessarily so
- OWASP-EAS will help them… to a point