
  • SAP Penetration Testing & Defense In-Depth

    Mariano Nuñez Di Croce, [email protected]

    October 2-3, 2008, Ekoparty, Buenos Aires, Argentina

    Copyright 2008 CYBSEC. All rights reserved.


  • 2 2008

    Who is CYBSEC?

    Provides Information Security services since 1996. More than 300 customers, located in Latin America, USA and Europe. Wide range of services: Strategic Management, Operation Management, Control Management, Incident Management, PCI Services, SAP Security.

    SAP & CYBSEC

    Member of the SAP Global Security Alliance (GSA). Has been working with SAP (Walldorf) since 2005. Provides specific SAP security services (Penetration Testing, Secure Architecture Design, Secure Configuration, ...).

  • 3 2008

    Who am I?

    Senior Security Researcher at CYBSEC. Devoted to Penetration Testing and Vulnerability Research. Discovered vulnerabilities in Microsoft, Oracle, SAP, Watchfire, ... Speaker/Trainer at Blackhat, Sec-T, Hack.lu, DeepSec, Ekoparty, CIBSI, ...

    SAP & Me

    Started researching in 2005. SAP Pentesting projects (customers). Discovered more than 40 vulnerabilities in SAP software. Published "Attacking the Giants: Exploiting SAP Internals". Developed sapyto, the first SAP Penetration Testing Framework. CYBSEC's SAP (In)Security Training instructor.

  • 4 2008

    Agenda

    Introduction to the SAP World

    Why SAP Penetration Testing?

    PenTest Setup

    SAP PenTesting

    Discovery Phase

    Exploration Phase

    Vulnerability Assessment Phase

    Exploitation Phase

    Case Study: SAProuter Security Assessment

    Conclusions

  • 5 2008

    Introduction to the SAP World

    Basic concepts for deep knowledge

  • 6 2008

    So what is SAP?

    Introduction to the SAP World

    SAP (Systems, Applications and Products in Data Processing) is a German company devoted to the development of business solutions.

    More than 41.600 customers in more than 120 countries. More than 121.000 SAP implementations around the globe. Third biggest independent software vendor (ISV).

    Provides different solutions: CRM, ERP, PLM, SCM, SRM, GRC, Business One, ...

    The ERP solution is composed of different functional modules (FI, CO, SD, HR, MM, etc.) that implement the organization's business processes. Modules are linked together, integrated by the Netweaver platform. SAP runs on multiple Operating Systems and Databases.

  • 7 2008

    SAP Basic Concepts

    Introduction to the SAP World

    Instance & System: An instance is an administrative entity which groups related components of an SAP system, providing one or more services. Systems are identified by the SAP System ID (SID). System (instance) parameterization is done in Profiles.

  • 8 2008

    SAP Basic Concepts

    Introduction to the SAP World

    Client: Legally and organizationally independent unit in an SAP system (company group, business unit, corporation). Identified by a three-digit number. Default clients: 000, 001 and 066.

    Transaction: Related sequence of steps (dialog steps) aimed at performing an operation in the SAP database. Identified by a transaction code (e.g. SU01, SE16, FK01, PA20, ...).

  • 9 2008

    SAP Basic Concepts

    Introduction to the SAP World

    ABAP: ABAP is the SAP high-level programming language used to develop business applications.

    Reports / Programs: ABAP programs that receive user input and produce a report in the form of an interactive list.

    Function Modules: Independent ABAP modules. Can be called locally or remotely.

    The RFC (Remote Function Call) Interface: Used to call function modules on remote systems.

  • 10 2008

    SAP Basic Concepts

    Introduction to the SAP World

    The Authorization Concept (Simplified): Users are assigned roles/profiles. Each profile contains a set of Authorization objects. When a user tries to perform an activity, the required authorization objects are checked against the user's authorization objects (user buffer). Controlled Activities:

    Starting Transactions (S_TCODE). Accessing Tables (S_TABU_DIS). Starting Programs (S_PROGRAM). Calling RFC Function Modules (S_RFC).

    Authorization checks can also be done programmatically, through the AUTHORITY-CHECK statement.

  • 11 2008

    Some Low-level Knowledge

    Introduction to the SAP World

    SAP_ALL profile = SAP God. Many other profiles may let a user become a god too. Each SAP System uses its own Database. SAP processes run under the <sid>adm or SAPService<SID> user accounts. Connections to the Database are done with the same UID. There is no authorization check at this level: direct access to the Database means full SAP compromise! Connections between systems are often based on Trust Relationships (r* services). Many customer interfaces are implemented through FTP (cleartext, usually weak passwords).

  • 12 2008

    Why SAP Penetration Testing?

    Or why you and your CFO should care


  • 19 2008

    Why do you Need an SAP Penetration Test?

    Why SAP Penetration Testing?

    CFO: "The new SAP system must be running on October 3rd, no excuses."

    Security guy: "But we haven't secured the systems yet... you know, there is something called Security."

    CFO: "Security? Hmm... is it French? I don't care... Business *must* go on!"

    Security guy: "But we should take care of User authorizations to prevent frauds!"

    CFO: "Just give everyone full access (SAP_ALL) for three months, then we'll lock it down."

    Security guy: "OK... @#-*!#&$%!!"

  • 20 2008

    Why do you Need an SAP Penetration Test? (cont.)

    Why SAP Penetration Testing?

    CFO's Mistake:

    Alert: Weak SAP Security configuration can definitely result in Business Frauds!

    Security guy's Mistake:

    Alert: SAP Security is much (*much*) more than User roles and authorizations!

  • 21 2008

    Why do you Need an SAP Penetration Test? (Wrap up)

    Why SAP Penetration Testing?

    Security configurations of SAP systems are usually left at their defaults. By default, many configurations are not secure. Conclusion: Many SAP implementations are not secure!

    Is yours secure? A Penetration Test of these systems will help you know how your SAP implementation can be attacked and what the real impact of this is.

    It will help you discover the weaknesses, secure them, and increase the security level of your systems (a.k.a. decrease fraud risk).

    In this talk, we'll see some of the activities that make up the different phases of an SAP Penetration Test (no way of covering them all).

  • 22 2008

    PenTest Setup

    Before we begin

  • 23 2008

    Preparation

    PenTest Setup

    What do you need? The Shopping List:

    sapyto
    nmap
    r* tools (rsh, rlogin, rexec)
    SQL client tools
    NFS client tools
    SMB client & security tools
    BurpSuite / w3af
    Nessus
    john (patched)
    hydra

    Try to get as much information as possible about target platforms, usage and policies before starting the assessment.

    Remember that everything that breaks while you are pentesting *will* be your fault (even if someone breaks his leg).

  • 24 2008

    sapyto

    First SAP Penetration Testing Framework. Support for activities in all phases of the pentest. Open-source (and free). Plugin based. Developed in Python and C. Version 0.93 released at Blackhat Europe 07.

    sapyto

  • 25 2008

    Available Plugins in sapyto v0.93

    sapyto

    Audit:

    RFC Ping. Registration of External Servers. Detection of RFCEXEC. Detection of SAPXPG. Get system information. Get server documentation.

    Attack:

    RFC_START_PROGRAM Dir Traversal. Run commands through RFCEXEC. Run commands through SAPXPG. StickShell. Evil Twin Attack. Get remote RFCShell.

    Tools:

    RFC Password Obfuscator / De-obfuscator.

  • 26 2008

    Hot News! sapyto v0.98

    sapyto

    Core and architecture fully re-built. Based on connectors: the SAPRFC* connectors and the RFCSDK. Plugins are now categorized in Discovery, Audit and Exploit.

    Discovery plugins find new targets. Audit plugins carry out the vulnerability assessments. Exploit plugins are used as proofs of concept for discovered vulns.

    sapytoAgents deployment. New plugins for auditing SAProuters, finding clients, bruteforcing, ...

  • 27 2008

    Discovery Phase

    Finding SAP targets

  • 28 2008

    Discovering SAP Systems and Applications (Targets)

    Discovery Phase

    Available Options: Traffic sniffing. SAP portscanning. Checking SAPGUI configurations.

    SAP Systems use a fixed range of ports. Most ports follow the PREFIX + SYS. NUMBER format. Common ports: 32XX, 33XX, 36XX, 39XX, 3299, 81XX, ...

    Nmap: Watch timings (-T3) and don't use version detection.

    The new sapyto will provide automatic discovery of SAP systems and configuration of targets/connectors for auditing!
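    As an added example (not code from the slides or from sapyto): a small Python helper that applies the PREFIX + SYS. NUMBER port rule above, classifying destination ports seen in a firewall log and building the expected port set for known instance numbers so it can be compared with an allow-list or a scan result. The service names per prefix are this example's own assumption; the 39NN prefix is only reported by prefix, and the sample log lines are constructed.

```python
# Added example, not from the slides or sapyto: apply the PREFIX + SYS. NUMBER
# port convention described above. Service names per prefix are this example's
# assumption; the 39NN prefix is listed on the slide but not named here.

SAP_PORT_PREFIXES = {
    32: "dispatcher (DIAG)",
    33: "gateway (RFC)",
    36: "message server",
    39: "SAP service, 39NN prefix",
    81: "message server HTTP",
}
SAPROUTER_PORT = 3299  # conventional SAProuter port (overlaps dispatcher instance 99)


def classify_port(port):
    """Return (service, instance_number) for a TCP port following the
    PREFIX + NN convention, ("SAProuter", None) for 3299, or None."""
    if port == SAPROUTER_PORT:
        return ("SAProuter", None)
    prefix, instance = divmod(port, 100)
    service = SAP_PORT_PREFIXES.get(prefix)
    if service is None:
        return None
    return (service, instance)


def expected_ports(instance_numbers):
    """Ports a system with the given instance numbers (00-99) is expected to
    listen on. Compare against a firewall allow-list or a scan result:
    anything open beyond this set deserves a closer look."""
    ports = set()
    for nn in instance_numbers:
        if not 0 <= nn <= 99:
            raise ValueError("instance number must be between 00 and 99")
        for prefix in SAP_PORT_PREFIXES:
            ports.add(prefix * 100 + nn)
    return sorted(ports)


def nmap_port_spec(instance_numbers, include_saprouter=True):
    """Comma-separated port list for nmap -p (the slide suggests -T3 and
    no version detection when scanning SAP hosts)."""
    ports = set(expected_ports(instance_numbers))
    if include_saprouter:
        ports.add(SAPROUTER_PORT)
    return ",".join(str(p) for p in sorted(ports))


def tag_firewall_log(lines):
    """Annotate constructed log lines of the form 'SRC -> DST:PORT' with the
    SAP service the destination port maps to. Returns (line, tag) pairs."""
    tagged = []
    for line in lines:
        port = int(line.rsplit(":", 1)[1])
        hit = classify_port(port)
        if hit is None:
            tag = "non-SAP port"
        elif hit[1] is None:
            tag = hit[0]
        else:
            tag = "%s, instance %02d" % hit
        tagged.append((line, tag))
    return tagged


# Constructed sample lines, not a real capture.
SAMPLE_LOG = [
    "10.0.0.5 -> 192.168.3.4:3300",
    "10.0.0.5 -> 192.168.3.4:3201",
    "10.0.0.5 -> 192.168.3.4:3299",
    "10.0.0.5 -> 192.168.3.4:443",
]

if __name__ == "__main__":
    for line, tag in tag_firewall_log(SAMPLE_LOG):
        print(line, "=>", tag)
    print("nmap -T3 -p", nmap_port_spec([0, 1]))
```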

  • 29 2008

    Exploration Phase

    Getting as much information as possible


  • 31 2008

    Getting Information from SAP Application Servers

    Exploration Phase

    The RFC_SYSTEM_INFO function module returns information about remote SAP Application Servers (implemented in sapyto's sapinfo plugin). It can be called remotely (and anonymously) by default. [5]

    sapinfo(target#0) {
    Remote System Information:
    RFC Log Version: 011
    Release Status of SAP System: 700
    Kernel Release: 700
    Operating System: Linux
    Database Host: sapl01
    Central Database System: ORACLE
    Integer Format: Little Endian
    Dayligth Saving Time:
    Float Type Format: IEEE
    Hostame: sapl01
    IP Address: 192.168.3.4
    System ID: TL1
    RFC Destination: sapl01_TL1_00
    Timezone: -18000 (diff from UTC in seconds)
    Character Set: 4103
    Machine ID: 390

    Protection / Countermeasure

    Restrict connections to the SAP Gateway at the network level. For more information, refer to SAP Note 931252.

  • 32 2008

    Finding Available Clients

    Exploration Phase

    Users are client-dependent. Default clients: 000, 001, 066.

    getClients(target#0) {
    Client 000 is available.
    Client 001 is available.
    Client 066 is available.
    Client 101 is available.
    Client 200 is available.
    } res: Ok


  • 34 2008

    Analyzing Shared Resources

    Exploration Phase

    The Common Transport Directory (CTD) is the directory where changes (transports) are exported to and imported from in an SAP landscape. This directory must be shared for all systems in the landscape. It is often the case that the kernel files and profiles are also shared with dialog instances.

    $ showmount -e sapserver
    /export/usr/sap/trans (everyone)
    /export/sapmnt/NP1 (everyone)
    /export/informix/NP1 (everyone)
    /export/interfacesNP1 (everyone)
    /export/interfsrcNP1 (everyone)

    Protection / Countermeasure

    Shared resource access should be restricted to SAP related systems and users only.

  • 35 2008

    Vulnerability Assessment Phase

    Analyzing the discovered components


  • 37 2008

    SAP Default Users

    Vulnerability Assessment Phase

    There is public information regarding the existence of default SAP user accounts. Many of these accounts are configured with high privileged profiles.

    User ID      Description                       Clients                      Password
    SAP*         Super user                        000, 001, 066, new clients   06071992, PASS
    DDIC         ABAP Dictionary super user        000, 001                     19920706
    EARLYWATCH   User for the EarlyWatch Service   066                          SUPPORT
    SAPCPIC      Communication User                000, 001                     ADMIN

    Protection / Countermeasure

    Default users must be secured. SAP* should be deactivated. Use report RSUSR003 to check the status of default users.

  • 38 2008

    SAP User Account Bruteforcing

    Vulnerability Assessment Phase

    Usernames are up to 12 characters long. As part of the PenTest, you can try guessing/cracking user credentials.

                   Old Passwords (up to 6.40)   New Passwords (> 6.40)
    Max. Length    8                            40
    Case           Insensitive                  Sensitive

    WARNING! User locking is implemented! (usually, between 3-12 tries). Oops! In versions 6.20, the lock counter is not incremented through RFC.

    sapyto's bruteLogin plugin can work in different modes: Try default users only and SAP*:PASS in detected clients. Specific credentials wordlist. Username and Password wordlists.


  • 40 2008

    Getting Credentials from the Wire: RFC Sniffing

    Vulnerability Assessment Phase

    RFC (Remote Function Call) is the most widely used interface in the SAP world. In order for a system to connect through RFC, it must provide login information for the remote system. RFC is clear-text, but you won't be able to see the password on the wire: the password is obfuscated! -> Use sapyto's getPassword plugin...


    # KEY is the fixed obfuscation key (not shown on this slide); XOR with a
    # fixed key is reversed by anyone holding the key, so this is not encryption.
    for i, char in enumerate(CLEAR_TEXT_PASS):
        OBFUSCATED_PASS[i] = char ^ KEY[i]

    Protection / Countermeasure

    Enable SNC, protecting the confidentiality and integrity of the traffic.

  • 41 2008

    Analysis of the RFC Interface

    Vulnerability Assessment Phase

    RFC Communication is done through the Gateway Service. The GW can connect with external RFC servers:

    Registered Servers: The external system registers to the GW under a Program ID.

    Started Servers: The GW connects to a remote system and starts a program (trust?).

    By exploiting Registered Servers caveats, it may be possible to obtain confidential information, cause DoS, and perform RFC MITM and callback attacks. By exploiting Started Servers vulnerabilities, it may be possible to obtain remote code execution on misconfigured Application Servers.

    (check the "Attacking the Giants: Exploiting SAP Internals" white-paper)

  • 42 2008

    Exploitation Phase

    Getting access and beyond

  • 43 2008

    But why do we need Exploitation anyway?

    Exploitation Phase

    Vulnerability Assessment reports enumerate the discovered vulnerabilities with the associated risk estimate. A security-aware individual would easily see the problems. But what about the people from the Financial areas? For them to get involved, they need to see the facts! You must show them how their information can be compromised -> screenshots, live demos...

    Vulnerability Assessments are 2D; Exploitation adds a new Dimension.


  • 45 2008

    SAP Password Considerations & Cracking

    Exploitation Phase

    SAP has implemented different password hashing mechanisms. Password hashes are stored in table USR02 (BCODE, PASSCODE) and USH02.

    Code Vers.   Description
    A            Obsolete
    B            Based on MD5, 8 characters, Uppercase, ASCII
    C            Not implemented
    D            Based on MD5, 8 characters, Uppercase, UTF-8
    E            Reserved
    F            Based on SHA1, 40 characters, Case Insensitive, UTF-8
    G            Code Version F + Code Version B (2 hashes)

    On June 26 2008, a patch for John The Ripper for CODVN B and F was published.

    Protection / Countermeasure

    Access to tables USR02 and USH02 should be protected. Password security should be enforced through profile configuration (login/* parameters). Table USR40 can be used to protect from trivial passwords. For more information, refer to SAP Note 1237762.

  • 46 2008

    Exploiting SAP/Oracle Authentication Mechanism

    Exploitation Phase

    Discovered by me in 2007. Discovered by Jochen Hein in 2003 (Doh!). Target: Default SAP/Oracle installations.

    The SAP+Oracle Authentication Mechanism

    SAP connects to the database as the OPS$ user (e.g. OPS$<sid>adm). Retrieves user and password from table SAPUSER. Re-connects to the database, using the retrieved credentials.


  • 48 2008

    Exploiting SAP/Oracle Authentication Mechanism

    Exploitation Phase

    There is a special Oracle configuration parameter named REMOTE_OS_AUTHENT. If set to TRUE, Oracle trusts that the remote system has authenticated the user used for the SQL connection (!). The user is created as identified externally in the Oracle database. Oracle recommendation: remote_os_authent = false. SAP default and necessary configuration: remote_os_authent = true.

    What do you need? Database host/port. SAP System ID. Oracle Instance ID (= SAPSID?).

    Protection / Countermeasure

    Restrict who can connect to the Oracle listener:

    tcp.validnode_checking = yes
    tcp.invited_nodes = (192.168.1.102, ...)


  • 50 2008

    Exploiting Weak RFC Interface Security

    Exploitation Phase

    Possible in the default configuration of SAP Systems. Allows for unauthenticated remote code execution.

    Starting EXPLOIT plugins
    ----------------------------
    weakRFC(target#1) {
    Creating new SHELL object...
    SHELL object created. ID: 536
    } res: Ok
    sapyto> shells
    sapyto/shells> list
    Shell ID: 536 [RFCShell]
    Target information:
      Connector: SAPRFC_EXT
      SAP Gateway Host: sapprd01
      SAP Gateway Service: 3300
    ...
    sapyto/shells> start 536
    Starting shell #536
    RFCShell - Run commands through RFC.
    The remote target OS is: Win.NET.
    sapyto/shells/536> run whoami
    Call successfull. Command output:
    prdadm
    sapyto/shells/536>

    Protection / Countermeasure

    Starting of External RFC Servers is controlled through the file specified by the gw/sec_info profile parameter. This file should exist and restrict which systems are allowed to start which programs on the Application Servers. The gw/reg_info file protects Registered Servers and should be configured as well. For more information, refer to SAP Note 618516.

  • 51 2008

    Case Study: SAProuter Security Assessment

  • 52 2008

    SAProuter Introduction

    Case Study: SAProuter Security Assessment

    SAProuter is an SAP program working as a proxy, which analyzes connections between SAP systems and between SAP systems and external networks.

    [Diagram: Typical SAProuter Architecture. An External User on the Internet reaches the Border FW and the SAProuter; behind them, the Internal Network holds DEV, QAS, PRD, IntraWeb, an SSH Server, a Mainframe, Other Internal Systems and the Internal Users.]

  • 53 2008

    SAProuter Introduction

    Case Study: SAProuter Security Assessment

    If SAProuter is in place, clients have to specify a route string to connect:

    /H/saprouter/S/3299/H/sapprd1/S/3200

    Access is controlled through an ACL file called the Route Permission Table. Entry format:

    P/S/D src_host dst_host dst_port pwd

    First-match criteria. If no entry matches, the connection is denied.

  • 54 2008

    The Route Permission Table

    Case Study: SAProuter Security Assessment

    Route Permission Table Example:

    D host1 host2 serviceX
    P 192.168.1.* host2 * pass123
    S 10.1.*.* 10.1.2.* *
    D * * * *

    Route Permission Table in real life:

    D host1 host2 serviceX
    P 192.168.1.* host2 * pass123
    S 10.1.*.* 10.1.2.* *
    P * * * *

  • 55 2008

    SAProuter Security Assessment with sapyto

    Case Study: SAProuter Security Assessment

    The saprouterSpy plugin performs internal network port scans through the SAProuter, discovers new targets and configures them for auditing by other plugins.

  • 56 2008

    SAProuter Security Assessment: sapytoAgents

    Case Study: SAProuter Security Assessment

    Native Routing: SAProuter also supports the routing of native protocols. Useful for remote administration of Operating Systems, DBs, etc. Certain limitations apply.

    The saprouterAgent plugin deploys a sapytoAgent, which can be used to proxy native connections (HTTP, SSH, Telnet, etc.) to internal systems.

  • 57

    2008


    Protection / Countermeasure

    SAProuter should be implemented in a separate DMZ. Use VPNs and/or restrict connections at the border Firewall. The Route Permission Table should restrict access only to allowed parties, to specific targets and ports. SNC should be required. Entries containing wildcards (*) are discouraged and should be carefully analyzed.

  • 58 2008

    Conclusions

    Wrapping up

  • 59 2008

    Conclusions

    It's impossible to cover all the activities of an SAP Pentest in a one hour talk!
    SAP systems deal with sensitive business information and processes. The integrity, confidentiality and availability of this information is critical.
    SAP systems security is often overlooked during the implementation phase, in order to avoid business delays.
    SAP security is much more than User Roles/Profiles and Authorizations!
    By default, some configurations would expose the systems to high risk threats.
    SAP provides many ways to secure systems and communications. Administrators should enable security settings as soon as possible.
    Pentesting your SAP systems will let you know the current security level of your implementation (and show your managers why you need resources to secure it :P )
    CYBSEC's sapyto supports activities of all phases of the project.
    SAP Penetration Tests should be carried out in controlled environments, performed by qualified experts in the subject.

  • 60 2008

    References

    Attacking the Giants: Exploiting SAP Internals White-paper
    http://www.cybsec.com/upload/bh-eu-07-nunez-di-croce-WP_paper.pdf

    John The Ripper Patch for SAP hashes
    http://marc.info/?l=john-users&m=121444075820309&w=2

    sapyto
    http://www.cybsec.com/EN/research/sapyto.php

    CYBSEC's SAP Security Services
    http://www.cybsec.com/EN/services/SAP_security.php

    SAP Note 931252 - Security Note: Authority Check for Function Group SRFC.
    SAP Note 618516 - Security-related enhancement of RFCEXEC program.
    SAP Note 1237762 - ABAP systems: Protection against password hash attacks.

  • 61 2008

    Questions?

  • 62 2008

    Thank you!

    www.cybsec.com