Sitnl erp sec-2011

986 views

Published on


This presentation tries to raise awareness on SAP Security (Platform security). Some default settings that might need adjustment are shown.

Published in: Business, Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
986
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
21
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Sitnl erp sec-2011

  1. 1. www.erp-sec.comAll about SAP Security (except authorizations) 1
  2. 2. DISCLAIMERSDisclaimer 1: This presentation is not comprehensive, SAP platform security is a very wide area of expertise (focus is on part of the Abap stack here)Disclaimer2: We do not encourage Hacking/Cracking whatsoever in ANY form. This presentation is here to help you gain inside and get awareness on some specific SAP platform security and into the minds of seasoned computer criminals, so that you can forestall their attempts and pre- empt all harmful attacks. Hacking IS illegal!
  3. 3. TOPICS COVEREDFollowing topics are covered and „glued together‟ intoa scenario: ”How to get rich in 5 simple steps”(OK, that can be less, but where‟s the fun in that?!) 1 Use Default users 2 Use OS command execution 3 Use Password parameters 4 Use The power of RFC calls 5 Use SAP Gateway Meet FBI‟s most wanted BlackHat hacker: Miss G! 3
  4. 4. Miss G! 4
  5. 5. 1.Default AccountsRisk:Well, that‟s an open door!Mitigation:•Rsusr003 to check•Deactivate sap* by setting parameter login/no_automatic_user_sapstar = 1and create SAP* in clients where it does not exist•Change passwords/Lock accounts•Not only on PRD, but on the ENTIRE landscape•Don‟t delete SAP*/DDIC•Don‟t forget TMSADM!More info:•http://help.sap.com•Oss note1568362
  6. 6. DEMO: Default Accounts
  7. 7. 2. OS command executionInfo: SM49/SM69, RSBDCOS0 are known and can beprotected. But other flaws exist in SAP that allow OS commandinjection. Just reported 5 vulnerable FM‟s to SAP Security team.Risk: Execution of OS commands is dangerous when donefrom application level since the <SID>adm user is highlyprivileged and has a database trust. Become the <SID>admuser and the DB is yours !!Mitigation:•PATCH, make sure security notes are implemented, secure<SID>adm with strong authentication, and don‟t give SAP_ALL.More info:•http://www.bizec.org/wiki/Controlled_Operating_System_(OS)_Command_Execution•The SAP Security notes
  8. 8. DEMO: OS command execution
  9. 9. 3. Password parametersInfo: Some default password parameters have settings thatneed to be adjusted. Two important ones:• login/password_downwards_compatibility = 1• login/min_password_lng = 6Risk: Weak password hashes can be easily bruteforcedMitigation: If your landscape is NW 7.0 or newer; setparameter login/password_downwards_compatibility = 0, deleteold hashes and make sure hashes are protected in USR tablesor disable passwords if you use SSO. No SSO? Setlogin/min_password_lng >= 8More info:http://help.sap.com/saphelp_nw70/helpdata/en/22/41c43ac23cef2fe10000000a114084/content.htm
  10. 10. DEMO: Password parameters
  11. 11. 4. The power of RFC callsInfo: Many times I hear “It is only a system user, so it cannotbe abused”. Think again! And no SAP system is needed for that,there are RFCSDK‟s for many programming languages!Risk:Almost any action/transaction in SAP can also beperformed by RFC Calls via non-dialog--users.Mitigation:• Implement SAP Gateway protection. It can by DEFAULT be used to execute remoteOS commands as <SID>ADM• Make sure to implement proper network segmentation with Firewalls, so no RFCcalls can be made from frontends• Protect non-dialog users by using strong passwords (and do not give themSAP_ALL)•only create RFC destinations with stored credentials or system trust from systems ofhigher security classification to systems of lower security classification (e.g. fromPRD -> DEV, never trust DEV systems in a PRD system, never EVER have a RFCwith SAP_ALL user from Sandbox to PRD, etc.)
  12. 12. DEMO: The power of RFC calls
  13. 13. 5. SAP GatewayInfo: This component handles RFC traphic. It exists on all SAPABAP systems and even on some JAVA nowadays. By default itis totally unprotectedRisk: Execution of OS commands as <SID>adm user(remember the DB trust!?). This component has a HIGH risk.Mitigation:•Implement ACL via reg_info and sec_info.•Network segementation to prevent RFC execution from usernetwork•Much more specific information, see SAP Security guides
  14. 14. 5. SAP Gateway DEMO: The Gateway
  15. 15. 5. SAP Gateway DEMO: The Gateway
  16. 16. 5. SAP Gateway Questions?THANK YOU!Any Questions?

×