www.erp-sec.com
All about SAP Security (except authorizations)
DISCLAIMERS
Disclaimer 1: This presentation is not comprehensive; SAP platform security is a very wide area of expertise (the focus here is on part of the ABAP stack).
Disclaimer 2: We do not encourage hacking/cracking whatsoever in ANY form. This presentation is here to help you gain insight and awareness of some specific SAP platform security topics and into the minds of seasoned computer criminals, so that you can forestall their attempts and pre-empt all harmful attacks. Hacking IS illegal!
TOPICS COVERED
The following topics are covered and "glued together" into a scenario: "How to get rich in 5 simple steps" (OK, that can be less, but where's the fun in that?!)
1 Use Default users
2 Use OS command execution
3 Use Password parameters
4 Use The power of RFC calls
5 Use SAP Gateway
Meet FBI's most wanted BlackHat hacker: Miss G!
1. Default Accounts
Risk: Well, that's an open door!
Mitigation:
• RSUSR003 to check
• Deactivate SAP* by setting parameter login/no_automatic_user_sapstar = 1 and create SAP* in clients where it does not exist
• Change passwords / lock accounts
• Not only on PRD, but on the ENTIRE landscape
• Don't delete SAP*/DDIC
• Don't forget TMSADM!
More info:
• http://help.sap.com
• OSS note 1568362
2. OS command execution
Info: SM49/SM69 and RSBDCOS0 are known and can be protected. But other flaws exist in SAP that allow OS command injection. Just reported 5 vulnerable FMs to the SAP Security team.
Risk: Execution of OS commands is dangerous when done from application level, since the <SID>adm user is highly privileged and has a database trust. Become the <SID>adm user and the DB is yours!!
Mitigation:
• PATCH, make sure security notes are implemented, secure <SID>adm with strong authentication, and don't give SAP_ALL.
More info:
• http://www.bizec.org/wiki/Controlled_Operating_System_(OS)_Command_Execution
• The SAP Security notes
3. Password parameters
Info: Some default password parameters have settings that need to be adjusted. Two important ones:
• login/password_downwards_compatibility = 1
• login/min_password_lng = 6
Risk: Weak password hashes can be easily brute-forced.
Mitigation: If your landscape is NW 7.0 or newer, set parameter login/password_downwards_compatibility = 0, delete old hashes and make sure hashes are protected in the USR tables, or disable passwords if you use SSO. No SSO? Set login/min_password_lng >= 8.
More info:
http://help.sap.com/saphelp_nw70/helpdata/en/22/41c43ac23cef2fe10000000a114084/content.htm
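The profile parameters from slides 1 and 3 can be audited offline against an exported profile file. The following checker is an added example, not code from the presentation or from SAP; the profile fragment is constructed for illustration, and the recommended values are the ones stated on the slides (login/no_automatic_user_sapstar = 1, login/password_downwards_compatibility = 0, login/min_password_lng >= 8 when SSO is not in use).

```python
# Audit an SAP profile (DEFAULT.PFL / instance profile) for the password and
# SAP* parameters discussed on the slides. Added example; assumptions:
# profile lines are "name = value", lines starting with '#' are comments.

# parameter -> (predicate on the integer value, why it matters)
RECOMMENDATIONS = {
    "login/no_automatic_user_sapstar": (
        lambda v: v == 1,
        "must be 1 so a deleted SAP* cannot be used with its hard-coded password"),
    "login/password_downwards_compatibility": (
        lambda v: v == 0,
        "should be 0 on NW 7.0+ so only the strong hash is generated and stored"),
    "login/min_password_lng": (
        lambda v: v >= 8,
        "should be >= 8 when passwords are used (no SSO); shipped default is 6"),
}

def parse_profile(text):
    """Return {parameter: raw value} for an SAP profile text; comments are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        params[name] = value
    return params

def audit_profile(params):
    """Return a list of (parameter, current value, reason) for every deviation."""
    findings = []
    for name, (is_ok, why) in RECOMMENDATIONS.items():
        if name not in params:
            # Not set explicitly: the kernel default applies, which differs per
            # release, so report it and have the admin set it on purpose.
            findings.append((name, "<not set>", "relies on kernel default; " + why))
            continue
        raw = params[name]
        try:
            value = int(raw)
        except ValueError:
            findings.append((name, raw, "non-numeric value; " + why))
            continue
        if not is_ok(value):
            findings.append((name, raw, why))
    return findings

# Constructed profile fragment showing the weak, as-shipped settings.
SAMPLE_PROFILE = """\
# constructed DEFAULT.PFL fragment, not from a real system
SAPSYSTEMNAME = PRD
login/no_automatic_user_sapstar = 0
login/password_downwards_compatibility = 1
login/min_password_lng = 6
"""

if __name__ == "__main__":
    for name, value, why in audit_profile(parse_profile(SAMPLE_PROFILE)):
        print(f"{name} = {value}: {why}")
```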
4. The power of RFC calls
Info: Many times I hear "It is only a system user, so it cannot be abused". Think again! And no SAP system is needed for that; there are RFC SDKs for many programming languages!
Risk: Almost any action/transaction in SAP can also be performed by RFC calls via non-dialog users.
Mitigation:
• Implement SAP Gateway protection. It can by DEFAULT be used to execute remote OS commands as <SID>adm
• Make sure to implement proper network segmentation with firewalls, so no RFC calls can be made from frontends
• Protect non-dialog users by using strong passwords (and do not give them SAP_ALL)
• Only create RFC destinations with stored credentials or system trust from systems of higher security classification to systems of lower security classification (e.g. from PRD -> DEV; never trust DEV systems in a PRD system, never EVER have an RFC destination with a SAP_ALL user from Sandbox to PRD, etc.)
5. SAP Gateway
Info: This component handles RFC traffic. It exists on all SAP ABAP systems and even on some JAVA systems nowadays. By default it is totally unprotected.
Risk: Execution of OS commands as the <SID>adm user (remember the DB trust!?). This component has a HIGH risk.
Mitigation:
• Implement ACLs via reg_info and sec_info.
• Network segmentation to prevent RFC execution from the user network
• Much more specific information: see the SAP Security guides