Erp security joris-van_de_vis_sap_security_sitnl_2015_v0.2
SAP Security - SAP Hana - Backdoors - SAP Security baseline

Published in: Technology

  1. Introduction
     Whoami

  2. Topics
     - James Bond kind of espionage; it's real
     - A practical example of a backdoor
     - SAP HANA security
     - SAP Security baseline

  3. Not a sexy topic
     SAP Security, not always a sexy topic. But…

  4. 007, secret service activities
     • Corporate espionage
     • State-sponsored espionage
     • 'Regular' cybercrime
     • Politically motivated cybercrime
     • Backdoors

  5. James Bond kind of espionage, it's real

  6. It's China… they say…

  7. SAP and backdoors?
     SAP building backdoors for the NSA. Far fetched? Yes, strongly denied by SAP and in my belief also not true. But what if there are backdoors SAP or customers are not aware of…? A practical example…

  8. The challenge
     In order to effectively secure an SAP platform, you need to understand and secure all of its systems, components, infrastructure layers and related vulnerabilities and threats. To break an SAP platform you only need one flaw/vulnerability! If you are the good guy, you have to work harder! But first…

  9. A backdoor into SAP; you need one of these 3
     So, to fully compromise an SAP system we need at least one of the following:
     • Gain SAP_ALL rights on the application layer
     • Get access to the operating system as <sid>adm
     • Get access to the database, in particular the SAP schema
     Getting access to one of the above means you have access to all three.

  10. A backdoor into SAP…
      In this scenario we will combine 3 vulnerabilities:
      1. A default user with default password for diagnostics purposes
      2. A remote wrapper to execute local function modules remotely without authorization check
      3. A local function module to execute native SQL without authorization check
      Business risk: leads to a full compromise of your business-critical data.

  11. Some details on the 3 vulnerabilities
      1. Default user with default password for diagnostics purposes
         • User SMDAGENT_<SID> is used by the Wily host agent for gathering diagnostics
         • It gets created via the Solution Manager "Managed System Configuration" in Solution Manager 7.0
         • Exists not only in Solution Manager, but also in backend systems
      2. Local function to execute native SQL without authorization check
         • Function module /SDF/RBE_NATSQL_SELECT can be used to execute native SQL
         • Lacks authorization check
      3. Remote wrapper without authorization check
         • Function module /SDF/GEN_PROXY can be used to execute local function modules remotely
         • Lacks authorization check

  12. Demo
      Select password hashes from the database
      Brute force privileged SAP accounts
      Gain access to the SAP Solution Manager

  13. Post-exploitation
      From there?
      • Use (trusted) RFCs to the world
      • Use your imagination
      • And take over the world
      Try and take over the world!

  14. Mitigation
      How to protect?
      • Change the password of, or delete, user SMDAGENT_<SID>
      • Apply OSS note 1774432 (CVSS score 4.6)
      • Apply OSS note 1727914 (CVSS score 7.5)
      • Monitoring / logging
      Also see the SAP whitepaper https://scn.sap.com/docs/DOC-60424
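The "Monitoring / logging" item on slide 14 is the one mitigation that also catches the chain from slides 10 and 11 when the agent password was never changed. The script below is an added example, not part of the deck and not ERP Security's or SAP's code: it runs three detection rules over RFC activity records. The record layout (`timestamp user=… host=… fm=… [inner=…]`) is a constructed, simplified format for this example, not SAP's Security Audit Log format, and the host allow-list, user names and sample lines are assumptions. The two function module names come from slide 11.

```python
"""Added example: flag RFC activity matching the SMDAGENT / GEN_PROXY /
RBE_NATSQL_SELECT chain from the slides. Constructed log format, not SAP's."""
import re
from dataclasses import dataclass
from typing import List, Optional

REMOTE_WRAPPER = "/SDF/GEN_PROXY"          # slide 11: remote wrapper, no auth check
NATIVE_SQL_FM = "/SDF/RBE_NATSQL_SELECT"   # slide 11: native SQL, no auth check

# Assumption: the only host the diagnostics agent user is expected to log on from.
EXPECTED_AGENT_HOSTS = {"solman01.example.internal"}

# Constructed record layout for this example, NOT SAP's Security Audit Log.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) fm=(?P<fm>\S+)"
    r"(?: inner=(?P<inner>\S+))?$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    host: str
    severity: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one record; returns None for lines not in the constructed format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def check_record(rec: dict) -> List[Finding]:
    """Apply the three detection rules to one parsed record."""
    findings: List[Finding] = []

    def add(severity: str, reason: str) -> None:
        findings.append(Finding(rec["ts"], rec["user"], rec["host"], severity, reason))

    # Rule 1: the diagnostics user should only ever come from the Solution Manager host.
    if rec["user"].startswith("SMDAGENT_") and rec["host"] not in EXPECTED_AGENT_HOSTS:
        add("high", "diagnostics user SMDAGENT_<SID> used from an unexpected host")

    fm, inner = rec["fm"], rec.get("inner")  # inner is None when not present
    # Rule 2: the native SQL module is local; a direct remote call is not normal traffic.
    if fm == NATIVE_SQL_FM:
        add("high", f"direct remote call of {NATIVE_SQL_FM}")
    # Rule 3: the wrapper executing the native SQL module is the full chain from slide 10.
    elif fm == REMOTE_WRAPPER:
        if inner == NATIVE_SQL_FM:
            add("critical", f"{NATIVE_SQL_FM} executed through {REMOTE_WRAPPER} (full chain)")
        else:
            add("medium", f"{REMOTE_WRAPPER} used to call {inner or '<unknown>'}")
    return findings


def analyse(log_text: str) -> List[Finding]:
    """Run the rules over every parseable line of a log dump."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # a real deployment needs a parser for the real log format
        findings.extend(check_record(rec))
    return findings


# Constructed sample records. RFC_PING is a standard SAP function module used
# here as the benign case; hosts and the SID "PRD" are made up for the example.
SAMPLE_LOG = """\
2015-11-20T09:12:01 user=SMDAGENT_PRD host=solman01.example.internal fm=RFC_PING
2015-11-20T09:15:44 user=SMDAGENT_PRD host=ws-1234.example.internal fm=/SDF/GEN_PROXY inner=/SDF/RBE_NATSQL_SELECT
2015-11-20T09:16:10 user=JDOE host=ws-1234.example.internal fm=RFC_PING
2015-11-20T09:17:02 user=SMDAGENT_PRD host=ws-1234.example.internal fm=/SDF/RBE_NATSQL_SELECT
2015-11-20T09:18:30 user=JDOE host=ws-1234.example.internal fm=/SDF/GEN_PROXY inner=RFC_PING
"""

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"[{f.severity}] {f.ts} {f.user}@{f.host}: {f.reason}")
```

On the sample the first line (agent user from its expected host, benign call) produces nothing, while the second line produces two findings, one for the unexpected host and one critical finding for the wrapper-plus-native-SQL combination. After the OSS notes from slide 14 are applied, rule 3 should stop firing entirely; if it keeps firing, the patch did not reach that system.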
  15. Something about HANA security…
      [Chart: number of SAP HANA security notes per year, 2011–2015]
      With great power comes great responsibility.

  16. Running HANA? Better patch…

  17. SAP Security baseline
      SAP Security baseline template
      • Helps you when defining an SAP Security baseline
      • Contains many settings to check
      • Not only on SAP application level, but also includes database, operating system, network and frontend level
      The baseline can be accessed on the SAP Support site at https://support.sap.com/sos -> Media Library -> Security Baseline Template.

  18. Concluding
      What I hope you learned today:
      • SAP Security can be sexy
      • Defenders have to work harder
      • Don't forget the systems of the 'techies', as the SAP Solution Manager is a critical component when it comes to security
      • Patch, patch, patch
      • Check the SAP TechEd materials!
      • Read and make use of the SAP Security Baseline document

  19. Questions?

  20. Website: www.erp-sec.com
      Twitter: @jvis @erpsec
      Need more info? Contact us...

  21. Disclaimer
      SAP, R/3, ABAP, SAP GUI, SAP NetWeaver and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. The authors assume no responsibility for errors or omissions in this document. The authors do not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. The authors shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of this document. SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials. No part of this document may be reproduced without the prior written permission of ERP Security BV. © 2013 ERP Security BV.

  22. Thank you!
