INTEGRITY
Security (A)SAP
(very) Short introduction to SAP security
Bruno Morisson <bm@integrity.pt>
INTEGRITY
About
Consultant and Partner @ INTEGRITY
Leading Consulting and Penetration Testing engagements
Breaking things,...
INTEGRITY
What is SAP ?
SAP, started in 1972 by five former IBM employees in Mannheim, Germany,
states that it is the world...
INTEGRITY
Say that again??
Customer Relationship Management (CRM)
Enterprise Resource Planning (ERP)
Product Lifecycle Man...
INTEGRITY
tl;dr
Extremely complex software that huge enterprises
depend on for business critical applications
INTEGRITY
So, what about security ?
INTEGRITY
INTEGRITY
INTEGRITY
SAP Security Notes
0
7.5
15
22.5
30
Oct’11
Dec’11
Feb’12
Apr’12
Jun’12
Aug’12
Oct’12
Dec’12
Feb’13
Apr’13
Jun’13
INTEGRITY
SAP Security Notes
INTEGRITY
How often do you upgrade a complex
business critical application ?
INTEGRITY
Common Problems
Integration
Default users/passwords
Misconfigured permissions
Lack of authentication
Cleartext pr...
INTEGRITY
Standing on the shoulders of giants
Chris John Riley - SAP (in)Security
http://www.slideshare.net/ChrisJohnRiley...
INTEGRITY
So I sneezed...
SAP Security Note 1816536 / CVE-2013-3319
INTEGRITY
SAP Security Note 1816536
21 Aug 2012 – Reported vulnerability to vendor
23 Aug 2012 – Vendor acknowledged vulne...
INTEGRITY
SAP Security Note 1816536
Summary
Symptom
An attacker can discover information relating to used Operating
System...
INTEGRITY
INTEGRITY
DEMO
INTEGRITY
INTEGRITY
SAProuter
What is SAProuter ?
SAProuter is an SAP program that acts as an intermediate station (proxy) in a
netw...
INTEGRITY
SAProuter
INTEGRITY
SAProuter
Permission From To Serv Pass
P * * 3200
S * * 3200
D * + *
INTEGRITY
SAProuter
INTEGRITY
sap_router_portscanner.rb
msf auxiliary(sap_router_portscanner) > show options
Module options (auxiliary/scanner...
INTEGRITY
DEMO
INTEGRITY
INTEGRITY
Questions ?
Upcoming SlideShare
Loading in …5
×

Security asap

6,295 views

Published on

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
6,295
On SlideShare
0
From Embeds
0
Number of Embeds
1,598
Actions
Shares
0
Downloads
15
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Security asap

  1. 1. INTEGRITY Security (A)SAP (very) Short introduction to SAP security Bruno Morisson <bm@integrity.pt>
  2. 2. INTEGRITY About Consultant and Partner @ INTEGRITY Leading Consulting and Penetration Testing engagements Breaking things, and finding how to fix them OSCP, CISSP-ISSMP, CISA, ISO27001LA Currently doing the MSc in Information Security @ Royal Holloway, University of London. Organizing BSidesLisbon 2013 @morisson http://www.linkedin.com/in/morisson
  3. 3. INTEGRITY What is SAP ? SAP, started in 1972 by five former IBM employees in Mannheim, Germany, states that it is the world's largest inter-enterprise software company and the world's fourth-largest independent software supplier, overall. The original name for SAP was German: Systeme, Anwendungen, Produkte, German for "Systems Applications and Products." The original SAP idea was to provide customers with the ability to interact with a common corporate database for a comprehensive range of applications. Gradually, the applications have been assembled and today many corporations, including IBM and Microsoft, are using SAP products to run their own businesses. Source: http://searchsap.techtarget.com/definition/SAP
  4. 4. INTEGRITY Say that again?? Customer Relationship Management (CRM) Enterprise Resource Planning (ERP) Product Lifecycle Management (PLM) Supply Chain Management (SCM) Supplier Relationship Management (SRM)
  5. 5. INTEGRITY tl;dr Extremely complex software that huge enterprises depend on for business critical applications
  6. 6. INTEGRITY So, what about security ?
  7. 7. INTEGRITY
  8. 8. INTEGRITY
  9. 9. INTEGRITY SAP Security Notes 0 7.5 15 22.5 30 Oct’11 Dec’11 Feb’12 Apr’12 Jun’12 Aug’12 Oct’12 Dec’12 Feb’13 Apr’13 Jun’13
  10. 10. INTEGRITY SAP Security Notes
  11. 11. INTEGRITY How often do you upgrade a complex business critical application ?
  12. 12. INTEGRITY Common Problems Integration Default users/passwords Misconfigured permissions Lack of authentication Cleartext protocols Command Injection Buffer overflows SQLi XSS XXE SSRF ...
  13. 13. INTEGRITY Standing on the shoulders of giants Chris John Riley - SAP (in)Security http://www.slideshare.net/ChrisJohnRiley/sap-insecurity-scrubbing-sap-clean-with-soap David Hartley (nmonkee) - SAP Slappin’ http://labs.mwrinfosecurity.com/publications/2012/04/27/sap-slapping/ Mariano di Croce - The SAProuter http://conference.hitb.org/hitbsecconf2010ams/materials/D2T2%20-%20Mariano%20Nunez %20Di%20Croce%20-%20SAProuter%20.pdf Alexander Polyakov - Breaking SAP portal http://erpscan.com/presentations/breaking-sap-portal-from-hashdays-2012/
  14. 14. INTEGRITY So I sneezed... SAP Security Note 1816536 / CVE-2013-3319
  15. 15. INTEGRITY SAP Security Note 1816536 21 Aug 2012 – Reported vulnerability to vendor 23 Aug 2012 – Vendor acknowledged vulnerability 22 Oct 2012 – Vendor contact, with status update 23 Jan 2013 – Contacted vendor, requesting status update 23 Jan 2013 – Vendor replied with status update 9 Apr 2013 – Vendor releases patch 9 Jul 2013 – Advisory released
  16. 16. INTEGRITY SAP Security Note 1816536 Summary Symptom An attacker can discover information relating to used Operating System Version, Databases Version who uses SAP Host Agent. This information could be used to allow the attacker to specialize their attacks against the Operating System and Databases Software.
  17. 17. INTEGRITY
  18. 18. INTEGRITY DEMO
  19. 19. INTEGRITY
  20. 20. INTEGRITY SAProuter What is SAProuter ? SAProuter is an SAP program that acts as an intermediate station (proxy) in a network connection between SAP Systems, or between SAP Systems and external networks. SAProuter controls the access to your network (application level gateway), and, as such, is a useful enhancement to an existing firewall system (port filter).                   Figuratively speaking, the firewall acts as an impenetrable wall around your network. However, since particular types of connections need to penetrate this wall, a “hole” has to be made in the firewall. SAProuter assumes the control of this hole.                             Source: http://help.sap.com/saphelp_nw70/helpdata/en/4f/992d39446d11d189700000e8322d00/content.htm
  21. 21. INTEGRITY SAProuter
  22. 22. INTEGRITY SAProuter Permission From To Serv Pass P * * 3200 S * * 3200 D * + *
  23. 23. INTEGRITY SAProuter
  24. 24. INTEGRITY sap_router_portscanner.rb msf auxiliary(sap_router_portscanner) > show options Module options (auxiliary/scanner/sap/sap_router_portscanner): Name Current Setting Required Description ---- --------------- -------- ----------- CONCURRENCY 1 yes The number of concurrent ports to check per host INSTANCES 00-99 no SAP instance numbers to scan (NN in PORTS definition) MODE SAP_PROTO yes Connection Mode: SAP_PROTO or TCP (accepted: SAP_PROTO, TCP) PORTS 32NN yes Ports to scan (e.g. 3200-3299,5NN13) RHOSTS 192.168.1.175 yes The target address range or CIDR identifier SAPROUTER_HOST 192.168.1.25 yes SAPRouter address SAPROUTER_PORT 3299 yes SAPRouter TCP port THREADS 1 yes The number of concurrent threads msf auxiliary(sap_router_portscanner)
  25. 25. INTEGRITY DEMO
  26. 26. INTEGRITY
  27. 27. INTEGRITY Questions ?

×