
Exploiting unexploitable SAP vulnerabilities


Speakers: Dmitry Chastuhin and Dmitry Yudin

Blah-blah-blah SAP. Blah-blah-blah large companies. Blah-blah-blah hacks worth millions of dollars. That is how every talk about SAP usually starts. But this time everything will be different. It has been a while since we heard stories about brutal exploitation and unusual vulnerabilities. Time to go all in! The speakers will explain (and demonstrate) how to gain full control over a system using a series of minor vulnerabilities in SAP services.

Published in: Technology


  1. Getting access to the SAP server via SAP Management Console. Dmitry Chastuhin, Dmitry Yudin
  2. About us: business application security expert, yet another security researcher, ERPScan
  3. About us: security researcher, reverse engineer, ERPScan
  4. About ERPScan • The only 360-degree SAP security solution: ERPScan Security Monitoring Suite for SAP • Leader by the number of vulnerabilities in SAP and Oracle (500+) • 100+ presentations at key security conferences worldwide • 30+ awards and nominations • Research team: 20 experts with experience in different areas of security • Headquarters in Amsterdam (EU), offices in the USA, Australia, Denmark
  5. About what? • No blah-blah-blah about how important it is to spend time and money on SAP security (critically important) • No blah-blah-blah about best practices • No junk hacking • Just a little story about how we got yet another RCE in SAP
  6. SAP
  7. Target • SAP and the web? – XSS, CSRF, double-blind self-clickjacking, whatever • SAP and ABAP/Java? – RFC, servlets, ABAP code, transactions • SAP and additional services? – Log Viewer, SDM, notepad, archives • Instead, let's try some reverse engineering of the core binary
  8. DISP+WORK.EXE • dw = disp+work = Dispatcher & Work process, "the complete kernel": this is where the complete ABAP is processed ...
  9-11. DISP+WORK.EXE • The binary has a considerable size: ≈ 51 MB • IDA database size: ≈ 133 MB • Network communication is difficult to debug
  12. DISP+WORK.EXE • Difficulties with debugging network communication: any child process can handle the request, so it is difficult to guess the PID of the process to attach to
  13. DISP+WORK.EXE
  15. Instance profile cfg: rdisp/TRACE = 2, rdisp/TRACE_RESOLUTION = 2, rdisp/TRACE_LOGGING = on, rdisp/TRACE_HIDE_SEC_DATA = off, rdisp/TRACE_COMPS = 2, enque/TRACE = 2, alert/TRACE = 2, service/trace = 2, rdisp/configurable_wp_no = 0, rdisp/wp_max_no = 0, rdisp/wp_no_dia = 1, rdisp/wp_no_btc = 0, rdisp/wp_no_vb = 0, rdisp/wp_no_vb2 = 0, rdisp/wp_no_spo = 0
  16. The same instance profile cfg, highlighting the number of configurable work processes (rdisp/configurable_wp_no = 0 … rdisp/wp_no_spo = 0)
  18-19. Actually it can be processed by one worker. By only one worker  But …
  20. DISP+WORK.EXE • Where is jstart???
  21-22. Before … / After … Yoo-hoo, JSTART?!?? …
  23. DISP+WORK.EXE • JSTART
  24. Reverse engineering of DISP+WORK.EXE • GOAL
  25-26. Reverse engineering of DISP+WORK.EXE • But – It's too difficult – It's too big – I'm too lazy – RCE takes too much time (maybe)
  27. SEEK AND DESTROY • How about some new targets?
  28. SEEK AND DESTROY • disp+work – here the complete ABAP is processed • gwrd – SAP Gateway • icman (icm) – SAP Web Application Server • jstart – SAP AS Java instance • sapstart – SAP starter • igswd_mt – SAP IGS (Internet Graphics Service) • igsmux_mt – SAP IGS • igspw_mt – SAP IGS
  30-31. SAPSTARTSRV • How about SAPSTARTSRV? • SAP Management Console
  32. SAPSTARTSRV • ≈ 15 MB • LISTEN tcp 0 0.0.0.0:5NN13 • SOAP – SAPControl:OSExecute  • But  – we need authentication
  33. Reverse engineering of SAPSTARTSRV • IsTrustedInternalConnect() – JsfOpenShm() – JsfCheckShmKeyString() – JsfCloseShm()
  34. Reverse engineering of SAPSTARTSRV • IsTrustedInternalConnect() – hardcoded user names • "{2D4A6FB8-37F1-43d7-88BE-AD279C89DCD7}": user name for requests with a temporary local logon ticket • "{221BA44F-F88E-4166-BB2B-E2541910B86A}": UNDOCUMENTED HARDCODED USER NAME
  35-36. Reverse engineering of SAPSTARTSRV • IsTrustedInternalConnect() • How about a hardcoded password?
  37-38. SHM • IsTrustedInternalConnect() – JsfOpenShm() – JsfCheckShmKeyString() – JsfCloseShm()
  39. SHM • What is SHM?
  40. Shared memory • SHM (shared memory) is an efficient means of passing data between programs: one program creates a memory region which other processes (if permitted) can access
  41-44. Shared memory • IsTrustedInternalConnect() – JsfOpenShm() - ok – JsfCheckShmKeyString() - ??? – JsfCloseShm() - ok
  45-49. Shared memory • JsfCheckShmKeyString() – What is this key? • The password for authentication on SAPSTARTSRV – Is this key static? • No: Rng_PseudoRandomInit, Rng_PseudoRandom, Rng_CompleteUpdate; key length 36 bytes – Can we guess this key (if not static)? • No – Can we brute-force this key? • No
  50. Shared memory • JsfCheckShmKeyString()
  51-53. ShmKey … BUT … if we try to debug a little
  54. authBypassOSExec_poc.py
  55. DEMO 1
  56-58. ShmKey … • The "random" ShmKeyString is – "xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAx"
  59. Random ShmKey … AWESOME
  60. ShmKey … Why? "xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAx"
  61. JsfCheckShmKeyString() – Read the raw (binary) key from shared memory – Convert the key to a readable format – Add 'x' to the beginning and 'x' to the end of the key  (why?) – Check the key against the user input – Return the result
  63-65. In our case xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAx is the printable representation of the raw key. Hex dump: 00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 00000020 00 • Some shared memory problems?
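Slides 61 to 65 describe the check well enough to model it: the raw key is read from shared memory, rendered printable, wrapped in 'x' and compared with what the client sent, so a segment that was never written (all zeros) renders to the fixed string and is accepted. The following is an added example, not SAP's or ERPScan's code: a model of that check next to a hardened variant that fails closed when the key was never generated. The raw key length (34 bytes, 36 characters once wrapped) and the readable encoding (one character of a 64-symbol alphabet per raw byte, so 0x00 becomes 'A') are assumptions; the slides do not give the real encoding.

```python
"""Model of the shared-memory key check described for JsfCheckShmKeyString(), plus a
hardened variant that refuses an uninitialised key.

Added example, not SAP's or ERPScan's code. Assumptions: the raw key is KEY_LEN bytes and
the 'readable format' maps each raw byte to one character of a 64-symbol alphabet
(0x00 -> 'A'); the real encoding is not on the slides. The 'x' wrapping is as slide 61 describes.
"""
import hmac
import string

KEY_LEN = 34  # assumption: 34 raw bytes -> 36-character key once wrapped in 'x' ... 'x'
_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def render_key(raw: bytes) -> str:
    """Convert the raw key to its readable form and add 'x' at both ends (slide 61)."""
    return "x" + "".join(_ALPHABET[b % len(_ALPHABET)] for b in raw) + "x"


def check_key_as_described(shm: bytes, user_input: str) -> bool:
    """The check as the talk describes it: whatever is in shared memory is the key.

    If the key was never generated (jstart not running), the segment is all zeros,
    which renders to 'xAAA...Ax', so a client presenting that string passes.
    """
    return hmac.compare_digest(render_key(shm).encode(), user_input.encode())


def check_key_hardened(shm: bytes, user_input: str) -> bool:
    """Fail closed: a key of the wrong length, or one that was never written, is not a key."""
    if len(shm) != KEY_LEN or shm == bytes(KEY_LEN):
        return False
    return hmac.compare_digest(render_key(shm).encode(), user_input.encode())


# Constructed inputs: a zero-filled segment (no key generated) and a deterministic "generated" key.
UNINITIALISED_SHM = bytes(KEY_LEN)
GENERATED_SHM = bytes(range(1, KEY_LEN + 1))
DEGENERATE_KEY = render_key(UNINITIALISED_SHM)  # 'x' + 'A' * 34 + 'x'


if __name__ == "__main__":
    print("degenerate key:", DEGENERATE_KEY)
    print("as described, uninitialised segment:", check_key_as_described(UNINITIALISED_SHM, DEGENERATE_KEY))
    print("hardened, uninitialised segment:", check_key_hardened(UNINITIALISED_SHM, DEGENERATE_KEY))
    print("hardened, generated key:", check_key_hardened(GENERATED_SHM, render_key(GENERATED_SHM)))
```

The hardened variant only adds a length check and an all-zero check before the constant-time comparison; the point is that the key check must not treat "no key has been written yet" as a valid key, which is what the rest of the talk turns into a remote RCE by keeping jstart from starting.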
  66-68. Random ShmKey … Do you remember … the profile cfg … and jstart, which never started …
  69. Instance profile cfg: rdisp/TRACE = 1337, rdisp/TRACE_RESOLUTION = 1337, rdisp/TRACE_LOGGING = on, rdisp/TRACE_HIDE_SEC_DATA = off, rdisp/TRACE_COMPS = 7, enque/TRACE = 7, alert/TRACE = 7, service/trace = 7, rdisp/configurable_wp_no = 0, rdisp/wp_max_no = 0, rdisp/wp_no_dia = 1, rdisp/wp_no_btc = 0, rdisp/wp_no_vb = 0, rdisp/wp_no_vb2 = 0, rdisp/wp_no_spo = 0
  70-71. Instance profile cfg with all of those lines commented out (#rdisp/TRACE = 1337, #rdisp/TRACE_RESOLUTION = 1337, #rdisp/TRACE_LOGGING = on, #rdisp/TRACE_HIDE_SEC_DATA = off, #rdisp/TRACE_COMPS = 7, #enque/TRACE = 7, #alert/TRACE = 7, #service/trace = 7, #rdisp/configurable_wp_no = 0, #rdisp/wp_max_no = 0, #rdisp/wp_no_dia = 1, #rdisp/wp_no_btc = 0, #rdisp/wp_no_vb = 0, #rdisp/wp_no_vb2 = 0, #rdisp/wp_no_spo = 0) + RESTART SYSTEM
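The profile slides (15-16 and 69-71) show the lab settings that kept jstart from starting and also left secrets in trace files (rdisp/TRACE_HIDE_SEC_DATA = off). Those are exactly the parameters a defender wants checked automatically in an instance profile. The following is an added example, not code from the talk or from ERPScan: a parser for profile lines (key = value, with '#' starting a comment, so a commented-out line sets nothing) and an audit that flags the trace settings that matter for security. The sample profiles are constructed from the slide text; the policy (trace level above 1 is debug-only, an absent rdisp/TRACE_HIDE_SEC_DATA is treated as the default 'on') is my assumption.

```python
"""Audit trace-related parameters in a SAP instance profile.

Added example (not from the talk). Profile syntax assumed: one 'key = value' per line,
'#' starts a comment, so a commented-out line sets nothing.
"""

# Constructed from slide 69: the lab profile with verbose tracing and secrets left in traces.
LAB_PROFILE = """\
rdisp/TRACE = 1337
rdisp/TRACE_RESOLUTION = 1337
rdisp/TRACE_LOGGING = on
rdisp/TRACE_HIDE_SEC_DATA = off
rdisp/TRACE_COMPS = 7
enque/TRACE = 7
alert/TRACE = 7
service/trace = 7
rdisp/configurable_wp_no = 0
rdisp/wp_max_no = 0
rdisp/wp_no_dia = 1
"""

# Constructed from slide 70: the same lines commented out, so kernel defaults apply again.
COMMENTED_PROFILE = "\n".join("#" + line for line in LAB_PROFILE.splitlines()) + "\n"

# Trace-level parameters shown on the slides; anything above 1 is treated as debug-only.
TRACE_LEVEL_PARAMS = ("rdisp/TRACE", "enque/TRACE", "alert/TRACE", "service/trace")


def parse_profile(text: str) -> dict:
    """Return the effective key/value pairs; comments and blank lines are ignored."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params


def audit_trace_settings(params: dict) -> list:
    """Return one finding per risky trace setting; an empty list means clean."""
    findings = []
    # Assumption: the kernel default for this parameter is 'on', so only an explicit 'off' is flagged.
    if params.get("rdisp/TRACE_HIDE_SEC_DATA", "on").lower() == "off":
        findings.append("rdisp/TRACE_HIDE_SEC_DATA = off: security-relevant data is written to trace files")
    for key in TRACE_LEVEL_PARAMS:
        value = params.get(key)
        if value is not None and value.isdigit() and int(value) > 1:
            findings.append(f"{key} = {value}: trace level above 1 left enabled")
    return findings


if __name__ == "__main__":
    for name, text in (("lab profile", LAB_PROFILE), ("commented-out profile", COMMENTED_PROFILE)):
        print(f"{name}: {audit_trace_settings(parse_profile(text)) or ['clean']}")
```

Run against the slide 69 profile the audit reports five findings (the hidden-secrets switch plus four trace levels); against the commented-out version it reports nothing, which matches the slide's point that commenting the lines out and restarting brought the system back to its defaults.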
  72-76. Random ShmKey … • After restart – jstart started – the "random" ShmKeyString is indeed random – this key is NOT working: "xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAx"
  77. HOW TO CONVERT THIS BUG INTO REMOTE RCE WITHOUT MODIFYING THE LOCAL PROFILE (PF)?
  78-83. HOW ABOUT JSTART … Plan A: run authBypassOSExec_poc.py (with the "magic key"), try to kill jstart (for now only locally): $ killall -r jstart -9
  84. • AND
  86-88. PLAN B • Ok, time for plan B • ICMAN …
  90-91. PLAN B • Q: How do you think it killed both jstart and icman at the same time? • A:
  93. PLAN B • ICMAN: $ authBypassOSExec_poc.py, then $ killall -r icman -r jstart -9
  94. DEMO 2
  95-97. REMOTE RCE • PLAN – Run authBypassOSExec_poc.py (with the magic key) – Find a remote DoS for jstart – Find a remote DoS for icman
  98. JSTART • JSTART – application server for Java
  99-102. JSTART DoS • DoS after ≈ 3 days • Possible race condition • jstart restarts after a crash • EASY TARGET ^_^
  103. JSTART DoS • Multiple requests: "\x00\x00\x00\x1cNI_RTERR\x00y\x04\x00\x00ASD\x00\x00\x00\x04DAAAAAAA"
  104-106. ICM • ICM …
  107. ICM • The ICM (Internet Communication Manager) is a component of the SAP NetWeaver Application Server. It is implemented as a separate process, which is started and monitored by the ABAP dispatcher • One of the core components of SAP
  108. ICM – Binary name icman.exe – Size 5.7 MB – IDA db ≈ 100 MB – One of the core components of SAP => heavily audited
  109-111. ICM • ICM (icman) … CVE details: last DoS found in 2014 … via unknown vectors
  112-115. ICM DoS • DoS after … not so easy … after ≈ 35 days + some weekends
  116. ICM DoS • Multiple requests: 'get / HTTP/1.0\r\nhost:\r\ncookie: ;\x0c%s\r\n\r\n' % ("\x0c" * 0x1b58) • icman restarts after a crash
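The crash request on slide 116 is malformed in ways a front end or a detection rule can recognise before it reaches icman: a lowercase method and a Cookie header filled with form-feed (0x0c) bytes, which RFC 7230 does not allow in a header field value. The following is an added example, mine rather than the talk's, that inspects raw HTTP/1.x request heads for exactly those properties; the crash request is reconstructed from the slide and the benign request is constructed for comparison. The rule set is an assumption about what is worth flagging, not a description of how icman itself parses requests.

```python
"""Flag HTTP/1.x request heads that carry control bytes in header values or an unusual
request line. Added example (not from the talk); the rules are mine.
"""
import re

# RFC 7230: a field value may contain visible ASCII, SP, HTAB and obs-text; other control
# bytes may not appear. CR/LF never occur inside a value once the head is split on CRLF.
_CTL = re.compile(rb"[\x00-\x08\x0a-\x1f\x7f]")
_STANDARD_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"TRACE", b"PATCH", b"CONNECT"}

# Reconstructed from slide 116: the request pattern that crashed icman after about 35 days.
CRASH_REQUEST = b"get / HTTP/1.0\r\nhost:\r\ncookie: ;\x0c%s\r\n\r\n" % (b"\x0c" * 0x1b58,)
# Constructed benign request for comparison.
BENIGN_REQUEST = b"GET / HTTP/1.1\r\nHost: example.test\r\nCookie: session=abc123\r\n\r\n"


def inspect_request(raw: bytes) -> list:
    """Return a list of findings for one request head; an empty list means nothing suspicious."""
    findings = []
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    request_line = lines[0] if lines else b""
    parts = request_line.split(b" ")
    # Methods are case-sensitive tokens; 'get' is not a standard method.
    if len(parts) != 3 or parts[0] not in _STANDARD_METHODS or not parts[2].startswith(b"HTTP/"):
        findings.append(f"unusual request line: {request_line[:40]!r}")
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            findings.append(f"malformed header line: {line[:40]!r}")
            continue
        ctl = _CTL.findall(value)
        if ctl:
            findings.append(
                f"{name.decode('ascii', 'replace')}: {len(ctl)} control byte(s) in value, first {ctl[0]!r}"
            )
    return findings


if __name__ == "__main__":
    for label, req in (("crash request", CRASH_REQUEST), ("benign request", BENIGN_REQUEST)):
        print(f"{label}: {inspect_request(req) or ['clean']}")
```

On the reconstructed request the inspector reports two findings, the non-standard method and 7001 control bytes in the cookie value; the benign request produces none. A reverse proxy that enforces the same field-value grammar in front of the ICM, or a log rule on the same pattern, gives a signal for this class of request long before a crash counter does.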
  117. PROBLEMS … • Race conditions … • If we kill jstart before icman => NO RCE • Small gap for the magic key between jstart and icman start
  118. Video 3 - RCE
  119. Solutions … • ICM DoS: SAP note 2256185 (Dmitry Yudin) • jstart DoS: SAP note 2259547 (Dmitry Yudin) • MC auth bypass: SAP note 2259547 (Dmitry Chastuhin, Dmitry Yudin)
  120. Conclusion • Don't give up: if you can't exploit a vulnerability using one issue, try to find another way to trigger it • Holistic approach + correlation (code, SoD, vulnerabilities) • Probably a lot of vulnerabilities still exist at the binary level of different SAP services • Have fun!
  121. About • 228 Hamilton Avenue, Fl. 3, Palo Alto, CA 94301, USA HQ • Luna ArenA, 238 Herikerbergweg, 1101 CM Amsterdam, EU HQ • www.erpscan.com • info@erpscan.com • @_chipik • @ret5et
