
SAP attack vector: the CUA system


  1. SAP CUA as an SAP Attack Vector. Dmitry Gutsko, Business System Security Assessment Group, Positive Technologies, PHDays IV
  2. Agenda
     ― What is SAP CUA?
     ― Deployment schemes
     ― SAP CUA user privileges
     ― Attack vectors
       • Compromising a child system
       • Analysis of network packets
     ― Protection/Countermeasures
  3. What is SAP CUA? (diagram: SAP HCM, SAP CRM, SAP ECC, SAP BW and SAP FI connected to SAP CUA)
  4. What is SAP CUA? (diagram: SAP CUA central system with three child systems)
  5. SAP CUA deployment
  6. SAP CUA deployment (trusted connections)
  7. SAP CUA User Privileges (SAP Recommendations)
     ― Client side (SAP CUA child system)
       • SAP_BC_USR_CUA_CLIENT
       • SAP_BC_USR_CUA_SETUP_CLIENT
     ― Server side (SAP CUA central system)
       • SAP_BC_USR_CUA_CENTRAL
       • SAP_BC_USR_CUA_CENTRAL_BDIST
       • SAP_BC_USR_CUA_SETUP_CENTRAL
  8. SAP CUA User privileges
  9. SAP CUA User privileges
  10. SAP CUA User privileges
  11. Attack vectors
     ― Compromising the SAP CUA central system: no comments
     ― Compromising a child system
       1. Bypassing a SAP CUA child system's restrictions
       2. Escalation of privileges in the SAP CUA model
       3. Gathering information in the SAP CUA model
     ― Compromising a network
       4. Intercepting data sent between child and central systems
  12. Attack vectors (diagram: SAP CUA central system and child systems; the attacker sits on one child system, the attack target is another system in the landscape)
  13. Attack vectors (diagram): 1. Central system compromising; 2. Escalation of privileges at the central system; 3. Creating an account in a child system
  14. Attack vectors (diagram): 1. Another child system compromising; 2. Escalation of privileges in the CUA model; 3. Creating an account in a child system
  15. Bypassing a SAP CUA child system's restrictions
     ― Create a user
     ― Change a password
     ― Assign a profile
  16. Bypassing a SAP CUA child system's restrictions (video)
  17. Bypassing a SAP CUA child system's restrictions
     ― Create a user: execute FM BAPI_USER_CREATE1 (transaction SE37) in a child system
     ― Change a password: edit the USRFLDSEL table (transaction SE16n) in a child system
     ― Assign a profile/role: edit the USRFLDSEL table (transaction SE16n) in a child system
  18. Escalation of privileges in the SAP CUA model (diagram: SAP CUA central system, child systems, attacker on a child system)
  19. Escalation of privileges in the SAP CUA model (diagram)
     ― SAP CUA users: SAP_BC_USR_CUA_CLIENT, SAP_BC_USR_CUA_SETUP_CLIENT, SAP_BC_USR_CUA_CENTRAL, SAP_BC_USR_CUA_CENTRAL_BDIST, SAP_BC_USR_CUA_SETUP_CENTRAL
     ― RFC connection to the central CUA system; RFC connection to a child CUA system
     ― RSECTAB, RFCDES tables = user credentials
     ― SE37 transaction = FM remote execution
  20. Escalation of privileges in the SAP CUA model (video)
  21. Escalation of privileges in the SAP CUA model
     ― Reassign a user-system: execute FM BAPI_USER_SYSTEM_ASSIGN (SE37) (role SAP_BC_USR_CUA_SETUP_CENTRAL)
     ― Assign a profile: execute FM BAPI_USER_LOCPROFILES_ASSIGN (SE37) (role SAP_BC_USR_CUA_SETUP_CENTRAL)
     ― Assign a role: execute FM BAPI_USER_LOCACTGROUPS_ASSIGN (SE37) (role SAP_BC_USR_CUA_SETUP_CENTRAL)
     ― Gather information (continued)
  22. Gathering information about the SAP CUA model
     ― CUA users/hashes: execute FM RFC_READ_TABLE (USR02, USH02, …) in the central system (role SAP_BC_USR_CUA_CENTRAL)
     ― The CUA model: locally execute transaction SCUA; execute FM RFC_READ_TABLE (USZBVSYS, …) in the central system = CUA logs; read local tables RFCDES, RSECTAB = RFC destinations
  23. SAP Security Note 1997455
  24. Intercepting data sent between child and central systems (diagram: the SAP CUA central system distributes user accounts to child systems over RFC/IDoc (compressed), and the child system answers with an RFC/IDoc user creation confirmation; a hacker on the network sees the RFC user account to the child system and the RFC user account to the central system; sample record Usr02.Bname: PHD-USER, Usr02.Bcode: 283D7893C91674A0, Usr02.Ustyp: A, Usr02.Uflag: 0)
  25. Sending user credentials to a child system: RFC account password recovery (fields shown: UserID, encrypted password, length, value used for gamma generation, XORed password, password)
  26. Sending user credentials to a child system: user credentials data recovery
  27. Obtained account sent to a child system
     ― Get user list: execute FM BAPI_USER_GETLIST (SE37) (role SAP_BC_USR_CUA_SETUP_CLIENT)
     ― Create users: execute FM BAPI_USER_CREATE1 (SE37) (role SAP_BC_USR_CUA_SETUP_CLIENT)
     ― Assign privileges: execute FM BAPI_USER_PROFILES_ASSIGN (SE37) (role SAP_BC_USR_CUA_SETUP_CLIENT)
     ― Lock/unlock users: execute FM BAPI_USER_LOCK/BAPI_USER_UNLOCK (SE37) (role SAP_BC_USR_CUA_SETUP_CLIENT)
  28. Protection/Countermeasures
     ― Do not combine SAP systems of various security classifications in a single CUA model
     ― Delete SETUP roles for CUA users
     ― Apply Note 1997455 or modify the SAP_BC_USR_CUA_CENTRAL role
     ― Activate table logging (USRFLDSEL)
     ― Enable SNC encryption for RFC connections
     ― Use trusted connections; assign the S_RFC, S_ICF and S_RFCACL authorization objects to system users
     ― Control access to critical transactions: SM49, SE37, SCUA, ST04, …
     ― Configure an ACL for the SAP Gateway
     ― Do not forget about other clients
  29. Thank you for your attention!
  30. Additional information
     ― Transactions: SCUA – Display System Landscape (CUA model); SCUL – Log Display for Central User Administration; SCUM – User Distribution Field Selection; SCUG – Central User Administration Structure Display; SE37 – ABAP Function Modules
     ― Notes: 492589 – Minimum authorizations for communication users; 333441 – CUA: Tips for problem analysis; 376856 – Password synchronization – Single Sign-On/CUA; 1997455 – Potential information disclosure in BC-SEC-USR-ADM
     ― Tables: USZBVSYS – CUA: Assignment of Systems to Users; USRFLDSEL – CUA: Field Attributes
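One way to turn the countermeasures on slide 28 into a repeatable check, as an added example that is not part of the presentation: the landscape dictionary is a constructed description of a CUA model (not a real SAP export format), and the system names CUA, ECC and DMZ, the users CUA_ADM, CUA_RFC and DEV01 and the RFC destination names are made up.

```python
SETUP_ROLES = {"SAP_BC_USR_CUA_SETUP_CLIENT", "SAP_BC_USR_CUA_SETUP_CENTRAL"}
CRITICAL_TCODES = {"SM49", "SE37", "SCUA", "ST04"}

# Constructed sample, not a real SAP export: central system CUA, child systems
# ECC and DMZ, their CUA communication users and the central RFC destinations.
LANDSCAPE = {
    "central": "CUA",
    "systems": {"CUA": "internal", "ECC": "internal", "DMZ": "external"},
    "users": [
        {"system": "CUA", "name": "CUA_ADM",
         "roles": ["SAP_BC_USR_CUA_CENTRAL", "SAP_BC_USR_CUA_SETUP_CENTRAL"]},
        {"system": "ECC", "name": "CUA_RFC", "roles": ["SAP_BC_USR_CUA_CLIENT"]},
        {"system": "ECC", "name": "DEV01", "roles": [], "tcodes": ["SE37", "SU01"]},
    ],
    "rfc_destinations": [
        {"system": "CUA", "name": "ECC_CLNT100", "snc": False},
        {"system": "CUA", "name": "DMZ_CLNT100", "snc": True},
    ],
    "table_logging": {"ECC": ["USR02"], "DMZ": ["USR02", "USRFLDSEL"]},
}


def audit(landscape):
    """Return one finding per violated countermeasure, in slide order."""
    findings = []
    classes = set(landscape["systems"].values())
    if len(classes) > 1:  # systems of different classification in one model
        findings.append("mixed classifications in one CUA model: " + ", ".join(sorted(classes)))
    for u in landscape["users"]:
        leftover = SETUP_ROLES & set(u.get("roles", []))
        if leftover:  # SETUP roles are only needed while the CUA model is built
            findings.append(f"{u['system']}/{u['name']}: SETUP role still assigned ({', '.join(sorted(leftover))})")
        crit = CRITICAL_TCODES & set(u.get("tcodes", []))
        if crit:  # SE37 alone lets a user call the function modules named on slides 17, 21 and 27
            findings.append(f"{u['system']}/{u['name']}: critical transaction ({', '.join(sorted(crit))})")
    for d in landscape["rfc_destinations"]:
        if not d.get("snc"):  # slide 24: without SNC the RFC/IDoc traffic is only compressed
            findings.append(f"{d['system']}/{d['name']}: RFC destination without SNC")
    for system in landscape["systems"]:
        if system == landscape["central"]:
            continue  # USRFLDSEL is edited on the child side (slide 17), so log it there
        if "USRFLDSEL" not in landscape["table_logging"].get(system, []):
            findings.append(f"{system}: table logging not active for USRFLDSEL")
    return findings


if __name__ == "__main__":
    for f in audit(LANDSCAPE):
        print("FINDING:", f)
```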
