
Attacks on SAP Mobile


  1. Invest in security to secure investments. Attacks on SAP Mobile. Vahagn Vardanyan, ERPScan
  2. Vahagn Vardanyan: SAP and web application researcher; specialist degree in information security; @vah_13
  3. About ERPScan
      • The only 360-degree SAP security solution: ERPScan Security Monitoring Suite for SAP
      • Leader by the number of acknowledgements from SAP (150+)
      • 60+ presentations at key security conferences worldwide
      • 25 awards and nominations
      • Research team: 20 experts with experience in different areas of security
      • Headquarters in Palo Alto (US) and Amsterdam (EU)
  4. Agenda
      • About SAP Mobile Platform: SAP Control Center, SAP SQL Anywhere services, SAP Mobile Server
      • SAP Mobile Platform vulnerabilities: decrypting the GIOP protocol, XXE in SAP Control Center, CSRF in SMP 3.0, Cassini 1.0, SQL Anywhere BoF, SAP EMR Unwired SQL injection
      • Conclusion
  5. SAP Mobile Platform
  6. SMP architecture
  7. SMP protocols by release (columns: SUP 2.1.3, SUP 2.2, SMP 2.3, SMP 3.0; an x marks support)
      • SMP Messaging: x x x x
      • SMP Replication: x x x x
      • HTTP REST API: x x x
      • SAP Agentry: x x
  8. SMP services: SAP Control Center, SAP SQL Anywhere services, SAP Mobile Server
  9. SAP Control Center
      • Working process: sccservice.exe
      • Open ports: 2100 (Messaging service), 8282/8283 (SCC), 9999 (RMI)
  10. SMP services: SAP Control Center, SAP SQL Anywhere services, SAP Mobile Server
  11. SQL Anywhere
      • Version 3: 1992 …
      • Version 10: 2006, renamed SQL Anywhere (high availability, intra-query parallelism, materialized views)
      • Version 11: 2008 (full text search, BlackBerry support)
      • Version 12: 2010 (support for spatial data)
      • Version 16: April 18, 2013 (faster synchronization and improved security)
  12. SQL Anywhere
  13. SMP services: SAP Control Center, SAP SQL Anywhere services, SAP Mobile Server
  14. SAP Mobile Server components: MobiLink, AdminWebServices, MlsrvWrapper, InfoboxMultiplexer, OBMO, JMSBridge
  15. SAP Mobile Server (MobiLink)
  16. AdminWebServices
      • Uses Cassini Web Server 1.0
      • Listens on local port 5100
  17. SAP Mobile Platform vulnerabilities
  18. Decrypting the SAP Mobile Platform GIOP protocol
  19. Decrypting the SAP Mobile Platform GIOP protocol
      • GIOP (General Inter-ORB Protocol) is the abstract protocol by which object request brokers (ORBs) communicate
      • Used by mlsrv16.exe (MobiLink) on port 2000
  20. XXE in the SAP Mobile Platform portal page (CVE-2015-2813)
  21. XXE in the SAP Mobile Platform portal page…
  22. XXE in the SAP Mobile Platform portal page…
      • Portal URL: https://IP_ADDR:8283/scc
      • web.xml & services-config.xml
      • C:\SAP\SCC-3_2\services\EmbeddedWebContainer\container\Jetty-7.6.2.v20120308\work\jetty-0.0.0.0-8282-scc.war-_scc-any-\webapp\WEB-INF\web.xml
      • <servlet-mapping> <servlet-name>MessageBrokerServlet</servlet-name> <url-pattern>/messagebroker/*</url-pattern> </servlet-mapping>
  23. …XXE…
      • C:\SAP\SCC-3_2\services\EmbeddedWebContainer\container\Jetty-7.6.2.v20120308\work\jetty-0.0.0.0-8282-scc.war-_scc-any-\webapp\WEB-INF\flex\services-config.xml
      • ********************************
        <channel-definition id="scc-http" class="mx.messaging.channels.HTTPChannel"> <endpoint url="http://{server.name}:{server.port}/scc/messagebroker/http" class="flex.messaging.endpoints.HTTPEndpoint" /> </channel-definition>
        ********************************
      • Message broker endpoints:
        1. /scc/messagebroker/amfpolling
        2. /scc/messagebroker/amfsecurepolling
        3. /scc/messagebroker/http
        4. /scc/messagebroker/httpsecure
        5. /scc/messagebroker/amflongpolling
  24. …XXE
  25. Read file with XXE: C:\SAP\MobilePlatform\Servers\UnwiredServer\Repository\Instance\com\sybase\sup\server\SUPServer\sup.properties contains sup.imo.upa = 457ba103a46559486a81350d552a9e47fb085927eb6df0ccc79231bc3d
  26. Decrypt sup.imo.upa
  27. SAP Mobile Platform: unauthenticated access to other servlets
      • Architecture and program vulnerabilities in SAP's J2EE engine (BlackHat USA 2011)
      • web.xml files revealed hidden methods to: read and generate logs
  28. Prevention: install SAP security note 2125358 (SAP Mobile Platform XXE vulnerability)
  29. CSRF in SMP 3.0
  30. CSRF in SMP 3.0
  31. CSRF in SMP 3.0
  32. CSRF in SMP 3.0: affected administrative methods
      • addAdministrator
      • addRepository
      • removeServerLogs
      • createApplication
      • createBackendConnection
      • ********************
  33. Prevention: install SAP security note 2114316 (SAP Mobile Platform CSRF vulnerability)
  34. Cassini 1.0
  35. AdminWebService
      POST /MobileOffice/Admin.asmx/AddAdminUser HTTP/1.1
      Host: 127.0.0.1
      Content-Type: application/x-www-form-urlencoded
      Content-Length: length

      strUserName=Admin2&strActivationCode=123QWEasd&iExpirationHours=100
  36. AdminWebService
  37. SAP SQL Anywhere buffer overflow / code execution (CVE-2015-2819)
  38. SAP SQL Anywhere BoF / code execution
      • CVE-2008-0912: the MobiLink server is affected by a heap overflow that happens during the handling of strings such as username, version, and remote ID (all pre-auth) that are longer than 128 bytes
      • CVE-2014-9264: stack-based buffer overflow in the .NET Data Provider in SAP SQL Anywhere allows remote attackers to execute arbitrary code via a crafted column alias
  39. First PSH request
  40. First PSH request
  41. SQL Anywhere BoF
  42. Prevention: install SAP security note 2108161 (Denial of service in SAP SQL Anywhere)
  43. SAP EMR Unwired SQL injection (CVE-2013-7096)
  44. SAP EMR Unwired SQL injection
      • CVE-2013-7096 (CVSS 7.5)
      • AndroidManifest.xml: <provider android:name=".providers.ModiDataDbProvider" android:authorities="com.sap.mobi.docsprovider" />
      • Content URIs:
        1. content://com.sap.mobi.docsprovider/documents/offline_cat
        2. content://com.sap.mobi.docsprovider/documents/offline/
        3. content://com.sap.mobi.docsprovider/documents/sample
        4. content://com.sap.mobi.docsprovider/documents/online
        5. content://com.sap.mobi.docsprovider/documents/offline_auth
        6. content://com.sap.mobi.docsprovider/documents/offline
        7. content://com.sap.mobi.docsprovider/documents/online_auth
        8. content://com.sap.mobi.docsprovider/documents/sample/
        9. content://com.sap.mobi.docsprovider/documents/online_cat
  45. Prevention: install SAP security note 1864518 (Security Improvements for MOB-APP-EMR-AND)
  46. Conclusion
      • SAP Guides
      • Regular security assessments
      • Monitoring technical security
      • Segregation of Duties
      • Security events monitoring
  47. About ERPScan: Each SAP landscape is unique and we pay close attention to the requirements of our customers and prospects. ERPScan development team constantly addresses these specific needs and is actively involved in product advancement. If you wish to know whether our scanner addresses a particular aspect, or simply have a feature wish list, please e-mail us. We will be glad to consider your suggestions for the future releases or monthly updates.
      • USA HQ: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA 94301
      • EU HQ: Luna ArenA, 238 Herikerbergweg, 1101 CM Amsterdam
      • www.erpscan.com, info@erpscan.com

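The XXE slides (CVE-2015-2813) show that the SCC portal's /scc/messagebroker/* endpoints accepted XML whose DOCTYPE could declare an external entity, which is how sup.properties was read. The standard server-side mitigation is to refuse any document that declares a DTD at all, before the real parser sees it. The following is an added example written for this page, not ERPScan's or SAP's code; it uses only the Python standard library, and the two AMFX-style request bodies are constructed for the demonstration (the file path in the second one is a placeholder, not a real location).

```python
"""Reject XML that carries a DOCTYPE before handing it to the application parser.

Added example, not code from the talk or from SAP. The check uses expat's own
tokenizer (StartDoctypeDeclHandler) rather than a regex, so a DOCTYPE hidden
behind comments or unusual whitespace is still caught. Any document without a
DTD cannot define entities, internal or external, so XXE is off the table.
"""
import xml.parsers.expat
import xml.etree.ElementTree as ET


class DoctypeNotAllowed(ValueError):
    """Raised when an inbound document declares a DTD."""


def has_doctype(data: bytes) -> bool:
    """Return True if `data` contains a <!DOCTYPE ...> declaration."""
    found = False

    def on_doctype(name, sysid, pubid, has_internal_subset):
        nonlocal found
        found = True

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError:
        # Malformed input is rejected downstream anyway; for the DOCTYPE
        # question the handler has already answered by the time we get here.
        pass
    return found


def safe_parse(data: bytes) -> ET.Element:
    """Parse only DTD-free documents; raise DoctypeNotAllowed otherwise."""
    if has_doctype(data):
        raise DoctypeNotAllowed("DTD/DOCTYPE declarations are not accepted")
    return ET.fromstring(data)


def classify(data: bytes) -> str:
    """Gateway-style decision: 'rejected' or 'accepted:<root tag>'."""
    try:
        root = safe_parse(data)
    except DoctypeNotAllowed:
        return "rejected"
    return "accepted:" + root.tag


# Constructed sample bodies of the kind a Flex HTTP channel carries.
CLEAN_BODY = b'<amfx ver="3"><body><object><string>ping</string></object></body></amfx>'
XXE_BODY = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE amfx [<!ENTITY cfg SYSTEM "file:///PLACEHOLDER/sup.properties">]>'
            b'<amfx ver="3"><body><string>&cfg;</string></body></amfx>')
# DOCTYPE after a comment: a regex anchored at the document start would miss it.
HIDDEN_DOCTYPE_BODY = b'<!-- keepalive --><!DOCTYPE amfx><amfx ver="3"/>'

if __name__ == "__main__":
    for label, body in (("clean", CLEAN_BODY), ("xxe", XXE_BODY),
                        ("hidden", HIDDEN_DOCTYPE_BODY)):
        print(label, classify(body))
```

The check runs before any entity could be expanded, so it does not depend on the version-specific defaults of the downstream parser; pair it with the vendor note (2125358) rather than using it instead of the patch.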
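The CSRF slides list state-changing SMP 3.0 administrative calls (addAdministrator, addRepository, removeServerLogs, createApplication, createBackendConnection) that could be triggered by a page the logged-in administrator visits, because the browser attaches the session cookie on its own. The defence pattern is a synchronizer token: a per-session secret that the legitimate UI echoes back in the request body and that a cross-site page cannot read. The block below is an added example written for this page, not SAP's or ERPScan's code; the AdminService class, its request dict layout and the audit list are all assumptions standing in for the real HTTP handling.

```python
"""Synchronizer-token check for state-changing admin calls (added example).

Not SAP's or ERPScan's code. Requests are plain dicts: `cookie_session` plays
the session cookie the browser sends automatically, `form` is the POST body.
The action names are the ones listed on the CSRF slide.
"""
import hmac
import secrets

ADMIN_ACTIONS = {"addAdministrator", "addRepository", "removeServerLogs",
                 "createApplication", "createBackendConnection"}


class AdminService:
    def __init__(self):
        self.sessions = {}           # session id -> csrf token (assumed store)
        self.administrators = ["admin"]
        self.audit = []              # (outcome, action, session id), for monitoring

    def login(self):
        """Return (session id, csrf token); the UI embeds the token in its pages."""
        sid = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        self.sessions[sid] = token
        return sid, token

    def handle(self, request: dict) -> dict:
        sid = request.get("cookie_session")
        action = request.get("action")
        form = request.get("form", {})
        if sid not in self.sessions:
            return {"status": 401, "reason": "no session"}
        if action not in ADMIN_ACTIONS:
            return {"status": 400, "reason": "unknown action"}
        expected = self.sessions[sid].encode()
        presented = str(form.get("csrf_token", "")).encode()
        # Constant-time comparison so the check itself leaks nothing.
        if not hmac.compare_digest(expected, presented):
            self.audit.append(("csrf_rejected", action, sid))
            return {"status": 403, "reason": "missing or bad csrf token"}
        self._perform(action, form)
        self.audit.append(("ok", action, sid))
        return {"status": 200}

    def _perform(self, action, form):
        if action == "addAdministrator":
            self.administrators.append(form["name"])
        # The other listed actions are not modelled in this example.


def demo():
    """Legitimate call vs. a forged one riding the same cookie."""
    svc = AdminService()
    sid, token = svc.login()
    good = svc.handle({"cookie_session": sid, "action": "addAdministrator",
                       "form": {"csrf_token": token, "name": "ops2"}})
    # Forged: the cookie arrives automatically, the token does not.
    forged = svc.handle({"cookie_session": sid, "action": "addAdministrator",
                         "form": {"name": "unwanted"}})
    rejected = [a for a in svc.audit if a[0] == "csrf_rejected"]
    return good["status"], forged["status"], list(svc.administrators), len(rejected)


if __name__ == "__main__":
    print(demo())
```

The audit entries give the SOC something to alert on: a burst of csrf_rejected events against administrative actions from one session is worth a look even after note 2114316 is installed.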
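The SAP EMR Unwired slides (CVE-2013-7096) expose a content provider, com.sap.mobi.docsprovider, with several document URIs. On Android, a provider's query() receives a selection string from the calling app; if the provider splices it into SQL, any app on the device can reshape the query. The following added example, written for this page and not the EMR app's code, models a documents table in sqlite3 and shows the same crafted input against a concatenating query and a parameterized one. The table layout, rows and the DOCUMENT_TYPES allow-list (built from the path segments on the slide) are constructed for the demonstration.

```python
"""Content-provider style query: concatenated selection vs. bound parameters.

Added example, not the EMR Unwired app's code. `query_unsafe` mimics a
provider that pastes the caller's selection into SQL; `query_safe` allow-lists
the URI path segment and binds values, so caller input is never parsed as SQL.
"""
import sqlite3

# Document types taken from the URI path segments on the slide (constructed allow-list).
DOCUMENT_TYPES = {"offline", "offline_cat", "offline_auth",
                  "online", "online_cat", "online_auth", "sample"}


def make_db():
    """In-memory stand-in for the provider's database (constructed rows)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, "
                "type TEXT, name TEXT, owner TEXT)")
    con.executemany(
        "INSERT INTO documents (type, name, owner) VALUES (?, ?, ?)",
        [("offline", "q1_report", "alice"),
         ("offline", "budget", "bob"),
         ("online_auth", "session_doc", "system"),
         ("sample", "demo", "public")])
    return con


def query_unsafe(con, doc_type, selection):
    """Vulnerable shape: the caller's selection becomes part of the SQL text."""
    sql = (f"SELECT name FROM documents WHERE type='{doc_type}' "
           f"AND {selection} ORDER BY id")
    return [row[0] for row in con.execute(sql)]


def query_safe(con, doc_type, owner):
    """Hardened shape: validated path segment plus bound parameters."""
    if doc_type not in DOCUMENT_TYPES:
        raise ValueError("unknown document type in URI")
    sql = "SELECT name FROM documents WHERE type=? AND owner=? ORDER BY id"
    return [row[0] for row in con.execute(sql, (doc_type, owner))]


def demo():
    """Same crafted owner value through both paths, plus a legitimate lookup."""
    con = make_db()
    crafted = "nobody' OR 1=1 --"
    # Concatenated: the OR clause widens the filter to every row, other types included.
    leaked = query_unsafe(con, "offline", f"owner='{crafted}")
    # Bound: the whole string is compared as an owner value and matches nothing.
    bound = query_safe(con, "offline", crafted)
    legit = query_safe(con, "offline", "alice")
    return leaked, bound, legit


if __name__ == "__main__":
    print(demo())
```

On Android the bound version corresponds to passing values through selectionArgs and validating the UriMatcher path, the same fix direction as note 1864518; the allow-list also stops a caller from reaching tables the provider never meant to expose.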