CONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to us

Invest in security
to secure investments
All your SAP P@$$w0ЯdZ belong to us
Dmitry Chastukhin – Director of SAP pentest/research team

ERPScan
Leading SAP AG partner in the field of discovering security
vulnerabilities by the number of found vulnerabilities
• Developing software for SAP security monitoring
• Talks at 40+ security conferences worldwide: BlackHat
(US/EU/DC/UAE), RSA, Defcon, CONFidence, HITB, etc.
• First to develop software for NetWeaver J2EE assessment
• The only solution to assess all areas of SAP security
• Research team with experience in different areas of security from
ERP and web security to mobile, embedded devices, and critical
infrastructure, accumulating their knowledge on SAP research.
• Local partner : PBSG. www.pbsg.pl
2erpscan.com ERPScan — invest in security to secure investments

Dmitry Chastukhin
Business application security
expert
Yet another security
researcher

SAP
• The most popular business application
• More than 250000 customers worldwide
• More than 83 % of Forbes 500 run SAP
• More than 40 % of ERP market in Poland

SAP security
Espionage
• Stealing financial information
• Stealing corporate secrets
• Stealing supplier and customer lists
• Stealing HR data
Fraud
• False transactions
• Modification of master data
Sabotage
• Denial of service
• Modification of financial reports
• Access to technology network (SCADA) by trust relations

Is it remotely exploitable?
> 5000 non-web SAP services exposed in the world
including Dispatcher, Message server, SapHostControl, etc.
sapscan.com

What about other services?
0
1
2
3
4
5
6
7
8
9
SAP Dispatcher SAP MMC SAP Message Server SAP HostControl SAP ITS Agate SAP Message Server
httpd
World

SAP MMC – overview
• MMC is installed by default on port 5<ID>13
• Used for remote management of SAP servers
• Commands executed via SOAP interface
• By default, SSL is not implemented
• Administrative password transmitted using basic auth (Base64)
• By sniffing this password, we can get full control over the server
erpscan.com 8ERPScan — invest in security to secure investments

SAP MMC – attacks
• Many attacks can be implemented without authentication
• Attacks can be executed by sending SOAP requests
• Mostly, it is information disclosure and denial of service
• Also, OS command execution

Advanced MMC attacks
<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xs="http://www.w3.org/2001/XMLSchema">
<SOAP-ENV:Header>
<sapsess:Session
xmlns:sapsess="http://www.sap.com/webas/630/soap/features/session/">
<enableSession>true</enableSession>
</sapsess:Session>
</SOAP-ENV:Header>
<SOAP-ENV:Body>
<ns1:ReadLogFile xmlns:ns1="urn:SAPControl">
<filename>j2ee/cluster/server0/log/system/userinterface.log</filename>
<filter/>
<language/>
<maxentries>%COUNT%</maxentries>
<statecookie>EOF</statecookie>
</ns1:ReadLogFile>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

PWN
If an attacker can read a file from server OS,
they can get clear text passwords of SAP users
and, as a result, compromise the SAP system

Default passwords

Default passwords
User name Password
SAP* 06071992
PASS
DDIC 19920706
TMSADM PASSWORD
$1Pawd2&
EARLYWATCH SUPPORT
SAPCPIC ADMIN

Passwords on client side

SAPGUI: History of ActiveX attacks
erpscan.com 15
Date Component Author Vulnerability Link
04.01.2007 Rfcguisink Mark Litchfield BOF http://www.ngssoftware.com/advisories/high-risk-vulnerability-in-enjoysap-stack-
overflow/
04.01.2007 Kwedit Mark Litchfield BOF http://www.ngssoftware.com/advisories/high-risk-vulnerability-in-enjoysap-stack-
overflow/
07.11.2008 Mdrmsap Will Dormann BOF http://www.securityfocus.com/bid/32186/info
07.01.2009 Sizerone Carsten Eiram BOF http://www.securityfocus.com/bid/33148/info
31.03.2009 WebWiewer3D Will Dormann BOF http://www.securityfocus.com/bid/34310/info
15.04.2009 Kwedit Carsten Eiram Insecure Method http://secunia.com/secunia_research/2008-56/
08.06.2009 Sapirrfc Alexander Polyakov (ERPScan) BOF http://erpscan.com/advisories/dsecrg-09-015-sap-gui-6-4-buffer-overflow-vulnerability/
28.09.2009 WebWiewer3D Alexander Polyakov (ERPScan) Insecure Method http://erpscan.com/advisories/dsecrg-09-043-sap-gui-7-1-webviewer2d-activex-
%e2%80%94-insecure-methods/
28.09.2009 WebWiewer2D Alexander Polyakov (ERPScan) Insecure Method http://erpscan.com/advisories/dsecrg-09-044-sap-gui-7-1-webviewer3d-activex-insecure-
methods/
07.10.2009 VxFlexgrid Elazar Broad ,
Alexander Polyakov (ERPScan)
BOF http://erpscan.com/advisories/dsecrg-09-017-sap-gui-vsflexgrid-activex-%e2%80%94-
buffer-overflow-vulnerability/
23.03.2010 BExGlobal Alexey Sintsov (ERPScan) Insecure Method http://erpscan.com/advisories/dsecrg-09-064-sap-gui-7-1-insecure-method-code-
execution/
unpublished Kwedit Alexander Polyakov, Alexey
Troshichev (ERPScan)
Insecure Method
14.12.2010 RFCSDK Alexey Sintsov (ERPScan) Memory Corruption http://erpscan.com/advisories/dsecrg-09-069-sap-rfc-sdk-%e2%80%94-format-string/
14.12.2010 RFCSDK Alexey Sintsov (ERPScan) Format String http://erpscan.com/advisories/dsecrg-09-070-sap-rfc-sdk-%e2%80%94-memory-
corruption/
unpublished Alexander Polyakov (ERPScan) Insecure Method
22.12.2010 NWBC Alexey Sintsov (ERPScan) Memory Corruption http://erpscan.com/advisories/dsecrg-10-010-zdi-10-290-sap-netweaver-business-client-
sapthemerepository-activex-control-remote-code-execution-vulnerability/
ERPScan — invest in security to secure investments

• Attack via ActiveX
‒ A lot of issues with RCE inside (1519966, 1327004, 1092631, …)
• Attack via client bugs
‒ Buffer overflow in saplogon.exe (1504547)
What after that?
SapLogon shortcuts!
Often, lazy users store password for SAP account in shortcuts

[System]
Name=DM0
Description=Test Sap Server
Client=800
[User]
Name=SAP*
Language=EN
Password=PW_48B7231FD1FE390C
[Function]
Title=myShortcut
Command=se16
[Configuration]
WorkDir=C:Documents and SettingsAdministratorMy DocumentsSAPSAP GUI
[Options]
Reuse=1
This is how a typical shortcut looks like…
File: <name>.sap

[Label]
Key1=myShortcut
[Command]
Key1=-
desc="Test Sap Server"
-sid="DM0"
-clt="800"
-u="SAP*"
-l="EN"
-tit="myShortcut"
-cmd="se16"
-wd="C:Documents and SettingsAdministratorMy DocumentsSAPSAP GUI"
-ok="/nse16"
-pwenc="PW_48B7231FD1FE390C"
…or like that
File: sapshortcut.ini

pwenc="PW_48B7231FD1FE390C"
PW_48B7231FD1FE390C
48B7231FD1FE390C
I used this password: 06071992
Looks like XOR encryption

• After a few experiments, we found out:
– Yes, this is XOR
– Yes, the key is static for all SAPLogon
• The key is:
788113…dc49b0

• …and the PY code to decrypt
key="788…"
def sxor(s1,s2):
return ''.join(chr(ord(a) ^ ord(b)) for a,b in
zip(s1,s2))
enc_pass="PW_48B7231FD1FE390C"
dec_pass=sxor(enc_pass[3:].decode("hex"),key.decode("hex"))
print "Decoded password is: "+dec_pass

Prevention
• Don’t use SAPGUI 6.4 (there are no patches for
some vulns)
• Patch SAPGUI with the latest SP
• Don’t store password in shortcuts
(HKCUSoftwareSAPSAPShortcutSecurity EnablePassword=0)
• Make sure that you do not activate the storage
of passwords in SAP shortcuts
• Authentication security for SAP shortcuts:
http://help.sap.com/SAPHELP_NWPI71/helpdata/en/4d/dc9db9bc
0e02cfe10000000a42189b/content.htm

Passwords from USR02, USH02,
USRPWDHISTORY

USR02 password hash
• Well known password area
• Hash algorithm:
– CODVN A
– CODVN B (MD5-based)
– CODVN D (MD5-based)
– CODVN E (MD5-based)
– CODVN F (SHA1-based)
– CODVN G (Code versions B & F)
– CODVN H (SHA-1-based)
– CODVN I (Code versions B, F & H)
• Just use John the Ripper

Prevention
• Use the latest algorithm
• SAP Note 2467: Password rules and preventing incorrect logons
• SAP Note 721119: Logon with (delivered) default user fails
• SAP Note 735356: Special character in passwords; reactivation not possible
• SAP Note 862989: New password rules as of SAP NetWeaver 2004s
• SAP Note 874738: New password hash calculation procedure (code version E)
• SAP Note 991968: Value list for login/password_hash_algorithm
• SAP Note 1023437: Downwardly incompatible passwords since NW2004s
• SAP Note 1237762: Protection against password hash attacks
• SAP Note 1300104: CUA – New password hash procedures - Background
information
• SAP Note 1458262: Recommended settings for password hash algorithms
• SAP Note 1484692: Protect read access to password hash value tables
• SAP Note 1488159: SUIM – RSUSR003 – Incorrect results for CODVN = F

Passwords from RFC request

• If an attacker caches an RFC request with logon data, he will be:
– Happy because he got the login and password
– Upset because the password is encrypted
– Happy because the encryption is just a XOR (lol)
– Happy because the key is static
313ec…a4021
– Very happy because he got the clear text password

• …and the PY code to decrypt
key="313e…"
def sxor(s1,s2):
return ''.join(chr(ord(a) ^ ord(b)) for a,b in
zip(s1,s2))
enc_pass=“<pwd_there>"
dec_pass=sxor(enc_pass.decode("hex"),key.decode("hex"))

Prevention
• Secure RFC connection using SNC
• SAP Security Note 1724516
• RFC and SNC:
http://help.sap.com/saphelp_nw70ehp2/helpdata/en/72/e52c405
7cb185de10000000a1550b0/content.htm

erpscan.com 31
SAP Visual Admin password

SAP VisualAdmin
erpscan.com 32
• SAP Visual Admin – a remote tool for controlling J2EE Engine
• Uses the P4 protocol – SAP’s proprietary
• By default, all data transmitted in cleartext
• P4 can be configured to use SSL to prevent MitM
• Passwords are transmitted by some sort of encryption

SAP VisualAdmin data

Insecure password encryption in P4
erpscan.com 34
/* 87 */ char mask = 43690; //aaaa hex
/* 88 */ char check = 21845; //5555 hex
/* 89 */ char[] result = new char[data.length + 1];
/* */
/* 91 */ for (int i = 0; i < data.length; ++i) {
/* 92 */ mask = (char)(mask ^ data[i]);
/* 93 */ result[i] = mask;
/* */ }
/* 95 */ result[data.length] = (char)(mask ^ check);
/* */
/* 97 */ return result;

Prevention
• Secure P4 connection using SSL
• Using P4 protocol over a secure connection:
http://help.sap.com/saphelp_nw73ehp1/helpdata/en/48/2d9ba88
aef4bb9e10000000a42189b/content.htm

SAP JAVA Security Storage

SecStore
• The AS Java stores security-relevant information encrypted in a
file in the file system
• The AS Java stores the following security-relevant information in
files in the file system:
– Database user SAP<SID>DB and its password
– Database connection information
– Administrator user and its password
• Secure storage file is located at :
usrsap<SID>SYSglobalsecuritydataSecStore.properties

SecStore
$internal/version=Ni4zFF4wMSeaseforCCMxegAfx
admin/host/TTT=7KJuOPPs/+u+14jM7uy7cy7exrZuYvevkSrPxwueur2445yxgBS
admin/password/TTT=7KJuOPPs/+uv+14j56vDc7M7v7dytbGbkgqDp+QD04b0Fh
jdbc/pool/TTT=7KJuOPPs/+u5jM6s1cvvgQ1gzFvarxuUzEJTHTJI0VGegH
admin/port/TTT=7KJuOPPs/+u+1j4vD1cv6ZTvd336rzEd7267Rwr4ZUgRTQ
$internal/check=BJRrzfjeUA+bw4XCzdz16zX78ufbt
$internal/mode=encrypted
admin/user/TTT=7KJuOPPs/+u+14j6s14sTxXU3ONl3rL6N7yssV75eC6/5S3E
• The AS Java uses the SAP Java Cryptography Toolkit to encrypt
the information in the secure store using the TripleDES
algorithm. The encryption is performed during the AS Java
installation process
• Let’s look deeper

SecStore
• OK. TripleDES. We heed a key for decryption
• The main problem is that the key file is located in the same
directory as the encrypted data:
usrsap<SID>SYSglobalsecuritydataSecStore.key
• The key consists of two parts:
– Version information
– Encrypted key phrase

SecStore
• Version information. It affects the TripleDES key
– If version >= 7.00.000, then the Triple DES key = key phrase + <SID>
• Encrypted key phrase
– By default, it is the initial password which the administrator sets up during
SAP system installation. Often, this phase equals to the DB password or an
SAP administrator account password (SAP*, DDIC, J2EE_Admin, etc.)
– For encrypting the key phrase, XOR algorithm with static key is used
43,-74…,-41,-67
• That’s why, if an attacker only got the SecStore.key file, they can
also get access into SAP, because they have the initial password

SecStore
• OK. We have the encrypted passwords (SecStore.properties)
• We have the decrypted key (SecStore.key)
• We can get all sensitive information from Security Storage
• As I said, data’s encrypted by the TripleDES algorithm
• More precisely, the encryption uses the TripleDES algorithm in
CBC mode using a secret key which is derived from a password
with the SHA hash algorithm
– The key is the key phrase from SecStore.key + <SID> (if version >=
7.00.000)
– The salt is the value 0000000000000000

SecStore
• We also wrote a tool which decrypts all the stuff from SAP JAVA
AS Security Storage (SecStore_Cr.jar)
• Also, SAP Secure Store file can have another name (ex.
JUpgrade.properties) and store other interesting data, like:
– Password for SAP OS user (SIDADM)
– DB password
– DDIC password
– etc…

Prevention
• Install SAP Note 1619539
• Restrict read access to files SecStore.properties,
JUpgrade.properties, and SecStore.key
• Managing secure storage in the file system:
http://help.sap.com/saphelp_nw70ehp2/helpdata/en/cd/14c93ec2
f7df6ae10000000a114084/content.htm

Passwords from log files

Log files
• We know about many places where SAP writes logs
• Administrator can define the verbosity level
• Attacker can found many interesting things in log files:
information about the system, information about the users,
even session information
• Very interesting path with logs: /sapinst_instdir/
But what about passwords?

Log files
• Passwords in SAP log files looks like that:
dev_umconfigurator.trc

Log files
• Sometimes, we can find a clear text password
sapinst_dev.<n>.log

Log files
• Sometimes, we can find an encrypted password

Log files
• Guess what type of encryption is used? 
• Right! XOR with a static hardcoded key:
31…65d
• As a result, we have a decryptor:
key="31…5d"
def sxor(s1,s2):
return ''.join(chr(ord(a) ^ ord(b)) for a,b in zip(s1,s2))
def prepare(val):
encoco=val.split("|")
rez=""
for a in encoco:
rez= rez + str(hex(int(a)).replace("0x",""))
return rez
encr=prepare(raw_input("Enter encrypted password:"))
dec_pass=sxor(encr.decode("hex"),key.decode("hex"))

Log files
• The same story with the config file
usrsap<SID>configusagetypes.properties

Prevention
• Don’t use TRACE_LEVEL = 3
• Delete traces when work is finished
• Mask security-sensitive data in HTTP access log
• Incrementing/decrementing the trace level:
https://help.sap.com/saphelp_nwpi71/helpdata/en/46/962416a5a
613e8e10000000a155369/content.htm

Passwords from SLD config file

SLD
• SLD is the central information repository for your system
landscape
• It contains information about:
– technical systems
– landscapes
– business systems
– products
– software components in your system landscape

SLD password files
• Configuration file: usrsap<sid>DVEBMGS<nn>exe
slddest.cfg
– User name with DataSupplierLD role
– User password (wooot!)
– Host name
– Port
Encrypted by DES algorithm in the early version of SLD
Static default key is: 0A…71F
But if user specifies the key, then the key file is stored near the
encrypted data file in slddest.cfg.key

SLD password files
• In the latest versions of SLD, another algorithm is used:
TripleDES with hardcoded key

Prevention
• Restrict read access to file slddest.cfg
and slddest.cfg.key
• Configuring sldreg and transferring data to
SLD:
http://help.sap.com/saphelp_nw70/helpdata/en/42/ea5ff4b5d6
1bd9e10000000a11466f/content.htm

Passwords from ABAP SecStore

Password from RSECTAB
• The secure storage is a component of the SAP Web Application
Server ABAP
• It allows the encrypted storage of sensitive data that SAP
applications require when logging into other systems
• These SAP applications use the storage to store passwords:
– RFC destinations
– Exchange Infrastructure (XI)
– LDAP system users
– SAPphone
– SAPconnect
– CCMS (Generic Request and Message Generator)
• Table RSECTAB
select rawtohex(DATA) from SAPSR3.RSECTAB

• TripleDES 3DES mode: DES-EDE3
• The triple DES algorithm uses the DES-EDE3 method where a 24
byte key is supplied. This means there are three DES operations
in the sequence encrypt-decrypt-encrypt with the three
different keys. The first key will be bytes 1 to 8, the second key
bytes 9 to 16 and the third key bytes 17 to 24
• Two rounds

• First round
• Encrypt:
– char randomPreﬁx[2];
– char payload[109];
– char payloadLength;
– char magicLocal[4];
– char magicGlobalSalted[4];
– char recordIdentiﬁerA7Hash[16];

• Key for the first round of encryption base on default key:
Key’def[1] = Keydef[1] ^ (Hsup[0] & 0xF0)
Key’def[6] = Keydef[6] ^ (Hsup[0] & 0x0F)
• Where Hsup is md5(sidA7[3]+insnoA7[10])

• Second round
• Encrypt all data with the default key

• What about the default key?
• It is encrypted via 3DES-EDE2, too
• But the key for this encryption is hardcoded

Prevention
• Change the default key
• Choosing your own key:
http://help.sap.com/saphelp_nw70ehp2/helpdata/en/e0/f73d419
45bdb2be10000000a1550b0/content.htm

Passwords from DBCON table

DBCON table
• SAP has a connection with different DBs
• Administrator can manage this connection via the transaction
DBCO
• All DB connections information is stored encrypted in the table
DBCON (Description of Database Connections)

DBCON table

DBCON table
• Encrypted data looks like:
V01/0030ZctvSB67Wv1OuVLazse4ORik
– BASE64 + DES
– hardcoded key: 59A…70E
– decrypted data includes static salt: BE HAPPY

Prevention
• Restrict access to the table DBCON
• Restrict access to the transaction DBCO
• SAP Security Notes 1638280 and 1823566

Passwords from HANA

SAP HANA
• User details (including passwords) stored in hdbuserstore
• Located in the /usr/sap/hdbclient directory
• About hdbuserstore:
‒ SSFS_HDB.DAT
‒ with user data
‒ with keys

SAP HANA
• SSFS_HDB.DAT
• Signature: RSecSSFsData
• 3DES
• Default key is the same as in the ABAP Security Storage

SAP HANA
• SAP HANA – in memory database
• But it drops some data into FS
– Backup
– Savepoint
“The SAP HANA database holds the bulk of its data in memory for maximum
performance, but it still uses persistent disk storage to provide a fallback in case
of failure. Data is automatically saved from memory to disk at regular
savepoints. The data belonging to a savepoint represents a consistent state of
the data on disk and remains so until the next savepoint operation has
completed., After a power failure, the database can be restarted like any disk-
based database and returns to its last consistent state”
– SAP HANA Security Guide

SAP HANA
• “Data volume encryption ensures that anyone who can access
the data volumes on disk using operating system commands
cannot see the actual data. If data volumes are encrypted, all
pages that reside in the data area on disk are encrypted using
the AES-256-CBC algorithm.”
• “After data volume encryption has been enabled, an initial page
key is automatically generated. Page keys are never readable in
plain text, but are encrypted themselves using a dedicated
persistence encryption root key.”

SAP HANA
“SAP HANA uses SAP NetWeaver SSFS to protect the root encryption keys that
are used to protect all encryption keys used in the SAP HANA system from
unauthorized access.”
• SSFS_HDB.DAT
– HDB_SERVER/PERSISTENCE/ROOTKEY
– HDB_SERVER/DPAPI
• The persistence encryption feature does not encrypt the
following data:
– Database redo log files
– Database backups
– Database traces

Prevention
• Change the encryption key after installation
• Restrict access to the key file
• Restrict access to the DAT file
• Security guide for HANA (p. 71)
http://help.sap.com/hana/SAP_HANA_Security_Guide_en.pdf
• Secure storage in the file system:
http://help.sap.com/saphelp_nw70ehp2/helpdata/en/a0/82dd0ab
bde4696b98a8be133b27f3b/content.htm

Etc..
• ICF Password Repository
– ICFSECPASSWD
• FI module passwords
– FIEB_PASSWORD
• Oracle Fail Safe
– Stores passwords inside the ENVIRONMENT variable (Note 1764043 p. 4)
• SAP BusinessObjects LCMuser – hardcoded SVN user
– SAP BusinessObjects Enterprise
XI.0LCM_repositorysvn_repositoryconf
• SAP BusinessObjects axis2 login:password
– axis2.xml
Just try to grep DB using the word “password” 

Conclusion
It is possible to protect yourself from these kinds of issues,
and we are working close with SAP to keep customers secure
SAP guides
It’s all in your hands
Regular security assessments
ABAP code review
Monitoring technical security
Segregation of duties
Security events monitoring

Web:
www.erpscan.com
e-mail: info@erpscan.com
Twitter:
@erpscan
@_chipik

CONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to us

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (17)

Similar to CONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to us

Similar to CONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to us (20)

Recently uploaded

Recently uploaded (20)

CONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to us