This document discusses security vulnerabilities in SAP systems. It notes that many SAP systems have non-web services exposed that could allow remote access. It also details how passwords are sometimes stored insecurely in SAP shortcuts, log files, and database tables, allowing attackers to gain access to systems and steal sensitive data. The document recommends steps companies can take to prevent such vulnerabilities, like patching systems, not storing passwords in shortcuts, and using more secure authentication methods.
Secure Your SAP Investments with ERPScan
1. Invest in security to secure investments
All your SAP Passwords belong to us.
Dmitry Chastuchin, Director, Security Consulting, ERPScan.
2. About ERPScan
• The only 360-degree SAP Security solution - ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 Awards and nominations
• Research team - 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)
3. SAP
• The most popular business application
• More than 250000 customers worldwide
• More than 83% of Forbes 500 run SAP
4. SAP security
Espionage
• Stealing financial information
• Stealing corporate secrets
• Stealing supplier and customer lists
• Stealing HR data
Fraud
• False transactions
• Modification of master data
Sabotage
• Denial of service
• Modification of financial reports
• Access to technology network (SCADA) by trust relations
5. Is it remotely exploitable?
5000+ non-web SAP services exposed in the world, including Dispatcher, Message server, SapHostControl, etc.
6. Is it remotely exploitable?
[Chart: exposed non-web SAP services by type (axis 0 to 9): SAP Dispatcher, SAP MMC, SAP Message Server, SAP HostControl, SAP ITS Agate, SAP Message Server httpd]
7. SAP MMC – overview
• MMC is installed by default on port 5<ID>13
• Used for remote management of SAP servers
• Commands executed via SOAP interface
• By default, SSL is not implemented
• Administrative password transmitted using basic auth (Base64)
• By sniffing this password, we can get full control over the server
8. SAP MMC – attacks
• Many attacks can be implemented without authentication
• Attacks can be executed by sending SOAP requests
• Mostly, it is information disclosure and denial of service
• Also, OS command execution
14. Passwords on client side
• Attack via ActiveX
  ‒ A lot of issues with RCE inside (1519966, 1327004, 1092631, …)
• Attack via client bugs
  ‒ Buffer overflow in saplogon.exe (1504547)
What after that? SapLogon shortcuts!
Often, lazy users store the password for their SAP account in shortcuts.
15. Passwords on client side
[System]
Name=DM0
Description=Test Sap Server
Client=800
[User]
Name=SAP*
Language=EN
Password=PW_48B7231FD1FE390C
[Function]
Title=myShortcut
Command=se16
[Configuration]
WorkDir=C:\Documents and Settings\Administrator\My Documents\SAP\SAP GUI
[Options]
Reuse=1
This is how a typical shortcut looks…
File: <name>.sap
16. Passwords on client side
[Label]
Key1=myShortcut
[Command]
Key1=-desc="Test Sap Server" -sid="DM0" -clt="800" -u="SAP*" -l="EN" -tit="myShortcut" -cmd="se16" -wd="C:\Documents and Settings\Administrator\My Documents\SAP\SAP GUI" -ok="/nse16" -pwenc="PW_48B7231FD1FE390C"
…or like that
File: sapshortcut.ini
17. Passwords on client side
pwenc="PW_48B7231FD1FE390C"
PW_48B7231FD1FE390C
48B7231FD1FE390C
I used this password: 06071992
Looks like XOR encryption
18. Passwords on client side
• After a few experiments, we found out:
  – Yes, this is XOR
  – Yes, the key is static for all SAPLogon
• The key is: 788113…dc49b0
19. Passwords on client side
• …and the Python code to decrypt (the slide's Python 2 snippet, rewritten for Python 3; the key is truncated on the slide):

key = "788…"                      # static SAPLogon XOR key, hex, truncated on the slide
enc_pass = "PW_48B7231FD1FE390C"  # value taken from the shortcut file

def sxor(b1, b2):
    # byte-wise XOR of two byte strings (truncates to the shorter one)
    return bytes(a ^ b for a, b in zip(b1, b2))

# strip the "PW_" prefix, hex-decode both operands, XOR
dec_pass = sxor(bytes.fromhex(enc_pass[3:]), bytes.fromhex(key))
print("Decoded password is: " + dec_pass.decode("latin-1"))
20. Prevention
• Don't use SAPGUI 6.4 (there are no patches for some vulns)
• Patch SAPGUI with the latest SP
• Don't store password in shortcuts
  • (HKCU\Software\SAP\SAPShortcut\Security EnablePassword=0)
• Make sure that you do not activate the storage of passwords in SAP shortcuts
• Authentication security for SAP shortcuts:
  http://help.sap.com/SAPHELP_NWPI71/helpdata/en/4d/dc9db9bc0e02cfe10000000a42189b/content.htm
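An audit check for the two shortcut formats shown on slides 15 and 16, added here as an example (not from the slides or from ERPScan): it parses a <name>.sap file and a sapshortcut.ini and reports every entry that carries a stored password (Password= under [User], or -pwenc= inside a [Command] entry), so an administrator can find the shortcuts the prevention slide says should not exist. The two sample files are constructed to match the slide layouts.

```python
import configparser
import re

# Constructed sample of a <name>.sap shortcut in the layout shown on slide 15.
SAMPLE_SAP = """[System]
Name=DM0
Description=Test Sap Server
Client=800
[User]
Name=SAP*
Language=EN
Password=PW_48B7231FD1FE390C
"""

# Constructed sample of sapshortcut.ini in the layout shown on slide 16
# (the real file keeps the whole -desc ... -pwenc command on one line).
SAMPLE_INI = """[Label]
Key1=myShortcut
[Command]
Key1=-desc="Test Sap Server" -sid="DM0" -clt="800" -u="SAP*" -ok="/nse16" -pwenc="PW_48B7231FD1FE390C"
"""

PWENC_RE = re.compile(r'-pwenc="([^"]*)"')
OPT_RE = {"sid": re.compile(r'-sid="([^"]*)"'), "u": re.compile(r'-u="([^"]*)"')}

def parse_ini(text):
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str          # keep key case exactly as written in the file
    cp.read_string(text)
    return cp

def audit_sap_shortcut(text):
    """Return [(system, user, client)] when a .sap file stores a password under [User]."""
    cp = parse_ini(text)
    if not cp.get("User", "Password", fallback=""):
        return []                 # no stored credential: nothing to report
    return [(cp.get("System", "Name", fallback="?"),
             cp.get("User", "Name", fallback="?"),
             cp.get("System", "Client", fallback="?"))]

def audit_sapshortcut_ini(text):
    """Return [(label, sid, user)] for every [Command] entry that carries -pwenc=."""
    cp = parse_ini(text)
    findings = []
    for key, cmd in (cp.items("Command") if cp.has_section("Command") else []):
        if not PWENC_RE.search(cmd):
            continue              # this entry stores no password
        opts = {name: (rx.search(cmd).group(1) if rx.search(cmd) else "?")
                for name, rx in OPT_RE.items()}
        findings.append((cp.get("Label", key, fallback=key), opts["sid"], opts["u"]))
    return findings
```

Run it over the files collected from user profiles; every tuple it returns names a system, user and client whose password sits on disk obfuscated only with the static XOR key.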
22. USR02 password hash
• Well known password area
• Hash algorithm:
  – CODVN A
  – CODVN B (MD5-based)
  – CODVN D (MD5-based)
  – CODVN E (MD5-based)
  – CODVN F (SHA1-based)
  – CODVN G (Code versions B & F)
  – CODVN H (SHA-1-based)
  – CODVN I (Code versions B, F & H)
• Just use John the Ripper
23. Prevention
• Use the latest algorithm
• SAP Note 2467: Password rules and preventing incorrect logons
• SAP Note 721119: Logon with (delivered) default user fails
• SAP Note 735356: Special character in passwords; reactivation not possible
• SAP Note 862989: New password rules as of SAP NetWeaver 2004s
• SAP Note 874738: New password hash calculation procedure (code version E)
• SAP Note 991968: Value list for login/password_hash_algorithm
• SAP Note 1023437: Downwardly incompatible passwords since NW2004s
• SAP Note 1237762: Protection against password hash attacks
• SAP Note 1300104: CUA – New password hash procedures - Background information
• SAP Note 1458262: Recommended settings for password hash algorithms
• SAP Note 1484692: Protect read access to password hash value tables
• SAP Note 1488159: SUIM – RSUSR003 – Incorrect results for CODVN = F
25. Passwords from RFC request
• If an attacker catches an RFC request with logon data, he will be:
  – Happy because he got the login and password
  – Upset because the password is encrypted
  – Happy because the encryption is just a XOR (lol)
  – Happy because the key is static. Key: 313ec…a4021
  – Very happy because he got the clear text password
30. SAP VisualAdmin
• SAP Visual Admin – a remote tool for controlling J2EE Engine
• Uses the P4 protocol – SAP's proprietary
• By default, all data transmitted in cleartext
• P4 can be configured to use SSL to prevent MitM
• Passwords are transmitted by some sort of encryption
• In reality, it is some sort of Base64 transformation with a known key
34. Prevention
• Secure P4 connection using SSL
• SAP Security Note 1724516
• Using P4 protocol over a secure connection:
  http://help.sap.com/saphelp_nw73ehp1/helpdata/en/48/2d9ba88aef4bb9e10000000a42189b/content.htm
36. SecStore
• The AS Java stores security-relevant information encrypted in a file in the file system
• The AS Java stores the following security-relevant information in files in the file system:
  – Database user SAP<SID>DB and its password
  – Database connection information
  – Administrator user and its password
• Secure storage file is located at: \usr\sap\<SID>\SYS\global\security\data\SecStore.properties
38. SecStore
• Algorithm is TripleDES. We need a key for decryption
• The main issue is that the key file is located in the same directory as the encrypted data: \usr\sap\<SID>\SYS\global\security\data\SecStore.key
• The key consists of two parts:
  – Version information
  – Encrypted key phrase
39. SecStore
• Version information. It affects the TripleDES key
  – If version >= 7.00.000, then the Triple DES key = key phrase + <SID>
• Encrypted key phrase
  – By default, it is the initial password which the administrator sets up during SAP system installation. Often, this phrase equals the DB password or an SAP administrator account password (SAP*, DDIC, J2EE_Admin, etc.)
  – For encrypting the key phrase, a XOR algorithm with a static key is used: 43,-74…,-41,-67
• That's why, if an attacker only got the SecStore.key file, they can also get access into SAP, because they have the initial password
40. SecStore
• OK. We have the encrypted password (SecStore.properties)
• We have the decryption key (SecStore.key)
• We can get all sensitive information from Security Storage
• As I said, data's encrypted by the TripleDES algorithm
• More precisely, the encryption uses the TripleDES algorithm in CBC mode using a secret key which is derived from a password with the SHA hash algorithm
  – The key is the key phrase from SecStore.key + <SID> (if version >= 7.00.000)
  – The salt is the value 0000000000000000
41. SecStore
• We also wrote a tool which decrypts all the stuff from SAP JAVA AS Security Storage (SecStore_Cr.jar)
• Also, SAP Secure Store file can have another name (ex. JUpgrade.properties) and store other interesting data, like:
  – Password for SAP OS user (SIDADM)
  – DB password
  – DDIC password
  – etc…
42. Prevention
• Install SAP Note 1619539
• Restrict read access to files SecStore.properties, JUpgrade.properties, and SecStore.key
• Managing secure storage in the file system:
  http://help.sap.com/saphelp_nw70ehp2/helpdata/en/cd/14c93ec2f7df6ae10000000a114084/content.htm
44. Log files
• We know about many places where SAP writes logs
• Administrator can define the verbosity level
• Attacker can find many interesting things in log files: information about the system, information about the users, even session information
• Very interesting path with logs: /sapinst_instdir/
But what about passwords?
45. Log files
• Passwords in SAP log files look like this:
dev_umconfigurator.trc
46. Log files
• Sometimes, we can find a clear text password
sapinst_dev.<n>.log
47. Log files
• Sometimes, we can find an encrypted password
48. Log files
• Guess what type of encryption is used? :)
• Right! XOR with a static hardcoded key: 31…65d
• As a result, we have a decryptor (the slide's Python 2 snippet, rewritten for Python 3; the key is masked on the slide):

key = "31XXXXXXXXXXXX5d"  # static hardcoded XOR key, hex; masked on the slide

def sxor(b1, b2):
    # byte-wise XOR of two byte strings (truncates to the shorter one)
    return bytes(a ^ b for a, b in zip(b1, b2))

def prepare(val):
    # the log stores the encrypted value as "|"-separated decimal bytes;
    # "& 0xff" keeps negative (signed-byte) entries in range and avoids the
    # odd-length hex string the original hex()-concatenation produced for values < 16
    return bytes(int(a) & 0xff for a in val.split("|") if a.strip())

encr = prepare(input("Enter encrypted password: "))
dec_pass = sxor(encr, bytes.fromhex(key))
print("Decoded password is: " + dec_pass.decode("latin-1"))
49. Log files
• The same story with the config file \usr\sap\<SID>\config\usagetypes.properties
50. Prevention
• Don't use TRACE_LEVEL = 3
• Delete traces when work is finished
• Mask security-sensitive data in HTTP access log
• Incrementing/decrementing the trace level:
  https://help.sap.com/saphelp_nwpi71/helpdata/en/46/962416a5a613e8e10000000a155369/content.htm
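A log-hygiene check for the three forms of leaked credential the log-file slides describe (clear text, the PW_ shortcut form, and the "|"-separated byte layout the slide-48 decryptor consumes), added here as an example (not from the slides or from ERPScan): scan_log() reports which lines carry a password-like key and whether its value is clear or merely obfuscated, and mask_line() rewrites the value so a trace can be kept or shipped. The sample lines are constructed; no real SAP output or secret appears.

```python
import re

# Constructed trace/log lines in the spirit of sapinst_dev.<n>.log and
# dev_umconfigurator.trc; no real SAP output or secret is reproduced here.
SAMPLE_LOG = [
    "property SAPSID=DM0",                               # no credential
    "property ddicPassword=Summer2013!",                 # clear text, as on slide 46
    'property logonPwenc="PW_48B7231FD1FE390C"',         # SAPLogon form, as on slide 17
    "value DBPassword=83|-22|41|110|7",                  # pipe-separated form, as on slide 48
    "TRACE_LEVEL=3 enabled for dev_umconfigurator.trc",  # no credential
]

# A credential-naming key, "=" or ":", then an optionally double-quoted value.
SECRET_KV_RE = re.compile(
    r'(?i)(\b[\w.\-]*(?:password|passwd|pwd|pwenc)[\w.\-]*\s*[=:]\s*)("?)([^"\s]+)\2')
# Signed decimal bytes joined with "|": the layout the slide-48 decryptor consumes.
ENCODED_RE = re.compile(r'^-?\d{1,3}(?:\|-?\d{1,3})+\|?$')

def classify_value(value):
    """'encoded' for the two obfuscated layouts on the slides, else 'cleartext'."""
    if value.startswith("PW_") or ENCODED_RE.match(value):
        return "encoded"
    return "cleartext"

def scan_log(lines):
    """Return (line_number, key, kind) for every credential value found."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for m in SECRET_KV_RE.finditer(line):
            key = re.split(r"\s*[=:]", m.group(1), maxsplit=1)[0]
            findings.append((n, key, classify_value(m.group(3))))
    return findings

def mask_line(line):
    """Replace each credential value with *** so the line is safe to keep or ship."""
    return SECRET_KV_RE.sub(lambda m: m.group(1) + "***", line)

def mask_log(lines):
    return [mask_line(line) for line in lines]
```

An "encoded" finding is still a leak: both obfuscated layouts are undone with a static key, so treat it exactly like a clear-text hit.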
52. SLD
• SLD is the central information repository for your system landscape
• It contains information about:
  – technical systems
  – landscapes
  – business systems
  – products
  – software components in your system landscape
53. SLD password files
• Configuration file: \usr\sap\<sid>\DVEBMGS<nn>\exe\slddest.cfg
  – User name with DataSupplierLD role
  – User password (wooot!)
  – Host name
  – Port
Encrypted by DES algorithm in the early version of SLD
Static default key is: 0A…71F
But if user specifies the key, then the key file is stored near the encrypted data file in slddest.cfg.key
54. SLD password files
• In the latest versions of SLD, another algorithm is used: TripleDES with hardcoded key
55. Prevention
• Restrict read access to files slddest.cfg and slddest.cfg.key
• Configuring sldreg and transferring data to SLD:
  http://help.sap.com/saphelp_nw70/helpdata/en/42/ea5ff4b5d61bd9e10000000a11466f/content.htm
57. Password from RSECTAB
• The secure storage is a component of the SAP Web Application Server ABAP
• It allows the encrypted storage of sensitive data that SAP applications require when logging into other systems
• These SAP applications use the storage to store passwords:
  – RFC destinations
  – Exchange Infrastructure (XI)
  – LDAP system users
  – SAPphone
  – SAPconnect
  – CCMS (Generic Request and Message Generator)
• Table RSECTAB
select rawtohex(DATA) from SAPSR3.RSECTAB
60. Password from RSECTAB
• TripleDES 3DES mode: DES-EDE3
• The triple DES algorithm uses the DES-EDE3 method where a 24 byte key is supplied. This means there are three DES operations in the sequence encrypt-decrypt-encrypt with the three different keys. The first key will be bytes 1 to 8, the second key bytes 9 to 16 and the third key bytes 17 to 24
• Two rounds
65. Password from RSECTAB
• What about the default key?
• It is encrypted via 3DES-EDE2, too
• But the key for this encryption is hardcoded
66. Prevention
• Change the default key
• SAP Security Note 1902611
• Choosing your own key:
  http://help.sap.com/saphelp_nw70ehp2/helpdata/en/e0/f73d41945bdb2be10000000a1550b0/content.htm
68. DBCON table
• SAP has a connection with different DBs
• Administrator can manage this connection via the transaction DBCO
• All DB connections information is stored encrypted in the table DBCON (Description of Database Connections)
69. DBCON table
• Encrypted data looks like: V01/0030ZctvSB67Wv1OuVLazse4ORik
  – BASE64 + DES
  – hardcoded key: 59A…70E
  – decrypted data includes static salt: BE HAPPY
70. Prevention
• Restrict access to the table DBCON
• Restrict access to the transaction DBCO
• SAP Security Notes 1638280 and 1823566
72. SAP HANA
• User details (including passwords) stored in hdbuserstore
• Located in the /usr/sap/hdbclient directory
• About hdbuserstore:
  ‒ SSFS_HDB.DAT
  ‒ with user data
  ‒ with keys
73. SAP HANA
• SSFS_HDB.DAT
• Signature: RSecSSFsData
• Algorithm: 3DES
• Default key is the same as in the ABAP Security Storage
74. SAP HANA
• SAP HANA – in memory database
• But it drops some data into FS
  – Backup
  – Savepoint
"The SAP HANA database holds the bulk of its data in memory for maximum performance, but it still uses persistent disk storage to provide a fallback in case of failure. Data is automatically saved from memory to disk at regular savepoints. The data belonging to a savepoint represents a consistent state of the data on disk and remains so until the next savepoint operation has completed. After a power failure, the database can be restarted like any disk-based database and returns to its last consistent state," – SAP HANA Security Guide
75. SAP HANA
• "Data volume encryption ensures that anyone who can access the data volumes on disk using operating system commands cannot see the actual data. If data volumes are encrypted, all pages that reside in the data area on disk are encrypted using the AES-256-CBC algorithm."
• "After data volume encryption has been enabled, an initial page key is automatically generated. Page keys are never readable in plain text, but are encrypted themselves using a dedicated persistence encryption root key."
76. SAP HANA
"SAP HANA uses SAP NetWeaver SSFS to protect the root encryption keys that are used to protect all encryption keys used in the SAP HANA system from unauthorized access."
• SSFS_HDB.DAT
  – HDB_SERVER/PERSISTENCE/ROOTKEY
  – HDB_SERVER/DPAPI
• The persistence encryption feature does not encrypt the following data:
  – Database redo log files
  – Database backups
  – Database traces
77. Prevention
• Change the encryption key after installation
• Restrict access to the key file
• Restrict access to the DAT file
• Security guide for HANA (p. 71): http://help.sap.com/hana/SAP_HANA_Security_Guide_en.pdf
• Secure storage in the file system:
  http://help.sap.com/saphelp_nw70ehp2/helpdata/en/a0/82dd0abbde4696b98a8be133b27f3b/content.htm
78. Etc..
• ICF Password Repository
  – ICFSECPASSWD
• FI module passwords
  – FIEB_PASSWORD
• Oracle Fail Safe
  – Stores passwords inside the ENVIRONMENT variable (Note 1764043 p. 4)
• SAP BusinessObjects LCMuser – hardcoded SVN user
  – SAP BusinessObjects Enterprise XI.0\LCM_repository\svn_repository\conf
• SAP BusinessObjects axis2 login:password
  – axis2.xml
79. It is possible to protect yourself from these kinds of issues, and we are working closely with SAP to keep customers secure
• SAP guides
• It's all in your hands
• Regular security assessments
• ABAP code review
• Monitoring technical security
• Segregation of duties
Conclusion
80. I'd like to thank SAP's Product Security Response Team for the great cooperation to make SAP systems more secure. Research is always ongoing, and we can't share all of it today. If you want to be the first to see new attacks and demos, follow us at @erpscan and attend future presentations.
PS:
• EAS-SEC: Resource which combines
  – Guidelines for assessing enterprise application security
  – Guidelines for assessing custom code
  – Surveys about enterprise application security
Future work