This document discusses security vulnerabilities in SAP systems. It notes that many SAP systems have non-web services exposed that could allow remote access. It also details how passwords are sometimes stored insecurely in SAP shortcuts, log files, and database tables, allowing attackers to gain access to systems and steal sensitive data. The document recommends steps companies can take to prevent such vulnerabilities, like patching systems, not storing passwords in shortcuts, and using more secure authentication methods.

1. Invest
in
security
to
secure
investments
All
your
SAP
Passwords
belong
to
us.
Dmitry
Chastuchin
Director,
Security
Consul;ng
ERPScan.

2. About
ERPScan
• The
only
360-­‐degree
SAP
Security
solu;on
-­‐
ERPScan
Security
Monitoring
Suite
for
SAP
• Leader
by
the
number
of
acknowledgements
from
SAP
(
150+
)
• 60+
presenta=ons
key
security
conferences
worldwide
• 25
Awards
and
nomina=ons
• Research
team
-­‐
20
experts
with
experience
in
different
areas
of
security
• Headquarters
in
Palo
Alto
(US)
and
Amsterdam
(EU)
2

3. SAP
• The
most
popular
business
applica;on
• More
than
250000
customers
worldwide
• More
than
83
%
of
Forbes
500
run
SAP
3

4. SAP
security
Espionage
• Stealing
financial
informa;on
• Stealing
corporate
secrets
• Stealing
supplier
and
customer
lists
• Stealing
HR
data
Fraud
• False
transac;ons
• Modifica;on
of
master
data
Sabotage
• Denial
of
service
• Modifica;on
of
financial
reports
• Access
to
technology
network
(SCADA)
by
trust
rela;ons
4

5. Is
it
remotely
exploitable?
5000+
non-­‐web
SAP
services
exposed
in
the
world
including
Dispatcher,
Message
server,
SapHostControl,
etc.
5

6. Is
it
remotely
exploitable?
0
1
2
3
4
5
6
7
8
9
SAP Dispatcher SAP MMC SAP Message Server SAP HostControl SAP ITS Agate SAP Message Server
httpd
6

7. SAP
MMC
–
overview
• MMC
is
installed
by
default
on
port
5<ID>13
• Used
for
remote
management
of
SAP
servers
• Commands
executed
via
SOAP
interface
• By
default,
SSL
is
not
implemented
• Administra;ve
password
transmied
using
basic
auth
(Base64)
• By
sniffing
this
password,
we
can
get
full
control
over
the
server
7

8. SAP
MMC
–
aSacks
• Many
aacks
can
be
implemented
without
authen;ca;on
• Aacks
can
be
executed
by
sending
SOAP
requests
• Mostly,
it
is
informa;on
disclosure
and
denial
of
service
• Also,
OS
command
execu;on
8

9. Advanced
MMC
aSacks
<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://
www.w3.org/2001/XMLSchema">
<SOAP-ENV:Header>
<sapsess:Session xmlns:sapsess="http://www.sap.com/webas/630/soap/features/
session/">
<enableSession>true</enableSession>
</sapsess:Session>
</SOAP-ENV:Header>
<SOAP-ENV:Body>
<ns1:ReadLogFile xmlns:ns1="urn:SAPControl">
<filename>j2ee/cluster/server0/log/system/userinterface.log</filename>
<filter/>
<language/>
<maxentries>%COUNT%</maxentries>
<statecookie>EOF</statecookie>
</ns1:ReadLogFile>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
9

10. PWN
If
an
a&acker
can
read
a
file
from
server
OS,
he
can
get
clear
text
passwords
of
SAP
users
and,
as
a
result,
compromise
the
SAP
system
10

11. 11
Default
passwords

12. Passwords
on
client
side
User
name
Password
SAP*
06071992
PASS
DDIC
19920706
TMSADM
PASSWORD
$1Pawd2&
EARLYWATCH
SUPPORT
SAPCPIC
ADMIN
12

13. 13
Passwords
on
client
side

14. Passwords
on
client
side
• Aack
via
Ac;veX
‒ A
lot
of
issues
with
RCE
inside
(1519966,
1327004,
1092631,
…)
• Aack
via
client
bugs
‒ Buffer
overflow
in
saplogon.exe
(1504547)
What
aler
that?
SapLogon
shortcuts!
Olen,
lazy
users
store
password
for
SAP
account
in
shortcuts
14

15. Passwords
on
client
side
[System]
Name=DM0
Description=Test Sap Server
Client=800
[User]
Name=SAP*
Language=EN
Password=PW_48B7231FD1FE390C
[Function]
Title=myShortcut
Command=se16
[Configuration]
WorkDir=C:Documents and SettingsAdministratorMy DocumentsSAPSAP GUI
[Options]
Reuse=1
This
is
how
a
typical
shortcut
looks
like…
File: <name>.sap
15

16. Passwords
on
client
side
[Label]
Key1=myShortcut
[Command]
Key1=-
desc="Test Sap Server"
-sid="DM0"
-clt="800"
-u="SAP*"
-l="EN"
-tit="myShortcut"
-cmd="se16"
-wd="C:Documents and SettingsAdministratorMy DocumentsSAPSAP GUI"
-ok="/nse16"
-pwenc="PW_48B7231FD1FE390C"
…or
like
that
File: sapshortcut.ini
16

17. Passwords
on
client
side
pwenc="PW_48B7231FD1FE390C"
PW_48B7231FD1FE390C
48B7231FD1FE390C
I
used
this
password:
06071992
Looks
like
XOR
encryp;on
17

18. Passwords
on
client
side
• Aler
a
few
experiments,
we
found
out:
– Yes,
this
is
XOR
– Yes,
the
key
is
sta;c
for
all
SAPLogon
• The
key
is:
788113…dc49b0
18

19. Passwords
on
client
side
• …and
the
PY
code
to
decrypt
key="788…"
def sxor(s1,s2):
return ''.join(chr(ord(a) ^ ord(b)) for a,b in
zip(s1,s2))
enc_pass="PW_48B7231FD1FE390C"
dec_pass=sxor(enc_pass[3:].decode("hex"),key.decode("hex"))
print "Decoded password is: "+dec_pass
19

20. Preven=on
• Don’t
use
SAPGUI
6.4
(there
are
no
patches
for
some
vulns)
• Patch
SAPGUI
with
the
latest
SP
• Don’t
store
password
in
shortcuts
• (HKCUSolwareSAPSAPShortcutSecurity
EnablePassword=0)
• Make
sure
that
you
do
not
ac;vate
the
storage
of
passwords
in
SAP
shortcuts
• Authen;ca;on
security
for
SAP
shortcuts:
hp://help.sap.com/SAPHELP_NWPI71/helpdata/en/4d/dc9db9bc0e02cfe10000000a42189b/
content.htm
20

21. 21
Passwords
from
USR02,
USH02,
USRPWDHISTORY

22. USR02
password
hash
• Well
known
password
area
• Hash
algorithm:
– CODVN
A
– CODVN
B
(MD5-­‐based)
– CODVN
D
(MD5-­‐based)
– CODVN
E
(MD5-­‐based)
– CODVN
F
(SHA1-­‐based)
– CODVN
G
(Code
versions
B
&
F)
– CODVN
H
(SHA-­‐1-­‐based)
– CODVN
I
(Code
versions
B,
F
&
H)
• Just
use
John
the
Ripper
22

23. Preven=on
• Use
the
latest
algorithm
• SAP
Note
2467:
Password
rules
and
preven;ng
incorrect
logons
• SAP
Note
721119:
Logon
with
(delivered)
default
user
fails
• SAP
Note
735356:
Special
character
in
passwords;
reac;va;on
not
possible
• SAP
Note
862989:
New
password
rules
as
of
SAP
NetWeaver
2004s
• SAP
Note
874738:
New
password
hash
calcula;on
procedure
(code
version
E)
• SAP
Note
991968:
Value
list
for
login/password_hash_algorithm
• SAP
Note
1023437:
Downwardly
incompa;ble
passwords
since
NW2004s
• SAP
Note
1237762:
Protec;on
against
password
hash
aacks
• SAP
Note
1300104:
CUA
–
New
password
hash
procedures
-­‐
Background
informa;on
• SAP
Note
1458262:
Recommended
se|ngs
for
password
hash
algorithms
• SAP
Note
1484692:
Protect
read
access
to
password
hash
value
tables
• SAP
Note
1488159:
SUIM
–
RSUSR003
–
Incorrect
results
for
CODVN
=
F
23

24. Passwords
from
RFC
request
24

25. Passwords
from
RFC
request
• If
an
aacker
catches
an
RFC
request
with
logon
data,
he
will
be:
– Happy
because
he
got
the
login
and
password
– Upset
because
the
password
is
encrypted
– Happy
because
the
encryp;on
is
just
a
XOR
(lol)
– Happy
because
the
key
is
sta;c
Key: 313ec…a4021
– Very
happy
because
he
got
the
clear
text
password
25

26. Passwords
from
RFC
request
26

27. Passwords
from
RFC
request
• …and
the
PY
code
to
decrypt
key="313e…"
def sxor(s1,s2):
return ''.join(chr(ord(a) ^ ord(b)) for a,b in
zip(s1,s2))
enc_pass="0108F357D03F770D"
dec_pass=sxor(enc_pass.decode("hex"),key.decode("hex"))
print "Decoded password is: "+dec_pass
27

28. Preven=on
• Secure
RFC
connec;on
using
SNC
• SAP
Security
Note
1724516
• RFC
and
SNC:
hp://help.sap.com/saphelp_nw70ehp2/helpdata/en/72/
e52c4057cb185de10000000a1550b0/content.htm
28

29. 29
SAP
Visual
Admin
password

30. SAP
VisualAdmin
30
• SAP
Visual
Admin
–
a
remote
tool
for
controlling
J2EE
Engine
• Uses
the
P4
protocol
–
SAP’s
proprietary
• By
default,
all
data
transmied
in
cleartext
• P4
can
be
configured
to
use
SSL
to
prevent
MitM
• Passwords
are
transmied
by
some
sort
of
encryp;on
• In
reality,
it
is
some
sort
of
Base64
transforma;on
with
a
known
key

31. SAP
VisualAdmin
data
31

32. Insecure
password
encryp=on
in
P4
32
/* 87 */ char mask = 43690; //aaaa hex
/* 88 */ char check = 21845; //5555 hex
/* 89 */ char[] result = new char[data.length + 1];
/* */
/* 91 */ for (int i = 0; i < data.length; ++i) {
/* 92 */ mask = (char)(mask ^ data[i]);
/* 93 */ result[i] = mask;
/* */ }
/* 95 */ result[data.length] = (char)(mask ^ check);
/* */
/* 97 */ return result;

33. 33
DEMO
SAP
Visual
Admin
password
sniffing

34. Preven=on
• Secure
P4
connec;on
using
SSL
• SAP
Security
Note
1724516
• Using
P4
protocol
over
a
secure
connec;on:
hp://help.sap.com/saphelp_nw73ehp1/helpdata/en/
48/2d9ba88aef4bb9e10000000a42189b/content.htm
34

35. 35
SAP
JAVA
Security
Storage

36. SecStore
• The
AS
Java
stores
security-­‐relevant
informa;on
encrypted
in
a
file
in
the
file
system
• The
AS
Java
stores
the
following
security-­‐relevant
informa;on
in
files
in
the
file
system:
–
Database
user
SAP<SID>DB
and
its
password
–
Database
connec;on
informa;on
–
Administrator
user
and
its
password
• Secure
storage
file
is
located
at
:
usrsap<SID>SYSglobalsecuritydataSecStore.properties
36

37. SecStore
$internal/version=Ni4zFF4wMSeaseforCCMxegAfx
admin/host/TTT=7KJuOPPs/+u+14jM7uy7cy7exrZuYvevkSrPxwueur2445yxgBS
admin/password/TTT=7KJuOPPs/+uv+14j56vDc7M7v7dytbGbkgqDp+QD04b0Fh
jdbc/pool/TTT=7KJuOPPs/+u5jM6s1cvvgQ1gzFvarxuUzEJTHTJI0VGegH
admin/port/TTT=7KJuOPPs/+u+1j4vD1cv6ZTvd336rzEd7267Rwr4ZUgRTQ
$internal/check=BJRrzfjeUA+bw4XCzdz16zX78ufbt
$internal/mode=encrypted
admin/user/TTT=7KJuOPPs/+u+14j6s14sTxXU3ONl3rL6N7yssV75eC6/5S3E
• The
AS
Java
uses
the
SAP
Java
Cryptography
Toolkit
to
encrypt
the
informa;on
in
the
secure
store
using
the
TripleDES
algorithm.
The
encryp;on
is
performed
during
the
AS
Java
installa;on
process
• Let’s
look
deeper
37

38. SecStore
• Algorithm
is
TripleDES.
We
heed
a
key
for
decryp;on
• The
main
issue
is
that
the
key
file
is
located
in
the
same
directory
as
the
encrypted
data:
usrsap<SID>SYSglobalsecuritydataSecStore.key
• The
key
consists
of
two
parts:
–
Version
informa;on
–
Encrypted
key
phrase
38

39. SecStore
•
Version
informa;on.
It
affects
the
TripleDES
key
–
If
version
>=
7.00.000,
then
the
Triple
DES
key
=
key
phrase
+
<SID>
•
Encrypted
key
phrase
–
By
default,
it
is
the
ini;al
password
which
the
administrator
sets
up
during
SAP
system
installa;on.
Olen,
this
phase
equals
to
the
DB
password
or
an
SAP
administrator
account
password
(SAP*,
DDIC,
J2EE_Admin,
etc.)
–
For
encryp;ng
the
key
phrase,
XOR
algorithm
with
sta;c
key
is
used
43,-74…,-41,-67
• That’s
why,
if
an
aacker
only
got
the
SecStore.key
file,
they
can
also
get
access
into
SAP,
because
they
have
the
ini;al
password
39

40. SecStore
• OK.
We
have
the
encrypted
password
(SecStore.properXes)
• We
have
the
decryp;on
key
(SecStore.key)
• We
can
get
all
sensi;ve
informa;on
from
Security
Storage
• As
I
said,
data’s
encrypted
by
the
TripleDES
algorithm
• More
precisely,
the
encryp;on
uses
the
TripleDES
algorithm
in
CBC
mode
using
a
secret
key
which
is
derived
from
a
password
with
the
SHA
hash
algorithm
–
The
key
is
the
key
phrase
from
SecStore.key
+
<SID>
(if
version
>=
7.00.000)
–
The
salt
is
the
value
0000000000000000
40

41. SecStore
• We
also
wrote
a
tool
which
decrypts
all
the
stuff
from
SAP
JAVA
AS
Security
Storage
(SecStore_Cr.jar)
• Also,
SAP
Secure
Store
file
can
have
another
name
(ex.
JUpgrade.proper;es)
and
store
other
interes;ng
data,
like:
–
Password
for
SAP
OS
user
(SIDADM)
–
DB
password
–
DDIC
password
–
etc…
41

42. Preven=on
•
Install
SAP
Note
1619539
•
Restrict
read
access
to
files
SecStore.properXes,
JUpgrade.properXes,
and
SecStore.key
•
Managing
secure
storage
in
the
file
system:
hp://help.sap.com/saphelp_nw70ehp2/helpdata/en/cd/
14c93ec2f7df6ae10000000a114084/content.htm
42

43. 43
Passwords
from
log
files

44. Log
files
• We
know
about
many
places
where
SAP
writes
logs
• Administrator
can
define
the
verbosity
level
• Aacker
can
found
many
interes;ng
things
in
log
files:
informa;on
about
the
system,
informa;on
about
the
users,
even
session
informa;on
• Very
interes;ng
path
with
logs:
/sapinst_instdir/
But
what
about
passwords?
44

45. Log
files
• Passwords
in
SAP
log
files
looks
like
that:
dev_umconfigurator.trc
45

46. Log
files
• Some;mes,
we
can
find
a
clear
text
password
sapinst_dev.<n>.log
46

47. Log
files
• Some;mes,
we
can
find
an
encrypted
password
47

48. Log
files
• Guess
what
type
of
encryp;on
is
used?
J
• Right!
XOR
with
a
sta;c
hardcoded
key:
31…65d
• As
a
result,
we
have
a
decryptor:
key="31XXXXXXXXXXXX5d"
def sxor(s1,s2):
return ''.join(chr(ord(a) ^ ord(b)) for a,b in zip(s1,s2))
def prepare(val):
encoco=val.split("|")
rez=""
for a in encoco:
rez= rez + str(hex(int(a)).replace("0x",""))
return rez
encr=prepare(raw_input("Enter encrypted password:"))
dec_pass=sxor(encr.decode("hex"),key.decode("hex"))
print "Decoded password is: "+dec_pass
48

49. Log
files
•
The
same
story
with
the
config
file
usrsap<SID>configusagetypes.properXes
49

50. Preven=on
• Don’t
use
TRACE_LEVEL
=
3
• Delete
traces
when
work
is
finished
• Mask
security-­‐sensi;ve
data
in
HTTP
access
log
• Incremen;ng/decremen;ng
the
trace
level:
h p s : / / h e l p . s a p . c o m / s a p h e l p _ n w p i 7 1 / h e l p d a t a / e n /
46/962416a5a613e8e10000000a155369/content.htm
50

51. 51
Passwords
from
SLD
config
file

52. SLD
• SLD
is
the
central
informa;on
repository
for
your
system
landscape
• It
contains
informa;on
about:
–
technical
systems
–
landscapes
–
business
systems
–
products
–
solware
components
in
your
system
landscape
52

53. SLD
password
files
•
Configura;on
file:
usrsap<sid>DVEBMGS<nn>exe
slddest.cfg
–
User
name
with
DataSupplierLD
role
–
User
password
(wooot!)
–
Host
name
–
Port
Encrypted
by
DES
algorithm
in
the
early
version
of
SLD
Sta;c
default
key
is:
0A…71F
But
if
user
specifies
the
key,
then
the
key
file
is
stored
near
the
encrypted
data
file
in
slddest.cfg.key
53

54. SLD
password
files
• In
the
latest
versions
of
SLD,
another
algorithm
is
used:
TripleDES
with
hardcoded
key
54

55. Preven=on
• Restrict
read
access
to
fileslddest.cfg
and
slddest.cfg.key
• Configuring
sldreg
and
transferring
data
to
SLD:
hp://help.sap.com/saphelp_nw70/helpdata/en/42/
ea5ff4b5d61bd9e10000000a11466f/content.htm
55

56. 56
Passwords
from
ABAP
SecStore

57. Password
from
RSECTAB
• The
secure
storage
is
a
component
of
the
SAP
Web
Applica;on
Server
ABAP
• It
allows
the
encrypted
storage
of
sensi;ve
data
that
SAP
applica;ons
require
when
logging
into
other
systems
• These
SAP
applica;ons
use
the
storage
to
store
passwords:
– RFC
des;na;ons
– Exchange
Infrastructure
(XI)
– LDAP
system
users
– SAPphone
– SAPconnect
– CCMS
(Generic
Request
and
Message
Generator)
• Table
RSECTAB
select rawtohex(DATA) from SAPSR3.RSECTAB
57

58. Password
from
RSECTAB
58

59. Password
from
RSECTAB
59

60. Password
from
RSECTAB
• TripleDES
3DES
mode:
DES-­‐EDE3
• The
triple
DES
algorithm
uses
the
DES-­‐EDE3
method
where
a
24
byte
key
is
supplied.
This
means
there
are
three
DES
opera;ons
in
the
sequence
encrypt-­‐decrypt-­‐encrypt
with
the
three
different
keys.
The
first
key
will
be
bytes
1
to
8,
the
second
key
bytes
9
to
16
and
the
third
key
bytes
17
to
24
• Two
rounds
60

61. Password
from
RSECTAB
• First
round
• Encrypt:
–
char
randomPrefix[2];
–
char
payload[109];
–
char
payloadLength;
–
char
magicLocal[4];
–
char
magicGlobalSalted[4];
–
char
recordIden;fierA7Hash[16];
61

62. Password
from
RSECTAB
• Key
for
the
first
round
of
encryp;on
base
on
default
key:
Key’def[1] = Keydef[1] ^ (Hsup[0] & 0xF0)
Key’def[6] = Keydef[6] ^ (Hsup[0] & 0x0F)
Key’def[7] = Keydef[7] ^ (Hsup[3] & 0xF0)
Key’def[10] = Keydef[10] ^ (Hsup[1] & 0xF0)
Key’def[13] = Keydef[13] ^ (Hsup[1] & 0x0F)
Key’def[16] = Keydef[16] ^ (Hsup[4] & 0x0F)
Key’def[19] = Keydef[19] ^ (Hsup[2] & 0xF0)
Key’def[20] = Keydef[20] ^ (Hsup[2] & 0x0F)
• Where
Hsup
is
md5(sidA7[3]+insnoA7[10])
62

63. Password
from
RSECTAB
63

64. Password
from
RSECTAB
• Second
round
• Encrypt
all
data
with
the
default
key
64

65. Password
from
RSECTAB
• What
about
the
default
key?
• It
is
encrypted
via
3DES-­‐EDE2,
too
• But
the
key
for
this
encryp;on
is
hardcoded
65

66. Preven=on
• Change
the
default
key
• SAP
Security
Note
1902611
• Choosing
your
own
key:
hp://help.sap.com/saphelp_nw70ehp2/helpdata/en/e0/
f73d41945bdb2be10000000a1550b0/content.htm
66

67. 67
Passwords
from
DBCON
table

68. DBCON
table
• SAP
has
a
connec;on
with
different
DBs
• Administrator
can
manage
this
connec;on
via
the
transac;on
DBCO
• All
DB
connec;ons
informa;on
is
stored
encrypted
in
the
table
DBCON
(Descrip;on
of
Database
Connec;ons)
68

69. DBCON
table
•
Encrypted
data
looks
like:
V01/0030ZctvSB67Wv1OuVLazse4ORik
–
BASE64
+
DES
–
hardcoded
key:
59A…70E
–
decrypted
data
includes
sta;c
salt:
BE HAPPY
69

70. Preven=on
• Restrict
access
to
the
table
DBCON
• Restrict
access
to
the
transac;on
DBCO
• SAP
Security
Notes
1638280
and
1823566
70

71. 71
Passwords
from
HANA

72. SAP
HANA
• User
details
(including
passwords)
stored
in
hdbuserstore
• Located
in
the
/usr/sap/hdbclient
directory
• About
hdbuserstore:
‒ SSFS_HDB.DAT
‒ with
user
data
‒ with
keys
72

73. SAP
HANA
• SSFS_HDB.DAT
• Signature:
RSecSSFsData
• Algorithm:
3DES
• Default
key
is
the
same
as
in
the
ABAP
Security
Storage
73

74. SAP
HANA
• SAP
HANA
–
in
memory
database
• But
it
drops
some
data
into
FS
– Backup
– Savepoint
“The
SAP
HANA
database
holds
the
bulk
of
its
data
in
memory
for
maximum
performance,
but
it
sXll
uses
persistent
disk
storage
to
provide
a
fallback
in
case
of
failure.
Data
is
automaXcally
saved
from
memory
to
disk
at
regular
savepoints.
The
data
belonging
to
a
savepoint
represents
a
consistent
state
of
the
data
on
disk
and
remains
so
unXl
the
next
savepoint
operaXon
has
completed.
Aber
a
power
failure,
the
database
can
be
restarted
like
any
disk-­‐
based
database
and
returns
to
its
last
consistent
state,”
–
SAP
HANA
Security
Guide
74

75. SAP
HANA
•
“Data
volume
encrypXon
ensures
that
anyone
who
can
access
the
data
volumes
on
disk
using
operaXng
system
commands
cannot
see
the
actual
data.
If
data
volumes
are
encrypted,
all
pages
that
reside
in
the
data
area
on
disk
are
encrypted
using
the
AES-­‐256-­‐CBC
algorithm.”
•
“Aber
data
volume
encrypXon
has
been
enabled,
an
iniXal
page
key
is
automaXcally
generated.
Page
keys
are
never
readable
in
plain
text,
but
are
encrypted
themselves
using
a
dedicated
persistence
encrypXon
root
key.”
75

76. SAP
HANA
“SAP
HANA
uses
SAP
NetWeaver
SSFS
to
protect
the
root
encrypXon
keys
that
are
used
to
protect
all
encrypXon
keys
used
in
the
SAP
HANA
system
from
unauthorized
access.”
• SSFS_HDB.DAT
–
HDB_SERVER/PERSISTENCE/ROOTKEY
–
HDB_SERVER/DPAPI
• The
persistence
encryp;on
feature
does
not
encrypt
the
following
data:
–
Database
redo
log
files
–
Database
backups
–
Database
traces
76

77. Preven=on
• Change
the
encryp;on
key
aler
installa;on
• Restrict
access
to
the
key
file
• Restrict
access
to
the
DAT
file
• Security
guide
for
HANA
(p.
71)
h&p://help.sap.com/hana/SAP_HANA_Security_Guide_en.pdf
• Secure
storage
in
the
file
system:
h&p://help.sap.com/saphelp_nw70ehp2/helpdata/en/
a0/82dd0abbde4696b98a8be133b27f3b/content.htm
77

78. Etc..
•
ICF
Password
Repository
– ICFSECPASSWD
•
FI
module
passwords
– FIEB_PASSWORD
•
Oracle
Fail
Safe
– Stores
passwords
inside
the
ENVIRONMENT
variable
(Note
1764043
p.
4)
•
SAP
BusinessObjects
LCMuser
–
hardcoded
SVN
user
– SAP
BusinessObjects
Enterprise
XI.0LCM_repositorysvn_repository
conf
•
SAP
BusinessObjects
axis2
login:password
– axis2.xml
78

79. It
is
possible
to
protect
yourself
from
these
kinds
of
issues,
and
we
are
working
close
with
SAP
to
keep
customers
secure
SAP
guides
It’s
all
in
your
hands
Regular
security
assessments
ABAP
code
review
Monitoring
technical
security
Segrega=on
of
du=es
79
Conclusion

80. I'd
like
to
thank
SAP's
Product
Security
Response
Team
for
the
great
cooperaXon
to
make
SAP
systems
more
secure.
Research
is
always
ongoing,
and
we
can't
share
all
of
it
today.
If
you
want
to
be
the
first
to
see
new
a&acks
and
demos,
follow
us
at
@erpscan
and
a&end
future
presentaXons.
PS:
• EAS-­‐SEC:
Recourse
which
combines
– Guidelines
for
assessing
enterprise
applica;on
security
– Guidelines
for
assessing
custom
code
– Surveys
about
enterprise
applica;on
security
80
Future
work