Exploiting Critical Attack Vectors To
Gain Control Of SAP Systems
March 12th, 2013
BIZEC Workshop
Mariano Nunez
mnunez@onapsis.com
@marianonunezdc
Juan Perez-Etchegoyen
jppereze@onapsis.com
@jp_pereze
www.onapsis.com – © 2013 Onapsis, Inc. – All rights reserved
Disclaimer
This publication is copyright 2013 Onapsis Inc. – All rights reserved.
This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP
NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and
services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in
several other countries all over the world.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions,
Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are
trademarks or registered trademarks of Business Objects in the United States and/or other countries.
SAP AG is neither the author nor the publisher of this publication and is not responsible for its content,
and SAP Group shall not be liable for errors or omissions with respect to the materials.
Bizec workshop
Who is Onapsis Inc.?
● Company focused on protecting ERP systems from cyber-attacks (SAP®, Siebel®, Oracle® E-Business Suite™, PeopleSoft®, JD Edwards® …).
● Working with Global Fortune-100 and large governmental organizations.
● What does Onapsis do?
  ● Innovative ERP security software (Onapsis X1, Onapsis IPS, Onapsis Bizploit).
  ● ERP security professional services.
  ● Trainings on ERP security.
Who are we?
● Mariano Nunez, CEO at Onapsis.
● Juan Perez-Etchegoyen, CTO at Onapsis.
● Discovered several vulnerabilities in SAP and Oracle ERPs...
● Speakers/Trainers at BlackHat, RSA, SAP RC, HITB, Source, DeepSec…
SAP Application Security
• SAP systems are built upon several layers.
• Segregation of Duties (SoD) controls apply at the Business Logic layer.
• The SAP Application Layer (NetWeaver/BASIS) is common to most modern SAP solutions, serving as the base technological framework.
[Diagram: layer stack. Base Infrastructure: Operating System, Database. SAP Solution: SAP Application Layer, SAP Business Logic.]
The SAP J2EE engine and Enterprise Portal (EP)
● Latest Web technology from SAP.
● Goal: Provide a single access point to the organization's SAP (and non-SAP) systems through the Web.
● It “provides employees, partners, customers, and other workers with immediate, secure, and role-based access to key information and applications”.
● Technically, it’s a complex Java application running in the SAP J2EE Engine.
Attacks on the Java Application Server or the Java Portal could lead to the compromise of the rest of the related systems.
Attack #1
SAP Portal Header Authentication
Attacks to “Secured” Enterprise Portals
● SAP Enterprise Portal supports different authentication mechanisms, such as User & Password, X.509 Client Certificates, Logon Tickets, Kerberos, etc.
● The authentication is handled by the SAP J2EE Engine.
● Many organizations already have Web Access Management (WAM) solutions in place, providing two-factor authentication mechanisms.
● They use them to enable secured access to the systems (tokens, biometrics, etc.) and Single Sign-On.
● Some examples:
  ● RSA ClearTrust
  ● CA SiteMinder
  ● Oracle Oblix
  ● Entrust GetAccess
  ● Microsoft Integrated Windows Authentication (now deprecated)
A Special Authentication Scheme
● The Portal is integrated with these solutions by using the Header Variables Login Module.
● In these scenarios, the authentication procedure works as follows:
  1. The user provides authentication information to the EAM/WAM solution.
  2. The solution checks the provided credentials.
  3. If successful, it connects to the Enterprise Portal and sends the user to be authenticated in an HTTP header.
  4. The Enterprise Portal verifies that the user is valid (it exists), and returns an SAP SSO logon ticket to the user.
  5. The user is authenticated.
The Header Authentication Scheme
[Diagram, animated over several slides: the user “john:pass123” sends credentials to the EAM/WAM solution (step 1), which checks them (step 2) and forwards the user name to the Enterprise Portal in an HTTP header (step 3); the Portal checks that the user exists and returns an SAP SSO logon ticket (step 4), which the user receives as a cookie (step 5).]
The Attack
[Diagram: the attacker connects directly to the SAP Enterprise Portal instead of going through the EAM/WAM solution; labels: “john:pass123”, “Rough header_auth”, “cookie”.]
If the attacker can connect directly with the SAP Enterprise Portal, nothing prevents him from impersonating the EAM/WAM solution!
After my research and discovery, I found out this was documented since 2006 (!)
Attack #2
Verb Tampering
Verb tampering attacks
● This kind of vulnerability is based on an old and widespread concept called “VERB Tampering”. The attack vector involves sending HTTP requests using uncommon HTTP methods, like HEAD, PUT, DELETE...
● In the SAP J2EE Engine, applications are configured using an XML file, defining the profiles required to access the application and the “constraints” applying to each HTTP method.
● Some applications only restrict access to GET and POST!!!
● There is a vulnerable application (CTC runtime) that can be bypassed by sending HEAD requests. This application can be used to create users and execute OS commands!!!
Check if SAP Security Note 1624450 is implemented in your systems!
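A defender-side audit for the configuration pattern described above, as an added example (not SAP's or Onapsis' code): it parses a Java EE web.xml and reports every security-constraint whose auth-constraint is tied to an explicit http-method list, since any method not listed reaches the resource without that constraint. The two descriptors are constructed samples, not the CTC descriptor; the /admin/* pattern and role name are placeholders.

```python
"""Audit a Java EE web.xml for security constraints that cover only some HTTP
methods: added illustration, not SAP's or Onapsis' code.

The two descriptors below are constructed samples (not the CTC descriptor);
``/admin/*`` and the role name are placeholders.
"""
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed: the pattern behind verb tampering. Only GET and POST are tied
# to the auth-constraint, so HEAD, PUT, DELETE, ... reach the servlet with no
# authorization check at all.
WEAK_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>administrators</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

# Constructed: the corrected form. With no <http-method> element the
# constraint applies to every method, known or unknown.
FIXED_WEB_XML = WEAK_WEB_XML.replace(
    "      <http-method>GET</http-method>\n      <http-method>POST</http-method>\n", "")


def find_method_gaps(web_xml: str) -> List[Tuple[str, List[str]]]:
    """Return (url-pattern, methods) for each protected resource collection
    whose constraint is limited to an explicit method list."""
    root = ET.fromstring(web_xml)
    gaps: List[Tuple[str, List[str]]] = []
    # {*} matches any namespace, so the check works for j2ee, javaee and
    # un-namespaced descriptors alike.
    for sc in root.iterfind(".//{*}security-constraint"):
        if sc.find("{*}auth-constraint") is None:
            continue  # no auth-constraint: nothing is protected here anyway
        for wrc in sc.findall("{*}web-resource-collection"):
            methods = sorted(m.text.strip().upper()
                             for m in wrc.findall("{*}http-method") if m.text)
            if not methods:
                continue  # covers all methods: the safe form
            for pattern in wrc.findall("{*}url-pattern"):
                gaps.append((pattern.text.strip(), methods))
    return gaps


def report(web_xml: str) -> str:
    """Human-readable verdict used when running the script directly."""
    gaps = find_method_gaps(web_xml)
    if not gaps:
        return "OK: every auth-constraint applies to all HTTP methods"
    return "\n".join(f"GAP: {p} protected only for {', '.join(m)}" for p, m in gaps)


if __name__ == "__main__":
    print(report(WEAK_WEB_XML))
    print(report(FIXED_WEB_XML))
```

Servlet 3.0 http-method-omission elements and SAP's engine-specific descriptor files are not examined, so treat a clean result as a first pass, not as proof that the Security Note is applied.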
Attack #3
Abuse of JAVA Core Service
Abuse of JAVA core service
● The Application Server JAVA exposes several “Remote Object” interfaces. One of these interfaces is based on a proprietary protocol called P4. This interface is exposed on TCP service 5XX04 (where XX is the instance number).
● Due to the lack of authentication in a core service, it is possible to access arbitrary files.
● Any file can be read or written according to the privileges of the <SID>adm user (prdadm, devadm…).
● This could potentially lead to a full compromise of the SAP system.
Check if SAP Security Note 1682613 is implemented in your systems!
Thank you!