ERP Security:
How hackers can open the safe
and take the jewels
September 25-27, 2013
Ekoparty Security Conference
Buenos Aires, Argentina
Ezequiel Gutesman (@gutes) egutesman@onapsis.com
Jordan Santarsieri (@jsansec) jsantarsieri@onapsis.com
ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved 2
Disclaimer
This publication is copyright 2013 Onapsis Inc. – All rights reserved.
This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP NetWeaver, Duet,
PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are
trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web
Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or
registered trademarks of Business Objects in the United States and/or other countries.
This publication contains references to the products of Oracle and services mentioned herein are trademarks or
registered trademarks of Oracle in all countries all over the world.
SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP
Group shall not be liable for errors or omissions with respect to the materials.
Oracle Corporation is neither the author nor the publisher of this publication and is not responsible for its
content, and Oracle Corporation shall not be liable for errors or omissions with respect to the materials.
Agenda
1. Introduction
● Why bother about ERPs?
● History of ERP Security
● ERP Security for hackers
2. Targeting ERPs
● Reinventing the wheel: Technology stacks
● Attack Vectors
● Demo time!
● Sabotage
● Espionage
● Fraud
3. Conclusions
1. Introduction
Why bother about ERPs?
Business areas that run on the ERP (figure): Sales, Production, Financial Planning, Invoicing, Procurement, Treasury, Logistics, Payroll, Billing, Human Resources.
Why bother about ERPs?
Who runs them (figure): Forbes 500 companies and mid-size companies.
Why bother about ERPs?
Threat evolution (figure): Zombies → Botnets → Hacktivism (*); Vulns; Cyberwarfare & Surveillance.
(*) http://suelette.home.xs4all.nl/underground/underground.txt
Why bother about ERPs?
• They run business-critical processes
• They store the most sensitive information
• Organizations are highly dependent on them
History of ERP security
Timeline 1970–2013 (figure reconstructed as text; the slide shows ERP/SAP milestones and ERP security research on one track and general security milestones on the other).

ERP / SAP track:
• 1972 – SAP RF → R/1
• 1980 – SAP R/2 (mainframe)
• 1993 – SAP R/3 (realtime, 3-tier)
• 2002 – SAP “virus” SAPVir; “Wir hacken eine SAP Datenbank”
• 2003 – “SAP” Password Sicherheit
• 2004 – SAP NetWeaver
• 2007 – Exploiting SAP Internals
• 2008 – SAP @ JtR
• 2009 (3) – Attacking SAP clients; Decompression of SAP's DIAG protocol; The risks of downward compatibility
• 2010 (5+) – SAP Knowledge Management; Attacking users with SAPSploit; Rootkits and Trojans on your SAP Landscape; The truth about ABAP Security; Protecting SAP Applications Against Common Attacks (SAP); SAP Security Notes
• 2011 (5+) – The Invoker Servlet; SAP Backdoors & Rootkits; Arch. & program vulns in SAP's J2EE engine; Security of Enterprise Business Application Systems; Attacks to SAP Web Applications
• 2012 (10+)
Annotations on the figure: “30 years of SoD”, “13 years”.

General security track:
• 1972 – Buffer overflows
• 1988 – Morris Worm
• 1995 – XSS
• 1996 – Ping of Death
• 2001 – Heap spraying; OWASP
• 2002 – SQLi; CSRF
• 2003 – Metasploit
• 2006 – Bluepill
• 2008 – Debian PRNG bug
• 2010 – Practical padding oracles
• 2011 – BEAST
• 2012 – CRIME
ERP Security for hackers
ESPIONAGE: Extract customer/vendor/HR data, financial planning information, balances, profits, sales information, manufacturing recipes, etc.
SABOTAGE: Paralyze the operation of the organization by shutting down the ERP system, disrupting interfaces with other systems, deleting critical information, etc.
FRAUD: Modify financial information, tamper with sales and purchase orders, create new vendors, modify vendor bank account numbers, etc.
2. Targeting ERPs
Reinventing the wheel: Technology stacks
Layered architecture (figure): Client (web/API/thick client) → Application Server → DB → OS, with External Servers & Other Application servers alongside.
Attack Vectors labelled on the figure: Proprietary protocols / HTTP / SOAP / CORBA; Trust relationships / ODBC / Other.
Reinventing the wheel: Technology stacks
Layered architecture
Attack Vectors - SAP
http://bit.ly/19AXe7Y
Reinventing the wheel: Technology stacks
Layered architecture
Attack Vectors – Oracle JD Edwards
http://bitly.com/QB12xx
Components (figure): Web Server, JDE Java Application Server (JAS), JDE Enterprise Server, Database Server, JDE Deployment Server.
Protocols between them (figure): HTTP, JDENET, ODBC.
Attack Vectors
• Components and servers through protocols
– P4, DIAG, RFC, NI, CORBA, SOAP, JDENET, HTTP, SNC, etc.
• Crypto
– Stored keys, default certificates, proprietary schemes
• Business through data manipulation
– Default credentials, lack of checks
• Apps
– Web, companion apps, transactions, reports, external tools, APIs
• DB
– Connectors, trust relationships, default accounts
Demo Time!
SABOTAGE
JD Edwards: Shutdown via UDP
The JDENet component listens on port 6015 (UDP) for control commands:
SHOWCONN, TOGGLE_LOG, CONNECT_FROM, CONNECT_TO, CONNECT_REJECT, GET_WRKMGT, VIEW_KERNEL_TRACE, SHUTDOWN, USRBROADCAST, …
Wait...
JD Edwards: Shutdown via UDP
Demo
JD Edwards: Shutdown via UDP
>>> send((IP(dst="192.168.254.128")/UDP(dport=6015)/"SHUTDOWN"))
0000 45 00 00 24 00 01 00 00 40 11 F9 25 C0 A8 00 46 E..$....@..%...F
0010 C0 A8 00 0C 00 35 17 7F 00 10 22 3D 53 48 55 54 .....5...."=SHUT
0020 44 4F 57 4E DOWN
An attacker needs:
– Access to port 6015 (UDP) on the target
– To send a single UDP packet
An attacker gets:
– Immediate JDE Enterprise Server shutdown
Fix:
Apply the latest Oracle Critical Patch Update; the fix for this attack was released by Oracle in a scheduled CPU.
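A defender-side counterpart to the scapy one-liner above, added here as an example that is not part of the original deck: a minimal IPv4/UDP decoder that flags datagrams carrying one of the JDENet control commands listed on the earlier slide towards UDP/6015, the kind of rule a sensor in front of the JDE Enterprise Server would run. The packet bytes are the ones from the hex dump above; the packet builder (used only to produce test data, it sends nothing), the benign DNS-shaped datagram and the severity labels are constructed for this example, and the command list is assumed to be only as complete as the slide shows it.

```python
import struct

# JDENet control commands listed on the slide; SHUTDOWN is the sabotage case.
JDENET_CONTROL_COMMANDS = {
    "SHOWCONN", "TOGGLE_LOG", "CONNECT_FROM", "CONNECT_TO", "CONNECT_REJECT",
    "GET_WRKMGT", "VIEW_KERNEL_TRACE", "SHUTDOWN", "USRBROADCAST",
}
JDENET_UDP_PORT = 6015

# The 36 bytes from the slide's hex dump: IPv4 header + UDP header + "SHUTDOWN".
SLIDE_PACKET = bytes.fromhex(
    "45000024000100004011f925c0a80046"
    "c0a8000c0035177f0010223d53485554"
    "444f574e"
)


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (IP and UDP checksums)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ip(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_ipv4_udp(src, dst, sport, dport, payload, ident=1, ttl=64):
    """Test-data helper: build an IPv4/UDP datagram with valid checksums."""
    udp_len = 8 + len(payload)
    pseudo = _ip(src) + _ip(dst) + struct.pack("!BBH", 0, 17, udp_len)
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, 0)
    udp_csum = _checksum(pseudo + udp_hdr + payload) or 0xFFFF
    udp = udp_hdr[:6] + struct.pack("!H", udp_csum) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, ident, 0,
                         ttl, 17, 0, _ip(src), _ip(dst))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", _checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + udp


def parse_ipv4_udp(frame: bytes):
    """Decode an IPv4 datagram carrying UDP; None for anything else or truncated input."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 17 or len(frame) < ihl + 8:
        return None
    sport, dport, udp_len = struct.unpack("!HHH", frame[ihl:ihl + 6])
    payload = frame[ihl + 8: ihl + max(udp_len, 8)]
    return {
        "src": ".".join(map(str, frame[12:16])),
        "dst": ".".join(map(str, frame[16:20])),
        "sport": sport, "dport": dport, "payload": payload,
    }


def detect_jdenet_control(frame: bytes):
    """Alert dict when the datagram carries a JDENet control command to UDP/6015, else None."""
    pkt = parse_ipv4_udp(frame)
    if pkt is None or pkt["dport"] != JDENET_UDP_PORT:
        return None
    command = pkt["payload"].split(b"\x00", 1)[0].decode("ascii", "replace").strip()
    if command not in JDENET_CONTROL_COMMANDS:
        return None
    # Severity labels are an assumption of this example: SHUTDOWN halts the server outright.
    return {"src": pkt["src"], "dst": pkt["dst"], "command": command,
            "severity": "critical" if command == "SHUTDOWN" else "high"}


def scan(frames):
    """Run the detector over an iterable of raw frames and keep the alerts."""
    return [alert for alert in map(detect_jdenet_control, frames) if alert]


if __name__ == "__main__":
    # Constructed benign datagram (DNS-shaped, to port 53) for contrast.
    benign = build_ipv4_udp("192.168.0.70", "192.168.0.53", 40000, 53, b"\x12\x34\x01\x00")
    for alert in scan([SLIDE_PACKET, benign]):
        print(alert)
```

Note that the slide's dump decodes to destination 192.168.0.12 and UDP source port 53, so the detector keys on the destination port and payload only; the source port is an attacker's choice and is deliberately not part of the rule.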
Siebel: Bypass log in
The Anonymous user
• Required even if the application does not allow access by unregistered users
• Used at startup to connect to the “datasource”
• If deleted, no user could access Siebel
• At installation time, Siebel asks you to choose an already created user that will become the Anonymous user
• Should have low privileges, but to avoid configuration issues...
Siebel: Bypass log in
An attacker needs:
– Access to the application
– An insecure configuration of the Anonymous user
An attacker gets:
– Complete control of the Siebel installation
Siebel: Bypass log in
Demo
Fix:
In the Siebel configuration file, set the “anonymous user”
property to a low-privileged user.
FRAUD
SAP: Diverting payments (default credentials)
SAP Clients (or mandants)
– Entity w/ independent data (like a tenant)
– 3-digit identifiers
– “special” default clients (created on installation)
• 000 → Cross-client tasks
• 001 → Template for new clients
• 066 → SAP support
http://help.sap.com/saphelp_nw70/helpdata/en/3e/cdaccbedc411d3a6510000e835363f/content.htm
Callouts on the slide: SAP* gets the master password on installation; SAP* left w/ password 06071992.
Catch: SAP* in client 066 is not granted SAP_ALL privileges, but...
SAP: Diverting payments (default credentials)
Demo
Fix:
- Change the SAP* password on all clients (especially 066)
- Correctly assign SAP* permissions
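The two fix items above turn into a per-client audit of SAP*. The following is an added example, not code from the deck: it walks every client of a landscape, verifies whether SAP* still matches the installation default 06071992 cited on the slide, and flags SAP* holding SAP_ALL for review. The landscape, the user records and the salted-hash scheme are constructed for this example (SAP's own USR02 hash formats are not reproduced); in practice the records would come from a USR02/UST04 extract and the hash function would be swapped for the format of that extract.

```python
import hashlib
import hmac
import os

# Installation default for SAP* cited on the slide.
DEFAULT_SAPSTAR_PASSWORD = "06071992"
# Special clients created on installation, from the slide.
DEFAULT_CLIENTS = {"000": "cross-client tasks", "001": "template for new clients", "066": "SAP support"}


def hash_password(password: str, salt: bytes) -> str:
    """Constructed salted hash for this example only; replace with the hash format
    of your real user extract (this is not SAP's USR02 scheme)."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def user_record(client, user, password, profiles):
    """Build a constructed user record in the shape audit_sapstar() expects."""
    salt = os.urandom(8)
    return {"client": client, "user": user, "salt": salt,
            "pwd_hash": hash_password(password, salt), "profiles": frozenset(profiles)}


def audit_sapstar(clients, users):
    """Return (client, finding, severity) tuples for SAP* in every listed client."""
    findings = []
    index = {(u["client"], u["user"]): u for u in users}
    for client in sorted(clients):
        rec = index.get((client, "SAP*"))
        if rec is None:
            continue  # absent SAP* is a separate topic not covered by the slide
        role = DEFAULT_CLIENTS.get(client, "custom client")
        default_hash = hash_password(DEFAULT_SAPSTAR_PASSWORD, rec["salt"])
        # Constant-time compare: the audit output may itself be logged or shared.
        if hmac.compare_digest(rec["pwd_hash"], default_hash):
            findings.append((client, f"SAP* still has the installation default password ({role})", "critical"))
        if "SAP_ALL" in rec["profiles"]:
            # Severity is an assumption of this example; the slide only says to assign permissions correctly.
            findings.append((client, "SAP* holds SAP_ALL; confirm this is required", "high"))
    return findings


def sample_landscape():
    """Constructed landscape: the three default clients plus one productive client."""
    clients = ["000", "001", "066", "100"]
    users = [
        user_record("000", "SAP*", "Ch4nged-Str0ng-Pw", ["SAP_ALL"]),
        user_record("001", "SAP*", DEFAULT_SAPSTAR_PASSWORD, ["SAP_ALL"]),
        user_record("066", "SAP*", DEFAULT_SAPSTAR_PASSWORD, []),  # the slide's "catch": no SAP_ALL
        user_record("100", "SAP*", "An0ther-Str0ng-Pw", []),
    ]
    return clients, users


if __name__ == "__main__":
    for client, finding, severity in audit_sapstar(*sample_landscape()):
        print(f"[{severity}] client {client}: {finding}")
```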
ESPIONAGE
JD Edwards: Stealing passwords
Again the JDENet... it is also listening on port 6015 (TCP) for JDEMsg commands.
These allow remotely retrieving information from the JDE.INI file, as well as sensitive information in clear text:
Kernel types and configuration
Security Server configuration
SSO Node information
Database information
JD Edwards: Stealing passwords
An attacker needs:
– Access to port 6015 (TCP) on the target
– To send a function call (JdeMsg number 563)
• Use the hard-coded key and provide the victim's username
An attacker gets:
– The victim's password
JD Edwards: Stealing passwords
Demo
Fix:
Apply the latest Oracle Critical Patch Update; the fix for this attack was released by Oracle in a scheduled CPU.
Siebel: Search Inside
Siebel Query Language (no, it's not SQL)
• Used everywhere in Siebel
• Originally designed to filter data inside Applets
• Executing queries is not restricted by authorization checks (privilege independent)
Siebel: Search Inside
Access control in Siebel (figure):
@ View level → who can access the views
@ Business Component level → who can access the data
Siebel Query Language Injection
Demo
Fix:
Using eScript, catch the pre-query or Invoke query methods
applying a custom filter which should prevent the use of
dangerous functions.
SAP: Getting DB Admin rights
“The J2EE Engine provides a secure storage area where applications or service components on the J2EE Engine can store sensitive data such as passwords or communication destinations, in encrypted form” (*)
(*) http://help.sap.com/saphelp_nw73/helpdata/en/47/b08e68542e3378e10000000a421937/content.htm
/usr/sap/<SID>/SYS/global/security/data/SecStore.properties (3DES)
Problem #1: get the file
Problem #2: decrypt the file
Problem #3: access the DB
SAP: Getting DB Admin rights
1. Getting the Secure Store File
https://service.sap.com/sap/support/notes/1682613
Figure: SAP NetWeaver Application Server exposing P4 (RMI), labelled RMI / CORBA.
Uses P4 for:
• Communication between objects in different namespaces (e.g. FileTransfer_Stub)
• Reliable client-server connections
• Transparent failover for clustered remote objects
• etc.
/usr/sap/<SID>/SYS/global/security/data/SecStore.properties
SAP: Getting DB Admin rights
2. Decrypt Secure Store
3. Access DB
3DES – key bundle?
/usr/sap/<SID>/SYS/global/security/data/SecStore.properties
/usr/sap/<SID>/SYS/global/security/data/SecStore.key
SAP: Getting DB Admin rights
Demo
Fix:
- Apply note https://service.sap.com/sap/support/notes/1682613
- Correctly handle access to SecStore.key file
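Because the 3DES key file sits in the same directory as the encrypted store, "correctly handle access to SecStore.key" is above all a file-permission question. The following is an added example, not code from the deck or from SAP: it audits a security/data directory for the two files named on the slides, refusing symlinks and any 'other' access, and additionally refusing group access to the key file. That policy and the expected-owner check are assumptions of this example (SAP's own hardening guidance is not reproduced here), and the directory it audits is constructed in a temporary location with placeholder contents.

```python
import os
import stat
import tempfile

# Files from the slides: the encrypted store and the key stored beside it.
SECSTORE_FILES = ("SecStore.properties", "SecStore.key")


def check_secstore_access(data_dir, owner_uid=None):
    """Return (file, finding) tuples for access-control problems in data_dir.

    Policy (an assumption of this example): both files must be regular files,
    not accessible to 'other'; the key file must not be accessible to group
    either; if owner_uid is given, both must be owned by it (the <sid>adm user
    in a real installation)."""
    findings = []
    for name in SECSTORE_FILES:
        path = os.path.join(data_dir, name)
        try:
            st = os.lstat(path)  # lstat: a symlink pointing elsewhere is itself a finding
        except FileNotFoundError:
            findings.append((name, "file missing"))
            continue
        if not stat.S_ISREG(st.st_mode):
            findings.append((name, "not a regular file (symlink or special file)"))
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & stat.S_IRWXO:
            findings.append((name, f"accessible to other ({oct(mode)})"))
        if name == "SecStore.key" and mode & stat.S_IRWXG:
            findings.append((name, f"key accessible to group ({oct(mode)})"))
        if owner_uid is not None and st.st_uid != owner_uid:
            findings.append((name, f"owned by uid {st.st_uid}, expected {owner_uid}"))
    return findings


def demo_check(props_mode=0o644, key_mode=0o640):
    """Build a constructed security/data directory with the given modes and audit it."""
    with tempfile.TemporaryDirectory() as data_dir:
        for name, mode in (("SecStore.properties", props_mode), ("SecStore.key", key_mode)):
            path = os.path.join(data_dir, name)
            with open(path, "w") as fh:
                fh.write("# constructed placeholder, not real secure-store content\n")
            os.chmod(path, mode)
        return check_secstore_access(data_dir, os.getuid())


if __name__ == "__main__":
    for name, finding in demo_check():
        print(f"{name}: {finding}")
```

Run against the real path from the slide (/usr/sap/<SID>/SYS/global/security/data) by calling check_secstore_access() with that directory and the uid of the instance owner; the temporary directory in demo_check() only exists so the example runs offline.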
3. Conclusions
Conclusions
● ERP systems are among the most critical systems in the organization, and that makes them a really interesting target for attackers
● ERP security has a long history, most of it about SoD
● Technical vulnerabilities are more critical than SoD, since the attacker doesn't need any user in the system
● The attack surface is huge: proprietary protocols and custom technologies are everywhere
● Inherited code from the past
● Patching practices are delayed due to complexity and cost
● Since 2009 ERP cyber-security has been getting more attention. Leading organizations are already dealing with this.
Ezequiel Gutesman (@gutes) egutesman@onapsis.com
Jordan Santarsieri (@jsansec) jsantarsieri@onapsis.com
blog.onapsis.com
adventure.onapsis.com