SAP®
Backdoors
A ghost at the heart of your business
Mariano Nuñez Di Croce
mnunez@onapsis.com
April 14, 2010
Black Hat Europe 2010 Briefings
Disclaimer
This publication is copyright Onapsis SRL 2010 – All rights reserved.
This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP
NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and
services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in
several other countries all over the world.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions,
Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are
trademarks or registered trademarks of Business Objects in the United States and/or other countries.
SAP AG is neither the author nor the publisher of this publication and is not responsible for its content,
and SAP Group shall not be liable for errors or omissions with respect to the materials.
www.onapsis.com – © Onapsis S.R.L. 2010 – All rights reserved
SAP Backdoors Presentation
Who is Onapsis?
Specialized company focused on the security of business-critical
applications (SAP®, Siebel®, Oracle® E-Business SuiteTM, JD Edwards® …).
Core business areas:
Development of specialized security software solutions.
Security consultancy services.
Trainings on business-critical systems security.
Who am I?
Director of Research and Development at Onapsis.
Degree in Computer System Engineering.
Originally devoted to Penetration Testing and Vulnerability Research.
Discovered vulnerabilities in Microsoft, Oracle, SAP, IBM, …
Speaker/Trainer at Black Hat, HITB, Sec-T, Hack.lu, DeepSec, Ekoparty.
Agenda
Introduction
A Ghost in the User Master
Backdoors in SAP Business Modules
Backdoors in the Authentication Procedure
Onapsis Integrity Analyzer for SAP
Conclusions
Introduction
What is SAP?
● Largest provider of business management solutions in the world.
● More than 140.000 implementations around the globe.
● More than 90.000 customers in 120 countries.
● Used by Fortune-500 world-wide companies, governmental
organizations and defense facilities to run their every-day business
processes.
● Such as Revenue / Production / Expenditure business cycles.
SALES
PRODUCTION
FINANCIAL PLANNING
INVOICING
PROCUREMENT
TREASURY
LOGISTICS
PAYROLL
BILLING
Backdoor
“… special methods that are implemented in an information system, usually after an unauthorized compromise, with the purpose of securing future access to the system while attempting to remain undetected …”
Why are SAP Backdoors special?
● Backdoors have been known since the origins of computer systems.
● However, there is very little (if any) public information about how they can affect SAP platforms.
● “Not Public” != “Not currently being exploited”
● The biggest misconception in the term “SAP Security”: SAP Security is much more than Segregation of Duties!
● Most standards & regulations still don’t get it.
● Most Auditing companies still don’t get it.
● Some customers still don’t get it.
SoD is not enough to prevent Backdoors!
From the trenches:
During an assessment, a “SoD compliant” SAP
system (which had cost $$$$^n to implement), could
be remotely compromised in a matter of seconds
through the exploitation of a vulnerability in a
technological component.
With that kind of privilege, a backdoor could have
been installed.
Ok, but… what is the real risk?
CONFIDENTIALITY
AVAILABILITY
INTEGRITY
ESPIONAGE
SABOTAGE
FRAUD
The Initial Compromise
● In order to install a backdoor, the attacker needs to compromise the system first, and obtain high privileges.
● The Threat Model map includes the following components:
● SAP Business Application Layer
● SAP IT Application Layer
● Database Layer
● Operating System Layer
Wide Attack Surface
● Due to intrinsic trust relationships, a high-privileged takeover of one technological component results in a complete compromise of the whole platform.
● OS Administrator <==> DBA <==> SAP_ALL !!
● Check the Onapsis “Penetration Testing SAP Systems” presentation [1] for further insights.
A Ghost in the User Master
Welcome to the SAP world…
● You connect to your company’s Production SAP system through SAPGUI.
● You have to specify access credentials:
● Client (logical “independent” unit in the SAP system)
● Username
● Password
● The system checks the password stored for you in the User Master.
● If the password you provided matches the stored one… access granted.
● You start performing business processes and making the company earn billions.
Oops! Downwards compatibility…
● SAP has implemented different password hashing mechanisms to make systems stronger (from 8-character MD5 to 40-character SHA-1).
● The problem arises when a “weak” system wants to connect with a “strong” one… integration fails -> business fails.
● Workaround: By default, the User Master contains the downwards-compatible hashes as well as the strong one.
● More than one password hash per user.
● This opens room for several attacks. Check Onapsis’s “SAP Security In-Depth” publication, issue #2 [2].
Oops! Downwards compatibility…
● Which password hash is used for comparison?
● Controlled through profile parameter login/password_downwards_compatibility
Value  Impact
0      Downwards-compatibility disabled. No weak hashes are generated.
1      Downwards-compatibility enabled. Weak hashes are generated for integration with older releases, but they are not evaluated.
2      If the logon attempt using the downwards-incompatible password fails, check whether the downwards-compatible one would work. Log and deny access.
3      The same as 2, but the logon is considered successful. This is registered in the system log.
4      The same as 3, but no system log entry is written.
● The parameter can be modified dynamically! (No SAP restart required)
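To make the decision table usable for monitoring, here is an added Python model (not from the slides or from Onapsis) of how each value of login/password_downwards_compatibility decides a logon attempt, and of a profile-file check that rates the configured value; the strong/weak hash comparison results are passed in as booleans and the severity labels are my own assumptions.

```python
from dataclasses import dataclass

# Allowed values of login/password_downwards_compatibility as listed on the slide.
VALID_VALUES = (0, 1, 2, 3, 4)
PARAM = "login/password_downwards_compatibility"


@dataclass(frozen=True)
class LogonOutcome:
    granted: bool          # was access granted?
    weak_hash_used: bool   # did the decision depend on the downwards-compatible hash?
    logged: bool           # was a system-log entry written about the weak-hash fallback?


def logon_decision(param_value: int, strong_matches: bool, weak_matches: bool) -> LogonOutcome:
    """Model the decision table for one logon attempt.

    strong_matches / weak_matches state whether the supplied password matched the
    strong (downwards-incompatible) hash or the weak (downwards-compatible) hash.
    The hash comparison itself is outside this model (assumption).
    """
    if param_value not in VALID_VALUES:
        raise ValueError(f"unknown value {param_value!r}")
    if strong_matches:
        # The strong hash is tried first; a match never involves the weak one.
        return LogonOutcome(granted=True, weak_hash_used=False, logged=False)
    if param_value in (0, 1):
        # 0: no weak hashes exist. 1: they exist but are not evaluated at logon.
        return LogonOutcome(granted=False, weak_hash_used=False, logged=False)
    if not weak_matches:
        # Values 2-4 fall back to the weak hash, but it did not match either.
        return LogonOutcome(granted=False, weak_hash_used=True, logged=False)
    if param_value == 2:
        return LogonOutcome(granted=False, weak_hash_used=True, logged=True)  # log and deny
    if param_value == 3:
        return LogonOutcome(granted=True, weak_hash_used=True, logged=True)   # log and accept
    return LogonOutcome(granted=True, weak_hash_used=True, logged=False)      # 4: accept silently


def assess_value(param_value: int) -> tuple:
    """Map a configured value to (severity, reason) for a monitoring check (labels are mine)."""
    if param_value == 0:
        return "ok", "no downwards-compatible hashes are generated"
    if param_value == 1:
        return "low", "weak hashes are stored (extra hash per user) but not evaluated"
    if param_value == 2:
        return "medium", "weak hashes are evaluated at logon; a fallback match is logged and denied"
    if param_value == 3:
        return "high", "a weak-hash match grants access (written to the system log)"
    if param_value == 4:
        return "critical", "a weak-hash match grants access with no system-log entry"
    return "unknown", f"unexpected value {param_value!r}"


def check_profile(profile_text: str) -> tuple:
    """Find the parameter in 'name = value' profile lines and assess it.

    The profile file only shows the static setting: because the slides note the
    parameter can be changed dynamically without a restart, the effective value
    on a running instance has to be read from the instance itself as well.
    """
    for raw in profile_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment in SAP profiles
        if "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if name == PARAM:
            try:
                return assess_value(int(value))
            except ValueError:
                return "unknown", f"non-numeric value {value!r}"
    return "unset", "parameter not present in profile; the system default applies"


# Constructed sample profile fragment (not taken from a real system).
SAMPLE_PROFILE = """\
# instance profile (constructed example)
login/min_password_lng = 8
login/password_downwards_compatibility = 4
"""

if __name__ == "__main__":
    print(check_profile(SAMPLE_PROFILE))
    for value in VALID_VALUES:
        print(value, logon_decision(value, strong_matches=False, weak_matches=True))
```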
Live demo
Protection / Countermeasure
Monitor the value of the specified profile parameter to detect
insecure values.
Implement a dedicated authorization group for U* tables.
Check SAP Note 1023437.
Backdoors in SAP Business Modules
Welcome (back) to the SAP World…
● Once logged in, you interact with the system by running Transactions.
● In fact, you are running ABAP Programs/Reports.
● ABAP Programs can be divided into:
● Standard (developed and shipped by SAP AG)
● Custom (developed in-house by the company; names start with Z* or Y*)
● Standard programs can be modified, but this is strongly discouraged.
● SSCR steps in => you must ask SAP AG for a special key.
● ABAP Programs are stored in the system’s database.
● Table REPOSRC contains the compressed source code.
● Table REPOLOAD contains the ABAP load (~ bytecode).
The Change and Transport System
● Typical SAP system landscape:
● Developments and changes “can only be done in the DEV system”.
● The PRD system is configured to block any attempt to modify programs directly in the system.
● Through this procedure, it is expected that “the quality and availability of the SAP production systems is maximized”.
Unauthorized modification of ABAP Programs directly in the Production System is possible.
SAP’s Heart: The Database
● Unauthorized modification at the SAP layer may be possible, but it is not trivial.
● What about the usually misconfigured, left-by-default, LAN-accessible Database??
● SAP + Oracle authentication weakness.
● Default SAP database user credentials.
● Database exploits.
● The attacker can still get to the Database through the SAP system, due to the intrinsic trust relationships!
● No CRC or signature check on the stored ABAP code.
● Simple SQL queries will do the trick!
Live demo
Backdoors in the Authentication Procedure
Protection for Critical ABAP Programs
● Certain critical standard ABAP programs are protected to prevent access to their source code from the SAP System, e.g. using transaction SE80.
● Started researching how this feature was implemented:
● REPOSRC.SQLX = ‘X’ ? No noticeable results.
● Special ABAP “Magic String”: *@#@@[SAP]
● If the source code contains the magic string, the SAP Kernel rejects access to the source code.
● However, there seems to be something else…
SAPMSYST – SAP’s Cop
● Probably the most critical piece of ABAP code in an SAP system.
● Handles the User Authentication Procedure.
● This program is protected through a specific, hard-coded Kernel check!
● The check is performed on the ABAP program’s name…
● Bypass is possible by pivoting the program in the Database.
Live demo
Protection / Countermeasure
It’s not possible to detect and protect against backdoors from
within the SAP system itself.
External tools are needed.
Onapsis Integrity Analyzer for SAP
Onapsis Integrity Analyzer for SAP
● Purpose: Detect modifications of ABAP code in an SAP system.
● Free download from http://www.onapsis.com/ianalizer (upcoming...)
● Proof-of-concept: Only working for SAP/Oracle 10g.
● Developed by Jordan Santarsieri and me @ the Onapsis Research Labs.
● Why do you need it? It’s not feasible to detect backdoors from inside the SAP system itself:
● Backdoors can leave the Program’s “Last modified date” untouched.
● The analysis programs may have also been manipulated to hide the backdoor’s presence!
Onapsis Integrity Analyzer for SAP
● Want to do it manually? The number of SAP programs is measured in hundreds of thousands (and even more).
● Onapsis Integrity Analyzer connects to the Database and takes “snapshots” of sensitive ABAP report tables.
● Periodically, new snapshots are compared with older snapshots and modified programs are identified.
● Tracking of SAP Notes is also considered.
The detection of suspicious modifications should trigger a special investigation.
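The snapshot-and-compare approach described above, as an added Python example (not the Onapsis tool's code): it fingerprints the bytes stored for each program, diffs an older and a newer snapshot, and separates changes accounted for by an applied SAP Note from unexplained ones, while showing why the "last modified" metadata cannot be trusted. The row fields modelled after REPOSRC, zlib as a stand-in for SAP's own compression, and the `expected` map are assumptions.

```python
import hashlib
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ReposrcRow:
    """One row of the program-source table (fields modelled after REPOSRC: assumption)."""
    progname: str   # program name
    unam: str       # last changed by
    udat: str       # last changed date
    data: bytes     # stored compressed source; hashed as stored, no decompression needed


def snapshot(rows) -> dict:
    """Fingerprint every program by the bytes actually stored in the database.

    Hashing the stored blob instead of trusting UNAM/UDAT is the point: a
    backdoor written straight into the table can leave that metadata untouched.
    """
    return {row.progname: hashlib.sha256(row.data).hexdigest() for row in rows}


def compare(old: dict, new: dict, expected: dict = None) -> dict:
    """Diff two snapshots.

    `expected` maps progname -> fingerprint for changes explained by applied
    SAP Notes or transports (my assumption of how note tracking is fed in);
    such changes are reported as 'approved' rather than 'modified'.
    """
    expected = expected or {}
    result = {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": [],
        "approved": [],
    }
    for name in sorted(set(old) & set(new)):
        if old[name] == new[name]:
            continue
        if expected.get(name) == new[name]:
            result["approved"].append(name)
        else:
            result["modified"].append(name)
    return result


def _row(name: str, source: str, unam: str = "DEVELOPER", udat: str = "20100301") -> ReposrcRow:
    # zlib stands in for SAP's own compression of the source column (assumption).
    return ReposrcRow(name, unam, udat, zlib.compress(source.encode()))


# Constructed sample data: a baseline snapshot and a later one.
BASELINE = [
    _row("SAPMSYST", "REPORT SAPMSYST.\n* logon program as shipped"),
    _row("SAPLSTD1", "FUNCTION-POOL STD1.\n* version before the note"),
    _row("ZFI_PAYRUN", "REPORT ZFI_PAYRUN.\nWRITE 'payroll run'."),
]
LATER = [
    BASELINE[0],
    # Legitimately changed by an applied note: metadata updated, hash known in advance.
    _row("SAPLSTD1", "FUNCTION-POOL STD1.\n* version after applying the note", udat="20100410"),
    # Source changed, but UNAM/UDAT equal the baseline: a timestamp-based review misses it.
    _row("ZFI_PAYRUN", "REPORT ZFI_PAYRUN.\nWRITE 'payroll run'.\n* statement added outside the CTS"),
    _row("ZNEW_HELPER", "REPORT ZNEW_HELPER.\nWRITE 'hello'."),
]
EXPECTED = {"SAPLSTD1": hashlib.sha256(LATER[1].data).hexdigest()}


def run_check() -> dict:
    """Compare the two constructed snapshots; unexplained changes go to 'modified'."""
    return compare(snapshot(BASELINE), snapshot(LATER), EXPECTED)


if __name__ == "__main__":
    for category, names in run_check().items():
        print(f"{category:9s} {names}")
```

Each name under "modified" or "added" is what the slides call a suspicious modification and should start an investigation.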
Live demo
Conclusions
Some Thoughts on SAP Backdoors
● The Backdoor threat affects every information system; it’s not a risk specific to the SAP platform.
● Once an attacker has obtained maximum privileges over an information system, it is really difficult to restrict his activities, and SAP is not the exception.
● It’s possible to modify ABAP programs directly in Production.
● SAP Backdoors can have devastating impacts on the Business.
● Attacks are possible through vectors other than DB access.
● These backdoors won’t be installed for fun; it’s about MONEY.
● Onapsis’s Integrity Analyzer for SAP can help you implement more in-depth reactive controls.
Some Thoughts on SAP Backdoors
● The most cost-effective protection: Minimize the probability of the initial compromise.
● Automated controls.
● Periodic technical security assessments of SAP platforms.
● Vulnerability Assessments.
● Penetration Tests.
● Security Audits.
The only sustainable choice the industry faces
is the objective and responsible analysis of this
threat.
¿Questions?
mnunez@onapsis.com
Thank you!
www.onapsis.com

[CB19] Spyware, Ransomware and Worms. How to prevent the next SAP tragedy by ...[CB19] Spyware, Ransomware and Worms. How to prevent the next SAP tragedy by ...
[CB19] Spyware, Ransomware and Worms. How to prevent the next SAP tragedy by ...
 
openSAP_fiops1_Week_1_All_Slides.pdf
openSAP_fiops1_Week_1_All_Slides.pdfopenSAP_fiops1_Week_1_All_Slides.pdf
openSAP_fiops1_Week_1_All_Slides.pdf
 
PSD Enablement Session: "News for SAP Platform Partners. The "Manage my Partn...
PSD Enablement Session: "News for SAP Platform Partners. The "Manage my Partn...PSD Enablement Session: "News for SAP Platform Partners. The "Manage my Partn...
PSD Enablement Session: "News for SAP Platform Partners. The "Manage my Partn...
 

Onapsis SAP Backdoors

  • 1. SAP® Backdoors: A ghost at the heart of your business. Mariano Nuñez Di Croce, mnunez@onapsis.com. April 14, 2010, Black Hat Europe 2010 Briefings.
  • 2. Disclaimer. This publication is copyright Onapsis SRL 2010 – All rights reserved. This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or registered trademarks of Business Objects in the United States and/or other countries. SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials. www.onapsis.com – © Onapsis S.R.L. 2010 – All rights reserved. SAP Backdoors Presentation.
  • 3. Who is Onapsis? Specialized company focused on the security of business-critical applications (SAP®, Siebel®, Oracle® E-Business Suite™, JD Edwards® …). Core business areas:
    ● Development of specialized security software solutions.
    ● Security consultancy services.
    ● Training on business-critical systems security.
    Who am I?
    ● Director of Research and Development at Onapsis.
    ● Degree in Computer Systems Engineering.
    ● Originally devoted to penetration testing and vulnerability research.
    ● Discovered vulnerabilities in Microsoft, Oracle, SAP, IBM, …
    ● Speaker/trainer at Black Hat, HITB, Sec-T, Hack.lu, DeepSec, Ekoparty, …
  • 4. Agenda
    ● Introduction
    ● A Ghost in the User Master
    ● Backdoors in SAP Business Modules
    ● Backdoors in the Authentication Procedure
    ● Onapsis Integrity Analyzer for SAP
    ● Conclusions
  • 5. Introduction
  • 6. What is SAP?
    ● Largest provider of business management solutions in the world.
    ● More than 140,000 implementations around the globe.
    ● More than 90,000 customers in 120 countries.
    ● Used by Fortune 500 companies world-wide, governmental organizations and defense facilities to run their every-day business processes, such as the Revenue, Production and Expenditure business cycles: Sales, Production, Financial Planning, Invoicing, Procurement, Treasury, Logistics, Payroll, Billing.
  • 7. Backdoor: "… special methods that are implemented in an information system, usually after an unauthorized compromise, with the purpose of securing future access to the system while attempting to remain undetected …"
  • 8. Why are SAP Backdoors special?
    ● Backdoors have been known since the origins of computer systems.
    ● However, there is very little (no) public information about how they can affect SAP platforms.
    ● "Not public" != "Not currently being exploited".
    ● The biggest misconception in the term "SAP Security": SAP security is much more than Segregation of Duties!
      ● Most standards & regulations still don't get it.
      ● Most auditing companies still don't get it.
      ● Some customers still don't get it.
  • 9. SoD is not enough to prevent Backdoors! From the trenches: during an assessment, a "SoD compliant" SAP system (which had cost $$$$^n to implement) could be remotely compromised in a matter of seconds through the exploitation of a vulnerability in a technological component. With that kind of privilege, a backdoor could have been installed. Ok, but… what is the real risk?
  • 12. The Initial Compromise
    ● In order to install a backdoor, the attacker needs to compromise the system first and obtain high privileges.
    ● The threat model map includes the following components: SAP Business Application Layer, SAP IT Application Layer, Database Layer, Operating System Layer.
  • 13. Wide Attack Surface
    ● Due to intrinsic trust relationships, a high-privileged takeover of one technological component results in a complete compromise of the whole platform.
    ● OS Administrator <==> DBA <==> SAP_ALL !!
    ● Check Onapsis' "Penetration Testing SAP Systems" presentation [1] for further insights.
  • 14. A Ghost in the User Master
  • 15. Welcome to the SAP world…
    ● You connect to your company's Production SAP system through SAPGUI.
    ● You have to specify access credentials: Client (logical "independent" unit in the SAP system), Username, Password.
    ● The system checks your saved password from the User Master.
    ● If the password you provide matches the stored one… access granted.
    ● You start performing business processes and making the company earn billions.
  • 16. Oops! Downwards compatibility…
    ● SAP has implemented different password hashing mechanisms to make systems stronger (from 8-character MD5 to 40-character SHA-1).
    ● The problem happens when a "weak" system wants to connect with a "strong" one… integration fails -> business fails.
    ● Workaround: by default, the User Master shall contain the downwards-compatible hashes as well as the strong one.
    ● More than one password hash per user.
    ● This opens room for several attacks. Check Onapsis' "SAP Security In-Depth" publication, issue #2 [2].
  • 17. Oops! Downwards compatibility…
    ● Which password hash to use for comparison?
    ● Controlled through profile parameter login/password_downwards_compatibility:

      Value  Impact
      0      Downwards-compatibility disabled. No weak hashes are generated.
      1      Downwards-compatibility enabled. Weak hashes generated for integration with older releases. Weak hashes not evaluated.
      2      If the logon attempt using the downwards-incompatible password fails, check if the downwards-compatible one would work. Log and deny access.
      3      The same as with 2, but the logon is considered successful. This is registered in the system log.
      4      The same as with 3, but no system log entry is written.

    ● The parameter can be modified dynamically! (No SAP restart required.)
  • 18. Live demo
  • 19. Protection / Countermeasure
    ● Monitor the value of the specified profile parameter to detect insecure values.
    ● Implement a dedicated authorization group for U* tables.
    ● Check SAP Note 1023437.
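The parameter table on slide 17 and the monitoring advice on slide 19 are easiest to reason about as code. What follows is an added example, not code from the presentation: it models one User Master row that holds both a strong and a downwards-compatible hash, and walks the logon decision through parameter values 0 to 4 exactly as the slide lists them. The two hash functions, the row layout, the user name FI_CLERK, the salt and the passwords are stand-ins and assumptions; they do not reproduce SAP's real password code versions, only the shape of the decision.

```python
"""Logon decision under login/password_downwards_compatibility (slides 15-19).

Added example, not code from the presentation. weak_hash/strong_hash are
STAND-INS for SAP's weak (8-character, MD5-based) and strong (40-character,
SHA-1-based) hashes: one weak and one strong hash per user master row, and a
parameter that decides whether the weak one is ever consulted.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

# Parameter values and meanings as listed on slide 17.
DISABLED = 0          # no weak hash generated, never evaluated
GENERATE_ONLY = 1     # weak hash stored for old releases, never evaluated
CHECK_LOG_DENY = 2    # weak hash evaluated after the strong one fails; logged, denied
CHECK_LOG_ALLOW = 3   # weak hash grants access; system log entry written
CHECK_SILENT = 4      # weak hash grants access; nothing logged


def weak_hash(password: str) -> str:
    """Stand-in weak hash (assumption): case-folded, truncated to 8 chars, unsalted."""
    return hashlib.md5(password[:8].upper().encode()).hexdigest()[:16].upper()


def strong_hash(password: str, salt: str) -> str:
    """Stand-in strong hash (assumption): salted SHA-1, 40 hex characters."""
    return hashlib.sha1((salt + password).encode()).hexdigest()


@dataclass
class UserMasterRow:
    """One user in the User Master; both hash columns live side by side."""
    username: str
    salt: str
    strong: str
    weak: Optional[str]   # None when the system never generated a weak hash


def create_user(username: str, password: str, param: int, salt: str = "c0ffee") -> UserMasterRow:
    weak = weak_hash(password) if param >= GENERATE_ONLY else None
    return UserMasterRow(username, salt, strong_hash(password, salt), weak)


def logon(row: UserMasterRow, password: str, param: int) -> Tuple[bool, Optional[str]]:
    """Return (access granted, system log message or None) for one logon attempt."""
    if strong_hash(password, row.salt) == row.strong:
        return True, None                       # normal path: strong hash matched
    if param < CHECK_LOG_DENY or row.weak is None:
        return False, None                      # weak hash is never consulted
    if weak_hash(password) != row.weak:
        return False, None                      # weak hash consulted, no match
    if param == CHECK_LOG_DENY:
        return False, f"{row.username}: downwards-compatible password would have worked; denied"
    if param == CHECK_LOG_ALLOW:
        return True, f"{row.username}: logon accepted with downwards-compatible password"
    return True, None                           # value 4: accepted, nothing written to the log


def audit_parameter(param: int) -> Optional[str]:
    """Slide 19's check reduced to its core: flag values under which the weak hash alone logs in."""
    if param >= CHECK_LOG_ALLOW:
        return f"login/password_downwards_compatibility={param}: weak hash grants logon"
    return None


def ghost_scenario() -> Tuple[bool, Optional[str]]:
    """The 'ghost in the User Master': the strong hash stays intact, a weak hash for a
    password only the attacker knows is written into the row, and the parameter is
    switched to 4 at runtime. Constructed sample data."""
    row = create_user("FI_CLERK", "Winter2010!", GENERATE_ONLY)
    row.weak = weak_hash("ghost")               # planted weak hash; strong column untouched
    return logon(row, "ghost", CHECK_SILENT)


if __name__ == "__main__":
    print(ghost_scenario(), audit_parameter(CHECK_SILENT))
```

Running it shows why the talk calls this a ghost: the strong hash column is never touched, so a review of the user's "real" password finds nothing, while the weak column plus a parameter value of 3 or 4 accepts a password only the attacker knows, and with 4 nothing reaches the system log. The same logic also makes the truncation visible: under value 4 the first eight characters of a long password are enough, which is the weakness the downwards-compatible hash drags back into a "strong" system.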
  • 20. Backdoors in SAP Business Modules
  • 21. Welcome (back) to the SAP World…
    ● Once logged in, you interact with the system by running transactions.
    ● In fact, you are running ABAP programs/reports.
    ● ABAP programs can be divided into: Standard (developed and shipped by SAP AG); Custom (developed in-house by the company; names start with Z* or Y*).
    ● Standard programs can be modified, but this is strongly discouraged. SSCR steps in => you must ask SAP AG for a special key.
    ● ABAP programs are stored in the system's database: table REPOSRC contains the compressed source code; table REPOLOAD contains the ABAP load (~ bytecode).
  • 22. The Change and Transport System
    ● Typical SAP system landscape: developments and changes "can only be done in the DEV system".
    ● The PRD system is configured to block any attempt to modify programs directly in the system.
    ● Through this procedure, it is expected that "the quality and availability of the SAP production systems is maximized".
  • 23. Unauthorized modification of ABAP programs directly in the Production system is possible.
  • 24. SAP's Heart: The Database
    ● Unauthorized modification at the SAP layer may be possible, but not trivial.
    ● What about the usually misconfigured, left-by-default, LAN-accessible database?
      ● SAP + Oracle authentication weakness.
      ● Default SAP database user credentials.
      ● Database exploits.
    ● The attacker can still get to the database through the SAP system, due to the intrinsic trust relationships!
    ● No CRC or signature check on the stored ABAP code.
    ● Simple SQL queries will do the trick!
  • 25. Live demo
  • 26. Backdoors in the Authentication Procedure
  • 27. Protection for Critical ABAP Programs
    ● Certain critical standard ABAP programs are protected to prevent access to their source code from the SAP system, i.e. using transaction SE80.
    ● Started researching how this feature was implemented:
      ● REPOSRC.SQLX = 'X'? No noticeable results.
      ● Special ABAP "magic string": *@#@@[SAP]
    ● If the source code contains the magic string, the SAP kernel rejects access to the source code.
    ● However, there seems to be something else…
  • 28. SAPMSYST – The SAP's Cop
    ● Probably the most critical ABAP piece of code in an SAP system.
    ● Handles the user authentication procedure.
    ● This program is protected through a specific, hard-coded kernel check!
    ● The check is performed on the ABAP program's name…
    ● Bypass is possible by pivoting the program in the database.
  • 29. Live demo
  • 30. Protection / Countermeasure: it's not possible to detect and protect against backdoors from within the SAP system itself. External tools are needed.
  • 31. Onapsis Integrity Analyzer for SAP
  • 32. Onapsis Integrity Analyzer for SAP
    ● Purpose: detect modifications of ABAP code in an SAP system.
    ● Free download from http://www.onapsis.com/ianalizer (upcoming...)
    ● Proof-of-concept: only working for SAP/Oracle 10g.
    ● Developed by Jordan Santarsieri and me at the Onapsis Research Labs.
    ● Why do you need it? It's not feasible to detect backdoors from inside the SAP system itself:
      ● Backdoors can leave the program's "last modified date" untouched.
      ● The analysis programs may have also been manipulated to hide the backdoor's presence!
  • 33. Onapsis Integrity Analyzer for SAP
    ● Want to do it manually? The number of SAP programs is measured in hundreds of thousands (and even more).
    ● Onapsis Integrity Analyzer connects to the database and takes "snapshots" of sensitive ABAP report tables.
    ● Periodically, new snapshots are compared with older snapshots and modified programs are identified.
    ● Tracking of SAP Notes is also considered.
    ● The detection of suspicious modifications should trigger a special investigation.
  • 34. Live demo
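The direct-SQL modification on slide 24 and the snapshot comparison on slides 32 and 33 fit in one worked example. This is an added example, not the Onapsis Integrity Analyzer and not code from the presentation: it builds an in-memory SQLite table shaped like REPOSRC (PROGNAME is the real key column; the DATA and UDAT columns, the sample program contents and zlib as the compression are assumptions), rewrites one program with a plain UPDATE that leaves its date untouched, applies a legitimate correction to another, and then diffs content hashes between two snapshots while netting out the change that a known SAP Note explains.

```python
"""Content-based integrity snapshots of an ABAP repository table (slides 24, 32, 33).

Added example, not the Onapsis Integrity Analyzer and not code from the
presentation. PROGNAME is the real REPOSRC key column; DATA (compressed source)
and UDAT (last-change date) are simplified assumptions, and zlib stands in for
SAP's own compression. The detection idea is what carries over: hash what is
actually stored, never trust a "last modified" field an attacker can leave
untouched, and subtract changes that a transport or SAP Note accounts for.
"""
import hashlib
import sqlite3
import zlib
from typing import Dict, FrozenSet, List, Tuple

Snapshot = Dict[str, Tuple[str, str]]          # PROGNAME -> (sha256 of DATA, UDAT)
Finding = Tuple[str, str, bool]                # (PROGNAME, kind, UDAT untouched?)

# Constructed sample repository; the source texts are placeholders, not real SAP code.
SAMPLE_PROGRAMS = {
    "SAPMSYST":        ("* logon handling placeholder\n",        "20091103"),
    "RSUSR003":        ("* default user check placeholder\n",   "20091103"),
    "ZFI_PAYMENT_RUN": ("* custom payment run placeholder\n",   "20100201"),
}


def open_repository() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE REPOSRC (PROGNAME TEXT PRIMARY KEY, DATA BLOB, UDAT TEXT)")
    for name, (src, udat) in SAMPLE_PROGRAMS.items():
        db.execute("INSERT INTO REPOSRC VALUES (?, ?, ?)", (name, zlib.compress(src.encode()), udat))
    return db


def snapshot(db: sqlite3.Connection) -> Snapshot:
    """Hash the stored bytes of every program; UDAT is recorded but not trusted."""
    rows = db.execute("SELECT PROGNAME, DATA, UDAT FROM REPOSRC")
    return {name: (hashlib.sha256(data).hexdigest(), udat) for name, data, udat in rows}


def compare(old: Snapshot, new: Snapshot, expected: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Diff two snapshots. A content change with an unchanged UDAT is the pattern slide 32
    describes (the backdoor leaves the 'last modified date' untouched). Programs named in
    `expected` (a known SAP Note or transport) are skipped, as slide 33's note tracking."""
    findings: List[Finding] = []
    for name in sorted(set(old) | set(new)):
        if name not in old:
            findings.append((name, "added", True))
        elif name not in new:
            findings.append((name, "removed", True))
        elif old[name][0] != new[name][0] and name not in expected:
            findings.append((name, "modified", old[name][1] == new[name][1]))
    return findings


def tamper_via_sql(db: sqlite3.Connection, progname: str, appended: str) -> None:
    """Slide 24's point: with database access a plain UPDATE rewrites the stored source,
    no CRC or signature objects, and nothing forces UDAT to move."""
    (data,) = db.execute("SELECT DATA FROM REPOSRC WHERE PROGNAME = ?", (progname,)).fetchone()
    src = zlib.decompress(data).decode() + appended
    db.execute("UPDATE REPOSRC SET DATA = ? WHERE PROGNAME = ?", (zlib.compress(src.encode()), progname))


def apply_correction(db: sqlite3.Connection, progname: str, src: str, udat: str) -> None:
    """A legitimate change (e.g. an applied SAP Note) updates both DATA and UDAT."""
    db.execute("UPDATE REPOSRC SET DATA = ?, UDAT = ? WHERE PROGNAME = ?",
               (zlib.compress(src.encode()), udat, progname))


def demo() -> List[Finding]:
    db = open_repository()
    baseline = snapshot(db)
    tamper_via_sql(db, "SAPMSYST", "* constructed planted line\n")
    apply_correction(db, "RSUSR003", "* default user check (corrected)\n", "20100414")
    return compare(baseline, snapshot(db), expected=frozenset({"RSUSR003"}))


if __name__ == "__main__":
    for name, kind, untouched in demo():
        print(f"{name}: {kind}" + (" (UDAT untouched: investigate)" if untouched else ""))
```

The only finding the demo returns is SAPMSYST, modified with its date untouched, which is exactly the case a "last changed" report inside the system would miss; RSUSR003 changed too, but it is explained by the correction and dropped. Against a real system the same loop would read the vendor database directly rather than the tampered SAP layer, for the reason slide 32 gives: any analysis program running inside the system may itself have been altered.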
  • 35. Conclusions
  • 36. Some Thoughts on SAP Backdoors
    ● The backdoor threat affects every information system; it is not a risk specific to the SAP platform.
    ● Once an attacker has obtained maximum privileges over an information system, it is really difficult to restrict his activities, and SAP is no exception.
    ● It's possible to modify ABAP programs directly in Production.
    ● SAP backdoors can have devastating impacts on the business.
    ● Attacks are possible through other vectors than DB access.
    ● These backdoors won't be installed for fun; it's about MONEY.
    ● Onapsis' Integrity Analyzer for SAP can help you implement more in-depth reactive controls.
  • 37. Some Thoughts on SAP Backdoors
    ● The most cost-effective protection: minimize the probability of the initial compromise.
      ● Automated controls.
      ● Periodic technical security assessments of SAP platforms: vulnerability assessments, penetration tests, security audits.
    ● The only sustainable choice the industry faces is the objective and responsible analysis of this threat.
  • 38. Questions? mnunez@onapsis.com
  • 39. Thank you! www.onapsis.com