SAP CUA as an SAP Attack Vector
Dmitry Gutsko
Business System Security Assessment Group
Positive Technologies
PHDays IV
Agenda
― What is SAP CUA?
― Deployment schemes
― SAP CUA user privileges
― Attack vectors
• Compromising a child system
• Analysis of network packets
― Protection/Countermeasures
What is SAP CUA?
[Diagram: SAP CUA at the centre, connected to SAP HCM, SAP CRM, SAP ECC, SAP BW and SAP FI]
What is SAP CUA?
[Diagram: SAP CUA central system connected to three child systems]
SAP CUA deployment
SAP CUA deployment (trusted connections)
SAP CUA User Privileges (SAP Recommendations)
― Client side (SAP CUA child system)
• SAP_BC_USR_CUA_CLIENT
• SAP_BC_USR_CUA_SETUP_CLIENT
― Server side (SAP CUA central system)
• SAP_BC_USR_CUA_CENTRAL
• SAP_BC_USR_CUA_CENTRAL_BDIST
• SAP_BC_USR_CUA_SETUP_CENTRAL
SAP CUA User privileges
Attack vectors
― Compromising the SAP CUA central system
No comments
― Compromising a child system
1. Bypassing a SAP CUA child system’s restrictions
2. Escalation of privileges in the SAP CUA model
3. Gathering information in the SAP CUA model
― Compromising a network
4. Intercepting data sent between child and central systems
[Diagram: SAP CUA central system with its child systems; the attacker controls one child system]
Attack vectors
[Diagram: the attacker's child system, the SAP CUA central system (attack target) and the other child systems; steps 1 to 3 marked on the connections]
1. Compromising the central system
2. Escalation of privileges at the central system
3. Creating an account in a child system
Attack vectors
[Diagram: the attacker's child system, the SAP CUA central system and another child system (attack target); steps 1 to 3 marked on the connections]
1. Compromising another child system
2. Escalation of privileges in the CUA model
3. Creating an account in a child system
Bypassing a SAP CUA child system’s restrictions
― Create a user
― Change a password
― Assign a profile
Bypassing a SAP CUA child system’s restrictions (video)
Bypassing a SAP CUA child system’s restrictions
― Create a user:
Execute FM BAPI_USER_CREATE1 (transaction SE37) in a child system
― Change a password:
Edit the USRFLDSEL table (transaction SE16n) in a child system
― Assign a profile/role:
Edit the USRFLDSEL table (transaction SE16n) in a child system
Escalation of privileges in the SAP CUA model
[Diagram: SAP CUA central system with its child systems; the attacker controls one child system]
[Diagram: SAP CUA central system and child systems with their CUA users (SAP_BC_USR_CUA_CLIENT, SAP_BC_USR_CUA_SETUP_CLIENT, SAP_BC_USR_CUA_CENTRAL, SAP_BC_USR_CUA_CENTRAL_BDIST, SAP_BC_USR_CUA_SETUP_CENTRAL); RFC connection to the central CUA system; RFC connection to a child CUA system; attacker on a child system]
RSECTAB, RFCDES tables = user credentials
SE37 transaction = FM remote execution
Escalation of privileges in the SAP CUA model (video)
Escalation of privileges in the SAP CUA model
― Reassign a User-System:
Execute FM BAPI_USER_SYSTEM_ASSIGN (SE37)
(Role SAP_BC_USR_CUA_SETUP_CENTRAL)
― Assign a profile:
Execute FM BAPI_USER_LOCPROFILES_ASSIGN (SE37)
(Role SAP_BC_USR_CUA_SETUP_CENTRAL)
― Assign a role:
Execute FM BAPI_USER_LOCACTGROUPS_ASSIGN (SE37)
(Role SAP_BC_USR_CUA_SETUP_CENTRAL)
― Gather information (continued)
Gathering information about the SAP CUA model
― CUA Users/hashes:
Execute in the central system
FM RFC_READ_TABLE (USR02, USH02, …)
(Role SAP_BC_USR_CUA_CENTRAL)
― The CUA model:
Locally execute Transaction SCUA
Execute in the central system
FM RFC_READ_TABLE (USZBVSYS, …) = CUA logs
Read local tables RFCDES, RSECTAB = RFC destinations
SAP Security Note 1997455
Intercepting data sent between child and central systems
[Diagram: RFC/IDoc traffic (compressed) between the SAP CUA central system and its child systems, observed by an attacker on the network; shown are the RFC user account to the child system, the RFC user account to the central system, the distributed user accounts and the user creation confirmation]
Captured user record, as shown on the slide:
Usr02.Bname: PHD-USER
Usr02.Bcode: 283D7893C91674A0
Usr02.Ustyp: A
Usr02.Uflag: 0
Sending user credentials to a child system
RFC account password recovery
[Diagram: fields of the captured message: UserID, encrypted password, length, value used for generating the gamma (keystream), XORed password, recovered password]
Sending user credentials to a child system
User credentials data recovery
Obtained account sent to a child system
― Get user list:
Execute FM BAPI_USER_GETLIST (SE37)
(Role SAP_BC_USR_CUA_SETUP_CLIENT)
― Create users:
Execute FM BAPI_USER_CREATE1 (SE37)
(Role SAP_BC_USR_CUA_SETUP_CLIENT)
― Assign privileges:
Execute FM BAPI_USER_PROFILES_ASSIGN (SE37)
(Role SAP_BC_USR_CUA_SETUP_CLIENT)
― Lock/Unlock users:
Execute FM BAPI_USER_LOCK/BAPI_USER_UNLOCK (SE37)
(Role SAP_BC_USR_CUA_SETUP_CLIENT)
Protection/Countermeasures
― Do not combine SAP systems of various security classifications in
a single CUA model
― Delete SETUP roles for CUA users
― Apply Note 1997455 or modify SAP_BC_USR_CUA_CENTRAL role
― Activate table logging (USRFLDSEL)
― Enable SNC encryption for RFC connections
― Use trusted connections; assign S_RFC, S_ICF, S_RFCACL
authorization objects to system users
― Control access to critical transactions: SM49, SE37, SCUA, ST04,…
― Configure ACL for SAP Gateway
― Do not forget about other clients
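Two of the countermeasures above (remove the SETUP roles from the CUA users once the model is set up; do not mix systems of different security classifications in one CUA model) can be checked mechanically. The helper below is an added example for this page, not code from the talk or from SAP. The role names are the ones the talk lists; the "user;role" export format, the user names, system IDs and classification labels are constructed for the example, and in a real audit they would come from the role-assignment export of each system.

```python
"""Audit two CUA hardening items against exported role assignments and a
landscape description (added example; constructed input format)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Roles named in the talk. SETUP roles are only needed while the CUA model is
# being built and should be removed from the communication users afterwards.
SETUP_ROLES = {"SAP_BC_USR_CUA_SETUP_CLIENT", "SAP_BC_USR_CUA_SETUP_CENTRAL"}
RUNTIME_ROLES = {"SAP_BC_USR_CUA_CLIENT", "SAP_BC_USR_CUA_CENTRAL",
                 "SAP_BC_USR_CUA_CENTRAL_BDIST"}
CUA_ROLES = SETUP_ROLES | RUNTIME_ROLES


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    system: str     # system ID the finding concerns
    subject: str    # user (or "landscape") the finding concerns
    message: str


def parse_role_export(text: str) -> Dict[str, Set[str]]:
    """Parse constructed 'USER;ROLE' lines into a user -> roles mapping.
    Blank lines, '#' comments and lines without a separator are skipped."""
    assignments: Dict[str, Set[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ";" not in line:
            continue
        user, role = (part.strip().upper() for part in line.split(";", 1))
        assignments.setdefault(user, set()).add(role)
    return assignments


def audit_cua_roles(system: str, assignments: Dict[str, Set[str]],
                    cua_users: Iterable[str]) -> List[Finding]:
    """Flag leftover SETUP roles and CUA roles held by users that are not
    the designated CUA communication users of this system."""
    designated = {u.upper() for u in cua_users}
    findings: List[Finding] = []
    for user, roles in sorted(assignments.items()):
        leftover = sorted(roles & SETUP_ROLES)
        if leftover:
            findings.append(Finding("high", system, user,
                "SETUP role(s) still assigned after CUA setup: " + ", ".join(leftover)))
        if user not in designated:
            stray = sorted(roles & CUA_ROLES)
            if stray:
                findings.append(Finding("medium", system, user,
                    "CUA role(s) held by a non-CUA user: " + ", ".join(stray)))
    return findings


def audit_landscape(landscape: Dict[str, str]) -> List[Finding]:
    """Flag a CUA model whose systems carry different security classifications."""
    classes = sorted(set(landscape.values()))
    if len(classes) <= 1:
        return []
    members = ", ".join(f"{sid} ({cls})" for sid, cls in sorted(landscape.items()))
    return [Finding("high", "CUA model", "landscape",
                    "systems of different security classifications in one CUA model: " + members)]


# Constructed sample data (not from any real system).
CHILD_EXPORT = """\
# child system CHD: user;role
CUA_RFC;SAP_BC_USR_CUA_CLIENT
CUA_RFC;SAP_BC_USR_CUA_SETUP_CLIENT
JSMITH;SAP_BC_USR_CUA_CLIENT
JSMITH;Z_FINANCE_DISPLAY
"""
CENTRAL_EXPORT = """\
# central system CUA: user;role
CUA_CENTRAL_RFC;SAP_BC_USR_CUA_CENTRAL
CUA_CENTRAL_RFC;SAP_BC_USR_CUA_CENTRAL_BDIST
"""
LANDSCAPE = {"CUA": "production", "PRD": "production", "DEV": "development"}


def run_demo() -> List[Finding]:
    """Run all checks over the constructed sample and return the findings."""
    findings = audit_cua_roles("CHD", parse_role_export(CHILD_EXPORT), ["CUA_RFC"])
    findings += audit_cua_roles("CUA", parse_role_export(CENTRAL_EXPORT), ["CUA_CENTRAL_RFC"])
    findings += audit_landscape(LANDSCAPE)
    return findings


if __name__ == "__main__":
    for f in run_demo():
        print(f"[{f.severity}] {f.system} / {f.subject}: {f.message}")
```

On the sample data the run reports three findings: the child-side communication user still holds SAP_BC_USR_CUA_SETUP_CLIENT, a dialog user holds a CUA role it should not have, and the model mixes a development system with production systems. The same checks can be repeated for every client of every connected system, which is what the last bullet above is about.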
Thank you for your attention!
Additional information
Transactions:
SCUA – Display System Landscape (CUA model)
SCUL – Log Display for Central User Administration
SCUM – User Distribution Field Selection
SCUG – Central User Administration Structure Display
SE37 – ABAP Function Modules
Notes:
492589 – Minimum authorizations for communication users
333441 – CUA: Tips for problem analysis
376856 – Password synchronization – Single Sign-On/CUA
1997455 – Potential information disclosure in BC-SEC-USR-ADM
Tables:
USZBVSYS – CUA: Assignment of Systems to Users
USRFLDSEL – CUA: Field Attributes
SAP attack vector: the CUA system
More Related Content

Similar to Вектор атаки на SAP — система CUA

SAP SECURITY TRAINING VIDEO TUTORIAL
SAP SECURITY TRAINING VIDEO TUTORIALSAP SECURITY TRAINING VIDEO TUTORIAL
SAP SECURITY TRAINING VIDEO TUTORIALAbhishek_005
 
How to manage users, roles and rights in S/4HANA systems audit compliant. [We...
How to manage users, roles and rights in S/4HANA systems audit compliant. [We...How to manage users, roles and rights in S/4HANA systems audit compliant. [We...
How to manage users, roles and rights in S/4HANA systems audit compliant. [We...akquinet enterprise solutions GmbH
 
Mysql user-camp-march-11th-2016
Mysql user-camp-march-11th-2016Mysql user-camp-march-11th-2016
Mysql user-camp-march-11th-2016Harin Vadodaria
 
Top Ten Settings that Leave your IBM i Vulnerable
Top Ten Settings that Leave your IBM i VulnerableTop Ten Settings that Leave your IBM i Vulnerable
Top Ten Settings that Leave your IBM i VulnerablePrecisely
 
SAP HANA SPS09 - Security
SAP HANA SPS09 - SecuritySAP HANA SPS09 - Security
SAP HANA SPS09 - SecuritySAP Technology
 
SAP BASIS Training in Chennai Demo Part-7
SAP BASIS Training in Chennai Demo Part-7SAP BASIS Training in Chennai Demo Part-7
SAP BASIS Training in Chennai Demo Part-7Thecreating Experts
 
2014 OpenSuse Conf: Protect your MySQL Server
2014 OpenSuse Conf: Protect your MySQL Server2014 OpenSuse Conf: Protect your MySQL Server
2014 OpenSuse Conf: Protect your MySQL ServerGeorgi Kodinov
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramBeyondTrust
 
How Can I tune it When I Can't Change the Code?
How Can I tune it When I Can't Change the Code?How Can I tune it When I Can't Change the Code?
How Can I tune it When I Can't Change the Code?Sage Computing Services
 
Best Practice Guide Security: How to check your SAP systems for security. [We...
Best Practice Guide Security: How to check your SAP systems for security. [We...Best Practice Guide Security: How to check your SAP systems for security. [We...
Best Practice Guide Security: How to check your SAP systems for security. [We...akquinet enterprise solutions GmbH
 
Transform Desktops and Accelerate User Acceptance
Transform Desktops and Accelerate User AcceptanceTransform Desktops and Accelerate User Acceptance
Transform Desktops and Accelerate User AcceptanceIvanti
 
CA Performance Management Deep Dive
CA Performance Management Deep DiveCA Performance Management Deep Dive
CA Performance Management Deep DiveCA Technologies
 
SAP_HANA_SECURITY_overview_online_Resear.docx
SAP_HANA_SECURITY_overview_online_Resear.docxSAP_HANA_SECURITY_overview_online_Resear.docx
SAP_HANA_SECURITY_overview_online_Resear.docxjuancusa
 
Stored procedures by thanveer danish melayi
Stored procedures by thanveer danish melayiStored procedures by thanveer danish melayi
Stored procedures by thanveer danish melayiMuhammed Thanveer M
 

Similar to Вектор атаки на SAP — система CUA (20)

An easy way into your sap systems v3.0
An easy way into your sap systems v3.0An easy way into your sap systems v3.0
An easy way into your sap systems v3.0
 
SAP SECURITY TRAINING VIDEO TUTORIAL
SAP SECURITY TRAINING VIDEO TUTORIALSAP SECURITY TRAINING VIDEO TUTORIAL
SAP SECURITY TRAINING VIDEO TUTORIAL
 
How to manage users, roles and rights in S/4HANA systems audit compliant. [We...
How to manage users, roles and rights in S/4HANA systems audit compliant. [We...How to manage users, roles and rights in S/4HANA systems audit compliant. [We...
How to manage users, roles and rights in S/4HANA systems audit compliant. [We...
 
Mysql user-camp-march-11th-2016
Mysql user-camp-march-11th-2016Mysql user-camp-march-11th-2016
Mysql user-camp-march-11th-2016
 
Top Ten Settings that Leave your IBM i Vulnerable
Top Ten Settings that Leave your IBM i VulnerableTop Ten Settings that Leave your IBM i Vulnerable
Top Ten Settings that Leave your IBM i Vulnerable
 
SAP HANA SPS09 - Security
SAP HANA SPS09 - SecuritySAP HANA SPS09 - Security
SAP HANA SPS09 - Security
 
SAP BASIS Training in Chennai Demo Part-7
SAP BASIS Training in Chennai Demo Part-7SAP BASIS Training in Chennai Demo Part-7
SAP BASIS Training in Chennai Demo Part-7
 
EMEA Airheads- Troubleshooting 802.1x issues
EMEA Airheads- Troubleshooting 802.1x issuesEMEA Airheads- Troubleshooting 802.1x issues
EMEA Airheads- Troubleshooting 802.1x issues
 
Catherine Ner-Nacional
Catherine Ner-NacionalCatherine Ner-Nacional
Catherine Ner-Nacional
 
2014 OpenSuse Conf: Protect your MySQL Server
2014 OpenSuse Conf: Protect your MySQL Server2014 OpenSuse Conf: Protect your MySQL Server
2014 OpenSuse Conf: Protect your MySQL Server
 
HANA SPS07 Security
HANA SPS07 Security HANA SPS07 Security
HANA SPS07 Security
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management Program
 
How Can I tune it When I Can't Change the Code?
How Can I tune it When I Can't Change the Code?How Can I tune it When I Can't Change the Code?
How Can I tune it When I Can't Change the Code?
 
Vpd
VpdVpd
Vpd
 
Best Practice Guide Security: How to check your SAP systems for security. [We...
Best Practice Guide Security: How to check your SAP systems for security. [We...Best Practice Guide Security: How to check your SAP systems for security. [We...
Best Practice Guide Security: How to check your SAP systems for security. [We...
 
Transform Desktops and Accelerate User Acceptance
Transform Desktops and Accelerate User AcceptanceTransform Desktops and Accelerate User Acceptance
Transform Desktops and Accelerate User Acceptance
 
CA Performance Management Deep Dive
CA Performance Management Deep DiveCA Performance Management Deep Dive
CA Performance Management Deep Dive
 
SAP_HANA_SECURITY_overview_online_Resear.docx
SAP_HANA_SECURITY_overview_online_Resear.docxSAP_HANA_SECURITY_overview_online_Resear.docx
SAP_HANA_SECURITY_overview_online_Resear.docx
 
Stored procedures by thanveer danish melayi
Stored procedures by thanveer danish melayiStored procedures by thanveer danish melayi
Stored procedures by thanveer danish melayi
 
Sap basis
Sap basisSap basis
Sap basis
 

More from Positive Hack Days

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesPositive Hack Days
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerPositive Hack Days
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesPositive Hack Days
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikPositive Hack Days
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQubePositive Hack Days
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityPositive Hack Days
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Positive Hack Days
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для ApproofPositive Hack Days
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Positive Hack Days
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложенийPositive Hack Days
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложенийPositive Hack Days
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application SecurityPositive Hack Days
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летPositive Hack Days
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиPositive Hack Days
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОPositive Hack Days
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке СиPositive Hack Days
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CorePositive Hack Days
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опытPositive Hack Days
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterPositive Hack Days
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиPositive Hack Days
 

More from Positive Hack Days (20)

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release Notes
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows Docker
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive Technologies
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + Qlik
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQube
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps Community
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для Approof
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложений
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложений
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application Security
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 лет
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на грабли
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПО
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке Си
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET Core
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опыт
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services Center
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атаки
 

Recently uploaded

Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 

Recently uploaded (20)

Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 

Вектор атаки на SAP — система CUA

  • 1.
  • 2. SAP CUA as an SAP Attack Vector Dmitry Gutsko Business System Security Assessment Group Positive Technologies PHDays IV
  • 3. Agenda ― What is SAP CUA? ― Deployment schemes ― SAP CUA user privileges ― Attack vectors • Compromising a child system • Analysis of network packets ― Protection/Countermeasures
  • 4. What is SAP CUA? SAP HCM SAP CRM SAP ECC SAP BW SAP FI SAP CUA
  • 5. What is SAP CUA? SAP CUA Central System Child System Child System Child System
  • 8. SAP CUA User Privileges (SAP Recommendations) ― Client side (SAP CUA child system) • SAP_BC_USR_CUA_CLIENT • SAP_BC_USR_CUA_SETUP_CLIENT ― Server side (SAP CUA central system) • SAP_BC_USR_CUA_CENTRAL • SAP_BC_USR_CUA_CENTRAL_BDIST • SAP_BC_USR_CUA_SETUP_CENTRAL
  • 9. SAP CUA User privileges
  • 10. SAP CUA User privileges
  • 11. SAP CUA User privileges
  • 12. Attack vectors ― Compromising SAP CUA central system No comments ― Compromising a child system 1. Bypassing a SAP CUA child system’s restrictions 2. Escalation of privileges in the SAP CUA model 3. Gathering information in the SAP CUA model ― Compromising a network 4. Intercepting data sent between child and central systems
  • 14. SAP CUA Central System Child System Child System Child System Attacker Child System Attack vectors Attack Target 1. Central system compromising 2. Escalation of privileges at the central system 3. Creating account in a child system 1 2 3
  • 15. SAP CUA Central System Child System Child System Child System Attacker Child System Attack vectors Attack Target 1 1. Another child system compromising 2. Escalation of privileges in the CUA model 3. Creating account in a child system 2 3
  • 16. Bypassing a SAP CUA child system’s restrictions ― Create a user ― Change a password ― Assign a profile
  • 17. Bypassing a SAP CUA child system’s restrictions (video)
  • 18. Bypassing a SAP CUA child system’s restrictions ― Create a user: Execute FM BAPI_USER_CREATE1 (transaction SE37) in a child system ― Change a password: Edit the USRFLDSEL table (transaction SE16n) in a child system ― Assign a profile/role: Edit the USRFLDSEL table (transaction SE16n) in a child system
  • 20. (diagram) SAP CUA users and RFC connections: child systems hold SAP_BC_USR_CUA_CLIENT and SAP_BC_USR_CUA_SETUP_CLIENT; the central system holds SAP_BC_USR_CUA_CENTRAL, SAP_BC_USR_CUA_CENTRAL_BDIST and SAP_BC_USR_CUA_SETUP_CENTRAL; RFC connection to the central CUA system; RFC connection to a child CUA system; attacker. RSECTAB, RFCDES tables = user credentials; SE37 transaction = FM remote execution
  • 21. Escalation of privileges in the SAP CUA model (video)
  • 22. Escalation of privileges in the SAP CUA model ― Reassign a User-System: Execute FM BAPI_USER_SYSTEM_ASSIGN (SE37) (Role SAP_BC_USR_CUA_SETUP_CENTRAL) ― Assign a profile: Execute FM BAPI_USER_LOCPROFILES_ASSIGN (SE37) (Role SAP_BC_USR_CUA_SETUP_CENTRAL) ― Assign a role: Execute FM BAPI_USER_LOCACTGROUPS_ASSIGN (SE37) (Role SAP_BC_USR_CUA_SETUP_CENTRAL) ― Gather information (continued)
  • 23. Gathering information about the SAP CUA model ― CUA Users/hashes: Execute in the central system FM RFC_READ_TABLE (USR02, USH02, …) (Role SAP_BC_USR_CUA_CENTRAL) ― The CUA model: Locally execute Transaction SCUA Execute in a central system FM RFC_READ_TABLE (USZBVSYS, …) = CUA logs Read local tables RFCDES, RSECTAB = RFC destinations
  • 24. SAP Security Note 1997455
  • 25. Intercepting data sent between child and central systems (diagram): the central system and child systems exchange RFC/IDoc (compressed) messages; a user creation message carries Usr02.Bname: PHD-USER, Usr02.Bcode: 283D7893C91674A0, Usr02.Ustyp: A, Usr02.Uflag: 0; user accounts, RFC user account to child system, RFC user account to central system; hacker; RFC/IDoc user creation confirmation
  • 26. Sending user credentials to a child system: RFC account password recovery (figure fields: UserID, Encrypted password, Length, For gamma generating, XORed password, Password)
  • 27. Sending user credentials to a child system User credentials data recovery
  • 28. Using the account obtained from data sent to a child system ― Get user list: Execute FM BAPI_USER_GETLIST (SE37) (Role SAP_BC_USR_CUA_SETUP_CLIENT) ― Create users: Execute FM BAPI_USER_CREATE1 (SE37) (Role SAP_BC_USR_CUA_SETUP_CLIENT) ― Assign privileges: Execute FM BAPI_USER_PROFILES_ASSIGN (SE37) (Role SAP_BC_USR_CUA_SETUP_CLIENT) ― Lock/Unlock users: Execute FM BAPI_USER_LOCK/BAPI_USER_UNLOCK (SE37) (Role SAP_BC_USR_CUA_SETUP_CLIENT)
  • 29. Protection/Countermeasures ― Do not combine SAP systems of various security classifications in a single CUA model ― Delete SETUP roles for CUA users ― Apply Note 1997455 or modify SAP_BC_USR_CUA_CENTRAL role ― Activate table logging (USRFLDSEL) ― Enable SNC encryption for RFC connections ― Use trusted connections; assign S_RFC, S_ICF, S_RFCACL authorization objects to system users ― Control access to critical transactions: SM49, SE37, SCUA, ST04,… ― Configure ACL for SAP Gateway ― Do not forget about other clients
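The countermeasures on slide 29 (drop the SETUP roles from CUA communication users, enable SNC on the RFC connections, log changes to USRFLDSEL) and the child-side bypass on slide 18 (direct edits of USRFLDSEL in a child system) can be turned into a small audit. The script below is an added example, not code from the talk or from SAP; the record layouts, system names and sample data are constructed for illustration, and the checks assume a landscape export has already been extracted into these simple tuples.

```python
"""Audit checks for a CUA landscape against the countermeasures on slide 29.

All input records are constructed samples with hypothetical field layouts;
they are not SAP table definitions.
"""
from collections import namedtuple

RoleAssignment = namedtuple("RoleAssignment", "system user role")
RfcDestination = namedtuple("RfcDestination", "system name target snc_active")
TableChange = namedtuple("TableChange", "system table user tcode")

CENTRAL_SYSTEM = "CUA"  # assumed SID of the central CUA system

# Roles that slide 29 says should be removed once CUA setup is finished.
SETUP_ROLES = {"SAP_BC_USR_CUA_SETUP_CLIENT", "SAP_BC_USR_CUA_SETUP_CENTRAL"}

# Constructed role assignments of the CUA communication users.
ROLE_ASSIGNMENTS = [
    RoleAssignment("CUA", "CUA_RFC_ECC", "SAP_BC_USR_CUA_CENTRAL"),
    RoleAssignment("CUA", "CUA_RFC_ECC", "SAP_BC_USR_CUA_SETUP_CENTRAL"),  # left over
    RoleAssignment("ECC", "CUA_RFC_CUA", "SAP_BC_USR_CUA_CLIENT"),
    RoleAssignment("HCM", "CUA_RFC_CUA", "SAP_BC_USR_CUA_CLIENT"),
    RoleAssignment("HCM", "CUA_RFC_CUA", "SAP_BC_USR_CUA_SETUP_CLIENT"),   # left over
]

# Constructed RFC destinations between CUA systems; snc_active is a hypothetical flag.
RFC_DESTINATIONS = [
    RfcDestination("ECC", "CUA_CENTRAL", "CUA", True),
    RfcDestination("HCM", "CUA_CENTRAL", "CUA", False),
    RfcDestination("CUA", "CHILD_HCM", "HCM", False),
]

# Constructed table change log entries (as produced once table logging is on).
TABLE_CHANGES = [
    TableChange("CUA", "USRFLDSEL", "CUAADMIN", "SCUM"),   # normal: central maintenance
    TableChange("ECC", "USRFLDSEL", "JDOE", "SE16N"),      # direct edit in a child system
    TableChange("ECC", "USR02", "JDOE", "SU01"),
]


def find_setup_roles(assignments):
    """Return CUA users still holding a SETUP role (slide 29: delete SETUP roles)."""
    return sorted(a for a in assignments if a.role in SETUP_ROLES)


def find_rfc_without_snc(destinations):
    """Return RFC destinations between CUA systems that do not use SNC."""
    return sorted(d for d in destinations if not d.snc_active)


def find_child_usrfldsel_edits(changes, central=CENTRAL_SYSTEM):
    """Return USRFLDSEL changes made anywhere except the central system.

    Slide 18 shows that editing USRFLDSEL in a child system bypasses the
    CUA restrictions, so any such entry in the table log deserves review.
    """
    return sorted(c for c in changes if c.table == "USRFLDSEL" and c.system != central)


def audit(assignments=ROLE_ASSIGNMENTS, destinations=RFC_DESTINATIONS, changes=TABLE_CHANGES):
    """Run all checks and return the findings keyed by check name."""
    return {
        "setup_roles_present": find_setup_roles(assignments),
        "rfc_without_snc": find_rfc_without_snc(destinations),
        "child_usrfldsel_edits": find_child_usrfldsel_edits(changes),
    }


if __name__ == "__main__":
    for check, findings in audit().items():
        print(f"{check}: {len(findings)} finding(s)")
        for item in findings:
            print("   ", item)
```

Run it as-is to see the three findings in the sample data; in practice the three lists would be filled from an export of the role assignments, the RFC destinations and the table change log of each system in the CUA model.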
  • 30. Thank you for your attention!
  • 31. Additional information. Transactions: SCUA – Display System Landscape (CUA model); SCUL – Log Display for Central User Administration; SCUM – User Distribution Field Selection; SCUG – Central User Administration Structure Display; SE37 – ABAP Function Modules. Notes: 492589 – Minimum authorizations for communication users; 333441 – CUA: Tips for problem analysis; 376856 – Password synchronization – Single Sign-On/CUA; 1997455 – Potential information disclosure in BC-SEC-USR-ADM. Tables: USZBVSYS – CUA: Assignment of Systems to Users; USRFLDSEL – CUA: Field Attributes