7. Introduction
Why SAP, why Now?
As presented at SAP TechEd 2014 by Yonko Yonchev (Product Security Response Team – SAP SE):
• SAP is the world's 3rd largest software company
• SAP handles 74% of the world's financial transactions
• The majority of Fortune 500 companies run SAP
• SAP Ariba connects more than 1 million companies in 190 countries
Source: SAP TechEd 2014 Session ITM114 – Post Heartbleed: Secure your SAP Systems and Business Secrets from Hackers!
http://events.sap.com/teched/en/session/13526
8. Introduction
SAP Product Security Response
SAP internal process and external service to support high security levels at SAP customers' systems with:
• Responsible disclosure of identified vulnerabilities in collaboration with leading external SAP Security researchers and hackers
• Managing the end-to-end SAP process for fixing and disclosing externally known / reported vulnerabilities
• Delivering SAP Security notes on the monthly patch day
• Supplying internal SAP development with best practices on security issue prioritization and security correction disclosure
9. Introduction
SAP Security notes over the years
• The percentage of externally reported vulnerabilities is on the rise
• The total number of monthly SAP Security notes is decreasing
• The number of external researchers is increasing
10. Introduction
SAP Security researchers, some statistics
Source: http://scn.sap.com/blogs/securesap/2013/04/02/statistics-tell-sap-security-know-how-is-a-scarce-resource
• Worldwide there are ~100 external SAP Security researchers, who have reported over 450 vulnerabilities so far
• 80% of those reported vulnerabilities in SAP products originate from only 7 companies
• 80% of all reported vulnerabilities in SAP products originate from only 23 researchers
• 50% of those reported vulnerabilities in SAP products originate from only 8 researchers
12. How to do SAP Security research?
SAP Security research
• Manually
• Tools: scanners, fuzzers, debuggers, decompilers, indexers, etc, etc…
• By using SAP differently (hacker mindset)
• Actually RTFM ;-)
• Unlimited possibilities: hardware, software, network, protocols, database, operating system, application layer, frontend, ABAP, Java, agents, etc, etc…
13. What if you find a vulnerability?
SAP Security research
• Report it to SAP via responsible disclosure
• Give SAP the details
• Give SAP time to fix the issue
• Give customers a grace period of at least 3 months to apply the patch
14. Why do it...?
SAP Security Research
• To improve the security of SAP systems
• To learn more about the inner workings of SAP
• Because it is challenging and FUN
• It might bring you eternal fame and/or a T-shirt
15. Example 1; combination of vulnerabilities to completely compromise an SAP system
Found vulnerabilities…
1. A default password for user SMDAGENT_<SID> in Solution Manager
2. Remote enabled function module /SDF/GEN_PROXY that acts like a wrapper
3. Remote enabled function module /SDF/RBE_NATSQL_SELECT that lacks authorization checks and lets you execute native SQL commands
Use the above to select password hashes from table USR02 and bruteforce these.
16. Example 1; combination of vulnerabilities to completely compromise an SAP system
Found vulnerabilities…
SOLUTION:
• Change the password of user SMDAGENT_<SID>
• Apply OSS note 1774432 (CVSS score 4.6)
• Apply OSS note 1727914 (CVSS score 7.5)
17. Example 2; Operating System Command Injection
Found vulnerabilities…
• Function Module EXE_SAPOSCOL can be used to inject operating system commands
Use this for example to gain direct access to the database, stop SAP systems, create operating system users, etc, etc.
18. Example 2; Operating System Command Injection
Found vulnerabilities…
SOLUTION:
• Apply OSS note 1577513 (CVSS score 5.5)
19. Example 3; SQL Injection
Found vulnerabilities…
• RFC module RFC_RSUPG_EXEC can be used to inject SQL commands
Use this to gain direct access to the database.
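The three examples above all hinge on remote-enabled function modules being callable by accounts or hosts that should never touch them. The following is an added example, not part of the presentation: a small Python checker that scans RFC call records for the function modules named in Examples 1 to 3 and for use of the SMDAGENT_<SID> account from a host other than the known Solution Manager host. The semicolon-separated record layout, the host names and the sample records are constructed for this example; they are not the real SAP Security Audit Log format.

```python
"""Added example (not from the slide deck): flag RFC calls worth a defender's review.

Record layout (constructed, NOT the real SAP audit log format):
    timestamp;client;user;source_host;function_module
"""
from collections import Counter
from dataclasses import dataclass
import re

# Function modules named in Examples 1-3 of the deck.
SENSITIVE_FMS = {
    "/SDF/GEN_PROXY",
    "/SDF/RBE_NATSQL_SELECT",
    "EXE_SAPOSCOL",
    "RFC_RSUPG_EXEC",
}

# Solution Manager diagnostics agent user, SMDAGENT_<SID>, where SID is 3 chars.
SMDAGENT_RE = re.compile(r"^SMDAGENT_[A-Z0-9]{3}$")


@dataclass
class RfcCall:
    ts: str
    client: str
    user: str
    host: str
    fm: str


def parse_line(line: str) -> RfcCall:
    """Parse one constructed-format record into an RfcCall."""
    parts = line.strip().split(";")
    if len(parts) != 5:
        raise ValueError(f"malformed record: {line!r}")
    return RfcCall(*parts)


def analyze(lines, solman_hosts):
    """Return (timestamp, category, detail) findings for the given records.

    solman_hosts: set of hosts from which SMDAGENT_<SID> calls are expected.
    """
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blank and comment lines
        call = parse_line(line)
        # Any call to one of the named modules deserves a look, whoever made it.
        if call.fm.upper() in SENSITIVE_FMS:
            findings.append((call.ts, "sensitive_fm",
                             f"{call.user}@{call.host} called {call.fm}"))
        # The agent account should only ever call in from Solution Manager.
        if SMDAGENT_RE.match(call.user) and call.host not in solman_hosts:
            findings.append((call.ts, "smdagent_unexpected_host",
                             f"{call.user} used from {call.host}"))
    return findings


def summarize(findings):
    """Count findings per category."""
    return dict(Counter(category for _, category, _ in findings))


# Constructed sample records; host names and users are invented.
SAMPLE_LOG = """\
# timestamp;client;user;source_host;function_module
2014-11-03T09:12:01;000;SMDAGENT_PRD;solman01;/SDF/GEN_PROXY
2014-11-03T09:12:05;000;SMDAGENT_PRD;wks-4711;/SDF/GEN_PROXY
2014-11-03T09:12:06;000;SMDAGENT_PRD;wks-4711;/SDF/RBE_NATSQL_SELECT
2014-11-03T10:30:44;100;JDOE;wks-0815;EXE_SAPOSCOL
2014-11-03T11:01:10;100;JDOE;wks-0815;Z_DAILY_STATUS
2014-11-03T11:02:30;100;JDOE;wks-0815;RFC_RSUPG_EXEC
"""

if __name__ == "__main__":
    results = analyze(SAMPLE_LOG.splitlines(), solman_hosts={"solman01"})
    for ts, category, detail in results:
        print(f"{ts}  {category:<26} {detail}")
    print(summarize(results))
```

On the sample data the first record (the agent calling /SDF/GEN_PROXY from the Solution Manager host) is flagged only as a sensitive-module call, while the two calls from wks-4711 are flagged twice: once for the module and once because the agent account is being used from an unexpected host, which is exactly the pattern Example 1 relies on. Applying the OSS notes listed on the solution slides removes the weakness; this kind of check only helps you notice attempts in the meantime.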
21. Key Take-aways
Key Take-aways
• Secure your SAP systems by applying SAP Security notes on a regular basis!
• If you find a bug/flaw that might have security impact, report it to the SAP Security team (secure@sap.com)
• If you have some spare time, an SAP system (NOT IN PRD), permission and feel like hacking… Go try and find some vulnerabilities yourself ;-)