Top 10 most interes.ng SAP vulnerabili.es and a9acks

Transcription

1 Invest in security to secure investments Top 10 most interes.ng SAP vulnerabili.es and a9acks Alexander Polyakov CTO at ERPScan

2 About ERPScan The only 360- degree SAP Security solu8on - ERPScan Security Monitoring Suite for SAP Leader by the number of acknowledgements from SAP ( 150+ ) 60+ presenta.ons key security conferences worldwide 25 Awards and nomina.ons Research team - 20 experts with experience in different areas of security Headquarters in Palo Alto (US) and Amsterdam (EU) 2

3 What is SAP? Shut up And Pay 3

4 Really The most popular business applica8on More than customers 74% of Forbes 500 4

5 Agenda Intro SAP security history SAP on the Internet Top 10 latest interes8ng apacks DEMOs Conclusion 5

6 3 areas of SAP Security 2002 Business logic security (SOD) Prevents a3acks or mistakes made Solu8on: GRC 2008 ABAP Code security Prevents a3acks or mistakes made by developers Solu8on: Code audit 2010 Applica3on pla4orm security Prevents unauthorized access both insiders and remote a3ackers Solu8on: Vulnerability Assessment and Monitoring 6

7 Talks about SAP security Most popular: BlackHat HITB Troopers RSA Source DeepSec etc

8 SAP Security notes By April 26, 2012, a total of 2026 notes

9 SAP vulnerabili.es by type 1 - Directory Traversal 2 - XSS/Unauthorised modifica8on of stored 3 - Missing Auth check 4 - Informa8on Disclosure 5 - Unauthorized usage of applica8on 6 - Hard- coded creden8als 7 - Code injec8on vulnerability 8 - Verb tampering 9 - Remote Code Execu8on 10 - Denial of service 11 - BOF 12 - SQL Inj Stats from : 1Q Q Q

10 SAP on the Internet We have collected data about SAP systems in the WEB Have various stats by countries, applica8ons, versions Informa8on from Google, Shodan, Nmap scan MYTH: SAP systems a9acks available only for insiders 10

11 SAP on the Internet About 5000 systems including Dispatcher, Message server, SapHostcontrol, Web- services 11

12 SAP on the Internet 12

13 Top 10 vulnerabili.es Authen8ca8on Bypass via Verb tampering 2. Authen8ca8on Bypass via the Invoker servlet 3. Buffer overflow in ABAP Kernel 4. Code execu8on via TH_GREP 5. MMC read SESSIONID 6. Remote portscan 7. Encryp8on in SAPGUI 8. BAPI XSS/SMBRELAY 9. XML Blowup DOS 10. GUI Scrip8ng DOS 13

14 10 GUI- Scrip.ng DOS: Descrip.on SAP users can run scripts which automate their user func8ons A script has the same rights in SAP as the user who launched it Security message which is shown to user can be turned off in the registry Almost any user can use SAP Messages (SM02 transac8on) New It is possible to run DOS apack on any user using a simple script Author: Dmitry Chastukhin (ERPScan) 14

15 10 GUI- scrip.ng: Other a9acks Script can be uploaded using: SAPGUI Ac8veX vulnerability Teensy USB flash Any other method of client exploita8on Other a9acks like changing banking accounts in LFBK also possible 15

16 10 GUI- scrip.ng: Business risks Sabotage High Espionage No Fraud No Ease of exploita.on Medium 16

17 10 GUI- scrip.ng: Preven.on SAP GUI Scrip8ng Security Guide sapgui/user_scrip8ng = FALSE Block registry modifica8on on worksta8ons 17

18 9 XML Blowup DOS: Descrip.on WEBRFC interface can be used to run RFC func8ons By default any user can have access Even without S_RFC auth SAP NetWeaver is vulnerable to malformed XML packets It is possible to run DOS apack on server using simple script It is possible to run over the Internet! New Author: Alexey Tyurin (ERPScan) 18

19 9 XML Blowup DOS: Demo 19

20 9 XML Blowup DOS: Business risks Sabotage Cri.cal Espionage No Fraud No Ease of exploita.on Medium 20

21 9 XML Blowup DOS: Preven.on Disable WEBRFC Prevent unauthorized access to WEBRFC using S_ICF Install SAP notes and

22 8 BAPI script injec.on/hash stealing : Descrip.on SAP BAPI transac8on fails to properly sani8ze input Possible to inject JavaScript code or link to a fake SMB server SAP GUI clients use Windows so their creden8als will be transferred to apackers host. Author: Dmitry Chastukhin (ERPScan) 22

23 8 BAPI script injec.on/hash stealing: Demo New 23

24 8 BAPI script injec.on/hash stealing: Business risks Espionage High Sabotage High Fraud High Ease of exploita.on Low 24

25 7 SAP GUI bad encryp.on: Descrip.on SAP FrontEnd can save encrypted passwords in shortcuts Shortcuts stored in.sap file This password uses byte- XOR algorithm with secret key Key has the same value for every installa8on of SAP GUI Any password can be decrypted in 1 second New Author: Alexey Sintsov (ERPScan) 25

26 7 SAP GUI bad encryp.on: Business risks Espionage High Sabotage Medium Fraud High Ease of exploita.on Medium 26

27 7 SAP GUI bad encryp.on: Preven.on Disable password storage in GUI 27

28 6 Remote port scan via JSP: Descrip.on It is possible to scan internal network from the Internet Authen.ca.on is not required SAP NetWeaver J2EE engine is vulnerable /ipcpricing/ui/bufferoverview.jsp? server= & port=31337 & password= & dispatcher= & targetclient= & view= Author: Alexander Polyakov (ERPScan) 28

29 6 Remote port scan via JSP: Demo HTTP port Port closed SAP port 29

30 6 Remote port scan via JSP: Business risks Sabotage Low Espionage Medium Fraud No Ease of exploita.on High 30

31 6 Remote port scan via JSP: Preven.on Install SAP notes: , , , , Disable unnecessary applica8ons 31

32 5 MMC JSESSIONID stealing: Descrip.on Remote management of SAP Platorm By default, many commands go without auth Exploits implemented in Metasploit (by ChrisJohnRiley) Most of the bugs are informa8on disclosure It is possible to find informa8on about JSESSIONID Only if trace is ON New 1) Original bug by ChrisJohnRiley 2) JSESSIONID by Alexey Sintsov and Alexey Tyurin (ERPScan) Can be authen.cated as an exis.ng user remotely 32

33 5 MMC JSESSIONID stealing: Business risks Espionage Cri.cal Fraud High Sabotage Medium Ease of exploita.on Medium 33

34 5 MMC JSESSIONID stealing: Preven.on The JSESSIONID by default will not be logged in log file Don t use TRACE_LEVEL = 3 on produc8on systems or delete traces aver use Other info hpp://help.sap.com/saphelp_nwpi71/helpdata/en/ d6/49543b1e49bc1fe a114084/frameset.htm 34

35 4 Remote command execu.on in TH_GREP: Descrip.on RCE vulnerability in RFC module TH_GREP Found by Joris van de Vis SAP was not properly patched ( ) We have discovered that the patch can be bypassed in Windows Original bug by Joris van de Vis (erp- sec) Bypass by Alexey Tyurin (ERPScan) 35

36 4 RCE in TH_GREP: Details elseif opsys = 'Windows NT'. concatenate '/c:"' string '"' filename into grep_params in character mode. else. /*if linux*/ /* 185 */ replace all occurrences of '''' in local_string with '''"''"'''. /* 186 */ concatenate '''' local_string '''' filename into grep_params /* 187*/ in character mode. /* 188*/ endif. /* 188*/ 36

37 4 RCE in TH_GREP: Demo #1 37

38 4 - RCE in TH_GREP: More details 4 ways to execute vulnerable program Using transac8on "Se37 Using transac8on SM51 (thanks to Felix Granados) Using remote RFC call "TH_GREP" Using SOAP RFC call "TH_GREP" via web 38

39 4 RCE in TH_GREP: Demo #2 39

40 4 RCE in TH_GREP: Business risks Espionage High Sabotage Medium Fraud High Ease of exploita.on medium 40

41 4 RFC in TH_GREP: Preven.on Install SAP notes , Prevent access to cri8cal transac8ons and RFC func8ons Check the ABAP code of your Z- transac8ons for similar vulnerabili8es 41

42 3 - ABAP Kernel BOF: Descrip.on Presented by Andreas Wiegenstein at BlackHat EU 2011 Buffer overflow in SAP kernel func8on C_SAPGPARAM When NAME field is more than 108 chars Can be exploited by calling an FM which uses C_SAPGPARAM Example of report RSPO_R_SAPGPARAM Author: (VirtualForge) 42

43 3 ABAP Kernel BOF: Business risks Espionage Cri.cal Sabotage Cri.cal Fraud Cri.cal Ease of exploita.on Medium 43

44 3 ABAP Kernel BOF: Preven.on Install SAP notes: Correc8ng buffer overflow in ABAP system call Poten8al remote code execu8on in SAP Kernel Prevent access to cri8cal transac8ons and RFC func8ons Check the ABAP code of your Z- transac8ons for cri8cal calls 44

45 2 Invoker Servlet: Descrip.on Rapidly calls servlets by their class name Published by SAP in their security guides Possible to call any servlet from the applica8on Even if it is not declared in WEB.XML Can be used for auth bypass 45

46 2 - Invoker Servlet: Details <servlet>! <servlet-name>criticalaction</servlet-name>! <servlet-class>com.sap.admin.critical.action</servlet-class>! </servlet>! <servlet-mapping>! <servlet-name>criticalaction</</servlet-name>! <url-pattern>/admin/critical</url-pattern>! </servlet-mapping! <security-constraint>! <web-resource-collection>! <web-resource-name>restrictedaccess</web-resource-name>! <url-pattern>/admin/*</url-pattern>! <http-method>get</http-method>! </web-resource-collection>! <auth-constraint>!<role-name>admin</role-name>!</auth-constraint>! Author: Dmitry Chastukhin (ERPScan) </security-constraint>! What if we call /servlet/com.sap.admin.cri.cal.ac.on 46

47 2 Invoker servlet: Business risks Espionage High Sabotage High Fraud High Ease of use Very easy! 47

48 2 - Invoker servlet: Preven.on Update to the latest patch , EnableInvokerServletGlobally property of the servlet_jsp must be false If you can t install patches for some reason, you can check all WEB.XML files using ERPScan web.xml scanner manually. 48

49 1 VERB Tampering 49

50 1 st Place Verb Tampering <security-constraint>! <web-resource-collection>! <web-resource-name>restrictedaccess</web-resourcename>! <url-pattern>/admin/*</url-pattern>! <http-method>get</http-method>! </web-resource-collection>!!<auth-constraint>!<role-name>admin</role-name>!</auth-constraint>! </security-constraint>! Author: Alexander Polyakov (ERPScan)! What if we use HEAD instead of GET? 50

51 1 Verb tampering: Details CTC Secret interface for managing J2EE engine Can be accessed remotely Can run user management ac8ons: Add users Add to groups Run OS commands Start/Stop J2EE Remotely without authen.ca.on! 51

52 1 Verb tampering: Demo 52

53 1 Verb tampering: More details If patched, can be bypassed by the Invoker servlet! 53

54 1 Verb tampering: Business risks Espionage Cri.cal Sabotage Cri.cal Fraud Cri.cal Ease of use Very easy! 54

55 1 st Place Verb tampering: Preven.on Preven8on: Install SAP notes , Install other SAP notes about Verb Tampering (about 18) Scan applica8ons using ERPScan WEB.XML check tool or manually Secure WEB.XML by dele8ng all <hpp- method> Disable the applica8ons that are not necessary 55

56 Conclusion It is possible to be protected from almost all those kinds of issues and we are working hard with SAP to make it secure SAP Guides Regular Security assessments Monitoring technical security ABAP Code review Segrega.on of Du.es It s all in your hands 56

57 Future work Many of the researched things cannot be disclosed now because of our good relagonship with SAP Security Response Team, whom I would like to thank for cooperagon. However, if you want to see new demos and 0- days, follow us and a3end the future presentagons: PHDays in May (Moscow) Just4Mee8ng in July (Portugal) BlackHat USA in July (Las Vegas) 57

58 web: e- mail: TwiPer: Greetz to our crew who helped: Dmitriy Evdokimov, Alexey Sintsov, Alexey Tyurin, Pavel Kuzmin, Evgeniy Neelov. 58