SAP Penetration Testing & Defense In-Depth

Transcription

1 sap security, sap pentest, sap pentesting, sap pt, sap security assessment, sap vulnerability assessment, sap insecurity, sap vulnerabilities, sap vulnerability, sap defense, hardening sap, sap hardening, protecting sap SAP Penetration Testing & Defense In-Depth Mariano Nuñez Di Croce October 2-3, 2008 Ekoparty,, Buenos Aires - Argentina Copyright 2008 CYBSEC. All rights reserved.

2 Who is CYBSEC? Provides Information Security services since More than 300 customers, located in LatinAmerica, USA and Europe. Wide range of services: Strategic Management, Operation Management, Control Management, Incident Management, PCI Services, SAP Security. SAP & CYBSEC Member of the SAP Global Security Alliance (GSA). Has been working with SAP (Walldorf) since Provides specific SAP security services (Penetration Testing, Secure Architecture Design, Secure Configuration, ) 2

3 Who am I? Senior Security Researcher at CYBSEC. Devoted to Penetration Testing and Vulnerability Research. Discovered vulnerabilities in Microsoft, Oracle, SAP, Watchfire, Speaker/Trainer at Blackhat, Sec-T, Hack.lu, DeepSec, Ekoparty, CIBSI, SAP & Me Started researching in SAP Pentesting projects (customers). Discovered more than 40 vulnerabilities in SAP software. Published Attacking the Giants: Exploiting SAP Internals. Developed sapyto, the first SAP Penetration Testing Framework. CYBSEC s SAP (In)Security Training instructor. 3

4 Agenda Agenda Introduction to the SAP World Why SAP Penetration Testing? PenTest Setup SAP PenTesting Discovery Phase Exploration Phase Vulnerability Assessment Phase Exploitation Phase Case Study: SAProuter Security Assessment Conclusions 4

5 Introduction to the SAP World Basic concepts for deep knowledge 5

6 Introduction to the SAP World So what is SAP? SAP (Systems, Applications and Products in Data Processing) is a german company devoted to the development of business solutions. More than customers in more than 120 countries. More than SAP implementations around the globe. Third biggest independent software vendor (ISV). Provides different solutions: CRM, ERP, PLM, SCM, SRM, GRC, Business One, The ERP solution is composed of different functional modules (FI, CO, SD, HR, MM, etc) that implements organization business processes. Modules are linked together, integrated by the Netweaver platform. SAP runs on multiple Operating Systems and Databases. 6

7 Introduction to the SAP World SAP Basic Concepts Instance & System An instance is an administrative entity which groups related components of an SAP system, providing one or more services. Systems are identified by SAP System ID (SID). System (instance) parametrization is done in Profiles. 7

8 Introduction to the SAP World SAP Basic Concepts Client Legally and organizationally independent unit in an SAP system (company group, business unit, corporation). Identified by a three-digit number. Default clients: 000, 001 and 066. Transaction Related secuence of steps (dialog steps) aimed to perform an operation in the SAP database. Identified by a transaction code (ej: SU01, SE16, FK01, PA20, ) 8

9 Introduction to the SAP World SAP Basic Concepts ABAP ABAP is the SAP high-level programming language used to develop business applications. Reports / Programs ABAP programs that receive user input and produce a report in the form of an interactive list. Function Modules Independent ABAP modules. Can be called locally or remotely. The RFC (Remote Function Call) Interface Used to call function modules on remote systems. 9

10 Introduction to the SAP World SAP Basic Concepts The Authorization Concept (Simplified) Users are asigned roles/profiles. Each profile contains a set of Authorization objects. When a user tries to perform an activity, the required authorization objects are checked against user s authorization objects (user buffer). Controlled Activities: Starting Transactions (S_TCODE) Accessing Tables (S_TABU_DIS) Starting Programs (S_PROGRAM) Calling RFC Function Modules (S_RFC) Authorization checks can also be done programatically, through the AUTHORITY_CHECK clause. 10

11 Introduction to the SAP World Some Low Low-level level Knowledge SAP_ALL profile = SAP God. Many other profiles may enable a user become a god too. Each SAP System uses its own Database. SAP processes run under the <sid>adm or SAPService<SID> user accounts. Connections to the Database are done with the same UID. No authorization at this level Direct access to the Database means full SAP compromise! Connections between systems often based on Trust Relationships (r* services). Many customer s interfaces are implemented through FTP (cleartext, usually weak passwords). 11

12 Why SAP Penetration Testing? Or why You and your CFO should care 12

13 Why SAP Penetration Testing? Why do you Need an SAP Penetration Test? The new SAP system must be running on October 3 rd, no excuses. 13

14 Why SAP Penetration Testing? Why do you Need an SAP Penetration Test? But we haven t secured the systems yet you know, there is something called Security The new SAP system must be running on October 3 rd, no excuses. 14

15 Why SAP Penetration Testing? Why do you Need an SAP Penetration Test? But we haven t secured the systems yet you know, there is something called The new SAP system must be running on October 3 rd, no excuses. Security Security? Hmm is it French? I don t care Business *must* go on! 15

16 Why SAP Penetration Testing? Why do you Need an SAP Penetration Test? But we haven t secured the systems yet you know, there is something called The new SAP system must be running on October 3 rd, no excuses. Security Security? Hmm is it French? But we should take care of I don t care User authorizations to Business *must* go on! prevent frauds! 16

17 Why SAP Penetration Testing? Why do you Need an SAP Penetration Test? But we haven t secured the systems yet you know, there is something called The new SAP system must be running on October 3 rd, no excuses. Security Security? Hmm is it French? But we should take care of I don t care User authorizations to Business *must* go on! prevent frauds! Just give everyone full access (SAP_ALL) for three months, then we ll lock it down 17

18 Why SAP Penetration Testing? Why do you Need an SAP Penetration Test? But we haven t secured the systems yet you know, there is something called The new SAP system must be running on October 3 rd, no excuses. Security Security? Hmm is it French? But we should take care of I don t care User authorizations to Business *must* go on! prevent frauds! Just give everyone full access OK (SAP_ALL) for three months, then we ll lock it down 18

19 Why SAP Penetration Testing? Why do you Need an SAP Penetration Test? But we haven t secured the systems yet you know, there is something called The new SAP system must be running on October 3 rd, no excuses. Security Security? Hmm is it French? But we should take care of I don t care User authorizations to Business *must* go on! prevent OK Just give everyone full access (SAP_ALL) for three months, then we ll lock it down 19

20 Why SAP Penetration Testing? Why do you Need an SAP Penetration Test? (cont.) CFO s Mistake: Alert Weak SAP Security configuration can definitely result in Business Frauds! Security guy s Mistake: Alert SAP Security is much (*much*) more than User roles and authorizations! 20

21 Why SAP Penetration Testing? Why do you Need an SAP Penetration Test? (Wrap up) Security configurations of SAP systems are usually left by default. By default, many configurations are not secure. Conclusion: Many SAP implementations are not secure! Is yours secure? A Penetration Test to these systems will help you know how your SAP implementation can be attacked and which is the real impact of this. It will help you discover the weaknesses, secure them, and increase the security level of your systems (a.k.a decrease fraud risk). In this talk, we ll see some of the activities that make up the different phases of an SAP Penetration Testing (no way of covering them all). 21

22 PenTest Setup Before we begin 22

23 PenTest Setup Preparation What do you need? The Shopping List sapyto SMB client & security tools nmap BurpSuite / w3af r* tools (rsh, rlogin, rexec) Nessus SQL client tools john (patched) NFS client tools hydra Try to get as much information as possible about target platforms, usage and policies before starting the assessment. Remember that everthing that breaks while you are pentesting *will* be your fault (even if someone breaks his leg). 23

24 sapyto sapyto First SAP Penetration Testing Framework. Support for activities in all phases of the pentest. Open-source (and free). Plugin based. Developed in Python and C. Version 0.93 released at Blackhat Europe

25 sapyto Available Plugins in sapyto v0.93 Audit: RFC Ping. Registration of External Servers. Detection of RFCEXEC. Detection of SAPXPG. Get system information. Get server documentation. Attack: RFC_START_PROGRAM Dir Traversal. Run commands through RFCEXEC. Run commands through SAPXPG. StickShell. Evil Twin Attack. Get remote RFCShell. Tools: RFC Password Obfuscator / De-obfuscator. 25

26 sapyto Hot News! sapyto v0.98 Core and architecture fully re-built. Based on connectors. The SAPRFC* connectors and the RFCSDK. Plugins are now categorized in Discovery, Audit and Exploit. Discovery plugins find new targets. Audit plugins carry out the vulnerability assessments. Exploit plugins are used as proof of concepts for discovered vulns. sapytoagents deployment. New plugins for auditing SAProuters, find clients, bruteforcing, 26

27 Discovery Phase Finding SAP targets 27

28 Discovery Phase Discovering SAP Systems and Applications (Targets) Available Options: Traffic sniffing. SAP portscanning. Checking SAPGUI configurations. SAP Systems use a fixed range of ports. Most ports follows the PREFIX + SYS. NUMBER format. Common ports: 32XX, 33XX, 36XX, 39XX, 3299, 81XX, Nmap: Watch Timings (-T3) and don t use version detection. New sapyto will provide automatic discovery of SAP systems and configuration of targets/connectors for auditing! 28

29 Exploration Phase Getting as much information as possible 29

30 Exploration Phase Getting Information from SAP Application Servers The RFC_SYSTEM_INFO function module returns information about remote SAP Application Servers (implemented in sapyto s sapinfo plugin) Can be called remotely (and anonymously) by default. [5] sapinfo(target#0) { Remote System Information: RFC Log Version: 011 Release Status of SAP System: 700 Kernel Release: 700 Operating System: Linux Database Host: sapl01 Central Database System: ORACLE Integer Format: Little Endian Dayligth Saving Time: Float Type Format: IEEE Hostame: sapl01 IP Address: System ID: TL1 RFC Destination: sapl01_tl1_00 Timezone: (diff from UTC in seconds) Character Set: 4103 Machine ID:

31 Exploration Phase Getting Information from SAP Application Servers The RFC_SYSTEM_INFO function module returns information about remote SAP Application Servers (implemented in sapyto s sapinfo plugin) Can be called remotely (and anonymously) by default. [5] sapinfo(target#0) { Remote System Information: Protection / RFC Countermeasure Log Version: 011 Release Status of SAP System: 700 Kernel Release: 700 Restrict connections Operating to the System: SAP Gateway Linux at the network level. For more information, Database refer Host: to SAP sapl01 Note Central Database System: ORACLE Integer Format: Little Endian Dayligth Saving Time: Float Type Format: IEEE Hostame: sapl01 IP Address: System ID: TL1 RFC Destination: sapl01_tl1_00 Timezone: (diff from UTC in seconds) Character Set: 4103 Machine ID:

32 Exploration Phase Finding Available Clients Users are client-dependent. Default clients: 000, 001, 066. getclients(target#0) { Client 000 is available. Client 001 is available. Client 066 is available. Client 101 is available. Client 200 is available. } res: Ok 32

33 Exploration Phase Analyzing Shared Resources The Common Transport Directory (CTD) is the directory where changes (transports) are exported to and imported from in an SAP landscape. This directory must be shared for all systems in the landscape. It is often the case, where the kernel files and profiles are shared to dialog instances. $ showmount e sapserver /export/usr/sap/trans (everyone) /export/sapmnt/np1 (everyone) /export/informix/np1 (everyone) /export/interfacesnp1 (everyone) /export/interfsrcnp1 (everyone) 33

34 Exploration Phase Analyzing Shared Resources The Common Transport Directory (CTD) is the directory where changes (transports) are exported to and imported from in an SAP landscape. This directory must be shared for all systems in the landscape. It is often the case, where the kernel files and profiles are shared to dialog instances. Protection / Countermeasure Shared resource access should be restricted to SAP $ showmount e sapserver related systems and users only. /export/usr/sap/trans (everyone) /export/sapmnt/np1 (everyone) /export/informix/np1 (everyone) /export/interfacesnp1 (everyone) /export/interfsrcnp1 (everyone) 34

35 Vulnerability Assesment Phase Analyzing the discovered components 35

36 Vulnerability Assessment Phase SAP Default Users There is public information regarding the existence of default SAP user accounts. Many of these accounts are configured with high privileged profiles. User ID Description Clients Password SAP* Super user 000,001, new clients PASS DDIC ABAP Dictionary super user 000, EARLYWATCH User for the EarlyWatch Service 066 SUPPORT SAPCPIC Communication User 000, 001 ADMIN 36

37 Vulnerability Assessment Phase SAP Default Users There is public information regarding the existence of default SAP user accounts. Many of these accounts are configured with high privileged profiles. User ID SAP* DDIC Description Protection / Countermeasure Super user Default users must be secured. ABAP Dictionary super user SAP* should be deactivated. Clients Password 000,001, new clients PASS 000, Use report RSUSR003 to check the status of default users. EARLYWATCH User for the EarlyWatch Service 066 SUPPORT SAPCPIC Communication User 000, 001 ADMIN 37

38 Vulnerability Assessment Phase SAP User Account Bruteforcing Usernames are up to 12 characters long. As part of the PenTest, you can try guessing/cracking user credentials. Max. Length Case Old Passwords ( 6.40) 8 Insensitive New Passwords (> 6.40) 40 Sensitive WARNING! User locking is implemented! (usually, between 3-12 tries) Ops! In versions 6.20, lock counter is not incremented through RFC. sapyto s brutelogin plugin can work in different modes: Try default users only and SAP*:PASS in detected clients. Specific credentials wordlist. Username and Password wordlists. 38

39 Vulnerability Assessment Phase Getting Credentials from the Wire RFC Sniffing RFC (Remote Function Call) is the most widely used interface in the SAP world. In order for a system to connect through RFC, it must provide login information for the remote system. RFC is clear-text, but you won t be able to see the password in the wire Password is obfuscated! -> Use sapyto s getpassword plugin... 01a f 22 ea 45 5e..._".E^ 01b0 22 c5 10 e c0 a8 02 8b " c0 0a f rfc_server d b 81 bb 89.BCUSER... 01e0 62 fc b5 3e e b..?w.oy f E b b e 5a f d 4f 4e...ZCUST_GETMON f 22 ea 45 5e 22 c5 10 EY..._".E^" e c0 a8 02 8b c...CL e 54 5f IENT_ID...CUS ff ff ff ff T c e 80...>. for CHAR in CLEAR_TEXT_PASS: OBFUSCATED_PASS[i] = CHAR XOR KEY[i] 39

40 Vulnerability Assessment Phase Getting Credentials from the Wire RFC Sniffing RFC (Remote Function Call) is the most widely used interface in the SAP world. In order for a system to connect through RFC, it must provide login information for the remote system. RFC is clear-text, but you won t be able to see the password in the wire Password is obfuscated! -> Use sapyto s getpassword plugin... Protection / Countermeasure Enable SNC, protecting the confidentiality and integrity of the traffic. 01a f 22 ea 45 5e..._".E^ 01b0 22 c5 10 e c0 a8 02 8b " c0 0a f rfc_server d b 81 bb 89.BCUSER... 01e0 62 fc b5 3e e b..?w.oy f E b b e 5a f d 4f 4e...ZCUST_GETMON f 22 ea 45 5e 22 c5 10 EY..._".E^" e c0 a8 02 8b c...CL e 54 5f IENT_ID...CUS ff ff ff ff T c e 80...>. for CHAR in CLEAR_TEXT_PASS: OBFUSCATED_PASS[i] = CHAR XOR KEY[i] 40

41 Vulnerability Assessment Phase Analysis of the RFC Interface RFC Communication is done through the Gateway Service. The GW can connect with external RFC servers: Registered Servers: The external system registers to the GW under a Program ID. Started Servers: The GW connects to a remote system and starts a program (trust?) By exploiting Registered Servers caveats, it may be possible to obtain confidential information, DoS, perform RFC MITM and callback attacks. By exploiting Started Servers vulnerabilities, it may be possible to obtain remote code execution on misconfigured Application Servers. (check the Attacking the Giants: Exploiting SAP Internals white-paper) 41

42 Exploitation Phase Getting access and beyond 42

43 Exploitation Phase But why do we need Exploitation anyway? Vulnerability Assessments reports enumerate discovered vulnerabilities with the associated risk estimate. A security aware individual would easily see the problems. But, what about the people from the Financial areas? For them to get involved, they need to see the facts! You must show them how their information can be compromised -> screenshots, livedemos Vulnerability Assessments are 2D, Exploitation adds a new Dimension. 43

44 Exploitation Phase SAP Password Considerations & Cracking SAP has implemented different password hashing mechanisms. Passwords hashes are stored in table USR02 (BCODE, PASSCODE) and USH02. Code Vers. A B C D E F G Description Obsolete Based on MD5, 8 characters, Uppercase, ASCII Not implemented Based on MD5, 8 characters, Uppercase, UTF-8 Reserved Based on SHA1, 40 characters, Case Insensitive, UTF-8 Code Version F + Code Version B (2 hashes) On June , a patch for John The Ripper for CODVN B and F was published. 44

45 Exploitation Phase SAP Password Considerations & Cracking SAP has implemented different password hashing mechanisms. Passwords hashes are stored in table USR02 (BCODE, PASSCODE) and USH02. Code Vers. A Description Protection / Countermeasure Obsolete B Based on MD5, 8 characters, Uppercase, ASCII Access to tables USR02 and USH02 should be protected. C Not implemented Password security should be enforced through profile configuration D (login/* Based parameters). on MD5, 8 characters, Uppercase, UTF-8 Table E USR40 can Reserved be used to protect from trivial passwords. For F more information, Based on refer SHA1, to SAP 40 characters, Note Case Insensitive, UTF-8 G Code Version F + Code Version B (2 hashes) On June 26, a patch for John The Ripper for CODVN B and F was published. 45

46 Exploitation Phase Exploiting SAP/Oracle Authentication Mechanism Discovered by me in Discovered by Jochen Hein in 2003 (D oh!) Target: Default SAP/Oracle installations. The SAP+Oracle Authentication Mechanism SAP connects to the database as the OPS$<username> (eg: OPS$<SID>adm). Retrieves user and password from table SAPUSER. Re-connects to the database, using the retrieved credentials. 46

47 Exploitation Phase Exploiting SAP/Oracle Authentication Mechanism There is a special Oracle configuration parameter named REMOTE_OS_AUTHENT. If set to TRUE, Oracle trusts that the remote system has authenticated the user used for the SQL connection (!) The user is created as indentified externally in the Oracle database. Oracle recommendation: remote_os_authent = false SAP default and necessary configuration: remote_os_authent = true What do you need? Database host/port. SAP System ID. Oracle Instance ID ( = SAPSID?) 47

48 Exploitation Phase Exploiting SAP/Oracle Authentication Mechanism There is a special Oracle configuration parameter named REMOTE_OS_AUTHENT. If set to TRUE, Oracle trusts that the remote system has authenticated the user used for the SQL connection (!) The user is created as indentified externally in the Oracle database. Protection / Countermeasure Oracle recommendation: remote_os_authent = false SAP default and necessary configuration: remote_os_authent = true What do you need? Restrict who can connect to the Oracle listener: Database host/port. tcp.validnode_checking = yes tcp.invited_nodes = ( , ) SAP System ID. Oracle Instance ID ( = SAPSID?) 48

49 Exploitation Phase Exploiting Weak RFC Interface Security Possible in default configuration of SAP Systems. Allows for unauthenticated remote code execution. Starting EXPLOIT plugins weakrfc(target#1) { Creating new SHELL object... SHELL object created. ID: 536 } res: Ok sapyto> shells sapyto/shells> list Shell ID: 536 [RFCShell] Target information: Connector: SAPRFC_EXT SAP Gateway Host: sapprd01 SAP Gateway Service: sapyto/shells> start 536 Starting shell #536 RFCShell - Run commands through RFC. The remote target OS is: Win.NET. sapyto/shells/536> run whoami Call successfull. Command output: prdadm sapyto/shells/536> 49

50 Exploitation Phase Exploiting Weak RFC Interface Security Possible in default configuration of SAP Systems. Allows for unauthenticated remote code execution. Starting EXPLOIT plugins weakrfc(target#1) { Creating new SHELL object... SHELL object created. ID: 536 } res: Ok sapyto> shells sapyto/shells> list Shell ID: 536 [RFCShell] Target information: Connector: SAPRFC_EXT SAP Gateway Host: sapprd01 SAP Gateway Service: Protection / Countermeasure Starting of External RFC Servers is controlled through the file specified by the gw/sec_info profile parameter. This file should exist and restrict access to allowed systems to start specific programs in the Application Servers. The gw/reg_info file protects Registered Servers and should be configured as well. For more information, refer to SAP Note sapyto/shells> start 536 Starting shell #536 RFCShell - Run commands through RFC. The remote target OS is: Win.NET. sapyto/shells/536> run whoami Call successfull. Command output: prdadm sapyto/shells/536> 50

51 Case Study: SAProuter Security Assessment 51

52 Case Study: SAProuter Security Assessment SAProuter Introduction SAProuter is an SAP program working as a proxy, which analyzes connections between SAP systems and between SAP systems and external networks. Typical SAProuter Architecture Internal Network External User Other Internal Systems Internet DEV QAS PRD IntraWeb SSH Server Border FW SAProuter Internal Users Mainframe 52

53 Case Study: SAProuter Security Assessment SAProuter Introduction If SAProuter is in place, clients have to specify a route string to connect. /H/saprouter/S/3299/H/sapprd1/S/3200 Access in controlled through an ACL file called Route Permission Table. Entry format: P/S/D src_host dst_host dst_port pwd First-match criteria. In no match, deny connection. 53

54 Case Study: SAProuter Security Assessment The Route Permission Table Route Permission Table Example: D host1 host2 servicex P * host2 * pass123 S 10.1.*.* * * D * * * * Route Permission Table in the real life: D host1 host2 servicex P * host2 * pass123 S 10.1.*.* * * P * * * * 54

55 Case Study: SAProuter Security Assessment SAProuter Security Assessment with sapyto The saprouterspy plugin Performs Internal Network port-scan. Discovers new targets through SAProuter and configure them for auditing by other plugins. 55

56 Case Study: SAProuter Security Assessment SAProuter Security Assessment: sapytoagents Native Routing SAPRouter also supports the routing of native protocols. Useful for remote administration of Operating Systems, DB, etc. Certain limitations apply. saprouteragent plugin deploys a sapytoagent, which can be used to proxy native connections (HTTP, SSH, Telnet, etc) to internal systems. 56

57 Case Study: SAProuter Security Assessment SAProuter Introduction SAProuter is an SAP program working as a proxy, which analyzes connections between SAP systems and between SAP systems and external networks. Protection / Countermeasure Internet Typical SAProuter Architecture SAProuter should be implemented in a separate DMZ. Use VPNs and/or restrict connections at the border Firewall. DEV Internal Network The Route External Permission User Table should restrict access only to allowed parties, to specific targets and ports. SNC should be required. QAS PRD Other Internal Systems Entries containing wildcards (*) are discouraged and should be carefully analyzed. IntraWeb SSH Server Border FW SAProuter Internal Users Mainframe 57

58 Conclusions Wrapping up 58

59 Conclusions Conclusions It s impossible to cover all the activities of an SAP Pentest in a one hour talk! SAP systems deal with sensitive business information and processes. The integrity, confidentiality and availability of this information is critical. SAP systems security is often overlooked during the implementation phase, in order to avoid business delays. SAP security is much more than User Roles/Profiles and Authorizations! By default, some configurations would expose the systems to high risk threats. SAP provides many ways to secure systems and communications. Administrators should enable security settings as soon as possible. Pentesting your SAP systems will let you know the current security level of your implementation (and show your managers why you need resources to secure it :P ) CYBSEC s sapyto supports activities of all phases of the project. SAP Penetration Tests should be carried out in controlled environments, performed by qualified experts in the subject. 59

60 References References Attacking the Giants: Exploiting SAP Internals White-paper John The Ripper Patch for SAP hashes sapyto CYBSEC s SAP Security Services SAP Note Security Note: Authority Check for Function Group SRFC. SAP Note Security-related enhancement of RFCEXEC program. SAP Note ABAP systems: Protection against password hash attacks 60

61 Questions? 61

62 Thank you! 62