SAP, Credit Cards and the Bird that Talks Too Much. Ertunga Arsal

Similar documents
Inception of the SAP Platform's Brain Attacks on SAP Solution Manager

Members of the UK cyber security forum. Soteria Health Check. A Cyber Security Health Check for SAP systems

A MERCHANTS GUIDE TO THE PAYMENT APPLICATION DATA SECURITY STANDARD (PA-DSS)

Payment Card Industry (PCI) Data Security Standard

SAP Secure Operations Map. SAP Active Global Support Security Services May 2015

Andreas Wiegenstein Dr. Markus Schumacher

Breach Findings for Large Merchants. 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS)

Global Partner Management Notice

AUTOMATING AUDITS AND ENSURING CONTINUOUS COMPLIANCE WITH ALGOSEC

PCI Requirements Coverage Summary Table

PCI Security Scan Procedures. Version 1.0 December 2004

ATTACKS TO SAP WEB APPLICATIONS

VERIFONE ENHANCED ZONE ROUTER

ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE

Credit Cards and Oracle: How to Comply with PCI DSS. Stephen Kost Integrigy Corporation Session #600

Overview of Banking Application Security and PCI DSS Compliance for Banking Applications

Payment Card Industry (PCI) Executive Report 08/04/2014

PCI Assessments 3.0 What Will the Future Bring? Matt Halbleib, SecurityMetrics

Invest in security to secure investments. Breaking SAP Portal. Dmitry Chastuhin Principal Researcher at ERPScan

SAP Business Objects Attacks: Espionage and Poisoning of BI Platforms

Josiah Wilkinson Internal Security Assessor. Nationwide

GFI White Paper PCI-DSS compliance and GFI Software products

PCI Requirements Coverage Summary Table

How To Protect A Web Application From Attack From A Trusted Environment

Protect Your Connected Business Systems by Identifying and Analyzing Threats

Template for PFI Final Incident Report for Remote Investigations

Achieving PCI-Compliance through Cyberoam

EAS-SEC Project: Securing Enterprise Business Applications

INFORMATION SUPPLEMENT. Migrating from SSL and Early TLS. Version 1.0 Date: April 2015 Author: PCI Security Standards Council

The SAProuter An Internet Window to your SAP Platform (and beyond)

PAYMENT CARD INDUSTRY (PCI) ANNUAL TRAINING DECEMBER 10, 2009 WESTERN ILLINOIS UNIVERSITY OFFICE OF THE CTSO & BUSINESS SERVICES

Payment Card Industry (PCI) Executive Report 10/27/2015

Auditing the Security of an SAP HANA Implementation

Cyber - Security and Investigations. Ingrid Beierly August 18, 2008

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

74% 96 Action Items. Compliance

Payment Card Industry (PCI) Data Security Standard

Top 10 most interesting SAP vulnerabilities and attacks Alexander Polyakov

SAP Cybersecurity Solution Brief. Objectives Solution Benefits Quick Facts

Becoming PCI Compliant

THE STATE OF SAP SECURITY 2013: VULNERABILITIES, THREATS AND TRENDS

Barracuda Web Site Firewall Ensures PCI DSS Compliance

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Payment Card Industry (PCI) Data Security Standard PFI Final Incident Report. Template for PFI Final Incident Report. Version 1.0.

Reference Architecture: Enterprise Security For The Cloud

SAP SECURITY CLEARING THE CONFUSION AND TAKING A HOLISTIC APPROACH

Using Skybox Solutions to Achieve PCI Compliance

The McAfee SECURE TM Standard

Payment Card Industry (PCI) Data Security Standard

March

SAP NetWeaver Application Server Add-On for Code Vulnerability Analysis

Need to be PCI DSS compliant and reduce the risk of fraud?

AIS Webinar. Payment Application Security. Hap Huynh Business Leader Visa Inc. 1 April 2009

1 Introduction Product Description Strengths and Challenges Copyright... 5

Coalfire Systems Inc.

Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

Visa U.S.A Cardholder Information Security Program (CISP) Payment Application Best Practices

8/17/2010. Over 90% of all compromised merchants are PCI level 4 (small) merchants or merchants with less than 1 million transactions per year

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

SonicWALL PCI 1.1 Implementation Guide

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00

Credit Card Processing Overview

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

Administrative Improvements. Administrative Improvements. Scoping Guidance. Clarifications for Segmentation

Payment Card Industry Data Security Standard

Introduction to PCI DSS Compliance. May 18, :15 p.m. 2:15 p.m.

SEC100 Secure Authentication and Data Transfer with SAP Single Sign-On. Public

Payment Card Industry (PCI) Data Security Standard PFI Final Incident Report. Template for PFI Final Incident Report. Version 1.1.

Payment Card Industry Self-Assessment Questionnaire

How To Reduce Pci Dss Scope

Protecting Your Organisation from Targeted Cyber Intrusion

Introduction to PCI DSS

Voltage SecureData Web with Page-Integrated Encryption (PIE) Technology Security Review

CHEAT SHEET: PCI DSS 3.1 COMPLIANCE

Hardening of SAP HTTP- and Webservices

MITIGATING LARGE MERCHANT DATA BREACHES

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Customer PCI 3.0 Changes = New Opportunity For You. Giles Witherspoon-Boyd SecurityMetrics

PCI DSS Reporting WHITEPAPER

SERENA SOFTWARE Serena Service Manager Security

Are You Ready For PCI v 3.0. Speaker: Corbin DelCarlo Institution: McGladrey LLP Date: October 6, 2014

Merchant guide to PCI DSS

whitepaper 4 Best Practices for Building PCI DSS Compliant Networks

SAP SECURITY OPTIMIZATION

Imperva s Response to Information Supplement to PCI DSS Requirement Section 6.6

Andreas Mertz (Founder/Man. Dir. it-cube SYSTEMS, CISSP) 360 SAP Security

Encryption and Tokenization: Protecting Customer Data. Your Payments Universally Amplified. Tia D. Ilori Sue Zloth September 18, 2013

Achieving Compliance with the PCI Data Security Standard

CardControl. Credit Card Processing 101. Overview. Contents

Security Audit Log (BC-SEC)

Finding the Leak Access Logging for Sensitive Data. SAP Product Management Security

Transcription:

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal

Agenda Business Processes SAP Systems Exploit Demo SAP Credit Cards and Birds External Payment SoluAons on SAP How to Stay Secure About Us 2

Want to know how this happened? 3

Part I - The Business Processes The Background

SAP: The DominaAng System SAP ERP is preoy much the dominaang system which translates the business processes to the digital world Covers almost all aspects of business Allows extensive customizaaons SAP is the core of major businesses 5

AOacking the Core SAP systems are complex systems Numerous components Rarely hardened or properly patched It does not stop there SAP applicaaons contain 3rd party ABAP add- ons 6

AOack Vectors 7

How can it be aoacked? Example: BASIS Components [ESNC- 2013-003] Remote OS Command ExecuAon in SAP BASIS CommunicaAon Services Allows OS command execuaon, with the rights of the SAP applicaaon server We reported this in 2011, it got patched in 2013 [SAP Note 1674132] SAP s CVVS v2 base score for this vulnerability is 6.0 (Medium Risk) We were able to bypass the patch s protecaon Second patch came a couple of months later [SAP Note 1826162] This Ame CVSS v2 score is: 7.5 (High Risk) Same vulnerability higher CVSS score 8

How can it be aoacked? 3rd Party Components [ESNC- 2013-004] Remote ABAP Code InjecAon in OpenText/IXOS ECM for SAP NetWeaver Widely used 3 rd party component for archiving and document management. Vulnerability allows injecang ABAP code to the SAP system. 9

Exploit Demo Becoming an admin user on the SAP system

What is a Business Process? CollecAon of related acaviaes that produce a specific service or product for customers Begins with a customer s need and ends with a customer s need fulfillment. Commonly done using SAP systems Famous Example: The pin factory by Adam Smith SAP, Credit Cards and the Bird that Talks Too Much ESNC GmbH - All rights Reserved. 11

Example: AOacking the Business Processes Finding & ExploiAng Vendors which Expect Money The aoacker could directly go to vendor payment history for determining the target bank accounts of vendors. 12

Determining VicAm Bank Accounts AOacker can filter out uninteresang accounts and focus on ones where the vicam company will transfer more than 10.000 EUR 13

Determining VicAm Bank Accounts AOacker can pick the largest sum which will be paid AOacker can also check when the transfer will be done Now only one step is lei for the result Replacing the bank account of the Vendor with the aoacker s bank account 14

Changing the Bank Accounts AOacker runs the transacaon FK02 and searches vicam vendor AOacker replaces the account number of the vendor with evil one When the payment Ame comes, sum is transferred to the aoacker s account 15

End of Chapter I For the second part of the presentaaon, we assume that the aoacker has sufficient authorizaaons for execuang any acaon menaoned later. By exploiang vulnerabiliaes Collusion ExisAng rights So, system is compromised. But where else can the aoacker go from there? Before that, let s talk about credit cards and the birds 16

Part II - SAP Credit Cards and Birds Credit Card Processing on SAP

Credit Card Processing on SAP Sales and DistribuAon (SD) and many SAP modules ualize payment card processing Customer orders Retail point of sale (POS) Financial accounang Internet commerce HR - travel expenses The cardholder data passes through SAP system and it is stored on the system on many occasions Data tables Change documents TransacAon logs DB logs Only few external soluaons use tokenizing and and external portals, outside SAP 18

Credit Card Data DB Tables During our research, we found more than 50 SAP database tables which contain e.g. credit card numbers The used tables differ based on which modules and funcaonaliaes are used/acavated on the customer Some common SAP tables are: FPLTC BSEGC VCKUN VCNUM Pa0105 (Subtype 0011) PCA_SECURITY_RAW CCSEC_ENC, CCSEC_ENCV CCARDEC /PMPAY/PENCRP Payment cards: TransacAon data - SD Document - Data on Payment Card Payments Assign customer- credit card Credit card master HR Master Record: Infotype 0011 (Ext.Bank Transfers) Card Master: EncrypAon Encrypted Payment Card Data Encrypted Payment Card Data Paymetric Encrypted Paymetric Card Data (for offline usage, now obsolete) 19

Accessing Cleartext Cardholder InformaAon Recipe Type SE16 at the command bar of SAPGUI aier you logon, hit Enter. Type the table which you want to display and press Enter. E.g. FPLTC Enter your criteria (empty == all) Copy paste the data as desired to your favorite PasteBin 20

Accessing Cleartext Cardholder InformaAon Using Remote FuncAon Calls RFC (Remote FuncAon Call) protocol can be ualized SOAP- RFC over HTTP allows Internet based access to RFC funcaonality. RFC_READ_TABLE funcaon allows generic access to contents of the tables Sapsucker could be used for it? source: Wikipedia 21

Free Tool? - Sapsucker Named aier the famous bird Allows easy access to SAP tables via RFC and HTTP(s) protocols Allows reusing XSSed SAP logon cookies for RFC connecaons SNC (Secure network communicaaons) supported SAP router supported Easily extract and filter sensiave data 22

DecrypAng Encrypted Credit Card Numbers Due to PCI- DSS requirements, cardholder data must be encrypted. Tables e.g. PCA_SECURITY_RAW, CCSEC_ENC, CCSEC_ENCV, CCARDEC, /PMPAY/PENCRP contain encrypted data (if encrypaon is enabled) Program RS_REPAIR_SOURCE spawns a code editor An aoacker could use it to type malicious ABAP code, even on producaon systems 23

Are we the only ones? The data can be decrypted via funcaon modules CCARD_DEVELOPE or CCSECA_CCNUM_DECRYPTION the RFC /PMPAY/P_ENCRYP_RFC or XIPAY_E4_CRYPTO for Paymetric People are already doing this! and they are sharing their experiences 24

External Payment SoluAons on SAP

External Vendors for Payment SoluAons It is common to see external soluaons for securing CC data Paymetric XiPay- XiSecure (cool tokenizing stuff) and others such as GMAPay, PaylinX, DelegoSecure, Princeton CardConnect to name a few Secure (assuming) payment soluaon + insecure SAP system equals to? Most common soluaons use registered RFC servers for SAP connecavity 26

Standard Concept Merchant/Bank' CC_AUTHORIZATION' CC_SETTLEMENT' SAP'System' A SAP'system'can' send'requests'to' PCI'Server'over' the'gateway'via' RFC'protocol' 1 PCI'Server' Payment'Card'Interface'Server'' registers'itself'on'sap'gateway' and'accepts'connecaons' Registers'as' TP'ID=PAY.P01' Accesses'TP'PAY.P01' Gateway' Service' Accesses'TP'PAY.P01' Reginfo'ACL' defines'who'can' register'a'server'or' connect'to'a' registered'server' External Payment Card Interface ConnecAvity - with registered RFC Servers B External'programs'can'send' requests'to'pci'server'over' the'gateway'via'rfc' protocol' 27

External Payment Card Interface ConnecAvity Standard Concept - Common Security Issues Customer does not configure ACL ACL can be bypassed (missing SAP kernel patch) Customer uses SAP s tool to generate the access control list SAP s reginfo ACL generator creates access lists with ACCESS=*! SAP does not acknowledge this as a security issue Predictable TP names of payment processors enabling unauthenacated aoacks 28

External Payment Card Interface ConnecAvity With registered RFC Servers - AOacks 2 SAP'system'sends'requests'to' PCI'Server'over'the'gateway' Merchant/ Bank' CC_AUTHORIZATION' CC_SETTLEMENT' SAP'System' Registers' TP'ID=PAY.P01' Gateway' Service' Reginfo'ACL'defines'who'can' register'a'server'or'connect'to'a' registered'server' PCI'Server' 1 Payment'Card'Interface'Server'' registers'itself'on'sap'gateway' and'accepts'connecaons' A Accesses'TP'PAY.P01' Evil'external'programs'can' send'requests'to'pci'server' over'the'gateway'via'rfc' protocol'to'extract'cc' informaaon' Registers' TP'ID=PAY.P01' B MITM:An'aTacker'can' pretend'to'be'pci'server'by' registering'with'the'same'tp' ID'to'sniff'CC'informaAon'or' to'trick'the'sap'system'that' payment'is'complete' 29

Further Security Issues Modern soluaons that use e.g. SAP PI (process integraaon) are oien misconfigured with fatal flaws Debugging or system tracing is not switched off. SNC (transport encrypaon) is rarely used between PCI and SAP system RedirecAng e.g. SAP web shop users to an external provider (before payment) to avoid being in the PCI- DSS scope is the new trend Tokenizing on its own is not sufficient. The SAP system must also be hardened. PCI- DSS auditors generally have liole or no knowledge about SAP security. 30

External Payment Card Interface ConnecAvity Standard Concept - ResulAng in Man- in- the- middle aoack for CC_SETTLEMENT and CC_AUTHORIZATION funcaons Credit card data thei Fake transacaon authorizaaon SAP system can be fooled that transacaon is complete and it can deliver the goods Foreseeable consequences brand damage, legal consequences etc. And some unforeseeable consequences 31

or Something More Entertaining

ConnecAng SAP to Social Media I ve heard at many conferences that SAP should be more social networking enabled, so let s do it! Tampering the payment card interface funcaons is possible e.g. SD_CCARD_AUTH_CALL_RFC could allow capturing credit card numbers real- Ame Including validaaon status, card validaaon code cvv2 (called cvc2 for mastercard, same thing) Introducing TweetBOtM THE FIRST SAP CREDIT CARD TO TWITTER INTERFACE Allows SAP system to tweet aier a credit card transacaon Requires patching SAP s code, voids warranty! That should be the least of your worries Fallback to DNS tunneling when TwiOer is unreachable 33

TweetBOtM* Challenges TwiOer changed its API this year so HTTP is not allowed anymore *BOtM = Bird that talks too Much Good side: PCI- DSS compliant backdoor Requires imporang TwiOer s cert via transacaon STRUST Workaround by invoking SAPGENPSE! Delays: 1-3 seconds per tweet DNS tunnel fallback when outbound connecaon is blocked FuncAon module RFC_HOST_TO_IP is (mis)used as a poor man s DNS tunnel on ABAP Public source code? SAll in discussions with the legal guys. Follow me on twioer to stay informed :) 34

Part III - How to Stay Secure from unforeseeable consequences

No.1: Address The Complete Picture 36

No.2: Implement a HolisAc Process to Stay Secure Preven%on( Vulnerability) Discovery) Automa'c)Issue) Fixing) Detec%on( Real&'me)security) monitoring) SAP)event) correla'on) Response( Automa'c)Threat)Mi'ga'on) Automa'c)Firewall)Rule) Crea'on) 37

No.3: Automate It Automated SAP security scans Automated SAP PCI- DSS compliance checks Automated ABAP code correcaons Automated SAP real- Ame monitoring Automated SAP event correlaaon Automated conanuous integraaon into Security Incident Event Management - SIEM Automated SAP vulnerability/issue fixing (remediaaon) Automated SAP intrusion detecaon, prevenaon and alerang 38

About Us

ESNC GmbH - Germany ESNC assesses and fixes security vulnerabiliaes in SAP systems ESNC Security Suite: PentesAng, real- Ame SAP security monitoring and automaac vulnerability miagaaon Headquarters in Munich Customer base: Governmental insatuaons, banking, ualiaes, automaave, oil and other criacal industries Presenter: Ertunga Arsal Security researcher with long history and focus on SAP Audited hundreds of corporate and government enterprise SAP systems to date Credited by SAP for 75 security patches in 2013 (over 100 vulnerabiliaes in total) Lecturer Systems and Network Security at Sabanci University for postgraduates Speaker at CCC annual congress, Defcon Hashdays, Deepsec, Sec- T etc Founder of ESNC 40

The Menu of SAP Security A01 - SAP Audit & Assessment A02 - SAP PCI DSS 3.0 Compliance A03 - SAP RemediaAon and Risk Management A04 - Security Policy Enforcement on SAP systems A05 - SAP PenetraAon TesAng C01 - ABAP Code Security Assessment & CorrecAon R01 - SAP Real- Time Monitoring & IDP R02 - SAP SIEM IntegraAon 41

Thank you!!!!!! And many thanks to! Eric Bushman <ebushman@paymetric.com> from Paymetric for the good input and my team This document contains references to products of SAP AG. SAP, ABAP, SAPGUI and other named SAP products and associated logos are brand names or registered trademarks of SAP AG in Germany and other countries in the world. HP is a registered trademark of HewleO- Packard Company. Oracle and Java are registered trademarks of Oracle and/or its affiliates. All other trademarks are the property of their respecave owners. This document is for educaaonal purposes. It does not come with any warranty or guarantee. ESNC GmbH is not responsible of any misuse of the content. This document or parts of this document is not allowed to be distributed without ESNC s wrioen permission. 42

Ertunga Arsal Email: ertunga@esnc.de Brad Wilkinson Email: brad@esnc.de Q&A

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information