Post on 19-Jul-2018
2Dmitry Chastuhin
Yet another security researcher: @_chipik
Head of security consulting at ERPScan
Know 3 Spanish words: hola, gracias, sin hogar
Agenda 4
5
Conclusion
Introduction to POS 6
James Jacob Ritty The first cash Register
Introduction to POS 7
8Introduction to POS
9
The previous work
Lucas Zaichkowsky
“Point of Sale System Architecture and Security”
10The previous work
11
Magstripe readers
Unencrypted data
AND
12EMV chip
Chip contains magstripe“equivalent” data
unencrypted
13The previous work
Ross Anderson
“How Smartcard Payment Systems Fail”
14The No-PIN attack
Insert a device between card and terminal
Make card thinks: signature Make terminal thinks: pin
Nils and Jon Butler
15
“PinPadPwn” “Mission mPOSsible”
The previous work
16A “Chippy Pin” game on the terminal
Peter Fillmore
“Crash and Pay: Owning and Cloning Payment Devices”
17The previous work
Stawomir Jasek
“Hacking challenge: steal a car!”
18The previous work
19MITM POS mobile
20
Why did we choose POS software for our research?
21
Credit cardbrand network
Consumers
Payment ServiceProvider (PSP)
Issuer
Acquirers
POS SoftwarePOS HardwareSTART HERE
POS Backend
22
Consumers
Payment ServiceProvider (PSP)
Issuer
POS SoftwarePOS Hardware POS Backend
Credit cardbrand network Acquirers
23
Consumers
Payment ServiceProvider (PSP)
Issuer
POS SoftwarePOS Hardware POS Backend
Credit cardbrand network Acquirers
24
Consumers
Payment ServiceProvider (PSP)
Issuer
POS SoftwarePOS Hardware POS Backend
Credit cardbrand network Acquirers
25
Consumers
Payment ServiceProvider (PSP)
Issuer
POS SoftwarePOS Hardware POS Backend
Credit cardbrand network Acquirers
26
Business day
Business day. The beginning 27
Manager
Store
Open
Manager
Open
Terms Terms
ServerGet
Cashiers
Login
Business day 28
Business day. End of Day 29
Manager
Store
Close
Manager
Close
Terms TermsServer
Send
Cashiers
Logout
30
How did we choose POS system?
31
33
SAP Point of Sale
WHOIS SAP POS
Platform: Windows 32-bit and 64-bit
34
Language: C++
Actual version: SAP POS 2.3 SP 11 build 1171
Old name: Triversity Transactionware GM (2005)
Architecture POS Client
35
Store Server Head Office
Store Configurator
POS Client
Xpress POS Server
Database Store Manager
36POS Client
Map
37POS Client
Map
38POS Client
Map
39POS Client
Map
40POS Client
Map
41POS Client
Map
42Xpress Server
Map
43Xpress Server
Map
44Xpress Server
Map
45Store Manager
Map
46Store Configurator
Map
47Store Configurator
Map
48
SAP POS: Going Deeper
Store Configurator
POS Clients
49
Store Server Head Office
Database
Xpress POS Server
Store Manager
PART I
POS Client
POS Clients
50
Store Server Head Office
PART IIPOS Client
Store Configurator
Database
Xpress POS Server
Store Manager
POS Clients
51
Store Server Head Office
PART III
POS ClientStore
Configurator
Database
Xpress POS Server
Store Manager
How does it work? Part 1 52
Store Server Head Office
Xpress POS Server
Store Configurator
/ SAP/Retail Systems/Store Configurator/
data/parm/
/ SAP/Retail Systems/Xpress Server/parm/
SMB
Go from the back.
Xpress ServerFile Architecture
53
…\Xpress Server\ dnloaddocumentemaillogs
rdatasdatatxnsave…
FRENCHGERMANITALIANSPANISHcnummask.cmkrcptlogo.rcpcashier.clgLAYOUT.UI0…
Parm
Store Manager
How does it work? Part 2 54
Store Server Store Server
Xpress POS Server
Monitoring is not always good
Port: 2202
Port: [1433,1521,2638…]Database
Handmade… 60
61
999 *** XPRESS SERVER MOST COMMON COMMAND HELP ***999 MONXPS [ON|OFF] 999 [SHOWTERM|TERMINAL-STATUS] [ALL|Term#]999 [MONTERM|MONITOR-TERMINAL] [ALL|XPS|Term#] [START|STOP|ON|OFF]999 OPEN-TERMINAL [ALL|Term#]999 OPEN-STORE [TODAY|NumberOfSecsSinceJan1-1970] 999 CLOSE-TERMINAL [ALL|Term#] [FORCE|NO-FORCE|ABORT]999 TERMINAL-BALANCE [Term#] [BAL|UNBAL]999 CASHIER-BALANCE [Cashier#] [1|2|3] [ShortOver Amount] [netTenderTotal] <-- 1=BALANCED 2=UNBALANCED 3=PREVIOUS BALANCE NOW OUT OF DATE
Help response
62
999 UPDATE-CASHIER [Cashier#]999 DELETE-CASHIER [Cashier#]999 END-OF-DAY [FORCE|NO-FORCE|ABORT] 999 STORE-TOTALS [CLOSE-DAY|CLOSE-WEEK|CLOSE-PERIOD|DONE-END-OF-DAY|...] 999 STORE-TOTALS CONSOL-DAY [RTOT|SRTOT|CTOT|SPROD|...] 999 COMMS-RESET [1|2|3] <-- 1=ALL 2=REMOTE 3=MODEMS 999 FLUSH-PLUCACHE 999 TRIGGER-NEWPROMOS 999 SHUTDOWN 999 . <-- Use to repeat previous command
DEMO 163
64
BACKDOORS
BACKDOORS EVERYWHERE
65
66
67
23%
77%
Methods
PublicPrivate
68
Correct password and login:APM-VALIDATE-PASSWD 0 1119 1 1337;1234567a
1119 0 1 1 Disp=Authenticated;APMCode=0;
Correct login:
Incorrect login:
Request Response
APM-VALIDATE-PASSWD 0 1119 1 1337;123451119 0 1 1 Disp=Authenticated;APMCode=1;
APM-VALIDATE-PASSWD 0 1119 1 1337;123451119 0 1 1 Disp=Authenticated;APMCode=10;
Password and Login are OK
Wrong Password
Wrong Login
69
Reset passwordAPM-RESET-PASSWD 0 1119 1 1337;CHANGEDPWD1
1119 0 1 1 Disp=Authenticated;APMCode=0;
Update Database rowsUPDATE-CASHIER 1337
170 CASHIER-UPDATED 1337
70
FILE-FIND [file_path]FILE-FIND C:\1234.txt
168 FILE-FIND 32 34680 19073 7 1234.txt
FILE-OPEN [file-path] [mode]FILE-OPEN C:\windows\win.ini
160 FILE-OPEN 0
FILE-READ [file_id] [buff_size]FILE-READ 0 120
EGVideo m4v=MPEGVideo mod=MPEGVideo …
DEMO 2
71
POS Client
How does it work? Part 3 72
POS Clients Store Server
Xpress POS ServerPort: 2200
73
{ } , , ;Type Len Where? What? End
Message standardMT_FILE_BAD = 42h BMT_FILE_END = 43h CMT_DATAGRAM = 44h DMT_FILE_REQ_ERR = 45h EMT_FILE_DATA = 46h FMT_FILE_GOOD = 47h GMT_REQ_DIR = 49h IMT_FILE_REQ_SEND = 52h RMT_FILE_SEND = 53h SMT_UNTYPED = 55h UMT_SEND_CANCEL = 58h XMT_RESP_DIR = 69h iMT_RECV_CANCEL = 78h x
74
75
Attacker Xpress ServerS Len Where? What? Size xps.exe
76
Attacker Xpress ServerS Len Where? What? Size xps.exe
77
Attacker Xpress ServerS Len Where? What? Size xps.exe
F DATASize
78
Attacker Xpress ServerS Len Where? What? Size xps.exe
F DATASize
79
Attacker Xpress ServerS Len Where? What? Size xps.exe
F DATASize
C
80
Attacker Xpress ServerS Len Where? What? Size xps.exe
F DATASize
C
81
Attacker Xpress ServerS Len Where? What? Size xps.exe
F DATASize
C
Write file
82
Attacker Xpress ServerS Len Where? What? Size
G
xps.exe
F DATASize
C
Write file
83
Attacker Xpress ServerS Len Where? What? Size
G
xps.exe
F DATASize
C
Write file
G
84
DEMO 3
85
How to buy MacBook for $3
86
Xpress Server
POS Client
POS client
87
Xpress Server
POS Client
POS client
88
Xpress Server
POS Client
POS client
89
90
91
92
93
94
Xpress Server
POS client
95
Step by step we`ll get success
964 facts about SAP POScan help us make a trick
1. Store configurator creates config files and Xpress Server will apply them, if it finds a ”newparm.trg” file in the special directory.
2. We can write any data we want in any file on Xpress Server using port 2200.
3. POS Clients (Terminals) update their parameters after opening.4. We can close and open POS Terminals using telnet and port 2202.
Attacker Xpress Server
POS Client
PORT 2202
Database
PORT 2200
100
Attacker Xpress Server
POS Client
PORT 2202
Database
PORT 2200
1 Evil Configuration files
101
Attacker Xpress Server
POS Client
PORT 2202
Database
PORT 2200
1 Evil Configuration files
2 Trigger file ”newparm.trg”
103
100
Attacker Xpress Server
POS Client
PORT 2202
Database
PORT 2200
1 Evil Configuration files
2 Trigger file ”newparm.trg”
3 Apply new settings
101
Attacker Xpress Server
POS Client
PORT 2202
Database
PORT 2200
1 Evil Configuration files
2 Trigger file ”newparm.trg”
3 Apply new settings
4 Write some of them in database
102
Attacker Xpress Server
POS Client
PORT 2202
Database
PORT 2200
1 Evil Configuration files
2 Trigger file ”newparm.trg”
3 Apply new settings
4 Write some of them in database
5 Close Terminal
Attacker Xpress Server
POS Client
PORT 2202
Database
PORT 2200
1 Evil Configuration files
2 Trigger file ”newparm.trg”
3 Apply new settings
4 Write some of them in database
5 Close Terminal
6 Close Terminal
107
104
Attacker Xpress Server
POS Client
PORT 2202
Database
PORT 2200
1 Evil Configuration files
2 Trigger file ”newparm.trg”
3 Apply new settings
4 Write some of them in database
5 Close Terminal
6 Close Terminal
7 Open Terminal
Attacker Xpress Server
POS Client
PORT 2202
Database
PORT 2200
1 Evil Configuration files
2 Trigger file ”newparm.trg”
3 Apply new settings
4 Write some of them in database
5 Close Terminal
6 Close Terminal
7 Open Terminal
8 Open Terminal
109
Attacker Xpress Server
POS Client
PORT 2202
Database
PORT 2200
1 Evil Configuration files
2 Trigger file ”newparm.trg”
3 Apply new settings
4 Write some of them in database
5 Close Terminal
6 Close Terminal
7 Open Terminal
8 Open Terminal
9 Get evil Configuration files
110
Attacker Xpress Server
POS Client
PORT 2202
Database
PORT 2200
1 Evil Configuration files
2 Trigger file ”newparm.trg”
3 Apply new settings
4 Write some of them in database
5 Close Terminal
6 Close Terminal
7 Open Terminal
8 Open Terminal
9 Get evil Configuration files
111
108
Any additional features?
109
110
Attacker
Xpress Server
PORT
220
0
…\SAP\Xpress Server\... …\Xpress Server\PARM\...
Listening PORT
111
Attacker
Xpress Server
PORT
220
01 “XPSPARM.bat”
…\SAP\Xpress Server\... …\Xpress Server\PARM\...
Listening PORT
112
Attacker
Xpress Server
PORT
220
01 “XPSPARM.bat”
…\SAP\Xpress Server\... …\Xpress Server\PARM\...2 “newparm.trg”
Listening PORT
113
Attacker
Xpress Server
PORT
220
01 “XPSPARM.bat”
…\SAP\Xpress Server\... …\Xpress Server\PARM\...2 “newparm.trg”
3 Found “newparm.trg”
Listening PORT
114
Attacker
Xpress Server
PORT
220
01 “XPSPARM.bat”
…\SAP\Xpress Server\... …\Xpress Server\PARM\...2 “newparm.trg”
3 Found “newparm.trg”
4 Delete “newparm.trg”
Listening PORT
115
Attacker
Xpress Server
PORT
220
01 “XPSPARM.bat”
…\SAP\Xpress Server\... …\Xpress Server\PARM\...2 “newparm.trg”
3 Found “newparm.trg”
4 Delete “newparm.trg”
Listening PORT
5 Search for “XPSPARM.bat”
116
Attacker
Xpress Server
PORT
220
01 “XPSPARM.bat”
…\SAP\Xpress Server\... …\Xpress Server\PARM\...2 “newparm.trg”
3 Found “newparm.trg”
4 Delete “newparm.trg”
Listening PORT
5 Search for “XPSPARM.bat”6 Execute “XPSPARM.bat”
117
Attacker
Xpress Server
PORT
220
01 “XPSPARM.bat”
…\SAP\Xpress Server\... …\Xpress Server\PARM\...2 “newparm.trg”
Found “newparm.trg”
Delete “newparm.trg”
Listening PORT
Search for “XPSPARM.bat”Execute “XPSPARM.bat”
7 Make shell back connect
3
4
56
118
Attacker
Xpress Server
PORT
220
01 “XPSPARM.bat”
…\SAP\Xpress Server\... …\Xpress Server\PARM\...2 “newparm.trg”
3 Found “newparm.trg”
4 Delete “newparm.trg”
Listening PORT
5 Search for “XPSPARM.bat”6 Execute “XPSPARM.bat”
7 Make shell back connect
8 Any command
119
Attacker
Xpress Server
PORT
220
01 “XPSPARM.bat”
…\SAP\Xpress Server\... …\Xpress Server\PARM\...2 “newparm.trg”
3 Found “newparm.trg”
4 Delete “newparm.trg”
Listening PORT
5 Search for “XPSPARM.bat”6 Execute “XPSPARM.bat”
7 Make shell back connect
8 Any command9 Execute command
120
DEMO 4
Fixes
121
122
Note # Title Priority CVSS
2476601 Missing Authentication checks in SAP Point of Sale (POS) Retail Xpress Server High 8.1
Security note was released on the July Patch Day
11th of July 2017
… A new setting, BACKOFFICEIPADDRESS is added. The user can use it to specify the IP address of the system that hosts the Back Office Applications. It is used only if the Back Office Applications are not hosted at the same system as the Xpress Server...
from SAP NOTE #2476601, July 2017
123
124
125
Better late than never
126
Patching
127
One more patch?
128
129
Note # Title Priority CVSS
2520064 Missing Authentication check in SAP Point of Sale (POS) Retail Xpress Server High 8.1
Another security note was released
18th of August 2017
Need more goldsecurity notes...
130
131
Note # Title Priority
2529966 Store Manager crashes after entering credentials.
Correction with medium priority
7th of September2017
All SAP notes 132
• 2476601 – first patch• 252520064 – patch for the first patch• 2529966 – patch for the patch that patched first patch• 2528596 – backdoor user problem
133Conclusion• POS is not only POS terminals and pin pads• Communication between POS workstations and POS server
is insecure• Little bugs bring big troubles for stores and to customers
Conclusion
1. Include SAP systems in scope of your existing services• GDPR audit• ISMS implementation for SAP systems in scope• Threat detection and SAP – SIEM integration
2. Prove your selling proposition is unique with ROI of SAP security
3. Create a 360-degree image of an SAP security provider
134
How We Can Help? 135
SAP Security Consulting:• Implementation of SAP Vulnerability
Management process• SAP security plans, architecture and
project documents expertise• SAP risk assessment
ERPScan Monitoring Suite:• SAP vulnerability assessment• Source Code scanning• Segregation of Duties
assessment
SAP Penetration Testing:• simulate external and internal attacks• provide a list of vulnerabilities• escalate privileges and show you how
much data can leak• try to reach connected systems• estimate overall harm to business
operations
SAP Security Audit:• security assessment of network, OS,
DBMS related to SAP• SAP vulnerability assessment;• security configuration checks• critical access control checks• custom code security review • segregation of duties analysis
Thank you
USA:228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301Phone 650.798.5255
EU:Luna ArenA 238 Herikerbergweg, 1101 CM AmsterdamPhone +31 20 8932892
erpscan.cominbox@erpscan.com
Read our blogerpscan.com/category/press-center/blog/
Join our webinarserpscan.com/category/press-center/events/
Subscribe to our newsletterseepurl.com/bef7h1
Dmitry ChastuhinLead SAP Security Analystd.chastuhin@erpscan.com
136