Exploiting Critical Attack Vectors to Gain Control of SAP Systems


Transcript of Exploiting Critical Attack Vectors to Gain Control of SAP Systems

Page 1: Exploiting Critical Attack Vectors to Gain Control of SAP Systems

Exploiting Critical Attack Vectors To Gain Control Of SAP Systems

March 12th, 2013
BIZEC Workshop

Mariano Nunez [email protected] @marianonunezdc
Juan Perez-Etchegoyen [email protected] @jp_pereze

Page 2

2 www.onapsis.com – © 2013 Onapsis, Inc. – All rights reserved

Disclaimer

This publication is copyright 2013 Onapsis Inc. – All rights reserved.

This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or registered trademarks of Business Objects in the United States and/or other countries.

SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials.

Bizec workshop

Page 3

Who is Onapsis Inc.?

Company focused on protecting ERP systems from cyber-attacks (SAP®, Siebel®, Oracle® E-Business Suite™, PeopleSoft®, JD Edwards® …).
Working with Global Fortune-100 and large governmental organizations.

What does Onapsis do?

Innovative ERP security software (Onapsis X1, Onapsis IPS, Onapsis Bizploit).
ERP security professional services.
Trainings on ERP security.

Who are we?

Mariano Nunez, CEO at Onapsis.
Juan Perez-Etchegoyen, CTO at Onapsis.
Discovered several vulnerabilities in SAP and Oracle ERPs...
Speakers/Trainers at BlackHat, RSA, SAP RC, HITB, Source, DeepSec…

Page 4

SAP Application Security

• SAP systems are built upon several layers.
• Segregation of Duties (SoD) controls apply at the Business Logic layer.
• The SAP Application Layer (NetWeaver/BASIS) is common to most modern SAP solutions, serving as the base technological framework.

[Layer diagram: SAP Business Logic on top of the SAP Application Layer (together the SAP Solution), running on the Database and Operating System (the Base Infrastructure).]

Page 5

The SAP J2EE engine and Enterprise Portal (EP)

● Latest Web technology from SAP.
● Goal: provide a unique access point to the organization's SAP (and non-SAP) systems through the Web.
● It “provides employees, partners, customers, and other workers with immediate, secure, and role-based access to key information and applications”.
● Technically, it’s a complex Java application running in the SAP J2EE Engine.

Attacks on the Java Application Server or the Java Portal could lead to the compromise of the rest of the related systems.

Page 6

Attack #1: SAP Portal Header Authentication

Page 7

Attacks on “Secured” Enterprise Portals

● SAP Enterprise Portal supports different authentication mechanisms, such as User & Password, X.509 Client Certificates, Logon Tickets, Kerberos, etc.
● The authentication is handled by the SAP J2EE Engine.
● Many organizations already have Web Access Management (WAM) solutions in place, providing two-factor authentication mechanisms.
● They use them to enable secured access to the systems (tokens, biometrics, etc.) and Single Sign-On.
● Some examples:
  ● RSA ClearTrust
  ● CA SiteMinder
  ● Oracle Oblix
  ● Entrust GetAccess
  ● Microsoft Integrated Windows Authentication (now deprecated)

Page 8

A Special Authentication Scheme

● The Portal is integrated with these solutions by using the Header Variables Login Module.
● In these scenarios, the authentication procedure works as follows:

1. The user provides authentication information to the EAM/WAM solution.
2. The solution checks the provided credentials.
3. If successful, it connects to the Enterprise Portal and sends the user to authenticate in an HTTP header.
4. The Enterprise Portal verifies that the user is valid (it exists), and returns an SAP SSO logon ticket to the user.
5. The user is authenticated.

Pages 9 to 14

The Header Authentication Scheme

[Diagram built up over six slides, one per step of the procedure: the user authenticates to the EAM/WAM solution with john:pass123, the solution forwards the user name to the Enterprise Portal in an HTTP header, and the Portal hands the SAP SSO logon ticket back to the user as a cookie.]

Pages 15 to 17

The Attack

If the attacker can connect directly with the SAP Enterprise Portal, nothing prevents him from impersonating the EAM/WAM solution!

[Diagram: the attacker sends a rogue header_auth request directly to the Portal and receives the cookie, with no EAM/WAM credential check having taken place.]

After my research and discovery, I found out this was documented since 2006 (!)
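The following toy model, added here as an illustration and not code from the slides or from SAP, shows why the scheme above is only as strong as the path between the WAM and the Portal. `vulnerable_login` mirrors step 4 as drawn: any request carrying the header with an existing user name gets a ticket. `hardened_login` honours the header only when the TCP peer is the WAM and logs everything else, which doubles as the detection signal for impersonation attempts. The header name, the WAM address, the user store and the ticket format are all constructed assumptions.

```python
"""Toy model of a header-variable login module and its hardened form.

Added illustration for the flow on the slides; it is not SAP code.  The header
name, the WAM address, the user store and the ticket format are all assumptions.
"""
import ipaddress
import logging
from dataclasses import dataclass, field
from typing import Dict, Optional

log = logging.getLogger("portal.header_auth")

# Assumption: the header the login module is configured to read.  In the
# product the name is a configuration setting; this one is a placeholder.
USER_HEADER = "X-Example-Wam-User"

# Constructed user store.  The Portal side only checks that the user exists.
KNOWN_USERS = {"john", "alice"}

# Assumption: the only address that should ever reach the Portal with the
# header set, i.e. the EAM/WAM solution itself.
TRUSTED_WAM = ipaddress.ip_network("10.0.1.5/32")


@dataclass
class Request:
    peer_ip: str                                   # TCP peer the Portal actually sees
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Result:
    user: Optional[str]
    ticket: Optional[str]
    reason: str


def issue_ticket(user: str) -> str:
    """Stand-in for the SAP SSO logon ticket cookie; not the real ticket format."""
    return "TICKET-for-" + user


def vulnerable_login(req: Request) -> Result:
    """Step 4 as drawn on the slides: the header is trusted regardless of who sent it."""
    user = req.headers.get(USER_HEADER)
    if user in KNOWN_USERS:
        return Result(user, issue_ticket(user), "header accepted without origin check")
    return Result(None, None, "no usable header")


def hardened_login(req: Request) -> Result:
    """Honour the header only when the request really comes from the WAM.

    A header arriving from any other peer is ignored and logged: that log line
    is the detection signal for someone trying to impersonate the WAM.
    """
    user = req.headers.get(USER_HEADER)
    if user is None:
        return Result(None, None, "no header: fall back to the regular logon")
    if ipaddress.ip_address(req.peer_ip) not in TRUSTED_WAM:
        log.warning("header auth from untrusted peer %s for user %r", req.peer_ip, user)
        return Result(None, None, "header ignored: peer is not the WAM")
    if user not in KNOWN_USERS:
        return Result(None, None, "unknown user")
    return Result(user, issue_ticket(user), "header accepted from the WAM")


if __name__ == "__main__":
    via_wam = Request("10.0.1.5", {USER_HEADER: "john"})
    direct = Request("192.0.2.77", {USER_HEADER: "alice"})   # constructed non-WAM peer
    print("vulnerable, direct :", vulnerable_login(direct))
    print("hardened,   direct :", hardened_login(direct))
    print("hardened,   via WAM:", hardened_login(via_wam))
```

In a real deployment the origin check belongs in front of the application: the Portal should be reachable only through the WAM (network filtering, or mutually authenticated TLS between the two), so that a direct connection never reaches the login module at all. The in-application peer check here stands in for that control so the difference between the two flows can be exercised offline.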

Page 18

Attack #2: Verb Tampering

Page 19

Verb tampering attacks

● This kind of vulnerability is based on an old and widespread concept called “VERB Tampering”. The attack vector involves sending HTTP requests using uncommon HTTP methods, like HEAD, PUT, DELETE...
● In the SAP J2EE Engine, applications are configured using an XML file, defining the profiles required to access the application and the “constraints” applying to each HTTP method.
● Some applications only restrict access to GET and POST!!!
● There is a vulnerable application (CTC runtime) that can be bypassed by sending HEAD requests. This application can be used to create users and execute OS commands!!!

Check if SAP Security Note 1624450 is implemented in your systems!
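The XML file the slide refers to is the Java EE deployment descriptor, where a `security-constraint` that enumerates `http-method` elements protects only those verbs. The audit below, an added example and not a tool from the slides or from SAP, parses a constructed web.xml and reports every web-resource-collection that lists methods, naming the verbs left uncovered; the second constraint in the sample shows the safe form (no `http-method` element, so every verb is constrained). The sample descriptor, resource names and URL patterns are made up for the example.

```python
"""Audit web.xml security constraints for verb-tampering exposure (added example)."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

# Verbs worth reporting when a constraint leaves them uncovered (constructed list).
COMMON_METHODS: Set[str] = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE"}

# Constructed deployment descriptor; not taken from any SAP application.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>AdminConsole</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>administrators</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>AdminConsoleFixed</web-resource-name>
      <url-pattern>/admin-fixed/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>administrators</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag: str) -> str:
    """Strip the XML namespace so the audit works with or without an xmlns."""
    return tag.rsplit("}", 1)[-1]


def _texts(elem: ET.Element, name: str) -> List[str]:
    """Text of every descendant element with the given local name."""
    return [(e.text or "").strip() for e in elem.iter() if _local(e.tag) == name]


def audit_web_xml(xml_text: str) -> List[Dict[str, object]]:
    """Return one finding per web-resource-collection that enumerates HTTP methods.

    Servlet-spec semantics: a collection that lists <http-method> elements
    constrains only those verbs; any other verb on the same url-pattern is not
    subject to the auth-constraint at all.  A collection with no <http-method>
    covers every verb, which is the safe form.
    """
    root = ET.fromstring(xml_text)
    findings: List[Dict[str, object]] = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        roles = _texts(sc, "role-name")
        for wrc in sc.iter():
            if _local(wrc.tag) != "web-resource-collection":
                continue
            listed = {m.upper() for m in _texts(wrc, "http-method")}
            if not listed:
                continue  # no verbs enumerated: the constraint applies to all of them
            uncovered = sorted(COMMON_METHODS - listed)
            findings.append({
                "resource": (_texts(wrc, "web-resource-name") or ["?"])[0],
                "url_patterns": _texts(wrc, "url-pattern"),
                "required_roles": roles,
                "constrained_methods": sorted(listed),
                "uncovered_methods": uncovered,
                # HEAD is the classic case: HttpServlet.doHead() delegates to
                # doGet() by default, so an unconstrained HEAD runs the GET code
                # path without the role check.
                "head_reaches_get_handler": "HEAD" in uncovered and "GET" in listed,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_web_xml(SAMPLE_WEB_XML):
        print(finding)
```

The remediation on the descriptor side is to drop the `http-method` elements so the constraint covers every verb (on Servlet 3.0 and later containers `http-method-omission` gives the same effect for a chosen subset); on the SAP side the slide's advice stands: apply the referenced Security Note rather than patching descriptors by hand.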

Page 20

Attack #3: Abuse of JAVA Core Service

Page 21

Abuse of JAVA core service

● The Application Server JAVA exposes several “Remote Object” interfaces. One of these interfaces is based on a proprietary protocol called P4. This interface is exposed on TCP service 5XX04 (where XX is the instance number).
● Due to the lack of authentication in a core service, it is possible to access arbitrary files.
● Any file can be read or written according to the privileges of the <SID>adm user (prdadm, devadm…).
● This could potentially lead to a full compromise of the SAP system.

Check if SAP Security Note 1682613 is implemented in your systems!
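Besides applying the Security Note, a defender wants to know on which interfaces the P4 service is actually listening. The script below, an added example and not code from the slides or from SAP, turns the slide's 5XX04 rule into a port-to-instance mapping and runs it over a constructed listener table in the shape of `ss -ltn` output, flagging P4 listeners bound to anything other than loopback. The listener lines and instance numbers are made up for the example.

```python
"""Report SAP P4 listeners bound to non-loopback addresses (added example)."""
import re
from typing import Dict, List, Optional

# Constructed listener table in the shape of `ss -ltn` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:50004      0.0.0.0:*
LISTEN  0       128     0.0.0.0:50104        0.0.0.0:*
LISTEN  0       128     0.0.0.0:3200         0.0.0.0:*
LISTEN  0       128     [::]:50204           [::]:*
"""

P4_BASE = 50004          # instance 00 -> 50004, instance 01 -> 50104, ...
P4_STRIDE = 100          # the instance number occupies the hundreds and thousands digits


def p4_port(instance: int) -> int:
    """P4 port for an instance number, following the 5XX04 rule on the slide."""
    if not 0 <= instance <= 99:
        raise ValueError("SAP instance numbers run from 00 to 99")
    return P4_BASE + instance * P4_STRIDE


def instance_from_port(port: int) -> Optional[int]:
    """Inverse mapping: the instance number if the port has the 5XX04 shape, else None."""
    if P4_BASE <= port <= p4_port(99) and (port - P4_BASE) % P4_STRIDE == 0:
        return (port - P4_BASE) // P4_STRIDE
    return None


# Matches "LISTEN <recv-q> <send-q> <addr>:<port> ..." for IPv4 and bracketed IPv6 addresses.
LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def is_loopback(addr: str) -> bool:
    return addr.startswith("127.") or addr in ("[::1]", "localhost")


def exposed_p4_listeners(ss_text: str) -> List[Dict[str, object]]:
    """One record per P4 listener, with exposed=True when it is not bound to loopback."""
    records: List[Dict[str, object]] = []
    for line in ss_text.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue                       # header line or non-listening socket
        addr, port = m.group(1), int(m.group(2))
        instance = instance_from_port(port)
        if instance is None:
            continue                       # some other SAP or OS service
        records.append({
            "instance": "%02d" % instance,
            "port": port,
            "bind": addr,
            "exposed": not is_loopback(addr),
        })
    return records


if __name__ == "__main__":
    for rec in exposed_p4_listeners(SAMPLE_SS_OUTPUT):
        flag = "EXPOSED" if rec["exposed"] else "loopback only"
        print("instance %s  P4 port %d  bound to %-10s  %s" % (rec["instance"], rec["port"], rec["bind"], flag))
```

A P4 listener on a non-loopback address is not a vulnerability by itself, but combined with the missing authentication described above it is the reachable surface; the check is a quick way to prioritise which instances to verify against the Security Note and which to fence off at the firewall while that happens.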

Page 22

Thank you!