Short introduction to SAP security research (sitNL)

A short introduction to SAP Security Research

I found SAP vulnerabilities and all I got is this T-shirt of pretty decent quality


Agenda

SAP Security Research Introduction

What is it?

Why do it?

How to do it?

Some examples of found vulnerabilities

Key takeaways

Introduction

#whoami


(SAP) Security in the news on the rise

Many security sessions at TechEd && d-code nowadays


Why SAP, why Now?

As presented at the SAP Teched 2014 by Yonko Yonchev (Product Security Response Team – SAP SE):

• SAP is globally 3rd largest software company

• SAP handles 74% of the world’s financial transactions

• Majority of Fortune 500 companies run SAP

• SAP Ariba connects more than 1 million companies in 190 countries

Source: SAP Teched 2014 Session ITM114 – Post Heartbleed: Secure your SAP Systems and Business Secrets from Hackers! http://events.sap.com/teched/en/session/13526


SAP Product Security Response


SAP internal process and external service to support high security levels in SAP customers' systems with:

• Responsible disclosure of identified vulnerabilities in collaboration with leading external SAP Security researchers and hackers

• Managing the end-to-end SAP process for fixing and disclosing externally known / reported vulnerabilities

• Delivering SAP Security notes on the monthly patch day

• Supplying internal SAP development with best practices on security issue prioritization and security correction disclosure


SAP Security notes over the years

• The percentage of externally reported vulnerabilities is on the rise

• The total number of monthly SAP Security notes is decreasing

• The number of external researchers is increasing


SAP Security researchers, some statistics

Source: http://scn.sap.com/blogs/securesap/2013/04/02/statistics-tell-sap-security-know-how-is-a-scarce-resource

• There are worldwide ~100 external SAP Security researchers, who have reported over 450 vulnerabilities so far

• 80% of those reported vulnerabilities in SAP products originate from only 7 companies

• 80% of all reported vulnerabilities in SAP products originate from only 23 researchers

• 50% of those reported vulnerabilities in SAP products originate from only 8 researchers

What is it...?

SAP Security research

How to do SAP Security research?


• Manually

• Tools: scanners, fuzzers, debuggers, decompilers, indexers, etc, etc…

• By using SAP differently (hacker mindset)

• Actually RTFM ;-)

• Unlimited possibilities: hardware, software, network, protocols, database, operating system, application layer, frontend, ABAP, Java, agents, etc, etc…

What if you find a vulnerability?


• Report it to SAP via responsible disclosure

• Give SAP the details

• Give SAP time to fix the issue

• Give customers a grace period of at least 3 months to apply the patch

Why do it...?

• To improve security of SAP systems

• To learn more about the inner workings of SAP

• Because it is challenging and FUN

• It might bring you eternal fame and/or a T-shirt

Example 1: combination of vulnerabilities to completely compromise a SAP system

Found vulnerabilities…

1. A default password for user SMDAGENT_<SID> in Solution Manager

2. Remote-enabled function module /SDF/GEN_PROXY that acts like a wrapper

3. Remote-enabled function module /SDF/RBE_NATSQL_SELECT that lacks authorization checks and lets you execute native SQL commands

Use the above to select password hashes from table USR02 and brute-force these.

SOLUTION:

• Change the password of user SMDAGENT_<SID>

• Apply OSS note 1774432 (CVSS score 4.6)

• Apply OSS note 1727914 (CVSS score 7.5)

Example 2: Operating System Command Injection

Found vulnerabilities…

• Function module EXE_SAPOSCOL can be used to inject operating system commands

This can be used, for example, to gain direct access to the database, stop SAP systems, create operating system users, etc, etc.

SOLUTION:

• Apply OSS note 1577513 (CVSS score 5.5)

Example 3: SQL Injection

Found vulnerabilities…

• RFC module RFC_RSUPG_EXEC can be used to inject SQL commands

Use this to gain direct access to the database.

SOLUTION:

• Apply OSS note 1831463 (CVSS score 4.9)

Key Take-aways


• Secure your SAP systems by applying SAP Security notes on a regular basis!

• If you find a bug/flaw that might have security impact, report it to the SAP Security team ([email protected])

• If you have some spare time, a SAP system (NOT IN PRD), permission and feel like hacking… go and try to find some vulnerabilities yourself ;-)

Website: www.erp-sec.com

Twitter: @jvis @erpsec

Need more info? Contact us...

Questions?

Thank you

Disclaimer

SAP, R/3, ABAP, SAP GUI, SAP NetWeaver and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only.

The authors assume no responsibility for errors or omissions in this document. The authors do not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

The authors shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of this document.

SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials.

No part of this document may be reproduced without the prior written permission of ERP Security BV. © 2013 ERP Security BV.