Dmitry Chastukhin, Director of security consulting at ERPScan, speaks at Deepsec Conference 2012 on SAP Security.
SAP is the most popular business application. There are more than one hundred eighty thousand installations all over the world. But people spend enormous amounts of money to install it and then forget about security. In ERP systems, all business processes are performed, all critical information is stored.
The presentation describes how SAP Portal works and the kinds of attacks it can be exposed to.
1. Invest in security to secure investments
Breaking SAP Portal
Alexander Polyakov - CTO, ERPScan
Dmitry Chastuchin - Principal Researcher, ERPScan
2. About ERPScan
• The only 360-degree SAP Security solution - ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 Awards and nominations
• Research team - 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)
3. Agenda
• Say hello to SAP Portal
• Breaking Portal through SAP Services
• Breaking Portal through J2EE Engine
• Breaking Portal through Portal issues
• Conclusion
4. SAP
• The most popular business application
• More than 180000 customers worldwide
• 74% of Forbes 500 run SAP
6. Say hello to Portal
• Point of web access to SAP systems
• Point of web access to other corporate systems
• Way for attackers to get access to SAP from the Internet
• ~17 Portals in Switzerland, according to Shodan
• ~11 Portals in Switzerland, according to Google
10. SAP Management Console
• SAP MC provides a common framework for centralized system management
• It allows viewing the trace and log messages
• Using a JSESSIONID taken from the logs, an attacker can log into Portal
What can we find in the logs? Right! The file userinterface.log contains the calculated JSESSIONID.
But... the attacker must have credentials to read the log file! Wrong!
12. Prevention
• Don't use TRACE_LEVEL = 3 in production systems, or delete traces
• Install notes 927637 and 1439348
http://help.sap.com/saphelp_nwpi71/helpdata/en/d6/49543b1e49bc1fe10000000a114084/frameset.htm
14. SSO (old but still works)
• SAP implements SSO using the Header Variable Login Module
(Diagram: credentials -> check -> okay -> cookie; Attacker -> header_auth -> cookie)
tnx Mariano ;)
15. Prevention
• Implement proper network filters to avoid direct connections to SAP J2EE Engine.
• If you use it for Windows authentication, switch to SPNegoLoginModule
http://help.sap.com/saphelp_nw73ehp1/helpdata/en/d0/a3d940c2653126e10000000a1550b0/frameset.htm
17. Access control
Web Dynpro - programmatic
Portal iViews - programmatic
J2EE Web apps - declarative
Programmatic: by UME
Declarative: by WEB.XML
18. Declarative access control
• The central entity in the J2EE authorization model is the security role.
• Programmers define the application-specific roles in the J2EE deployment descriptors: web.xml, web-j2ee-engine.xml
21. Verb Tampering
• If we are trying to get access to an application using GET – we need a login:pass and the administrator role
• What if we try to get access to the application using HEAD instead of GET?
• PROFIT!
• Did U know about ctc?
22. Verb Tampering
Need an Admin account in SAP Portal? Just send two HEAD requests
• Create new user blabla:blabla
HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=blabla,PASSWORD=blabla
• Add user blabla to group Administrators
HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;ADD_USER_TO_GROUP;USERNAME=blabla,GROUPNAME=Administrators
Works when UME uses the JAVA database
23. Prevention
• Install SAP notes 1503579, 1616259
• Install other SAP notes about Verb Tampering
• Scan applications with ERPScan WEB.XML checker
• Disable the applications that are not necessary
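As an added example (not ERPScan's checker and not code from the slides), a small Python script that performs the kind of WEB.XML check the prevention slide refers to: it flags every security constraint that enumerates http-method elements, because the J2EE container then applies no constraint at all to the verbs left out, which is exactly the HEAD-instead-of-GET bypass shown on the verb tampering slides. The sample descriptor is constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml (not from the slides): the constraint lists GET
# and POST only, so a request with any other verb, HEAD included, is not
# matched by it and reaches the servlet without the administrator check.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restricted</web-resource-name>
      <url-pattern>/ConfigServlet</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>administrators</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

def _local(tag):
    """Strip a namespace prefix so the check works with or without xmlns."""
    return tag.rsplit('}', 1)[-1]

def find_verb_tampering(web_xml_text):
    """Return (url_patterns, listed_methods) for each web-resource-collection
    that enumerates <http-method> entries.

    Listing verbs narrows the constraint to exactly those verbs; the container
    leaves every other verb unconstrained. A collection with no <http-method>
    covers all verbs and is therefore not reported.
    """
    root = ET.fromstring(web_xml_text)
    findings = []
    for sc in root.iter():
        if _local(sc.tag) != 'security-constraint':
            continue
        for wrc in sc:
            if _local(wrc.tag) != 'web-resource-collection':
                continue
            patterns = [e.text.strip() for e in wrc if _local(e.tag) == 'url-pattern']
            methods = [e.text.strip().upper() for e in wrc if _local(e.tag) == 'http-method']
            if methods:
                findings.append((patterns, methods))
    return findings

if __name__ == '__main__':
    for patterns, methods in find_verb_tampering(SAMPLE_WEB_XML):
        print('%s: only %s constrained; other verbs such as HEAD bypass the check'
              % (', '.join(patterns), ', '.join(methods)))
```

The fix on the descriptor side is to drop the http-method elements so the constraint applies to every verb, after which the function returns an empty list.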
26. Invoker Servlet
• Want to execute an OS command on the J2EE server remotely?
• Maybe upload a backdoor in a Java class?
• Or sniff all traffic?
Still remember ctc?
28. Prevention
• Update to the latest patches 1467771, 1445998
• "EnableInvokerServletGlobally" must be "false"
• Check all WEB.XML files with ERPScan WEBXML checker
30. SAP Portal
• User access rights to objects are in the Portal Content Directory (PCD)
• Based on ACL
• 2 types of access:
– (design time) for administrators
– (runtime) for users
32. End User permission
The objects where end user permission is enabled affect the following areas in Portal:
– All Portal Catalog objects with end user permission
– Authorized Portal users may access restricted Portal components by URL if they are granted permission in the appropriate security zone.
33. Administrator permission
• Owner = full control + modify permissions
• Full control = read/write + delete objects
• Read/Write = read + write + edit properties + add/remove children
• Write (folders only) = create objects
• Read = view objects + create instances (delta links and copies)
• None = access not granted
34. Role Assigner permission
• The Role Assigner permission setting is available for role objects
• It allows you to determine which Portal users are permitted to assign other users, groups, or roles to the role principal using the Role Assignment tool
35. Security Zones
• Security zones allow the system administrator to control which Portal components and Portal services a Portal user can launch
• A security zone specifies the vendor ID, the security area, and the safety level for each Portal component and Portal service
Why? To group multiple iViews easily, like files in directories
36. Security Zones
• The security zone is defined in the Portal application descriptor XML file, portalapps.xml
• A Portal component or service can only belong to one security zone
• Zones allow the administrator to assign permissions to a safety level, instead of assigning them directly
37.
We can get access to Portal iViews using a direct URL:
/irj/servlet/prt/portal/prtroot/<iView_ID>
And only Security Zone rights will be checked
38. Security Zones
• So, SecZones offer an extra, but optional, layer of code-level security to iViews
– User -> check "end user" permission to the role -> view iView
– User -> check "end user" permission to the role -> check "end user" permission to the SecZone -> view iView
By default, this functionality is disabled
39.
So I wonder how many Portal applications with No/Low Safety exist?
40. Safety Levels for Security Zone
• No Safety – Anonymous users are permitted to access portal components defined in the security zone.
• Low Safety – A user must be at least an authenticated portal user to access portal components defined in the security zone.
• Medium Safety – A user must be assigned to a particular portal role that is authorized to access portal components defined in the security zone.
• High Safety – A user must be assigned to a portal role with higher administrative rights that is authorized to access portal components defined in the security zone.
41. Zones with no safety
Many custom applications with low security level zone
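As an added example (not from the slides and not an SAP or ERPScan tool), a Python check that answers the question raised on slide 39 for a given deployment descriptor: it reads the SecurityZone property of each component in a portalapps.xml and reports every component whose zone safety level is below a chosen minimum. The descriptor layout assumed here, a component-config property named SecurityZone holding "<vendor>/<security area>/<safety level>", and the sample file are constructed for the demonstration; a component with no zone declared is reported as "unset" so it gets reviewed rather than silently passing.

```python
import xml.etree.ElementTree as ET

# Constructed sample portalapps.xml (not from the slides). Assumed layout:
# each <component> has a <component-config> whose "SecurityZone" property
# holds "<vendor>/<security area>/<safety level>".
SAMPLE_PORTALAPPS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<application>
  <components>
    <component name="PublicNews">
      <component-config>
        <property name="SecurityZone" value="com.example/Intranet/no_safety"/>
      </component-config>
    </component>
    <component name="SalaryReport">
      <component-config>
        <property name="SecurityZone" value="com.example/Intranet/low_safety"/>
      </component-config>
    </component>
    <component name="AdminTool">
      <component-config>
        <property name="SecurityZone" value="com.example/Admin/high_safety"/>
      </component-config>
    </component>
    <component name="Legacy">
      <component-config/>
    </component>
  </components>
</application>
"""

# Safety levels from slide 40, weakest first.
SAFETY_LEVELS = ['no_safety', 'low_safety', 'medium_safety', 'high_safety']

def weak_safety_components(portalapps_text, minimum='medium_safety'):
    """Return {component_name: safety_level} for every component whose zone
    is below `minimum`. Components with no SecurityZone property are
    reported as 'unset'; an unrecognised level is reported as 'unknown'."""
    threshold = SAFETY_LEVELS.index(minimum)
    root = ET.fromstring(portalapps_text)
    weak = {}
    for comp in root.iter('component'):
        level = 'unset'
        for prop in comp.iter('property'):
            if prop.get('name') == 'SecurityZone':
                parts = prop.get('value', '').strip('/').split('/')
                level = next((p for p in parts if p in SAFETY_LEVELS), 'unknown')
        if level not in SAFETY_LEVELS or SAFETY_LEVELS.index(level) < threshold:
            weak[comp.get('name')] = level
    return weak

if __name__ == '__main__':
    for name, level in sorted(weak_safety_components(SAMPLE_PORTALAPPS_XML).items()):
        print('%s: %s' % (name, level))
```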
45. XSS
• Many XSSs in Portal
• But sometimes "httponly"
• But when we exploit XSS, we can use the features of SAP Portal
46. EPCF
EPCF provides a JavaScript API designed for the client-side communication between portal components and the portal core framework
• Enterprise Portal Client Manager (EPCM)
• iViews can access the EPCM object from every portal page or IFrame
• Every iView contains the EPCM object
• For example, EPCF is used as a transient user data buffer for iViews
<SCRIPT>
alert(EPCM.loadClientData("urn:com.sap.myObjects", "person"));
</SCRIPT>
54. Breaking SAP Portal
• Found a file in the OS of SAP Portal with the encrypted passwords for administration and DB
• Found a file in the OS of SAP Portal with keys to decrypt passwords
• Found a vulnerability (another one ;)) which allows reading the files with passwords and keys
• Decrypt passwords and log into Portal
• PROFIT!
55. Read file
How can we read the file?
– Directory Traversal
– OS Command execution
– XML External Entity (XXE)
59. Breaking SAP Portal
• Ok, we can read files
• Where are the passwords?
• The SAP J2EE Engine stores the database user SAP<SID>DB; its password is here:
/usr/sap/<SID>/SYS/global/security/data/SecStore.properties
60. Where are the passwords? (config.properties)
rdbms.maximum_connections=5
system.name=TTT
secstorefs.keyfile=/oracle/TTT/sapmnt/global/security/data/SecStore.key
secstorefs.secfile=/oracle/TTT/sapmnt/global/security/data/SecStore.properties
secstorefs.lib=/oracle/TTTsapmnt/global/security/lib
rdbms.driverLocation=/oracle/client/10x_64/instantclient/ojdbc14.jar
rdbms.connection=jdbc/pool/TTT
rdbms.initial_connections=1
65. Get the password
• We have an encrypted password
• We have a key to decrypt it
We got the J2EE admin and JDBC login:password!
66. Prevention
• Install SAP note 1619539
• Restrict read access to the files SecStore.properties and SecStore.key
67. Portal post exploitation
• Lots of links to other systems in the corporate LAN
• Using SSRF, attackers can get access to these systems
What is SSRF?
68. SSRF History: Basics
• We send Packet A to Service A
• Service A initiates Packet B to Service B
• Services can be on the same or different hosts
• We can manipulate some fields of Packet B within Packet A
• Various SSRF attacks depend on how many fields we can control in Packet B
(Diagram: Packet A, Packet B)
69. Partial Remote SSRF: HTTP attacks on other services
(Diagram: HTTP Server, Corporate network; Direct attack GET /vuln.jsp; SSRF Attack; SSRF Attack GET /vuln.jsp; A; B)
70. Gopher uri scheme
• Using the gopher:// uri scheme, it is possible to send TCP packets
– Exploit OS vulnerabilities
– Exploit old SAP application vulnerabilities
– Bypass SAP security restrictions
– Exploit vulnerabilities in local services
More info in our BH2012 presentation: SSRF vs. Business Critical Applications
http://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-Businness-critical-applications-whitepaper.pdf
72. Conclusion
It is possible to protect yourself from these kinds of issues, and we are working closely with SAP to keep customers secure
SAP Guides
It's all in your hands
Regular security assessments
ABAP code review
Monitoring technical security
Segregation of Duties
73. Future work
Many of the researched issues cannot be disclosed now because of our good relationship with SAP Product Security Response Team, whom I would like to thank for cooperation.
However, if you want to be the first to see new attacks and demos, follow us at @erpscan and attend future presentations:
• December 6 – BlackHat (UAE, Abu Dhabi)
• December 13 – Syscan 360 (Beijing, China)