Invest in security to secure investments
Attacks on SAP Mobile
Vahagn Vardanyan, ERPScan
Vahagn Vardanyan
SAP and Web application researcher
Specialist degree in information security
@vah_13
About ERPScan
• The only 360-degree SAP Security solution - ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 awards and nominations
• Research team - 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)
Agenda
• About SAP Mobile Platform
  • SAP Control Center
  • SAP SQL Anywhere services
  • SAP Mobile Server
• SAP Mobile Platform vulnerabilities
  • Decrypting the GIOP protocol
  • XXE in SAP Control Center
  • CSRF in SMP 3.0
  • Cassini 1.0
  • SQL Anywhere BoF
  • SAP EMR Unwired SQL injection
Conclusion
SAP Mobile Platform
SMP architecture
SMP protocols
                   SUP 2.1.3   SUP 2.2   SMP 2.3   SMP 3.0
SMP Messaging          x          x         x         x
SMP Replication        x          x         x         x
HTTP REST API                     x         x         x
SAP Agentry                                 x         x
SMP services
• SAP Control Center
• SAP SQL Anywhere services
• SAP Mobile Server
SAP Control Center
• Working process: sccservice.exe
• Open ports:
  • 2100 (Messaging service)
  • 8282/8283 (SCC)
  • 9999 (RMI)
SQL Anywhere
• Version 3: 1992
• …
• Version 10: 2006 - renamed SQL Anywhere (high availability, intra-query parallelism, materialized views)
• Version 11: 2008 (full text search, BlackBerry support)
• Version 12: 2010 (support for spatial data)
• Version 16: April 18, 2013 (faster synchronization and improved security)
SAP Mobile Server
• MobiLink
• AdminWebServices
• MlsrvWrapper
• InfoboxMultiplexer
• OBMO
• JMSBridge
SAP Mobile Server (MobiLink)
AdminWebServices
• Uses Cassini Web Server 1.0
• Listens on the local port 5100
SAP Mobile Platform vulnerabilities
Decrypting the SAP Mobile Platform GIOP protocol
• GIOP (General Inter-ORB Protocol) is the abstract protocol by which object request brokers (ORBs) communicate
• Used by mlsrv16.exe (MobiLink) on port 2000
XXE in the SAP Mobile Platform portal page
CVE-2015-2813
• Portal URL: https://IP_ADDR:8283/scc
• web.xml & services-config.xml
C:\SAP\SCC-3_2\services\EmbeddedWebContainer\container\Jetty-7.6.2.v20120308\work\jetty-0.0.0.0-8282-scc.war-_scc-any-\webapp\WEB-INF\web.xml
<servlet-mapping>
  <servlet-name>MessageBrokerServlet</servlet-name>
  <url-pattern>/messagebroker/*</url-pattern>
</servlet-mapping>
C:\SAP\SCC-3_2\services\EmbeddedWebContainer\container\Jetty-7.6.2.v20120308\work\jetty-0.0.0.0-8282-scc.war-_scc-any-\webapp\WEB-INF\flex\services-config.xml
<channel-definition id="scc-http" class="mx.messaging.channels.HTTPChannel">
  <endpoint url="http://{server.name}:{server.port}/scc/messagebroker/http" class="flex.messaging.endpoints.HTTPEndpoint" />
</channel-definition>
Endpoints reachable through the MessageBrokerServlet:
1. /scc/messagebroker/amfpolling
2. /scc/messagebroker/amfsecurepolling
3. /scc/messagebroker/http
4. /scc/messagebroker/httpsecure
5. /scc/messagebroker/amflongpolling
Read file with XXE
C:\SAP\MobilePlatform\Servers\UnwiredServer\Repository\Instance\com\sybase\sup\server\SUPServer\sup.properties
sup.imo.upa = 457ba103a46559486a81350d552a9e47fb085927eb6df0ccc79231bc3d
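What the XXE above comes down to at the parser level, as an added example that is not part of the talk and not SCC or SMP code: the HTTP channel endpoints take an XML (AMFX) message body, and a server-side parser that resolves external general entities will inline any local file the DOCTYPE points at. The example uses Python's xml.sax instead of the Java stack behind /scc/messagebroker, and reads a constructed stand-in for sup.properties from a temporary file rather than the Windows path above. The same body is parsed once with external entity resolution on (the vulnerable setting) and once with it off.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed stand-in for the sup.properties content shown on the slide;
# the real file lives under the SMP Repository path, this one is a temp file.
SAMPLE_PROPERTIES = (
    "sup.imo.upa = 457ba103a46559486a81350d552a9e47fb085927eb6df0ccc79231bc3d\n"
)


class TextCollector(ContentHandler):
    """Collects character data, i.e. whatever the endpoint would echo back."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    @property
    def text(self):
        return "".join(self.parts)


def xxe_document(target_path: str) -> bytes:
    """Minimal XXE body: an external general entity pointing at a local file,
    referenced from element content so the parser inlines the file."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE x [<!ENTITY xxe SYSTEM "{target_path}">]>\n'
        "<x>&xxe;</x>\n"
    ).encode()


def parse_body(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    """Parse a request body the way a server-side SAX parser would.

    resolve_external_entities=True reproduces the vulnerable configuration
    (SYSTEM entities are fetched and expanded); False is the hardened one,
    where the entity reference is skipped and yields no text.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text.strip()


def xxe_demo() -> dict:
    """Write the constructed properties file, then feed the same XXE body to
    both parser configurations and return what each one exposes."""
    with tempfile.NamedTemporaryFile("w", suffix=".properties", delete=False) as fh:
        fh.write(SAMPLE_PROPERTIES)
        path = fh.name
    try:
        body = xxe_document(path)
        return {
            "vulnerable": parse_body(body, resolve_external_entities=True),
            "hardened": parse_body(body, resolve_external_entities=False),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for mode, result in xxe_demo().items():
        print(f"{mode}: {result!r}")
```

The vulnerable run returns the full sup.imo.upa line, the hardened run returns an empty string. On the Java side the equivalent fix is to set the parser feature http://apache.org/xml/features/disallow-doctype-decl to true (or disable external general and parameter entities) before parsing any client-supplied XML; on the Python side, defusedxml applies the same settings by default.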
Decrypt sup.imo.upa
SAP Mobile Platform unauthenticated access to other servlets
• Architecture and program vulnerabilities in SAP's J2EE engine (BlackHat USA 2011)
• web.xml files revealed hidden methods to:
  – Read and generate logs
Prevention
Install SAP security note 2125358 (SAP Mobile Platform XXE vulnerability)
CSRF in SMP 3.0
• addAdministrator
• addRepository
• removeServerLogs
• createApplication
• createBackendConnection
• …
Prevention
Install SAP security note 2114316 (SAP Mobile Platform CSRF vulnerability)
Cassini 1.0
AdminWebService
POST /MobileOffice/Admin.asmx/AddAdminUser HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: length

strUserName=Admin2&strActivationCode=123QWEasd&iExpirationHours=100
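A server-side check that covers both the SMP 3.0 CSRF above and a browser-driven replay of the unauthenticated AddAdminUser call, as an added example that is not SMP, SCC or Cassini code. The operation names and the AddAdminUser request come from the slides; the /admin/ URL prefix, the form fields, the allowed origins and the csrf_token scheme are assumptions for illustration. A service bound to 127.0.0.1 is still reachable by any web page rendered in a browser on that host, so the same Origin/Referer and token checks apply to it: the browser attaches the session cookie either way, and the request must be refused whenever it does not provably come from the admin UI itself.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Methods that may change state and therefore need the CSRF check.
UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Origins the admin UIs are legitimately served from (assumed values; 8283 is
# the SCC portal port from the talk, 5100 the local AdminWebService port).
ALLOWED_ORIGINS = {"https://smp.example.com:8283", "http://127.0.0.1:5100"}


def source_origin(headers: Dict[str, str]) -> Optional[str]:
    """Origin header if present, else the scheme://host[:port] of Referer."""
    origin = headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def check_csrf(request: dict, session_token: str) -> Tuple[bool, str]:
    """Decide whether a request may run a state-changing operation.

    request is {"method", "path", "headers", "form"}; session_token is the
    per-session anti-CSRF token the server issued to the logged-in admin.
    """
    if request["method"].upper() not in UNSAFE_METHODS:
        return True, "safe method; GET must never change state"
    origin = source_origin(request["headers"])
    if origin is None:
        # Failing closed here is what stops the hidden <form> on an attacker page.
        return False, "no Origin or Referer on a state-changing request"
    if origin not in ALLOWED_ORIGINS:
        return False, f"cross-site request from {origin}"
    submitted = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(submitted, session_token):
        return False, "missing or invalid anti-CSRF token"
    return True, "same-origin request with valid token"


def csrf_demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed requests: the attacks from the talk beside a legitimate one."""
    token = secrets.token_hex(16)               # token the admin UI embeds in its forms
    cookie = {"Cookie": "JSESSIONID=0123abcd"}  # the browser sends it on every request

    def post(op: str, headers: Dict[str, str], form: Dict[str, str]) -> dict:
        return {"method": "POST", "path": f"/admin/{op}",
                "headers": {**cookie, **headers}, "form": form}

    return {
        "read_only_get": check_csrf({"method": "GET", "path": "/admin/listApplications",
                                     "headers": cookie, "form": {}}, token),
        "cross_site": check_csrf(post("addAdministrator",
                                      {"Origin": "https://attacker.example"},
                                      {"login": "evil"}), token),
        "no_origin": check_csrf(post("removeServerLogs", {}, {}), token),
        "same_origin_no_token": check_csrf(post("createApplication",
                                                {"Referer": "https://smp.example.com:8283/scc/"},
                                                {"name": "x"}), token),
        "same_origin_with_token": check_csrf(post("createBackendConnection",
                                                  {"Origin": "https://smp.example.com:8283"},
                                                  {"name": "x", "csrf_token": token}), token),
        # The AddAdminUser request from the slide, auto-submitted by an attacker
        # page open in a browser on the server host.
        "local_service_cross_site": check_csrf(
            {"method": "POST", "path": "/MobileOffice/Admin.asmx/AddAdminUser",
             "headers": {**cookie, "Origin": "https://attacker.example"},
             "form": {"strUserName": "Admin2", "strActivationCode": "123QWEasd",
                      "iExpirationHours": "100"}}, token),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in csrf_demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'} ({reason})")
```

Only the same-origin request carrying the token and the read-only GET pass; the three forged POSTs and the local AddAdminUser replay are refused. The token comparison uses hmac.compare_digest so a wrong token cannot be distinguished from a near-miss by timing.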
SAP SQL Anywhere Buffer Overflow/Code Execution
CVE-2015-2819
• CVE-2008-0912 - the MobiLink server is affected by a heap overflow during the handling of strings such as username, version and remote ID (all pre-auth) that are longer than 128 bytes
• CVE-2014-9264 - stack-based buffer overflow in the .NET Data Provider in SAP SQL Anywhere allows remote attackers to execute arbitrary code via a crafted column alias
First PSH request
SQL Anywhere BoF
Prevention
Install SAP security note 2108161 (Denial of service in SAP SQL Anywhere)
SAP EMR Unwired SQL injection
CVE-2013-7096
• CVE-2013-7096 (CVSS 7.5)
• AndroidManifest.xml:
<provider android:name=".providers.ModiDataDbProvider" android:authorities="com.sap.mobi.docsprovider" />
1. content://com.sap.mobi.docsprovider/documents/offline_cat
2. content://com.sap.mobi.docsprovider/documents/offline/
3. content://com.sap.mobi.docsprovider/documents/sample
4. content://com.sap.mobi.docsprovider/documents/online
5. content://com.sap.mobi.docsprovider/documents/offline_auth
6. content://com.sap.mobi.docsprovider/documents/offline
7. content://com.sap.mobi.docsprovider/documents/online_auth
8. content://com.sap.mobi.docsprovider/documents/sample/
9. content://com.sap.mobi.docsprovider/documents/online_cat
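The provider above is declared without android:exported="false" and without an android:permission, so any app on the device can query those content:// URIs (providers default to exported when the app targets API 16 or lower), and a provider that forwards the caller's selection string into its SQL is injectable. As an added example that is not the EMR Unwired app's code, the following emulates that query path with Python's sqlite3: the authority string is from the slide, while the table layout, the credentials table and the column whitelist are constructed for the demo. The hardened version whitelists projection columns and accepts only a column = ? selection bound through selectionArgs, the same idea as a strict projection map plus SQLiteQueryBuilder.setStrict(true) on Android.

```python
import re
import sqlite3
from typing import List, Sequence

AUTHORITY = "com.sap.mobi.docsprovider"   # from the manifest on the slide
DOCUMENTS_URI = f"content://{AUTHORITY}/documents"
# Columns a caller may project or filter on (constructed for the demo).
DOCUMENT_COLUMNS = ("id", "title", "category")


def build_db() -> sqlite3.Connection:
    """Constructed sample database: a documents table plus a credentials
    table that a caller of the provider must never be able to reach."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE documents(id INTEGER, title TEXT, category TEXT);
        INSERT INTO documents VALUES (1, 'Q1 report', 'offline_cat'),
                                     (2, 'Demo deck', 'sample');
        CREATE TABLE credentials(username TEXT, password TEXT);
        INSERT INTO credentials VALUES ('bi_admin', 'Summer2015!');
        """
    )
    return conn


def query_vulnerable(conn: sqlite3.Connection, uri: str,
                     projection: Sequence[str], selection: str) -> List[tuple]:
    """Provider that splices the caller's selection straight into the WHERE
    clause: whoever calls query() on the exported provider writes SQL."""
    if not uri.startswith(DOCUMENTS_URI):
        raise ValueError("unknown uri")
    sql = f"SELECT {', '.join(projection)} FROM documents WHERE {selection}"
    return conn.execute(sql).fetchall()


SAFE_SELECTION = re.compile(r"^\s*(\w+)\s*=\s*\?\s*$")


def query_hardened(conn: sqlite3.Connection, uri: str, projection: Sequence[str],
                   selection: str, selection_args: Sequence[str]) -> List[tuple]:
    """Only whitelisted columns, only a '<column> = ?' filter, value bound as
    a parameter, so no caller-controlled text ever reaches the SQL engine."""
    if not uri.startswith(DOCUMENTS_URI):
        raise ValueError("unknown uri")
    unknown = [c for c in projection if c not in DOCUMENT_COLUMNS]
    if unknown:
        raise ValueError(f"projection column(s) not allowed: {unknown}")
    match = SAFE_SELECTION.match(selection)
    if not match or match.group(1) not in DOCUMENT_COLUMNS:
        raise ValueError("selection must have the form '<column> = ?'")
    if len(selection_args) != 1:
        raise ValueError("exactly one selection argument expected")
    sql = f"SELECT {', '.join(projection)} FROM documents WHERE {match.group(1)} = ?"
    return conn.execute(sql, tuple(selection_args)).fetchall()


def sqli_demo() -> dict:
    """Run the injection against both providers and a legitimate query
    against the hardened one."""
    conn = build_db()
    uri = f"{DOCUMENTS_URI}/offline_cat"
    # What a malicious app passes as `selection`: neutralise the intended
    # filter and UNION in two columns from a table the caller should not see.
    injected = "1=0 UNION SELECT username, password FROM credentials"
    leaked = query_vulnerable(conn, uri, ["id", "title"], injected)
    try:
        query_hardened(conn, uri, ["id", "title"], injected, [])
        blocked = False
    except ValueError:
        blocked = True
    legit = query_hardened(conn, uri, ["id", "title"], "category = ?", ["offline_cat"])
    return {"leaked": leaked, "blocked": blocked, "legit": legit}


if __name__ == "__main__":
    print(sqli_demo())
```

The vulnerable provider hands back the credentials row for a query that was nominally about documents; the hardened one rejects the injected selection and still answers the legitimate category filter. On a real device the first step is still to stop exporting the provider (android:exported="false", or a signature-level android:permission) so that only the app itself can call it at all.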
Prevention
Install SAP security note 1864518 (Security Improvements for MOB-APP-EMR-AND)
Conclusion
SAP Guides
Regular security assessments
Monitoring technical security
Segregation of Duties
Security events monitoring
Each SAP landscape is unique and we pay close attention to the requirements of our customers and prospects. ERPScan development team constantly addresses these specific needs and is actively involved in product advancement. If you wish to know whether our scanner addresses a particular aspect, or simply have a feature wish list, please e-mail us. We will be glad to consider your suggestions for the future releases or monthly updates.
About
228 Hamilton Avenue, Fl. 3,Palo Alto, CA. 94301
USA HQ
Luna ArenA 238 Herikerbergweg, 1101 CM Amsterdam
EU HQ
www.erpscan.com [email protected]