Exploiting Critical Attack Vectors To
Gain Control Of SAP Systems
March 12th, 2013
BIZEC Workshop
Mariano Nunez (@marianonunezdc)
Juan Perez-Etchegoyen (@jp_pereze)
2 www.onapsis.com – © 2013 Onapsis, Inc. – All rights reserved
Disclaimer
This publication is copyright 2013 Onapsis Inc. – All rights reserved.
This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP
NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and
services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in
several other countries all over the world.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions,
Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are
trademarks or registered trademarks of Business Objects in the United States and/or other countries.
SAP AG is neither the author nor the publisher of this publication and is not responsible for its content,
and SAP Group shall not be liable for errors or omissions with respect to the materials.
Bizec workshop
Who is Onapsis Inc.?
● Company focused on protecting ERP systems from cyber-attacks (SAP®, Siebel®, Oracle® E-Business Suite™, PeopleSoft®, JD Edwards® …).
● Working with Global Fortune-100 and large governmental organizations.
What does Onapsis do?
● Innovative ERP security software (Onapsis X1, Onapsis IPS, Onapsis Bizploit).
● ERP security professional services.
● Training on ERP security.
Who are we?
● Mariano Nunez, CEO at Onapsis.
● Juan Perez-Etchegoyen, CTO at Onapsis.
● Discovered several vulnerabilities in SAP and Oracle ERPs.
● Speakers/Trainers at BlackHat, RSA, SAP RC, HITB, Source, DeepSec…
SAP Application Security
● SAP systems are built upon several layers.
● Segregation of Duties (SoD) controls apply at the Business Logic layer.
● The SAP Application Layer (NetWeaver/BASIS) is common to most modern SAP solutions, serving as the base technological framework.
[Diagram: layer stack. SAP Solution = SAP Business Logic on top of the SAP Application Layer; Base Infrastructure = Database on top of the Operating System.]
The SAP J2EE engine and Enterprise Portal (EP)
● Latest Web technology from SAP.
● Goal: provide a unique access point to the organization's SAP (and non-SAP) systems through the Web.
● It “provides employees, partners, customers, and other workers with immediate, secure, and role-based access to key information and applications”.
● Technically, it’s a complex Java application running in the SAP J2EE Engine.
Attacks on the Java Application Server or the Java Portal could lead to the compromise of the rest of the related systems.
Attack #1 SAP Portal Header Authentication
Attacks on “Secured” Enterprise Portals
● SAP Enterprise Portal supports different authentication mechanisms, such as User & Password, X.509 Client Certificates, Logon Tickets, Kerberos, etc.
● The authentication is handled by the SAP J2EE Engine.
● Many organizations already have Web Access Management (WAM) solutions in place, providing two-factor authentication mechanisms.
● They use them to enable secured access to the systems (tokens, biometrics, etc.) and Single Sign-On.
● Some examples:
    ● RSA ClearTrust
    ● CA SiteMinder
    ● Oracle Oblix
    ● Entrust GetAccess
    ● Microsoft Integrated Windows Authentication (now deprecated)
A Special Authentication Scheme
● The Portal is integrated with these solutions by using the Header Variables Login Module.
● In these scenarios, the authentication procedure works as follows:
1. The user provides authentication information to the EAM/WAM solution.
2. The solution checks the provided credentials.
3. If successful, it connects to the Enterprise Portal and sends the user to be authenticated in an HTTP header.
4. The Enterprise Portal verifies that the user is valid (it exists) and returns an SAP SSO logon ticket to the user.
5. The user is authenticated.
The Header Authentication Scheme
[Diagram, built up over five slides following the steps above: the user (john:pass123) authenticates to the EAM/WAM solution, the solution checks the credentials and forwards the user name to the Enterprise Portal in an HTTP header, and the Portal returns the SAP SSO logon ticket to the user as a cookie.]
The Attack
If the attacker can connect directly to the SAP Enterprise Portal, nothing prevents him from impersonating the EAM/WAM solution!
[Diagram: the attacker skips the EAM/WAM solution and sends a rogue header_auth request (“Rough header_auth” on the slide) with john's user name straight to the Portal, which answers with a logon ticket cookie.]
After my research and discovery, I found out this had been documented since 2006 (!)
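Added example (not code from the slides, from Onapsis or from SAP) modelling the trust boundary that the five-step flow and the attack slide hinge on: the Portal's login module logs in whatever user name a header carries, so the fact that the request really came from the WAM has to be verified somewhere in front of it. The header name, address range and certificate CN are assumptions.

```python
"""Trust-boundary check for header-variable SSO (added example, not code
from the slides, from Onapsis or from SAP). The Header Variables Login Module
logs in whatever user name a configurable HTTP header carries ('REMOTE_USER'
is assumed here); that is only safe if every request reaching the Portal came
through the WAM, so the front end (or a log review) must enforce that boundary."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

HEADER_NAME = "REMOTE_USER"                     # assumption: header the login module reads
TRUSTED_WAM_NETS = [ip_network("10.0.5.0/28")]  # constructed: where the WAM proxies live
WAM_CERT_CN = "wam.corp.example"                # constructed: CN of the WAM's TLS client cert

@dataclass
class Request:
    src_ip: str
    headers: Dict[str, str]
    client_cert_cn: Optional[str] = None        # CN of the TLS client certificate, if any

def naive_header_login(req: Request) -> Optional[str]:
    """The flow on the slide: whoever sets the header is logged in as that user."""
    return req.headers.get(HEADER_NAME)

def guarded_header_login(req: Request) -> Optional[str]:
    """Honour the header only from the WAM's network over mTLS; otherwise return
    None so the request falls back to a real credential prompt."""
    user = req.headers.get(HEADER_NAME)
    if not user:
        return None
    if not any(ip_address(req.src_ip) in net for net in TRUSTED_WAM_NETS):
        return None                             # direct client, not the WAM
    if req.client_cert_cn != WAM_CERT_CN:
        return None                             # right network, but not the WAM itself
    return user

def audit(requests: List[Request]) -> List[str]:
    """Flag requests the naive module accepts but the guarded one rejects: these
    are exactly the direct-to-Portal header forgeries the slide describes."""
    return [f"{r.src_ip} claimed {naive_header_login(r)!r} via {HEADER_NAME}"
            for r in requests
            if naive_header_login(r) and guarded_header_login(r) is None]

# Constructed traffic: one request relayed by the WAM, one sent straight to the Portal.
SAMPLE = [
    Request("10.0.5.3", {HEADER_NAME: "john"}, client_cert_cn=WAM_CERT_CN),
    Request("192.0.2.10", {HEADER_NAME: "alice"}),
]

if __name__ == "__main__":
    print("\n".join("ALERT: " + line for line in audit(SAMPLE)))
```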
Attack #2 Verb Tampering
Verb tampering attacks
● This kind of vulnerability is based on an old and widespread concept, called “VERB Tampering”. The attack vector involves sending HTTP requests using uncommon HTTP methods, like HEAD, PUT, DELETE...
● In the SAP J2EE Engine, applications are configured using an XML file, defining the profiles required to access the application and the “constraints” applying to each HTTP method.
● Some applications only restrict access to GET and POST!!!
● There is a vulnerable application (CTC runtime) that can be bypassed by sending HEAD requests. This application can be used to create users and execute OS commands!!!
Check if SAP Security Note 1624450 is implemented in your systems!
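Added example, not code from the slides, from Onapsis or from SAP: a small audit that reads a servlet deployment descriptor and reports the partial-method constraint the slide describes (role check listed for GET and POST only). It assumes a standard J2EE web.xml; both descriptors are constructed samples, not SAP's own files.

```python
"""Audit J2EE web.xml security constraints for verb-tampering gaps (added
example; not code from the slides, from Onapsis or from SAP). Assumes the
application uses a standard servlet deployment descriptor (web.xml); both
descriptors below are constructed samples, not SAP's own."""
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed: the role check applies to GET and POST only, so in the servlet
# model every other method (HEAD, PUT, DELETE, ...) reaches the servlet unchecked.
WEAK_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin-servlets</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>Administrator</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed: no <http-method> list at all, so the constraint covers every method.
FIXED_WEB_XML = WEAK_WEB_XML.replace(
    "      <http-method>GET</http-method>\n      <http-method>POST</http-method>\n", "")

def _local(tag: str) -> str:
    """Drop an XML namespace prefix so the audit works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def find_verb_gaps(web_xml: str) -> List[Tuple[str, List[str]]]:
    """Return (url-pattern, listed methods) for every web-resource-collection that
    enumerates http-methods: methods not listed are left unconstrained."""
    gaps = []
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            patterns = [e.text.strip() for e in wrc if _local(e.tag) == "url-pattern"]
            methods = sorted(e.text.strip().upper()
                             for e in wrc if _local(e.tag) == "http-method")
            if methods:
                gaps.extend((p, methods) for p in patterns)
    return gaps

if __name__ == "__main__":
    for pattern, methods in find_verb_gaps(WEAK_WEB_XML):
        print(f"{pattern}: only {methods} constrained; all other verbs bypass the role check")
    print("fixed descriptor gaps:", find_verb_gaps(FIXED_WEB_XML))
```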
Attack #3 Abuse of JAVA Core Service
Abuse of JAVA core service
● The Application Server JAVA exposes several “Remote Object” interfaces. One of these interfaces is based on a proprietary protocol called P4. This interface is exposed on TCP service 5XX04 (where XX is the instance number).
● Due to the lack of authentication in a core service, it is possible to access arbitrary files.
● Any file can be read or written according to the privileges of the <SID>adm user (prdadm, devadm…).
● This could potentially lead to a full compromise of the SAP system.
Check if SAP Security Note 1682613 is implemented in your systems!
Thank you!