SAP Security Hacks and Mitigation - Timeless Attacks
TRANSCRIPT
Ertunga Arsal, Chaos Communication Congress 2010
Rootkits and Trojans on your SAP Landscape
Agenda
• Introduction to Enterprise Security
• SAP* Applications in General
• BASIS (SAP infrastructure) Security
• Attacks to ABAP Programs
• ABAP Rootkits
• The Threat Agents
• How To Stay Secure

* SAP refers to SAP R/3 and NetWeaver applications throughout this presentation, not the company.
About Me
• Ertunga Arsal <[email protected]>
  – Security Researcher with focus on Enterprise Systems
  – Founder of ESNC GmbH, a company specialized in SAP Security
• Officially acknowledged for the following Security Patches:
  • SAP Note 1484692 - Protect read access to password hash tables
  • SAP Note 1497104 - Protect access to PSE
  • SAP Note 1421005 - Secure configuration of the message server
  • SAP Note 1483525 - New security center in SAP GUI 7.20
  • SAP Note 1485029 - Protect read access to key tables
  • SAP Note 1488406 - Handling the generated user TMSADM
  • SAP Note 1511107 - Executing freely determined code using transaction SE37
  • SAP Note 1510704 - Missing Authorization Check in AFX Workbench report
Typical Enterprise
• Has more than a thousand employees
• Is a circus of IT systems
  – Mixture of operating systems, databases, applications
    • And their different versions
    • Usually implemented by different teams
    • Spanning a lot of years
• Decision makers care more about their bonus than the interest of the company
Typical Enterprise Security
• Even a medium level of IT security is too expensive to achieve
  – Missing asset management (how many Oracle DBs, Windows servers, etc.?)
  – Tons of security scanning, too little remediation chasing
  – Many of the vulnerabilities cannot be mitigated
• Obsessed by Cross Site Scripting
• IT security departments cannot influence security decisions of business applications much, because of political reasons
• Nobody cares about the hacked UNIX machine, SQL DB, or others
  – If they are not directly held responsible (CYAS - Cover Your Ass Security)
• SoX, PCI-DSS, legal requirements, ...
• Defacements and similar security incidents are budget approvers
SAP Systems
• Business specific
  – HR, Finances, Logistics...
• Industry solutions
  – Defense & Aerospace, Oil & Gas, Banking, Chemicals...
• Hold the Crown Jewels
  – Hence "Business"
• Are usually extensively customized
  – SAP consultants on-site
  – Long running implementation projects
• Less exposure to typical hackers
  – Who would learn ABAP for hacking?
  – How would someone try it at home?
Sutton's Law
• Main principle: "When diagnosing, one should first consider the obvious"
• Named after a bank robber, Willie Sutton
  – Sutton was asked why he robbed the banks
  – His response*: "Because that's where the money is"
• * Probably he never said this
SAP Security
• Security mostly focuses on authorizations and segregation of duties
  – SOD's main focus is the actions of a single person
  – Two guys get together = throw away your SOD investments
  – Weak passwords (99% of the case) = throw away your SOD investments
• Intrusion prevention is still a baby
  – How many signatures does your expensive IDP have for business apps?
• Risks are underestimated / general IT Security efforts are typically unbalanced at companies
  – How many Global 500s are running SAP for the core business?
  – How many people from their IT Security teams have SAP security skills?
• Unlike e.g. Active Directory, SAP systems belong to the business, not the IT
• Security departments usually fail when they are challenged
  – Either missing skills or "This attack is too sophisticated, nobody can do it" response
SAP: Simplified Connection Overview
• DIAG Protocol: GUI users – TCP 3200-3299
• RFC Protocol: Service users – TCP 3300-3399
• RFC Protocol over SOAP: Service users – TCP 8000-8099 (usually)
SAP Load Balancer
• "Message Server"
• If not properly configured, an attacker can register their own servers [toppic-PoC]
• Can fake the clients, MITM or more
  – Implement ms/acl_info access control to protect it!
SAP Application Server
• Real name the "Gateway"
• Built-in remote shell functionality via RFC
  – Good for remote administration without authentication
  – Supports all operating systems (AIX, HP-UX, z/OS, Win...)
  – Can be restricted via secinfo ACL configuration
  – Mariano mentioned this at BH in 2007
• secinfo/reginfo can be bypassed with ease
  – Make sure you apply the latest kernel security patches and you have a restrictive secinfo/reginfo configuration!
DEMO: Remote Shell
[Diagram: our application talks RFC to the SAP system at IP 5.5.5.7; "we attack here"]
"GUI users are the most powerful users" myth and RFC
• RFC (Remote Function Call) protocol lets you run functions remotely
  – To run; use Java, C, etc. with RFC-SDK or simply execute the test program startrfc. Following creates a new user with god rights:
      startrfc -3 -h 10.1.5.4 -s 05 -c 010 -u ERTUNGA -p CCC42 -F SUSR_RFC_USER_INTERFACE -E USER=SATRIANI -E ACTIVITY=01 -E PASSWORD=RUBINA -E USER_TYPE=A -T USER_PROFILES,12,r=-
      <press ENTER> SAP_ALL <press enter> <press ctrl-z and enter>
• There is no exploit involved. Everything is intended functionality.
  – Beats "RFC users are not a threat because they cannot login via SAP GUI"
  – Time to recheck the company's shared folders and eliminate hardcoded passwords.
• RFC (a.k.a. communication) users are thus very very important!
  – Secure their passwords and make them part of the password change process
  – Don't forget: GUI (dialog) users which have S_RFC rights can also execute remotely
  – SAP_ALL FOR COMMUNICATION USERS IS A NO GO!
A Few RFCs to note down and protect: (Proper user authorizations is the key)
• RFC_READ_TABLE
  – Reads the contents of any table (including ones with sensitive data e.g. salary information)
  – Has bugs in converting e.g. binary fields
    • 1 byte = 2 hex, so 20 byte hash -> 40 hex chars
    • Only returns first 20 chars because of miscalculation -> only first half of the password hashes
• SUSR_RFC_USER_INTERFACE
  – Can be used for creating/modifying users.
• RFC_ABAP_INSTALL_AND_RUN
  – Takes ABAP source lines and executes them
    • Does not execute on production systems, but non-production does not mean that the system is unimportant!
  – Widely known!!! Tighten user authorizations to prevent abuse
  – More restricted in latest NetWeaver systems
    • SAP_ALL RFC users don't have those restrictions!!!
• !!! RFC can be encapsulated in SOAP messages (SOAP RFC)
  – Company's internal proxy suddenly opens the doors to all SAP systems
  – Disable it if not used!
Single Sign-on (SSO2)
• Is a convenience feature, not a security feature
• RTFM: Secure Store and Forward [SSF] documentation
• Personal Security Environment files hold the private key data
  – Stored per default in SAPSYS.pse file or DB table SSF_PSE_D
• If an attacker obtains it, they can create authentication tickets for the victim system
  – Accepting these tickets is enabled per default
  – Attacker can logon as any user
• The idea of homebrewed authentication tickets first came from an SAP guru: Ralf Nellessen
DEMO: Certificate Attacks
Single Sign-on (SSO2)
• The private key container (PSE) can be PIN-protected
• I was trying to see whether the PIN mechanism had any flaws
  – Found a way, so googled for more info
  – Somebody was unconsciously ahead and even documented that :)
• Disable accepting tickets using relevant profile parameters!

[Slide image: Configuring Secure Network Communications for SAP (http://dlc.sun.com/pdf/820-5064/820-5064.pdf)]
SAP Applications (ABAP)
• ABAP code holds almost all of the business logic
• More than 2.000.000 programs are present at an SAP ECC 6.0 system after installation.
  – Some programs have more than 50.000 lines of source code
• ABAP language is very powerful and easy to learn
  – High level and easy to read applications
  – Low level functionality is proxied to the kernel executables when required, e.g. for encryption.
    • ABAP stack can "call" the kernel.
    • We'll only focus on the native ABAP code for this presentation.
Dynamic ABAP
• Statement: GENERATE SUBROUTINE POOL
  – Dynamically generates ABAP code.
  – If the code is generated via user specified input, mistakes mean:
    • ABAP Injection
    • Game over
  – An example is the TMS_CI_START_SERVICE vulnerability
TMS_CI_START_SERVICE Executable Function
• Transport Management System required this
  – Transport == Software Installation
• It is an RFC – Remotely Executable Function Call
• Takes an input table as source code and, if the parameters are specified properly, executes the contents of it.
  – Bingo!
TMS_CI_START_SERVICE Executable Function
• Here is a simple representation of the vulnerable part of it:
      GENERATE SUBROUTINE POOL pp_table NAME ix_context.
      PERFORM (ix_command) IN PROGRAM (ix_context) TABLES pp_table.
• SAP patched it via:
  – SAP Note 1298160: Forbidden program execution possible
• TMSADM default password is at least for the last 5 years public
  – Password is "PASSWORD"
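The pattern on the slide beside a hardened dispatcher, as an added example that is not part of the talk and not SAP's own code: the first function reproduces the vulnerable shape (caller-supplied table compiled into a subroutine pool and executed), the second never generates code from input. The Z* names, the FORM routines and the use of authorization object S_CTS_ADMI with field CTS_ADMFCT are assumptions for illustration.

```abap
FUNCTION z_ci_start_service_unsafe.
*"  IMPORTING ix_command TYPE string
*"  CHANGING  ix_context TYPE sy-repid
*"  TABLES    pp_table
  DATA lv_msg TYPE string.
  " Caller-supplied table lines are compiled into a program and one of
  " its routines is run: whoever can call this RFC can run any ABAP.
  GENERATE SUBROUTINE POOL pp_table NAME ix_context MESSAGE lv_msg.
  IF sy-subrc = 0.
    PERFORM (ix_command) IN PROGRAM (ix_context) TABLES pp_table.
  ENDIF.
ENDFUNCTION.

FUNCTION z_ci_start_service_safe.
*"  IMPORTING  ix_command TYPE string
*"  TABLES     pp_table
*"  EXCEPTIONS not_authorized unknown_command
  " 1. Check the caller's authorization before doing anything
  "    (object/field are assumed; use the one that fits your scenario).
  AUTHORITY-CHECK OBJECT 'S_CTS_ADMI'
           ID 'CTS_ADMFCT' FIELD 'TABL'.
  IF sy-subrc <> 0.
    MESSAGE e001(00) WITH 'Not authorized' RAISING not_authorized.
  ENDIF.
  " 2. Never generate code from input: dispatch only to routines that
  "    are part of this function group, and treat pp_table purely as data.
  CASE ix_command.
    WHEN 'CHECK_STATUS'.
      PERFORM check_status TABLES pp_table.
    WHEN 'SHOW_QUEUE'.
      PERFORM show_queue TABLES pp_table.
    WHEN OTHERS.
      MESSAGE e001(00) WITH 'Unknown command' RAISING unknown_command.
  ENDCASE.
ENDFUNCTION.

" Hypothetical service routines in the function group's own include;
" they only read pp_table, nothing in it is ever interpreted as code.
FORM check_status TABLES pt_table.
  DATA lv_lines TYPE i.
  DESCRIBE TABLE pt_table LINES lv_lines.
  WRITE: / 'Status request lines:', lv_lines.
ENDFORM.

FORM show_queue TABLES pt_table.
  FIELD-SYMBOLS <lv_line> TYPE any.
  LOOP AT pt_table ASSIGNING <lv_line>.
    WRITE: / <lv_line>.
  ENDLOOP.
ENDFORM.
```

When reviewing custom RFC-enabled functions, treat every GENERATE SUBROUTINE POOL or dynamic PERFORM whose input can reach an RFC parameter as a finding until the allowlist and authorization check are shown.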
DEMO: ABAP Injection
SQL Injection
• ABAP typically uses parametrized queries.
  – Developers can still specify parts of SQL statements dynamically by parentheses
• Not dynamic:
  – SELECT ColumnA FROM TableA INTO [...]
• Dynamic:
  – SELECT (var_ColumnName) FROM (var_TableName) INTO [...] WHERE (var_WhereClause)
• Avoid dynamic statements where possible!
SQL Injection
• It's not a bug, it's a feature in concept "Run Time Type Creation"
  – (e.g. Z_RTTC report in NSP test system)
  – https://wiki.sdn.sap.com/wiki/display/Snippets/Concept+of+Run+Time+Type+Creation
• Means generic table access - if not done properly
• !!! Also check the "EXEC SQL"
  – It allows DB specific dynamic queries
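A dynamic Open SQL statement of the kind the two slides above describe, assembled from user input and then hardened, as an added example that is not from the talk: the table name is checked against an allowlist, the condition is preferably static with a host variable, and when a dynamic WHERE is unavoidable the literal is quoted by the kernel. The report name, the allowlist contents and the availability of CL_ABAP_DYN_PRG and string templates (NetWeaver 7.02 or later) are assumptions.

```abap
REPORT z_dyn_where_demo.

" Constructed selection screen: table name and user name both come from
" the user, which is exactly the situation the slides warn about.
PARAMETERS: p_table TYPE tabname DEFAULT 'USR02',
            p_user  TYPE xubname.

DATA: lv_where   TYPE string,
      lr_tab     TYPE REF TO data,
      lt_allowed TYPE TABLE OF tabname.
FIELD-SYMBOLS <lt_rows> TYPE STANDARD TABLE.

START-OF-SELECTION.
  " Run Time Type Creation: a table whose line type is only known now.
  CREATE DATA lr_tab TYPE STANDARD TABLE OF (p_table).
  ASSIGN lr_tab->* TO <lt_rows>.

  " --- UNSAFE: both tokens are caller-controlled text --------------
  " A quote character inside p_user changes the meaning of the clause,
  " and p_table may name any table the report's user can read.
  CONCATENATE 'BNAME = ''' p_user '''' INTO lv_where.
  SELECT * FROM (p_table) INTO TABLE <lt_rows> WHERE (lv_where).

  " --- HARDENED ----------------------------------------------------
  " 1. Table name must be in a fixed allowlist before it is used.
  APPEND 'USR02' TO lt_allowed.
  APPEND 'USR21' TO lt_allowed.
  READ TABLE lt_allowed WITH KEY table_line = p_table
       TRANSPORTING NO FIELDS.
  IF sy-subrc <> 0.
    MESSAGE 'Table not allowed' TYPE 'E'.
  ENDIF.
  " 2. Prefer a static condition with a host variable: no string
  "    assembly, so the input can never become SQL syntax.
  SELECT * FROM (p_table) INTO TABLE <lt_rows> WHERE bname = p_user.
  " 3. If a dynamic clause is unavoidable, let the kernel quote the
  "    literal instead of concatenating it yourself.
  lv_where = |BNAME = { cl_abap_dyn_prg=>quote( p_user ) }|.
  SELECT * FROM (p_table) INTO TABLE <lt_rows> WHERE (lv_where).

  WRITE: / 'Rows read:', lines( <lt_rows> ).
```

The same allowlist idea applies to a dynamic column list; EXEC SQL blocks get none of this protection and need the same review as raw database SQL.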
Cross Site Scripting
• Hard to believe we are still talking about it in 2011
• Proper sanitization/encoding of the input data is the key for self developed web code such as BSPs.
• If not done, an attacker can do everything related to XSS, plus steal e.g. the SSO2 (authentication) cookies from the clients
  – SSO2 cookies are stateless so client impersonation is a breeze.
• Avoid using this mechanism without proper controls
  – If you have F5's or similar devices, encrypt cookies based on origin IP
    • Can kill business if you encrypt based on full IP (32 bits)
    • Can be too open if you just encrypt /24 of that IP
    • What happens to NAT clients, Firesheep?
ABAP Executable Manipulation
• Statement: INSERT REPORT
• Writes custom code to any ABAP program
• It's even possible to call an editor to make it more user friendly
  – Called editor is similar to the ABAP development environment
• Very suspicious if found in self developed code
RS_REPAIR_SOURCE Executable Program
• Unpatched version does not have authorization checking.
• People with e.g. SE38 rights can execute this and manipulate the system and data of it.
• Same as ABAP injection, only more convenient.
• SAP patched it via:
  – SAP Note 1167258: Program RS_REPAIR_SOURCE
• There are many other critical ABAP statements but they are beyond our scope for today. [one hour time limit hit]
ABAP Rootkits
• So, it is possible to modify system executables (ABAPs)
• An attacker can easily infect important executables and install an ABAP rootkit
• SAP has RFC functions that do not require user authentication by default (SRFC function group). This could be one candidate.
• Installed rootkit can give anonymous access to the attacker with functionality such as:
  – Installing SAP_ALL users
  – Manipulating ABAP reports
  – Running OS commands
  – Stealing hashes or PSE files
  – Deleting logs
The Front End: SAP GUI
• Main application for SAP systems
• Runs on different platforms
• Has powerful features
• Has an API for client actions
  – Downloading
  – Uploading
  – Execute
  – Registry access
  – etc.
• With SAP GUI 7.20, there is a "Security Center" where certain actions can be blocked with an ACL
DEMO: Executing code on the client
[Diagram: (1) our application talks RFC, (2) we attack here, (3) logon code gets manipulated, (4) after next connect, code is executed at the victim's machine]
Triple-Penetration Attacks
• Penetration 1: Attacker exploits the weakest system
  – Typical enterprise setup:
    • Testing/Development -> Quality Assurance -> Production
  – Among them, the most unprotected are test/development systems
    • Who connects to these systems? Usually, admins and developers
  – TAGS: Password Security, Protection of the PSE files, Message Server Security, Database Security, OS Security, Network Sniffing, Missing Patches etc...
Triple-Penetration Attacks
• Penetration 2: Attacker infects clients which connect to the weakest system
  – Starts with modification/infection of the critical areas such as logon screen ABAP code
  – When admins/developers successfully login, malicious payload is downloaded and executed on these users' computers
    • Antivirus bypass, user mode rootkits, etc.
    • Sniffing SAP credentials e.g. by tampering saplogon.ini
Triple-Penetration Attacks
• Penetration 3: Victim infects all the systems it later connects to
  – Modification of critical components of the newly accessed SAP systems
    • Internal production systems
    • Partner systems or other critical systems
0wn Half the W0rld's T0p Businesses
• Especially when the initial target is an SAP hosting or training provider
  – Attacker pays a small amount to get a test account
  – Infects the system
  – Sits down and waits for the admin or other users to spread the infection to the systems they connect to
• Configure your SAP GUI security settings and avoid shared SAP systems where possible!
• Protect your end users via proper endpoint protection!
The Robin Hood W0rm for Fun and Profit
• Worm can access the financial applications and data!
  – Sort of the "worm writer's wet dream"
• Checks the balance at the year end closing
• If the company has profit:
  – Donates 0.01% of that amount to Red Cross, Red Crescent [put your favorite red organization here], Save The Children or Wikileaks
• If infected systems contain HR systems:
  – Worm publishes salary information of the employees online
    • Tens of thousands of people notice that the jerk from department X gets twice as much money
• Also consider the legal implications on the businesses
The Threat Agent: ABAP Developer
• Writes code that runs at the heart of the system
• The user rights and permissions don't apply to him
• He can assign god rights to himself via code
  – Audit logs are typically disabled on development systems
    • If enabled, most probably developers will be able to disable/tamper them
    • Remember to always log to an external system.
• You need to trust the developers more than your security team
  – Would you hire an ABAP developer who recently worked at a competitor?
• IF answer EQUALS "HELL, YEAH", think again now.
  – How about the contracted ones that also provide services to other companies at the same time?
The Threat Agent: Dark Organisations
• STUXNET is very popular but...
  – SAP software is used for production of fighter jets, running power grids, oil & gas, critical production systems and more. Especially production, materials management, logistics and financials applications...
    • http://www.sap.com/industries/
  – Has much better API and documentation than PLCs and Step7
• Compared to the effort spent for STUXNET, it would be unreasonable to think that similar is not already done for such systems
  – What happens when you order wrong materials for the next Eurofighter aircraft?
  – How would you detect it?
How to stay secure? (some more tips)
• Proper systems architecture is a prerequisite.
  – Read and apply the "SECURE CONFIGURATION SAP NETWEAVER - APPLICATION SERVER ABAP" document from SAP
    • Make sure relevant people in your company also read it!
    • Check: https://service.sap.com/~sapidb/011000358700000968282010E.pdf
• Implement secinfo/reginfo and ms_acl_info ACLs before the system is first online
• Analyze your systems or use an ABAP integrity checking tool for detecting malicious system tampering and rootkit infections.
  – Currently only two products known to me. From Onapsis and ESNC GmbH
• Never give the development systems write permissions to the production systems' transport import folders
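One way to do the integrity checking mentioned above yourself, as an added example that is not from the talk and not one of the products named: a report that reads the active source of critical programs straight from the repository, hashes it and compares against a baseline recorded on a known-good system, so INSERT REPORT or RS_REPAIR_SOURCE style tampering shows up as a changed hash. The report name, the program list and the baseline value are placeholders; CL_ABAP_MESSAGE_DIGEST is assumed available (NetWeaver 7.02 or later).

```abap
REPORT z_abap_integrity_check.

TYPES: BEGIN OF ty_base,
         prog TYPE sy-repid,
         hash TYPE string,
       END OF ty_base.
DATA: lt_base   TYPE TABLE OF ty_base,
      ls_base   TYPE ty_base,
      lt_source TYPE TABLE OF string,
      lv_data   TYPE string,
      lv_hash   TYPE string.

" Constructed baseline: program name -> SHA-256 of its source captured
" on a clean system. Fill it with your critical set (logon-related
" programs, authorization checks, the transport tooling, this report).
ls_base-prog = 'ZCRITICAL_REPORT'.                     " placeholder
ls_base-hash = '<sha256 recorded from clean system>'.  " placeholder
APPEND ls_base TO lt_base.

START-OF-SELECTION.
  LOOP AT lt_base INTO ls_base.
    " Read the active source from the repository, not a transport copy.
    READ REPORT ls_base-prog INTO lt_source.
    IF sy-subrc <> 0.
      WRITE: / ls_base-prog, 'MISSING - investigate'.
      CONTINUE.
    ENDIF.
    CONCATENATE LINES OF lt_source INTO lv_data
      SEPARATED BY cl_abap_char_utilities=>newline.
    TRY.
        cl_abap_message_digest=>calculate_hash_for_char(
          EXPORTING if_algorithm  = 'SHA256'
                    if_data       = lv_data
          IMPORTING ef_hashstring = lv_hash ).
      CATCH cx_abap_message_digest.
        WRITE: / ls_base-prog, 'HASH ERROR'.
        CONTINUE.
    ENDTRY.
    IF lv_hash = ls_base-hash.
      WRITE: / ls_base-prog, 'OK'.
    ELSE.
      " Any difference means the executable changed after baselining:
      " either a legitimate transport or tampering. Correlate with the
      " transport and change logs before accepting a new baseline.
      WRITE: / ls_base-prog, 'MODIFIED', lv_hash.
    ENDIF.
  ENDLOOP.
```

Keep the baseline and the comparison outside the checked system where you can (export the hashes and compare externally), because a rootkit that can rewrite programs can rewrite the checker and its baseline table just as easily.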
How to stay secure?
• Have proper "check-in" and "leavers process" that take the ABAP developer risks into consideration
  – e.g. full user password resets on certain development systems or other precautions when a developer leaves the company
  – Also consider putting external consultants in the scope
• Audit the code against security vulnerabilities before transporting to production systems
  – Currently only 2 automation products known to me. From ESNC GmbH and from Virtual Forge GmbH
• Syncing passwords to development systems means developers may be able to capture valid passwords for production systems. Avoid it!
How to stay secure?
• Get rid of insecure and/or default passwords
• Disable backwards compatibility of passwords
• Follow the vendor's security notes and guidelines
  – https://service.sap.com/securitynotes
• Convince the upper management that staying 2 years behind the security patches is a bad idea!
• Install the latest security patches
• Install the latest security patches
• Install the latest security patches
Credits/Thanks
• Stefan Fuenfrocken from EUROSEC
• Ralf Nellessen from TRUSTWERK
• Christian Wippermann from SAP
• Everyone @ Product Security Response Team / SAP
Questions?
Ertunga Arsal, ertunga at_ sabanciuniv.edu
This publication contains references to products of SAP AG. SAP, ABAP, SAP GUI and other named SAP products and associated logos are brand names or registered trademarks of SAP AG in Germany and other countries in the world. SAP AG is neither the author nor the publisher of this publication and is not responsible for its content.
This presentation and the accompanying paper are for educational purposes only. I will not be held responsible for what you do with this information; you use it at your own risk.
Some Tools For Protecting Your SAP Systems
• SAP Vulnerability Scan and Penetration Testing:
  – ESNC Security Suite
  – https://www.esnc.de/esnc-sap-security-audit-software/esnc-security-suite-sap-security-scanner/index.html
• SAP SIEM Integration and Real-time Attack Detection:
  – Enterprise Threat Monitor
  – https://www.enterprise-threat-monitor.com