An Unauthenticated Journey to Root: Pwning Your Company's Enterprise Software Servers
Pablo Artuso - Yvan Genuer
#BHUSA @BLACKHATEVENTS
Onapsis Inc. | All Rights Reserved
Disclaimer
• This presentation contains references to the products of SAP SE. SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world.
• Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or registered trademarks of Business Objects in the United States and/or other countries.
• SAP SE is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials.
Who are we?
• Pablo Artuso, Security Researcher
• Yvan Genuer, Security Researcher
1. Introduction
2. The Target: SolMan
3. From Unauthenticated Restricted Access...
4. ...to RCE as Agent administrator
5. ...to root them all!
6. Recommendations
7. Conclusion
Introduction - SAP ?
Introduction
(Figure: an SAP landscape is made up of many systems such as BI, ERP and CRM)
The Target: SolMan
• SAP Solution Manager (SolMan)
• Technical SAP system dedicated to administrators
• Highly connected into the SAP landscape
• Used to manage all other SAP systems; OS independent, SAP product independent
Why is SolMan a target ?
Because it is the technical heart of the SAP landscape!
• SolMan does not work alone
• It uses software agents installed on every SAP server
• Called SMDAgent, for "SAP Solution Manager Diagnostic Agent"
• This agent handles communication, instance monitoring and diagnostic feedback to the SolMan
• SolMan is accessible using SAP GUI or through its own web server
From Unauthenticated Restricted Access… Almost missed it
• Where to start? Look at all web applications exposed by SolMan that relate to the SMDAgent
• What did we find? Around 60+ applications, with names like
  • tc~smd~agent~application*
  • tc~smd~*
• 20+ of them are accessible through HTTP GET, POST or SOAP requests
From Unauthenticated Restricted Access… Almost missed it
...
SOAP http://solman:50200/smd/ws/configuration/upgrade/agentports
SOAP http://solman:50200/smd/ws/configuration/upgrade/setupAuthentication
GET  http://solman:50200/smd/upgrade/JavaSslPortCheck
GET  http://solman:50200/smd/upgrade/UMECheckServlet
SOAP http://solman:50200/DiagSetupServices/DiagSetupConf
SOAP http://solman:50200/SMDAgentRepository/ConfigurationOD
POST http://solman:50200/tc~smd~agent~application~e2emai/CollectorSimulation
GET  http://solman:50200/tc~smd~agent~application~eem/EEM
GET  http://solman:50200/tc~smd~agent~application~logfilecollector/LogService
GET  http://solman:50200/E2eTraceGatewayW/E2eTraceServlet
SOAP http://solman:50200/AgentConfigurationWS/AgentConfiguration
SOAP http://solman:50200/ExmSetupServices/ExmSetupConf/
SOAP http://solman:50200/ManagedSetupWS/Config1
GET  http://solman:50200/tc~smd~selfcheck~repository/SelfCheckTest
SOAP http://solman:50200/SVGConvertService/SVGConvert
...
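A practical way to triage a list like the one above is to hit every entry with no credentials and classify the answer. The script below is an added example written for this transcript; it is not code from the talk or from SAP. Host, port and paths are the ones on the slide (a subset of the list), the `http_fetch` helper and the verdict rules are the editor's own heuristics, and `probe` accepts a replacement fetcher so the logic can be exercised offline. Its main point is the classification: a 500 that carries an application-level `<errorMessage>` means the request reached application code without being authenticated, which is exactly the reply that is easy to misread as "authentication required".

```python
"""Check which SolMan SMD-related web applications answer without credentials.

Added example for this transcript; it is not code from the talk or from SAP.
Host, port and paths are the ones the slide lists; the request and verdict
logic is the editor's own and the verdict rules are heuristics.
"""
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# (kind, path) pairs taken from the slide. The slide's list is longer ("...").
SMD_ENDPOINTS: List[Tuple[str, str]] = [
    ("SOAP", "/smd/ws/configuration/upgrade/agentports"),
    ("GET", "/smd/upgrade/JavaSslPortCheck"),
    ("GET", "/smd/upgrade/UMECheckServlet"),
    ("SOAP", "/SMDAgentRepository/ConfigurationOD"),
    ("GET", "/tc~smd~agent~application~eem/EEM"),
    ("SOAP", "/AgentConfigurationWS/AgentConfiguration"),
]

# Empty SOAP 1.1 envelope: enough to learn whether the container demands
# credentials before the application ever parses the body.
EMPTY_ENVELOPE = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    "<soapenv:Body/></soapenv:Envelope>"
)

# A fetcher takes (method, url, body) and returns (status, response text).
Fetcher = Callable[[str, str, Optional[bytes]], Tuple[int, str]]


def http_fetch(method: str, url: str, body: Optional[bytes]) -> Tuple[int, str]:
    """Plain urllib request with no credentials; HTTP errors become (status, body)."""
    req = urllib.request.Request(url, data=body, method=method)
    if body is not None:
        req.add_header("Content-Type", "text/xml; charset=utf-8")
        req.add_header("SOAPAction", '""')
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def classify(status: int, body: str) -> str:
    """Turn one unauthenticated response into an exposure verdict.

    401/403: the server enforced authentication before the app saw the request.
    200: plainly reachable.
    500 with an application error in the body (<errorMessage>, SOAP Fault):
    the request reached application code without any credentials. This is the
    'almost missed it' case from the slide, where an error reply looks like a
    refusal but is actually proof that nothing authenticates the caller.
    The body check is a heuristic; read the reply before trusting the verdict.
    """
    if status in (401, 403):
        return "auth-required"
    if status == 404:
        return "not-found"
    if status == 200:
        return "open"
    if status == 500 and ("<errorMessage>" in body or "Fault" in body):
        return "open-app-error"
    return "unknown-%d" % status


def probe(base_url: str,
          endpoints: List[Tuple[str, str]] = SMD_ENDPOINTS,
          fetch: Fetcher = http_fetch) -> Dict[str, str]:
    """Return {path: verdict} for every endpoint, sending no credentials."""
    verdicts: Dict[str, str] = {}
    for kind, path in endpoints:
        url = base_url.rstrip("/") + path
        if kind == "SOAP":
            status, text = fetch("POST", url, EMPTY_ENVELOPE.encode("utf-8"))
        elif kind == "POST":
            status, text = fetch("POST", url, b"")
        else:
            status, text = fetch("GET", url, None)
        verdicts[path] = classify(status, text)
    return verdicts


if __name__ == "__main__":
    import sys
    base = sys.argv[1] if len(sys.argv) > 1 else "http://solman:50200"
    for path, verdict in probe(base).items():
        print("%-16s %s" % (verdict, path))
```

Run it against your own SolMan host only; anything reported as `open` or `open-app-error` is reachable by an unauthenticated caller and deserves the same attention the EEM application gets in the rest of this talk.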
From Unauthenticated Restricted Access… Almost missed it
"Hey, look at this one! Unfortunately authentication required, but sounds powerful."
"Euh… no… it's not authenticated!"
"Damn, you are right! Almost missed it :)"
End-user Experience Monitoring (EEM)
• What: a web application running on SolMan's web server.
• Goal: evaluate availability and performance of systems from the client side.
• How: mimic end-user activities with automated scripts. Scripts are uploaded to EEM and later deployed to the EEM robots; SMD agents are EEM robots by default.
• Formerly named UxMon.
End-user Experience Monitoring (EEM): script flow
1. Administrator uploads a script
2. Script is deployed to an EEM robot
Wait.. You said EEM had no authentication at all?
...to RCE as Agent administrator: EEM Technical Analysis
• runScript parameters: Script, Agent name
• First attempt (Script = "foo_script", Agent name = SMD host), not-so-happy answer:
  <errorMessage>com.sap.smd.eem.admin.EemException: EEM is not enabled on this agent. Operation only supported when EEM is enabled.</errorMessage>
...to RCE as Agent administrator: EEM Technical Analysis
• getAllAgentInfo: no parameters required.
• Type of information retrieved:
  • Versions of OS, JVM, SDK
  • User environment variables
  • EEM properties, among them:
    …
    eem.enable = false
    …
...to RCE as Agent administrator: EEM Technical Analysis
• setAgeletProperties parameters: Agent name (SMD host), Key (eem.enable), Value (True)
• getAllAgentInfo now reports eem.enable = True
• runScript again:
  <errorMessage>com.sap.smd.eem.admin.EemException: Script foo_script not found.</errorMessage>
...to RCE as Agent administrator: EEM Technical Analysis
• uploadResource parameters: Agent name (SMD host), Content (base64)
• Content = b64(random string):
  <errorMessage>FatalError validating XML document: Content is not allowed in prolog</errorMessage>
• Content = b64(XML prolog only):
  <errorMessage>FatalError validating XML document: Premature end of file.</errorMessage>
...to RCE as Agent administrator: EEM Technical Analysis
• From the documentation: supported protocols are RFC, DIAG, HTTP and SOAP; there is an EEM editor; SAP provides an HTTP example script.
• Develop a custom script, guided by the schema validation error messages:
  Error validating XML document: Invalid content was found starting with element 'blahblah'. One of '{Annotation, Headers, Param, Check, Search, Part}' is expected
• GOT SSRF! The robot performs the HTTP requests the script describes, so an unauthenticated caller can make the SMD agent issue requests on its behalf.
...to RCE as Agent administrator: Going for RCE
• Scripting language to mimic user actions → powerful and flexible
• Blackbox → whitebox (Java application)
• Found the "grammar" of the scripting language:
  • Message-based language
  • Message types:
...to RCE as Agent administrator: Going for RCE
• From message parser analysis, some available commands:
  • Assign
  • AssignFromList
  • AssignFromFile
  • AssignJS
  • WriteVariableToFile
  • ReadVariableFromFile
...to RCE as Agent administrator: Going for RCE
• While analyzing those commands:
  • Serious and common mistake in Java: the expression is not sanitized and it is controlled by the attacker.
• Access to run scripts → execute commands on SMD Agents
• EVERYONE (no auth) → run commands as daaadm
...to RCE as Agent administrator: putting it together
1. Attacker gets data from the agents (getAllAgentInfo).
2. Attacker chooses a target and changes its configuration (setAgeletProperties, eem.enable = True).
3. Attacker uploads the RCE script to the target (uploadResource).
4. RCE as daaadm is executed (runScript).
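The four steps above leave a recognisable trace on the web tier. The detector below is an added example written for this transcript, not code from the talk or from SAP: the endpoint path and the operation names come from the slides, while the log layout is constructed (Common Log Format plus a trailing quoted field carrying the SOAPAction operation, as a reverse proxy in front of SolMan could be configured to log it; it is not SAP's native access-log format). Every call to setAgeletProperties, uploadResource or runScript is reported on its own, and a runScript that follows a setAgeletProperties from the same source within the window is raised to high severity, since enable-then-execute is the signature of the chain.

```python
"""Spot the unauthenticated EEM abuse chain in web-server access logs.

Added example for this transcript; not code from the talk or from SAP. The
endpoint path and the operation names come from the slides. The log layout is
constructed: Common Log Format plus a trailing quoted field holding the
SOAPAction operation, which a reverse proxy in front of SolMan could be made
to log. It is not SAP's native access-log format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

EEM_PATH = "/tc~smd~agent~application~eem/EEM"   # from the slide
# Operations an administrator uses to enable, load and run scripts on an agent
SENSITIVE_OPS = {"setAgeletProperties", "uploadResource", "runScript"}
WINDOW = timedelta(minutes=30)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<op>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 10.0.0.9 walks the whole chain, 10.0.0.11 only runs a
# script, 10.0.0.7 merely reads agent info.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Aug/2020:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-"
10.0.0.9 - - [05/Aug/2020:10:02:11 +0000] "POST /tc~smd~agent~application~eem/EEM HTTP/1.1" 200 8810 "getAllAgentInfo"
10.0.0.9 - - [05/Aug/2020:10:02:40 +0000] "POST /tc~smd~agent~application~eem/EEM HTTP/1.1" 200 312 "setAgeletProperties"
10.0.0.9 - - [05/Aug/2020:10:03:05 +0000] "POST /tc~smd~agent~application~eem/EEM HTTP/1.1" 200 298 "uploadResource"
10.0.0.9 - - [05/Aug/2020:10:03:20 +0000] "POST /tc~smd~agent~application~eem/EEM HTTP/1.1" 200 401 "runScript"
10.0.0.11 - - [05/Aug/2020:10:40:00 +0000] "POST /tc~smd~agent~application~eem/EEM HTTP/1.1" 500 640 "runScript"
10.0.0.7 - - [05/Aug/2020:11:15:00 +0000] "POST /tc~smd~agent~application~eem/EEM HTTP/1.1" 200 8810 "getAllAgentInfo"
"""


def parse_line(line: str) -> Optional[Dict]:
    """Parse one constructed log line; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_eem_abuse(log_text: str) -> List[Dict]:
    """One finding per sensitive EEM call. Severity becomes 'high' when a
    runScript follows a setAgeletProperties from the same source inside
    WINDOW: the enable-then-execute pattern of the attack."""
    recent = defaultdict(list)        # ip -> [(ts, op)] seen inside the window
    findings: List[Dict] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != EEM_PATH or rec["op"] not in SENSITIVE_OPS:
            continue
        ip, ts, op = rec["ip"], rec["ts"], rec["op"]
        history = [(t, o) for t, o in recent[ip] if ts - t <= WINDOW]
        recent[ip] = history + [(ts, op)]
        chained = op == "runScript" and any(o == "setAgeletProperties" for _, o in history)
        findings.append({
            "ip": ip,
            "ts": ts,
            "severity": "high" if chained else "medium",
            "ops": ([o for _, o in history] + [op]) if chained else [op],
        })
    return findings


if __name__ == "__main__":
    for f in detect_eem_abuse(SAMPLE_LOG):
        print(f["severity"].upper(), f["ip"], f["ts"].isoformat(), " -> ".join(f["ops"]))
```

Because the application itself does not authenticate these calls, the source address is the only attribution available at this layer; anything outside the administrators' network that touches these operations is worth an alert on its own, and the correlation only decides how loud it should be.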
...to root them all : SAP Host Agent
...to root them all: What is that?
• An agent that can accomplish several life-cycle tasks: operating system monitoring, database monitoring, system instance control, upgrade preparation
• Installed automatically during the installation of a new SAP system
• OS independent
Source: https://help.sap.com/doc/saphelp_nw73ehp1/7.31.19/en-US/48/c6f9627a004da5e10000000a421937/content.htm
...to root them all: Why did we take a look?

# ps -ef | grep hostctrl
root    92067  1  0 /usr/sap/hostctrl/exe/saphostexec pf=/usr/sap/hostctrl/exe/host_profile
sapadm  92072  1  0 /usr/sap/hostctrl/exe/sapstartsrv pf=/usr/sap/hostctrl/exe/host_profile
root    92338  1  0 /usr/sap/hostctrl/exe/saposcol -l -w60 pf=/usr/sap/hostctrl/exe/host_profile

# ss -larntp | grep 92072
LISTEN 0 20 *:1128 *:* users:(("sapstartsrv",pid=92072,fd=18))

# grep daaadm /usr/sap/hostctrl/exe/host_profile
service/admin_users = daaadm

Only 3 commands convinced us:
• Services running as root (saphostexec, saposcol)
• Service exposed remotely (sapstartsrv listening on *:1128)
• 'our' daaadm is mentioned in the configuration file (service/admin_users)
...to root them all: Features
• Locally, as root or a local Administrator, it is possible to perform several tasks using the saphostctrl binary

# /usr/sap/hostctrl/exe/saphostctrl
Usage: saphostctrl [generic option]... -function <Webmethod> [argument]...
       saphostctrl -help [<Webmethod>]

• Each function can have several different parameters
...to root them all: Functions
• 45+ functions:
Ping, StartInstance, StopInstance, ListInstances, ACOSPrepare, GetOperationResults, CancelOperation, IsOperationFinished, ExecuteOperation, GetCIMObject, GetComputerSystem, ListDatabases, ListDatabaseSystems, ListDatabaseMetrics, ListDatabaseConfiguration, ExecuteDatabaseOperation,
GetDatabaseStatus, GetDatabaseSystemStatus, StartDatabase, StopDatabase, AttachDatabase, DetachDatabase, GetDatabaseProperties, SetDatabaseProperty, LiveDatabaseUpdate, PrepareDatabaseCopy, FinalizeDatabaseCopy, RegisterInstanceService, UnregisterInstanceService, ExecuteInstallationProcedure, ExecuteUpgradeProcedure, DeployConfiguration,
GetCapabilities, ListOSProcesses, GetSAPOSColVersion, GetSAPOSColHWConf, AddIpAddress, RemoveIpAddress, GetIpAddressProperties, MoveIpAddress, DetectManagedObjects, DeployManagedObjectsFromSAR, ExecuteOutsideDiscovery, ConfigureOutsideDiscovery, ConfigureOutsideDiscoveryPath, ReloadConfiguration, EnableCORS, DisableCORS
...to root them all : Configuration
53
• The configuration file handles interesting content
SAPSYSTEMNAME = SAPSAPSYSTEM = 99service/porttypes = SAPHostControl SAPOscol SAPCCMSDIR_LIBRARY = /usr/sap/hostctrl/exeDIR_EXECUTABLE = /usr/sap/hostctrl/exeDIR_PROFILE = /usr/sap/hostctrl/exeDIR_GLOBAL = /usr/sap/hostctrl/exeDIR_INSTANCE = /usr/sap/hostctrl/exeDIR_HOME = /usr/sap/hostctrl/workservice/admin_users = daaadm sidadmservice/trace = 1hostexec/trace = 1
![Page 54: Software Servers Pwning Your Company's Enterprise An ... · An Unauthenticated Journey to Root : Pwning Your Company's Enterprise Software Servers Pablo Artuso - Yvan Genuer #BHUSA](https://reader036.vdocument.in/reader036/viewer/2022081615/5fd52c1d47d52b4d486a353c/html5/thumbnails/54.jpg)
Onapsis Inc. | All Rights Reserved
...to root them all : Configuration
54
• The configuration file handles interesting content
SAPSYSTEMNAME = SAPSAPSYSTEM = 99service/porttypes = SAPHostControl SAPOscol SAPCCMSDIR_LIBRARY = /usr/sap/hostctrl/exeDIR_EXECUTABLE = /usr/sap/hostctrl/exeDIR_PROFILE = /usr/sap/hostctrl/exeDIR_GLOBAL = /usr/sap/hostctrl/exeDIR_INSTANCE = /usr/sap/hostctrl/exeDIR_HOME = /usr/sap/hostctrl/workservice/admin_users = daaadm sidadmservice/trace = 1hostexec/trace = 1
Additional OS users authorized for system
administration
![Page 55: Software Servers Pwning Your Company's Enterprise An ... · An Unauthenticated Journey to Root : Pwning Your Company's Enterprise Software Servers Pablo Artuso - Yvan Genuer #BHUSA](https://reader036.vdocument.in/reader036/viewer/2022081615/5fd52c1d47d52b4d486a353c/html5/thumbnails/55.jpg)
Onapsis Inc. | All Rights Reserved
...to root them all : Configuration
55
• The configuration file handles interesting content
SAPSYSTEMNAME = SAPSAPSYSTEM = 99service/porttypes = SAPHostControl SAPOscol SAPCCMSDIR_LIBRARY = /usr/sap/hostctrl/exeDIR_EXECUTABLE = /usr/sap/hostctrl/exeDIR_PROFILE = /usr/sap/hostctrl/exeDIR_GLOBAL = /usr/sap/hostctrl/exeDIR_INSTANCE = /usr/sap/hostctrl/exeDIR_HOME = /usr/sap/hostctrl/workservice/admin_users = daaadm sidadmservice/trace = 1hostexec/trace = 1
But logged in is not enough… authentication is
required directly when calling saphostctrl
![Page 56: Software Servers Pwning Your Company's Enterprise An ... · An Unauthenticated Journey to Root : Pwning Your Company's Enterprise Software Servers Pablo Artuso - Yvan Genuer #BHUSA](https://reader036.vdocument.in/reader036/viewer/2022081615/5fd52c1d47d52b4d486a353c/html5/thumbnails/56.jpg)
...to root them all : Configuration
• The configuration file handles interesting content
Diagram: daaadm on the SAP Server sends "Request Function" to the SAP Host Agent, which answers "daaadm password ?"
![Page 57: Software Servers Pwning Your Company's Enterprise An ... · An Unauthenticated Journey to Root : Pwning Your Company's Enterprise Software Servers Pablo Artuso - Yvan Genuer #BHUSA](https://reader036.vdocument.in/reader036/viewer/2022081615/5fd52c1d47d52b4d486a353c/html5/thumbnails/57.jpg)
...to root them all : Configuration
• The configuration file handles interesting content (same profile as on slide 54)
service/porttypes = SAPHostControl SAPOscol SAPCCMS
→ service/porttypes: enabled Web service ports
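To turn the profile shown on these slides into something an administrator can audit, here is an added example (not code from the talk, from Onapsis or from SAP) that parses host_profile-style `key = value` lines and reports the settings the slides single out: `service/admin_users`, `service/porttypes` and the trace levels. The sample profile text is reconstructed from the slide. Treating sapadm as the agent's own account and every other name in `service/admin_users` as an additional administrator is an assumption, as is "last key wins" for duplicated directives.

```python
"""Parse an SAP Host Agent profile and report the settings the slides call out.

Added example, not the presentation's or SAP's code.  The sample profile is
reconstructed from the slide; the default-admin assumption is marked below.
"""
import re
from typing import Dict, List

# Constructed sample: the profile shown on the slide, one directive per line.
SAMPLE_PROFILE = """\
SAPSYSTEMNAME = SAP
SAPSYSTEM = 99
service/porttypes = SAPHostControl SAPOscol SAPCCMS
DIR_LIBRARY = /usr/sap/hostctrl/exe
DIR_EXECUTABLE = /usr/sap/hostctrl/exe
DIR_PROFILE = /usr/sap/hostctrl/exe
DIR_GLOBAL = /usr/sap/hostctrl/exe
DIR_INSTANCE = /usr/sap/hostctrl/exe
DIR_HOME = /usr/sap/hostctrl/work
service/admin_users = daaadm sidadm
service/trace = 1
hostexec/trace = 1
"""

# Assumption: sapadm is the account the agent itself runs as; any other name in
# service/admin_users is an extra OS account allowed to administer the agent.
DEFAULT_ADMIN_USERS = {"sapadm"}

# "key = value"; keys may contain '/', values may contain several tokens
_LINE = re.compile(r"^\s*([A-Za-z0-9_/.]+)\s*=\s*(.*?)\s*$")


def parse_profile(text: str) -> Dict[str, str]:
    """Return the directives as a dict.

    Comment ('#') and blank lines are skipped; a repeated key keeps the last
    value (assumption about how the agent resolves duplicates).
    """
    profile: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparseable profile line: {raw!r}")
        profile[m.group(1)] = m.group(2)
    return profile


def list_value(profile: Dict[str, str], key: str) -> List[str]:
    """Split a whitespace-separated directive such as service/admin_users."""
    return profile.get(key, "").split()


def audit_profile(profile: Dict[str, str]) -> List[str]:
    """Findings an administrator would review, in a fixed order."""
    findings: List[str] = []
    extra = [u for u in list_value(profile, "service/admin_users")
             if u not in DEFAULT_ADMIN_USERS]
    if extra:
        findings.append("service/admin_users grants Host Agent administration "
                        "to extra OS accounts: " + ", ".join(extra))
    ports = list_value(profile, "service/porttypes")
    if ports:
        findings.append("service/porttypes enables Web service endpoints: "
                        + ", ".join(ports))
    for key in ("service/trace", "hostexec/trace"):
        value = profile.get(key, "")
        if value.isdigit() and int(value) > 0:
            findings.append(f"{key} = {value}: tracing is enabled, make sure "
                            "the trace files are collected")
    return findings


if __name__ == "__main__":
    for finding in audit_profile(parse_profile(SAMPLE_PROFILE)):
        print("-", finding)
```

Run against a real `host_profile` the extra-account finding is the one to act on: each account it names can administer the agent, and the slides that follow show why that matters.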
![Page 60: Software Servers Pwning Your Company's Enterprise An ... · An Unauthenticated Journey to Root : Pwning Your Company's Enterprise Software Servers Pablo Artuso - Yvan Genuer #BHUSA](https://reader036.vdocument.in/reader036/viewer/2022081615/5fd52c1d47d52b4d486a353c/html5/thumbnails/60.jpg)
...to root them all : Local Traffic Analysis
Confirms that the saphostctrl command line performs the SOAP request locally
![Page 61: Software Servers Pwning Your Company's Enterprise An ... · An Unauthenticated Journey to Root : Pwning Your Company's Enterprise Software Servers Pablo Artuso - Yvan Genuer #BHUSA](https://reader036.vdocument.in/reader036/viewer/2022081615/5fd52c1d47d52b4d486a353c/html5/thumbnails/61.jpg)
...to root them all : Curious credential
• The password changes at every request
• The username stays the same
{2D4A6FB8-37F1-43d7-88BE-AD279C89DCD7}:2702282443137234634522881264230474671502
![Page 62: Software Servers Pwning Your Company's Enterprise An ... · An Unauthenticated Journey to Root : Pwning Your Company's Enterprise Software Servers Pablo Artuso - Yvan Genuer #BHUSA](https://reader036.vdocument.in/reader036/viewer/2022081615/5fd52c1d47d52b4d486a353c/html5/thumbnails/62.jpg)
...to root them all : Binary Analysis
• Using the username as entry point
![Page 63: Software Servers Pwning Your Company's Enterprise An ... · An Unauthenticated Journey to Root : Pwning Your Company's Enterprise Software Servers Pablo Artuso - Yvan Genuer #BHUSA](https://reader036.vdocument.in/reader036/viewer/2022081615/5fd52c1d47d52b4d486a353c/html5/thumbnails/63.jpg)
...to root them all : Binary Analysis
• Using the username as entry point
• Understand that a "Trusted Internal Connection" feature exists
![Page 64: Software Servers Pwning Your Company's Enterprise An ... · An Unauthenticated Journey to Root : Pwning Your Company's Enterprise Software Servers Pablo Artuso - Yvan Genuer #BHUSA](https://reader036.vdocument.in/reader036/viewer/2022081615/5fd52c1d47d52b4d486a353c/html5/thumbnails/64.jpg)
...to root them all : Trusted Connection
Diagram: daaadm on the SAP Server sends "RequestLogonFile" to the SAP Host Agent, which answers "logon42"
![Page 65: Software Servers Pwning Your Company's Enterprise An ... · An Unauthenticated Journey to Root : Pwning Your Company's Enterprise Software Servers Pablo Artuso - Yvan Genuer #BHUSA](https://reader036.vdocument.in/reader036/viewer/2022081615/5fd52c1d47d52b4d486a353c/html5/thumbnails/65.jpg)
...to root them all : Trusted Connection
Diagram: daaadm on the SAP Server calls readfile() on /usr/sap/hostctrl/work/sapcontrol_logon/logon42
![Page 66: Software Servers Pwning Your Company's Enterprise An ... · An Unauthenticated Journey to Root : Pwning Your Company's Enterprise Software Servers Pablo Artuso - Yvan Genuer #BHUSA](https://reader036.vdocument.in/reader036/viewer/2022081615/5fd52c1d47d52b4d486a353c/html5/thumbnails/66.jpg)
...to root them all : Trusted Connection
Diagram: the file /usr/sap/hostctrl/work/sapcontrol_logon/logon42, read by daaadm, contains 2702282443137234634522881264230474671502
![Page 67: Software Servers Pwning Your Company's Enterprise An ... · An Unauthenticated Journey to Root : Pwning Your Company's Enterprise Software Servers Pablo Artuso - Yvan Genuer #BHUSA](https://reader036.vdocument.in/reader036/viewer/2022081615/5fd52c1d47d52b4d486a353c/html5/thumbnails/67.jpg)
...to root them all : Trusted Connection
Diagram: daaadm on the SAP Server sends "Request Function" to the SAP Host Agent; asked "Password ?", it answers with 270228244313723463... and the agent replies "OK"
![Page 68: Software Servers Pwning Your Company's Enterprise An ... · An Unauthenticated Journey to Root : Pwning Your Company's Enterprise Software Servers Pablo Artuso - Yvan Genuer #BHUSA](https://reader036.vdocument.in/reader036/viewer/2022081615/5fd52c1d47d52b4d486a353c/html5/thumbnails/68.jpg)
...to root them all : Trusted Connection
![Page 69: Software Servers Pwning Your Company's Enterprise An ... · An Unauthenticated Journey to Root : Pwning Your Company's Enterprise Software Servers Pablo Artuso - Yvan Genuer #BHUSA](https://reader036.vdocument.in/reader036/viewer/2022081615/5fd52c1d47d52b4d486a353c/html5/thumbnails/69.jpg)
...to root them all : Trusted Connection
Knowing the daaadm password is not necessary anymore...
![Page 70: Software Servers Pwning Your Company's Enterprise An ... · An Unauthenticated Journey to Root : Pwning Your Company's Enterprise Software Servers Pablo Artuso - Yvan Genuer #BHUSA](https://reader036.vdocument.in/reader036/viewer/2022081615/5fd52c1d47d52b4d486a353c/html5/thumbnails/70.jpg)
...to root them all!
![Page 71: Software Servers Pwning Your Company's Enterprise An ... · An Unauthenticated Journey to Root : Pwning Your Company's Enterprise Software Servers Pablo Artuso - Yvan Genuer #BHUSA](https://reader036.vdocument.in/reader036/viewer/2022081615/5fd52c1d47d52b4d486a353c/html5/thumbnails/71.jpg)
...to root them all!
![Page 72: Software Servers Pwning Your Company's Enterprise An ... · An Unauthenticated Journey to Root : Pwning Your Company's Enterprise Software Servers Pablo Artuso - Yvan Genuer #BHUSA](https://reader036.vdocument.in/reader036/viewer/2022081615/5fd52c1d47d52b4d486a353c/html5/thumbnails/72.jpg)
...to root them all : Functions
• 45+ functions :
Ping, StartInstance, StopInstance, ListInstances, ACOSPrepare, GetOperationResults, CancelOperation, IsOperationFinished, ExecuteOperation, GetCIMObject, GetComputerSystem, ListDatabases, ListDatabaseSystems, ListDatabaseMetrics, ListDatabaseConfiguration, ExecuteDatabaseOperation,
GetDatabaseStatus, GetDatabaseSystemStatus, StartDatabase, StopDatabase, AttachDatabase, DetachDatabase, GetDatabaseProperties, SetDatabaseProperty, LiveDatabaseUpdate, PrepareDatabaseCopy, FinalizeDatabaseCopy, RegisterInstanceService, UnregisterInstanceService, ExecuteInstallationProcedure, ExecuteUpgradeProcedure, DeployConfiguration,
GetCapabilities, ListOSProcesses, GetSAPOSColVersion, GetSAPOSColHWConf, AddIpAddress, RemoveIpAddress, GetIpAddressProperties, MoveIpAddress, DetectManagedObjects, DeployManagedObjectsFromSAR, ExecuteOutsideDiscovery, ConfigureOutsideDiscovery, ConfigureOutsideDiscoveryPath, ReloadConfiguration, EnableCORS, DisableCORS
![Page 73: Software Servers Pwning Your Company's Enterprise An ... · An Unauthenticated Journey to Root : Pwning Your Company's Enterprise Software Servers Pablo Artuso - Yvan Genuer #BHUSA](https://reader036.vdocument.in/reader036/viewer/2022081615/5fd52c1d47d52b4d486a353c/html5/thumbnails/73.jpg)
...to root them all : Vulnerabilities
• 45+ functions : (same list as on slide 72)
![Page 76: Software Servers Pwning Your Company's Enterprise An ... · An Unauthenticated Journey to Root : Pwning Your Company's Enterprise Software Servers Pablo Artuso - Yvan Genuer #BHUSA](https://reader036.vdocument.in/reader036/viewer/2022081615/5fd52c1d47d52b4d486a353c/html5/thumbnails/76.jpg)
...to root them all!
![Page 77: Software Servers Pwning Your Company's Enterprise An ... · An Unauthenticated Journey to Root : Pwning Your Company's Enterprise Software Servers Pablo Artuso - Yvan Genuer #BHUSA](https://reader036.vdocument.in/reader036/viewer/2022081615/5fd52c1d47d52b4d486a353c/html5/thumbnails/77.jpg)
...to root them all!
![Page 78: Software Servers Pwning Your Company's Enterprise An ... · An Unauthenticated Journey to Root : Pwning Your Company's Enterprise Software Servers Pablo Artuso - Yvan Genuer #BHUSA](https://reader036.vdocument.in/reader036/viewer/2022081615/5fd52c1d47d52b4d486a353c/html5/thumbnails/78.jpg)
![Page 79: Software Servers Pwning Your Company's Enterprise An ... · An Unauthenticated Journey to Root : Pwning Your Company's Enterprise Software Servers Pablo Artuso - Yvan Genuer #BHUSA](https://reader036.vdocument.in/reader036/viewer/2022081615/5fd52c1d47d52b4d486a353c/html5/thumbnails/79.jpg)
1. Introduction
2. The Target: SolMan
3. From Unauthenticated Restricted Access...
4. ...to RCE as Agent administrator
5. ...to root them all!
6. Recommendations
7. Conclusion
![Page 80: Software Servers Pwning Your Company's Enterprise An ... · An Unauthenticated Journey to Root : Pwning Your Company's Enterprise Software Servers Pablo Artuso - Yvan Genuer #BHUSA](https://reader036.vdocument.in/reader036/viewer/2022081615/5fd52c1d47d52b4d486a353c/html5/thumbnails/80.jpg)
Recommendations - Prevention
• Missing Authentication Check in SAP Solution Manager
• Log on to SolMan NWA
• Navigate to Configuration → Connectivity → Single Service Administration
• Search for the EemAdmin service
• Modify the security part
SAP Patch : 2890213 (CVE-2020-6207)
![Page 81: Software Servers Pwning Your Company's Enterprise An ... · An Unauthenticated Journey to Root : Pwning Your Company's Enterprise Software Servers Pablo Artuso - Yvan Genuer #BHUSA](https://reader036.vdocument.in/reader036/viewer/2022081615/5fd52c1d47d52b4d486a353c/html5/thumbnails/81.jpg)
Recommendations - Prevention
• Privilege Escalation in SAP Host Agent

```xml
<SOAP-ENV:Fault>
  <faultcode>SOAP-ENV:Server</faultcode>
  <faultstring>Forbidden: The user daaadm is not authorized to process the operation ExecuteInstallationProcedure</faultstring>
</SOAP-ENV:Fault>
```

SAP Patch : 2902645 & 2902456 (CVE-2020-6234 & CVE-2020-6236)
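After applying the Host Agent patch, the fault above is what an administrator should see when a `service/admin_users` account calls an operation it is no longer allowed to run. The following is an added example (not the presentation's or SAP's code) that classifies SOAP 1.1 responses so that result can be checked programmatically across several operations and users. The fault body is the one on the slide; the envelope wrapper, the `PingResponse` success sample and the generic client fault are constructed for the example.

```python
"""Classify SAP Host Agent SOAP responses (SOAP 1.1 envelopes).

Added example, not the presentation's or SAP's code.  The fault body is the
one shown on the slide; the envelope wrapper, the PingResponse success sample
and the generic fault sample are constructed for the example.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, Optional, Set

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace

# faultstring a patched agent returns when an admin user lacks authorization
DENIED_RE = re.compile(
    r"Forbidden: The user (\S+) is not authorized to process the operation (\S+)"
)


def q(tag: str) -> str:
    """Clark-notation name for an element in the SOAP envelope namespace."""
    return "{%s}%s" % (SOAP_ENV, tag)


def envelope(body: str) -> str:
    """Wrap a body fragment in a SOAP 1.1 envelope (constructed helper)."""
    return (
        f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_ENV}">'
        f"<SOAP-ENV:Body>{body}</SOAP-ENV:Body></SOAP-ENV:Envelope>"
    )


# Constructed sample: the fault from the slide, inside an envelope.
DENIED_RESPONSE = envelope(
    "<SOAP-ENV:Fault><faultcode>SOAP-ENV:Server</faultcode>"
    "<faultstring>Forbidden: The user daaadm is not authorized to process "
    "the operation ExecuteInstallationProcedure</faultstring></SOAP-ENV:Fault>"
)
# Constructed sample: a non-fault reply (element name hypothetical).
OK_RESPONSE = envelope("<PingResponse/>")
# Constructed sample: a fault that is not an authorization denial.
OTHER_FAULT = envelope(
    "<SOAP-ENV:Fault><faultcode>SOAP-ENV:Client</faultcode>"
    "<faultstring>Unknown operation</faultstring></SOAP-ENV:Fault>"
)


def classify_response(xml_text: str) -> Dict[str, Optional[str]]:
    """Return {'status': 'authorized'|'denied'|'fault', 'user', 'operation', 'detail'}."""
    root = ET.fromstring(xml_text)
    fault = root.find(q("Body") + "/" + q("Fault"))
    if fault is None:
        return {"status": "authorized", "user": None, "operation": None, "detail": None}
    # SOAP 1.1 fault children are unqualified, as on the slide
    code = (fault.findtext("faultcode") or "").strip()
    text = (fault.findtext("faultstring") or "").strip()
    m = DENIED_RE.search(text)
    if m:
        return {"status": "denied", "user": m.group(1), "operation": m.group(2), "detail": code}
    return {"status": "fault", "user": None, "operation": None, "detail": text or code}


def denied_operations(responses: Iterable[str]) -> Dict[str, Set[str]]:
    """Map each user to the operations the agent refused them, across many replies."""
    denied: Dict[str, Set[str]] = {}
    for reply in responses:
        c = classify_response(reply)
        if c["status"] == "denied":
            denied.setdefault(str(c["user"]), set()).add(str(c["operation"]))
    return denied


if __name__ == "__main__":
    for name, reply in [("denied", DENIED_RESPONSE), ("ok", OK_RESPONSE), ("other", OTHER_FAULT)]:
        print(name, classify_response(reply))
```

An `authorized` result for an account in `service/admin_users` calling an installation or upgrade procedure after patching is the signal to investigate: either the patch did not take effect or the account is more privileged than intended.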
![Page 82: Software Servers Pwning Your Company's Enterprise An ... · An Unauthenticated Journey to Root : Pwning Your Company's Enterprise Software Servers Pablo Artuso - Yvan Genuer #BHUSA](https://reader036.vdocument.in/reader036/viewer/2022081615/5fd52c1d47d52b4d486a353c/html5/thumbnails/82.jpg)
Recommendations - Prevention
Reduce the attack surface by filtering access!
Keep SAP Solution Manager as up to date as possible!
![Page 83: Software Servers Pwning Your Company's Enterprise An ... · An Unauthenticated Journey to Root : Pwning Your Company's Enterprise Software Servers Pablo Artuso - Yvan Genuer #BHUSA](https://reader036.vdocument.in/reader036/viewer/2022081615/5fd52c1d47d52b4d486a353c/html5/thumbnails/83.jpg)
Recommendations - Patches
• Am I vulnerable?
• SOLMANDIAG 720 SP004 000011
• SOLMANDIAG 720 SP005 000012
• SOLMANDIAG 720 SP006 000013
• SOLMANDIAG 720 SP007 000020
• SOLMANDIAG 720 SP008 000016
• SOLMANDIAG 720 SP009 000008
• SOLMANDIAG 720 SP010 000002
• SAP HOST AGENT 720 Patch 46
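As an added example (not from the presentation), here is a small Python check that compares an installed component level with the levels listed above. It assumes each listed level is the first patch level that contains the fix, so anything below it is reported as vulnerable, and it returns None for releases or support packages the slide does not cover rather than guessing.

```python
"""Check installed SOLMANDIAG / SAP Host Agent levels against the fixed
levels listed on the slide.

Added example, not the presentation's code.  Reading each listed level as the
first patch level that contains the fix is an assumption; anything the slide
does not list (other releases, SOLMANDIAG SP > 10) is reported as None.
"""
from typing import Dict, Iterable, Optional, Tuple

# SOLMANDIAG 720: support package -> first patch level containing the fix
FIXED_SOLMANDIAG_720: Dict[int, int] = {4: 11, 5: 12, 6: 13, 7: 20, 8: 16, 9: 8, 10: 2}
# SAP HOST AGENT 720: first patch containing the fix
FIXED_HOST_AGENT_720_PATCH = 46


def parse_solmandiag(level: str) -> Tuple[int, int, int]:
    """'SOLMANDIAG 720 SP006 000013' -> (720, 6, 13)."""
    parts = level.split()
    if len(parts) != 4 or parts[0] != "SOLMANDIAG" or not parts[2].upper().startswith("SP"):
        raise ValueError(f"not a SOLMANDIAG level string: {level!r}")
    return int(parts[1]), int(parts[2][2:]), int(parts[3])


def parse_host_agent(level: str) -> Tuple[int, int]:
    """'SAP HOST AGENT 720 Patch 46' -> (720, 46)."""
    parts = level.split()
    if len(parts) != 6 or parts[:3] != ["SAP", "HOST", "AGENT"] or parts[4].lower() != "patch":
        raise ValueError(f"not a SAP HOST AGENT level string: {level!r}")
    return int(parts[3]), int(parts[5])


def is_vulnerable(level: str) -> Optional[bool]:
    """True if below the fixed level, False if at or above it, None if the
    slide's table does not cover this release / support package."""
    if level.startswith("SOLMANDIAG"):
        release, sp, patch = parse_solmandiag(level)
        if release != 720 or sp not in FIXED_SOLMANDIAG_720:
            return None
        return patch < FIXED_SOLMANDIAG_720[sp]
    release, patch = parse_host_agent(level)
    if release != 720:
        return None
    return patch < FIXED_HOST_AGENT_720_PATCH


def assess(levels: Iterable[str]) -> Dict[str, str]:
    """Human-readable verdict per installed component string."""
    words = {
        True: "VULNERABLE - apply the patch",
        False: "fixed level or later",
        None: "not covered by the table - check the SAP Note",
    }
    return {lvl: words[is_vulnerable(lvl)] for lvl in levels}


if __name__ == "__main__":
    # Constructed sample inventory
    inventory = ["SOLMANDIAG 720 SP006 000012",
                 "SOLMANDIAG 720 SP010 000002",
                 "SAP HOST AGENT 720 Patch 45"]
    for lvl, verdict in assess(inventory).items():
        print(f"{lvl}: {verdict}")
```

The component strings follow the format of the slide; the release and patch values of a real landscape would come from the SolMan component list and the Host Agent's own version output.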
![Page 84: Software Servers Pwning Your Company's Enterprise An ... · An Unauthenticated Journey to Root : Pwning Your Company's Enterprise Software Servers Pablo Artuso - Yvan Genuer #BHUSA](https://reader036.vdocument.in/reader036/viewer/2022081615/5fd52c1d47d52b4d486a353c/html5/thumbnails/84.jpg)
Recommendations - Patches
• Other important recent security patches related to SolMan
| SSN | CVE | Title | CVSS |
|---|---|---|---|
| 2931391 | CVE-2020-6271 | Missing XML Validation in SAP Solution Manager | 8.2 |
| 2906994 | CVE-2020-6235 | Missing Authentication check in SAP Solution Manager | 8.6 |
| 2845377 | CVE-2020-6198 | Missing Authentication check in SAP Solution Manager | 9.8 |
| 2748699 | CVE-2019-0291 | Information Disclosure in Solution Manager 7.2 | 7.1 |
| 2738791 | CVE-2019-0318 | Information Disclosure in SAP NetWeaver AS Java | 5.3 |
| 2772266 | CVE-2019-0307 | Information Disclosure in Solution Manager 7.2 | 3.4 |
| 2808158 | CVE-2019-0330 | OS Command Injection vulnerability in SAP Diagnostics Agent | 9.1 |
• More: 2904933, 2839864, 2823733, 2849096, 2219592, 2130510
![Page 85: Software Servers Pwning Your Company's Enterprise An ... · An Unauthenticated Journey to Root : Pwning Your Company's Enterprise Software Servers Pablo Artuso - Yvan Genuer #BHUSA](https://reader036.vdocument.in/reader036/viewer/2022081615/5fd52c1d47d52b4d486a353c/html5/thumbnails/85.jpg)
Recommendations - Detection (EEM activity)
• Maintain tracing level: nwa/log-config
• Tracing location: com.sap.smd.eem.admin.EemAdminService
• Log name: defaultTrace_00.<x>.trc
• Actions that can be logged: script actions (stop/start), files uploaded, information asked, more...
![Page 86: Software Servers Pwning Your Company's Enterprise An ... · An Unauthenticated Journey to Root : Pwning Your Company's Enterprise Software Servers Pablo Artuso - Yvan Genuer #BHUSA](https://reader036.vdocument.in/reader036/viewer/2022081615/5fd52c1d47d52b4d486a353c/html5/thumbnails/86.jpg)
Recommendations - Detection (Host Agent activity)
• Maintain tracing level: Profile configuration (more information: SAP Note 2451419)
• Log names: dev_saphostexec, sapstartsrv.log
• Full of activity
![Page 87: Software Servers Pwning Your Company's Enterprise An ... · An Unauthenticated Journey to Root : Pwning Your Company's Enterprise Software Servers Pablo Artuso - Yvan Genuer #BHUSA](https://reader036.vdocument.in/reader036/viewer/2022081615/5fd52c1d47d52b4d486a353c/html5/thumbnails/87.jpg)
1. Introduction
2. The Target: SolMan
3. From Unauthenticated Restricted Access...
4. ...to RCE as Agent administrator
5. ...to root them all!
6. Recommendations
7. Conclusion
![Page 88: Software Servers Pwning Your Company's Enterprise An ... · An Unauthenticated Journey to Root : Pwning Your Company's Enterprise Software Servers Pablo Artuso - Yvan Genuer #BHUSA](https://reader036.vdocument.in/reader036/viewer/2022081615/5fd52c1d47d52b4d486a353c/html5/thumbnails/88.jpg)
Conclusion : Chain of vulnerabilities
![Page 89: Software Servers Pwning Your Company's Enterprise An ... · An Unauthenticated Journey to Root : Pwning Your Company's Enterprise Software Servers Pablo Artuso - Yvan Genuer #BHUSA](https://reader036.vdocument.in/reader036/viewer/2022081615/5fd52c1d47d52b4d486a353c/html5/thumbnails/89.jpg)
Conclusion : Chain of vulnerabilities
Gain restricted access to one SAP Solution Manager service
![Page 90: Software Servers Pwning Your Company's Enterprise An ... · An Unauthenticated Journey to Root : Pwning Your Company's Enterprise Software Servers Pablo Artuso - Yvan Genuer #BHUSA](https://reader036.vdocument.in/reader036/viewer/2022081615/5fd52c1d47d52b4d486a353c/html5/thumbnails/90.jpg)
Conclusion : Chain of vulnerabilities
Execute arbitrary OS commands as daaadm on every SAP server
![Page 91: Software Servers Pwning Your Company's Enterprise An ... · An Unauthenticated Journey to Root : Pwning Your Company's Enterprise Software Servers Pablo Artuso - Yvan Genuer #BHUSA](https://reader036.vdocument.in/reader036/viewer/2022081615/5fd52c1d47d52b4d486a353c/html5/thumbnails/91.jpg)
Conclusion : Chain of vulnerabilities
Execute arbitrary OS commands as root or SYSTEM on every SAP server
![Page 92: Software Servers Pwning Your Company's Enterprise An ... · An Unauthenticated Journey to Root : Pwning Your Company's Enterprise Software Servers Pablo Artuso - Yvan Genuer #BHUSA](https://reader036.vdocument.in/reader036/viewer/2022081615/5fd52c1d47d52b4d486a353c/html5/thumbnails/92.jpg)
Conclusion : Post exploitation
• Espionage: obtain customers/vendors/human resources data, financial planning information, balances, profits, sales information, manufacturing recipes, etc.
• Fraud: modify financial information, tamper with sales and purchase orders, create new vendors, modify vendor bank account numbers, etc.
• Sabotage: paralyze the operation of the organization by shutting down the SAP system or the server, disrupting interfaces with other systems, deleting critical information, etc.
![Page 93: Software Servers Pwning Your Company's Enterprise An ... · An Unauthenticated Journey to Root : Pwning Your Company's Enterprise Software Servers Pablo Artuso - Yvan Genuer #BHUSA](https://reader036.vdocument.in/reader036/viewer/2022081615/5fd52c1d47d52b4d486a353c/html5/thumbnails/93.jpg)
![Page 94: Software Servers Pwning Your Company's Enterprise An ... · An Unauthenticated Journey to Root : Pwning Your Company's Enterprise Software Servers Pablo Artuso - Yvan Genuer #BHUSA](https://reader036.vdocument.in/reader036/viewer/2022081615/5fd52c1d47d52b4d486a353c/html5/thumbnails/94.jpg)
Conclusion : Final word
SAP Solution Manager is a great product. Secure it !
![Page 95: Software Servers Pwning Your Company's Enterprise An ... · An Unauthenticated Journey to Root : Pwning Your Company's Enterprise Software Servers Pablo Artuso - Yvan Genuer #BHUSA](https://reader036.vdocument.in/reader036/viewer/2022081615/5fd52c1d47d52b4d486a353c/html5/thumbnails/95.jpg)
Conclusion : References
• Patch 2902645 https://launchpad.support.sap.com/#/notes/2902645
• Patch 2902456 https://launchpad.support.sap.com/#/notes/2902456
• Patch 2890213 https://launchpad.support.sap.com/#/notes/2890213
• Patch 2808158 https://launchpad.support.sap.com/#/notes/2808158
• Patch 2823733 https://launchpad.support.sap.com/#/notes/2823733
• Patch 2839864 https://launchpad.support.sap.com/#/notes/2839864
• Patch 2849096 https://launchpad.support.sap.com/#/notes/2849096
• Patch 2772266 https://launchpad.support.sap.com/#/notes/2772266
• Patch 2738791 https://launchpad.support.sap.com/#/notes/2738791
• Patch 2748699 https://launchpad.support.sap.com/#/notes/2748699
• Patch 2845377 https://launchpad.support.sap.com/#/notes/2845377
• Patch 2904933 https://launchpad.support.sap.com/#/notes/2904933
![Page 96: Software Servers Pwning Your Company's Enterprise An ... · An Unauthenticated Journey to Root : Pwning Your Company's Enterprise Software Servers Pablo Artuso - Yvan Genuer #BHUSA](https://reader036.vdocument.in/reader036/viewer/2022081615/5fd52c1d47d52b4d486a353c/html5/thumbnails/96.jpg)
Conclusion : Greetings
• SAP Product Respond [email protected]
• Onapsis Security Research Lab [email protected]
• Julien Tomasi 🎥
• Cuervo Studio 🎥
![Page 97: Software Servers Pwning Your Company's Enterprise An ... · An Unauthenticated Journey to Root : Pwning Your Company's Enterprise Software Servers Pablo Artuso - Yvan Genuer #BHUSA](https://reader036.vdocument.in/reader036/viewer/2022081615/5fd52c1d47d52b4d486a353c/html5/thumbnails/97.jpg)
Thank you!
Questions ?
@onapsis
www.onapsis.com