Systems Applications Proxy Pwnage

ian@sensepost.com

[SensePost – 2011]
about: us

Ian de Villiers
What we’re going to talk about

• Why this Talk ?
• The history of decompressing SAP DIAG
• Understanding the fundamentals
• New Attacks
• Conclusion
Why this Talk ?

• SAP systems carry business critical data
  – Root is nice, but it’s all about the data…
• Any number of attacks against SAP systems
  – This talk is not about them…
• Fundamental security shortcoming in the SAP GUI (DIAG) protocol
  – Unencrypted. By Default
  – Compressed
  – This is old news…
#include <Disclaimer.h>

• SAP is a behemoth
• Very little documentation out there
  – service.sap.com requires user accounts
• Documentation for DIAG protocol requires NDA (apparently)…
• Custom toolsets require development
• SAP Basis version used is reasonably outdated…
  – Fine for protocol analysis
  – Some attack scenarios may not be applicable
#include <Disclaimer.h>

• SensePost Assessments
  – Covered a lot of ground…
  – … but virtually impossible to do a complete job on something as complex
  – Research has been on an “as-time-allows” approach between projects
• Releasing tools and research as-is…
  – Let’s see some SAP 0-day in the next couple of months…
• Lack of documentation means analysis is probably not spot-on
#include <Disclaimer.h>

• Planned to present with SAP on second laptop
• Some technical issues yesterday
  – Running SAP in a VM
  – Laptop is a dog in terms of speed at the moment
The History…

• Sniffing SAP GUI Passwords
  – Andreas Baus && René Ledosquet from Securon
  – Published 6th July, 2009
• Dealt with playing back captured packets to SAP GUI
• Decompressed data obtained from SAP GUI memory with debugger
But wait…

There’s more…
The History…

• Dennis Yurichev
  – Published 2nd June, 2010
• Discovered that a similar compression method was employed in MaxDB
  – Open Source MaxDB code available
• Wrote utility for decompressing SAP traffic
  – Required manual reassembly of data segments over multiple packets
The History…

• Dennis’ research required:
  – Identification of SAP compressed packets by magic
     • 0x1f @ packet.data[17]
     • 0x9d @ packet.data[18]
  – Stringing together of subsequent packets without magic at 17 and 18
  – Once the complete “message” had been assembled, we could decompress the data
     • (Decompression won’t work until we have the complete stream)
SAPDecompress – In Pictures

[Figure sequence: 1f 9d == SAP Compressed Message Magic, at packet.data[17] and packet.data[18]; Compressed Message → SAPDecompress.exe → Decompressed Message]
The History…

• Dennis Yurichev’s work is *awesome*…
• My work is based very much on his discovery…
The Fundamentals

• Understand the compression
• Understand the compressed protocol
  – Simplify the sniffing and decompression
• Recompression
• Understand the application protocol
  – What makes SAP GUI tick ?
• Identify SAP attack vectors not previously considered…
The Compression Algorithm

• Variants of Lempel-Ziv
  – LZC
  – LZH
  – SAP supports both (tried and tested)
     • Makes one believe that SAP and MaxDB share the same compression code-base…
• Version used per message is determined by the Compression Header…
  – This is described in a minute…
The Core, Compressed Protocol

• Easy to parse…
• In the absence of documentation, I’ve had to make my own names…
• Consists of:
  – “SAP Header”
  – “Compression Header”
  – Compressed Data
The SAP Header

• Bytes [0] – [11]
  – Bytes [0] – Bytes [3]
     • Len(Sheader) + Len(Cheader) + Len(Cdata) – 4
     • Example: 316 bytes – 4 bytes == 312 bytes; 0x00000138 == 312
  – Bytes [4] – Bytes [11]
     • Unknown (tampering makes *no* difference)
The Compression Header

• Bytes [12] – [19]
  – Bytes [12] – Bytes [15]
     • Length of decompressed stream
     • Little-Endian
     • Example: 0x000001af == 431
  – Byte [16]
     • Version of compression (LZH / LZC)
     • LZC == byte & 0x0f = 0x00
     • LZH == byte & 0x0f = 0x02
  – Bytes [17] – Bytes [18]
     • Compression Magic
     • Always 1f 9d
  – Byte [19]
     • MaxBits
Compressed Data

• Bytes [20] – [N]
  – The compressed stream
As an Aside…

• Bytes [12] – Bytes [15]
  – Length of decompressed stream
  – Little-Endian
  – Example: 0x000001af == 431
  – Field is user-controlled, but programmatic type is SAP_INT
  – Signed integer
• What if the original length was 0xffffff ?
• (thanks Behrang Fouladi)
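The following Python is an added example, not SApCap, SAPProx or any other SensePost code. It strings TCP payloads together into whole compressed messages the way the history slides describe (magic 1f 9d at packet.data[17] and packet.data[18], then the length from bytes [0]–[3]), parses the SAP Header and Compression Header laid out above, and refuses the signed-length case raised in this aside by reading bytes [12]–[15] as the signed SAP_INT they are. The slides do not state the byte order of bytes [0]–[3]; the example assumes big-endian. The sample messages are constructed here and carry a dummy body rather than a real LZC/LZH stream, and the 16 MiB bound on the decompressed length is an arbitrary value chosen for the example.

```python
import struct
from dataclasses import dataclass
from typing import List

# Layout from the talk: 12-byte "SAP Header", 8-byte "Compression Header",
# then the compressed stream.
MAGIC = b"\x1f\x9d"                   # bytes [17]-[18], always 1f 9d
SAP_HEADER_LEN = 12                   # bytes [0]-[11]
COMP_HEADER_LEN = 8                   # bytes [12]-[19]
HEADER_LEN = SAP_HEADER_LEN + COMP_HEADER_LEN
ALGORITHMS = {0x00: "LZC", 0x02: "LZH"}   # byte [16] & 0x0f
MAX_DECOMPRESSED = 16 * 1024 * 1024   # sanity bound chosen for this example


@dataclass
class DiagMessage:
    total_len: int         # bytes [0]-[3]: Len(Sheader)+Len(Cheader)+Len(Cdata) - 4
    decompressed_len: int  # bytes [12]-[15], little-endian SAP_INT
    algorithm: str         # "LZC" or "LZH"
    max_bits: int          # byte [19]
    compressed: bytes      # bytes [20]-[N]


def is_message_start(payload: bytes) -> bool:
    """Yurichev's test for the first segment of a compressed message."""
    return len(payload) > 18 and payload[17:19] == MAGIC


def parse_header(msg: bytes) -> DiagMessage:
    """Parse one complete message; raise ValueError on anything inconsistent."""
    if len(msg) < HEADER_LEN:
        raise ValueError("message shorter than the two headers")
    if msg[17:19] != MAGIC:
        raise ValueError("compression magic 1f 9d missing")
    total_len = struct.unpack(">I", msg[0:4])[0]       # byte order assumed
    if total_len + 4 != len(msg):
        raise ValueError("length field does not match message size")
    # SAP_INT is signed, so read the field as signed: an original length of
    # 0xffffffff comes out as -1 and must never reach an allocator.
    decompressed_len = struct.unpack("<i", msg[12:16])[0]
    if not 0 <= decompressed_len <= MAX_DECOMPRESSED:
        raise ValueError(f"implausible decompressed length {decompressed_len}")
    algorithm = ALGORITHMS.get(msg[16] & 0x0F)
    if algorithm is None:
        raise ValueError(f"unknown compression version byte {msg[16]:#x}")
    return DiagMessage(total_len, decompressed_len, algorithm, msg[19], msg[20:])


def is_valid_header(msg: bytes) -> bool:
    """True if parse_header accepts the message, False if it rejects it."""
    try:
        parse_header(msg)
        return True
    except ValueError:
        return False


def reassemble(payloads: List[bytes]) -> List[DiagMessage]:
    """Group consecutive TCP payloads into whole messages before decompressing."""
    messages: List[DiagMessage] = []
    buf = b""
    for payload in payloads:
        if not buf and not is_message_start(payload):
            continue          # not compressed, e.g. the initial hand-shake
        buf += payload
        while len(buf) >= 4:
            expected = struct.unpack(">I", buf[0:4])[0] + 4
            if len(buf) < expected:
                break         # the rest of the message is still in flight
            messages.append(parse_header(buf[:expected]))
            buf = buf[expected:]
    return messages


def build_message(body: bytes, decompressed_len: int, algorithm: str,
                  max_bits: int = 12) -> bytes:
    """Constructed sample message; real traffic carries an LZC/LZH stream."""
    version = {name: code for code, name in ALGORITHMS.items()}[algorithm]
    sap_header = struct.pack(">I", HEADER_LEN + len(body) - 4) + bytes(8)
    comp_header = (struct.pack("<I", decompressed_len & 0xFFFFFFFF)
                   + bytes([version]) + MAGIC + bytes([max_bits]))
    return sap_header + comp_header + body


if __name__ == "__main__":
    # The slides' numbers: a 316-byte message, so bytes [0]-[3] hold
    # 312 == 0x138, with a decompressed length of 431 == 0x1af.
    msg = build_message(b"A" * 296, 431, "LZH")
    segments = [b"uncompressed hand-shake", msg[:100], msg[100:250], msg[250:]]
    for m in reassemble(segments):
        print(m.total_len, m.decompressed_len, m.algorithm, m.max_bits, len(m.compressed))
    print(is_valid_header(build_message(b"x" * 10, 0xFFFFFFFF, "LZC")))
```

The reassembler is length-driven rather than magic-driven once a message has started, so a payload that happens to carry 1f 9d at offset 17 in the middle of a stream is not mistaken for a new message; the magic only identifies where a compressed message begins.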
  
Sniffing SAP Traffic

• SAP traffic does not lend itself very well to WireShark dissectors…
• Answer was to write a custom protocol analysis tool in Java
• Used 3rd party pCap JNI interface
  – Allows us to use standard pCap filters / dump files
• Use custom built JNI interface built from MaxDB code
SApCap

• Jpcap
  – JNI interface for pCap
  – Responsible for reading packets
     • pCap dump files
     • Sniffing
  – Filtering packets using standard pCap filters
  – Saving information as pCap dump files
• SApCap
  – Java
  – Responsible for:
     • Parsing packet data
     • Decompressing messages
     • Queue management
• SapCompress
  – JNI interface
  – Implements MaxDB functions for decompression
     • int[] doDecompress(int[])
Demo: SApCap
Recompression ?

• Core decompression functions are defined in vpa105CsObjInt.cpp
  – CsDecompr()
• But… vpa105CsObjInt.cpp also contains a function for what would appear to be compression…
  – CsCompr()
• We modify our JNI library to make use of the MaxDB code
  – doCompress()
  – doDecompress()
• We now have a programmatic interface to:
  – Decompress SAP traffic
     • doDecompress()
     • Useful for interception and sniffing
  – Compress SAP traffic
     • doCompress()
     • Useful for MiTM attacks
     • Useful for assessment of SAP GUI applications
The Application Protocol

• Multiplexed
  – Single connection per-user per-location per-host
• Initial hand-shake is uncompressed
• Server response is compressed
• Uncompressed hand-shake component is static (apart from “terminal name”)
  – Options change depending on capabilities of SAP GUI (support bits)
Message Types

• Two basic Types of Messages
  – Simple Messages
  – Complex Messages
• Message structures differ in terms of direction
  – GUI -> Server
  – Server -> GUI
Simple Messages : GUI -> SAP

• Header
  – “OK Code”
  – Character Encoding
  – GUI Version
• Data
  – Input values
  – XML Stream defining screen metrics
Simple Messages : SAP -> GUI

• Header
  – Encoding
  – Transaction ID
  – System Name
  – Host name
  – Theme
• Data
  – SAP Program Context & SAP Screen
  – Menus & Keyboard Accelerators
  – Input dialogs
  – Screen Data
• “TH”
  – System Name
  – Transaction
  – Transaction ID
Dialogs

• All input fields accept strings
  – No client-side validation
  – Data is validated on the server
• Input field lengths can be manipulated
• Length of submitted strings can be adjusted in a similar fashion…
Complex Messages

• Contain the same structures as simple messages…
• … But include XML structure:
  – <SVARS>
• Include compressed streams:
  – PARAMS
  – RFC_QUEUE
  – VERBS
  – VARS
PARAMS, VARS and VERBS

• Work in conjunction
• Define actions to be performed on / by objects on the GUI / Server
• Lists of “indexed data” are decompressed and parsed by ABAP to various fixed-length data structures
PARAMS, VARS and VERBS

• Decompressed, they look as follows:
  – PARAMS:
  – VERBS:
  – VARS:
  [figures not reproduced]
PARAMS, VARS and VERBS

• Parsed by ABAP into structured variables
• CASE ABAP PARAM-TYP.
  – WHEN ‘S’:
     • Set Value Of
  – WHEN ‘G’:
     • Get Value Of
  – WHEN ‘C’:
     • Call Method Of
• Thoughts of eval() spring to mind…
PARAMS, VARS and VERBS

• Graphic example:
  [figures not reproduced]
PARAMS, VARS and VERBS

• Details on these structures can be found in ABAP code…
• Refer to ABAP Structures && where used:
  – OLE_PA
  – OLE_VERBS
  – SWCBCONT
RFC_QUEUE

• Contains META and internal table data in use by the current application / screen
• Only ever seems to appear in SAP responses
  – This assumption may be incorrect
SAPProx

• SapCompress
  – JNI interface
  – Implements MaxDB functions for decompression && compression
     • int[] doDecompress(int[])
     • int[] doCompress(int[])
• SAPProx
  – Java
  – Responsible for:
     • Parsing packet data
     • Decompressing messages
     • Interception
     • Compressing modified messages
     • Queue management
Demo: SAPProx
Attack API

• Users can write their own exploits
• In a scripting language of their choice…
  – Jython
  – Groovy
  – JRuby
  – *
• Script locations specified in configuration
• Allow for canned exploits
• (thanks Willem Mouton)
Demo: Attacks / Scripting
New (Old) Attacks ?

• We now have a proxy for SAP GUI
  – WebScarab for SAP
• For what I believe is the first time, we get an unprecedented view into SAP GUI applications…
• … and we know where that left us with web applications …
Demo: Auth*
Demo: State & Business Logic
Demo: Validation
Demo: Replay
Client-Side Attacks

• Many business cases require the execution of applications on the client.
  – Provided for by ABAP
• Deprecated: GUI_RUN or WS_EXECUTE
• Current: cl_gui_frontend_services
• Newer clients still support old methods
  – Backwards compatibility
  – Do prompt when applications execute
• (thanks Steve Lord)
Client-Side Attacks

• WS_EXECUTE / GUI_RUN
  [figures not reproduced]
Demo: Client-Side Attacks
Client-Side Attacks

• cl_gui_frontend_services
  – Makes use of OLE
Client-Side Attacks

• SAP GUI provides a number of COM libraries with potentially exploitable functions
  – Saved by the fact that the controls are not marked “Safe for Scripting”
• With SAPProx we can potentially instantiate diverse COM objects
Demo: DoS
New (Old) Attacks ?

• Authorisation
• Authentication
• State Management
• Business Logic
• Validation
• Replay
• Client-Side attacks
• DoS
• *
Conclusion

• A couple of factors have been common security knowledge for years…
  – Plain-text communication == #fail
  – Security by obscurity == #fail
• We now have a toolset and programmatic interface into the SAP DIAG protocol
  – Game Changer
  – Change the way we look at ABAP
  – Happy Haxoring
Conclusion

• SAP provides encryption for client components in the form of Secure Network Communications (SNC)
  – Provided by 3rd parties
  – Provided by SAP
• SAP clients should ensure the use of SNC is enabled and enforced
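An added example, not from the talk or from SensePost's tools, of the check the last bullet calls for: a small Python script that reads an SAP instance profile and flags settings that still let SAP GUI connect without SNC, which is exactly the plaintext DIAG traffic the rest of the talk sniffs and proxies. The profile text is constructed for the example, and the parameter names (snc/enable, snc/accept_insecure_gui, snc/data_protection/min) are the SAP profile parameters the example assumes; confirm their semantics against your own release's documentation before relying on the check.

```python
from typing import Dict, List

# Constructed instance-profile fragments in SAP's "name = value" format.
WEAK_PROFILE = """\
# constructed sample: SNC off, so every DIAG session is plaintext
SAPSYSTEMNAME = XYZ
snc/enable = 0
"""

HARDENED_PROFILE = """\
# constructed sample: SNC on, GUI logons without SNC refused, encryption required
SAPSYSTEMNAME = XYZ
snc/enable = 1
snc/accept_insecure_gui = 0
snc/data_protection/min = 3
"""

# Values the check expects (assumed profile parameters, see lead-in):
#   snc/enable = 1               SNC is switched on for the instance
#   snc/accept_insecure_gui = 0  DIAG logons without SNC are refused
#   snc/data_protection/min = 3  minimum protection is privacy (encryption),
#                                not just authentication (1) or integrity (2)
EXPECTED = {
    "snc/enable": "1",
    "snc/accept_insecure_gui": "0",
    "snc/data_protection/min": "3",
}


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines; anything after '#' is a comment."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def snc_findings(profile_text: str) -> List[str]:
    """One finding per parameter that leaves DIAG connections unencrypted."""
    params = parse_profile(profile_text)
    findings: List[str] = []
    for name, wanted in EXPECTED.items():
        actual = params.get(name)
        if actual is None:
            findings.append(f"{name} is not set; the check expects {wanted}")
        elif actual != wanted:
            findings.append(f"{name} = {actual}, expected {wanted}")
    return findings


if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, snc_findings(profile) or "no findings")
```

Run the check against the real instance profiles (one per application server) rather than a single default profile, since SNC enforcement is per instance and one forgotten server is enough to keep unencrypted DIAG reachable.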
  
Questions ?

• www.sensepost.com/blog

ian@sensepost.com
Systems Applications Proxy Pwnage

  • 1. Systems Applications Proxy Pwnage! ian@sensepost.com! [SensePost  –  2011]  
  • 2. about: us! Ian de Villiers! [SensePost  –  2011]  
  • 3. What weʼre going to talk about! •  Why this Talk ?! •  The history of decompressing SAP DIAG! •  Understanding the fundamentals! •  New Attacks! •  Conclusion! [SensePost  –  2011]  
  • 4. Why this Talk ?! •  SAP systems carry business critical data! –  Root is nice, but itʼs all about the data… ! •  Any numbers of attacks against SAP systems! –  This talk is not about them…! •  Fundamental security shortcoming in the SAP GUI (DIAG) protocol! –  Unencrypted. By Default! –  Compressed! –  This is old news…! [SensePost  –  2011]  
  • 5. #include <Disclaimer.h>! •  SAP is a behemoth! •  Very little documentation out there! –  service.sap.com require user accounts ! •  Documentation for DIAG protocol requires NDA (apparently)… ! •  Custom toolsets require development! •  SAP Basis version used is reasonably outdated..! –  Fine for protocol analysis! –  Some attack scenarios may not be applicable! [SensePost  –  2011]  
  • 6. #include <Disclaimer.h>! •  SensePost Assessments! –  Covered a lot of ground…! –  … but virtually impossible to do a complete job on something as complex! –  Research has been on an “as-time-allows” approach between projects! •  Releasing tools and research as-is…! –  Letʼs see some SAP 0-day in the next couple of months… ! •  Lack of documentation means analysis is probably not spot-on! [SensePost  –  2011]  
  • 7. #include <Disclaimer.h>! •  Planned to present with SAP on second laptop! •  Some technical issues yesterday! –  Running SAP in a VM! –  Laptop is a dog in terms of speed at the moment! [SensePost  –  2011]  
  • 8. What weʼre going to talk about! •  Why this Talk ?! •  The history of decompressing SAP DIAG! •  Understanding the fundamentals! •  New Attacks! •  Conclusion! [SensePost  –  2011]  
  • 9. The History…! •  Sniffing SAP GUI Passwords! –  Andreas Baus && René Ledosquet from Securon! –  Published 6th July, 2009! •  Dealt with playing back captured packets to SAP GUI! •  Decompressed data obtained from SAP GUI memory with debugger! [SensePost  –  2011]  
  • 10. But wait…
 Thereʼs more…! [SensePost  –  2011]  
  • 11. The History…! •  Dennis Yurichev! –  Published 2nd June, 2010! •  Discovered that similar compression method was employed in MaxDB! –  Open Source MaxDB code available! •  Wrote utility for decompressing SAP traffic! –  Required manual reassembly of data segments over multiple packets! [SensePost  –  2011]  
  • 12. The History…! •  Dennisʼ research required:! –  Identification of SAP compressed packets by magic! •  0x1f @ packet.data[17]! •  0x9d @ packet.data[18]! –  Stringing together of subsequent packets without magic at 17 and 18! –  Once complete “message” had been assembled, we could decompress the data! •  (Decompression wonʼt work until we have the complete stream)! [SensePost  –  2011]  
  • 13. SAPDecompress – In Pictures! [SensePost  –  2011]  
  • 14. SAPDecompress – In Pictures! [SensePost  –  2011]  
  • 15. SAPDecompress – In Pictures! 1f  9d  ==  SAP  Compressed  Message  Magic   At  packet.data[17]  and  packet.data[18]   [SensePost  –  2011]  
  • 16. SAPDecompress – In Pictures! [SensePost  –  2011]  
  • 17. SAPDecompress – In Pictures! [SensePost  –  2011]  
  • 18. SAPDecompress – In Pictures! [SensePost  –  2011]  
  • 19. SAPDecompress – In Pictures! [SensePost  –  2011]  
  • 20. SAPDecompress – In Pictures! [SensePost  –  2011]  
  • 21. SAPDecompress – In Pictures! Compressed   SAPDecompress.exe   Decompressed   Message   Message   [SensePost  –  2011]  
  • 22. SAPDecompress – In Pictures! Compressed   SAPDecompress.exe   Decompressed   Message   Message   [SensePost  –  2011]  
  • 23. The History…! •  Dennis Yurichevʼs work is *awesome*…! •  My work is based very much on his discovery…! [SensePost  –  2011]  
• 25. The Fundamentals
  • Understand the compression
  • Understand the compressed protocol
    – Simplify the sniffing and decompression
    – Recompression
  • Understand the application protocol
    – What makes SAP GUI tick?
  • Identify SAP attack vectors not previously considered…
• 26–28. The Compression Algorithm
  • Variants of Lempel-Ziv
    – LZC
    – LZH
    – SAP supports both (tried and tested)
  • Makes one believe that SAP and MaxDB share the same compression code-base…
    (diagram: SAP .Compression / .Decompression == MaxDB .Compression / .Decompression)
  • The variant used per message is determined by the Compression Header…
    – This is described in a minute…
• 30–35. The Core, Compressed Protocol
  • Easy to parse…
  • In the absence of documentation, Iʼve had to make my own names…
  • Consists of:
    – “SAP Header”
    – “Compression Header”
    – Compressed Data
• 36–39. The SAP Header
  • Bytes [0] – [11]
    – Bytes [0] – [3]
      • Len(Sheader) + Len(Cheader) + Len(Cdata) – 4
      • Example: 316 bytes – 4 bytes == 312 bytes; 0x00000138 == 312
    – Bytes [4] – [11]
      • Unknown (tampering makes *no* difference)
• 40–47. The Compression Header
  • Bytes [12] – [19]
    – Bytes [12] – [15]
      • Length of the decompressed stream
      • Little-Endian
      • Example: 0x000001af == 431
    – Byte [16]
      • Version of compression (LZH / LZC)
      • LZC: (byte & 0x0f) == 0x00
      • LZH: (byte & 0x0f) == 0x02
    – Bytes [17] – [18]
      • Compression Magic
      • Always 1f 9d
    – Byte [19]
      • MaxBits

• 48. Compressed Data
  • Bytes [20] – [N]
    – The compressed stream
• 49–52. As an Aside…
  • Bytes [12] – [15]
    – Length of the decompressed stream
    – Little-Endian (0x000001af == 431)
    – The field is user-controlled, but the programmatic type is SAP_INT
      • Signed integer
    – What if the original length was 0xffffff?
    – (thanks Behrang Fouladi)
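The following is an added worked example, written for this page and not the SApCap/SAPProx code from the talk. It carves DIAG messages out of a reassembled TCP stream using the length at bytes [0]–[3] (which removes the manual "string packets together until the next magic" step from slide 12), then parses the "SAP Header" and "Compression Header" exactly as laid out on the slides above, using the speaker's own field names. The sample bytes are constructed, not captured traffic, and the example stops at the header: inflating the payload needs the MaxDB CsDecompr routine that the talk wraps over JNI. One caveat on the aside: the slide writes 0xffffff, but a 32-bit SAP_INT only goes negative once the top bit is set, so the hostile test vector uses 0xffffffff.

```python
# Added example: DIAG message carving + compression-header parsing.
# Offsets, the 1f 9d magic, the LZC/LZH selector in byte [16] and the
# little-endian decompressed length come from the slides; everything
# else (names, sample bytes) is this example's own.
import struct
from dataclasses import dataclass, field
from typing import List, Optional

SAP_MAGIC = b"\x1f\x9d"                   # bytes [17]-[18] of a compressed message
ALGORITHMS = {0x00: "LZC", 0x02: "LZH"}   # low nibble of byte [16]


@dataclass
class DiagMessage:
    raw: bytes
    compressed: bool
    algorithm: Optional[str] = None
    decompressed_len: Optional[int] = None   # bytes [12]-[15], little-endian, unsigned view
    max_bits: Optional[int] = None           # byte [19]
    payload: bytes = b""                     # bytes [20]-[N]: the compressed stream
    warnings: List[str] = field(default_factory=list)


class StreamCarver:
    """Accumulates TCP segments and returns whole DIAG messages.

    Bytes [0]-[3] hold, big-endian, the number of bytes that follow them
    (Len(Sheader)+Len(Cheader)+Len(Cdata)-4), so a message spanning several
    TCP segments is simply read up to that length; no need to hunt for the
    magic in continuation packets as the SAPDecompress workflow did."""

    def __init__(self) -> None:
        self._buf = b""

    def feed(self, segment: bytes) -> List[bytes]:
        self._buf += segment
        complete = []
        while len(self._buf) >= 4:
            (following,) = struct.unpack_from(">I", self._buf, 0)
            if len(self._buf) < 4 + following:
                break                        # rest of this message not seen yet
            complete.append(self._buf[:4 + following])
            self._buf = self._buf[4 + following:]
        return complete


def parse_message(msg: bytes) -> DiagMessage:
    """Parse one carved message; messages without 1f 9d at [17]-[18]
    (e.g. the uncompressed initial handshake) are returned unparsed."""
    if len(msg) < 20 or msg[17:19] != SAP_MAGIC:
        return DiagMessage(raw=msg, compressed=False)
    m = DiagMessage(raw=msg, compressed=True)
    (declared,) = struct.unpack_from(">I", msg, 0)
    if declared != len(msg) - 4:
        m.warnings.append(f"length field {declared} != len(msg)-4 = {len(msg) - 4}")
    # Bytes [4]-[11] are unknown and ignored (tampering made no difference).
    (as_unsigned,) = struct.unpack_from("<I", msg, 12)
    (as_sap_int,) = struct.unpack_from("<i", msg, 12)   # SAP_INT is signed
    m.decompressed_len = as_unsigned
    # The field comes straight off the wire, so a client can set the top bit
    # and the server sees a negative length.  Flag it rather than trust it.
    if as_sap_int < 0:
        m.warnings.append(
            f"decompressed length 0x{as_unsigned:08x} reads as {as_sap_int} in SAP_INT")
    selector = msg[16] & 0x0F
    m.algorithm = ALGORITHMS.get(selector, f"unknown(0x{selector:02x})")
    if selector not in ALGORITHMS:
        m.warnings.append(f"unrecognised compression selector 0x{selector:02x}")
    m.max_bits = msg[19]
    m.payload = msg[20:]
    return m


def build_compressed(decompressed_len: int, selector: int, max_bits: int,
                     payload: bytes) -> bytes:
    """Constructed test vector in the slides' layout (not real DIAG traffic)."""
    body = (bytes(8)                                            # [4]-[11] unknown
            + struct.pack("<I", decompressed_len & 0xFFFFFFFF)  # [12]-[15]
            + bytes([selector])                                 # [16]
            + SAP_MAGIC                                         # [17]-[18]
            + bytes([max_bits])                                 # [19]
            + payload)                                          # [20]-[N]
    return struct.pack(">I", len(body)) + body                  # [0]-[3] = total - 4


def demo() -> List[DiagMessage]:
    """Three constructed messages, re-split at arbitrary points to mimic TCP."""
    stream = b"".join([
        build_compressed(431, 0x00, 12, b"\x00\x04\x00\x01" * 10),        # LZC
        build_compressed(0xFFFFFFFF, 0x02, 12, b"\x00\x07\x00\x03" * 5),  # LZH, hostile length
        struct.pack(">I", 24) + bytes(24),                                 # no magic: uncompressed
    ])
    carver = StreamCarver()
    parsed: List[DiagMessage] = []
    for segment in (stream[:25], stream[25:61], stream[61:100], stream[100:]):
        for raw in carver.feed(segment):
            parsed.append(parse_message(raw))
    return parsed


if __name__ == "__main__":
    for i, m in enumerate(demo()):
        print(i, m.compressed, m.algorithm, m.decompressed_len, m.max_bits, m.warnings)
```

Feed `StreamCarver.feed()` with the TCP payloads of one SAP GUI connection in order (from a pcap or a live socket) and hand each returned message to `parse_message()`; only messages whose `warnings` list is empty should be passed on to a decompressor, since a negative or mismatched length is either corruption or someone probing the server.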
• 53. Sniffing SAP Traffic
  • SAP traffic does not lend itself very well to Wireshark dissectors…
  • The answer was to write a custom protocol analysis tool in Java
  • Used a 3rd-party pCap JNI interface
    – Allows us to use standard pCap filters / dump files
  • Uses a custom-built JNI interface built from the MaxDB code
• 55. SApCap
  • Jpcap
    – JNI interface for pCap
    – Responsible for reading packets
      • pCap dump files
      • Sniffing
    – Filtering packets using standard pCap filters
    – Saving information as pCap dump files

• 56. SApCap
  • SApCap
    – Java
    – Responsible for:
      • Parsing packet data
      • Decompressing messages
      • Queue management

• 57. SApCap
  • SapCompress
    – JNI interface
    – Implements MaxDB functions for decompression
      • int[] doDecompress(int[])

• 58. Demo: SApCap
• 60. Recompression?
  • Core decompression functions are defined in vpa105CsObjInt.cpp
    – CsDecompr()

• 61. Recompression?
  • But… vpa105CsObjInt.cpp also contains a function for what would appear to be compression…
    – CsCompr()

• 62. Recompression?
  • We modify our JNI library to make use of the MaxDB code
    – doCompress()
    – doDecompress()

• 63. Recompression?
  • We now have a programmatic interface to:
    – Decompress SAP traffic
      • doDecompress()
      • Useful for interception and sniffing
    – Compress SAP traffic
      • doCompress()
      • Useful for MiTM attacks
      • Useful for assessment of SAP GUI applications
• 65–69. The Application Protocol
  • Multiplexed
    – Single connection per-user per-location per-host
  • Initial handshake is uncompressed
  • Server response is compressed
  • The uncompressed handshake is static (apart from the “terminal name”)
    – Options change depending on the capabilities of the SAP GUI (support bits)
• 70. Message Types
  • Two basic types of messages
    – Simple Messages
    – Complex Messages
  • Message structures differ in terms of direction
    – GUI -> Server
    – Server -> GUI
• 71–72. Simple Messages : GUI -> SAP
  • Header
    – “OK Code”
    – Character Encoding
    – GUI Version
  • Data
    – Input values
    – XML stream defining screen metrics
• 73–82. Simple Messages : SAP -> GUI
  • Header
    – Encoding
    – Transaction ID
    – System Name
    – Host name
    – Theme
  • Data
    – SAP Program Context & SAP Screen
    – Menus & Keyboard Accelerators
    – Input dialogs
    – Screen Data
  • “TH”
    – System Name
    – Transaction
    – Transaction ID
• 83–87. Dialogs
  • All input fields accept strings
    – No client-side validation
    – Data is validated on the server
  • Input field lengths can be manipulated

• 88–89. Dialogs
  • Length of submitted strings can be adjusted in a similar fashion…
• 90–100. Complex Messages
  • Contain the same structures as simple messages…
  • … but include an XML structure:
    – <SVARS>
  • Include compressed streams:
    – PARAMS
    – RFC_QUEUE
    – VERBS
    – VARS
• 101. PARAMS, VARS and VERBS
  • Work in conjunction
  • Define actions to be performed on / by objects on the GUI / Server
  • Lists of “indexed data” are decompressed and parsed by ABAP into various fixed-length data structures

• 102–104. PARAMS, VARS and VERBS
  • Decompressed, they look as follows (screenshots):
    – PARAMS
    – VERBS
    – VARS

• 105. PARAMS, VARS and VERBS
  • Parsed by ABAP into structured variables
  • CASE ABAP PARAM-TYP.
    – WHEN ʻSʼ:
      • Set Value Of
    – WHEN ʻGʼ:
      • Get Value Of
    – WHEN ʻCʼ:
      • Call Method Of
  • Thoughts of eval() spring to mind…
• 106–109. PARAMS, VARS and VERBS
  • Graphic example (screenshots)

• 110. PARAMS, VARS and VERBS
  • Details on these structures can be found in ABAP code…
  • Refer to the ABAP structures && where-used:
    – OLE_PA
    – OLE_VERBS
    – SWCBCONT
• 111–112. RFC_QUEUE
  • Contains META and internal table data in use by the current application / screen
  • Only ever seems to appear in SAP responses
    – This assumption may be incorrect
• 114. SAPProx

• 115. SAPProx
  • SapCompress
    – JNI interface
    – Implements MaxDB functions for decompression && compression
      • int[] doDecompress(int[])
      • int[] doCompress(int[])

• 116. SAPProx
  • SAPProx
    – Java
    – Responsible for:
      • Parsing packet data
      • Decompressing messages
      • Interception
      • Compressing modified messages
      • Queue management

• 117. Demo: SAPProx
• 118. Attack API
  • Users can write their own exploits
  • In a scripting language of their choice…
    – Jython
    – Groovy
    – JRuby
    – *
  • Script locations are specified in the configuration
  • Allows for canned exploits
  • (thanks Willem Mouton)

• 119. Demo: Attacks / Scripting
• 121. New (Old) Attacks?
  • We now have a proxy for SAP GUI
    – WebScarab for SAP
  • For what I believe is the first time, we get an unprecedented view into SAP GUI applications…
  • … and we know where that left us with web applications…

• 122–130. New (Old) Attacks? (list built up over the slides, demos in between)
  • Authorisation
  • Authentication
    – 123. Demo: Auth*
  • State Management
  • Business Logic
    – 125. Demo: State & Business Logic
  • Validation
    – 127. Demo: Validation
  • Replay
    – 129. Demo: Replay
  • Client-Side attacks
• 131. Client-Side Attacks
  • Many business cases require the execution of applications on the client.
    – Provided for by ABAP
      • Deprecated: GUI_RUN or WS_EXECUTE
      • Current: cl_gui_frontend_services
  • Newer clients still support the old methods
    – Backwards compatibility
    – Do prompt when applications execute
  • (thanks Steve Lord)

• 132–133. Client-Side Attacks
  • WS_EXECUTE / GUI_RUN (screenshots)

• 134. Demo: Client-Side Attacks

• 135–136. Client-Side Attacks
  • cl_gui_frontend_services
    – Makes use of OLE

• 137–139. Client-Side Attacks
  • SAP GUI provides a number of COM libraries with potentially exploitable functions
    – Saved by the fact that the controls are not marked “Safe for Scripting”
  • With SAPProx we can potentially instantiate diverse COM objects
• 140–142. New (Old) Attacks? (continued)
  • DoS
    – 141. Demo: DoS
  • *
• 144. Conclusion
  • A couple of factors have been common security knowledge for years…
    – Plain-text communication == #fail
    – Security by obscurity == #fail
  • We now have a toolset and a programmatic interface into the SAP DIAG protocol
    – Game changer
    – Changes the way we look at ABAP
    – Happy Haxoring

• 145. Conclusion
  • SAP provides encryption for client components in the form of Secure Network Communications (SNC)
    – Provided by 3rd parties
    – Provided by SAP
  • SAP customers should ensure the use of SNC is enabled and enforced
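"Enabled and enforced" is a profile question: SNC that is switched on but still accepts insecure SAP GUI logons leaves exactly the plain-text DIAG path this talk proxies. The following is an added example, not part of the talk, of a small reviewer's check over the SNC profile parameters (`snc/enable`, `snc/gssapi_lib`, `snc/accept_insecure_gui`, `snc/accept_insecure_rfc`, `snc/data_protection/min`, whose names and 0/1 and 1/2/3 semantics are SAP's). The two profile fragments are constructed, the library path is hypothetical, and the pass criteria are this example's own reading of "enforced": SNC on, no insecure GUI or RFC logons, and privacy (level 3) as the minimum protection level, since levels 1 and 2 authenticate and integrity-protect but do not encrypt.

```python
# Added example: audit the SNC-related lines of an SAP instance/default
# profile and list why SAP GUI (DIAG) traffic might still be unencrypted.
from typing import Dict, List


def parse_profile(text: str) -> Dict[str, str]:
    """Read 'parameter = value' lines of a profile; '#' starts a comment and
    a later line overrides an earlier one, as in the real profile files."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        params[name] = value
    return params


def snc_findings(params: Dict[str, str]) -> List[str]:
    """Return the reasons why DIAG traffic to this instance may still be
    plain text; an empty list means SNC is on and enforced for SAP GUI."""
    findings: List[str] = []
    if params.get("snc/enable") != "1":
        findings.append("snc/enable is not 1: SNC is off, every SAP GUI session is plain text")
        return findings            # nothing else matters until SNC is switched on
    if not params.get("snc/gssapi_lib"):
        findings.append("snc/gssapi_lib is not set: no SNC library, SNC cannot come up")
    # accept_insecure_gui = 1 (or U) keeps a plain-text DIAG logon path open.
    # An unset value is a finding too: a review should not lean on the kernel default.
    if params.get("snc/accept_insecure_gui") != "0":
        findings.append("snc/accept_insecure_gui is not 0: SAP GUI may still log on without SNC")
    if params.get("snc/accept_insecure_rfc") != "0":
        findings.append("snc/accept_insecure_rfc is not 0: RFC clients may still connect without SNC")
    # Protection levels: 1 = authentication only, 2 = integrity, 3 = privacy.
    # Only 3 actually encrypts the DIAG stream.
    try:
        min_level = int(params.get("snc/data_protection/min", "0"))
    except ValueError:
        min_level = 0
    if min_level < 3:
        findings.append(
            f"snc/data_protection/min={min_level or 'unset'}: encryption (level 3) not required")
    return findings


# Constructed profile fragments (not from a real system).  The first is the
# common half-measure: SNC switched on but not enforced.
WEAK_PROFILE = """\
snc/enable = 1
snc/gssapi_lib = /usr/sap/XYZ/SYS/exe/run/libsapcrypto.so   # hypothetical path
snc/identity/as = p:CN=XYZ, OU=SAP, O=Example, C=ZA
snc/accept_insecure_gui = 1        # plain-text SAP GUI logons still allowed
snc/data_protection/min = 1        # authentication only, no encryption
"""

ENFORCED_PROFILE = """\
snc/enable = 1
snc/gssapi_lib = /usr/sap/XYZ/SYS/exe/run/libsapcrypto.so   # hypothetical path
snc/identity/as = p:CN=XYZ, OU=SAP, O=Example, C=ZA
snc/accept_insecure_gui = 0
snc/accept_insecure_rfc = 0
snc/data_protection/min = 3        # privacy: DIAG is encrypted, not merely compressed
snc/data_protection/max = 3
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROFILE), ("enforced", ENFORCED_PROFILE)):
        print(label, snc_findings(parse_profile(text)) or ["ok"])
```

Run it against the DEFAULT and instance profiles of each application server (the effective value can also be read live with transaction RZ11); an empty list per instance is the state the conclusion above asks for, and anything else means a DIAG proxy still has a plain-text path to work with.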
• 146. Questions?
  • www.sensepost.com/blog
  • ian@sensepost.com