1. SAP CUA as an SAP Attack Vector Dmitry Gutsko Business System Security Assessment Group Positive Technologies PHDays IV

2. Agenda What is SAP CUA? Deployment schemes SAP CUA user privileges Attack vectors Compromising a child system Analysis of network packets Protection/Countermeasures 3. What is SAP CUA? SAP HCM SAP CRM SAP ECC SAP BW SAP FI SAP CUA 4. What is SAP CUA? SAP CUA Central System Child System Child System Child System 5. SAP CUA deployment 6. SAP CUA deployment (trusted connections) 7. SAP CUA User Privileges (SAP Recommendations) Client side (SAP CUA child system) SAP_BC_USR_CUA_CLIENT SAP_BC_USR_CUA_SETUP_CLIENT Server side (SAP CUA central system) SAP_BC_USR_CUA_CENTRAL SAP_BC_USR_CUA_CENTRAL_BDIST SAP_BC_USR_CUA_SETUP_CENTRAL 8. SAP CUA User privileges 9. SAP CUA User privileges 10. SAP CUA User privileges 11. Attack vectors Compromising SAP CUA central system No comments Compromising a child system 1. Bypassing a SAP CUA child systems restrictions 2. Escalation of privileges in the SAP CUA model 3. Gathering information in the SAP CUA model Compromising a network 4. Intercepting data sent between child and central systems 12. SAP CUA Central System Child System Child System Child System Attacker Child System Attack vectors Attack Target 13. SAP CUA Central System Child System Child System Child System Attacker Child System Attack vectors Attack Target 1. Central system compromising 2. Escalation of privileges at the central system 3. Creating account in a child system 1 2 3 14. SAP CUA Central System Child System Child System Child System Attacker Child System Attack vectors Attack Target 1 1. Another child system compromising 2. Escalation of privileges in the CUA model 3. Creating account in a child system 2 3 15. Bypassing a SAP CUA child systems restrictions Create a user Change a password Assign a profile 16. Bypassing a SAP CUA child systems restrictions (video) 17. Bypassing a SAP CUA child systems restrictions Create a user: Execute FM BAPI_USER_CREATE1 (transaction SE37) in a child system Change a password: Edit the USRFLDSEL table (transaction SE16n) in a child system Assign a profile/role: Edit the USRFLDSEL table (transaction SE16n) in a child system 18. SAP CUA Central System Child System Child System Child System Child System Attacker Child System Child System Escalation of privileges in the SAP CUA model 19. SAP CUA Central System Child System Child System Child System Child System SAP CUA users SAP_BC_USR_CUA_CLIENT SAP_BC_USR_CUA_SETUP_CLIENT SAP_BC_USR_CUA_CENTRAL SAP_BC_USR_CUA_CENTRAL_BDIST SAP_BC_USR_CUA_SETUP_CENTRAL RFC Connection to the central CUA system RFC Connection to a child CUA system Attacker RSECTAB, RFCDES tables = User credentials SE37 transaction = FM remote execution 20. Escalation of privileges in the SAP CUA model (video) 21. Escalation of privileges in the SAP CUA model Reassign a User-System: Execute FM BAPI_USER_SYSTEM_ASSIGN (SE37) (Role SAP_BC_USR_CUA_SETUP_CENTRAL) Assign a profile: Execute FM BAPI_USER_LOCPROFILES_ASSIGN (SE37) (Role SAP_BC_USR_CUA_SETUP_CENTRAL) Assign a role: Execute FM BAPI_USER_LOCACTGROUPS_ASSIGN (SE37) (Role SAP_BC_USR_CUA_SETUP_CENTRAL) Gather information (continued) 22. Gathering information about the SAP CUA model CUA Users/hashes: Execute in the central system FM RFC_READ_TABLE (USR02, USH02, ) (Role SAP_BC_USR_CUA_CENTRAL) The CUA model: Locally execute Transaction SCUA Execute in a central system FM RFC_READ_TABLE (USZBVSYS, ) = CUA logs Read local tables RFCDES, RSECTAB = RFC destinations 23. SAP Security Note 1997455 24. Central System SAP CUA Child System Child System Child System Child System RFC/IDoc (compressed) Usr02.Bname: PHD-USER Usr02.Bcode: 283D7893C91674A0 Usr02.Ustyp: A Usr02.Uflag: 0 User Accounts RFC User Account to Child System RFC User Account to Central System Hacker Intercepting data sent between child and central systems RFC/IDoc User Creation Confirmation 25. Sending user credentials to a child system RFC account password recovery UserID Encrypted password Length For gamma generating XORed password Password 26. Sending user credentials to a child system User credentials data recovery 27. Obtained account sent to a child system Get user list: Execute FM BAPI_USER_GETLIST (SE37) (Role SAP_BC_USR_CUA_SETUP_CLIENT) Create users: Execute FM BAPU_USER_CREATE1 (SE37) (Role SAP_BC_USR_CUA_SETUP_CLIENT) Assign privileges: Execute FM BAPI_USER_PROFILES_ASSIGN (SE37) (Role SAP_BC_USR_CUA_SETUP_CLIENT) Lock/Unlock users: Execute FM BAPI_USER_LOCK/BAPI_USER_UNLOCK (SE37) (Role SAP_BC_USR_CUA_SETUP_CLIENT) 28. Protection/Countermeasures Do not combine SAP systems of various security classifications in a single CUA model Delete SETUP roles for CUA users Apply Note 1997455 or modify SAP_BC_USR_CUA_CENTRAL role Activate table logging (USRFLDSEL) Enable SNC encryption for RFC connections Use trusted connections; assign S_RFC, S_ICF, S_RFCACL authorization objects to system users Control access to critical transactions: SM49, SE37, SCUA, ST04, Configure ACL for SAP Gateway Do not forget about other clients 29. Thank you for your attention! 30. Additional information Transactions: SCUA Display System Landscape (CUA model) SCUL Log Display for Central User Administration SCUM User Distribution Field Selection SCUG Central User Administration Structure Display SE37- ABAP Function Modules Notes: 492589 Minimum authorizations for communication users 333441 - CUA: Tips for problem analysis 376856 - Password synchronization - Single Sign-On/CUA 1997455 - Potential information disclosure in BC-SEC-USR-ADM Tables: USZBVSYS - CUA: Assignment of Systems to Users USRFLDSEL- CUA: Field Attributes