SAP : ALL YOUR $$ ARE BELONG TO US · /ATTACK SAP – SAP GATEWAY 29 SAP Netweaver ABAP Database...

Yvan ‘iggy’ GENUER SAP : ALL YOUR $$ ARE BELONG TO US SAP Security overview Securimag - 22/01/2015


Page 1:

Yvan ‘iggy’ GENUER

SAP : ALL YOUR $$ ARE BELONG TO US

SAP Security overview

Securimag - 22/01/2015

Page 2:

AGENDA

● /whois me ?

● /wtf is SAP (‘functionally’)

● /wtf is SAP (‘technically’)

● /SAP and Security

● /attack SAP

● /demo

● /links - sources

Page 3:

/WHOIS ME ?

● Not a security expert

● But an SAP expert with some security skills

● 12 years of experience in SAP

● Last 2 years in SAP Security (audit, pentest, recommendations, etc.)

● Many customers, projects, blablabla

Page 4:

WTF IS SAP ?

Page 5:

/WTF IS SAP ?

● Leader, expensive, complex

● More than 200,000 companies run SAP in 120 countries

● SAP Customers :

- Transport -> 1 billion flight passengers per year

- Produce -> 65% of all TVs

- Produce -> 77.000 cars per day

- And…

● ERP

● 72% of the world-wide beers are produced by companies running SAP !

Source : Virtual Forge GmbH

Page 6:

/WTF IS SAP ?

Page 7:

WTF IS SAP (TECHNICALLY)

Page 8:

/WTF IS SAP (TECHNICALLY ?)

● Example for a standard SAP ABAP Netweaver 7.40 ERP 6.0

● Vocabulary...

- ABAP : Advanced Business Application Programming

- FM : Function Module (in ABAP)

- Report : an ABAP program

- SID : System IDentifier

- Client (‘mandant’) : organizational unit in SAP, used to separate business objects

- Transaction : ‘alias’ to launch reports directly

- Tables : ~80.000 (~100.000 indexes)

- Programs : ~35.000

- Params : ~1.500

- Db size (just after installation) : ~80 GB

Page 9:

/WTF IS SAP (TECHNICALLY ?)

● Supported Database

● Supported OS

Page 10:

/WTF IS SAP (TECHNICALLY ?)

● SAP Classical Architecture

Page 11:

SAP AND SECURITY

Page 12:

/SAP AND SECURITY

● SAP Security Notes : 3000+ since 2009

Page 13:

/SAP AND SECURITY

● Complexity

- Security doesn’t like complexity... SAP can be very complex, with many interfaces on different platforms. Vulnerabilities exist at all levels, from network to application.

● Risky

- SAP stores critical information and runs critical business flows. Patching or changing something can be very risky. ‘You take the risk ?’

● Customization

- Companies can customize their SAP systems. The more SAP is customized, the more securing it becomes a nightmare.

Page 14:

/SAP AND SECURITY

● Root = is not the goal

- The flag is : access to sensitive business data or a critical flow

● Training

- Dangerous for the business

- Creating a test lab is a big investment

- SAP is not taught in school

- Frameworks (msf, bizploit)

- SAP offers security training courses... For ‘only’ $5.000 (5 days).

Page 15:

ATTACK SAP

Page 16:

/ATTACK SAP

● Target ?

Page 17:

/ATTACK SAP

● Myth : “SAP isn’t connected to the internet”

● Google, shodan... sapscan.com !

Page 18:

/ATTACK SAP

● Issues ranking - from the EAS-SEC Project (open security project)

Critical issue                          Access         Severity  Simplicity
1. Patch management flaws               Anonymous      High      Easy
2. Default passwords                    Anonymous      High      Easy
3. Unnecessary functionality            Anonymous      High      Easy
4. Open remote management interface     Anonymous      High      Medium
5. Insecure settings                    Anonymous      Medium    Medium
6. Unencrypted connections              Anonymous      Medium    Medium
7. Access control and SOD conflicts     User           High      Medium
8. Insecure trusted connections         User           High      Easy
9. Security events logging              Administrator  High      Medium


Page 20:

/ATTACK SAP - PATCH MANAGEMENT FLAWS

● SAP Security Notes (patches)

● SAP component updates

● SAP kernel updates

● The change process can be very long in big companies

- A zero day is useless

- Using the last 6 months’ public bugs is enough

Page 21:

/ATTACK SAP - PATCH MANAGEMENT FLAWS

Page 22:

/ATTACK SAP - PATCH MANAGEMENT FLAWS

Page 23:

/ATTACK SAP - PATCH MANAGEMENT FLAWS

Page 24:

/ATTACK SAP – DEFAULT PASSWORD

● One of the biggest mistakes in SAP systems...

How ?

HOW is it possible !!??

Page 25:

/ATTACK SAP – DEFAULT PASSWORD

● Not one or two, but at least 5 default users are created in every SAP system after a fresh installation.

USER        Password                    Client
SAP*        06071992, PASS              000, 001, 066, <all new clients>
DDIC        19920706, SAP4ALL, change   000, 001, <all new clients>
EARLYWATCH  SUPPORT                     066
SAPCPIC     admin                       000, 001
TMSADM      Null, PASSWORD, $1Pawd2&    000, 001, 066, <all new clients>

Page 26:

/ATTACK SAP – DEFAULT PASSWORD

● In the example above, an SAP system with 3 custom clients :

- 27 default users (!)

- Most of these default credentials have high privileges

- Some of them can be reset from a different SAP system

- Only one is enough to compromise the SAP system

000 001 066 100 200 600

SAP* no no no no no no

DDIC no no no no no no

EARLYWATCH no no no no

SAPCPIC no no no no no

TMSADM no no YES no no no
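The two slides above give the default accounts and the clients a fresh installation creates them in. The following is an added example, not code from the talk: it expands that table into the set of (client, user) pairs a system is expected to contain and audits a user inventory against it, flagging default accounts that are unlocked, still carry their initial password, or show up in a client where they should not exist. The inventory rows and the "locked" / "initial_password" field names are constructed sample data; a real export would come from the system's user master records.

```python
# Added example (not from the slides): audit an SAP user inventory for the
# default accounts listed on slide 25. The account/client table is taken from
# the slide; the inventory rows below are constructed sample data.

# Default accounts and the clients a fresh installation creates them in.
# "all_new" marks accounts that are also created in every custom client
# (the slide's "<all new clients>").
DEFAULT_ACCOUNTS = {
    "SAP*":       {"clients": ("000", "001", "066"), "all_new": True},
    "DDIC":       {"clients": ("000", "001"),        "all_new": True},
    "EARLYWATCH": {"clients": ("066",),              "all_new": False},
    "SAPCPIC":    {"clients": ("000", "001"),        "all_new": False},
    "TMSADM":     {"clients": ("000", "001", "066"), "all_new": True},
}


def expected_default_accounts(custom_clients):
    """Expand the slide's table into the set of (client, user) pairs a fresh
    system contains, given the system's custom clients."""
    expected = set()
    for user, spec in DEFAULT_ACCOUNTS.items():
        for client in spec["clients"]:
            expected.add((client, user))
        if spec["all_new"]:
            for client in custom_clients:
                expected.add((client, user))
    return expected


def audit_default_accounts(inventory, custom_clients):
    """Return one (client, user, problems) finding per default account that
    still represents a risk.

    inventory rows look like (constructed shape, not an SAP export format):
        {"client": "066", "user": "TMSADM", "locked": False, "initial_password": True}
    """
    expected = expected_default_accounts(custom_clients)
    findings = []
    for row in inventory:
        user = row["user"]
        if user not in DEFAULT_ACCOUNTS:
            continue  # ordinary user, out of scope for this check
        problems = []
        if row["initial_password"]:
            problems.append("initial/default password never changed")
        if not row["locked"]:
            problems.append("account not locked")
        if (row["client"], user) not in expected:
            problems.append("default account in a client where it is not expected")
        if problems:
            findings.append((row["client"], user, problems))
    return findings


# Constructed inventory for a system with three custom clients (100, 200, 600),
# as on slide 26. Only TMSADM in client 066 still has its initial password.
SAMPLE_INVENTORY = [
    {"client": "000", "user": "SAP*",       "locked": True,  "initial_password": False},
    {"client": "066", "user": "TMSADM",     "locked": False, "initial_password": True},
    {"client": "100", "user": "DDIC",       "locked": False, "initial_password": False},
    {"client": "200", "user": "EARLYWATCH", "locked": True,  "initial_password": False},
    {"client": "100", "user": "JSMITH",     "locked": False, "initial_password": False},
]

if __name__ == "__main__":
    custom = ("100", "200", "600")
    print(f"{len(expected_default_accounts(custom))} default accounts expected on this system")
    for client, user, problems in audit_default_accounts(SAMPLE_INVENTORY, custom):
        print(f"client {client} user {user}: " + "; ".join(problems))
```

With the table's rule and three custom clients the script expects 20 default accounts; the slide's own matrix counts 27 because it marks more client/user combinations than the table's "<all new clients>" rule alone produces, so the safest input is always the real inventory of the system rather than the theoretical footprint. Locking or deleting these accounts is only part of the fix: SAP* in particular needs the profile parameter login/no_automatic_user_sapstar set, otherwise the kernel's built-in SAP* login remains usable in a client where the user record was deleted.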

Page 27:

/ATTACK SAP – SAP GATEWAY

● The SAP Gateway is a technical component of the SAP system. It manages RFC communications between SAP and the rest of the world (other SAP systems or external programs).

Page 28:

/ATTACK SAP – SAP GATEWAY

[Diagram: SAP Netweaver ABAP. The SAP Server runs on the Operating System and hosts the SAP Gateway, the Work Processes and the Database. SAP Gui and an External appli connect to it.]

(1) RFC call ABAP Function modules

Page 29:

/ATTACK SAP – SAP GATEWAY

[Diagram: same architecture, with a second flow added]

(1) RFC call ABAP Function modules

(2) RFC call to start OS commands (list file, transport, interface, etc)

Page 30:

/ATTACK SAP – SAP GATEWAY

[Diagram: same architecture, with a third flow added; the Operating System box now shows “/bin/sh” and “Insert into usr02…”]

(1) RFC call ABAP Function modules

(2) RFC call to start OS commands (list file, transport, interface, etc)

(3) Wait ? OS command ? -> I can do anything…

Page 31:

/ATTACK SAP – SAP GATEWAY

● SAP Gateway security is controlled by 2 files :

- reginfo file (gw/reg_info parameter) = who can come in (register) ?

- sec_info file (gw/sec_info parameter) = who can execute OS commands ?
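Both files are line-based ACLs, and the difference between a permissive one and a restrictive one is what decides whether flow (2) and (3) on the previous slides are open to anyone. The following is an added example, not code from the talk or from SAP: a simplified evaluator for the rule shape `P|D TP=<program> [HOST=<hosts>] [USER=<user>]`, applying first-match-wins with an implicit deny when no rule matches, and comparing a constructed permissive reginfo (`P TP=*`) with a constructed hardened reginfo/secinfo pair that ends in `D TP=*`. The program name `tp_interface`, the host names, the user name and the ACL texts are all assumptions; the real gateway supports more keywords than modelled here.

```python
# Added example (not from the slides): a simplified evaluator for SAP Gateway
# ACL files (reginfo / secinfo). It models only the rule shape
#   P|D TP=<program> [HOST=<hosts>] [USER=<user>]
# with first-match-wins and an implicit deny when nothing matches. The real
# gateway supports more keywords; the ACL texts below are constructed samples.
from fnmatch import fnmatchcase


def parse_acl(text):
    """Parse ACL lines into (action, {KEY: pattern}) tuples, skipping blank
    lines and comments such as the '#VERSION=2' header."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, *fields = line.split()
        patterns = {}
        for field in fields:
            key, _, value = field.partition("=")
            patterns[key.upper()] = value
        rules.append((action.upper(), patterns))
    return rules


def _matches(pattern, value):
    # Comma-separated lists with '*' wildcards, e.g. "*.corp.example,10.0.1.*"
    return any(fnmatchcase(value, p.strip()) for p in pattern.split(","))


def acl_decision(rules, **request):
    """Decide whether a request (TP=..., HOST=..., USER=...) is permitted.

    The first rule whose every key matches the request wins; 'P' permits,
    'D' denies; no matching rule means deny (the secure default)."""
    for action, patterns in rules:
        if all(key in request and _matches(pat, request[key])
               for key, pat in patterns.items()):
            return action == "P"
    return False


# Constructed sample ACLs. The first is the permissive one the slides warn
# about: any program from any host may register at the gateway.
WEAK_REGINFO = """
P TP=*
"""

# Hardened: only the known interface program from the known host may
# register; everything else is denied explicitly by the trailing rule.
HARDENED_REGINFO = """
#VERSION=2
P TP=tp_interface HOST=app1.corp.example
D TP=*
"""

# secinfo governs who may start which OS-level program from which host.
HARDENED_SECINFO = """
#VERSION=2
P TP=tp_interface USER=IFACE_BATCH HOST=app1.corp.example
D TP=*
"""


def registration_allowed(acl_text, tp, host):
    """reginfo question from the slide: can this program/host come in?"""
    return acl_decision(parse_acl(acl_text), TP=tp, HOST=host)


def start_allowed(acl_text, tp, user, host):
    """secinfo question from the slide: can this user start this program?"""
    return acl_decision(parse_acl(acl_text), TP=tp, USER=user, HOST=host)


if __name__ == "__main__":
    print("weak reginfo, unknown program/host :",
          registration_allowed(WEAK_REGINFO, "anyprog", "10.9.9.9"))
    print("hardened reginfo, unknown program/host :",
          registration_allowed(HARDENED_REGINFO, "anyprog", "10.9.9.9"))
    print("hardened reginfo, known program/host :",
          registration_allowed(HARDENED_REGINFO, "tp_interface", "app1.corp.example"))
    print("hardened secinfo, wrong user :",
          start_allowed(HARDENED_SECINFO, "tp_interface", "OTHER", "app1.corp.example"))
```

The point to take from the evaluator is the order of the rules and the last line: a `P TP=*` anywhere before the deny makes the rest of the file irrelevant, and a file without a final `D TP=*` relies on whatever the kernel's implicit default is, which has differed between releases. Reviewing the two files (and the gw/acl_mode parameter that controls the behaviour when they are missing) is the defender's check for this slide.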

Page 32:

/ATTACK SAP - UNENCRYPTED CONNECTIONS

● Could be encrypted with the SAP SNC layer (Secure Network Communication)… but disabled by default.

● Wireshark plugins : SAP dissection !

[Diagram: SAP protocol stack]

Proprietary protocols : SNC (Secure Network Communication), NI (Network Interface) Protocol, RFC, DIAG, Router, Msg, Enq

Standard protocols : SSL, HTTP, SOAP

Page 33:

/ATTACK SAP - UNENCRYPTED CONNECTIONS

XOR encryption with static key

Page 34:

/ATTACK SAP - INSECURE TRUSTED CONNECTIONS

● RFC connections that store user credentials

● Trusted systems with a low security level

[Diagram: DEV -trusted-> INT -trusted-> PRD, annotated “Trusted ?”, “Trusted ?”, “Trusted ???”]
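The diagram's "Trusted ???" is the transitive-trust problem: PRD only trusts INT, but if INT trusts DEV then whoever holds DEV holds PRD, and an RFC destination with a stored user and password is the same kind of link. The following is an added example, not code from the talk: it models the landscape as a graph of "control of X gives control of Y" links and computes, for any compromised system, every system that falls with it and every chain that leads to production, which is exactly the chain the demo section later walks through. The three systems are taken from the slide; the links between them, and the "trusted" / "stored-creds" link kinds, are constructed sample data.

```python
# Added example (not from the slides): model trust links and stored-credential
# RFC destinations between the DEV, INT and PRD systems of slide 34 as a graph
# and compute which systems fall once one of them is compromised. The links
# are constructed sample data.
from collections import deque

# Each link (source, target, kind) means "whoever controls `source` can act on
# `target`": either because target trusts source (trusted RFC), or because
# source holds an RFC destination to target with a saved user and password.
SAMPLE_LINKS = [
    ("DEV", "INT", "trusted"),       # INT trusts DEV
    ("INT", "PRD", "trusted"),       # PRD trusts INT
    ("INT", "PRD", "stored-creds"),  # destination INT -> PRD with saved credentials
]


def reachable_systems(start, links):
    """Transitive closure: every system an attacker holding `start` can reach."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for src, dst, _ in links:
            if src == node and dst != start and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def attack_paths(start, target, links, path=()):
    """All simple paths from `start` to `target`, each as a list of
    (src, dst, kind) hops. Distinct link kinds between the same systems
    yield distinct paths, because each is a separate thing to fix."""
    visited = {start} | {src for src, _, _ in path}
    paths = []
    for src, dst, kind in links:
        if src != start:
            continue
        step = path + ((src, dst, kind),)
        if dst == target:
            paths.append(list(step))
        elif dst not in visited:
            paths.extend(attack_paths(dst, target, links, step))
    return paths


def exposure_report(links):
    """For every system, the set of systems its compromise exposes."""
    systems = {s for s, _, _ in links} | {d for _, d, _ in links}
    return {s: reachable_systems(s, links) for s in sorted(systems)}


if __name__ == "__main__":
    for system, exposed in exposure_report(SAMPLE_LINKS).items():
        print(f"compromise of {system} exposes: {sorted(exposed) or 'nothing'}")
    for hops in attack_paths("DEV", "PRD", SAMPLE_LINKS):
        print(" -> ".join(f"{s}-[{k}]->{d}" for s, d, k in hops))
```

Run against a real landscape, the report answers the question the slide asks: a development system with a default password and an old patch level is only "low risk" if nothing in production trusts it, directly or through an intermediate system, and each path the script prints is one trust relationship or stored credential to remove.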

Page 35:

DEMOS

Page 36:

/DEMOS

[Diagram: attacker -> SAP Production]

SAP Production : appears protected, no easy vuln, creds, etc. Don’t ’trust’ everyone.

Page 37:

/DEMOS

[Diagram: attacker, SAP Production, SAP Development]

SAP Development : (1) Default password, (2) Not up to date, (3) Full control

Page 38:

/DEMOS

[Diagram: attacker -> SAP Development, SAP Production]

attacker : (1) ‘configure’ development

SAP Development : (1) Default password, (2) Not up to date, (3) Full control

Page 39:

/DEMOS

[Diagram: attacker -> SAP Development -> SAP Production]

attacker : (1) ‘configure’ development, (2) Production ‘trust’ development

SAP Development : (1) Default password, (2) Not up to date, (3) Full control

Page 41:

/DEMOS

[Diagram: attacker -> SAP Development -> SAP Production]

attacker : (1) ‘configure’ development, (2) Production ‘trust’ development, (3) Bad SAP Gateway ACL

SAP Development : (1) Default password, (2) Not up to date, (3) Full control

Page 42:

/DEMOS

[Diagram: attacker -> SAP Development -> SAP Production]

attacker : (1) ‘configure’ development, (2) Production ‘trust’ development, (3) Bad SAP Gateway ACL, (4) Full control

SAP Development : (1) Default password, (2) Not up to date, (3) Full control

Page 43:

SOURCES LINKS

Page 44:

QUESTIONS ?

THANK YOU