SQL Injection with ABAP

Transcription

Hack In The Box Conference 2011, Amsterdam
Dr. Markus Schumacher
SQL Injection with ABAP: from Open SQL Injection to ADBC Injection
2011 Virtual Forge GmbH www.virtualforge.com All rights reserved.

Who am I
Andreas Wiegenstein
- CTO and founder of Virtual Forge, responsible for R&D
- SAP Security Researcher, active since 2003
- Speaker at SAP TechEd 2004, 2005, 2006, DSAG 2009, BlackHat 2011
- Co-Author of "Secure ABAP Programming" (SAP Press)
Virtual Forge GmbH
- SAP security product company based in Heidelberg, Germany
- Focus on (ABAP) application security services
- ABAP Security Scanner, ABAP Security Guidelines, ABAP Security Trainings, SAP Security Consulting

Belief: "Our SAP system is secure."
- Roles & Authorizations
- Segregation of Duties
- Secure Configuration & System / Service Hardening
- Encryption
- Secure Network Infrastructure
- Password Policies
- Patch Management
- Identity Management
- Single Sign-on

Reality-Check

Contents
1. About ABAP
2. SQL Injection revisited
3. Open SQL (OSQL) Overview, Risks & Mitigations
4. Native SQL
5. ABAP Database Connectivity (ADBC)

1. ... and then there was ABAP

Advanced Business Application Programming
- Proprietary language, exact specification not (freely) available
- Platform-independent code
- Client separation built-in *
- Integrated auditing capabilities
- System-to-System calls via SAP Remote Function Call (RFC)
- Client-Server communication via SAP GUI (DIAG protocol)
- Various programming paradigms: Programs & Forms, Reports, Function Modules, Dynpros, Classes & Methods, Business Server Pages, Web Dynpro ABAP
- Integrated platform-independent SQL standard: Open SQL
- Built-in authentication, roles and (explicit) authorization model
- Thousands of well-known standard programs and database tables
- 150 million lines of code in an ECC 6.0 system

A closer look at Client Separation
(Figure: Client 007, Client 023, Client 042)
- Users log on to "clients"
- Clients represent business (and user) data of independent organizations
- The SAP system implicitly separates client data in the database
- Done via a special column that indicates if a table is client-dependent
- ABAP code is client-independent. Every program is available on all clients

Attack Surface of ABAP

2. SQL Injection revisited

SQL Injection Overview
- Special form of In-band Signalling
  1) Data (input) is combined with commands (SQL syntax)
  2) Result (data + commands) is executed
  3) Commands embedded in data can corrupt the intended SQL commands
- Typical test patterns: ' or 1=1 --  and  ' or 1=1 /*
- Countermeasure: Prepared Statements
- SQL Injections are known at least since 12/1998 (Phrack.org issue #54)

SAP-specific SQL Injection Risks
- Illegal access to data in other clients
- Modification of user accounts and user authorizations (SOX violation)
  E.g. assign an unauthorized user SAP_ALL privileges
- Undocumented changes to critical database tables (SOX violation)
  No records in CDHDR, CDPOS
- Access to bank accounts of customers and suppliers
  E.g. customer bank account data (KNBK-BANKN)
- Access to credit card data (PCI/DSS violation)
  E.g. BSEGC-CCNUM
- Read access to HR data (privacy issue)
  E.g. social security number (PA0002-PERID)
- Manipulation of financial data (SOX violation)
  E.g. tampering with BSEG

3. Open SQL (OSQL) Overview, Risks & Mitigations

Open SQL Overview
- Open SQL commands are integrated in the ABAP language: SELECT, UPDATE, INSERT, DELETE, MODIFY
- OSQL commands are compiled together with the ABAP program
- Most ABAP code (95%) uses Open SQL for DB queries
- Open SQL automatically enforces SAP security features:
  Only defined database commands can be executed
  Client separation
  Logging

Open SQL Example #1: Simple OSQL query (SELECT)

  REPORT sql_01.
  DATA lt_sec TYPE sbook.
  PARAMETERS p_carrid TYPE string.
  SELECT class passname fldate
    FROM sbook CLIENT SPECIFIED
    INTO CORRESPONDING FIELDS OF lt_sec
    WHERE carrid = p_carrid
      AND reserved = ' '.
    WRITE: / lt_sec-class, lt_sec-passname, lt_sec-fldate.
  ENDSELECT.

Open SQL Example #2: OSQL query with dynamic WHERE condition

  REPORT sql_02.
  PARAMETERS p_carrid TYPE string.
  DATA lt_sec TYPE sbook.
  DATA lv_where TYPE string.
  CONCATENATE `carrid = '` p_carrid `' AND reserved = ' '` INTO lv_where.
  SELECT class passname fldate
    FROM sbook CLIENT SPECIFIED
    INTO CORRESPONDING FIELDS OF lt_sec
    WHERE (lv_where).
    WRITE: / lt_sec-class, lt_sec-passname, lt_sec-fldate.
  ENDSELECT.

Open SQL Example #3: OSQL query with dynamic table access

  REPORT sql_03.
  PARAMETERS p_table TYPE string.
  DATA lt_sec TYPE sbook.
  DATA lv_table TYPE string.
  CONCATENATE `S` p_table INTO lv_table.
  SELECT *
    FROM (lv_table) CLIENT SPECIFIED
    INTO CORRESPONDING FIELDS OF lt_sec.
    WRITE: / lt_sec-class, lt_sec-passname, lt_sec-fldate.
  ENDSELECT.

OSQL Injection Demos
DEMO

SAP Mitigation(s)
- SAP Note 1520356 - Avoiding SQL ... (.../notes/1520356)
- ABAP countermeasures available since 12/2010

SAP Mitigation(s): a closer look
- ABAP strings are usually enclosed in ` (back ticks)
    DATA str TYPE string.
    str = `Hello string`.
- ABAP char arrays are usually enclosed in ' (single quotation marks)
    DATA chr TYPE c LENGTH 80.
    chr = 'Hello char'.
- Hence ` as well as ' can be used in dynamic OSQL to enclose variables
    CONCATENATE `carrid = '` p_carrid `' AND reserved = ' '` INTO str.
    CONCATENATE 'carrid = `' p_carrid '` AND reserved = ` `' INTO chr.
- SAP countermeasures include two methods to escape quotes
    cl_abap_dyn_prg=>escape_quotes_str( str ):  ` -> ``
    cl_abap_dyn_prg=>escape_quotes( chr ):      ' -> ''

SAP Mitigation(s) have Risks
- The method names suggest usage for a given variable type
    cl_abap_dyn_prg=>escape_quotes_str - to use for strings
    cl_abap_dyn_prg=>escape_quotes     - to use for non-strings (character arrays)
- Careful: it's not the variable type that's relevant but the type of quote used!
- Risk: the method names are misleading and may confuse developers
    DATA lv_where TYPE string.
    p_carrid = cl_abap_dyn_prg=>escape_quotes_str( p_carrid ).
    CONCATENATE `carrid = '` p_carrid `' AND reserved = ' '` INTO lv_where.

SAP Mitigation(s): recommendation
- Avoid cl_abap_dyn_prg=>escape_quotes_str and cl_abap_dyn_prg=>escape_quotes
- Use cl_abap_dyn_prg=>quote_str and cl_abap_dyn_prg=>quote
- These functions not only escape the input, but also wrap it in the same quote character they escape
    DATA lv_where TYPE string.
    p_carrid = cl_abap_dyn_prg=>quote_str( p_carrid ).
    CONCATENATE `carrid = ` p_carrid ` AND reserved = ' '` INTO lv_where.
- Examples
    cl_abap_dyn_prg=>quote_str( ):  O`Neill -> `O``Neill`
    cl_abap_dyn_prg=>quote( ):      O'Neill -> 'O''Neill'
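The following report is an added example (my own code, not from the slides or from Virtual Forge) that applies the recommendation above to both risky patterns shown earlier: the dynamic table name of example #3 is checked against a whitelist before it reaches the FROM clause, and the dynamic WHERE value of example #2 is wrapped with cl_abap_dyn_prg=>quote. The report name, variable names and parameter types are my own, and the signature of cl_abap_dyn_prg=>check_whitelist_tab (val, whitelist as a string table, exception cx_abap_not_in_whitelist) is given as I know it from the helper class, so treat it as an assumption.

```abap
REPORT z_osql_dyn_safe.
" Added example, not from the original slides: hardened variants of the
" dynamic table access (example #3) and the dynamic WHERE (example #2).
PARAMETERS: p_table  TYPE tabname DEFAULT 'SBOOK',
            p_carrid TYPE s_carr_id.

DATA: lt_allowed TYPE STANDARD TABLE OF string,  " assumed whitelist type
      lv_table   TYPE string,
      lv_where   TYPE string,
      lv_carrid  TYPE string,
      ls_sec     TYPE sbook,
      lx_list    TYPE REF TO cx_abap_not_in_whitelist.

" 1. Dynamic table name: only tables this report is meant to read may be
"    named by the user, so the name is checked against a fixed list before
"    it reaches the FROM clause (just SBOOK here, because the WHERE
"    condition below refers to SBOOK columns).
APPEND 'SBOOK' TO lt_allowed.
TRY.
    lv_table = cl_abap_dyn_prg=>check_whitelist_tab( val       = p_table
                                                     whitelist = lt_allowed ).
  CATCH cx_abap_not_in_whitelist INTO lx_list.
    WRITE: / 'Table not permitted:', p_table.
    RETURN.
ENDTRY.

" 2. Dynamic WHERE: the value is placed between single quotes, so the
"    single-quote helper quote( ) is the right one, whatever the ABAP type
"    of p_carrid. It doubles every ' inside the value and adds the
"    surrounding quotes itself, so the input cannot close the literal.
lv_carrid = cl_abap_dyn_prg=>quote( p_carrid ).
CONCATENATE `carrid = ` lv_carrid ` AND reserved = ' '` INTO lv_where.

" Without CLIENT SPECIFIED, Open SQL adds the MANDT condition for the
" logon client itself, keeping the client separation the slides describe.
SELECT class passname fldate
  FROM (lv_table)
  INTO CORRESPONDING FIELDS OF ls_sec
  WHERE (lv_where).
  WRITE: / ls_sec-class, ls_sec-passname, ls_sec-fldate.
ENDSELECT.
IF sy-subrc <> 0.
  WRITE: / 'No open bookings for', p_carrid.
ENDIF.
```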

4. Native SQL

Native SQL Overview
- "Native SQL" is SQL placed inside specific ABAP commands: EXEC SQL ... ENDEXEC.
- Used when database-specific commands have to be executed that are not part of Open SQL
- Native SQL is always hard-coded
- Input is passed to placeholders (as in prepared statements)
- No SQL Injection possible, but should not be used anyway
- Native SQL bypasses SAP security features of Open SQL:
  Client separation
  Restrictive access to SQL commands
- Native SQL can't access certain SAP tables:
  Cluster Tables and Pool Tables don't physically exist in the DB

Native SQL Example: Command EXEC SQL

  REPORT sql_04.
  DATA: f1 TYPE s_class.
  DATA: f2 TYPE s_passname.
  DATA: f3 TYPE s_date.
  PARAMETERS p_carrid TYPE string.
  EXEC SQL.
    SELECT CLASS, PASSNAME, FLDATE INTO :F1, :F2, :F3 FROM SBOOK
      WHERE CARRID = :p_carrid AND RESERVED = ' '
  ENDEXEC.
  WRITE: / f1, f2, f3.

5. ABAP Database Connectivity (ADBC)

ADBC Overview
- ADBC allows to dynamically execute arbitrary SQL commands
- ADBC is technically based on SAP kernel calls:
  CALL 'C_DB_EXECUTE'
  CALL 'C_DB_FUNCTION'
- ADBC is provided in ABAP classes CL_SQL_* and a function module:
  CL_SQL_STATEMENT
  CL_SQL_PREPARED_STATEMENT
  DB_EXECUTE_SQL (Function Module)
- ADBC bypasses SAP security features provided by Open SQL:
  Client separation
  Restrictive access to SQL commands
  Precompiled SQL statements
- Like Native SQL, ADBC can't access certain SAP tables

ADBC via CALL 'C_DB_EXECUTE'

  REPORT sql_05.
  DATA: lv_len TYPE i.
  DATA: lv_sqlerr TYPE i.
  PARAMETERS lv_stmt TYPE c LENGTH 80.
  lv_len = STRLEN( lv_stmt ).
  CALL 'C_DB_EXECUTE' ID 'STATLEN' FIELD lv_len
                      ID 'STATTXT' FIELD lv_stmt
                      ID 'SQLERR'  FIELD lv_sqlerr.

- Executes an arbitrary SQL command (except SELECT)
- Used in function module DB_EXECUTE_SQL

ADBC via CALL 'C_DB_FUNCTION'

  REPORT sql_06.
  PARAMETERS lv_stmt TYPE c LENGTH 80.
  CALL 'C_DB_FUNCTION' ID 'FUNCTION' FIELD 'DB_SQL'
                       ID 'FCODE'    FIELD 'PO'
                       ID 'STMT_STR' FIELD lv_stmt.

- Executes an arbitrary SQL command
- Used in class CL_SQL_STATEMENT
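The slides name prepared statements as the countermeasure and CL_SQL_PREPARED_STATEMENT as the ADBC class that provides them; the report below is an added example (my own code, not from the slides or from Virtual Forge) that runs the Native SQL query of example #4 through ADBC with bound parameters. The report name and the row type ty_row are my own, and the CL_SQL_* method calls are the ADBC API as I know it; it assumes the SBOOK flight-demo table is present.

```abap
REPORT z_adbc_prepared.
" Added example, not from the original slides: the query of example #4
" done with ADBC and a prepared statement. Input is bound to ? placeholders
" instead of being concatenated into the SQL text, and MANDT is bound
" explicitly because ADBC adds no client condition on its own.
TYPES: BEGIN OF ty_row,
         class    TYPE s_class,
         passname TYPE s_passname,
         fldate   TYPE s_date,
       END OF ty_row.
PARAMETERS p_carrid TYPE s_carr_id.
DATA: lo_stmt   TYPE REF TO cl_sql_prepared_statement,
      lo_result TYPE REF TO cl_sql_result_set,
      lx_sql    TYPE REF TO cx_sql_exception,
      lv_stmt   TYPE string,
      lv_msg    TYPE string,
      lv_mandt  TYPE sbook-mandt,
      lv_resvd  TYPE sbook-reserved,
      ls_row    TYPE ty_row,
      lr_data   TYPE REF TO data.

lv_mandt = sy-mandt.   " client separation is this program's job in ADBC
lv_resvd = space.      " only bookings not yet reserved, as on the slides

" The statement text is constant; the three values travel separately,
" so no input can change the structure of the query.
CONCATENATE `SELECT CLASS, PASSNAME, FLDATE FROM SBOOK `
            `WHERE MANDT = ? AND CARRID = ? AND RESERVED = ?` INTO lv_stmt.
TRY.
    CREATE OBJECT lo_stmt EXPORTING statement = lv_stmt.
    " Placeholders are positional: bind in the order of the ? marks.
    GET REFERENCE OF lv_mandt INTO lr_data.
    lo_stmt->set_param( lr_data ).
    GET REFERENCE OF p_carrid INTO lr_data.
    lo_stmt->set_param( lr_data ).
    GET REFERENCE OF lv_resvd INTO lr_data.
    lo_stmt->set_param( lr_data ).
    lo_result = lo_stmt->execute_query( ).
    GET REFERENCE OF ls_row INTO lr_data.
    lo_result->set_param_struct( lr_data ).   " target for each fetched row
    WHILE lo_result->next( ) > 0.
      WRITE: / ls_row-class, ls_row-passname, ls_row-fldate.
    ENDWHILE.
    lo_result->close( ).
    lo_stmt->close( ).
  CATCH cx_sql_exception INTO lx_sql.
    lv_msg = lx_sql->get_text( ).
    WRITE: / 'ADBC error:', lv_msg.
ENDTRY.
```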

ADBC Injection Demos
DEMO

Related SAP Security Note
- SAP Note 1456569 – "Potential modification of persisted ..." (.../notes/1456569)
- Virtual Forge Security Advisory SAP-NSI-01

Summary
- Despite common belief, OSQL Injections are possible in ABAP
- Despite common belief, arbitrary SQL statements can be executed on SAP systems, using ADBC
- The criticality of an
