Transcription
SAP's Network Protocols Revisited
Martin Gallo, March 2014

Agenda
- SAP security
- Network penetration testing
- This talk
- Approach
- Tools
- Classic SAP environment: SAP Router, SAP Gateway/RFC, SAP Dispatcher/DIAG, SAP Message Server, SAP Enqueue Server
- Modern SAP environment: SAP NW Gateway, SAP HANA
- Discovery and information gathering
- Vulnerability assessment and exploitation
- Defense
- Conclusions

SAP security
- Information, tools, standards, research, companies, media attention

SAP security
- Non-specialists
- Most work is on the application layer
- Steep learning curve
- Non-targeted pentests
- Media attention

Network penetration testing
- Discovery
- Information gathering
- Vulnerability assessment
- Exploitation
- Post-exploitation

This talk
- Old and new attacks
- Web excluded
- Not everything is covered
- Not a pentest guide

Approach
- Black-box
- Work in progress
- Incremental learning
- Relies on others' work
- Not complete or accurate

Tools
- pysap: Python library to craft packets
- Wireshark plugin: dissects SAP protocols

Classic SAP environment
- SAP Router
- SAP Gateway/RFC
- SAP Dispatcher/DIAG
- SAP Message Server
- SAP Enqueue Server

SAP Router
- Application-level gateway
- Reverse proxy
- Standalone application
- Present on all SAP installations
- Unencrypted by default
- Internet exposed
SAP Router, well-known attacks
- Info request
- Use as a proxy
- Sniff routes/passwords
- Scan internal networks
Refs: Mariano's talk at HITB 2010; Dave's SAP Smashing blog post

SAP Router, looking inside
- Admin packets
- Control messages
- Error information
- Route request
- Pong

SAP Router, admin packets
- Remote administration
- Found undocumented commands: set/clear peer trace, trace connection

SAP Router, control messages
- Internal control
- Undocumented opcodes: version request/response, set handle, SNC request/ack

SAP Router, route request
- Route string
- List of routing hops
- Password protected (optional)

SAP Router, recent attacks
- Information disclosure
- Route string heap overflow
Refs: ERPScan's DSECRG-13-013 advisory; SAP Security Notes 1820666 / 1663732

SAP Router, security measures
- Patch
- Enforce SNC use
- Harden the route table
- Put it behind a firewall
- Don't use passwords
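The route request and the "harden the route table" measure above, as an added example that is not from the talk or from pysap: a small parser for the /H/host/S/port/P/password route string format and a first-match check of the requested next hop against a saprouttab-style table (P permit, D deny, S permit over SNC only). It assumes a simplified table syntax (exact values or * wildcards, no port ranges or subnet masks), and every host, port and table entry is constructed for the example.

```python
# Added example, not from the talk or from pysap: SAP Router route string
# parsing and a simplified saprouttab next-hop check. Hosts/ports constructed.
import fnmatch
from dataclasses import dataclass


@dataclass
class Hop:
    host: str
    port: str = "3299"      # SAP Router default service when /S/ is omitted
    password: str = ""      # optional /P/ password, sent in clear text

def parse_route_string(route: str) -> list[Hop]:
    """'/H/host/S/port/P/pw/...': /H/ opens a hop, /S/ and /P/ qualify it."""
    parts = route.split("/")[1:]            # drop the text before the first '/'
    if not parts or len(parts) % 2:
        raise ValueError("route string has an unpaired key/value")
    hops: list[Hop] = []
    for key, value in zip(parts[::2], parts[1::2]):
        if key == "H":
            hops.append(Hop(value))
        elif key in ("S", "P") and hops:
            setattr(hops[-1], {"S": "port", "P": "password"}[key], value)
        else:
            raise ValueError(f"malformed route string at /{key}/{value}")
    return hops

def parse_saprouttab(text: str) -> list[tuple]:
    """Entries 'P|D|S source dest port [password]'; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if f:
            rules.append((f[0], f[1], f[2], f[3], f[4] if len(f) > 4 else ""))
    return rules

def check_next_hop(rules: list[tuple], source: str, hop: Hop) -> str:
    """First matching entry wins: 'P' permit, 'S' permit over SNC only,
    'D' deny; a request matching no entry is denied."""
    for action, src, dst, port, password in rules:
        if all(fnmatch.fnmatchcase(v, pat) for v, pat in
               ((source, src), (hop.host, dst), (hop.port, port))):
            if action == "P" and password and hop.password != password:
                return "D"                  # password-protected entry, wrong /P/
            return action
    return "D"

# Constructed tables: the first lets any client open any host and port
# through the router, the second only lets a jump host reach one dispatcher.
PERMISSIVE_TAB = "P * * *\n"
HARDENED_TAB = "P 10.0.0.5 app01 3200   # jump host -> app01 dispatcher\nD * * *\n"
```

With the permissive table any client can use the router to reach any internal host and port; with the deny-by-default table a request from an unlisted source for any other host is refused before a connection is opened.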
SAP Gateway/RFC
- RFC interface
- Integration with external servers
- Unencrypted by default
- Generally exposed

SAP Gateway/RFC, well-known attacks
- Information gathering
- Monitor mode
- MITM / sniffing
- Some RCE vulnerabilities
- Login brute-force
- Tons of attacks on RFCs: RFC EXEC, SAPXPG, callback, evil twin, ...
Refs: Mariano's Attacking the Giants talk at BlackHat and DeepSec 2007, and SAP Penetration Testing talk at BlackHat 2009

SAP Gateway/RFC, looking inside
- Main packets
- Monitor packets
- RFC tables

SAP Gateway/RFC, security measures
- Patch (client/server)
- Use ACLs
- Disable monitor
- Enforce SNC use
- Enable (and review) logs
Ref: Security Settings in the SAP Gateway

SAP Dispatcher/DIAG
- Communication between the GUI and the application server
- RFC embedded calls
- Only compressed, unencrypted by default

SAP Dispatcher/DIAG, well-known attacks
- Attacks on GUI clients
- Sniffing login credentials
Refs: Secaron's sniffing paper; Ian's talk at 44con 2011; Andrea's talk at Troopers 2011

SAP Dispatcher/DIAG, recent attacks
- Information gathering
- Login brute-force
- Rogue server: GUI shortcut
- Buffer overflows (with trace on)
Refs: talk at Defcon 20 / Brucon 2012; CORE-2012-0123 advisory

SAP Dispatcher/DIAG, security measures
- Patch (server / GUI)
- Enforce SNC use

SAP Message Server
- One per system
- Load balancing for GUI/RFC
- Internal communication with application servers
- Internal/external TCP port, HTTP

SAP Message Server, well-known attacks
- Monitor mode
- Information gathering (how?)
- Impersonate an application server (how?)
- Old buffer overflows on HTTP

SAP Message Server, looking inside
- Main packets
- ADM packets: 60 admin opcodes, 75 regular opcodes
- Dump data
- Monitor clients
- Send/receive messages
- Change configuration parameters

SAP Message Server, recent attacks
- MS buffer overflows (ZDI-12-104/111/112 advisories; SAP Security Notes 1649838 / 1649840)
- MS memory corruption: give the connection admin privileges, overwrite the change-parameter function pointer, send a change-parameter request with the payload, pwn (CORE-2012-1128 advisory; SAP Security Note 1800603)

SAP Message Server, new/old attacks
- Impersonate an application server

SAP Message Server, access level (external port vs. internal port)
- MS buffer overflow: external and internal port
- MS memory corruption: external and internal port
- Monitor clients, dump data, impersonate app server, change param, monitor mode: one of the two ports each

SAP Message Server, security measures
- Patch
- Use ACLs
- Disable monitor
- Separate internal/external port
- Enable (and review) logs
Refs: Security Settings for the SAP Message Server; SAP Security Note 821875

SAP Enqueue Server
- One per system
- Lock mechanism
- Can run standalone
- Replication server for HA
SAP Enqueue Server, well-known attacks
- ?
- Server crashes (?)
- Transfer files (?)
Refs: SAP Security Notes 948457 / 959877

SAP Enqueue Server, looking inside
- Connection admin
- Server admin
- Replication
- Stats

SAP Enqueue Server, security measures
- Patch
- Use ACLs
- Enable (and review) logs
- Restrict access to the service (no SNC supported?)
Refs: SAP Security Notes 1879601 / 1495075

Classic SAP environment (recap): SAP Router, SAP Gateway/RFC, SAP Dispatcher/DIAG, SAP Message Server, SAP Enqueue Server

Modern SAP environment
- API clients
- SAP NetWeaver Gateway
- SAP HANA

SAP NW Gateway
- REST API
- Integration
- OData/Atom protocols
- Add-on for SAP NW ABAP
Refs: OData; SAP NetWeaver Gateway and OData

SAP HANA
- In-memory database
- Protocol specification available: SAP HANA SQL Command Network Protocol

Discovery and information gathering
- Service discovery
- Information disclosure
- Brute force on authentication services

Vulnerability assessment and exploitation
- Sniff/MITM
- Involve clients
- Abuse functions
- Several RCE vulnerabilities
- Reach a privileged connection

Summary by service/protocol
- Router: discovery: info request, info disclosure, internal network scan; exploitation: sniff, proxy, heap overflow
- Gateway/RFC: discovery: info, brute force; exploitation: RCE, sniff, monitor, RFC attacks
- Dispatcher/DIAG: discovery: info, brute force; exploitation: RCE, sniff, rogue server, attack GUI users
- Message Server: discovery: dump data, monitor app servers; exploitation: RCE, monitor, impersonate, buffer overflow, memory corruption
- Enqueue Server: discovery: info; exploitation: transfer files, server crashes?

Defense
- Test, test and test
- Patch, patch and patch
- Use encrypted channels
- Enable and monitor logs
- Restrict ACLs on all services

Conclusions
- New and recent attacks
- Old attacks are practical
- Defense and hardening
- More protocol details

Q&A

Thank you!
mgallo@coresecurity.com
Thanks to Diego, Sebas, Ivan, Francisco, Dana and Euge
Cover photo: Marcelo Schiavon

Updated tools: pysap and Wireshark plugin v0.1.4
- Protocols, examples, improvements and fixes
- Thanks Joris, Florian, Dave, Daniel and Arnold for valuable feedback and bug reports
- Still need work on: bugfixes and tests; improve RFC, DIAG; new protocols: P4? HANA?; more examples and attacks; support for SAP GUI/NW versions

Updated tools: Nmap service discovery
- Improved/added service probes for the services reviewed: SAProuter, Dispatcher/DIAG, MS, Enqueue, GW/RFC