Escolar Documentos
Profissional Documentos
Cultura Documentos
@asintsov
Security
Dsecrg
Erpscan
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
Alexander Polyakov
Tweet
@sh2kerr
a.polyakov@dsec.ru
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
Agenda
SAP security in common (mostly old)
Attacking SAP users
(mostly old )
SAPStuxnet Prototype
(NEW)
Mitgations
(NEW)
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
11
ERP-Enterprise resource planning is an integrated computerbased system used to manage internal and external resources
including tangible assets, financial resources, materials, and
human resources.
from Wikipedia
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
Why Aware?
http://dsecrg.com/pages/pub/show.php?id=30
OWASP-EAS
http://www.owasp.org/index.php/Category:OWASP_Enterprise_Application_Security_Project
20022010, Digital Security
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
SAP
Security
20022010, Digital Security
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
Development:
Architecture
Program errors
Control:
Policies
Security
assessment
Awareness
http://www.owasp.org/index.php/Category:OWASP_Enterprise_Application_Security_Project
20022010, Digital Security
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
Network / Architecture
OS
Database
Application (BASIS/JAVA + IGS,ICM, j2EE telnet etc)
Client-side
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
Attacking SAP users with sapsploit Alexander Polyakov @HITB AMS 2010
http://dsecrg.com/pages/pub/show.php?id=27
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
SAPGUI
JAVAGUI (usually in NIX so dont touch this :)
WEBGUI (Browser)
NWBC
RFC
Applications such as VisualAdmin, Mobile client
and many-many other stuff
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
http://www.owasp.org/index.php/Category:OWASP_Enterprise_Application_Security_Project#tab=Development_guides
20022010, Digital Security
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
Vulnerable
Component
Author
Vulnerability
Link
04.01.2007
rfcguisink
Mark Litchfield
BOF
http://www.ngssoftware.com/advisories/high-risk-vulnerability-in-enjoysapstack-overflow/
04.01.2007
Kwedit
Mark Litchfield
BOF
http://www.ngssoftware.com/advisories/high-risk-vulnerability-in-enjoysapstack-overflow/
07.11.2008
mdrmsap
Will Dormann
BOF
http://www.securityfocus.com/bid/32186/info
07.01.2009
Sizerone
Carsten Eiram
BOF
http://www.securityfocus.com/bid/33148/info
31.03.2009
WebWiewer3D
Will Dormann
BOF
http://www.securityfocus.com/bid/34310/info
15.04.2009
Kwedit
Carsten Eiram
Insecure Method
http://secunia.com/secunia_research/2008-56/
08.06.2009
Sapirrfc
BOF
http://dsecrg.com/pages/vul/show.php?id=115
28.09.2009
WebWiewer3D
Insecure Method
http://dsecrg.com/pages/vul/show.php?id=143
28.09.2009
WebWiewer2D
Insecure Method
http://dsecrg.com/pages/vul/show.php?id=144
07.10.2009
VxFlexgrid
Elazar Broad ,
Alexander Polyakov (DSecRG)
BOF
http://dsecrg.com/pages/vul/show.php?id=117
23.03.2010
BExGlobal
Insecure Method
http://dsecrg.com/pages/vul/show.php?id=164
???
Kwedit
Insecure Method
http://dsecrg.com/pages/vul/show.php?id=145
???
DSECRG-09-069
Memory Corruption
Later or dsecrg.com
???
DSECRG-09-070
Format String
Later or dsecrg.com
???
DSECRG-00173
Insecure Method
Later or dsecrg.com
18
http://dsecrg.com/pages/vul/show.php?id=117
20022010, Digital Security
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
+
+
+
+
+
+
+
+
+
+
+
+
+
+
[DSECRG-09-017] http://dsecrg.com/pages/vul/
show.php?id=117
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
Possibility to run vbs scripts that can repeat manual work on Frontend
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
Also exist
Still patching
We will talk about them at next conferences
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
Password encryption
Data encryption
Mitigation
SAPGUI
DIAG (compressed
and can be
decompressed)
DIAG (compressed
and can be
decompressed)
SNC
JAVAGUI
DIAG
DIAG
SNC
WEBGUI
Base64
NO
SSL
RFC
DIAG
SNC
Visual Admin
Proprietary encoding
(vulnerable
DSECRG-00124)
NO
SSL
Mobile Admin
NO
NO
SSL
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
Password encryption
Data encryption
Mitigation
SAPGUI
DIAG (compressed
and can be
decompressed)
DIAG (compressed
and can be
decompressed)
SNC
JAVAGUI
DIAG
DIAG
SNC
WEBGUI
Base64
NO
SSL
RFC
DIAG
SNC
Visual Admin
Proprietary encoding
(vulnerable
DSECRG-00124)
NO
SSL
Mobile Admin
NO
NO
SSL
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
Storage
Sapshortcut.ini users/passwords
Saplogon.ini servers/clientid
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
Password encryption
Data encryption
Mitigation
WEBGUI
Base64
NO
SSL
Mobile Admin
NO
NO
SSL
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
Details
Possible in SAP Front End applications (SAPGui.exe, BExAnalyzer.exe)
Attacker can place shortcuts for Business Explorer (.bex) or SAP GUI
(.sap)
Mitigations
Awareness (erpscan.com free)
http://support.microsoft.com/kb/2264107
ERPSCAN for SAP Frontend (comercial)
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
http://www.owasp.org/index.php/Category:OWASP_Enterprise_Application_Security_Project#tab=Implementation_guides
20022010, Digital Security
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
Automation
20022010, Digital Security
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
Sapsploit
sapsploit - tool for automatic sap clients exploitation using all kind of ActiveX
vulnerabilities. Developed by DSecRG researchers:
Alexander Polyakov (@sh2kerr) architect
Alexey Sintsov (@asintsov) coding
Modular structure
http://dsecrg.com/files/pub/pdf/Writing%20JIT-Spray%20Shellcode%20for%20fun%20and%20profit.pdf
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
Transfer it encrypted
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
Saptrojan
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
Collect info
By default:
C:\WINDOWS\saplogon.ini
D:\WINDOWS\saplogon.ini
C:\WINNT\saplogon.ini
D:\WINNT\saplogon.ini
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
Or upload keylogger
USER
PASSWORD
CLIENT
SAP*
06071992
DDIC
19920706
000 001
TMSADM
PASSWORD
000
SAPCPIC
ADMIN
000 001
EARLYWATCH
SUPPORT
066
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
Other fun
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
DEMO
20022010, Digital Security
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
Attacking WEB
clients
20022010, Digital Security
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
WWW
Many SAP systems transferred to the web
For example SAP CRM, SRM, Portal
There are also many custom web applications
All those applications store many vulnerabilities
Despite that vulnerabilities are found in WEB servers, most
of the attacks are targeted at SAP clients.
Thus, speaking about safety of SAP-clients it is necessary to mention
typical client-side vulnerabilities in web applications
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
Why web?
There was another real life example.
One company uses SRM system supplier resource management system. This
system was developed for automated tender management. Any company (and
not only :) can register in that system and publish a tender information. This
Application is visible from outside using web
qq
q
http://dsecrg.com/pages/pub/show.php?id=27
Sorry no time for it now
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
Ufff
Its time for stuxnet 2 :)
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
Why Aware?
What
Why
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
Stuxnet 101
Use 5 0-days
Default password in SCADA
Hook application Api
Thanks to Alexey Sintsov (DSECRG) and Alexandr Matrosov (ESET) for info and help
More on www.eset.com/resources/white-papers/Stuxnet_Under_the_Microscope.pdf
20022010, Digital Security
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
Stuxnet scenario
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
DONT DO THIS!
20022010, Digital Security
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
Mitigations
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
Mitigations
NEED
Tired of showing how to hack and want to help people too
Second idea make it easy to use for end users and make it available to
as many people as possible
Third idea statistical information may be good awareness too (like ssl
project)
Result
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
DEMO
20022010, Digital Security
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
Conclusion
ERP - main business element of any company
We saw many problems in just one of presentation levels
Client-site level is not less important than any other
Problems are with architecture, software and users mind
SAP HAS solutions for almost all possible security problems (patches, guides)
But the number of these problems very huge, and admins dont patch
If u can have a special skilled department and work 24/7 to secure SAP
do this. If not keep it to professionals
For Server
For Frontend
Erpscan.com
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru
A.polyakov@dsec.ru
@sh2kerr
erpscan.com
dsecrg.com
owasp.org
20022010, Digital Security
dsecrg.com
erpscan.com
pcidssru.com
dsec.ru
pcidss.ru