SAP Security - Joris van de Vis (ERP-SEC) - SITNL 2015, slide transcript v0.2


Introduction

Whoami

Topics

• James Bond-style espionage; it's real

• A practical example of a backdoor

• SAP HANA security

• SAP Security baseline

Not a sexy topic

SAP Security, not always a sexy topic. But….

007, Secret service activities

• Corporate espionage

• State-sponsored espionage

• ‘Regular’ Cybercrime

• Political motivated cybercrime

• Backdoors

James Bond-style espionage, it's real

It’s China… they say…

SAP and backdoors?

SAP building backdoors for the NSA. Far-fetched? Yes: strongly denied by SAP and, in my belief, also not true.

But what if there are backdoors that SAP or its customers are not aware of…. A practical example…

The challenge:

In order to effectively secure an SAP platform, you need to understand and secure all of its systems, components, infrastructure layers and related vulnerabilities and threats.

To break an SAP platform you only need one flaw/vulnerability!

If you are the good guy, you have to work harder!

But first… The challenge

A backdoor into SAP; you need one of these 3

So, to fully compromise an SAP system we need at least one of the following:

• Gain SAP_ALL rights on application layer

• Get access to the Operating system as <sid>adm

• Get access to the Database, in particular the SAP scheme

Getting access to one of the above means you have access to all three: from each layer the other two can be reached (the OS user owns the database files and credentials, the database holds the user and authorization tables, and SAP_ALL allows OS and database access from within the application).

A backdoor into SAP…

In this scenario we will combine 3 vulnerabilities:

1. A Default user with default password for Diagnostics purposes

2. A Remote wrapper to execute local function modules remotely without authorization check

3. A Local function module to execute native SQL without authorization check

Business risk: leads to a full compromise of your business-critical data.

Some details on the 3 vulnerabilities

1. Default user with default password for Diagnostics purposes

• User SMDAGENT_<SID> is used by the Wily host agent for gathering diagnostics

• It gets created via the Solution Manager “Managed System Configuration” in Solution Manager 7.0

• Exists not only in Solution Manager, but also in backend systems

2. Remote wrapper without authorization check

• Function Module /SDF/GEN_PROXY can be used to execute local Function Modules remotely

• Lacks authorization check

3. Local function to execute native SQL without authorization check

• Function Module /SDF/RBE_NATSQL_SELECT can be used to execute native SQL

• Lacks authorization check

• Select password hashes from the database

• Brute force privileged SAP accounts

• Gain access to the SAP Solution Manager

Demo

Post-exploitation

From there?

• Use (trusted) RFCs to the world

• Use your imagination

• And take over the world

Try and take over the world!

Mitigation

How to protect?

Change password or delete user SMDAGENT_<SID>

Apply OSS note 1774432 (CVSS score 4.6)

Apply OSS note 1727914 (CVSS score 7.5)

Monitoring / logging

Also see the SAP Whitepaper

https://scn.sap.com/docs/DOC-60424
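As an added example of the monitoring side of the mitigation (this code is written for this page; it is not from the talk or from SAP), detection logic run over exported RFC-call records to catch the chain described above: any call to /SDF/GEN_PROXY or /SDF/RBE_NATSQL_SELECT, any SMDAGENT_<SID> call from a host other than the Solution Manager, and the combination of both. The record format, the host names (solman01, ws-4711, ws-0815) and the Z_* function module names are constructed for the example; AUK and AUL are the Security Audit Log message IDs for successful and failed RFC calls. The function module that GEN_PROXY invokes runs as a local call, so only the wrapper appears as the RFC call; a rule that watches only RBE_NATSQL_SELECT would miss the chain.

```python
"""Flag the SMDAGENT_<SID> / /SDF/GEN_PROXY / /SDF/RBE_NATSQL_SELECT pattern in RFC call records.

Example code written for this page, not from the talk. Record format and hosts are constructed.
"""
from __future__ import annotations

import csv
import io
import re
from collections import Counter
from dataclasses import dataclass

# The two function modules named in the talk.
SENSITIVE_FMS = {"/SDF/GEN_PROXY", "/SDF/RBE_NATSQL_SELECT"}
# One diagnostics agent user per managed system, e.g. SMDAGENT_PRD.
SMDAGENT_USER = re.compile(r"^SMDAGENT_[A-Z0-9]{3}$")
# Assumption: the agent account only ever connects from the Solution Manager host(s).
ALLOWED_AGENT_HOSTS = {"solman01"}


@dataclass(frozen=True)
class RfcCall:
    timestamp: str
    event: str            # AUK = successful RFC call, AUL = failed RFC call (Security Audit Log IDs)
    user: str
    host: str             # terminal/host the call came from
    function_module: str  # the FM invoked via RFC; an FM that GEN_PROXY runs locally is not logged here


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    call: RfcCall


def parse_records(text: str) -> list[RfcCall]:
    """Parse 'timestamp;event;user;host;function_module' records, skipping '#' comment lines."""
    calls: list[RfcCall] = []
    for row in csv.reader(io.StringIO(text.strip()), delimiter=";"):
        if not row or row[0].lstrip().startswith("#"):
            continue
        if len(row) != 5:
            raise ValueError(f"malformed record: {row!r}")
        calls.append(RfcCall(*(field.strip() for field in row)))
    return calls


def analyse(calls: list[RfcCall], allowed_agent_hosts: set[str] = ALLOWED_AGENT_HOSTS) -> list[Finding]:
    """Apply the three detection rules; one call can raise several findings."""
    findings: list[Finding] = []
    for call in calls:
        is_agent = SMDAGENT_USER.match(call.user) is not None
        is_sensitive = call.function_module in SENSITIVE_FMS
        if is_sensitive:
            # A failed call (AUL) is still an attempt, so it is reported at lower severity.
            findings.append(Finding("sensitive_fm", "high" if call.event == "AUK" else "medium", call))
        if is_agent and call.host not in allowed_agent_hosts:
            findings.append(Finding("agent_from_unexpected_host", "high", call))
        if is_agent and is_sensitive:
            # The exact combination from the talk: a technical user with no business reason
            # to call a proxy or native-SQL function module.
            findings.append(Finding("agent_sensitive_chain", "critical", call))
    return findings


def summarise(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule."""
    return dict(Counter(f.rule for f in findings))


# Constructed sample export; the Z_* function module names are placeholders.
SAMPLE_RECORDS = """\
# timestamp;event;user;host;function_module
2015-11-26 09:14:02;AUK;SMDAGENT_PRD;solman01;Z_AGENT_HEARTBEAT
2015-11-26 09:14:05;AUK;SMDAGENT_PRD;ws-4711;/SDF/GEN_PROXY
2015-11-26 09:14:07;AUK;SMDAGENT_PRD;ws-4711;/SDF/GEN_PROXY
2015-11-26 09:20:11;AUK;BATCH_USER;app01;Z_NIGHTLY_EXTRACT
2015-11-26 09:21:00;AUL;DEVELOPER;ws-0815;/SDF/RBE_NATSQL_SELECT
"""


def run_example() -> list[Finding]:
    """Run the rules over the constructed sample."""
    return analyse(parse_records(SAMPLE_RECORDS))


if __name__ == "__main__":
    for f in run_example():
        print(f"[{f.severity:8}] {f.rule:28} {f.call.user}@{f.call.host} -> {f.call.function_module}")
```

On the sample, the two GEN_PROXY calls from ws-4711 each trip all three rules, and the failed developer call to RBE_NATSQL_SELECT is reported at medium severity; the agent's heartbeat from the Solution Manager host raises nothing.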

Something about HANA security…

[Chart: SAP HANA security notes per year, 2011 to 2015; y-axis 0 to 18]

With great power comes great responsibility

Running HANA? Better patch…

SAP Security baseline

SAP Security baseline template

• Helps you when defining an SAP Security baseline

• Contains many settings to check

• Not only on SAP application level, but also includes Database, Operating System, network and frontend level

The baseline can be accessed on the SAP Support site at https://support.sap.com/sos -> Media Library -> Security Baseline Template.
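As an added example of putting such a baseline to work (example code written for this page, not the template itself or SAP's code): a checker that parses an exported instance profile and reports every parameter that deviates from, or is missing from, a baseline. The parameter names are real NetWeaver profile parameters, but the target values are illustrative assumptions, not the values from the SAP Security Baseline Template; take those from the document itself. A missing parameter is reported because the kernel default then applies silently, and rdisp/gui_auto_logout = 0 is treated as a deviation because 0 disables the auto-logout rather than being the "strictest" value.

```python
"""Check exported profile parameters against a small baseline.

Example code written for this page, not the SAP Security Baseline Template or SAP's code.
Parameter names are real; the target values below are illustrative assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Rule:
    parameter: str
    check: Callable[[int], bool]
    expected: str  # human-readable statement of the requirement


# Assumed illustrative targets; the real template's values are on the SAP Support site.
BASELINE = [
    Rule("login/min_password_lng", lambda v: v >= 8, ">= 8"),
    Rule("login/password_downwards_compatibility", lambda v: v == 0, "= 0"),
    Rule("login/no_automatic_user_sapstar", lambda v: v == 1, "= 1"),
    Rule("login/fails_to_user_lock", lambda v: 1 <= v <= 5, "between 1 and 5"),
    # 0 disables the auto-logout entirely, so it is a deviation, not the "lowest" value.
    Rule("rdisp/gui_auto_logout", lambda v: 1 <= v <= 3600, "between 1 and 3600 seconds"),
]


@dataclass(frozen=True)
class Deviation:
    parameter: str
    actual: str      # "<not set>" when the parameter is absent from the export
    expected: str


def parse_profile(text: str) -> dict[str, str]:
    """Parse 'name = value' lines; '#' starts a comment, blank lines are ignored."""
    params: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        params[name.strip()] = value.strip()
    return params


def check_profile(params: dict[str, str], baseline: list[Rule] = BASELINE) -> list[Deviation]:
    """Return one Deviation per baseline rule that is unmet, missing, or non-numeric."""
    deviations: list[Deviation] = []
    for rule in baseline:
        if rule.parameter not in params:
            # Absent means the kernel default applies; the baseline wants an explicit value.
            deviations.append(Deviation(rule.parameter, "<not set>", rule.expected))
            continue
        raw = params[rule.parameter]
        try:
            value = int(raw)
        except ValueError:
            deviations.append(Deviation(rule.parameter, raw, rule.expected + " (non-numeric value)"))
            continue
        if not rule.check(value):
            deviations.append(Deviation(rule.parameter, raw, rule.expected))
    return deviations


# Constructed instance profile excerpt (login/fails_to_user_lock deliberately left out).
SAMPLE_PROFILE = """\
# constructed sample, not a real system
login/min_password_lng = 6
login/password_downwards_compatibility = 1
login/no_automatic_user_sapstar = 1
rdisp/gui_auto_logout = 0
"""


def run_example() -> list[Deviation]:
    """Check the constructed sample against the assumed baseline."""
    return check_profile(parse_profile(SAMPLE_PROFILE))


if __name__ == "__main__":
    for d in run_example():
        print(f"{d.parameter}: actual {d.actual}, expected {d.expected}")
```

Extending the checker to the database, operating system and network settings the template also covers is a matter of adding rules with different parsers for each export; the deviation report stays the same.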

Concluding

What I hope you learned today:

• SAP Security can be sexy

• Defenders have to work harder

• Don’t forget the systems of the ‘techies’: the SAP Solution Manager is a critical component when it comes to security

• Patch, patch, patch

• Check the SAP Teched Materials!

• Read and make use of the SAP Security Baseline document

Questions?

Website: www.erp-sec.com

Twitter: @jvis @erpsec

Need more info? Contact us...

Disclaimer

SAP, R/3, ABAP, SAP GUI, SAP NetWeaver and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only.

The authors assume no responsibility for errors or omissions in this document. The authors do not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

The authors shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of this document.

SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials.

No part of this document may be reproduced without the prior written permission of ERP Security BV. © 2013 ERP Security BV.

Thank you!
