
A Holistic View on SAP Security: Why Securing Production Systems Is Not Enough

March 12th, 2013, BIZEC Workshop

Mariano Nunez [email protected] @marianonunezdc
Juan Perez-Etchegoyen [email protected] @jp_pereze

2 www.onapsis.com – © 2013 Onapsis, Inc. – All rights reserved

Disclaimer

This publication is copyright 2013 Onapsis Inc. – All rights reserved.

This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or registered trademarks of Business Objects in the United States and/or other countries.

SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials.


A Cyber-criminal & SAP systems

● If an attacker is after an SAP system, he is probably looking to perform:

ESPIONAGE: Obtain customers/vendors/human resources data, financial planning information, balances, profits, sales information, manufacturing recipes, etc.

SABOTAGE: Paralyze the operation of the organization by shutting down the SAP system, disrupting interfaces with other systems, deleting critical information, etc.

FRAUD: Modify financial information, tamper with sales and purchase orders, create new vendors, modify vendor bank account numbers, etc.

What is his goal? The SAP Production System

Diagram: the SAP Production System, surrounded by the business processes it runs: Sales, Production, Financial Planning, Invoicing, Procurement, Treasury, Logistics, Payroll, Billing, Human Resources.

Where an attacker would probably hit…

• SAP systems are built upon several layers.

• Segregation of Duties (SoD) controls apply at the Business Logic layer.

• The SAP Application Layer (NetWeaver/BASIS) is common to most modern SAP solutions, serving as the base technological framework.

Diagram, from bottom to top: Operating System and Database (Base Infrastructure); SAP Application Layer and SAP Business Logic (SAP Solution).

On October 30th 2012, Anonymous claimed intent to exploit SAP systems. They claimed to have broken into the Greek Ministry of Finance (to be confirmed) and mentioned:

"We have new guns in our arsenal. A sweet 0day SAP exploit is in our hands and oh boy we're gonna sploit the hell out of it."

So we know that the SAP Application Layer is the weak spot and where the attacker will hit.

But… which system will he attack first?

PRD?

QAS?

DEV?

Why attack DEV?

● Production systems usually fall under the scope of internal/external audits, so they are more “secure”.

● Development systems are not considered security-sensitive.

● Access controls and security settings are relaxed, so there are high chances of exploiting SAP application-layer vulnerabilities.

● No Security Auditing features are enabled, so there are low chances of being detected.

● They usually have explicit and implicit relationships with target systems, so they are the perfect “pivot”.

DEV – Explicit Relationships

● Injection of backdoors / rootkits in ABAP programs that get to PRD.

● Abuse of insecure RFC destinations.

DEV – Implicit Relationships

● Password Cracking & Shared Passwords

● SAP administrators' passwords tend to be the same across several systems.

● Once inside DEV, he would:

1. Access the USR02 table
2. Obtain the password hashes for users with SAP_ALL privileges
3. Crack the password hashes with John The Ripper
4. Log in to SAP PRD simply using SAPGUI!

Securing PRD Holistically

● Regular audits focus on the Production System: the Production Client and the Central Instance.

● But... what about the “other” clients?

Default clients: 000, 001, 066
Production client: 400
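As an added example (not code from the deck or from Onapsis), a Python audit check that covers the two gaps above from the defender's side: administrators whose password hash is reused between DEV and PRD (the shared-password pivot) and SAP_ALL holders sitting in the default clients that a production-client-only audit never looks at. It assumes a per-system export of user, client, password hash and assigned profiles; the sample rows and hash strings are constructed placeholders.

```python
"""Landscape-wide audit check (added example): flag SAP_ALL users whose password
hash is reused across systems, and SAP_ALL users living in the default clients."""
from collections import defaultdict
from dataclasses import dataclass

DEFAULT_CLIENTS = {"000", "001", "066"}  # default clients named on the slide
ADMIN_PROFILE = "SAP_ALL"

@dataclass(frozen=True)
class UserRecord:
    system: str          # system ID, e.g. DEV / QAS / PRD
    client: str          # client number
    user: str            # user name
    pw_hash: str         # opaque hash string as exported; never decoded here
    profiles: frozenset  # profiles assigned to the user in that client

# Constructed sample export: hash values are placeholders, not real hashes.
# In practice the rows come from USR02 joined with the profile assignments.
SAMPLE = [
    UserRecord("DEV", "100", "BASISADM", "hash_A", frozenset({"SAP_ALL"})),
    UserRecord("PRD", "400", "BASISADM", "hash_A", frozenset({"SAP_ALL"})),
    UserRecord("DEV", "100", "DEVELOPER", "hash_B", frozenset({"Z_DEV"})),
    UserRecord("PRD", "400", "DEVELOPER", "hash_C", frozenset({"Z_DEV"})),
    UserRecord("PRD", "400", "FI_CLERK", "hash_D", frozenset({"Z_FI"})),
    UserRecord("PRD", "000", "INSTALLADM", "hash_E", frozenset({"SAP_ALL"})),
]

def shared_admin_hashes(records):
    """Users holding SAP_ALL somewhere whose hash is identical in more than one
    system: compromising the weakest system then yields a PRD login."""
    admins = {r.user for r in records if ADMIN_PROFILE in r.profiles}
    systems_by_user_hash = defaultdict(set)
    for r in records:
        if r.user in admins:
            systems_by_user_hash[(r.user, r.pw_hash)].add(r.system)
    return sorted((user, tuple(sorted(sids)))
                  for (user, _), sids in systems_by_user_hash.items()
                  if len(sids) > 1)

def admins_in_default_clients(records, system="PRD"):
    """SAP_ALL holders in clients 000/001/066 of the given system, which an
    audit scoped to the production client alone does not cover."""
    return sorted((r.client, r.user) for r in records
                  if r.system == system and r.client in DEFAULT_CLIENTS
                  and ADMIN_PROFILE in r.profiles)

if __name__ == "__main__":
    print(shared_admin_hashes(SAMPLE))        # [('BASISADM', ('DEV', 'PRD'))]
    print(admins_in_default_clients(SAMPLE))  # [('000', 'INSTALLADM')]
```

Comparing hash strings only reveals reuse for hash versions that are not randomly salted; with randomly salted hashes the same password yields different strings, so cross-system reuse has to be prevented by policy rather than found this way.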

Securing PRD Holistically

● And... what about the “other” instances?

Diagram: the PRD system with its Central Instance (CI) and several further instances (D).

Conclusions

● Real-world attackers would likely not target the Production system directly, but rather go after the weakest link in the chain.

● Even “compliant” and “secure” Production systems can be compromised if the security of the platform has not been thought through holistically.

● In order to do so, we have to think like a potential attacker and mitigate the vulnerabilities with the highest risk (easiest to exploit & resulting in high privileges).

● Holistic security at the SAP Application Layer involves every landscape, every system, and every instance and client.

Questions?

Stay tuned!

@onapsis
@marianonunezdc
@jp_pereze

Thank you!