security asap

INTEGRITY Security (A)SAP (very) Short introduction to SAP security Bruno Morisson <[email protected]>

Upload: morisson

Post on 05-Dec-2014


Page 1: Security asap

INTEGRITY

Security (A)SAP

(very) Short introduction to SAP security

Bruno Morisson <[email protected]>

Page 2: Security asap

About

Consultant and Partner @ INTEGRITY

Leading Consulting and Penetration Testing engagements

Breaking things, and finding how to fix them

OSCP, CISSP-ISSMP, CISA, ISO27001LA

Currently doing the MSc in Information Security @ Royal Holloway, University of London.

Organizing BSidesLisbon 2013

@morisson

http://www.linkedin.com/in/morisson

Page 3: Security asap

What is SAP ?

SAP, started in 1972 by five former IBM employees in Mannheim, Germany, states that it is the world's largest inter-enterprise software company and the world's fourth-largest independent software supplier, overall.

The original name for SAP was German: Systeme, Anwendungen, Produkte, German for "Systems Applications and Products." The original SAP idea was to provide customers with the ability to interact with a common corporate database for a comprehensive range of applications. Gradually, the applications have been assembled and today many corporations, including IBM and Microsoft, are using SAP products to run their own businesses.

Source: http://searchsap.techtarget.com/definition/SAP

Page 4: Security asap

Say that again??

Customer Relationship Management (CRM)

Enterprise Resource Planning (ERP)

Product Lifecycle Management (PLM)

Supply Chain Management (SCM)

Supplier Relationship Management (SRM)

Page 5: Security asap

tl;dr

Extremely complex software that huge enterprises depend on for business critical applications

Page 6: Security asap

So, what about security ?

Page 7: Security asap

Page 8: Security asap

Page 9: Security asap

SAP Security Notes

[Chart: SAP Security Notes; horizontal axis Oct’11 to Jun’13, vertical axis 0 to 30]

Page 10: Security asap

SAP Security Notes

Page 11: Security asap

How often do you upgrade a complex business critical application ?

Page 12: Security asap

Common Problems

Integration

Default users/passwords

Misconfigured permissions

Lack of authentication

Cleartext protocols

Command Injection

Buffer overflows

SQLi

XSS

XXE

SSRF

...

Page 14: Security asap

So I sneezed...

SAP Security Note 1816536 / CVE-2013-3319

Page 15: Security asap

SAP Security Note 1816536

21 Aug 2012 – Reported vulnerability to vendor

23 Aug 2012 – Vendor acknowledged vulnerability

22 Oct 2012 – Vendor contact, with status update

23 Jan 2013 – Contacted vendor, requesting status update

23 Jan 2013 – Vendor replied with status update

9 Apr 2013 – Vendor releases patch

9 Jul 2013 – Advisory released

Page 16: Security asap

SAP Security Note 1816536

Summary

Symptom

An attacker can discover information relating to used Operating System Version, Databases Version who uses SAP Host Agent.

This information could be used to allow the attacker to specialize their attacks against the Operating System and Databases Software.

Page 17: Security asap

Page 18: Security asap

DEMO

Page 19: Security asap

Page 20: Security asap

SAProuter

What is SAProuter ?

SAProuter is an SAP program that acts as an intermediate station (proxy) in a network connection between SAP Systems, or between SAP Systems and external networks. SAProuter controls the access to your network (application level gateway), and, as such, is a useful enhancement to an existing firewall system (port filter).

Figuratively speaking, the firewall acts as an impenetrable wall around your network. However, since particular types of connections need to penetrate this wall, a “hole” has to be made in the firewall. SAProuter assumes the control of this hole.

Source: http://help.sap.com/saphelp_nw70/helpdata/en/4f/992d39446d11d189700000e8322d00/content.htm

Page 21: Security asap

SAProuter

Page 22: Security asap

SAProuter

Permission   From   To   Serv   Pass
P            *      *    3200
S            *      *    3200
D            *      +    *
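An added example, not from the original slides: a small Python audit of the route permission table shown on the slide above. It assumes the usual saprouttab semantics (entries are evaluated top to bottom, the first match decides, a route with no matching entry is refused); the function names are hypothetical and only plain P, S and D entries with literal or `*` fields are handled.

```python
import fnmatch

# The three entries from the slide (columns: permission, from, to, service).
SLIDE_TABLE = """\
P * * 3200
S * * 3200
D * + *
"""

def parse_saprouttab(text):
    """Return (line_no, action, src, dst, service) for each P/S/D entry."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()      # assumed: '#' starts a comment
        fields = line.split()
        if len(fields) < 4 or fields[0].upper() not in ("P", "S", "D"):
            continue                              # blank line or entry type not handled here
        rules.append((n, fields[0].upper(), fields[1], fields[2], fields[3]))
    return rules

def decide(rules, src, dst, service):
    """Assumed semantics: first matching entry wins, no match means refused."""
    for _, action, r_src, r_dst, r_svc in rules:
        if (fnmatch.fnmatchcase(src, r_src)
                and fnmatch.fnmatchcase(dst, r_dst)
                and r_svc in ("*", str(service))):
            return action
    return "D"

def audit(rules):
    """Flag permit entries (P or S) that leave a field fully wildcarded."""
    findings = []
    for n, action, r_src, r_dst, r_svc in rules:
        if action == "D":
            continue
        open_fields = [name for name, value in
                       (("from", r_src), ("to", r_dst), ("service", r_svc))
                       if value == "*"]
        if open_fields:
            findings.append((n, action, open_fields))
    return findings

if __name__ == "__main__":
    table = parse_saprouttab(SLIDE_TABLE)
    for line_no, action, fields in audit(table):
        print(f"line {line_no}: {action} entry is open on {', '.join(fields)}")
```

Both permit entries are reported because any source may reach any destination on port 3200; restricting the From and To columns to named hosts removes the finding.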

Page 23: Security asap

SAProuter

Page 24: Security asap

sap_router_portscanner.rb

msf auxiliary(sap_router_portscanner) > show options

Module options (auxiliary/scanner/sap/sap_router_portscanner):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   CONCURRENCY     1                yes       The number of concurrent ports to check per host
   INSTANCES       00-99            no        SAP instance numbers to scan (NN in PORTS definition)
   MODE            SAP_PROTO        yes       Connection Mode: SAP_PROTO or TCP (accepted: SAP_PROTO, TCP)
   PORTS           32NN             yes       Ports to scan (e.g. 3200-3299,5NN13)
   RHOSTS          192.168.1.175    yes       The target address range or CIDR identifier
   SAPROUTER_HOST  192.168.1.25     yes       SAPRouter address
   SAPROUTER_PORT  3299             yes       SAPRouter TCP port
   THREADS         1                yes       The number of concurrent threads

msf auxiliary(sap_router_portscanner)

Page 25: Security asap

DEMO

Page 26: Security asap

Page 27: Security asap

Questions ?