Slide 1 - CanSecWest - CanSecWest Applied Security
Mo’ Budget, Mo’ Problems
Steve Lord, Mandalorian
What is this talk about?
Large IT Projects
System Integrators
SAP
What is SAP?
Enterprise Resource Planning (SAP R/3)
CRM
EP
HR
FI/CO
BW
MM
PP
What is SAP R/3, really?
Business process re-implementation
Fancy MIS framework with template
processes
Big basket for corporate eggs
Fundamentals of Large Projects
The bigger the budget, the harder the fall
Compound delays due to complex dependencies
Corners cut to meet deadlines
Functionality Vs. Security
Decision rarely based upon business case
When was the last time you signed off $xxx million?
Don’t believe me?
Irish HSE PPARS and FISP
Systems
PPARS (HR) and FISP (FI/CO)
Projected Combined Cost - £6.2mil
PPARS Cost when halted in 2005 - £80mil
FISP Cost when halted - £20.7mil
Revenues for Deloitte & Touche - £34.5mil
Revenues for SAP – Undisclosed (not part of D&T’s fees)
PPARS
“It’s like a case study in how not to run a project … It’s appalling stuff.” – Enda Kenny, Fine Gael Leader
PPARS could’ve paid for:
A 600 bed Hospital
20 St. Patrick’s Day beers for Every Man, Woman and Child in Ireland
HP’s Internal Failure
iGSO
Launched in 2002
Consolidate 350 Digital, Compaq, HP, Tandem systems
Expected finish date 2007
HP: The Adaptive Enterprise that couldn’t adapt
Total cost of Implementation failure
US$400 mil (revenue)
US$275 mil (operating profit)
Three executives’ heads
Did I mention this was the total for Q3 2004?
How is SAP Implemented Internally?
Usually Poorly
Inadequate Skills/Experience
Poor/No Business Requirements Capture
Technology Driven Implementation
Poor Documentation
Usually very expensive ($20mil+)
How is SAP Implemented by External Integrators?
Poorly
Front-loading Skills
Business Requirements Capture?
Partner-driven Implementation
Poor/No Documentation
Subject to contract wrangling
Can be extremely expensive ($50mil+)
Where does it all go wrong?
Lack of:
Communication
Contingency
Requirements Capture/Analysis
Simplicity
Security
Where does Security come in?
At the end of a long queue
By the time it reaches us, it is:
Non- or semi-functional
Delayed
Costing the business
Security’s role is to
SUSO (Shut Up, Sign Off)
Show me the SUSO
You need to sign this off
If you don’t
You’re blocking the business
You’re costing us money
You’re getting in the way of the project
If you do
It’s your backside on the dotted line
End of Talk
Oh you want more?
This is the price, right?
Come on down!
This is the price, right?
Quiz Show
Prizes
Need Victims Volunteers
How it works
Question is asked
Potential answers are shown
You have to guess which one of the answers was an actual response
This is the price, right?
Question 1
Why can’t we use SSH?
A) It (PuTTY) isn’t vendor supported
B) SFTP Doesn’t support ASCII
C) We don’t have a PKI
D) Key Management is too difficult
E) The TCO for OpenSSH is too high
Why can’t we switch off RSH?
A) It requires a server rebuild
B) It requires extensive testing that would cost millions
C) CowboyNeal
D) We use telnet, you insensitive clod!
E) We don’t know what it would break
Why did the SI buy the tin prior to completing the design stage?
A) Because the vendor rebate would be lower next year
B) Because the client will have to write off the hardware expenditure anyway
C) Because it’s easier to justify spending on one round of big tin than two rounds of smaller tin
D) If the client has already paid a fortune up front they’re less likely to pull the plug later
Why were all the consultants on the job South African?
A) Because of S.A.’s extensive investment in enterprise technology training
B) Because all the experienced guys are from Joburg
C) Because they’re cheaper than native employees and have a lesser understanding of local employment law
Why are these not risks?
A) Because it’s not live yet
B) Because you need an account to access the systems
C) Because you’d need to have an RSH client and a copy of finger to access the systems
D) Because you’d need to have an FTP client to gain access to an unshadowed /etc/passwd
E) Because there are plenty of other ways in
F) Because you’re holding the project up so just sign off or there’ll be trouble
Well done!
The good news is
People got prizes
The bad news is
We’re all losers in the end
Breaking SAP
Send in the clowns
SAP Structure
Infrastructure Issues
Front-End Application
Business Logic
Business Processes
Database Skullduggery
Infrastructure Issues
Let me paint you a picture
What does an SAP deployment look like?
Points of interest
There is no standard deployment
There should be Firewalls involved
If there are, Any-Any rules may be used
Sometimes the File Server(s) are shared between dev, test and live too
Sometimes the App Server(s) are shared between dev, test and live too
How (not) to conduct an SAP Pentest
Nmap
Amap
Nikto
Nessus
Metasploit
How to conduct an SAP Pentest
Nmap (-sS and -sU only, no -sV or -A, and watch timings)
Manual confirmation of services with
standard client tools
RSH, Finger, Net View, Showmount, FTP
No active exploitation
Password guessing possible, but not automated
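The scan-then-confirm sequence above as a script, added here as an example rather than something from the talk. It assumes the target's SAP instance number is known (the dispatcher, gateway, message server and ICM listen on 32NN, 33NN, 36NN and 80NN for instance NN) and that nmap plus the classic clients (ftp, telnet, finger, showmount, rlogin, rsh) are installed on the tester's box; the target, instance number and SID are parameters, not values from the slides.

```bash
#!/usr/bin/env bash
# Added example, not from the talk: a low-impact SAP enumeration plan that
# follows the rules above (SYN/UDP scan only, then manual confirmation with
# standard clients, no exploitation). Assumptions: the target's SAP instance
# number is known, and nmap plus the classic Unix clients are installed.

# SAP port layout for instance number NN: dispatcher 32NN, gateway 33NN,
# message server 36NN, ICM HTTP 80NN.
sap_ports() {
  case $1 in
    [0-9][0-9]) ;;
    *) echo "instance number must be two digits, e.g. 00" >&2; return 1 ;;
  esac
  printf '32%s,33%s,36%s,80%s\n' "$1" "$1" "$1" "$1"
}

# Build the nmap command: -sS and -sU only (no -sV, -A or NSE), no ping, no
# DNS, a polite timing template and a single retry so the boxes are not
# hammered. The classic Unix services the slides confirm by hand are included.
nmap_cmd() {   # $1 target, $2 instance number
  sapports=$(sap_ports "$2") || return 1
  unixports='21,23,79,111,512,513,514,2049'
  printf 'nmap -sS -sU -Pn -n -T2 --max-retries 1 -p T:%s,%s,U:111,2049 %s\n' \
    "$sapports" "$unixports" "$1"
}

# Manual confirmation with standard clients instead of version probing.
confirm_cmd() {   # $1 target, $2 open TCP port, $3 SID (for the <sid>adm account)
  sid=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
  case $2 in
    21)       printf 'ftp -n %s\n' "$1" ;;                 # anonymous? try to RETR /etc/passwd
    23)       printf 'telnet %s\n' "$1" ;;                 # banner only, then quit
    79)       printf 'finger @%s\n' "$1" ;;                # logged-on users, often <sid>adm
    111|2049) printf 'showmount -e %s\n' "$1" ;;           # exports: /usr/sap/trans shared?
    513)      printf 'rlogin -l %sadm %s\n' "$sid" "$1" ;; # .rhosts trust from dev/test hosts?
    514)      printf 'rsh -l %sadm %s id\n' "$sid" "$1" ;; # same, non-interactive
    *)        printf '# port %s: no manual check defined\n' "$2" ;;
  esac
}

# Print the whole plan for review before anything is run against the target.
plan() {   # $1 target, $2 instance number, $3 SID
  nmap_cmd "$1" "$2" || return 1
  for p in 21 23 79 111 513 514; do confirm_cmd "$1" "$p" "$3"; done
  echo '# password guessing: by hand only, against named accounts, never automated'
}

if [ $# -eq 3 ]; then plan "$@"; fi
```

Run as `plan <target> <instance> <SID>` and read the printed commands before executing any of them; the nmap line deliberately carries no -sV, -A or --script, and every confirmation step is a client you would type by hand.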
SAP Systems are
Unpatched
Unhardened
Unmaintained (caveat: security)
Unmanaged (caveat: security)
Once you’ve got local access
Useful tools
R3trans
tp
SQL trusts
osql -E
sqlplus "/ as sysdba"
mysql -u root, mysqld_safe
R3trans
Uses SAP’s abstracted SQL model (TSQL)
Uses ‘control files’ to perform actions upon databases
R3trans -d -v
Test database connection
R3trans Control File
EXPORT
FILE='/tmp/.export/'
CLIENT=000
SELECT * FROM USR02
Start with:
R3trans /tmp/control
Don’t forget to check trans.log
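The control-file export and the trans.log check, written out as a script. This is an added example, not code from the talk; it assumes R3trans is on the PATH with the <SID>adm database environment loaded, that trans.log is written to the working directory (R3trans' default when no -w is given), and that the log ends in a "R3trans finished (NNNN)." line carrying the return code. The file names and the log excerpt used in the check are constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the talk: write an R3trans export control file, run
# it, and read the return code back out of trans.log instead of trusting the
# exit status alone. Assumptions: R3trans on PATH, <SID>adm environment
# loaded, trans.log written to the working directory.

# R3trans keywords are case-insensitive; file= names the data file it writes.
write_control_file() {   # $1 control file, $2 table, $3 client, $4 data file
  cat > "$1" <<EOF
export
client=$3
file='$4'
select * from $2
EOF
}

# trans.log ends with "R3trans finished (NNNN)." where NNNN is the return
# code: 0 OK, 4 warnings, 8 errors, 12 and above fatal. Prints the last one
# found with leading zeros stripped; prints nothing if no run is logged.
r3trans_rc() {   # $1 trans.log
  sed -n 's/.*R3trans finished (\([0-9]*\))\..*/\1/p' "$1" \
    | tail -n 1 | sed 's/^0*\([0-9]\)/\1/'
}

# Export one table from one client into $3; the data is usable if rc is 0 or 4.
export_table() {   # $1 table, $2 client, $3 working dir (trans.log lands here)
  mkdir -p "$3"
  write_control_file "$3/$1.ctl" "$1" "$2" "$3/$1.dat"
  ( cd "$3" && R3trans "$1.ctl" >/dev/null 2>&1 )
  rc=$(r3trans_rc "$3/trans.log")
  echo "R3trans return code: ${rc:-none}"
  [ -n "$rc" ] && [ "$rc" -le 4 ]
}

if [ $# -eq 3 ]; then export_table "$@"; fi
```

`export_table USR02 000 /tmp/.export` reproduces the slide's export; anything above 4 in trans.log means the data file is incomplete even if the process "ran".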
Where to look
/usr/sap/trans
/usr/sap/<SID>
/home/<SID>adm
There is no reason for these directories to be world writable!
Most should be 700, 770 or 775
From the trenches
“We use RSH to copy files around the environment. RSH has a feature called .rhosts which enables us to restrict access to specific users or hosts”
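A check for both points above, the world-writable SAP directories and the .rhosts trust the quote leans on, added here as an example and not taken from the talk. It assumes the directory layout from the "Where to look" slide, an OS user named <sid>adm, and runs on the application server as that user or root; the SID and the temporary files used to exercise it are made up.

```bash
#!/usr/bin/env bash
# Added example, not from the talk: list world-writable entries under the SAP
# directories named above, and audit .rhosts / hosts.equiv for wildcard trust
# and loose permissions. Assumptions: standard /usr/sap layout, <sid>adm user.

# Print every file or directory under the given roots that is writable by
# "other" (symlinks skipped, their mode is meaningless). Empty output = clean.
find_world_writable() {
  for root in "$@"; do
    [ -d "$root" ] || continue
    find "$root" -perm -0002 ! -type l -print
  done
}

# A "+" in the host or user column of .rhosts / hosts.equiv trusts every host
# or every user; a file writable by group or other lets anyone add such an
# entry. Prints findings and returns 1 if there were any.
audit_rhosts() {   # $1 path to .rhosts or /etc/hosts.equiv
  f=$1
  [ -f "$f" ] || return 0
  rc=0
  if [ -n "$(find "$f" \( -perm -0020 -o -perm -0002 \) -print)" ]; then
    echo "WRITABLE $f"; rc=1
  fi
  # awk exits 0 only when it saw a wildcard line, so && records the finding
  awk -v file="$f" '
    /^[[:space:]]*#/ || NF == 0 { next }
    $1 == "+" || $2 == "+" { print "WILDCARD " file ": " $0; found = 1 }
    END { exit found ? 0 : 1 }' "$f" && rc=1
  return $rc
}

# Audit one SAP system: transport dir, instance dir, admin home and trust files.
audit_sap_host() {   # $1 SID, e.g. PRD
  sid=$1
  adm=$(printf '%s' "$sid" | tr 'A-Z' 'a-z')adm
  home=$(getent passwd "$adm" 2>/dev/null | cut -d: -f6)
  home=${home:-/home/$adm}
  find_world_writable /usr/sap/trans "/usr/sap/$sid" "$home"
  audit_rhosts "$home/.rhosts"
  audit_rhosts /etc/hosts.equiv
}

if [ $# -eq 1 ]; then audit_sap_host "$1"; fi
```

`audit_sap_host PRD` prints nothing on a clean host; a "+ +" line in prdadm's .rhosts, or a transport directory anyone can write to, shows up as a single line each.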
Front-End Issues
Busting down the door citing section 404
What front-end?
SAP has many
SAPGUI
WebGUI/NetWeaver/ITS/EP
SAPRFC
For the sake of time we will focus on
SAPGUI
These issues do apply elsewhere though
SAPGUI
See the box up next to the green tick?
Use /? to start debugging
Type in a transaction code (T-Code) to start a transaction
SAP Transactions of Note
SU01 – User Maintenance
SU02 – Maintain Authorization Profiles
RZ04 – Maintain SAP Instances
SECR – Audit Information System
SE11 – Data Dictionary
SE38 – ABAP Editor
SE61 – R/3 Documentation
SM21 – System Log
SM31 – Table Maintenance
SM51 – List of SAP Servers
SU24 – Maintain Authorization Check Defaults (switch checks off)
SM49 – Execute External Operating System Commands
SU12 – Mass Changes to User Master Records (including Delete All Users)
PE51 – HR Form Editor (HR)
PO13 – Maintain Positions (HR)
P001 – Maintain Jobs (HR)
SAP Transactions of Note (cont.)
AL08 – Users Logged On
AL11 – Display SAP Directories
OS01 – LAN Check with Ping
OS03 – Local OS Parameter Changes
OS04 – Local System Configuration
OS05 – Remote System Configuration
OSS1 – SAP’s Online Service System
PFCG – Profile Generator
RZ01 – Job Scheduling Monitor
RZ20 – CCMS Monitoring
RZ21 – Customize CCMS Monitor
SA38 – ABAP/4 Reporting
SCC0 – Client Copy
SE01 – Transport and Correction System
SE13 – Maintain Technical Settings (Tables)
SUIM – User Information System
You can’t access those!
I can access them (or equivalents) if restrictions are based on:
Easy Access menu items
Transactions only
Custom tables (e.g. a ZUSERS table of allowed users)
Restrictions need to be implemented at the authorization level
So what else is there?
Reports
RPCIFU01 – Display File
RPCIFU03 – Download Unix File
RPCIFU04 – Upload Unix File
RPR_ABAP_SOURCE_SCAN – Search ABAP for a string ;)
RSBDCOS0 – Execute OS Command
RSPARAM – Check System Parameters
RSORAREL – Get the Oracle System Release
Tables
Accessible through:
SE16 (Data Browser)
SE17 (General Table Display)
SA38 (Execute ABAP)
SE38 (ABAP Editor)
Customizations (ZZ_TABLE_ADMIN etc.)
Will Be Covered Later
Job Scheduler
Can’t get OS access?
Use SM36 or SM36WIZ Instead
Specify
Immediate Start
External Program as Step
Custom Transaction fun
Input Validation
Selection Criteria Expansion
Path specification (../../, // etc)
Shell Escapes (; /bin/ls, |"/bin/ls"| etc)
SQL Injection
Export/Import file fun and games
Bypass Authorization Checks
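What the shell-escape and path items above look like from the operating system side, added here as an example that is not from the talk. The wrapper models an OS command that takes a user-supplied parameter (the shape of an SM49/SM69 external command with additional parameters allowed); the wrapper, the base directory and the file names are hypothetical, and nothing here touches a real SAP system.

```bash
#!/usr/bin/env bash
# Added example, not from the talk: a user-supplied parameter reaching an OS
# command, first the way the slides complain about, then hardened. The
# wrapper and the directory are hypothetical.

# Vulnerable: the parameter is pasted into a command string that a shell
# re-parses, so ';', '|', '$(...)' and '../' in it are all honoured.
list_file_unsafe() {   # $1 base directory, $2 user-supplied file name
  sh -c "ls -l $1/$2"
}

# Hardened: allow-list the characters, refuse anything that can leave the
# directory or look like an option, then run the tool directly with the
# argument as one word (no shell re-parse). Returns 2 on rejection.
list_file_safe() {   # $1 base directory, $2 user-supplied file name
  base=$1 name=$2
  case $name in
    ''|*[!A-Za-z0-9._-]*|.*|-*|*..*)
      printf 'rejected parameter: %s\n' "$name" >&2
      return 2 ;;
  esac
  ls -l -- "$base/$name"
}

# Demo against a throwaway directory: the same input through both paths.
demo() {
  d=$(mktemp -d)
  echo 'payroll run 12/2005' > "$d/report.txt"
  echo '--- unsafe, parameter "report.txt; id":'
  list_file_unsafe "$d" 'report.txt; id'          # ls runs, then id runs too
  echo '--- safe, same parameter:'
  list_file_safe "$d" 'report.txt; id' || echo "(blocked, rc=$?)"
  echo '--- safe, parameter "report.txt":'
  list_file_safe "$d" report.txt
  rm -rf "$d"
}

if [ "$1" = demo ]; then demo; fi
```

The same reasoning applies to the ABAP side: an external command that lets the caller append parameters is a shell prompt, and validation belongs before the call, not after.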
From the trenches
“As discussed in the meeting on <redacted> with <redacted>, we’ve agreed that there is no further action required. I appreciate that you are on holiday at the moment, but we will take your expected non-response in advance as agreement upon the matter.”
Database Skullduggery
Here be Dragons
Database Stuff
The Database contains all the data.
The Database is accessed by SAP users
through the SAP system.
The SAP database is not subject to the
same controls as SAP itself.
WARNING: DO NOT MODIFY THE DATABASE WITHOUT PERMISSION SIGNED IN BLOOD (not yours)
Getting In
Patch Weaknesses
Brute Force
Roundhouse Kicks
Default Accounts
Speaking of Default Accounts
Default Accounts (with Oracle Hashes)
DDIC/19920706 (4F9FFB093F909574)
SAP/SAPR3 (BEAA1036A464F9F0)
SAP/06071992 (B1344DC1B5F3D903)
SAPR3/SAP (58872B4319A76363)
EARLYWATCH/SUPPORT (8AA1C62E08C76445)
Note about Schemas
Releases before 6.10 use SAPR3 as the schema owner
6.10 and later use SAP<SID> as the schema owner
Database Queries of Note
SELECT MANDT, BNAME, BCODE, USTYP, CLASS FROM <SAPDB>..USR02
SELECT * FROM UST04
SELECT * FROM TSTCT WHERE SPRSL = 'E'
SELECT * FROM DBCON
EXEC master.dbo.xp_cmdshell 'cmd.exe /c net view' (SQL Server only)
Common Values in the DB
ACTVT – Activity Code
USTYP – User Type
MANDT – Client Number
BUKRS – Company Code
BEGRU – Authorization Group
USTYP values
USTYP specifies the type of user (used in
USR02)
A – Dialog (interactive user)
B – System (background / BDC)
C – Communications (CPIC)
S – Service
L – Reference
People often don’t change passwords on CPIC users as they’re not sure what breaks
Tables to look at
BKPF – Accounting Document Header (FI)
BSEG – Accounting Document Segment (FI)
CEPC – Profit Centre Master Data (CO)
EKKO – Purchasing Document Header (MM)
RSEG – Incoming Invoice Document Item (MM)
RBKP – Invoice Receipt Document Header (MM)
KNA1 – Customer Master Records
LFA1 – Vendor Master Records
PNP – Personnel Data (HR; a logical database over the PAnnnn infotype tables rather than a single table)
CSKS – Cost Centre Master (CO)
T569V – Payroll Control Records (HR)
Subverting Business Logic
It’s not a lie, we just didn’t tell you that
How SAP Controls Access
Local logon details in USR02
Profile details in UST04, USR04 etc.
Authorizations & Profiles
Custom SAP Code and Access Control
ABAPs and Auths 101
Authorization checks
AUTHORITY-CHECK OBJECT <object> ID <field> FIELD <value>.
IF sy-subrc <> 0. "not authorized: the program has to refuse here
ENDIF.
The check only sets sy-subrc. If the AUTHORITY-CHECK statement isn’t there, or sy-subrc is never tested, it is assumed that you can go ahead!
SAP Authorization Concept
Common Authorization Snafus
‘Pyramid Structure’ Approach
Overly Restrictive Approach
Use Standard SAP Profiles Approach
Transactions/Menu only Approach
Objects only Approach
So what happens when things go wrong?
When things go wrong
Too much access
Too little access
Disgruntled Employees and no audit trail
Enron style fun
Business Process Hacking
Where you too can be like Neo
Business Process Hacking
When your business processes are
correctly aligned all is good.
When they aren’t…
… And it’s even worse when it’s legislation
BPH Vs. Social Engineering
From the Canadian charter of rights and freedoms:
20. (1) Any member of the public in Canada has the right to communicate with, and to receive available services from, any head or central office of an institution of the Parliament or government of Canada in English or French, and has the same right with respect to any other office of any such institution where
a) there is a significant demand for communications with and services from that office in such language; or
b) due to the nature of the office, it is reasonable that communications with and services from that office be available in both English and French.
Is this charter open to abuse?
BPH Example
User provisioning policy not correctly implemented
Weakness: New users created but old ones not disabled
Result: Accounts can be used after owners leave
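Both of the account problems raised so far, the CPIC passwords nobody changes (from the USTYP slide) and the dialog accounts nobody disables (this example), can be pulled out of a USR02 extract with one pass. This is an added example, not from the talk. It assumes a tab-separated download of USR02 (SE16 or the R3trans export shown earlier) with a header row of field names; the field names are SAP's (BNAME user, USTYP type, ERDAT created, BCDA1 last password change, TRDAT last logon, GLTGB valid to, UFLAG lock status, dates as YYYYMMDD), the sample rows and the dates are constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the talk: triage a USR02 extract for system/CPIC
# users still on their initial password and for dialog users who stopped
# logging on but were never locked or expired. Sample rows are constructed.

# Write a constructed tab-separated extract with a USR02 header row.
make_sample_extract() {   # $1 output file
  {
    printf 'BNAME\tUSTYP\tERDAT\tBCDA1\tTRDAT\tGLTGB\tUFLAG\n'
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
      SAPCPIC   C 20031104 20031104 20060227 00000000 0 \
      ALEREMOTE C 20040512 20050901 20060228 00000000 0 \
      BATCHUSER B 20031104 00000000 00000000 00000000 0 \
      JSMITH    A 20040101 20050915 20050920 00000000 0 \
      MJONES    A 20040101 20060110 20060227 00000000 0 \
      RLEAVER   A 20040101 20050201 20050301 20050331 0 \
      TLOCKED   A 20040101 20050201 20050301 00000000 64
  } > "$1"
}

# INITIAL_PW: type C or B and no password change after creation (BCDA1 empty,
# zero, or equal to ERDAT). STALE_DIALOG: type A, last logon before the
# cutoff, not locked (UFLAG 0) and still valid (GLTGB empty/zero or >= today).
# Columns are located by header name, so column order in the extract is free.
triage_usr02() {   # $1 extract, $2 today (YYYYMMDD), $3 stale cutoff (YYYYMMDD)
  awk -F '\t' -v today="$2" -v cutoff="$3" '
    NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
    {
      name  = $(col["BNAME"]); typ   = $(col["USTYP"]); erdat = $(col["ERDAT"])
      bcda1 = $(col["BCDA1"]); trdat = $(col["TRDAT"]); gltgb = $(col["GLTGB"])
      uflag = $(col["UFLAG"])
      if ((typ == "C" || typ == "B") && (bcda1 == "" || bcda1 == "00000000" || bcda1 == erdat))
        printf "INITIAL_PW\t%s\t%s\n", typ, name
      if (typ == "A" && trdat != "" && trdat + 0 < cutoff + 0 && uflag + 0 == 0 &&
          (gltgb == "" || gltgb == "00000000" || gltgb + 0 >= today + 0))
        printf "STALE_DIALOG\t%s\t%s\n", trdat, name
    }' "$1"
}

if [ $# -eq 3 ]; then triage_usr02 "$@"; fi
```

With today as 20060301 and a cutoff of 20051201 the sample yields SAPCPIC and BATCHUSER as INITIAL_PW and JSMITH as STALE_DIALOG; RLEAVER is not reported because the validity end date has already passed, and TLOCKED is not reported because UFLAG 64 means an administrator lock. The output is a list to take to the user administrators, not a verdict: the CPIC rows in particular need the "what breaks" question answered before anything is changed.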
BPH Example #2
Evening meal expense claim requires
signature of most senior person present
Then signed off by person at higher grade
No requirement to list people present
How does this tie into SAP?
SAP process integration
If the process fits…
If it doesn’t?
A word from our sponsors
Well, Steve has to get revenue somehow
OWASP-EAS
Stays crisp in milk
OWASP-EAS
What?
Why?
How?
When?
What?
OWASP-Enterprise Application Security
Project
Enterprise Grade Schnizzle
Requirements Guidelines
Audit Programmes
Business-level and tech guidance docs
Why?
OWASP is great for Web-based stuff
It’s great for toy applications
It’s not great for large business systems
Not applicable
Not relevant
Not ‘Enterprise Grade’
How?
Initial Launch
Parent OWASP-EAS Mailing List
Develop industry links
Initial projects
OWASP-EAS
RFP Guide
Security Document Templates
SAP Assessment Guide
White Papers
When?
Real Soon Now*
Formal launch in June ‘06
‘Soft’ Launch End April
Mailing List
Sub-Projects Initiation
*may contain nuts
Conclusions
SAP is teh r0x0r
The people who implement it aren’t
necessarily so
OWASP-EAS will help them… to a point