Slide 1 - CanSecWest - CanSecWest Applied Security


Mo’ Budget, Mo’ Problems
Steve Lord, Mandalorian
What is this talk about?
Large IT Projects
 System Integrators
 SAP

What is SAP?
Enterprise Resource Planning (SAP R/3)
 CRM
 EP
 HR
 FI/CO
 BW
 MM
 PP

What is SAP/R3, really?
Business process re-implementation
 Fancy MIS framework with template processes
 Big basket for corporate eggs

Fundamentals of Large Projects

The bigger the budget, the harder the fall
Compound delays due to complex dependencies
 Corners cut to meet deadlines
 Functionality Vs. Security
 Decision rarely based upon business case

When was the last time you signed off $xxx million?

Don’t believe me?
Irish HSE PPARs and FISP Systems

PPARs (HR) and FISP (FI/CO)
Projected Combined Cost - £6.2mil
 PPARs Cost when halted in 2005 - £80mil
 FISP Cost when halted - £20.7mil
 Revenues for Deloitte & Touche - £34.5mil
 Revenues for SAP – Undisclosed (not part of D&T’s fees)

PPARs

“It’s like a case study in how not to run a project … It’s appalling stuff.” – Enda Kenny, Fine Gael Leader

PPARs could’ve paid for:
A 600 bed Hospital
 20 St. Patrick’s Day beers for Every Man, Woman and Child in Ireland

HP’s Internal Failure

iGSO
Launched in 2002
 Consolidate 350 Digital, Compaq, HP, Tandem systems
 Expected finish date 2007

HP: The Adaptive Enterprise that couldn’t adapt

Total cost of Implementation failure
US$400 mil (revenue)
 US$275 mil (operating profit)
 3 Executives heads


Did I mention this was the total for Q3 2002?

How is SAP Implemented Internally?

Usually Poorly
Inadequate Skills/Experience
 Poor/No Business Requirements Capture
 Technology Driven Implementation
 Poor Documentation
 Usually very expensive ($20mil+)

How is SAP implemented by External Integrators?

Poorly
Front-loading Skills
 Business Requirements Capture?
 Partner-driven Implementation
 Poor/No Documentation
 Subject to contract wrangling
 Can be extremely expensive ($50mil+)

Where does it all go wrong?

Lack of:
Communication
 Contingency
 Requirements Capture/Analysis
 Simplicity
 Security

Where does Security come in?

At the end of a long queue

By the time it reaches us, it is:
 Non- or semi-functional
 Delayed
 Costing the business

Security’s role is to

SUSO (Shut Up, Sign Off)
Show me the SUSO

You need to sign this off

If you don’t
 You’re blocking the business
 You’re costing us money
 You’re getting in the way of the project

If you do
 It’s your backside on the dotted line
End of Talk

Oh you want more?
This is the price, right?
Come on down!
This is the price, right?
Quiz Show
 Prizes
 Need Victims Volunteers

How it works
Question is asked
 Potential answers are shown
 You have to guess which one of the answers was an actual response

This is the price, right?
Question 1
Why can’t we use SSH?
A) It (PuTTY) isn’t vendor supported
 B) SFTP Doesn’t support ASCII
 C) We don’t have a PKI
 D) Key Management is too difficult
 E) The TCO for OpenSSH is too high

Why can’t we switch off RSH?
A) It requires a server rebuild
 B) It requires extensive testing that would cost millions
 C) CowboyNeal
 D) We use telnet, you insensitive clod!
 E) We don’t know what it would break

Why did the SI buy the tin prior to completing the design stage?

A) Because the vendor rebate would be lower next year
 B) Because the client will have to write off the hardware expenditure anyway
 C) Because it’s easier to justify spending on one round of big tin than two rounds of smaller tin
 D) If the client has already paid a fortune up front they’re less likely to pull the plug later
Why were all the consultants on the job South African?
A) Because of S.A.’s extensive investment in enterprise technology training
 B) Because all the experienced guys are from Joburg
 C) Because they’re cheaper than native employees and have a lesser understanding of local employment law

Why are these not risks?

A) Because it’s not live yet
 B) Because you need an account to access the systems
 C) Because you’d need to have an RSH client and a copy of finger to access the systems
 D) Because you’d need to have an FTP client to gain access to an unshadowed /etc/passwd
 E) Because there are plenty of other ways in
 F) Because you’re holding the project up so just sign off or there’ll be trouble
Well done!

The good news is
People got prizes
The bad news is
We’re all losers in the end
Breaking SAP
Send in the clowns
SAP Structure
Infrastructure Issues
 Front-End Application
 Business Logic
 Business Processes
 Database Skullduggery

Infrastructure Issues
Let me paint you a picture
What does an SAP deployment look like?
Points of interest
There is no standard deployment
 There should be Firewalls involved
 If there are, Any-Any rules may be used
 Sometimes the File Server(s) are shared between dev, test and live too
 Sometimes the App Server(s) are shared between dev, test and live too

How (not) to conduct an SAP Pentest
Nmap
 Amap
 Nikto
 Nessus
 Metasploit

How to conduct an SAP Pentest
Nmap (-sS and -sU only, no -sV or -A, and watch timings)
 Manual confirmation of services with standard client tools
 RSH, Finger, Net View, Showmount, FTP
 No active exploitation
 Password guessing possible, but not automated

SAP Systems are
Unpatched
 Unhardened
 Unmaintained (caveat: security)
 Unmanaged (caveat: security)

Once you’ve got local access

Useful tools
R3Trans
 TP

SQL Trusts
OSQL -E
 SQLPLUS "/ as sysdba"
 mysql -u root, mysqld_safe

R3Trans
Uses SAP’s abstracted SQL model (TSQL)
 Uses ‘control files’ to perform actions upon databases
 R3Trans -d -v tests the database connection

R3Trans Control File
EXPORT
FILE='/tmp/.export/'
CLIENT=000
SELECT * FROM USR02

Start with:
R3Trans /tmp/control
Don’t forget to check trans.log
Where to look
/usr/sap/trans
 /usr/sap/<SID>
 /home/<SID>adm

There is no reason for these directories to be world-writable!
 Most should be 700, 770 or 775
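As an added defensive check (not code from the deck), this Python script audits the three directories the slide names for world-writable bits and for the 700/770/775 modes the slide expects. It assumes a plain Linux filesystem; the sample tree it builds is constructed for illustration and is not a real SAP layout.

```python
import os
import stat
import tempfile

# Directories the deck says to look at; <SID> stands for the SAP system id.
SAP_DIRS = ["/usr/sap/trans", "/usr/sap/<SID>", "/home/<SID>adm"]
# Modes the deck gives as the expected ones for these directories.
ACCEPTABLE_MODES = {0o700, 0o770, 0o775}


def audit_dir(path):
    """Describe the permission bits of one directory."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    return {
        "path": path,
        "mode": oct(mode),
        "world_writable": bool(mode & stat.S_IWOTH),
        "acceptable": mode in ACCEPTABLE_MODES,
    }


def audit_sap_dirs(sid, root="/"):
    """Audit the standard SAP directories of system `sid` below `root`."""
    findings = []
    for template in SAP_DIRS:
        rel = template.replace("<SID>", sid).lstrip("/")
        path = os.path.join(root, rel)
        if not os.path.isdir(path):
            findings.append({"path": path, "missing": True})
            continue
        findings.append(audit_dir(path))
    return findings


def build_sample_tree(sid="DEV"):
    """Constructed sample layout (not a real system): trans dir left 777."""
    root = tempfile.mkdtemp(prefix="sap_audit_")
    layout = {
        "usr/sap/trans": 0o777,  # the world-writable case the deck warns about
        "usr/sap/" + sid: 0o770,
        "home/" + sid + "adm": 0o700,
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(path)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for finding in audit_sap_dirs("DEV", build_sample_tree("DEV")):
        print(finding)
```

Run it against a real host with `audit_sap_dirs("<SID>")` and the default root to list which of the three directories are missing, world-writable, or outside the expected modes.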

From the trenches

“We use RSH to copy files around the environment. RSH has a feature called .rhosts which enables us to restrict access to specific users or hosts”
Front-End Issues
Busting down the door citing section 404
What front-end?

SAP has many
SAPGUI
 WebGUI/NetWeaver/ITS/EP
 SAPRFC


For the sake of time we will focus on SAPGUI
These issues do apply elsewhere though
SAPGUI

See the box up next to the green tick?
 Use /? to start debugging
 Type in a transaction code (T-Code) to start a transaction
SAP Transactions of Note
SU01 – User Authorization
SU02 – User Profile Administration
RZ04 – Maintain SAP Instances
SECR – Audit Information System
SE11 – Data Dictionary
SE38 – ABAP Editor
SE61 – R/3 Documentation
SM21 – System Log
SM31 – Table Maintenance
SM51 – List of Targets SAP Servers
SU24 – Disable Authorization Checks
SM49 – Execute Operating System Commands
SU12 – Delete All Users
PE51 – HR Form Editor (HR)
P013 – Maintain Positions (HR)
P001 – Maintain Jobs (HR)
SAP Transactions of Note
AL08 – Users Logged On
AL11 – Display SAP Directories
OS01 – LAN Check with Ping
OS03 – Local OS Parameter changes
OS04 – Local System Configuration
OS05 – Remote System Configuration
OSS1 – SAP’s Online Service System
PFCG – Profile Generator
RZ01 – Job Scheduling Monitor
RZ20 – CCMS Monitoring
RZ21 – Customize CCMS Monitor
SA38 – ABAP/4 Reporting
SCC0 – Client Copy
SE01 – Transport and Correction System
SE13 – Maintain Technical Settings (Tables)
SUIM – Repository Information System
You can’t access those!

I can access them (or equivalents) if restrictions are based on:
 Easy Access Menu Items
 Transactions only
 Custom tables (e.g. a ZUSERS table of allowed users)
Restrictions need to be implemented at the Authorization level
So what else is there?
Reports
 RPCIFU01 – Display File
 RPCIFU03 – Download Unix File
 RPCIFU04 – Upload Unix File
 RPR_ABAP_SOURCE_SCAN – Search ABAP for a string ;)
 RSBDCOS0 – Execute OS Command
 RSPARAM – Check System Parameters
 RSORAREL – Get the Oracle System Release
Tables
Accessible through:
 SE16 (Maintain Tables)
 SE17 (Display Tables)
 SA38 (Execute ABAP)
 SE38 (ABAP Editor)
 Customizations (ZZ_TABLE_ADMIN etc.)
Will Be Covered Later
Job Scheduler
Can’t get OS access?
Use SM36 or SM36WIZ Instead
 Specify Immediate Start
 External Program as Step
Custom Transaction fun

Input Validation
Selection Criteria Expansion
 Path specification (../../, // etc)
 Shell Escapes (; /bin/ls, |"/bin/ls"| etc)
 SQL Injection
 Export/Import file fun and games

Bypass Authorization Checks
From the trenches

“As discussed in the meeting on <redacted> with <redacted>, we’ve agreed that there is no further action required. I appreciate that you are on holiday at the moment, but we will take your expected non-response in advance as agreement upon the matter.”
Database Skullduggery
Here be Dragons
Database Stuff
The Database contains all the data.
 The Database is accessed by SAP users through the SAP system.
 The SAP database is not subject to the same controls as SAP itself.

WARNING: DO NOT MODIFY THE DATABASE WITHOUT PERMISSION SIGNED IN BLOOD (not yours)
Getting In
Patch Weaknesses
 Brute Force
 Roundhouse Kicks
 Default Accounts

Speaking of Default Accounts

Default Accounts (with Oracle Hashes)
DDIC/199220706 (4F9FFB093F909574)
 SAP/SAPR3 (BEAA1036A464F9F0)
 SAP/6071992 (B1344DC1B5F3D903)
 SAPR3/SAP (58872B4319A76363)
 EARLYWATCH/SUPPORT (8AA1C62E08C76445)

Note about Schemas
<610 has SAPR3 as Schema Owner
 >610 uses SAP as Schema Owner

Database Queries of Note
SELECT MANDT,BNAME,BCODE,USTYP,CLASS FROM <SAPDB>..USR02
 SELECT * FROM UST04
 SELECT * FROM TSTCT WHERE SPRSL = 'E'
 SELECT * FROM DBCON
 exec master.dbo.xp_cmdshell 'cmd.exe /c net view'

Common Values in the DB
ACTVT – Activity Code
 USTYP – User Type
 MANDT – Client Number
 BUKRS – Company Code
 BEGRU – Authorization

USTYP values
USTYP specifies the type of user (used in USR02)
A – Dialog (interactive user)
C – Communications (CPIC)
D – System (BDC)
S – Service
L – Reference
People often don’t change passwords on CPIC users as they’re not sure what breaks
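As an added audit example (not from the deck), the following Python walks a USR02 extract and reports the two things this slide and the default-accounts slide point at: default accounts still present, and CPIC users (USTYP C) whose password has not been changed recently. Columns MANDT, BNAME, USTYP and CLASS follow the deck's own query; PWDCHGDATE is an assumed column name for the last password-change date, SAP* is added as a well-known default the deck does not list, and the extract is constructed sample data.

```python
from datetime import datetime

# Columns MANDT, BNAME, USTYP and CLASS follow the deck's USR02 query;
# PWDCHGDATE is an assumed column name for the last password-change date.
# DDIC and EARLYWATCH come from the deck's default-account list; SAP* is
# the standard SAP superuser, added here (it is not in the deck).
DEFAULT_USERS = {"SAP*", "DDIC", "EARLYWATCH"}

# Constructed SE16-style pipe-delimited extract (sample data, not real).
SAMPLE_EXTRACT = """\
MANDT|BNAME|USTYP|CLASS|PWDCHGDATE
000|DDIC|A|SUPER|20050101
000|SAP*|A|SUPER|20060401
100|ALICE|A|FI_USER|20060315
100|RFCBATCH|C|RFC|20040712
100|EARLYWATCH|A|SUPER|20050210
200|CPIC_LEGACY|C|RFC|20060301
"""


def parse_usr02(text):
    """Turn a pipe-delimited extract into a list of row dicts."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split("|")
    return [dict(zip(header, line.split("|"))) for line in lines[1:]]


def audit_users(rows, today, max_age_days=90):
    """Flag default accounts and CPIC users (USTYP C) with stale passwords.

    `today` is a YYYYMMDD string so the result is reproducible on any date.
    """
    ref = datetime.strptime(today, "%Y%m%d").date()
    defaults, stale_cpic = [], []
    for row in rows:
        key = (row["MANDT"], row["BNAME"])  # users are per client (MANDT)
        if row["BNAME"] in DEFAULT_USERS:
            defaults.append(key)
        if row["USTYP"] == "C":
            changed = datetime.strptime(row["PWDCHGDATE"], "%Y%m%d").date()
            if (ref - changed).days > max_age_days:
                stale_cpic.append(key)
    return {"default_accounts": defaults, "stale_cpic": stale_cpic}


if __name__ == "__main__":
    print(audit_users(parse_usr02(SAMPLE_EXTRACT), "20060420"))
```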
Tables to look at
BKPF – Accounting Header (FI)
BSEG – Accounting Document Segment (FI)
CEPC – Profit Master Data
EKKO – PO Header
RSEG – Incoming Invoice
RBKP – Invoice Receipts
KNA1 – Customer Master Records
LFA1 – Vendor Master Records
PNP – Personnel Data (HR Only)
CSKS – Cost Centre Master (HR)
T569V – Payroll Control Records (HR)
Subverting Business Logic
It’s not a lie, we just didn’t tell you that
How SAP Controls Access
Local logon details in USR02
 Profile details in UST04, USR04 etc.
 Authorizations & Profiles

Custom SAP Code and Access Control

ABAPs and Auths 101

Authorization checks
 AUTHORITY-CHECK OBJECT <object>
If the authority check statement isn’t there, it is assumed that you can go ahead!
SAP Authorization Concept
Common Authorization Snafus
‘Pyramid Structure’ Approach
 Overly Restrictive Approach
 Use Standard SAP Profiles Approach
 Transactions/Menu only Approach
 Objects only Approach

So what happens when things go wrong?
When things go wrong
Too much access
 Too little access
 Disgruntled Employees and no audit trail
 Enron style fun

Business Process Hacking
Where you too can be like Neo
Business Process Hacking
When your business processes are correctly aligned all is good.
 When they aren’t…
 … And it’s even worse when it’s legislation
BPH Vs. Social Engineering

From the Canadian Charter of Rights and Freedoms:

20. (1) Any member of the public in Canada has the right to communicate with, and to receive available services from, any head or central office of an institution of the Parliament or government of Canada in English or French, and has the same right with respect to any other office of any such institution where
a) there is a significant demand for communications with and services from that office in such language; or
b) due to the nature of the office, it is reasonable that communications with and services from that office be available in both English and French.
Is this charter open to abuse?
BPH Example

User provisioning policy not correctly implemented
Weakness: New users created but old ones not disabled
 Result: Accounts can be used after owners leave

BPH Example #2

Evening meal expense claim requires signature of most senior person present
Then signed off by person at higher grade
 No requirement to list people present

How does this tie into SAP?

SAP process integration
If the process fits…
 If it doesn’t?

A word from our sponsors
Well, Steve has to get revenue somehow
OWASP-EAS
Stays crisp in milk
What?
 Why?
 How?
 When?

What?
OWASP-Enterprise Application Security Project
 Enterprise Grade Schnizzle

Requirements Guidelines
 Audit Programmes
 Business-level and tech guidance docs

Why?
OWASP is great for Web-based stuff
 It’s great for toy applications
 It’s not great for large business systems

Not applicable
 Not relevant
 Not ‘Enterprise Grade’

How?

Initial Launch
Parent OWASP-EAS Mailing List
 Develop industry links
 Initial projects

 OWASP-EAS RFP Guide
 Security Document Templates
 SAP Assessment Guide
 White Papers
When?

Real Soon Now*
Formal launch in June ‘06
 ‘Soft’ Launch End April
 Mailing List
 Sub-Projects Initiation

*may contain nuts
Conclusions
SAP is teh r0x0r
 The people who implement it aren’t necessarily so
 OWASP-EAS will help them… to a point
