dmitry chastukhin director of sap pentest research team
play

Dmitry Chastukhin Director of SAP pentest/research team Alexander - PowerPoint PPT Presentation

Oct 01, 2023 •257 likes •1.06k views

Invest in security to secure investments With BIGDATA comes BIG Responsibility: Practical exploiting of MDX injections Dmitry Chastukhin Director of SAP pentest/research team Alexander Bolshev Security analyst, audit department Dmitry

  1. Invest in security to secure investments With BIGDATA comes BIG Responsibility: Practical exploiting of MDX injections Dmitry Chastukhin – Director of SAP pentest/research team Alexander Bolshev – Security analyst, audit department

  2. Dmitry Chastukhin Yet another security researcher Business application security expert

  3. Alexander Bolshev Yet another man with “ somecolorhat ” Distributed systems researcher, Ph.D.

  4. Agenda • Developing software for SAP security monitoring • Leader by the number of acknowledgements from SAP • Invited to talk at more than 35 security conferences worldwide BlackHat (US/EU/DC/UAE), RSA, Defcon, CONFidence, HITB, etc. • First to develop software for NetWeaver J2EE assessment • The only solution to assess all areas of SAP security • Research team with experience in different areas of security from ERP and web to mobile, embedded and critical infrastructure, accumulating their knowledge on SAP research. Leading SAP AG partner in the field of discovering security vulnerabilities by the number of found vulnerabilities erpscan.com ERPScan — invest in security to secure investments 4

  5. Agenda OLAP and Big Data Details of technology MDX attacks: injections mdXML attacks Getting RCE with MDX Conclusion erpscan.com ERPScan — invest in security to secure investments 5

  6. OLAP & Big Data erpscan.com ERPScan — invest in security to secure investments 6

  7. WTH is OLAP? • Online analytical processing (OLAP) is an approach to formulate and answer multidimensional queries to large datasets. • OLAP technologies developed by many software giants since the 199x. • Business intelligence (BI) is a methodology that helps manager in the analysis of information inside and outside company. • OLAP is all about BI and Big Data. erpscan.com ERPScan — invest in security to secure investments 7

  8. OLAP && OLTP • Business strategy OLTP (Operations) • Business processing • Data Mining OLAP • Analytics (Information) • Decision making erpscan.com ERPScan — invest in security to secure investments 8

  9. Usage areas Retail Big Data Government Energy Healthcare Advertising erpscan.com ERPScan — invest in security to secure investments 9

  10. Main players of OLAP industry erpscan.com ERPScan — invest in security to secure investments 10

  11. Basic entities Simple table Country Date Country ? City Totals Customer Cities Supplier Supplier Product Totals What if we need to get totals by countries and suppliers vs. cities? Can we really do it in 2D? erpscan.com ERPScan — invest in security to secure investments 11

  12. So what? We’re in N -dimensions! erpscan.com ERPScan — invest in security to secure investments 12

  13. Cube will help! erpscan.com ERPScan — invest in security to secure investments 13

  14. MDX erpscan.com ERPScan — invest in security to secure investments 14

  15. WTH is MDX? • SQL isn’t convenient to access Big Data. • MDX (MultiDimension eXpressions) comes to replace it. • MDX looks like SQL, but it’s not SQL: – (usually) you can’t modify data – MDX is much stricter than SQL erpscan.com ERPScan — invest in security to secure investments 15

  16. MDX query form [ WITH <SELECT WITH clause> [ , <SELECT WITH clause>...n ] ] SELECT [ * | ( <SELECT query axis clause> [ , <SELECT query axis clause>,...n ] ) ] FROM <SELECT subcube clause> [ <SELECT slicer axis clause> ] [ <SELECT cell property list clause> ] erpscan.com ERPScan — invest in security to secure investments 16

  17. MDX SELECT query sample WITH MEMBER SelectedMeasure AS ([Measures].[Salary Paid]) SELECT { [SelectedMeasure] } ON COLUMNS , { ([Employee].[Department].[Department].[HQ Marketing], [Gender].[Gender].[M]) } ON ROWS FROM [HR] WHERE ([Store].[Store].AllMembers) erpscan.com ERPScan — invest in security to secure investments 17

  18. MDX Processing Data (SQL?) MDX mdXML OLTP OLAP Application Data erpscan.com ERPScan — invest in security to secure investments 18

  19. Attacks on MDX mdXML attacks (good old XXE and much more) MDX injections User-defined functions attacks erpscan.com ERPScan — invest in security to secure investments 19

  20. MDX Injections erpscan.com ERPScan — invest in security to secure investments 20

  21. What will help to inject? • Commentaries: – single line -- - (as in SQL) – multiline /* … */ • Special functions for dimensions and members crawling: Parent, FirstChild, LastChild, DefaultMember e.t.c. • Subqueries in FROM ( … ) erpscan.com ERPScan — invest in security to secure investments 21

  22. Where to inject? WITH MEMBER SelectedMeasure AS ([Measures]. [Salary Paid] ) SELECT here { [SelectedMeasure] } ON COLUMNS, { ([Employee].[Department].[Department].[HQ Marketing], [Gender].[Gender]. [M] ) } here ON ROWS FROM [HR] WHERE ([Store].[Store]. AllMembers ) here erpscan.com ERPScan — invest in security to secure investments 22

  23. Types of injections Pre-SELECT • You can do everything (WITH): • Partial cube info gathering and cross- In-SELECT: cube queries • Partial access to cube data In-WHERE • Blind MDX erpscan.com ERPScan — invest in security to secure investments 23

  24. Pre-SELECT injection WITH MEMBER SelectedMeasure AS ([Measures].[Salary Paid] MEMBER [Rank] AS ( Rank([Employee].[Employee].currentmember, Head([Employee].[Employee].members, Dimensions.count-1)) ) MEMBER HierName AS ( Dimensions([Rank]).uniquename ) SELECT {[Rank], [HierName]} on 0, {Head([Employee].[Employee].members, Dimensions.count-1)} on 1 FROM [HR] /* [Salary Paid]) SELECT { [SelectedMeasure] ...rest of query... erpscan.com ERPScan — invest in security to secure investments 24

  25. In-SELECT injection WITH MEMBER SelectedMeasure AS ([Measures].[Salary Paid]) SELECT { [SelectedMeasure] } ON COLUMNS, { ([Employee].[Department].[Department].[HQ Marketing], [Gender].[Gender].AllMembers, [User name].[User name].AllMembers) } ON ROWS FROM [HR] WHERE ([Store].[Store].AllMembers) /* [M] ) } ... rest of request ... erpscan.com ERPScan — invest in security to secure investments 25

  26. MDX Tips & Tricks (1) Use {null} on axis to get all or nothing You can use Dimensions to access cube dimensions LOOKUPCUBE provides access to another cube You can use /* multiline commentary without closing ‘*/’ Use DESCENDANTS to get all data around the member You can convert to/from strings to pass data within query erpscan.com ERPScan — invest in security to secure investments 26

  27. Blind MDX Injection As in SQL, it is possible to use blind injections in MDX: ON ROWS FROM [HR] WHERE (FILTER(([User name].[User name].AllMembers),LEFT([User name].CURRENTMEMBER.NAME, 10)="FoodMart\A")) /*[Store].[Store].AllMembers) This query will return null when there is no login with this starting substring, and something when it exists. • You can use InStr() MDX function to speed-up process. • When blinding dimensions in such way, you can use binary search with ‘>’ and ‘<‘ operators. erpscan.com ERPScan — invest in security to secure investments 27

  28. MDX Tips & Tricks (2) In Microsoft Analysis Services, it is a correct MDX query: SELECT * FROM $SYSTEM.MDSCHEMA_CUBES • If you control PRE-SELECT or the beginning of SELECT part of query, you’ll be probably able to retrieve ALL Cube Data and structure. • That can also be possible (in several cases) when you inject in ASP.Net applications. erpscan.com ERPScan — invest in security to secure investments 28

  29. We love you, Microsoft! erpscan.com ERPScan — invest in security to secure investments 29

  30. MDX UDF erpscan.com ERPScan — invest in security to secure investments 30

  31. User-Defined Function User-Defined Function (UDF) – these are functions written by the user or a third-party developer which can take and return values ​in the MDX syntax. «ProgramID»!«FunctionName»(«Argument1», «Argument2», ...) erpscan.com ERPScan — invest in security to secure investments 31

  32. Attack on UDF. IcCube OLAP Server IcCube OLAP Server • Popular OLAP Server • Free. Has a Community edition • Cross-platform Java app: Windows, Linux, • Fast • Has many utilities: IDE, web reports • etc… erpscan.com ERPScan — invest in security to secure investments 32

  33. IcCube OLAP Server erpscan.com ERPScan — invest in security to secure investments 33

  34. IcCube OLAP Server erpscan.com ERPScan — invest in security to secure investments 34

  35. IcCube OLAP Server • Of course IcCube used MDX, but where? • Send some request in WebReport, and look in Burp erpscan.com ERPScan — invest in security to secure investments 35

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

SRM Dmitry Litvintsev 7th international dCache workshop, May 27-29,2013 dCache Team Dmitry

SRM Dmitry Litvintsev 7th international dCache workshop, May 27-29,2013 dCache Team Dmitry

SRM Dmitry Litvintsev 7th international dCache workshop, May 27-29,2013 dCache Team Dmitry Litvintsev Wednesday, May 29, 13 Plan SRM, a reminder SRM parameters SRM troubleshooting dCache Team 2 Dmitry Litvintsev

827 views • 34 slides
Let's make pentesting fun again! Report writing in 5 minutes. Adrian Furtun Founder &amp; CEO

Let's make pentesting fun again! Report writing in 5 minutes. Adrian Furtun Founder &amp; CEO

Fab Romnia Let's make pentesting fun again! Report writing in 5 minutes. Adrian Furtun Founder &amp; CEO https://pentest-tools.com Pentest reporting 2018 https://pentest-tools.com 2 Pentest reporting 2018 https://pentest-tools.com 3

414 views • 17 slides
Hack in, Cash out Hacking and Securing Payment Technologies Tim Yunusov Transaction stream

Hack in, Cash out Hacking and Securing Payment Technologies Tim Yunusov Transaction stream

Hack in, Cash out Hacking and Securing Payment Technologies Tim Yunusov Transaction stream fraud Main question of the payment pentest Good pentest Bad pentest From our own accounts Get money from the bank Decisions, decisions 4

664 views • 38 slides
Assessing BYOD with the Smarthpone Pentest Framework Georgia

Assessing BYOD with the Smarthpone Pentest Framework Georgia

Assessing BYOD with the Smarthpone Pentest Framework Georgia Weidman BYOD Is Not New Contractor Laptop Rogue Access Point Gaming Console Tradi&gt;onal Vulnerability Scanning

1.28k views • 95 slides
Flexible, Scientific Infrastructure for Research on the Future of Cloud Computing Dmitry

Flexible, Scientific Infrastructure for Research on the Future of Cloud Computing Dmitry

Flexible, Scientific Infrastructure for Research on the Future of Cloud Computing Dmitry Duplyakin University of Utah NSF MERIF Workshop May 29, 2019 Recent Facility-focused Research Long-term study of hardware performance Paper

118 views • 7 slides
Yandex DC Design Evolution Dmitry Afanasiev, fl0w@yandex-team.ru Network Architect Yandex

Yandex DC Design Evolution Dmitry Afanasiev, fl0w@yandex-team.ru Network Architect Yandex

Yandex DC Design Evolution Dmitry Afanasiev, fl0w@yandex-team.ru Network Architect Yandex We're rather typical MSDC Monthly user audience of over 90 million worldwide. ~Services: search, music, video, cloud storage, news,

274 views • 9 slides
Pentest Accountability By Analyzing Network Traffic &amp; Network Traffic Metadata RP1

Pentest Accountability By Analyzing Network Traffic &amp; Network Traffic Metadata RP1

Pentest Accountability By Analyzing Network Traffic &amp; Network Traffic Metadata RP1 Presentation By Henk van Doorn &amp; Marko Spithoff Relevance Security Audits Company Detects (Attempted) Breach Accountability Of Actions 2

337 views • 22 slides
WELCOME ALL OUR TEAM. EMILY KWONG Biomedical Engineering DMITRY MALYSHEV Biomedical

WELCOME ALL OUR TEAM. EMILY KWONG Biomedical Engineering DMITRY MALYSHEV Biomedical

WELCOME ALL OUR TEAM. EMILY KWONG Biomedical Engineering DMITRY MALYSHEV Biomedical Engineering KIRUBHAKARAN KRISHNANATHAN Control System Engineering Content - Project idea - The Model Defining the Model Simulating the

415 views • 29 slides
Sequential Compressed Sensing Dmitry Malioutov DRW, research done mostly at MIT Joint work with

Sequential Compressed Sensing Dmitry Malioutov DRW, research done mostly at MIT Joint work with

Sequential Compressed Sensing Dmitry Malioutov DRW, research done mostly at MIT Joint work with Sujay Sanghavi and Alan Willsky September 03, 2009 1 Motivation Many important classes of signals are either sparse, or compressible. Examples:

384 views • 16 slides
RUSSIA. WHEN THE RIGHT TO LIFE IS DENIED Dmitry Borisov Executive Director UICC, 28 August, 2012

RUSSIA. WHEN THE RIGHT TO LIFE IS DENIED Dmitry Borisov Executive Director UICC, 28 August, 2012

RUSSIA. WHEN THE RIGHT TO LIFE IS DENIED Dmitry Borisov Executive Director UICC, 28 August, 2012 Oncology in figures 2.8 million of registered patients, i.e. 1.8 % of population 516 thousand new cases of malignant tumors (this indicator

355 views • 14 slides
Where OU R RESEARCH becomes CARE Administrative Team: Calvin James, PhD Interim Executive

Where OU R RESEARCH becomes CARE Administrative Team: Calvin James, PhD Interim Executive

Where OU R RESEARCH becomes CARE Administrative Team: Calvin James, PhD Interim Executive Director Sarah Adkins, PharmD Associate Director Karie Cook BSN, RN Director of Operations Stacy Wright, MSN, RN Outcomes and Resource

932 views • 23 slides
Complexity of distributions and average-case hardness Dmitry Sokolov joint work with Dmitry

Complexity of distributions and average-case hardness Dmitry Sokolov joint work with Dmitry

Complexity of distributions and average-case hardness Dmitry Sokolov joint work with Dmitry Itsykson and Alexander Knop St. Petersburg Department of V. A. Steklov Institute of Mathematics Problems in Theoretical Computer Science Moscow

716 views • 34 slides
July 2010 Tigran, Ricardo , Maarten, Andrea, Yves Kemp, Dmitry Ozerov, desy DOT Team, Martin

July 2010 Tigran, Ricardo , Maarten, Andrea, Yves Kemp, Dmitry Ozerov, desy DOT Team, Martin

NFS 4.1 demonstrator Jean-Philippe Baud, IT-GT, CERN Patrick Fuhrmann, DESY July 2010 Tigran, Ricardo , Maarten, Andrea, Yves Kemp, Dmitry Ozerov, desy DOT Team, Martin Gasthuber dCache.org Quick reminder on why we are doing this ! The next

404 views • 19 slides
Origins of our Research The Team Helping parents help their children Director of Student

Origins of our Research The Team Helping parents help their children Director of Student

Origins of our Research The Team Helping parents help their children Director of Student Orientation successfully Director of Student Engagement and transition to college Retention Author of Becoming a Learner

453 views • 5 slides
Learning: A Bayesian solution Dmitry P. Vetrov Research professor at HSE, Head of Bayesian

Learning: A Bayesian solution Dmitry P. Vetrov Research professor at HSE, Head of Bayesian

Open Problems in Deep Learning: A Bayesian solution Dmitry P. Vetrov Research professor at HSE, Head of Bayesian methods research group http://bayesgroup.ru Idea of the talk 2 Deep Learning Revolution in machine learning Deep neural

452 views • 26 slides
Security Basics - Lessons From a Paranoid Stuart Larsen Yahoo! Paranoids - Pentest

Security Basics - Lessons From a Paranoid Stuart Larsen Yahoo! Paranoids - Pentest

Security Basics - Lessons From a Paranoid Stuart Larsen Yahoo! Paranoids - Pentest Overview Threat Modeling - Common Web Vulnerabilities - Automated Tooling - Modern Attacks - whoami Threat Modeling Analyzing the security of an

558 views • 44 slides
MAKING THE DECISION 237 217 200 80 252 237 217 200 119 174 237 217 200 27 .59 255

MAKING THE DECISION 237 217 200 80 252 237 217 200 119 174 237 217 200 27 .59 255

1 MAKING THE DECISION 237 217 200 80 252 237 217 200 119 174 237 217 200 27 .59 255 0 163 131 239 110 112 62 102 130 255 0 163 132 65 135 92 102 56 120 255 0 163 122 53 120 56 130 48 111 Los Angeles

338 views • 18 slides
Neutrinos Saturday Morning Physics Leo Aliaga Fermilab November 4, 201 7 Standard Model and

Neutrinos Saturday Morning Physics Leo Aliaga Fermilab November 4, 201 7 Standard Model and

Neutrinos Saturday Morning Physics Leo Aliaga Fermilab November 4, 201 7 Standard Model and Neutrinos Elementary Particles What does elementary mean? Leptons e charge: -1 e electron Quarks e charge: +2/3 u neutron up u d charge:

1.55k views • 90 slides
Digitaalinen kuvank asittely 10. Fourier-muunnoksen perusteet . . . . . . . . . . . . . . . .

Digitaalinen kuvank asittely 10. Fourier-muunnoksen perusteet . . . . . . . . . . . . . . . .

9.3 Lineaarinen alip a ast osuodatus (3.6.1) . . . . . . . . 71 Luento #3 24.9.2004 9.4 Kuvan ter av oitt aminen ylip a ast osuodatuksella (3.7) . 75 Digitaalinen kuvank asittely 10. Fourier-muunnoksen perusteet

537 views • 42 slides
3D Graphik-Pipeline Anwendung Geometrieverarbeitung

3D Graphik-Pipeline Anwendung Geometrieverarbeitung

CG CG Computer Graphik I Ausgabe Marc Alexa, TU Berlin 1 CG CG 3D Graphik-Pipeline Anwendung Geometrieverarbeitung Rasterisierung Ausgabe

945 views • 63 slides
Communication in Science / 2 April 2015 Samo Stani University of Nova Gorica Samo Stani,

Communication in Science / 2 April 2015 Samo Stani University of Nova Gorica Samo Stani,

Communication in Science / 2 April 2015 Samo Stani University of Nova Gorica Samo Stani, Univerza v Novi Gorici Scientific Writing Scientific Paper A s c i e n t i f i c p a p e r s h o u l d : P r esent the facts in an unbiased

577 views • 34 slides
Understanding Joe Landry, Transnational PhD October 16, 2019 Terrorism 1 After peaking in

Understanding Joe Landry, Transnational PhD October 16, 2019 Terrorism 1 After peaking in

Understanding Joe Landry, Transnational PhD October 16, 2019 Terrorism 1 After peaking in 2014, deaths from terrorism have fallen for the third consecutive year. The total number of deaths fell by 27 per cent between 2016 and 2017, with

1.11k views • 73 slides
Lexical Analysis Scanners, Regular expressions, and Automata cs4713 1 Phases of compilation

Lexical Analysis Scanners, Regular expressions, and Automata cs4713 1 Phases of compilation

Lexical Analysis Scanners, Regular expressions, and Automata cs4713 1 Phases of compilation Compilers Read input program optimization translate into machine code front end mid end back end Code Lexical

469 views • 36 slides
Lexical Analysis / Scanning Why separate lexical from syntactic analysis? Purpose: turn character

Lexical Analysis / Scanning Why separate lexical from syntactic analysis? Purpose: turn character

Lexical Analysis / Scanning Why separate lexical from syntactic analysis? Purpose: turn character stream (input program) Separation of concerns / good design into token stream scanner: parser turns token stream into syntax tree

543 views • 6 slides

More recommend