tcpdb dat case
play

TCPDB.DAT case Archive file signatures Attack surface Attack - PowerPoint PPT Presentation

Jul 03, 2023 •419 likes •913 views

Introduction Motivation SAP compression algorithms Archive file programs SAP archive file formats CAR SAR v2.00 SAR v2.01 Relative/absolute paths TCPDB.DAT case Archive file signatures Attack surface Attack vectors

  2. Introduction Motivation SAP compression algorithms Archive file programs SAP archive file formats • CAR • SAR v2.00 • SAR v2.01 Relative/absolute paths TCPDB.DAT case Archive file signatures Attack surface Attack vectors Defense Conclusions P A G E 2

  3. • SAP • SAP systems • SAP security • Complexity • Archive files • Software packaging • Software distribution • Transport files P A G E 3

  4. • File formats are not known • Lack of public documentation • Lack of practical known attacks • Went deep into the compression mechanisms • A different attack vector • Targets sysadmins, operators and BASIS admins • High privileged users P A G E 4

  5. • Based on Lempel-Ziv algorithm • Adaptive dictionary compression • Custom implementation • Two variants • LZH (Lempel-Ziv-Huffman) • LZC (Lempel-Ziv-Welch-Thomas) P A G E 5

  6. Special byte Algorithm LZC=compression level LZC=0x10 LZH=max # bits per code LZH=0x12 0 1 2 3 4 5 6 7 +---+---+---+---+---+---+---+---+ | LENGTH |ALG| MAGIC |SPE| +---+---+---+---+---+---+---+---+ Uncompressed length Magic bytes (LE unsigned int) 0x1F9D P A G E 6

  7. • SAPCAR program • Command-line • Available on multiple platforms • Allows listing, adding, extracting, verifying archive files • Works with CAR, SAR v2.00 and v2.01 files • Latest version release 721 • > 16 March 2015 P A G E 7

  8. $ ./SAPCAR usage: create a new archive: [..] SAPCAR -c[vir][f archive] [-P] [-C directory] append files to an archive: [-A filename] [-T filename] [-X filename] SAPCAR -a[v][f archive] file1 [file2....] [-p value] [-V] file1 file2 ... merge two archives: list the contents of an archive: SAPCAR -m[v]f "source target" SAPCAR -t[vs][f archive] [file1 file2....] check availability of files to be processed: extract files from an archive: SAPCAR -l [-A filename][-X filename] [file1 file2...] SAPCAR -x[v][f archive] [-R directory] [-A filename] [-V] [file1 file2....] sign archive: SAPCAR -S[v]f MY.SAR [-key keyname] [-H file hash] verify the archive: SAPCAR -d[v][f archive] [-V] [file1 file2....] verify the content of signed manifest: [..] SAPCAR -M[v][f manifest file] [-manifest file] [..] P A G E 8

  9. • Software packaging/distribution • CAR • SAR v2.00 • SAR v2.01 • Transport files • Transport files P A G E 9

  10. • Old (first?) version of the archive file • Text based archive header • Blob content • Still supported on SAPCAR for extracting • Not supported for creating new archives P A G E 1 0

  11. New lines Compressed length Eyecatcher (LE unsigned int) Checksum (CRC32) # CAR archive header\n F FILENAME MOD FSIZE CSIZE TSTAMP CHECKSUM\n .. # end of header\n File length File Timestamp (LE unsigned int) File Type Permission mode Name 640=-rwxrw---- 0 1 2 3 4 5 6 7 Len, alg, magic +---+---+---+---+---+---+---+---+=============+ and special bytes | COMPRESSION HEADER | COMPR. BLOB | Compressed +---+---+---+---+---+---+---+---+=============+ LZC/LZH blob P A G E 1 1

  12. $ ./SAPCAR -xvf carcar_test_string.sar processing archive carcar_test_string.sar... x test_string.txt $ xxd carcar_test_string.sar 0000000: 2320 4341 5220 6172 6368 6976 6520 6865 # CAR archive he 0000010: 6164 6572 0a46 2074 6573 745f 7374 7269 ader.F test_stri 0000020: 6e67 2e74 7874 2020 2020 2020 2020 2020 ng.txt 0000030: 2034 3434 2020 2020 2020 2020 3433 2020 444 43 0000040: 2020 2020 2020 3533 2031 3434 3930 3130 53 1449010 0000050: 3132 3820 3331 3136 3736 3331 3434 0a23 128 3116763144.# 0000060: 2065 6e64 206f 6620 6865 6164 6572 0a2b end of header.+ 0000070: 0000 0012 1f9d 027b 2119 a90a 85a5 99c9 .......{!....... 0000080: d90a 4945 f9e5 790a 69f9 150a 59a5 b905 ..IE..y.i...Y... 0000090: c50a f965 a945 0a25 40e9 9cc4 aa4a 8594 ...e.E.%@....J.. 00000a0: fc74 0000 .t.. File type=file , Filename=test_string.txt , Perm mode=444 , File length=43 , Compressed Length=53 , Timestamp=01 Dec 2015 19:48 , Checksum=0xb9c60808 , Uncompressed Length=43, Algorithm=LZH, Special byte=02 P A G E 1 2

  13. • New version of the archive file (R/3 > 4.70) • Binary based archive file header • Still supported on SAPCAR for extracting • Not supported for creating new archives P A G E 1 3

  14. 0 1 2 3 4 5 6 7 +---+---+---+---+---+---+---+---+ | EYECATCHER | VERSION | +---+---+---+---+---+---+---+---+ “CAR ” “2.00” P A G E 1 4

  15. Permission mode File type RG=file 640=-rwxrw---- File length DR=dir (LE unsigned int) 0 1 2 3 4 5 6 7 8 9 a b c d e f +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 0x00 | FTYPE | PERM MODE | FILE LEN | UNKNOWN +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 0x10 | TIMESTAMP | UNKNOWN | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ File timestamp (LE unsigned int) P A G E 1 5

  16. If it’s a regular file, and file length > 0 Filename len (LE unsigned short) Filename string 0 1 +---+---+==================================+ |FN LEN | ...FN LEN bytes of “filename”... | +---+---+==================================+ 0 1 2 3 4 5 6 7 8 9 A B C D +---+---+---+---+---+---+---+---+---+---+---+---+---+---+=============+ | ED | COMP LEN | COMPRESSION HEADER | COMPR. BLOB | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+=============+ Len, alg, magic Compressed length Compressed and special bytes (LE unsigned int) LZC/LZH blob 0 1 2 3 +---+---+---+---+ File checksum | CRC32 | +---+---+---+---+ P A G E 1 6

  17. $ ./SAPCAR -xvf car200_test_string.sar SAPCAR: processing archive car200_test_string.sar (version 2.00) x test_string.txt SAPCAR: 1 file(s) extracted $ xxd car200_test_string.sar 0000000: 4341 5220 322e 3030 5247 b481 0000 2b00 CAR 2.00RG....+. 0000010: 0000 0000 0000 0000 0000 d023 5e56 0000 ...........#^V.. 0000020: 0000 0000 0000 0000 0f00 7465 7374 5f73 ..........test_s 0000030: 7472 696e 672e 7478 7445 4435 0000 002b tring.txtED5...+ 0000040: 0000 0012 1f9d 027b 2119 a90a 85a5 99c9 .......{!....... 0000050: d90a 4945 f9e5 790a 69f9 150a 59a5 b905 ..IE..y.i...Y... 0000060: c50a f965 a945 0a25 40e9 9cc4 aa4a 8594 ...e.E.%@....J.. 0000070: fc74 0000 0808 c6b9 .t...... Version=2.00 , File type=file , Perm mode=664 , File length=43 , Timestamp=01 Dec 2015 19:48 , Filename length=15 , Filename=test_string.txt , Compressed Length=53 , Uncompressed Length=43, Algorithm=LZH, Special byte=02 , Checksum=-1178204152 P A G E 1 7

  18. • Newest version of the archive file • Same structure as v2.00, except: • Handling of filename length • Filename is null-terminated • Default version on SAPCAR P A G E 1 8

  19. 0 1 2 3 4 5 6 7 +---+---+---+---+---+---+---+---+ | EYECATCHER | VERSION | +---+---+---+---+---+---+---+---+ “CAR ” “2.01” P A G E 1 9

  20. File type Permission mode RG=file 640=-rwxrw---- File length DR=dir (LE unsigned int) 0 1 2 3 4 5 6 7 8 9 a b c d e f +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 0x00 | FTYPE | PERM MODE | FILE LEN | UNKNOWN +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 0x10 | TIMESTAMP | UNKNOWN | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ File timestamp (LE unsigned int) P A G E 2 0

  21. If it’s a regular file, and file length > 0 Filename len (LE unsigned short) 0 1 Filename string +---+---+==================================+ (null terminated) |FN LEN | ...FN LEN bytes of “filename”... | +---+---+==================================+ 0 1 2 3 4 5 6 7 8 9 A B C D +---+---+---+---+---+---+---+---+---+---+---+---+---+---+=============+ | ED | COMP LEN | COMPRESSION HEADER | COMPR. BLOB | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+=============+ Len, alg, magic Compressed length Compressed and special bytes (LE unsigned int) LZC/LZH blob 0 1 2 3 +---+---+---+---+ File checksum | CRC32 | +---+---+---+---+ P A G E 2 1

  22. $ ./SAPCAR -xvf car201_test_string.sar SAPCAR: processing archive car201_test_string.sar (version 2.01) x test_string.txt SAPCAR: 1 file(s) extracted $ xxd car201_test_string.sar 0000000: 4341 5220 322e 3031 5247 b481 0000 2b00 CAR 2.01RG....+. 0000010: 0000 0000 0000 0000 0000 d023 5e56 0000 ...........#^V.. 0000020: 0000 0000 0000 0000 1000 7465 7374 5f73 ..........test_s 0000030: 7472 696e 672e 7478 7400 4544 3500 0000 tring.txt.ED5... 0000040: 2b00 0000 121f 9d02 7b21 19a9 0a85 a599 +.......{!...... 0000050: c9d9 0a49 45f9 e579 0a69 f915 0a59 a5b9 ...IE..y.i...Y.. 0000060: 05c5 0af9 65a9 450a 2540 e99c c4aa 4a85 ....e.E.%@....J. 0000070: 94fc 7400 0008 08c6 b9 ..t...... Version=2.00 , File type=file , Perm mode=664 , File length=43 , Timestamp=01 Dec 2015 19:48 , Filename length=16 , Filename=test_string.txt , Compressed Length=53 , Uncompressed Length=43, Algorithm=LZH, Special byte=02 , Checksum=-1178204152 P A G E 2 2

  23. • Handling of absolute/relative paths • “/ usr/var/some_file_name ” • “../../ some_file_name ” $ ./SAPCAR usage: [..] using absolute pathnames: If you create an archive with absolute pathnames the files will be extracted with exactly these pathnames! SAPCAR does not cut the first slash like the UNIX tool tar. [..] P A G E 2 3

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

1 Quick Comparison Variance (existing rule) Case by Case (new) Applies to any applicable

1 Quick Comparison Variance (existing rule) Case by Case (new) Applies to any applicable

Variances and Case-by-Case Determinations 1 OAC 3745-300-12 Certified Professional 8-Hour Training Changes to rule 2 Variances (existing) Case-by-Case Determinations (new) Fees (change) Withdrawals (new) Examples of

862 views • 6 slides
Case study 2 Case study 2 Case study 2 Case study 2 Former Industrial Site, London: How has

Case study 2 Case study 2 Case study 2 Case study 2 Former Industrial Site, London: How has

Case study 2 Case study 2 Case study 2 Case study 2 Former Industrial Site, London: How has innovation helped to produce a cost effective remedial design? Challenging contaminant profile Taken a traditional / well understood remedial

910 views • 4 slides
ul#mate goal MEMORANDUM constitution and/or statute and/or regulation case case case

ul#mate goal MEMORANDUM constitution and/or statute and/or regulation case case case

ul#mate goal MEMORANDUM constitution and/or statute and/or regulation case case case treatise law review ideal case law mandatory precedent with similar facts,

106 views • 10 slides
Case Management Best P r actice Case Management regulations. Case Study. Community

Case Management Best P r actice Case Management regulations. Case Study. Community

Case Management Best P r actice Case Management regulations. Case Study. Community Links Wollondilly and the Case Work Team LEGISLATION AGENCY STANDARDS PROFESSIONAL STANDARDS CMSA STANDARDS STRENGTH BASED APPROACH PERSON

472 views • 25 slides
II . Directive for case documentation : Case reports must contain the following data: Medical

II . Directive for case documentation : Case reports must contain the following data: Medical

Guidelines for Comprehensive Case Presentation I . Case Type: Generalized moderate to advanced periodontitis with deep pockets and moderate to severe bone loss must be present in both arches. Cases must be of sufficient periodontal complexity to

667 views • 4 slides
Femoral Fracture During Cesarean Section: A Case of Professional Liability? Case Presentation and

Femoral Fracture During Cesarean Section: A Case of Professional Liability? Case Presentation and

DOI: 10.26502/acmcr.96550087 Arch Clin Med Case Rep 2019; 3 (5): 242-249 Case Report Femoral Fracture During Cesarean Section: A Case of Professional Liability? Case Presentation and Review of the Literature Luigi Papi 1* , Federica Gori 1 ,

643 views • 8 slides
CASE PROJECT CASE PROJECT IMPLEMENTATION 2017 AND PLANS FOR 2018 Antoine Zannotti CASE Project

CASE PROJECT CASE PROJECT IMPLEMENTATION 2017 AND PLANS FOR 2018 Antoine Zannotti CASE Project

CASE PROJECT CASE PROJECT IMPLEMENTATION 2017 AND PLANS FOR 2018 Antoine Zannotti CASE Project Coordinator, ECAC AFI SECFAL Plan SC/6, Montreal, 8 December 2017 CASE PROJECT Content Key elements of the CASE Project Duration

417 views • 16 slides
ANALYSE A CASE LAW Acelegal (Education Series) 1/38 ACELEGAL AGENDA What is a Case Law?

ANALYSE A CASE LAW Acelegal (Education Series) 1/38 ACELEGAL AGENDA What is a Case Law?

HOW TO ANALYSE A CASE LAW Acelegal (Education Series) 1/38 ACELEGAL AGENDA What is a Case Law? Elements of a Case Law How to Analyze a Case Law ACELEGAL 2/38 WHAT IS A CASE LAW ? Law based on previous judicial decisions,

1.06k views • 38 slides
Case Sleep Disorders: A Case-based Approach ROS: 30 Lbs wt gain/1year Fatigue LeRoy

Case Sleep Disorders: A Case-based Approach ROS: 30 Lbs wt gain/1year Fatigue LeRoy

Case Sleep Disorders: A Case-based Approach ROS: 30 Lbs wt gain/1year Fatigue LeRoy Essig, MD Heart burn Rami Khayat, MD Nasal congestion, dry mouth Reduced concentration/memory Case Case 47 y/o male presents to

552 views • 16 slides
The Montreal case The Montreal case 1 The Montreal case The Montreal case 2 Montreal 1992

The Montreal case The Montreal case 1 The Montreal case The Montreal case 2 Montreal 1992

The Montreal case The Montreal case 1 The Montreal case The Montreal case 2 Montreal 1992 Montreal 19922012 : Waterrelated investments related investments Value ($) $ / yr $ / yr Life expectancy (yrs) 30G$ 300M$ / yr 300M$ / yr 100

900 views • 17 slides
1 Case Presentation Running head: CASE PRESENTATION Alicia: A Case Presentation Christine S.

1 Case Presentation Running head: CASE PRESENTATION Alicia: A Case Presentation Christine S.

1 Case Presentation Running head: CASE PRESENTATION Alicia: A Case Presentation Christine S. CNSS 561 Holy Family University 2 Alicia: A Case Presentation Who is involved? In addition to the student client, Alicia, there are several others

364 views • 20 slides
case Statement Nesting if past two levels is error prone and possibly inefficient. case

case Statement Nesting if past two levels is error prone and possibly inefficient. case

case Statement Nesting if past two levels is error prone and possibly inefficient. case excels when many tests are performed on the same expression. case works well for muxes, decoders, and next state logic. SVerilog case has implied

279 views • 15 slides
Case Study A Case fo r Use in Addic tio n Re se arc h De re k Quig le y Unive rsity o f Auc

Case Study A Case fo r Use in Addic tio n Re se arc h De re k Quig le y Unive rsity o f Auc

Case Study A Case fo r Use in Addic tio n Re se arc h De re k Quig le y Unive rsity o f Auc kland What We ll Co ve r T o day T he L ig htbulb Mo me nt My Ph.D Case Study Case Study Charac te ristic s Case Study Stre

424 views • 10 slides
Variances and Case by Case Determinations OAC 3745 300 12 Certified Professional 8

Variances and Case by Case Determinations OAC 3745 300 12 Certified Professional 8

Variances and Case by Case Determinations OAC 3745 300 12 Certified Professional 8 Hour Training Changes to rule Variances (existing) Case by Case Determinations (new) Fees (change) Withdrawals (new)

402 views • 24 slides
Neuropharmacy Masterclass Case Studies Jan 19 Case 1 29 yr old female RRMS diagnosed

Neuropharmacy Masterclass Case Studies Jan 19 Case 1 29 yr old female RRMS diagnosed

Neuropharmacy Masterclass Case Studies Jan 19 Case 1 29 yr old female RRMS diagnosed 10yrs ago Rebif started 2008 Jan 2016 - experiencing injection fatigue What are her options ? dimethyl fumarate or teriflunomide Case 1

507 views • 16 slides
Intro Presenters Garvin Seto (Case 04) Mike Lustig (Case 07) Goals: Inform

Intro Presenters Garvin Seto (Case 04) Mike Lustig (Case 07) Goals: Inform

Intro Presenters Garvin Seto (Case 04) Mike Lustig (Case 07) Goals: Inform students about opportunities at Case Mini-Codonics Update Provide Tech Demo/Discussion Quick Outline Case Section Kinect Tech Talk

709 views • 21 slides
Multimodal KBs: Extraction & Completion Sameer Singh University of California, Irvine Gray

Multimodal KBs: Extraction & Completion Sameer Singh University of California, Irvine Gray

Multimodal KBs: Extraction & Completion Sameer Singh University of California, Irvine Gray Vinyl Barstool This sleek dual purpose stool easily adjusts from counter to bar height. The backless design is casual and contemporary which allow

499 views • 34 slides
CS7015 (Deep Learning) : Lecture 12 Object Detection: R-CNN, Fast R-CNN, Faster R-CNN, You Only

CS7015 (Deep Learning) : Lecture 12 Object Detection: R-CNN, Fast R-CNN, Faster R-CNN, You Only

CS7015 (Deep Learning) : Lecture 12 Object Detection: R-CNN, Fast R-CNN, Faster R-CNN, You Only Look Once (YOLO) Mitesh M. Khapra Department of Computer Science and Engineering Indian Institute of Technology Madras 1/47 Mitesh M. Khapra

1.17k views • 47 slides
Aspect Extraction with Automated Prior Knowledge Learning Zhiyuan (Brett) Chen Arjun Mukherjee

Aspect Extraction with Automated Prior Knowledge Learning Zhiyuan (Brett) Chen Arjun Mukherjee

Aspect Extraction with Automated Prior Knowledge Learning Zhiyuan (Brett) Chen Arjun Mukherjee Bing Liu Aspect Extraction Extracting aspect terms Aspect Terms This camera takes beautiful pictures but its price is

975 views • 74 slides
PEAK: Pyramid Evaluation via Automated Knowledge Extraction Qian Yang , Rebecca J. Passonneau,

PEAK: Pyramid Evaluation via Automated Knowledge Extraction Qian Yang , Rebecca J. Passonneau,

PEAK: Pyramid Evaluation via Automated Knowledge Extraction Qian Yang , Rebecca J. Passonneau, Gerard de Melo PhD Candidate, Tsinghua University Visiting Student, Columbia University http://www.larayang.com/ Content Evaluating Summary

575 views • 35 slides
Kobe University, NICT, and University of Siegen at TRECVID 2016 AVS Task Yasuyuki Matsumoto,

Kobe University, NICT, and University of Siegen at TRECVID 2016 AVS Task Yasuyuki Matsumoto,

Kobe University, NICT, and University of Siegen at TRECVID 2016 AVS Task Yasuyuki Matsumoto, Kuniaki Uehara (Kobe University) Takashi Shinozaki (NICT) Kimiaki Shirahama, Marcin Grzegozek (University of Siegen) Our Contribution A method of using

1.07k views • 35 slides
for scalable information extraction Pablo Barrio , Columbia University Gonalo Simes, INESC-ID

for scalable information extraction Pablo Barrio , Columbia University Gonalo Simes, INESC-ID

Learning to rank adaptively for scalable information extraction Pablo Barrio , Columbia University Gonalo Simes, INESC-ID and IST, University of Lisbon Helena Galhardas, INESC-ID and IST, University of Lisbon Luis Gravano, Columbia

682 views • 30 slides
Back to the Whiteboard: a Principled Approach for the Assessment and Design of Memory Forensic

Back to the Whiteboard: a Principled Approach for the Assessment and Design of Memory Forensic

Back to the Whiteboard: a Principled Approach for the Assessment and Design of Memory Forensic Techniques Fabio Pagani and Davide Balzarotti Usenix Security 19 Memory Forensics - Introduction Infected Machine Memory Dump Analysis

648 views • 47 slides
Malicious PDF Detection is important! 129 Adobe Reader CVE's in 2015 Up from 44 in 2014

Malicious PDF Detection is important! 129 Adobe Reader CVE's in 2015 Up from 44 in 2014

Extract Me If You Can: Abusing PDF Parsers in Malware Detectors Curtis Carmony, Mu Zhang, Xunchao Hu, Abhishek Vasisht Bhaskar, and Heng Yin Department of EECS, Syracuse University College of Engineering L.C.Smith and Computer Science Malicious

628 views • 48 slides

More recommend