ERP Security
Transcript
ERP Security: How hackers can open the safe and take the jewels

Ezequiel Gutesman (@gutes) [email protected]
Jordan Santarsieri (@jsansec) [email protected]
September 25-27, 2013, Ekoparty Security Conference, Buenos Aires, Argentina

Disclaimer

This publication is copyright 2013 Onapsis Inc. – All rights reserved.
This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or registered trademarks of Business Objects in the United States and/or other countries.
This publication contains references to the products of Oracle. Oracle products and services mentioned herein are trademarks or registered trademarks of Oracle in all countries all over the world.
SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials. Oracle Corporation is neither the author nor the publisher of this publication and is not responsible for its content, and Oracle Corporation shall not be liable for errors or omissions with respect to the materials.

ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis, Inc. – All rights reserved

Agenda

1. Introduction
   ● Why bother about ERPs?
   ● History of ERP Security
   ● ERP Security for hackers
2. Targeting ERPs
   ● Reinventing the wheel: Technology stacks
   ● Attack Vectors
   ● Demo time!
     ● Sabotage
     ● Espionage
     ● Fraud
3. Conclusions
1. Introduction

Why bother about ERPs?
[Slide figure: ERP modules] Treasury, Financial Planning, Sales, Invoicing, Payroll, Billing, Logistics, Human Resources, Production, Procurement

Why bother about ERPs?
[Slide figure]

Why bother about ERPs?
[Slide figure] Forbes 500, Mid-size companies

Why bother about ERPs?
• They run our business-critical processes
• They store our most sensitive information
• Our organizations are highly dependent on them

Why bother about ERPs?
[Slide figure: threat landscape] Hacktivism (*), Unit 61398, Vulns, Zombies → Botnets, Section 702, Section 215, Cyberwarfare & Surveillance
(*) http://suelette.home.xs4all.nl/underground/underground.txt

So... why bother about ERPs?
Because... ERP vulns

History of ERP security
History of ERP security
[Slide figure: timeline 1970–2013 of security milestones and SAP security research]
Security milestones (year where legible in the transcript): 1972 Buffer Overflows; 1988 Morris Worm; 1995 XSS; 1996 Ping of Death; 2001 Heap Spraying, OWASP; 2003 Metasploit; 2006 Bluepill; 2012 CRIME; also CSRF, SQLi, Debian PRNG Bug, Practical Padding Oracles, BEAST
SAP milestones: 1972 SAP RF → R/1; 1980 SAP R/2 (mainframe); 1993 SAP R/3 Realtime 3-tier; 2004 SAP Netweaver; “30 years of SoD”; “13 years”
SAP security research (talks and papers): 2002 Exploiting SAP Internals; 2003 “SAP” Password Sicherheit; 2007 SAP “virus” SAPVir; 2008 SAP @JtR; 2009 (3); 2010 (5+) incl. SAPSploit; 2011 (5+); 2012 (10+); also: Wir hacken eine SAP Datenbank; Rootkits and Trojans on your SAP Landscape; SAP Knowledge Management; The truth about ABAP Security; Protecting SAP Applications Against Common Attacks; Attacking users with (SAP); Attacking SAP clients; SAP Security Notes; The risks of downward compatibility; Decompression of SAP's DIAG protocol; The Invoker Servlet; SAP Backdoors & Rootkits; Arch. & program vulns in SAP's J2EE engine; Security of Enterprise Business Application Systems; Attacks to SAP Web Applications

ERP Security for hackers
FRAUD: Modify financial information, tamper with sales and purchase orders, create new vendors, modify vendor bank account numbers, etc.
SABOTAGE: Paralyze the operation of the organization by shutting down the ERP system, disrupting interfaces with other systems, deleting critical information, etc.
ESPIONAGE: Extract customer/vendor/HR data, financial planning information, balances, profits, sales information, manufacturing recipes, etc.
2. Targeting ERPs

Reinventing the wheel: Technology stacks
Layered architecture – Attack Vectors
[Slide figure: layered architecture]
• Client (web / API / thick client) ↔ Application Server, over proprietary protocols / HTTP / SOAP / CORBA
• Application Server ↔ External Servers & other Application Servers, over trust relationships / ODBC / other
• DB
• OS

Reinventing the wheel: Technology stacks
Layered architecture – Attack Vectors – SAP
[Slide figure: SAP architecture] http://bit.ly/19AXe7Y

Reinventing the wheel: Technology stacks
Layered architecture – Attack Vectors – Oracle JD Edwards
[Slide figure: JD Edwards architecture] Web Server ↔ JDE Java Application Server (JAS) over HTTP; JAS ↔ JDE Enterprise Server over JDENET; JDE Enterprise Server ↔ Database Server over ODBC; JDE Deployment Server
http://bitly.com/QB12xx

Attack Vectors
• Components and servers through protocols – P4, DIAG, RFC, NI, CORBA, SOAP, JDENET, HTTP, SNC, etc.
• Crypto – stored keys, default certificates, proprietary schemes
• Business through data manipulation – default credentials, lack of checks
• Apps – web, companion apps, transactions, reports, external tools, APIs
• DB – connectors, trust relationships, default accounts

Demo Time!

SABOTAGE

JD Edwards: Shutdown via UDP
The JDENet component listens on port 6015 (UDP) for control commands:
SHOWCONN, TOGGLE_LOG, CONNECT_FROM, CONNECT_TO, CONNECT_REJECT, GET_WRKMGT, VIEW_KERNEL_TRACE, SHUTDOWN, USRBROADCAST, …
Wait...
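As an added detection example (not part of the talk), the Python below decodes a raw IPv4/UDP datagram such as the one hexdumped on the following slide and flags JDENet control commands sent to UDP/6015 from any host outside an administrative allow-list; the allow-list address is an assumed, constructed value, and the sample bytes are the talk's own hexdump.

```python
import struct
from typing import Optional

# JDENet control commands named in the talk (the slide's list is not exhaustive).
JDENET_CONTROL_COMMANDS = {
    "SHOWCONN", "TOGGLE_LOG", "CONNECT_FROM", "CONNECT_TO", "CONNECT_REJECT",
    "GET_WRKMGT", "VIEW_KERNEL_TRACE", "SHUTDOWN", "USRBROADCAST",
}
JDENET_UDP_PORT = 6015
# Assumed allow-list of hosts that may legitimately send control commands
# (constructed address; replace with the real JDE administration hosts).
TRUSTED_SENDERS = {"192.168.0.10"}


def parse_ipv4_udp(packet: bytes) -> Optional[dict]:
    """Decode a raw IPv4/UDP datagram into addresses, ports and payload.
    Returns None for anything that is not a well-formed IPv4/UDP packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4                       # IPv4 header length in bytes
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 17 or len(packet) < ihl + 8 or total_len > len(packet):
        return None                                    # not UDP, or truncated
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    sport, dport, udp_len = struct.unpack("!HHH", packet[ihl:ihl + 6])
    payload = packet[ihl + 8:ihl + udp_len]            # UDP length includes its 8-byte header
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "payload": payload}


def classify_jdenet_datagram(packet: bytes) -> Optional[str]:
    """Return an alert string when the datagram carries a JDENet control command
    to UDP/6015 from a host outside TRUSTED_SENDERS, otherwise None."""
    hdr = parse_ipv4_udp(packet)
    if hdr is None or hdr["dport"] != JDENET_UDP_PORT:
        return None
    command = hdr["payload"].decode("ascii", errors="replace").strip("\x00 \r\n")
    if command not in JDENET_CONTROL_COMMANDS or hdr["src"] in TRUSTED_SENDERS:
        return None
    return (f"JDENet control command {command} to {hdr['dst']}:{hdr['dport']} "
            f"from untrusted host {hdr['src']}")


def scan_datagrams(packets) -> list:
    """Run the classifier over captured datagrams and keep only the alerts."""
    return [a for a in map(classify_jdenet_datagram, packets) if a is not None]


# Sample input: the 36-byte datagram hexdumped in the talk (192.168.0.70 -> 192.168.0.12:6015).
SAMPLE_SHUTDOWN = bytes.fromhex(
    "45000024000100004011f925c0a80046c0a8000c0035177f0010223d53485554444f574e"
)
```

Feed `scan_datagrams` the raw datagrams from a capture on the segment in front of the JDE Enterprise Server; anything it returns is a control command that did not come from an administration host.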
JD Edwards: Shutdown via UDP
    >>> hexdump(IP(dst="192.168.0.12")/UDP(dport=6015)/"SHUTDOWN")
    0000  45 00 00 24 00 01 00 00 40 11 F9 25 C0 A8 00 46  E..$....@..%...F
    0010  C0 A8 00 0C 00 35 17 7F 00 10 22 3D 53 48 55 54  .....5...."=SHUT
    0020  44 4F 57 4E                                      DOWN
An attacker needs:
– Access to port 6015 on the target
– To send one UDP packet
An attacker gets:
– Immediate JDE Enterprise Server shutdown

JD Edwards: Shutdown via UDP
Fix: Apply the latest Oracle Critical Patch Update, as the fix for this attack was released by Oracle in a scheduled CPU.

Siebel: Bypass log in
The Anonymous user
• Required even if the applications do not allow access by unregistered users
• Used at start up, to connect to the “datasource”
• If deleted, no user could access Siebel
• At installation time, asks you to choose an already created user to become the Anonymous user
• Should have low privileges, but, to avoid configuration issues... but...

Siebel: Bypass log in
An attacker needs:
– Access to the application
– Wrong configuration of the Anonymous user
An attacker gets:
– Complete control of the Siebel installation

Siebel: Bypass log in
Fix: In the Siebel configuration file, set the “anonymous user” property to a low-privileged user.
FRAUD

SAP: Diverting payments (default credentials)
SAP Clients (or mandants)
– Entity w/ independent data (like a tenant)
– 3-digit identifiers
– “special” default clients (created on installation)
  • 000 → Cross-client tasks
  • 001 → Template for new clients
  • 066 → SAP support: SAP* left w/ pass 06071992
SAP* w/ Master password on installation
Catch: SAP* in client 066 is not w/ SAP_ALL privileges, but...
http://help.sap.com/saphelp_nw70/helpdata/en/3e/cdaccbedc411d3a6510000e835363f/content.htm

SAP: Diverting payments (default credentials)
Fix:
- Change the SAP* password on client 066
- Correctly assign SAP* permissions

ESPIONAGE

JD Edwards: Stealing passwords
Again, the JDENet... is also listening on port 6015 (TCP) for JDEMsg commands.
Remotely retrieve information from the JDE.INI file, and also sensitive information in clear-text:
[Slide figure: JDE.INI contents] Kernel types and configuration; Security configuration; Server / SSO Node information; Database information

JD Edwards: Stealing passwords
An attacker needs:
– Access to port 6015 on the target (TCP)
– Send a function call (JdeMsg number 563)
  • Use the default password hard-coded in the service
  • Get DB credentials (plain-text)
– Connect to the DB with the obtained credentials
  • Read table F98OWSEC
An attacker gets:
– “encrypted” user passwords

JD Edwards: Stealing passwords
Fix: Apply the latest Oracle Critical Patch Update, as the fix for this attack was released by Oracle in a scheduled CPU.
Siebel: Search Inside
Access control in Siebel
@ View Level: who can access the views
@ Business Component Level: who can access the data

Siebel: Search Inside
Siebel Query Language (no, it's not SQL)
• Used all through Siebel
• Originally designed to filter data inside Applets
• Executing queries is not restricted by authorization checks (privilege independent)

Siebel Query Language Injection
Fix: Using eScript, catch the pre-query or Invoke query methods, applying a custom filter which should prevent the use of dangerous functions.

SAP: Getting DB Admin rights
“The J2EE Engine provides a secure storage area where applications or service components on the J2EE Engine can store sensitive data such as passwords or communication destinations, in encrypted form” (*)
/usr/sap/<SID>/SYS/global/security/data/SecStore.properties
[Slide figure: 3DES-encrypted secure store]
Problem #1: get the file
Problem #2: decrypt the file
Problem #3: access the DB
(*) http://help.sap.com/saphelp_nw73/helpdata/en/47/b08e68542e3378e10000000a421937/content.htm

SAP: Getting DB Admin rights
1. Getting the Secure Store file
/usr/sap/<SID>/SYS/global/security/data/SecStore.properties
[Slide figure: RMI / CORBA / P4 (RMI) on the SAP Netweaver Application Server]
The SAP Netweaver Application Server uses P4 for:
• Communication between objects in different namespaces (e.g. FileTransfer_Stub)
• Reliable client-server connections
• Transparent failover for clustered remote objects
• Etc.
https://service.sap.com/sap/support/notes/1682613
SAP: Getting DB Admin rights
2. Decrypt the Secure Store
/usr/sap/<SID>/SYS/global/security/data/SecStore.properties
/usr/sap/<SID>/SYS/global/security/data/SecStore.key
3DES key bundle?
3. Access the DB

SAP: Getting DB Admin rights
Fix:
- Apply note https://service.sap.com/sap/support/notes/1682613
- Correctly handle access to the SecStore.key file

3. Conclusions

Conclusions
● ERP systems are among the most critical systems in the organization, and that makes them a really interesting target for attackers
● ERPs have a long history, most of it was about SoD
● Technical vulnerabilities are more critical than SoD, since an attacker doesn't need any user in the system
● Although receiving more attention in the last years (2009+), they don't get the attention they deserve
● The attack surface is huge; proprietary protocols and custom technologies are everywhere
● Old vulns? Patching practices are delayed due to complexity and cost

¿?

Contact:
Ezequiel Gutesman (@gutes) [email protected]
Jordan Santarsieri (@jsansec) [email protected]