ERP Security

Comentarios

Transcripción

ERP Security
ERP Security:
How hackers can open the safe
and take the jewels
Ezequiel Gutesman (@gutes) [email protected]
Jordan Santarsieri (@jsansec) [email protected]
September 25-27, 2013
Ekoparty Security Conference
Buenos Aires, Argentina
Disclaimer
This publication is copyright 2013 Onapsis Inc. – All rights reserved.
This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP NetWeaver, Duet,
PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are
trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web
Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or
registered trademarks of Business Objects in the United States and/or other countries.
This publication contains references to the products of Oracle and services mentioned herein are trademarks or
registered trademarks of Oracle in all countries all over the world.
SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP
Group shall not be liable for errors or omissions with respect to the materials.
Oracle Corporation is neither the author nor the publisher of this publication and is not responsible for its
content, and Oracle Corporation shall not be liable for errors or omissions with respect to the materials.
ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved
2
Agenda
1.Introduction
●
●
●
Why bothering about ERPs?
History of ERP Security
ERP Security for hackers
2.Targeting ERPs
●
●
●
Reinventing the wheel: Technology stacks
Attack Vectors
Demo time!
●
●
●
Sabotage
Espionage
Fraud
3.Conclusions
ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved
3
1. Introduction
Why bothering about ERPs?
TREASURY
FINANCIAL PLANNING
SALES
INVOICING
PAYROLL
BILLING
LOGISTICS
HUMAN RESOURCES
PRODUCTION
PROCUREMENT
ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved
5
Why bothering about ERPs?
ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved
6
Why bothering about ERPs?
Forbes 500
Mid-size companies
ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved
7
Why bothering about ERPs?
• They run our
business-critical
processes
• They Store our most
sensitive information
ER
P
• Our organizations are
highly-dependent on
them
ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved
8
Why bothering about ERPs?
Hacktivism(*)
Unit 61398
Vulns
Zombies → Botnets →
Section 702
Section 215
Cyberwarfare
&
Surveillance
(*) http://suelette.home.xs4all.nl/underground/underground.txt
ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved
9
So... why bothering about ERPs?
Because...
ERP vulns
ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved
10
History of ERP security
ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved
11
History of ERP security
1970 1980 1990 2000
1988
Morris
Worm
1972
Buffer
Overflows
1995
XSS
1996 Ping
of Death
2001 Heap
OWASP Spraying
1980
SAP R/2
(mainframe)
2013
2003
Metasploit
2002 2006
Bluepill
CSRF SQLi
2007
SAP “virus”
SAPVir
Wir hacken
eine SAP
Datenbank
1993
SAP
R/3
Realtime
3-tier
2010
2011
Debian
PRNG
Bug
Practical
Padding
Oracles
BEAST
2012
CRIME
@
Rootkits and Trojans
on your SAP Landscape
SAP Knowledge
The truth about ABAP Security
Management
Protecting SAP
Attacking users with Applications
Against Common Attacks (SAP)
SAPSploit
2010 (5+)
2002
Exploiting
SAP
Internals
30 years of SoD
1972 – SAP
RF → R/1
2008
13 years
2009 (3)
2004
SAP
Netweaver
2003
“SAP” Password
Sicherheit
2008
SAP
@JtR
Attacking SAP clients
SAP
Security
Notes
The
risks of downward
Decompression of
SAP's DIAG
protocol
compatibility
2011 (5+)
2012(10+)
The Invoker Servlet
SAP Backdoors & Rootikts
Arch. & program vulns in SAP's
J2EE engine
Security of Enterprise Business
Application Systems
Attacks to SAP Web Applications
ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved
12
ERP Security for hackers
FRAUD
Modify financial information,
tamper sales and purchase
orders, create new vendors,
modify vendor bank account
numbers, etc.
SABOTAGE ESPIONAGE
Paralyze the operation of the
organization by shutting down
the ERP system, disrupting
interfaces with other systems
and deleting critical
information, etc.
Extract customer/vendor/HR data,
financial planning information,
balances, profits, sales information,
manufacturing recipes, etc.
ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved
13
2. Targeting ERPs
Reinventing the wheel: Technology stacks
Layered architecture
Attack Vectors
Client (web/API/thick client)
Proprietary protocols
/ HTTP / SOAP /
CORBA
Application Server
Trust relationships /
ODBC / Other
External
Servers
&
Other
Application
servers
DB
OS
ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved
15
Reinventing the wheel: Technology stacks
Layered architecture
Attack Vectors - SAP
http://bit.ly/19AXe7Y
ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved
16
Reinventing the wheel: Technology stacks
Layered architecture
Attack Vectors - SAP
http://bit.ly/19AXe7Y
ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved
17
Reinventing the wheel: Technology stacks
Layered architecture
Attack Vectors – Oracle JD Edwards
HTTP
HTTP
HTTP
C
DB
JDE Java
Application
Server (JAS)
JDE
Enterprise
Server
O
Web Server
ET
JDEN
BC
OD
Database
Server
JDE
Deployment
Server
http://bitly.com/QB12xx
ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved
18
Attack Vectors
• Components and servers through protocols
– P4, DIAG, RFC, NI, CORBA, SOAP, JDENET, HTTP,
SNC, etc, etc.
• Crypto
– Stored keys, default certificates, proprietary schemes
• Business through data manipulation
– Default credentials, lack of checks
• Apps
– Web , companion apps. , transactions, reports, external
tools, APIs
• DB
– Connectors, trust relationships, default accounts
ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved
19
Demo Time!
SABOTAGE
JD Edwards: Shutdown via UDP
The JDENet component listens on port 6015 (UDP) for
control commands:
SHOWCONN TOGGLE_LOG CONNECT_FROM
CONNECT_TO CONNECT_REJECT
GET_WRKMGT VIEW_KERNEL_TRACE
SHUTDOWN USRBROADCAST …
Wait...
ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved
22
JD Edwards: Shutdown via UDP
>>> hexdump(IP(dst="192.168.0.12")/UDP(dport=6015)/"SHUTDOWN")
0000
45 00 00 24 00 01 00 00 40 11 F9 25 C0 A8 00 46
[email protected]%...F
0010
C0 A8 00 0C 00 35 17 7F 00 10 22 3D 53 48 55 54
.....5...."=SHUT
0020
44 4F 57 4E
DOWN
An attacker needs:
– Access to port 6015 on target
– Send UDP packet
An Attacker gets:
– Immediate JDE Enterprise Server shutdown
ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved
23
JD Edwards: Shutdown via UDP
Fix:
Apply the latest Oracle Critical
Patch Update, as the fix for
Demo
this attack was released by oracle in a scheduled CPU.
ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved
24
Siebel: Bypass log in
The Anonymous user
• Required even if the applications do not allow access
by unregistered users
• Used at start up, to connect to“datasource”
• If deleted, no user could access Siebel
• At installation time, asks you to choose an already
created user to become the Anonymous user
• Should have low privileges, but to avoid configuration
issues but...
ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved
25
Siebel: Bypass log in
An attacker needs:
– Access to the application
– Wrong configuration of Anonymous user
An Attacker gets:
– Complete control of the Siebel installation
ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved
26
Siebel: Bypass log in
Fix:
In the Siebel configurationDemo
file, set the “anonymous user”
property to a low-privileged user.
ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved
27
FRAUD
SAP: Diverting payments (default credentials)
SAP Clients (or mandants)
– Entity w/ independent data (like a tenant)
– 3-digit identifiers
– “special” default clients (created on installation)
• 000 → Cross-client tasks
• 001 → Template for new clients
• 066 → SAP support
SAP* left w/pass
06071992
SAP* w/Master
password on
installation
Catch: SAP* in client 066 not w/
SAP_ALL privileges, but...
http://help.sap.com/saphelp_nw70/helpdata/en/3e/cdaccbedc411d3a6510000e835363f/content.htm
ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved
29
SAP: Diverting payments (default credentials)
Fix:
- Change SAP* password
on client 066
Demo
- Correctly assign SAP* permissions
ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved
30
ESPIONAGE
JD Edwards: Stealing passwords
Again, the JDENet... is also listening on port
6015 (TCP) for JDEMsg commands
Remotely retrieve information from the JDE.INI file,
and also sensitive information in clear-text
Kernel types and configuration
ity
r
u
c
Se
tion
a
r
u
fig
n
o
c
er
Serv
SSO Node information
Data
base
inf
orma
t
ion
ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved
32
JD Edwards: Stealing passwords
An Attacker needs:
– Access to port 6015 on target (TCP)
– Send function call (JdeMsg number 563)
• Use default password hard-coded in service
• Get DB Credentials (plain-text)
– Connect to DB with obtained credentials
• Read table F98OWSEC
An Attacker gets:
– “encrypted” user passwords
ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved
33
JD Edwards: Stealing passwords
Fix:
Apply the latest Oracle Critical
Patch Update, as the fix for
Demo
this attack was released by oracle in a scheduled CPU.
ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved
34
Siebel: Search Inside
Acces control in Siebel
@ View
Level
@ Business
Component
Level
Who can access
the views
Who can access
the data
ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved
35
Siebel: Search Inside
Siebel
Query
Language
(no, it's not SQL)
• Used all through Siebel
• Originally designed to
filter data inside Applets
• Executing queries not
restricted by
authorization checks
(privilege independent)
ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved
36
Siebel Query Language Injection
Fix:
Using eScript, catch the pre-query
Demo or Invoke query methods
applying a custom filter which should prevent the use of
dangerous functions.
ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved
37
SAP: Getting DB Admin rights
“The J2EE Engine provides a secure storage area where
applications or service components on the J2EE Engine can
store sensitive data such as passwords or communication
destinations, in encrypted form” (*)
/usr/sap/<SID>/SYS/global/security/data/SecStore.properties
E
3D
Problem #1
get the file
Problem #2
decrypt file
S
Problem #3
access DB
(*) http://help.sap.com/saphelp_nw73/helpdata/en/47/b08e68542e3378e10000000a421937/content.htm
ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved
38
SAP: Getting DB Admin rights
1. Getting the Secure Store File
/usr/sap/<SID>/SYS/global/security/data/SecStore.properties
RMI
CORBA
P4
(RMI)
SAP Netweaver
Application Server
Uses P4 for:
• Communication between objects in different
namespaces (e.g. FileTransfer_Stub)
• Reliable client-server connections
• Transparent failover for clustered remote objects
• Etc
https://service.sap.com/sap/support/notes/1682613
ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved
39
SAP: Getting DB Admin rights
2.Decrypt Secure Store
/usr/sap/<SID>/SYS/global/security/data/SecStore.properties
/usr/sap/<SID>/SYS/global/security/data/SecStore.key
3DES
Key bundle?
3.Access DB
ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved
40
SAP: Getting DB Admin rights
Fix:
- Apply note https://service.sap.com/sap/support/notes/1682613
Demo
- Correctly handle access to SecStore.key file
ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved
41
3. Conclusions
Conclusions
●
●
●
●
●
●
●
ERP Systems are among the most critical systems in the
organization and that makes them a really interesting
target to the attackers
ERPs have a long history, most of it was about SoD
Technical vulnerabilities are more critical than SoD since
ant attacker doesn't need any user in the system
Although receiving more attention in the last years (2009+)
they don't get the attention they deserve
The attack surface is huge, proprietary protocols and
custom technologies are everywhere
Old vulns?
Patching practices are delayed due to complexity and
cost
ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved
43
¿?
Contact:
Ezequiel Gutesman (@gutes) [email protected]
Jordan Santarsieri (@jsansec) [email protected]

Documentos relacionados