ERP Security

Transcripción

ERP Security

ERP Security:
How hackers can open the safe
and take the jewels
Ezequiel Gutesman (@gutes) [email protected]
Jordan Santarsieri (@jsansec) [email protected]
September 25-27, 2013
Ekoparty Security Conference
Buenos Aires, Argentina
Disclaimer
This publication is copyright 2013 Onapsis Inc. – All rights reserved.
This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP NetWeaver, Duet,
PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are
trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web
Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or
registered trademarks of Business Objects in the United States and/or other countries.
This publication contains references to the products of Oracle and services mentioned herein are trademarks or
registered trademarks of Oracle in all countries all over the world.
SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP
Group shall not be liable for errors or omissions with respect to the materials.
Oracle Corporation is neither the author nor the publisher of this publication and is not responsible for its
content, and Oracle Corporation shall not be liable for errors or omissions with respect to the materials.
ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved
2
Agenda
1.Introduction
●
●
●
Why bothering about ERPs?
History of ERP Security
ERP Security for hackers
2.Targeting ERPs
●
●
●
Reinventing the wheel: Technology stacks
Attack Vectors
Demo time!
●
●
●
Sabotage
Espionage
Fraud
3.Conclusions
3
1. Introduction
TREASURY
FINANCIAL PLANNING
SALES
INVOICING
PAYROLL
BILLING
LOGISTICS
HUMAN RESOURCES
PRODUCTION
PROCUREMENT
5
6
Forbes 500
Mid-size companies
7
• They run our
business-critical
processes
• They Store our most
sensitive information
ER
P
• Our organizations are
highly-dependent on
them
8
Hacktivism(*)
Unit 61398
Vulns
Zombies → Botnets →
Section 702
Section 215
Cyberwarfare
&
Surveillance
(*) http://suelette.home.xs4all.nl/underground/underground.txt
9
So... why bothering about ERPs?
Because...
ERP vulns
10
History of ERP security
11
History of ERP security
1970 1980 1990 2000
1988
Morris
Worm
1972
Buffer
Overflows
1995
XSS
1996 Ping
of Death
2001 Heap
OWASP Spraying
1980
SAP R/2
(mainframe)
2013
2003
Metasploit
2002 2006
Bluepill
CSRF SQLi
2007
SAP “virus”
SAPVir
Wir hacken
eine SAP
Datenbank
1993
SAP
R/3
Realtime
3-tier
2010
2011
Debian
PRNG
Bug
Practical
Padding
Oracles
BEAST
2012
CRIME
@
Rootkits and Trojans
on your SAP Landscape
SAP Knowledge
The truth about ABAP Security
Management
Protecting SAP
Attacking users with Applications
Against Common Attacks (SAP)
SAPSploit
2010 (5+)
2002
Exploiting
SAP
Internals
30 years of SoD
1972 – SAP
RF → R/1
2008
13 years
2009 (3)
2004
SAP
Netweaver
2003
“SAP” Password
Sicherheit
2008
SAP
@JtR
Attacking SAP clients
SAP
Security
Notes
The
risks of downward
Decompression of
SAP's DIAG
protocol
compatibility
2011 (5+)
2012(10+)
The Invoker Servlet
SAP Backdoors & Rootikts
Arch. & program vulns in SAP's
J2EE engine
Security of Enterprise Business
Application Systems
Attacks to SAP Web Applications
12
ERP Security for hackers
FRAUD
Modify financial information,
tamper sales and purchase
orders, create new vendors,
modify vendor bank account
numbers, etc.
SABOTAGE ESPIONAGE
Paralyze the operation of the
organization by shutting down
the ERP system, disrupting
interfaces with other systems
and deleting critical
information, etc.
Extract customer/vendor/HR data,
financial planning information,
balances, profits, sales information,
manufacturing recipes, etc.
13
2. Targeting ERPs
Layered architecture
Attack Vectors
Client (web/API/thick client)
Proprietary protocols
/ HTTP / SOAP /
CORBA
Application Server
Trust relationships /
ODBC / Other
External
Servers
&
Other
Application
servers
DB
OS
15
Attack Vectors - SAP
http://bit.ly/19AXe7Y
16
Attack Vectors - SAP
http://bit.ly/19AXe7Y
17
Attack Vectors – Oracle JD Edwards
HTTP
HTTP
HTTP
C
DB
JDE Java
Application
Server (JAS)
JDE
Enterprise
Server
O
Web Server
ET
JDEN
BC
OD
Database
Server
JDE
Deployment
Server
http://bitly.com/QB12xx
18
Attack Vectors
• Components and servers through protocols
– P4, DIAG, RFC, NI, CORBA, SOAP, JDENET, HTTP,
SNC, etc, etc.
• Crypto
– Stored keys, default certificates, proprietary schemes
• Business through data manipulation
– Default credentials, lack of checks
• Apps
– Web , companion apps. , transactions, reports, external
tools, APIs
• DB
– Connectors, trust relationships, default accounts
19
Demo Time!
SABOTAGE
JD Edwards: Shutdown via UDP
The JDENet component listens on port 6015 (UDP) for
control commands:
SHOWCONN TOGGLE_LOG CONNECT_FROM
CONNECT_TO CONNECT_REJECT
GET_WRKMGT VIEW_KERNEL_TRACE
SHUTDOWN USRBROADCAST …
Wait...
22
>>> hexdump(IP(dst="192.168.0.12")/UDP(dport=6015)/"SHUTDOWN")
0000
45 00 00 24 00 01 00 00 40 11 F9 25 C0 A8 00 46
E..$....@..%...F
0010
C0 A8 00 0C 00 35 17 7F 00 10 22 3D 53 48 55 54
.....5...."=SHUT
0020
44 4F 57 4E
DOWN
An attacker needs:
– Access to port 6015 on target
– Send UDP packet
An Attacker gets:
– Immediate JDE Enterprise Server shutdown
23
Fix:
Apply the latest Oracle Critical
Patch Update, as the fix for
Demo
this attack was released by oracle in a scheduled CPU.
24
Siebel: Bypass log in
The Anonymous user
• Required even if the applications do not allow access
by unregistered users
• Used at start up, to connect to“datasource”
• If deleted, no user could access Siebel
• At installation time, asks you to choose an already
created user to become the Anonymous user
• Should have low privileges, but to avoid configuration
issues but...
25
An attacker needs:
– Access to the application
– Wrong configuration of Anonymous user
An Attacker gets:
– Complete control of the Siebel installation
26
Fix:
In the Siebel configurationDemo
file, set the “anonymous user”
property to a low-privileged user.
27
FRAUD
SAP: Diverting payments (default credentials)
SAP Clients (or mandants)
– Entity w/ independent data (like a tenant)
– 3-digit identifiers
– “special” default clients (created on installation)
• 000 → Cross-client tasks
• 001 → Template for new clients
• 066 → SAP support
SAP* left w/pass
06071992
SAP* w/Master
password on
installation
Catch: SAP* in client 066 not w/
SAP_ALL privileges, but...
http://help.sap.com/saphelp_nw70/helpdata/en/3e/cdaccbedc411d3a6510000e835363f/content.htm
29
SAP: Diverting payments (default credentials)
Fix:
- Change SAP* password
on client 066
Demo
- Correctly assign SAP* permissions
30
ESPIONAGE
JD Edwards: Stealing passwords
Again, the JDENet... is also listening on port
6015 (TCP) for JDEMsg commands
Remotely retrieve information from the JDE.INI file,
and also sensitive information in clear-text
Kernel types and configuration
ity
r
u
c
Se
tion
a
r
u
fig
n
o
c
er
Serv
SSO Node information
Data
base
inf
orma
t
ion
32
An Attacker needs:
– Access to port 6015 on target (TCP)
– Send function call (JdeMsg number 563)
• Use default password hard-coded in service
• Get DB Credentials (plain-text)
– Connect to DB with obtained credentials
• Read table F98OWSEC
An Attacker gets:
– “encrypted” user passwords
33
Fix:
Apply the latest Oracle Critical
Patch Update, as the fix for
Demo
this attack was released by oracle in a scheduled CPU.
34
Siebel: Search Inside
Acces control in Siebel
@ View
Level
@ Business
Component
Level
Who can access
the views
Who can access
the data
35
Siebel: Search Inside
Siebel
Query
Language
(no, it's not SQL)
• Used all through Siebel
• Originally designed to
filter data inside Applets
• Executing queries not
restricted by
authorization checks
(privilege independent)
36
Siebel Query Language Injection
Fix:
Using eScript, catch the pre-query
Demo or Invoke query methods
applying a custom filter which should prevent the use of
dangerous functions.
37
SAP: Getting DB Admin rights
“The J2EE Engine provides a secure storage area where
applications or service components on the J2EE Engine can
store sensitive data such as passwords or communication
destinations, in encrypted form” (*)
/usr/sap/<SID>/SYS/global/security/data/SecStore.properties
E
3D
Problem #1
get the file
Problem #2
decrypt file
S
Problem #3
access DB
(*) http://help.sap.com/saphelp_nw73/helpdata/en/47/b08e68542e3378e10000000a421937/content.htm
38
1. Getting the Secure Store File
RMI
CORBA
P4
(RMI)
SAP Netweaver
Application Server
Uses P4 for:
• Communication between objects in different
namespaces (e.g. FileTransfer_Stub)
• Reliable client-server connections
• Transparent failover for clustered remote objects
• Etc
https://service.sap.com/sap/support/notes/1682613
39
2.Decrypt Secure Store
/usr/sap/<SID>/SYS/global/security/data/SecStore.key
3DES
Key bundle?
3.Access DB
40
Fix:
- Apply note https://service.sap.com/sap/support/notes/1682613
Demo
- Correctly handle access to SecStore.key file
41
3. Conclusions
Conclusions
●
●
●
●
●
●
●
ERP Systems are among the most critical systems in the
organization and that makes them a really interesting
target to the attackers
ERPs have a long history, most of it was about SoD
Technical vulnerabilities are more critical than SoD since
ant attacker doesn't need any user in the system
Although receiving more attention in the last years (2009+)
they don't get the attention they deserve
The attack surface is huge, proprietary protocols and
custom technologies are everywhere
Old vulns?
Patching practices are delayed due to complexity and
cost
43
¿?
Contact:
Ezequiel Gutesman (@gutes) [email protected]
Jordan Santarsieri (@jsansec) [email protected]

ERP Security

Transcripción

Documentos relacionados

Optimice sus Entornos de Prueba con Datos de Producción

TEC 2015 ERP Report: The Makings of a Great ERP User Experience

Next steps

Jennifer Stearns Buttrick - Cancer Support Community Greater Miami

Web Dynpro Controllers

See