Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

DeepSEC: Attacking SAP Users Using sapsploit eXtended 1.1

Attacking SAP Users Using sapsploit eXtended 1.1 (Alexander Polyakov)

Agenda:

  • SAP security in common
  • Attacking SAP users
  • SAP Stuxnet Prototype
  • Mitigations

SAP security in common

SAP security has traditionally been about roles and permissions within the SAP system itself. However, that focus ignores other issues that could allow attackers to gain access to the SAP system and its data.

The number of published advisories for SAP and attached database software is growing: 40 vulnerabilities in a single month alone during 2010.

ERP systems have a very complex structure, which is bad for security.

SAP is hugely customizable, so it’s impossible to assign one security model for all instances.

Systems are rarely updated because administrators are scared of breaking things.

This talk will focus on the client-side of SAP insecurity

Attacking SAP Users

Users are less secure

There are possibly thousands of SAP users in a single company (bigger attack surface)

Client software:

  • SAPGUI
  • JAVAGUI
  • WEBGUI
  • NWBC
  • RFC
  • Visualadmin, mobile client

SAPGUI

Is the most commonly used SAP access client

Doesn’t perform any central updates

Rarely patched by the user

Administrators don’t think it should be updated

SAPGUI suffers from 8 of the OWASP-EAS top 10 vulnerabilities

EASFV-1 Buffer Overflow

About 1,000 ActiveX controls in SAPGUI

16 have vulnerabilities

User interaction is needed for exploitation

10-50% exploitation success rate, depending on user awareness

Not all discovered vulnerabilities have been patched (still working with the vendors)

EASFV-2 Insecure Methods

ActiveX controls can:

  • Download and exec executables such as trojans
  • Run any OS command
  • Overwrite config / Denial of Service
  • Steal credentials using SMB Relay attack

EASFV-3 Insecure scripting

Many ActiveX controls execute different SAP functions using RFC

By misusing the ActiveX records you can fool a user into logging into the SAP system and downloading tables

GUI scripting is implemented using vbs scripts to repeat manual work on the front-end

Many possibilities for abuse

EASFV-4 File handling vulnerabilities

Not patched yet 😉

EASFV-5 Broken or risky crypto algorithms

Connection is compressed and not encrypted

The traffic can easily be decoded to view its contents

The WEBGUI uses base64 to “encrypt” sensitive data

Can be mitigated by using SNC and SSL

EASFV-6 Storage of sensitive information

sapshortcut.ini can store names and passwords (restricted in 7.1, available again in 7.2)

saplogon.ini provides information about SAP servers

Trace Files provide password information

Other files can also hold sensitive information

  • Excel (linked to SAP/Database)
  • VBS scripts – automatic jobs
  • Pivot .oqu files (remote load of InfoCubes)
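An audit sketch for the stored-credential problem noted above, added here as an example and not code from the talk or from ERPScan: it reports which INI-style SAP client files contain a non-empty password-like key, without ever printing the value. The key pattern, the `*.sap` extension and the sample file contents are assumptions constructed for illustration.

```python
import configparser
import os
import re

# Assumption: credential-bearing keys contain one of these words. Adjust to
# whatever your SAPGUI release actually writes.
SENSITIVE_KEY = re.compile(r"password|passwd|pwd", re.IGNORECASE)
# File names from the talk notes; "*.sap" shortcut files are an added assumption.
TARGETS = ("sapshortcut.ini", "saplogon.ini")

def audit_ini_text(name, text):
    """Return (file, section, key) for every non-empty credential-like entry.

    Values are never returned, so the report itself does not leak secrets.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       allow_no_value=True)
    parser.optionxform = str  # keep original key case in the report
    try:
        parser.read_string(text, source=name)
    except configparser.Error:
        # Not valid INI (or unexpected encoding): flag it instead of skipping.
        return [(name, "<unparsed>", "<review manually>")]
    return [(name, section, key)
            for section in parser.sections()
            for key, value in parser.items(section)
            if SENSITIVE_KEY.search(key) and value and value.strip()]

def audit_tree(root):
    """Walk a user profile or deployment share and audit every matching file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() in TARGETS or fn.lower().endswith(".sap"):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8-sig", errors="replace") as fh:
                    findings += audit_ini_text(path, fh.read())
    return findings

# Constructed sample; section and key names are illustrative, not a real export.
SAMPLE = """\
[System]
Name=PRD
[User]
Name=jdoe
Password=PW_CONSTRUCTED_VALUE
[Options]
Password=
"""

if __name__ == "__main__":
    for finding in audit_ini_text("sapshortcut.ini", SAMPLE):
        print("stored credential:", finding)
```

Run `audit_tree` against user profile directories and any shared deployment location; every finding is a file to clean up or restrict.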

EASFV-9 Remote vulnerabilities

SAPLPD vulnerable to exploitation

Multiple BOF

Attackers exploiting these issues can gain full control over the SAP server

DLL Hijacking

Many SAP systems are also vulnerable.

Waiting for a better solution from SAP

Implementation failures

Configuration files stored in shared locations for ease of deployment… and ease of attack!

Attackers can download and extract info, or overwrite and exploit users

Overwrite distributed DLL files to backdoor client installs

WEBGUI

Many SAP systems install web interfaces

Typical vulnerabilities exist

  • XSS
  • Phishing

Can you create a Stuxnet for SAP?

All the required faults and exploits already exist.

Client-side exploitation

Server-side exploitation

Trojan backdoor of clients

Default passwords

Mitigations

Perform vulnerability scans to check exposure

ERPScan online (http://erpscan.com/)

  • Free Online scanner using ActiveX calls
  • Doesn’t install 3rd party add-ons or software
  • Checks not only system issues, but also user issues
  • Uses database of version information to check vulnerabilities
  • Partially question and answer based
  • Provides awareness and links to improve security
