
DeepSEC: Attacking SAP Users Using sapsploit eXtended 1.1 (Alexander Polyakov)
Agenda:
- SAP security in general
- Attacking SAP users
- SAP Stuxnet Prototype
- Mitigations
SAP security in general
SAP security has traditionally been about roles and permissions within the SAP system itself. That focus ignores other issues that could let attackers gain access to the SAP system and its data.
The number of published advisories for SAP and its attached database software is growing: 40 vulnerabilities in a single month during 2010 alone.
ERP systems have a very complex structure, which is bad for security.
SAP is hugely customizable, so no single security model fits all installations
Rarely updated because administrators are afraid of breaking things
This talk will focus on the client-side of SAP insecurity
Attacking SAP Users
Users are less secure than the servers
There are possibly thousands of SAP users in a single company (bigger attack surface)
Client software:
- SAPGUI
- JAVAGUI
- WEBGUI
- NWBC
- RFC
- Visualadmin, mobile client
SAPGUI
Is the most commonly used SAP access client
No central update mechanism
Rarely patched by the user
Administrators don’t think it should be updated
SAPGUI suffers from 8 of the OWASP-EAS top 10 vulnerabilities
EASFV-1 Buffer Overflow
About 1,000 ActiveX controls ship with SAPGUI
16 of them have vulnerabilities
User interaction is needed for exploitation
Exploitation succeeds 10-50% of the time, depending on user awareness
Not all discovered vulnerabilities have been patched (still being worked on with the vendors)
EASFV-2 Insecure Methods
ActiveX controls can:
- Download and execute executables such as trojans
- Run any OS command
- Overwrite config / Denial of Service
- Steal credentials via SMB relay attacks
EASFV-3 Insecure scripting
Many of the ActiveX controls call SAP functions over RFC
By misusing these controls you can trick a user into logging into SAP and downloading tables
GUI scripting is implemented with VBS scripts that replay manual work on the front-end
Many possibilities for abuse
EASFV-4 File handling vulnerabilities
Not patched yet 😉
EASFV-5 Broken or risky crypto algorithms
The connection is compressed, not encrypted
The traffic can easily be decompressed and read
The WEBGUI uses base64 to “encrypt” sensitive data
Can be mitigated by using SNC and SSL
EASFV-6 Storage of sensitive information
sapshortcut.ini can store names and passwords (restricted in 7.1, available again in 7.2)
saplogon.ini provides information about SAP servers
Trace files can contain passwords
Other files can also hold sensitive information
- Excel (linked to SAP/Database)
- VBS scripts – automatic jobs
- Pivot .oqu files (remote load of InfoCubes)
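The files listed above are worth hunting for on any workstation or deployment share an assessor reaches. The following script is an added example for this page, not code from the talk or from ERPScan: it walks a directory, parses every .ini file and reports which sections hold a non-empty password-like key, without copying the secret into the report. The sample file contents are constructed; the [System]/[User] layout and the key names are assumptions, not copies of SAP's real file formats.

```python
"""Find stored SAP credentials in front-end configuration files.

Added example for this page, not code from the talk or from ERPScan. It walks
a directory the way someone who reached a workstation (or a shared deployment
folder) would, parses every .ini file and reports password-bearing keys. The
sample file contents are constructed; the [System]/[User] layout and the key
names are assumptions rather than copies of SAP's real file formats.
"""
import configparser
import os
import tempfile
from typing import Dict, List, Tuple

# Key names treated as secrets (configparser lowercases keys). Assumption.
SECRET_KEYS = {"password", "pwd", "passwd"}

# Constructed stand-ins for files found on a SAPGUI workstation.
SAMPLE_FILES: Dict[str, str] = {
    "sapshortcut.ini": (
        "[System]\nName=PRD\nClient=100\n"
        "[User]\nName=jdoe\nPassword=Summer2010\n"
    ),
    "saplogon.ini": "[Server]\nItem1=PRD\n[MSSrvName]\nItem1=sapmsPRD.corp.local\n",
    "notes.ini": "[Options]\nPwd=\n",          # empty value: not reported
    "broken.ini": "no section header here\n",  # unparsable: skipped, not fatal
}


def write_sample_files(root: str) -> None:
    """Materialise the constructed sample files under root."""
    for name, body in SAMPLE_FILES.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)


def find_stored_credentials(root: str) -> List[Tuple[str, str, str]]:
    """Return (relative path, section, key) for each non-empty secret value.

    The value itself is deliberately not returned: an audit report should
    show where a credential is stored, not copy it around.
    """
    hits: List[Tuple[str, str, str]] = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(".ini"):
                continue
            path = os.path.join(dirpath, name)
            parser = configparser.ConfigParser(
                interpolation=None, strict=False, allow_no_value=True
            )
            try:
                parser.read(path, encoding="utf-8")
            except configparser.Error:
                continue  # not INI syntax; nothing to parse
            for section in parser.sections():
                for key, value in parser.items(section):
                    if key in SECRET_KEYS and value:
                        rel = os.path.relpath(path, root).replace(os.sep, "/")
                        hits.append((rel, section, key))
    return hits


def demo() -> List[Tuple[str, str, str]]:
    """Write the constructed files to a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as root:
        write_sample_files(root)
        return find_stored_credentials(root)


if __name__ == "__main__":
    for rel, section, key in demo():
        print(f"{rel}: [{section}] {key}=<stored value>")
```

Run it against a real profile directory or deployment share by calling find_stored_credentials with that path; extend SECRET_KEYS with whatever key names your own shortcut and logon files use, and treat trace files and VBS scripts as a separate, line-oriented search since they are not INI-structured.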
EASFV-9 Remote vulnerabilities
SAPLPD is vulnerable to exploitation
Multiple buffer overflows
Attackers exploiting these issues can gain full control over the affected host
DLL Hijacking
Many SAP components are also vulnerable.
Waiting for a better solution from SAP
Implementation failures
Configuration files stored in shared locations for ease of deployment… and ease of attack!
Attackers can download them and extract information, or overwrite them and exploit users
Overwrite distributed DLL files to backdoor client installs
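A practitioner checking a deployment share wants two answers: who can write to it, and whether anything on it has changed since the last known-good state. The script below is an added example for this page, not code from the talk or from ERPScan. It records a SHA-256 baseline of every file, then reports files the current user can write, files whose hash changed, and files added or removed. The share layout, file names and contents are constructed for the demo.

```python
"""Audit a shared SAP client deployment folder for tampering.

Added example for this page, not code from the talk or from ERPScan. Config
files and DLLs deployed from a share can be modified by anyone with write
access, so the check is twofold: which files the current user can write, and
which files no longer match a known-good SHA-256 baseline. The sample tree
(file names and contents) is constructed for the demo.
"""
import hashlib
import os
import tempfile
from typing import Dict, List


def _rel(path: str, root: str) -> str:
    return os.path.relpath(path, root).replace(os.sep, "/")


def baseline_hashes(root: str) -> Dict[str, str]:
    """SHA-256 of every file under root, keyed by relative path."""
    digests: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digests[_rel(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def audit_share(root: str, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the share against the baseline and list writable files."""
    current = baseline_hashes(root)
    return {
        # Run this as an ordinary user: anything listed here can be backdoored.
        "writable": sorted(
            rel for rel in current
            if os.access(os.path.join(root, *rel.split("/")), os.W_OK)
        ),
        "modified": sorted(
            rel for rel in current
            if rel in baseline and baseline[rel] != current[rel]
        ),
        "added": sorted(rel for rel in current if rel not in baseline),
        "missing": sorted(rel for rel in baseline if rel not in current),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo() -> Dict[str, List[str]]:
    """Build a constructed share, take a baseline, tamper with it, audit."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed share contents; the DLL name is hypothetical.
        _write(root, "saplogon.ini", b"[Server]\nItem1=PRD\n")
        _write(root, "bin/sapfront.dll", b"MZ original library bytes")
        baseline = baseline_hashes(root)
        # Someone with write access replaces a DLL and drops a new one.
        _write(root, "bin/sapfront.dll", b"MZ backdoored library bytes")
        _write(root, "bin/update.dll", b"MZ dropped library")
        return audit_share(root, baseline)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category}: {files}")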
WEBGUI
Many SAP systems install web interfaces
The usual web application vulnerabilities exist
Can you create a Stuxnet for SAP?
All the required flaws and exploits already exist.
Client-side exploitation
Server-side exploitation
Trojan backdoor of clients
Default passwords
Mitigations
Perform vulnerability scans to check exposure
ERPScan online (http://erpscan.com/)
- Free Online scanner using ActiveX calls
- Doesn’t install third-party add-ons or software
- Checks not only system issues, but also user issues
- Uses database of version information to check vulnerabilities
- Partially questionnaire-based
- Provides awareness and links to improve security