Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: research

{QuickPost} Research Teaser – HTTP Response Codes

So I’ve been a little slack recently when it comes to blog posts… and conferences… and, well, pretty much everything. Still, I’ve been doing some interesting things (for me at least) in the background that I’m hoping to be talking about later this year. I don’t want to give too much away, but I’m sure people can figure it out based on stuff I’ve previously put out… if not, then here’s just a pretty picture of 3 browsers side by side 😉

teaser

… and no, the above isn’t doing anything with the user-agent string (you’re thinking of the wrong research ;).

Here’s hoping that the fine folks over at BSidesLondon accept my talk so I can talk about it in April… and that everything pans out so I don’t look like a moron on stage… again! 😉

Setting up your own SAP Netweaver test lab

One of the main issues I came across when starting research in SAP security (and SAP in general) was the seeming lack of demo software available and the difficulty getting what demo versions there were up and running. This has also been the number 1 question I’ve received over the last few months… “How do I get a trial version for my lab”!

With that in mind I’ve collected up the links I’ve used over the past few months into a single post for those that are interested in setting up an SAP test lab and playing about with it.

These trial versions are slightly limited as they don’t offer the ability to update them to the latest build (which is an issue when it comes to security research). They also rely on MaxDB (formerly SAP DB) by default (although I believe one uses IBM DB2 just for fun). It may be possible to configure them to use external databases (Oracle etc…), but with this you’re on your own! I’m as far from an SAP expert as you could probably find.

I’ve tried to break things down by platform as one of my aims was to get and install a few different versions for tool testing. These trials are memory hungry, CPU hungry at times, and need a lot of disk space (>42GB for a single VM).

Note: SAP isn’t for the faint of heart, and getting things running 100% is never going to be easy! Don’t say I didn’t warn you 😉

You’ll need to sign-up for a free SAP Community Network (SCN) user account to download most of these files. This will also give you access to the forums.

Linux

SAP NetWeaver 7.0 – Trial Version on Linux –> DOWNLOAD

(N4S) SAP NETWEAVER 7.0 – SAP WEB APPLICATION SERVER ON LINUX (DVD) –> REQUEST DVD

Windows

SAP NetWeaver AS ABAP 7.02 SP6 32-bit Trial –> DOWNLOAD

Step by Step Installation of SAP NetWeaver 7.01 SR1 SP3 ABAP Trial Version in Oracle VirtualBox Part 1/3 –> GUIDE

SAP NETWEAVER 2004S ABAP TRIAL VERSION – TROUBLESHOOTING GUIDE –> GUIDE

Notes: A few points you might want to check before beginning with the install.

  • RAM
    • I got away with running this on 1.5GB of RAM, but it really needs >2GB to run smoothly
  • SWAP
    • Don’t even bother starting your install without >4GB of swapfile initialized. The installer will only complain about the lack of swap after you’ve configured the whole install… you’ve been warned!
  • Disk Space
    • Lots…. I made a VM with a 50GB second disk purely for the MaxDB
  • JRE
    • It might look like things are all working fine with 1.6.x, but I only had issues with the system afterwards or during install (crashed my VMware Fusion). Stick to the latest JRE 1.4.x (worked fine for me).

VMWARE (LINUX SLES)

(CTB) SAP NetWeaver 7.0 – Java Trial Version on Linux – VMware Edition –> DOWNLOAD

Novell Link to CTB SLES images –> DOWNLOAD

GETTING STARTED SAP NETWEAVER 7.0-JAVA-VMWARE-TRIAL –> GUIDE

SAP ON LINUX: TEST DRIVES – TIPS AND TRICKS –> GUIDE

Notes: This VM is meant to be a sealed unit where you access it from a second system for management etc. I had issues getting the Visual Administrator to connect, and also getting the config tool running on the local system.

Some guides reference the n4sadm user (these guides are written for the pure Linux version of SAP and not the VM version). You might find you have more luck using the ctbadm user when the guide says n4sadm.

Oh and the root password is “sap123”

Licensing

This page seems to be the main hub for what SAP now call “minisap” (originally TRIAL version).

You’ll need to run some commands on the SAP install and extract the resulting codes to request a key through this link.

http://www.sap.com/minisap/

CVE research made easy

There are a number of sites and services available for researching vulnerabilities; some have been around for a long time (Mitre, NVD), others are new to the game (OSVDB). Although these sites offer a great mix of information, a new player that’s making access to CVE vulnerability information easier than ever is cvedetails.com (alternatively known as SecurityVulnerability.net). This new twist on CVE search offers the ability to browse vulnerability information by type, date, product, vendor, and CVSS scores using an easy-to-use interface with a great deal of customization.

CVEDETAILS Apache View

As you can see from the above screenshot (using Apache as an example), the layout of CVEdetails gives a great deal of information about vulnerabilities reported, including a helpful breakdown of the type of flaw and number of vulnerabilities reported by year (see the coloured charts at the bottom of the screenshot). Here you can easily filter the vulnerabilities further by year or type simply by clicking on the desired selection. Not only does the interface make filtering your search criteria easier, but management will love charts…. just saying 😉

CVEDETAILS Apache Code Exec

Diving into the “Execute Code” vulnerabilities (after all, that’s the real juicy stuff), CVEdetails gives you a full breakdown of CVE information with some nice additional features. I particularly like the ability to easily see the CVSS scores, as well as the “gained access level” and access (remote|local). This, alongside the ability to easily filter by CVSS score, makes researching vulnerabilities a lot easier. The eagle-eyed amongst you will also have noticed the “# of Exploits” column. This gives an indication (I say this, because not all exploits are publicly available) of the exploits available.

CVEDETAILS Apache CVE Detailed View

By clicking on one of the CVE listings we get a good overview of the vulnerability (as you’d expect, this information is based on centrally stored information); however, the addition of some handy links in the “Vulnerable Products” list is a nice bonus. Here you can easily expand/narrow your search by looking at other vulnerabilities for the affected product versions. The ability to look at vulnerability trends for specific product versions is also something that will come in useful for a number of us, I’m sure. Again, management love charts, and I can see this kind of charting being used in reports to convey the issue of outdated software more clearly to management.

CVEDETAILS - Apache 2.3.0 Vulnerability Trends

Overall CVEdetails seems like a step in the right direction when it comes to providing useful information in an easy to find/use interface. The ability to view large amounts of vulnerability information and filter it to your requirements is a real timesaver, and the level of customization within the searches provides exactly what you’re looking for without the headache of manually sifting through pages and pages of CVEs before you finally find the one you need. I know there are a lot of other alternatives out there, but adding CVEdetails to this list certainly won’t hurt!
