Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: sap

Metasploit SAP Management Console AUX Modules: The RELEASE

So, the nice people at Metasploit (thanks HDM, Bannedit) have committed a bunch of my SAP auxiliary modules to the Metasploit SVN tree [r11858].

Alongside the modules I already released, I also finished up testing on the SAP_service_discovery module and wrote a new module, sap_mgmt_con_brute, for brute-forcing username/password pairs through the SAP Management Console's Basic Auth authentication*.

As these are MyFirst© Metasploit modules I’d appreciate any feedback you might have. I’ve still got a few modules to write up once I get time, but I think these should be enough for you guys to be going on with.

Have fun, but not too much fun 😉


Special thanks to Bannedit (and all the others in #Metasploit) for putting up with silly Ruby/Metasploit questions!

* This is a brute-force module… you may lock out accounts. Obvious really, but apparently that needs to be said!
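As an added example (my own, not part of the post or of the Metasploit project), here is the defender's side of the lockout caveat above: detection logic that runs over constructed access-log lines in Apache combined style, assumed to come from a web server or reverse proxy that logs requests to the Management Console's Basic Auth endpoint, and flags a burst of 401s from one client plus any 200 that follows it. The sample lines, the threshold and the window are all assumptions.

```ruby
require 'time'

# Constructed sample lines (not real data), Apache combined-log style, assumed to be a
# proxy or web server log in front of the SAP Management Console: six 401s within ten
# seconds followed by a 200 from one client, and a single mistyped login from another.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [10/Jan/2011:10:00:01 +0100] "POST / HTTP/1.1" 401 0
  10.0.0.5 - - [10/Jan/2011:10:00:03 +0100] "POST / HTTP/1.1" 401 0
  10.0.0.5 - - [10/Jan/2011:10:00:05 +0100] "POST / HTTP/1.1" 401 0
  10.0.0.5 - - [10/Jan/2011:10:00:07 +0100] "POST / HTTP/1.1" 401 0
  10.0.0.5 - - [10/Jan/2011:10:00:09 +0100] "POST / HTTP/1.1" 401 0
  10.0.0.5 - - [10/Jan/2011:10:00:11 +0100] "POST / HTTP/1.1" 401 0
  10.0.0.5 - - [10/Jan/2011:10:00:13 +0100] "POST / HTTP/1.1" 200 1843
  10.0.0.9 - - [10/Jan/2011:10:02:40 +0100] "POST / HTTP/1.1" 401 0
  10.0.0.9 - - [10/Jan/2011:10:02:55 +0100] "POST / HTTP/1.1" 200 1843
LOG

LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "[^"]*" (?<status>\d{3})/

# Turn one log line into { ip:, time:, status: }, or nil if it does not match.
def parse_line(line)
  m = LOG_RE.match(line) or return nil
  { ip: m[:ip], time: Time.strptime(m[:ts], "%d/%b/%Y:%H:%M:%S %z"), status: m[:status].to_i }
end

# Per client IP: flag `threshold` or more 401s inside `window` seconds (a guessing burst),
# and any 200 that arrives after at least `threshold` 401s (the guessing may have succeeded).
def detect_bruteforce(log_text, threshold: 5, window: 60)
  events = log_text.each_line.map { |l| parse_line(l) }.compact
  findings = []
  events.group_by { |e| e[:ip] }.each do |ip, evs|
    evs = evs.sort_by { |e| e[:time] }
    fails = evs.select { |e| e[:status] == 401 }.map { |e| e[:time] }
    burst = fails.each_index.find do |i|
      i + threshold <= fails.size && fails[i + threshold - 1] - fails[i] <= window
    end
    findings << { ip: ip, type: :bruteforce, failures: fails.size } if burst
    guessed = evs.any? { |e| e[:status] == 200 && fails.count { |f| f < e[:time] } >= threshold }
    findings << { ip: ip, type: :success_after_failures } if guessed
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  text = ARGV.empty? ? SAMPLE_LOG : File.read(ARGV[0])
  detect_bruteforce(text).each { |f| puts "#{f[:ip]}: #{f[:type]}" }
end
```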


Setting up your own SAP Netweaver test lab

One of the main issues I came across when starting research in SAP security (and SAP in general) was the seeming lack of demo software available and the difficulty of getting what demo versions there were up and running. This has also been the number 1 question I’ve received over the last few months: “How do I get a trial version for my lab?”

With that in mind I’ve collected up the links I’ve used over the past few months into a single post for those that are interested in setting up an SAP test lab and playing about with it.

These trial versions are slightly limited as they don’t offer the ability to update them to the latest build (which is an issue when it comes to security research). They also rely on MaxDB (formerly SAP DB) by default (although I believe one uses IBM DB/2 just for fun). They may be configurable to use external databases (Oracle etc.) but with this you’re on your own! I’m as far from a SAP expert as you could probably find.

I’ve tried to break things down by platform, as one of my aims was to get and install a few different versions for tool testing. These trials are memory hungry, CPU hungry at times, and need a lot of disk space (>42GB for a single VM).

Note: SAP isn’t for the faint of heart, and getting things running 100% is never going to be easy! Don’t say I didn’t warn you 😉

You’ll need to sign-up for a free SAP Community Network (SCN) user account to download most of these files. This will also give you access to the forums.

Linux

SAP NetWeaver 7.0 – Trial Version on Linux –> DOWNLOAD

(N4S) SAP NETWEAVER 7.0 – SAP WEB APPLICATION SERVER ON LINUX (DVD) –> REQUEST DVD

Windows

SAP NetWeaver AS ABAP 7.02 SP6 32-bit Trial –> DOWNLOAD

Step by Step Installation of SAP NetWeaver 7.01 SR1 SP3 ABAP Trial Version in Oracle VirtualBox Part 1/3 –> GUIDE

SAP NETWEAVER 2004S ABAP TRIAL VERSION – TROUBLESHOOTING GUIDE  –> GUIDE

Notes: A few points you might want to check before beginning with the install.

  • RAM
    • I got away with running this on 1.5GB of RAM, but it really needs >2GB to run smoothly
  • SWAP
    • Don’t even bother starting your install without >4GB of swapfile initialized. The installer will only complain about the lack of swap after you’ve configured the whole install… you’ve been warned!
  • Disk Space
    • Lots… I made a VM with a 50GB second disk purely for the MaxDB
  • JRE
    • It might look like things are all working fine with 1.6.x, but I had nothing but issues with the system afterwards or during the install (it crashed my VMware Fusion). Stick to the latest JRE 1.4.x (it worked fine for me).
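An added preflight script (mine, not from the post or from SAP) that turns the four notes above into checks you can run inside the VM before starting the installer: it reads /proc/meminfo, df -kP and java -version, falling back to a constructed meminfo sample when /proc is absent. The thresholds are the post's own numbers (the 42GB disk figure is the one quoted earlier for a single VM); the "more than" comparisons are my reading of them.

```ruby
# Thresholds from the notes above: more than 2GB RAM, more than 4GB swap, more than 42GB
# free disk (the figure quoted earlier for a single VM), and a 1.4.x JRE.
MIN_RAM_KB  = 2 * 1024 * 1024
MIN_SWAP_KB = 4 * 1024 * 1024
MIN_DISK_KB = 42 * 1024 * 1024

# Constructed /proc/meminfo excerpt (1.5GB RAM, 8GB swap), used when /proc is not present.
SAMPLE_MEMINFO = "MemTotal:        1572864 kB\nMemFree:          204800 kB\nSwapTotal:       8388608 kB\n"

# Parse /proc/meminfo text into { "MemTotal" => kB, "SwapTotal" => kB, ... }.
def parse_meminfo(text)
  text.each_line.with_object({}) do |line, h|
    h[$1] = $2.to_i if line =~ /\A(\w+):\s+(\d+)\s*kB/
  end
end

# `java -version` prints e.g. 'java version "1.4.2_19"'; accept only a 1.4.x JRE.
def jre_ok?(version_text)
  m = version_text.match(/version "(\d+)\.(\d+)/)
  !m.nil? && m[1] == "1" && m[2] == "4"
end

# Return the failed checks as messages; an empty list means the VM is ready for the installer.
def preflight(meminfo_text, disk_free_kb, java_version_text)
  mem = parse_meminfo(meminfo_text)
  ram_kb, swap_kb = mem["MemTotal"].to_i, mem["SwapTotal"].to_i
  failures = []
  failures << "RAM: #{ram_kb / 1024} MB, need more than #{MIN_RAM_KB / 1024} MB" if ram_kb <= MIN_RAM_KB
  failures << "swap: #{swap_kb / 1024} MB, need more than #{MIN_SWAP_KB / 1024} MB" if swap_kb <= MIN_SWAP_KB
  failures << "disk: #{disk_free_kb / 1024} MB free, need more than #{MIN_DISK_KB / 1024} MB" if disk_free_kb <= MIN_DISK_KB
  failures << "JRE: expected 1.4.x, got: #{java_version_text.lines.first.to_s.strip}" unless jre_ok?(java_version_text)
  failures
end

if __FILE__ == $PROGRAM_NAME
  meminfo = File.exist?("/proc/meminfo") ? File.read("/proc/meminfo") : SAMPLE_MEMINFO
  df_out  = `df -kP #{ARGV[0] || '/'}`                 # free space of the install disk
  free_kb = df_out.lines.last.to_s.split[3].to_i        # POSIX df: "Available" column
  failures = preflight(meminfo, free_kb, `java -version 2>&1`)
  puts(failures.empty? ? "ready for the SAP trial installer" : failures)
end
```

Pass the mount point of the second disk as the first argument to check the disk meant for MaxDB rather than the root filesystem.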

VMWARE (LINUX SLES)

(CTB) SAP NetWeaver 7.0 – Java Trial Version on Linux – VMware Edition –> DOWNLOAD

Novell Link to CTB SLES images –> DOWNLOAD

GETTING STARTED SAP NETWEAVER 7.0-JAVA-VMWARE-TRIAL –> GUIDE

SAP ON LINUX: TEST DRIVES – TIPS AND TRICKS –> GUIDE

Notes: This VM is meant to be a sealed unit that you access from a second system for management etc. I had issues getting the Visual Administrator to connect, and also getting the config tool running on the local system.

Some guides reference the n4sadm user (these guides are written for the pure Linux version of SAP and not the VM version). You might have more luck using ctbadm where the guide says n4sadm.

Oh and the root password is “sap123”

Licensing

This page seems to be the main hub for what SAP now call “minisap” (originally the TRIAL version).

You’ll need to run some commands on the SAP install and extract the resulting codes to request a key through this link:

http://www.sap.com/minisap/


Metasploit SAP Management Console AUX Modules

It’s been a tough few months, not only with Christmas, New Year and the inevitable travelling that brings, but also dealing with what I can only assume is one of the worst written and conceived programs I’ve ever had to install (more about that in another post though!). I can only guess this is how SAP deters security researchers: by making it a week’s work just to get a single SAP test instance up and working 😉

Anyway, where was I? Oh yeah. Although the basic premise of my research was quick to formulate, I’ve had to invest a lot of time (more than I care to admit) fighting to the death setting up a couple of test SAP servers (SuSE Linux and Windows-based) to fully test what was and wasn’t possible through the SAP Management Console. It’s been an interesting journey!

The auxiliary modules I’m releasing today are based on an information disclosure bug I noticed while conducting some SAP research back in November 2010. During the time it took me to write up and release these modules, the main issue was also discovered and reported by researchers at Onapsis (a company known for its SAP security research). I know it’s not unusual for multiple researchers to find the same issue at the same time, so I guess I’ll just need to be faster next time 😉

I see no ethical issue in releasing the information gathering modules that take advantage of this bug, as quite honestly anybody with an SAP system and tcpdump could find this in a few minutes. I’ve not looked further into the DoS condition mentioned in Onapsis-2011-002, but will add it to the list of things to look at in the next phase of my research.

Although the Onapsis advisory only mentions information disclosure and a single DoS condition, I think there is more gold to be found here, so keep an eye out for further SAP Management Console modules in the future. I’ve already got a few ideas what’s coming next; it’s just a matter of finding the time to implement them in Metasploit.

Auxiliary Modules:

Note: To use these modules with your current Metasploit install, place them into your ~/.msf3/modules folder (retaining the directory structure, e.g. auxiliary/scanner/sap).


You can find more detailed information about the modules and download copies of the .rb files (they are not currently available in the Metasploit SVN) by following the links below, or by viewing them through the Tools/Scripts menu.


Note:

These are my first Metasploit modules, so as a non-Ruby programmer (and non-programmer in general) please excuse the odd bad practice when it comes to coding. Any feedback (good or bad) is always gratefully received!


updated [10.01.11] – Reworded my sleep deprived version for something that actually makes sense!

DeepSEC: Attacking SAP Users Using sapsploit eXtended 1.1

Attacking SAP Users Using sapsploit eXtended 1.1 Alexander Polyakov

Agenda:

  • SAP security in common
  • Attacking SAP users
  • SAP Stuxnet Prototype
  • Mitigations

SAP security in common

SAP security has traditionally been about roles and permissions within the SAP system itself. However, this ignores other issues that could allow attackers to gain access to the SAP system and its data.

The number of published advisories for SAP and the attached database software is growing: 40 vulnerabilities in a single month alone during 2010.

ERP systems have a very complex structure, which is bad for security.

SAP is hugely customizable, so it’s impossible to assign one security model to all instances

Rarely updated because administrators are scared they can break things

This talk will focus on the client-side of SAP insecurity

Attacking SAP Users

Users are less secure

There are possibly thousands of SAP users in a single company (bigger attack surface)

Client software:

  • SAPGUI
  • JAVAGUI
  • WEBGUI
  • NWBC
  • RFC
  • Visualadmin, mobile client

SAPGUI

Is the most commonly used SAP access client

Doesn’t perform any central updates

Rarely patched by the user

Administrators don’t think it should be updated

SAPGUI suffers from 8 of the OWASP-EAS top 10 vulnerabilities

EASFV-1 Buffer Overflow

About 1,000 ActiveX controls in SAPGUI

16 have vulnerabilities

User interaction is needed for exploitation

10-50% successful exploitation rate depending on user awareness

Not all discovered vulnerabilities have been patched (still working with the vendors)

EASFV-2 Insecure Methods

ActiveX controls can:

  • Download and exec executables such as trojans
  • Run any OS command
  • Overwrite config / Denial of Service
  • Steal credentials using SMB Relay attack

EASFV-3 Insecure scripting

Many ActiveX execute different SAP functions using RFC

By misusing the ActiveX records you can fool a user into logging into SAP and downloading tables

GUI scripting is implemented using VBS scripts to repeat manual work on the front-end

Many possibilities for abuse

EASFV-4 File handling vulnerabilities

Not patched yet 😉

EASFV-5 Broken or risky crypto algorithms

Connection is compressed and not encrypted

The traffic can easily be decoded and viewed

The WEBGUI uses base64 to “encrypt” sensitive data

Can be mitigated by using SNC and SSL

EASFV-6 Storage of sensitive information

sapshortcut.ini can store names and passwords (restricted in 7.1, available again in 7.2)

saplogon.ini provides information about SAP servers

Trace Files provide password information

Other files can also hold sensitive information

  • Excel (linked to SAP/Database)
  • VBS scripts – automatic jobs
  • Pivot .oqu files (remote load of InfoCubes)

EASFV-9 Remote vulnerabilities

SAPLPD vulnerable to exploitation

Multiple buffer overflows (BOF)

Attackers exploiting these issues can gain full control over the SAP server

DLL Hijacking

Many SAP systems are also vulnerable.

Waiting for a better solution from SAP

Implementation failures

Configuration files stored in shared locations for ease of deployment… and ease of attack!

Attackers can download and extract info, or overwrite and exploit users

Overwrite distributed DLL files to backdoor client installs

WEBGUI

Many SAP systems install web interfaces

Typical vulnerabilities exist

  • XSS
  • Phishing

Can you create a Stuxnet for SAP?

All the required faults and exploits already exist.

Client-side exploitation

Server-side exploitation

Trojan backdoor of clients

Default passwords

Mitigations

Perform vulnerability scans to check exposure

ERPScan online (http://erpscan.com/)

  • Free Online scanner using ActiveX calls
  • Doesn’t install 3rd-party add-ons or software
  • Checks not only system issues, but also user issues
  • Uses database of version information to check vulnerabilities
  • Partially question and answer based
  • Provides awareness and links to improve security
