Real SAP Backdoors

Transcription

Real SAP Backdoors

Andreas Wiegenstein
TITEL
bearbeiten
Dr. Markus Schumacher
Real SAP Backdoors
- 23rd,
Heidelberg text styles
Troopers12,
ClickMarch
to19th
edit
Master
 Second level
 Third level
 Fourth level
 Fifth level
©
© 2012
2011 Virtual
2012
Virtual Forge
Forge GmbH
GmbH || www.virtualforge.com
www.virtualforge.com || All
All rights
rights reserved.
reserved.
TITEL
My
car,bearbeiten
my house, my boat, …
Andreas Wiegenstein
 Click to edit Master text styles

Founder of Virtual Forge (Heidelberg), responsible for Research &

Development
 Third level
SAP Security Researcher, active since 2003
 Fourth level
 Second level
 Received Credits from SAP for more than 20 reported 0-day Vulnerabilities

 Fifth level
Frequent Speaker at international Conferences
 SAP TechEd 2004 (USA & Europa) / 2005 (USA) / 2006 (USA), DSAG
2009
 BlackHat 2011 (Europe), Hack in the Box 2011 (Europe)
 Troopers 2011, RSA 2012 (USA)

Co-Author of „Sichere ABAP Programmierung" (SAP Press)

Training Class WDESA3 @ SAP University
©
© 2012
2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.
http://tinyurl.com/0daycredit
TITEL bearbeiten
 Second level
 Third level
 Fourth level
 Fifth level
©
© 2012
CONTENTS
TITEL bearbeiten
1.
isedit
a Backdoor?
 What
Click to
Master text styles
 Second level
2. SAP Technology
/ Security Basics
Third level
 Fourth level
3. SAP Backdoors
 Fifth level
4. How do you prevent Backdoors?
5. Summary
©
© 2012
TITEL bearbeiten
What
a backdoor?
 Click is
to edit
Master text styles
 Second level
 Third level
 Fourth level
 Fifth level
©
© 2012
TITEL Search
Some
bearbeiten
Engine Results…
NOT
 Second level
 Third level
 Fourth level
 Fifth level
This is
The topic
Of this talk.
No way.
©
© 2012
TITELSearch
More
bearbeiten
Engine Results…
 Second level
NOT
 Third level
 Fourth level
 Fifth level
Also
The topic
Of this talk.
©
© 2012
TITELresearch
Own
bearbeiten
 Second level
 Third level
 Fourth level
 Fifth level
©
© 2012
TITEL bearbeiten
Wikipedia
on Backdoors
 Click
“A
backdoor
to edit
in Master
a computer
text styles
system [...] is a method of
 Second
level authentication, securing remote
bypassing
normal
 Third level
access to a computer, obtaining access to plaintext,
 Fourth level
and so on, while
attempting
to remain undetected.”
 Fifth
level
(March 2012)
©
© 2012
TITEL bearbeiten
Definition
of a Backdoor in Software
 Click
“A
backdoor
to edit
in Master
software
text
is astyles
hidden feature that was
 Second
level
designed
to bypass
a security mechanism.”
 Third level
(Troopers, March
2012)level
 Fourth
 Fifth level
Characteristics:
1. Covertness
2. Bypass
3. Intent
©
© 2012
TITEL bearbeiten
SAP
/ Security
Basics
 ClickTechnology
to edit Master text
styles
 Second level
 Third level
 Fourth level
 Fifth level
©
© 2012
TITEL bearbeiten
ABAP
 Click to edit
Advanced
Business
MasterApplication
text styles Programming
 Second level

Proprietary
exact specification not (freely) available
 Thirdlanguage,
level

Platform-independent
code
 Fourth level

Built-in transport
system
and version control
 Fifth
level

Various programming paradigms:
 Programs & Forms, Reports, Function Modules, Dynpros
 Classes & Methods, Business Server Pages, Web Dynpro ABAP

Integrated platform-independent SQL Standard: Open SQL

Built-in authentication, roles and authorization model

ABAP runs with very high Privileges

ABAP uses an explicit Authorization Model
©
© 2012
TITEL bearbeiten
Remote
Function Call (RFC)
Client or SAP Server
SAP Server
 Second level
 Third level
 Fourth level
 Fifth level
 S_RFC authorization required to call Function Modules remotely
 > 33.000 RFC-enabled Function Modules on ECC 6.0
RFC authorizations are complex to maintain
©
© 2012
TITEL bearbeiten
ABAP
Reports
 Second level
 Third level
 Fourth level
 Fifth level
 Reports can only be executed locally via restricted transactions
 ~ 220.000 ABAP reports on ECC 6.0 in the SAP standard
 ABAP command SUBMIT executes reports and checks authorizations
 Authorization is checked only if Authorization Group is maintained
©
© 2012
TITEL bearbeiten
SAP
 ClickBackdoors
to edit Master text styles
 Second level
 Third level
 Fourth level
 Fifth level
©
© 2012
TITEL#1
Case
bearbeiten
– OS Commands
Controlled Operating System (OS) Command Execution
ABAP
Call
 OS
Second
'LIST' 
SM49 / SM69
level
Command
LIST
Third level
PING
X_PYTHON
 Fourth level
Program
OS Command
ls
'ls'
ping
x_python
OS
© 2010 Virtual Forge GmbH. All rights reserved.
 Fifth level
 OS Commands must be pre-defined by Admin (white list)
 OS Commands must be executed through special API
(SXPG_CALL_SYSTEM / SXPG_COMMAND_EXECUTE)
 Execution requires special authorization (S_LOG_COM)
©
© 2012
TITEL#1
Case
bearbeiten
– Code (1)
FUNCTION oiuh_submit_unix_call.
*"-------------------------------------------------------------------Click to edit Master text styles
*"*"Local
interface
 Second
level(simplified excerpt):
*"
IMPORTING
 Third level
*"
VALUE(SCRIPT_NAME) LIKE
*"
VALUE(LOGICAL_PATH) LIKE
*"
 Fourth level
TABLES
RESULTS STRUCTURE
*"
SCRIPT_DATA STRUCTURE
*"
FILENAME-FILEINTERN
 Fifth level
*"
*"
RLGRAP-FILENAME
OIUH_SYS_CONSOLE
OIUH_SYS_CONSOLE
EXCEPTIONS
CALL_FAILURE
*"--------------------------------------------------------------------
©
© 2012
TITEL#1
Case
bearbeiten
– Code (2)
DELETE DATASET script_name.
OPEN DATASET script_name FOR OUTPUT IN TEXT MODE ENCODING DEFAULT.
LOOP AT script_data.
 Second level
TRANSFER script_data TO script_name.
ENDLOOP.
 Third level
CLOSE DATASET script_name.
Fourth level
 Fifth level
* CHANGE THE FILE MODE TO EXECUTE.
CONCATENATE 'chmod 777' script_name INTO unix_command SEPARATED BY space.
...
CALL 'SYSTEM' ID 'COMMAND' FIELD unix_command
ID 'TAB'
FIELD results-*sys*.
...
* Execute the actual command
CALL 'SYSTEM' ID 'COMMAND' FIELD script_name
ID 'TAB'
FIELD results-*sys*.
©
© 2012
TITEL#1
Case
bearbeiten
– Backdoor (?)
 Click toModule
Function
edit Master
oiuh_submit_unix_call
text styles
is
 Second
level
designed
to execute
arbitrary OS commands,
 Third level
bypassing the white list defined in SM49/69.
 Fourth level
 Fifth level
Characteristics:
1. Covertness
2. Bypass
3. Intent
©
© 2012
TITEL#1
Case
bearbeiten
– Side Notes
 Click toModule
Function
edit Master
oiuh_submit_unix_call2
text styles
is an exact
 of
Second
level
copy
oiuh_submit_unix_call.
 Third level
Both Function Modules also contain a Directory Traversal
 Fourth level
vulnerability.
 Fifth level
VF Advisories: SAP-BACK-01 and SAP-BACK-02
SAP Notes: 1560360 and 1558010
SAP CVSS Base Score: 6.0
SAP CVSS Base Vector: AV:N/AC:M/AU:S/C:P/I:P/A:P
©
© 2012
TITEL#2
Case
bearbeiten
– ABAP Development
System Separation
 Second level
 Third level
 Fourth level
Transport
Transport
 Fifth level
DEV
TEST
PROD
© 2010 Virtual Forge GmbH. All rights reserved.
Development process is well defined : DEV, TEST, PROD
 All ABAP code is tested before productive use
 No development possible on productive system
©
© 2012
TITEL#2
Case
bearbeiten
– Code (1)
FUNCTION rs_functionmodule_insert.
*"*"Local
Interface
 Second
*"
IMPORTING
 Third level
*"
VALUE(FUNCNAME) LIKE
*"
VALUE(FUNCTION_POOL) LIKE
*"
 Fifth level
VALUE(REMOTE_CALL)
LIKE
*"
VALUE(SHORT_TEXT) LIKE
*"
VALUE(SUPPRESS_CORR_CHECK) LIKE
*"
VALUE(SUPPRESS_LANGUAGE_CHECK) LIKE
*"
VALUE(AUTHORITY_CHECK) LIKE
*"
VALUE(SAVE_ACTIVE) LIKE
*"
*"
 Fourth level
RS38L-NAME
RS38L-AREA
RS38L-REMOTE DEFAULT SPACE
TFTIT-STEXT
RS38L-EXTERN DEFAULT 'X'
RS38L-HEAD DEFAULT 'X'
TABLES
SOURCE STRUCTURE
RSSOURCE OPTIONAL
©
© 2012
TITEL#2
Case
bearbeiten
– Code (2)
...
CALLClick
FUNCTION 'RS_ACCESS_PERMISSION'
EXPORTING
 Second
level
authority_check
 Third level
...
= authority_check
 Fourth level
IF sy-subrc = 0.
 Fifth level
...
l_source = source[].
LOOP AT l_source INTO l_line.
INSERT l_line INTO code INDEX tabix.
tabix = tabix + 1.
ENDLOOP.
INSERT REPORT rs38l-include FROM code.
ENDIF.
©
© 2012
TITEL#2
Case
bearbeiten
– Code (3)
FUNCTION rs_access_permission.
*"---------------------------------------------------------------------Click to edit Master text styles
*"*"Lokale
Schnittstelle
(simplified excerpt):
 Second
level
*"
*"
...
IMPORTING
 Third level
VALUE(AUTHORITY_CHECK) DEFAULT 'X‘
 Fourth level
 Fifth level
l_authority_check = authority_check.
©
© 2012
TITEL#2
Case
bearbeiten
– Code (4)
...
CASEClick
mode.
WHEN
'MODIFY'.level
 Second
IF l_authority_check NE ' '.
 Third level
PERFORM accp_authority
 Fourth
level
USING
 Fifth level
modus
object
object_class
auth_object
s_develop
CHANGING
trdir_inf.
ENDIF.
©
© 2012
TITEL#2
Case
bearbeiten
– Backdoor (?)
 Click toModule
Function
edit Master
rs_functionmodule_insert
text styles
is
 Second
level
designed
to create
arbitrary remote-executable ABAP
 Third level
Code, bypassing the TEST System.
 Fourth level
 Fifth level
Characteristics:
1. Covertness
2. Bypass
3. Intent
©
© 2012
TITEL#2
Case
bearbeiten
– Side Notes
 Click
VF
Advisory:
to editSAP-BACK-03
Master text styles
 Second level
SAP Note:
1589919
 Third
level
 Fourth
level
CVSS Base
Score:
3.5
 Fifth level
CVSS Base Vector: AV:N/AC:M/AU:S/C:N/I:P/A:N
©
© 2012
TITEL#3
Case
bearbeiten
– Code (1)
FUNCTION RKC_FUNCTION_INTERFACE_GEN.
*"Lokale
Schnittstelle
 Second
level (simplified excerpt):
*"
*"
*"
*"
*"
*"
EXPORTING
 Third level
REPID LIKE SY-REPID
 Fourth level
TABLES
 FifthSTRUCTURE
level
REP_TAB
RFCLINE
EXCEPTIONS
NOT_INSERTED
*"--------------------------------------------------------------------
©
© 2012
TITEL#3
Case
bearbeiten
– Code (2)
DATA: BEGIN OF REP OCCURS 20.
 ClickINCLUDE
to edit
Master text styles
STRUCTURE ABAPTEXT.
DATA: END
OF REP.
Second
level
 Third level
REFRESH REP.
 Fourth level
LOOP AT REP_TAB.
REP = REP_TAB.
 Fifth level
APPEND REP.
ENDLOOP.
REPID = 'RKCINTER'.
INSERT REPORT REPID FROM REP.
IF SY-SUBRC <> 0.
RAISE NOT_INSERTED.
ENDIF.
ENDFUNCTION.
©
© 2012
TITEL#3
Case
bearbeiten
– Intermission
 Click
Now
weto
can
edit
create
Master
a report
text styles
with arbitrary content.
Second
level
But(how)
can
we execute it (remotely) ?
 Third level
 Fourth level
 Fifth level
M?
©
© 2012
TITEL#3
Case
bearbeiten
– Code (3)
FUNCTION HR99B_PARALLEL_REPORT_RUN.
*"*"Local
Interface
 Second
*"
*"
*"
*"
*"
*"
IMPORTING
 Third level
VALUE(REPID) TYPE
TABLES
TRDIR-NAME
 Fourth level
 Fifth level
VALUTAB STRUCTURE
RSPARAMS
CHANGING
VALUE(CV_TASK_NAME) TYPE
HR99B_TASK_NAME OPTIONAL
*"--------------------------------------------------------------------
SUBMIT (REPID) WITH SELECTION-TABLE VALUTAB AND RETURN. "#EC CI_SUBMIT
ENDFUNCTION.
©
© 2012
TITEL#3
Case
bearbeiten
– Backdoor (?)
Function
RKC_FUNCTION_INTERFACE_GEN
 Click toModule
edit Master
text styles
is designed
create a Report that contains arbitrary
 Second to
level
 Third level
ABAP Code,
bypassing the TEST System.
 Fourth level
Function Module HR99B_PARALLEL_REPORT_RUN is
 Fifth level
designed to execute reports remotely.
Characteristics:
1. Covertness
2. Bypass
3. Intent
©
© 2012
TITEL#3
Case
bearbeiten
– Side Notes
 Click
VF
Advisory:
to editSAP-BACK-06
Master text styles
 Second level
SAP Note:
1592312
 Third level
 Fourth
level
CVSS Base
Score:
3.5
 Fifth level
CVSS Base Vector:
AV:N/AC:M/Au:S/C:N/I:P/A:N
VF Advisory: SAP-BACK-04
SAP Note: 1558284
CVSS Base Score: 8.2
CVSS Base Vector: AV:N/AC:M/AU:S/C:C/I:C/A:P
©
© 2012
TITEL#4
Case
bearbeiten
– SAP Transaction RSRV
 Second level
 Third level
 Fourth level
 Fifth level
Characteristics:
1. Covertness
2. Bypass
3. Intent
©
© 2012
TITEL#5
Case
bearbeiten
– The Three Developers
Security
of Master
a BSP (Web)
of an SAP customer
 ClickAudits
to edit
text Application
styles
OneofSecond
the pages
appeared to be blank
level
 Third
level the page checked for the usernames of three
In the source
code,
 Fourth level
external developers…
 Fifth level
…and would allow them to read data from a table of their choice in
the SAP database
 Financial data
 Production data
 HR data …
©
© 2012
TITEL#5
Case
bearbeiten
– Backdoor (!)
Generic
reader
in BSP
page.
 Clicktable
to edit
Master
text
styles
 Second level
Characteristics:
 Third level
1.
Covertness
 Fourth level
2.
Bypass
3.
Intent
 Fifth level
A nice backdoor and 100% remote accessible
©
© 2012
TITEL bearbeiten
How
youMaster
prevent
Backdoors?
 Clickdo
to edit
text styles
 Second level
 Third level
 Fourth level
 Fifth level
©
© 2012
TITEL bearbeiten
Anti-Backdoor
Recommendations (1)
 Perform
all code
Click topeer
editreviews
Masteroftext
styles
 The
backdoor
can be everywhere
Second
level
 for
Third
level
 Check
proprietary
authorization logic / unusual options
Fourth level
 Check for (unexpected)
modifications to the database
 Fifth level
 Check for generic database access
 Prohibit certain coding practices by strict guidelines but don‘t
rely on them
©
© 2012
TITEL bearbeiten
Anti-Backdoor
Recommendations
 Use
codeMaster
analysistext
to detect
suspicious code
Clickstatic
to edit
styles
 Check
for command
execution based on input
 Second
level
 Third level
 ABAP
 Fourth
 Operating
systemlevel
 Fifth level
 Expect stealth techniques
 Dynamic ABAP
 Hidden OK Codes
 #EC suppression
 …
©
© 2012
TITEL bearbeiten
Summary
 Second level
 Third level
 Fourth level
 Fifth level
©
© 2012
TITELBackdoor
SAP
bearbeiten
Summary
 ABAP
canMaster
have backdoors
Click code
to edit
text styles
 Backdoors
difficult to spot
 Secondare
level
 Thirdtolevel
 Designed
be covert
level
 „Needle inFourth
the haystack“
 Fifth level
 Check the background of your (external) developers
 Perform code audits before productive use
 Perform static code analysis as additional line of defense
©
© 2012
ABAP
Security Resources
TITEL bearbeiten
SAP Security Advisories researched by Virtual Forge
Links
http://www.codeprofilers.com/index.php/advisories.html
 Second level
Organizations
 Third level
BIZEC – Business Security Initiative
http://www.bizec.org
 Fourth level
 Fifth level
Literature
Sichere ABAP-Programmierung
(SAP PRESS, 372 S., 2009)
Andreas Wiegenstein, Markus Schumacher,
Sebastian Schinzel, Frederik Weidemann
©
© 2012
TITEL bearbeiten
Questions?
 Second level
McFly:
 Third level
 Fourth level
“Listen, you got a backdoor to this place?“
 Fifth level
Bartender:
“Yeah, it's in the back.”
(Back to the Future III, 1990)
©
© 2012
TITEL bearbeiten
Contact Information
 Second level
 Third level
VIRTUALFORGE GmbH
 Fourth level
[email protected]
 Fifth level
Speyerer Straße 6
69115 Heidelberg
Deutschland
Telefon: + 49 (0) 6221 86 89 0 - 0
Fax:
+ 49 (0) 6221 86 89 0 - 101
©
© 2012
TITEL bearbeiten
Disclaimer
SAP, R/3, ABAP, SAP GUI, SAP NetWeaver and other SAP products and services mentioned herein as well as
their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
All other product and service names mentioned are the trademarks of their respective companies. Data contained
in this document serves informational purposes only.
 Second level
Third
level
The authors 
assume
no responsibility
for errors or omissions in this document. The authors do not warrant the
accuracy or completeness of the information, text, graphics, links, or other items contained within this material.
 Fourth
This document is provided
withoutlevel
a warranty of any kind, either express or implied, including but not limited to the
implied warranties of merchantability, fitness for a particular purpose, or non-infringement.
 Fifth level
The authors shall have no liability for damages of any kind including without limitation direct, special, indirect, or
consequential damages that may result from the use of this document. Hippies are not supposed to read this. No
exceptions.
No part of this document may be reproduced without the prior written permission of Virtual Forge GmbH.
© 2012 Virtual Forge GmbH.
©
© 2012

Real SAP Backdoors

Transcription

Similar documents

inurl sap

the Scanned PDF - Mineralogical Society of America

OWASP AppSec Germany 2009: Sichere Entwicklung und gängige