sap security, sap pentest, sap pentesting, sap pt, sap security assessment, sap vulnerability assessment, sap

insecurity, sap vulnerabilities, sap vulnerability, sap defense, hardening sap, sap hardening, protecting sap

SAP Penetration Testing

& Defense In-Depth
Mariano Nuñez Di Croce
mnunez@cybsec.com

October 2-3, 2008

Ekoparty, Buenos Aires - Argentina

© Copyright 2008 CYBSEC. All rights reserved.

reserved.
 © 2008

Who is CYBSEC ?

Provides Information Security services since 1996.

More than 300 customers, located in LatinAmerica, USA and Europe.

Wide range of services: Strategic Management, Operation Management,
Control Management, Incident Management, PCI Services, SAP Security.

SAP & CYBSEC

Member of the SAP Global Security Alliance (GSA).

Has been working with SAP (Walldorf) since 2005.

Provides specific SAP security services (Penetration Testing, Secure
Architecture Design, Secure Configuration, …)

2
 © 2008

Who am I?

Senior Security Researcher at CYBSEC.

Devoted to Penetration Testing and Vulnerability Research.

Discovered vulnerabilities in Microsoft, Oracle, SAP, Watchfire, …

Speaker/Trainer at Blackhat, Sec-T, Hack.lu, DeepSec, Ekoparty, CIBSI, …

SAP & Me

Started researching in 2005.

SAP Pentesting projects (customers).

Discovered more than 40 vulnerabilities in SAP software.

Published “Attacking the Giants: Exploiting SAP Internals”.

Developed sapyto, the first SAP Penetration Testing Framework.

CYBSEC’s “SAP (In)Security ” Training instructor.
3
 Agenda
© 2008

Agenda

Introduction to the SAP World

Why SAP Penetration Testing?

PenTest Setup

SAP PenTesting

Discovery Phase

Exploration Phase

Vulnerability Assessment Phase

Exploitation Phase

Case Study: SAProuter Security Assessment

Conclusions

4
 © 2008

Introduction to
the SAP World
Basic concepts for deep knowledge

5
 Introduction to the SAP World
© 2008

So…
So… what is SAP?
SAP (Systems, Applications and Products in Data Processing) is a
german company devoted to the development of business solutions.

More than 41.600 customers in more than 120 countries.

More than 121.000 SAP implementations around the globe.

Third biggest independent software vendor (ISV).

Provides different solutions:

CRM, ERP, PLM, SCM, SRM, GRC, Business One, …

The ERP solution is composed of different functional modules (FI, CO,

SD, HR, MM, etc) that implements organization business processes.

Modules are linked together, integrated by the Netweaver platform.

SAP runs on multiple Operating Systems and Databases. 6
 Introduction to the SAP World
© 2008

SAP Basic Concepts

Instance & System

An instance is an administrative entity which groups related
components of an SAP system, providing one or more services.

Systems are identified by SAP System ID (SID).

System (instance) parametrization is done in Profiles.

7
 Introduction to the SAP World
© 2008

SAP Basic Concepts

Client

Legally and organizationally independent unit in an SAP system
(company group, business unit, corporation).

Identified by a three-digit number.

Default clients: 000, 001 and 066.

Transaction

Related secuence of steps (dialog steps) aimed to perform an
operation in the SAP database.

Identified by a transaction code (ej: SU01, SE16, FK01, PA20,…)

8
 Introduction to the SAP World
© 2008

SAP Basic Concepts

ABAP

ABAP is the SAP high-level programming language used to
develop business applications.

Reports / Programs

ABAP programs that receive user input and produce a report in
the form of an interactive list.

Function Modules

Independent ABAP modules. Can be called locally or remotely.

The RFC (Remote Function Call) Interface

Used to call function modules on remote systems. 9
 Introduction to the SAP World
© 2008

SAP Basic Concepts

The Authorization Concept (Simplified)

Users are asigned roles/profiles.

Each profile contains a set of Authorization objects.

When a user tries to perform an activity, the required authorization
objects are checked against user’s authorization objects (user buffer).

Controlled Activities:

Starting Transactions (S_TCODE)

Accessing Tables (S_TABU_DIS)

Starting Programs (S_PROGRAM)

Calling RFC Function Modules (S_RFC)

Authorization checks can also be done programatically, through the
AUTHORITY_CHECK clause.
10
 Introduction to the SAP World
© 2008

Some “Low-
Low-level”
level” Knowledge

SAP_ALL profile = SAP God.

Many other profiles may enable a user become a god too.

Each SAP System uses its own Database.

SAP processes run under the <sid>adm or SAPService<SID> user
accounts.

Connections to the Database are done with the same UID. No
authorization at this level…

Direct access to the Database means full SAP compromise!

Connections between systems often based on Trust Relationships
(r* services).

Many customer’s interfaces are implemented through FTP (cleartext,
usually weak passwords).
11
 © 2008

Why SAP
Penetration Testing?
Or why You and your CFO should care

12
 Why SAP Penetration Testing? © 2008

Why do you Need an SAP Penetration Test?

The new SAP system
must be running on
October 3rd, no excuses.

13
 Why SAP Penetration Testing? © 2008

Why do you Need an SAP Penetration Test?

The new SAP system
But we haven’t secured the
must be running on
systems yet…you know,
October 3rd, no excuses.
there is something called
“Security”

14
 Why SAP Penetration Testing? © 2008

Why do you Need an SAP Penetration Test?

The new SAP system
But we haven’t secured the
must be running on
systems yet…you know,
October 3rd, no excuses.
there is something called
“Security”
Security? Hmm…is it French?
I don’t care…
Business *must* go on!

15
 Why SAP Penetration Testing? © 2008

Why do you Need an SAP Penetration Test?

The new SAP system
But we haven’t secured the
must be running on
systems yet…you know,
October 3rd, no excuses.
there is something called
“Security”
Security? Hmm…is it French?
But we should take care of I don’t care…
User authorizations to Business *must* go on!
prevent frauds!

16
 Why SAP Penetration Testing? © 2008

Why do you Need an SAP Penetration Test?

The new SAP system
But we haven’t secured the
must be running on
systems yet…you know,
October 3rd, no excuses.
there is something called
“Security”
Security? Hmm…is it French?
But we should take care of I don’t care…
User authorizations to Business *must* go on!
prevent frauds!
Just give everyone full access
(SAP_ALL) for three months,
then we’ll lock it down

17
 Why SAP Penetration Testing? © 2008

Why do you Need an SAP Penetration Test?

The new SAP system
But we haven’t secured the
must be running on
systems yet…you know,
October 3rd, no excuses.
there is something called
“Security”
Security? Hmm…is it French?
But we should take care of I don’t care…
User authorizations to Business *must* go on!
prevent frauds!
Just give everyone full access
OK… (SAP_ALL) for three months,
then we’ll lock it down

18
 Why SAP Penetration Testing? © 2008

Why do you Need an SAP Penetration Test?

The new SAP system
But we haven’t secured the
must be running on
systems yet…you know,
October 3rd, no excuses.
there is something called
“Security”
Security? Hmm…is it French?
But we should take care of I don’t care…
User authorizations to Business *must* go on!
prevent frauds!
Just give everyone full access
@#-*!#&$%!!
OK… (SAP_ALL) for three months,
then we’ll lock it down

19
 Why SAP Penetration Testing?
© 2008

Why do you Need an SAP Penetration Test? (cont.)

CFO’
CFO’s Mistake:
Mistake:

Alert

Weak SAP Security configuration can

definitely result in Business Frauds!

Security guy’
guy’s Mistake:
Mistake:

Alert

SAP Security is much (*much*) more

than User roles and authorizations!
20
 Why SAP Penetration Testing?
© 2008

Why do you Need an SAP Penetration Test? (Wrap up)

Security configurations of SAP systems are usually left by default.

By default, many configurations are not secure.

Conclusion: Many SAP implementations are not secure!

Is yours secure? A Penetration Test to these systems will help you

know how your SAP implementation can be attacked and which is the
real impact of this.

It will help you discover the weaknesses, secure them, and increase
the security level of your systems (a.k.a decrease fraud risk).

In this talk, we’ll see some of the activities that make up the different
phases of an SAP Penetration Testing (no way of covering them all). 21
 © 2008

PenTest Setup
Before we begin …

22
 PenTest Setup
© 2008

Preparation

What do you need? The Shopping List

sapyto
SMB client & security tools

nmap
BurpSuite / w3af

r* tools (rsh, rlogin, rexec)
Nessus

SQL client tools
john (patched)

NFS client tools
hydra

Try to get as much information as possible about target platforms,

usage and policies before starting the assessment.

Remember that everthing that breaks while you are pentesting *will*
be your fault (even if someone breaks his leg).

23
 sapyto © 2008

sapyto

First SAP Penetration Testing Framework.

Support for activities in all phases of the pentest.

Open-source (and free).

Plugin based.

Developed in Python and C.

Version 0.93 released at Blackhat Europe 07.

24
 sapyto © 2008

Available Plugins in sapyto v0.93

Audit:
Attack:

RFC Ping.
RFC_START_PROGRAM Dir Traversal.

Registration of External Servers.
Run commands through RFCEXEC.

Detection of RFCEXEC.
Run commands through SAPXPG.

Detection of SAPXPG.
StickShell.

Get system information.
Evil Twin Attack.

Get server documentation.
Get remote RFCShell.

Tools:

RFC Password Obfuscator / De-obfuscator.

25
 sapyto © 2008

Hot News!
News! sapyto v0.98

Core and architecture fully re-built.

Based on connectors.

The SAPRFC* connectors and the RFCSDK.

Plugins are now categorized in Discovery, Audit and Exploit.

Discovery plugins find new targets.

Audit plugins carry out the vulnerability assessments.

Exploit plugins are used as proof of concepts for discovered vulns.

sapytoAgents deployment.

New plugins for auditing SAProuters, find clients, bruteforcing, …

26
 © 2008

Discovery Phase
Finding SAP targets

27
 Discovery Phase
© 2008

Discovering SAP Systems and Applications (Targets)

Available Options:

Traffic sniffing.

SAP portscanning.

Checking SAPGUI configurations.

SAP Systems use a “fixed” range of ports.

Most ports follows the PREFIX + SYS. NUMBER format.

Common ports: 32XX, 33XX, 36XX, 39XX, 3299, 81XX, …

Nmap: Watch Timings (-T3) and don’t use version detection.

New sapyto will provide automatic discovery of SAP systems and

configuration of targets/connectors for auditing! 28
 © 2008

Exploration Phase
Getting as much information as possible

29
 Exploration Phase
© 2008

Getting Information from SAP Application Servers

The RFC_SYSTEM_INFO function module returns information about
remote SAP Application Servers (implemented in sapyto’s sapinfo plugin)

Can be called remotely (and anonymously) by default. [5]
sapinfo(target#0) {
Remote System Information:
RFC Log Version: 011
Release Status of SAP System: 700
Kernel Release: 700
Operating System: Linux
Database Host: sapl01
Central Database System: ORACLE
Integer Format: Little Endian
Dayligth Saving Time:
Float Type Format: IEEE
Hostame: sapl01
IP Address: 192.168.3.4
System ID: TL1
RFC Destination: sapl01_TL1_00
Timezone: -18000 (diff from UTC in seconds)
Character Set: 4103
30
Machine ID: 390
 Exploration Phase
© 2008

Getting Information from SAP Application Servers

The RFC_SYSTEM_INFO function module returns information about
remote SAP Application Servers (implemented in sapyto’s sapinfo plugin)

Can be called remotely (and anonymously) by default. [5]
sapinfo(target#0) {
Remote System Information:
Protection / RFC
Countermeasure
Log Version: 011
Release Status of SAP System: 700
Kernel Release: 700

Restrict connections
Operatingto the SAP Gateway
System: Linux at the network level.
Database refer

For more information, Host: sapl01
to SAP Note 931252.
Central Database System: ORACLE
Integer Format: Little Endian
Dayligth Saving Time:
Float Type Format: IEEE
Hostame: sapl01
IP Address: 192.168.3.4
System ID: TL1
RFC Destination: sapl01_TL1_00
Timezone: -18000 (diff from UTC in seconds)
Character Set: 4103
31
Machine ID: 390
 Exploration Phase
© 2008

Finding Available Clients

Users are client-dependent.

Default clients: 000, 001, 066.

getClients(target#0) {
Client 000 is available.
Client 001 is available.
Client 066 is available.
Client 101 is available.
Client 200 is available.
} res: Ok 32
 Exploration Phase
© 2008

Analyzing Shared Resources

The Common Transport Directory (CTD) is the directory where
changes (transports) are exported to and imported from in an SAP
landscape.

This directory must be shared for all systems in the landscape.

It is often the case, where the kernel files and profiles are shared to
dialog instances.

$ showmount –e sapserver

/export/usr/sap/trans (everyone)
/export/sapmnt/NP1 (everyone)
/export/informix/NP1 (everyone)
/export/interfacesNP1 (everyone)
/export/interfsrcNP1 (everyone)

33
 Exploration Phase
© 2008

Analyzing Shared Resources

The Common Transport Directory (CTD) is the directory where
changes (transports) are exported to and imported from in an SAP
landscape.

This directory must be shared for all systems in the landscape.

It is often the case, where the kernel files and profiles are shared to
Protection / Countermeasure
dialog instances.
Shared resource access should be restricted to SAP
$ showmount –e sapserver
related systems and users only.
/export/usr/sap/trans (everyone)
/export/sapmnt/NP1 (everyone)
/export/informix/NP1 (everyone)
/export/interfacesNP1 (everyone)
/export/interfsrcNP1 (everyone)

34
 © 2008

Vulnerability
Assesment Phase
Analyzing the discovered components

35
 Vulnerability Assessment Phase
© 2008

SAP Default Users

There is public information regarding the existence of default SAP
user accounts.

Many of these accounts are configured with high privileged profiles.

User ID Description Clients Password

SAP* Super user 000,001, 066 06071992
new clients PASS
DDIC ABAP Dictionary super 000,001 19920706
user

EARLYWATCH User for the 066 SUPPORT

EarlyWatch Service

SAPCPIC Communication User 000, 001 ADMIN

36
 Vulnerability Assessment Phase
© 2008

SAP Default Users

There is public information regarding the existence of default SAP
user accounts.

Many of these accounts are configured with high privileged profiles.

User ID Description Clients Password

Protection / Countermeasure
SAP* Super user 000,001, 066 06071992

Default users must be secured. new clients PASS
DDIC
SAP*ABAP
shouldDictionary super
be deactivated. 000,001 19920706
user RSUSR003 to check the status of default users.

Use report

EARLYWATCH User for the 066 SUPPORT

EarlyWatch Service

SAPCPIC Communication User 000, 001 ADMIN

37
 Vulnerability Assessment Phase
© 2008

SAP User Account Bruteforcing

Usernames are up to 12 characters long.

As part of the PenTest, you can try guessing/cracking user credentials.

Old Passwords (≤ 6.40) New Passwords (> 6.40)

Max. Length 8 40

Case Insensitive Sensitive

WARNING! User locking is implemented! (usually, between 3-12 tries)

Ops! In versions ≤ 6.20, lock counter is not incremented through RFC.

sapyto’s bruteLogin plugin can work in different modes:

Try default users only and SAP*:PASS in detected clients.

Specific credentials wordlist.

Username and Password wordlists. 38
 Vulnerability Assessment Phase
© 2008

Getting Credentials from the Wire – RFC Sniffing

RFC (Remote Function Call) is the most widely used interface in the
SAP world.

In order for a system to connect through RFC, it must provide login
information for the remote system.

RFC is clear-text, but you won’t be able to see the password in the
wire…

Password is obfuscated! -> Use sapyto’s getPassword plugin
...
01a0 00 00 00 00 00 00 06 05 14 00 10 5f 22 ea 45 5e ..........._".E^
01b0 22 c5 10 e1 00 00 00 c0 a8 02 8b 05 14 01 30 00 ".............0.
01c0 0a 72 66 63 5f 73 65 72 76 65 72 01 30 01 11 00 .rfc_server.0...
01d0 06 42 43 55 53 45 52 01 11 01 17 00 0b 81 bb 89 .BCUSER.........
for CHAR in CLEAR_TEXT_PASS:
01e0 62 fc b5 3e 70 07 6e 79 01 17 01 14 00 03 30 30 b..?w.oy......00
01f0 30 01 14 01 15 00 01 45 01 15 05 01 00 01 01 05 0......E........
0200 01 05 02 00 00 05 02 00 0b 00 03 36 34 30 00 0b ...........640.. OBFUSCATED_PASS[i] = CHAR XOR KEY[i]
0210 01 02 00 0e 5a 43 55 53 54 5f 47 45 54 4d 4f 4e ....ZCUST_GETMON
0220 45 59 01 02 05 14 00 10 5f 22 ea 45 5e 22 c5 10 EY......_".E^"..
0230 e1 00 00 00 c0 a8 02 8b 05 14 02 01 00 09 43 4c ..............CL
0240 49 45 4e 54 5f 49 44 02 01 02 03 00 08 43 55 53 IENT_ID......CUS
0250 54 30 30 31 00 02 03 ff ff 00 00 ff ff 00 00 01 T001............
0260 c7 00 00 3e 80 ...>. 39
 Vulnerability Assessment Phase
© 2008

Getting Credentials from the Wire – RFC Sniffing

RFC (Remote Function Call) is the most widely used interface in the
SAP world.

In order for a system to connect through RFC, it must provide login
information for the remote system.

RFC is clear-text, but you won’t be able to see the password in the
Protection / Countermeasure
wire…

Password isEnable
obfuscated! -> Use the
SNC, protecting sapyto’s getPassword
confidentiality plugin
and integrity of
the traffic.
...
01a0 00 00 00 00 00 00 06 05 14 00 10 5f 22 ea 45 5e ..........._".E^
01b0 22 c5 10 e1 00 00 00 c0 a8 02 8b 05 14 01 30 00 ".............0.
01c0 0a 72 66 63 5f 73 65 72 76 65 72 01 30 01 11 00 .rfc_server.0...
01d0 06 42 43 55 53 45 52 01 11 01 17 00 0b 81 bb 89 .BCUSER.........
for CHAR in CLEAR_TEXT_PASS:
01e0 62 fc b5 3e 70 07 6e 79 01 17 01 14 00 03 30 30 b..?w.oy......00
01f0 30 01 14 01 15 00 01 45 01 15 05 01 00 01 01 05 0......E........
0200 01 05 02 00 00 05 02 00 0b 00 03 36 34 30 00 0b ...........640.. OBFUSCATED_PASS[i] = CHAR XOR KEY[i]
0210 01 02 00 0e 5a 43 55 53 54 5f 47 45 54 4d 4f 4e ....ZCUST_GETMON
0220 45 59 01 02 05 14 00 10 5f 22 ea 45 5e 22 c5 10 EY......_".E^"..
0230 e1 00 00 00 c0 a8 02 8b 05 14 02 01 00 09 43 4c ..............CL
0240 49 45 4e 54 5f 49 44 02 01 02 03 00 08 43 55 53 IENT_ID......CUS
0250 54 30 30 31 00 02 03 ff ff 00 00 ff ff 00 00 01 T001............
0260 c7 00 00 3e 80 ...>. 40
 Vulnerability Assessment Phase
© 2008

Analysis of the RFC Interface

RFC Communication is done through the Gateway Service.

The GW can connect with external RFC servers:

Registered Servers:
The external system registers to the GW under a Program ID.

Started Servers:
The GW connects to a remote system and starts a program (trust?)

By exploiting Registered Servers caveats, it may be possible to obtain

confidential information, DoS, perform RFC MITM and callback attacks.

By exploiting Started Servers vulnerabilities, it may be possible to obtain
remote code execution on misconfigured Application Servers.

(check the “Attacking the Giants: Exploiting SAP Internals” white-paper) 41

 © 2008

Exploitation Phase
Getting access and beyond

42
 Exploitation Phase
© 2008

But…
But… why do we need Exploitation anyway?

Vulnerability Assessments reports enumerate discovered vulnerabilities
with the associated risk estimate.

A security aware individual would easily see the problems.

But, what about the people from the Financial areas?

For them to get involved, they need to see the facts! You must show
them how “their” information can be compromised -> screenshots, live-
demos…

Vulnerability Assessments are 2D, Exploitation adds a new Dimension.

43
 Exploitation Phase
© 2008

SAP Password Considerations & Cracking

SAP has implemented different password hashing mechanisms.

Passwords hashes are stored in table USR02 (BCODE, PASSCODE)
and USH02.
Code Vers. Description
A Obsolete
B Based on MD5, 8 characters, Uppercase, ASCII
C Not implemented
D Based on MD5, 8 characters, Uppercase, UTF-8
E Reserved
F Based on SHA1, 40 characters, Case
Insensitive, UTF-8
G Code Version F + Code Version B (2 hashes)

On June 26 2008, a patch for John The Ripper for CODVN B and F was
published. 44
 Exploitation Phase
© 2008

SAP Password Considerations & Cracking

SAP has implemented different password hashing mechanisms.

Passwords hashes are stored in table USR02 (BCODE, PASSCODE)
and USH02.
Code Vers. Description
Protection / Countermeasure
A Obsolete
B Based on MD5, 8 characters, Uppercase, ASCII

Access to tables USR02 and USH02 should be protected.
C Not implemented

Password security should be enforced through profile
D
configuration Based
(login/* on MD5, 8 characters, Uppercase, UTF-8
parameters).
E

Table Reserved
USR40 can be used to protect from trivial passwords.
F more information,

For Based on SHA1,
refer 40 characters,
to SAP Case
Note 1237762.
Insensitive, UTF-8
G Code Version F + Code Version B (2 hashes)

On June 26, a patch for John The Ripper for CODVN B and F was
published. 45
 Exploitation Phase
© 2008

Exploiting SAP/Oracle Authentication Mechanism

Discovered by me in 2007.

Discovered by Jochen Hein in 2003 (D’oh!)

Target: Default SAP/Oracle installations.

The SAP+Oracle Authentication Mechanism

SAP connects to the database as the OPS$<username> (eg: OPS$<SID>adm).

Retrieves user and password from table SAPUSER.

Re-connects to the database, using the retrieved credentials.

46
 Exploitation Phase © 2008

Exploiting SAP/Oracle Authentication Mechanism

There is a special Oracle configuration parameter named
REMOTE_OS_AUTHENT.

If set to TRUE, Oracle “trusts” that the remote system has authenticated the
user used for the SQL connection (!)

The user is created as “indentified externally” in the Oracle database.

Oracle recommendation: remote_os_authent = false

SAP default and necessary configuration: remote_os_authent = true

What do you need?

Database host/port.

SAP System ID.

Oracle Instance ID ( = SAPSID?)

47
 Exploitation Phase © 2008

Exploiting SAP/Oracle Authentication Mechanism

There is a special Oracle configuration parameter named
REMOTE_OS_AUTHENT.

If set to TRUE, Oracle “trusts” that the remote system has authenticated the
user used for the SQL connection (!)

The user is created as “indentified externally” in the Oracle database.
Protection / Countermeasure

Oracle recommendation: remote_os_authent = false

SAP default and necessary configuration: remote_os_authent = true
Restrict who can connect to the Oracle listener:

tcp.validnode_checking = yes

What do you need?
tcp.invited_nodes = (192.168.1.102, …)

Database host/port.

SAP System ID.

Oracle Instance ID ( = SAPSID?)

48
 Exploitation Phase
© 2008

Exploiting Weak RFC Interface Security

Possible in default configuration of SAP Systems.

Allows for unauthenticated remote code execution.
…
…
Starting EXPLOIT plugins
----------------------------
weakRFC(target#1) {
Creating new SHELL object...
SHELL object created. ID: 536
} res: Ok
sapyto> shells
sapyto/shells> list
Shell ID: 536 [RFCShell]
Target information:
Connector: SAPRFC_EXT
SAP Gateway Host: sapprd01
SAP Gateway Service: 3300
...
...

sapyto/shells> start 536

Starting shell #536
RFCShell - Run commands through RFC.
The remote target OS is: Win.NET.
sapyto/shells/536> run whoami
Call successfull. Command output:
prdadm
sapyto/shells/536>
49
 Exploitation Phase
© 2008

Exploiting Weak RFC Interface Security

Possible in default configuration of SAP Systems.

Allows for unauthenticated remote code execution.
…
Protection …/ Countermeasure
Starting EXPLOIT plugins
----------------------------
weakRFC(target#1) {

Starting of External Creating
RFC Servers is controlled
new SHELL object...through the file
SHELL object created. ID: 536
specified by the gw/sec_info profile parameter.
} res: Ok
sapyto> shells

This file should exist andlist
sapyto/shells> restrict access to allowed systems
Shell ID: 536 [RFCShell]
to start specific programs
Targetininformation:
the Application Servers.
Connector: SAPRFC_EXT

The gw/reg_info fileSAPprotects
GatewayRegistered Servers and should
Host: sapprd01
SAP Gateway Service: 3300
be configured as well....
...

For more information, refer to SAP Note 618516.
sapyto/shells> start 536
Starting shell #536
RFCShell - Run commands through RFC.
The remote target OS is: Win.NET.
sapyto/shells/536> run whoami
Call successfull. Command output:
prdadm
sapyto/shells/536>
50
 © 2008

Case Study:
SAProuter Security
Assessment

51
 Case Study: SAProuter Security Assessment
© 2008

SAProuter Introduction
SAProuter is an SAP program working as a proxy, which analyzes
connections between SAP systems and between SAP systems and
external networks.

Typical SAProuter Architecture

Internal Network

External User

Other Internal
Systems

Internet DEV QAS PRD

IntraWeb

SSH Server

SAProuter Internal Users Mainframe

Border FW
52
 Case Study: SAProuter Security Assessment
© 2008

SAProuter Introduction
If SAProuter is in place, clients have to specify a route string to connect.

/H/saprouter/S/3299/H/sapprd1/S/3200

Access in controlled through an ACL file called Route Permission Table.

Entry format:

P/S/D src_host dst_host dst_port pwd

First-match criteria.

In no match, deny connection. 53
 Case Study: SAProuter Security Assessment
© 2008

The Route Permission Table

Route Permission Table Example:

D host1 host2 serviceX

P 192.168.1.* host2 * pass123

S 10.1.*.* 10.1.2.* *

D * * * *

Route Permission Table in the real life:

D host1 host2 serviceX

P 192.168.1.* host2 * pass123

S 10.1.*.* 10.1.2.* *

P * * * * 54
 Case Study: SAProuter Security Assessment
© 2008

SAProuter Security Assessment with sapyto

The saprouterSpy plugin

Performs Internal Network port-scan.

Discovers new targets through SAProuter and configure them for
auditing by other plugins.

55
 Case Study: SAProuter Security Assessment
© 2008

SAProuter Security Assessment:

Assessment: sapytoAgents
Native Routing

SAPRouter also supports the “routing” of native protocols.

Useful for remote administration of Operating Systems, DB, etc.

Certain limitations apply.

saprouterAgent plugin deploys a sapytoAgent, which can be used to

proxy native connections (HTTP, SSH, Telnet, etc) to internal systems.

56
 Case Study: SAProuter Security Assessment
© 2008

SAProuter Introduction
SAProuter is an SAP program working as a proxy, which analyzes
connections between SAP systems and between SAP systems and
external networks.
Protection / Countermeasure
Typical SAProuter Architecture

SAProuter should be implemented in a separate DMZ.
Internal Network

Use VPNs and/or restrict connections at the border Firewall.

The RouteExternal
Permission
User Table should restrict access only to allowed parties, to
specific targets and ports. Other Internal
Systems

SNC should be required.
Internet DEV QAS PRD

Entries containing wildcards (*) are discouraged and should be carefully analyzed.
IntraWeb

SSH Server

SAProuter Internal Users Mainframe

Border FW
57
 © 2008

Conclusions
Wrapping up

58
 Conclusions
© 2008

Conclusions

It’s impossible to cover all the activities of an SAP Pentest in a one hour talk!

SAP systems deal with sensitive business information and processes. The
integrity, confidentiality and availability of this information is critical.

SAP systems security is often overlooked during the implementation phase, in
order to avoid “business delays”.

SAP security is much more than User Roles/Profiles and Authorizations!

By default, some configurations would expose the systems to high risk threats.

SAP provides many ways to secure systems and communications.
Administrators should enable security settings as soon as possible.

Pentesting your SAP systems will let you know the current security level of your
implementation (and show your managers why you need resources to secure it :P )

CYBSEC’s sapyto supports activities of all phases of the project.

SAP Penetration Tests should be carried out in controlled environments,
performed by qualified experts in the subject.
59
 References
© 2008

References

“Attacking the Giants: Exploiting SAP Internals” White-paper
http://www.cybsec.com/upload/bh-eu-07-nunez-di-croce-WP_paper.pdf

John The Ripper Patch for SAP hashes

http://marc.info/?l=john-users&m=121444075820309&w=2

sapyto
http://www.cybsec.com/EN/research/sapyto.php

CYBSEC’s SAP Security Services

http://www.cybsec.com/EN/services/SAP_security.php

SAP Note 931252 - Security Note: Authority Check for Function Group SRFC.

SAP Note 618516 - Security-related enhancement of RFCEXEC program.

SAP Note 1237762 - ABAP systems: Protection against password hash attacks

60
 © 2008

¿Questions?

61
 © 2008

Thank you!

www.cybsec.com

62