Invest in security to secure investments
All your SAP Passwords belong to us.
Dmitry Chastuchin, Director, Security Consulting, ERPScan.
About ERPScan
• The only 360-degree SAP Security solution - ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 awards and nominations
• Research team - 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)
SAP
• The most popular business application
• More than 250000 customers worldwide
• More than 83% of Forbes 500 run SAP
SAP security
Espionage
• Stealing financial information
• Stealing corporate secrets
• Stealing supplier and customer lists
• Stealing HR data
Fraud
• False transactions
• Modification of master data
Sabotage
• Denial of service
• Modification of financial reports
• Access to technology network (SCADA) by trust relations
Is it remotely exploitable?
5000+ non-web SAP services exposed in the world, including Dispatcher, Message Server, SapHostControl, etc.
Is it remotely exploitable?
[Chart: number of exposed services by type (axis ticks 0 to 9): SAP Dispatcher, SAP MMC, SAP Message Server, SAP HostControl, SAP ITS Agate, SAP Message Server httpd]
SAP MMC – overview
• MMC is installed by default on port 513
• Used for remote management of SAP servers
• Commands executed via SOAP interface
• By default, SSL is not implemented
• Administrative password transmitted using basic auth (Base64)
• By sniffing this password, we can get full control over the server
SAP MMC – attacks
• Many attacks can be implemented without authentication
• Attacks can be executed by sending SOAP requests
• Mostly, it is information disclosure and denial of service
• Also, OS command execution
Advanced MMC attacks
[Screenshot of a SOAP request to the MMC interface; recoverable fields: true, j2ee/cluster/server0/log/system/userinterface.log, %COUNT%, EOF]
PWN
If an attacker can read a file from the server OS, he can get clear text passwords of SAP users and, as a result, compromise the SAP system
Default passwords
Passwords on client side
User name     Password
SAP*          06071992, PASS
DDIC          19920706
TMSADM        PASSWORD, $1Pawd2&
EARLYWATCH    SUPPORT
SAPCPIC       ADMIN
Passwords on client side
Passwords on client side
• Attack via ActiveX – a lot of issues with RCE inside (1519966, 1327004, 1092631, …)
• Attack via client bugs – buffer overflow in saplogon.exe (1504547)
What comes after that? SapLogon shortcuts! Often, lazy users store the password for their SAP account in shortcuts
Passwords on client side
[System]
Name=DM0
Description=Test Sap Server
Client=800
[User]
Name=SAP*
Language=EN
Password=PW_48B7231FD1FE390C
[Function]
Title=myShortcut
Command=se16
[Configuration]
WorkDir=C:\Documents and Settings\Administrator\My Documents\SAP\SAP GUI
[Options]
Reuse=1
This is what a typical shortcut looks like…
File: .sap
Passwords on client side
[Label]
Key1=myShortcut
[Command]
Key1=desc="Test Sap Server" -sid="DM0" -clt="800" -u="SAP*" -l="EN" -tit="myShortcut" -cmd="se16" -wd="C:\Documents and Settings\Administrator\My Documents\SAP\SAP GUI" -ok="/nse16" -pwenc="PW_48B7231FD1FE390C"
…or like this
File: sapshortcut.ini
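As an added example (not part of the original slides and not ERPScan's tooling), a small audit script that scans a profile directory for SAP GUI shortcut files and reports where a password has been stored, handling both formats shown above. The sample files are constructed from the slides' example; the function names and the directory walk are my assumptions.

```python
import configparser
import os
import re

# Constructed sample files, modelled on the two shortcut formats shown on the
# slides (.sap file and sapshortcut.ini); the encoded value is the slides' one.
SAMPLE_SAP_FILE = """[System]
Name=DM0
Description=Test Sap Server
Client=800
[User]
Name=SAP*
Language=EN
Password=PW_48B7231FD1FE390C
[Function]
Title=myShortcut
Command=se16
[Options]
Reuse=1
"""

SAMPLE_SAPSHORTCUT_INI = """[Label]
Key1=myShortcut
[Command]
Key1=desc="Test Sap Server" -sid="DM0" -clt="800" -u="SAP*" -l="EN" -cmd="se16" -pwenc="PW_48B7231FD1FE390C"
"""

# in sapshortcut.ini the stored password travels as -pwenc="..." on the command line
PWENC_RE = re.compile(r'-pwenc="([^"]*)"')
SID_RE = re.compile(r'-sid="([^"]*)"')
USER_RE = re.compile(r'-u="([^"]*)"')


def _parse_ini(text):
    # interpolation off: values may contain '%' and '$' (e.g. the TMSADM default)
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def audit_sap_file(text):
    """Findings for one .sap shortcut file: list of (sid, user, encoded_password)."""
    cp = _parse_ini(text)
    pw = cp.get("User", "Password", fallback="")
    if not pw:
        return []
    return [(cp.get("System", "Name", fallback="?"),
             cp.get("User", "Name", fallback="?"), pw)]


def audit_sapshortcut_ini(text):
    """Findings for sapshortcut.ini: every [Command] entry that carries -pwenc."""
    cp = _parse_ini(text)
    findings = []
    if not cp.has_section("Command"):
        return findings
    for _key, cmd in cp.items("Command"):
        m = PWENC_RE.search(cmd)
        if not m:
            continue
        sid = SID_RE.search(cmd)
        user = USER_RE.search(cmd)
        findings.append((sid.group(1) if sid else "?",
                         user.group(1) if user else "?",
                         m.group(1)))
    return findings


def scan_directory(root):
    """Walk a profile or share and collect (path, sid, user, encoded) tuples."""
    report = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="latin-1") as fh:
                    text = fh.read()
            except OSError:
                continue
            if name.lower().endswith(".sap"):
                hits = audit_sap_file(text)
            elif name.lower() == "sapshortcut.ini":
                hits = audit_sapshortcut_ini(text)
            else:
                continue
            report.extend((path,) + h for h in hits)
    return report


if __name__ == "__main__":
    print(audit_sap_file(SAMPLE_SAP_FILE))
    print(audit_sapshortcut_ini(SAMPLE_SAPSHORTCUT_INI))
```

Because the slides show the stored value is only XOR-masked with a static key, any hit should be treated as a cleartext credential exposure and remediated as the prevention slide describes (remove the shortcut password and disable password storage), not merely noted.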
Passwords on client side
pwenc="PW_48B7231FD1FE390C"
PW_48B7231FD1FE390C
48B7231FD1FE390C
I used this password: 06071992
Looks like XOR encryption
Passwords on client side
• After a few experiments, we found out:
– Yes, this is XOR
– Yes, the key is static for all SAPLogon
• The key is: 788113…dc49b0
Passwords on client side
• …and the PY code to decrypt (Python 3 form; the static key is elided on the slide):
key = "788…"  # static SAPLogon key, elided here

def sxor(s1, s2):
    # byte-wise XOR of two equal-length byte strings
    return bytes(a ^ b for a, b in zip(s1, s2))

enc_pass = "PW_48B7231FD1FE390C"
# drop the "PW_" prefix, hex-decode, XOR with the key
dec_pass = sxor(bytes.fromhex(enc_pass[3:]), bytes.fromhex(key))
print("Decoded password is: " + dec_pass.decode("latin-1"))
Prevention
• Don’t use SAPGUI 6.4 (there are no patches for some vulns)
• Patch SAPGUI with the latest SP
• Don’t store passwords in shortcuts (HKCU\Software\SAP\SAPShortcut\Security EnablePassword=0)
• Make sure that you do not activate the storage of passwords in SAP shortcuts
• Authentication security for SAP shortcuts: http://help.sap.com/SAPHELP_NWPI71/helpdata/en/4d/dc9db9bc0e02cfe10000000a42189b/content.htm
Passwords from USR02, USH02, USRPWDHISTORY
USR02 password hash
• Well known password area
• Hash algorithm:
– CODVN A
– CODVN B (MD5-based)
– CODVN D (MD5-based)
– CODVN E (MD5-based)
– CODVN F (SHA1-based)
– CODVN G (Code versions B & F)
– CODVN H (SHA-1-based)
– CODVN I (Code versions B, F & H)
• Just use John the Ripper
Prevention
• Use the latest algorithm
• SAP Note 2467: Password rules and preventing incorrect logons
• SAP Note 721119: Logon with (delivered) default user fails
• SAP Note 735356: Special character in passwords; reactivation not possible
• SAP Note 862989: New password rules as of SAP NetWeaver 2004s
• SAP Note 874738: New password hash calculation procedure (code version E)
• SAP Note 991968: Value list for login/password_hash_algorithm
• SAP Note 1023437: Downwardly incompatible passwords since NW2004s
• SAP Note 1237762: Protection against password hash attacks
• SAP Note 1300104: CUA – New password hash procedures - Background information
• SAP Note 1458262: Recommended settings for password hash algorithms
• SAP Note 1484692: Protect read access to password hash value tables
• SAP Note 1488159: SUIM – RSUSR003 – Incorrect results for CODVN = F
Passwords from RFC request
Passwords from RFC request
• If an attacker catches an RFC request with logon data, he will be:
– Happy because he got the login and password
– Upset because the password is encrypted
– Happy because the encryption is just a XOR (lol)
– Happy because the key is static. Key: 313ec…a4021
– Very happy because he got the clear text password
Passwords from RFC request
Passwords from RFC request
• …and the PY code to decrypt (Python 3 form; the static key is elided on the slide):
key = "313e…"  # static RFC key, elided here

def sxor(s1, s2):
    # byte-wise XOR of two equal-length byte strings
    return bytes(a ^ b for a, b in zip(s1, s2))

enc_pass = "0108F357D03F770D"
dec_pass = sxor(bytes.fromhex(enc_pass), bytes.fromhex(key))
print("Decoded password is: " + dec_pass.decode("latin-1"))
Prevention
• Secure RFC connection using SNC
• SAP Security Note 1724516
• RFC and SNC: http://help.sap.com/saphelp_nw70ehp2/helpdata/en/72/e52c4057cb185de10000000a1550b0/content.htm
SAP Visual Admin password
SAP VisualAdmin
• SAP Visual Admin – a remote tool for controlling J2EE Engine
• Uses the P4 protocol – SAP’s proprietary
• By default, all data transmitted in cleartext
• P4 can be configured to use SSL to prevent MitM
• Passwords are transmitted by some sort of encryption
• In reality, it is some sort of Base64 transformation with a known key
SAP VisualAdmin data
Insecure password encryption in P4
char mask = 43690;  // aaaa hex
char check = 21845; // 5555 hex
char[] result = new char[data.length + 1];
for (int i = 0; i < data.length; ++i) {
    mask = (char)(mask ^ data[i]);
    result[i] = mask;
}
result[data.length] = (char)(mask ^ check);
return result;
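Added example, not code from the slides or from SAP: the decompiled transform above rewritten in Python together with its inverse, to make the security point concrete. Nothing secret enters the computation, only the constants 0xAAAA and 0x5555 from the snippet, so anyone who can see P4 traffic can undo it; that is why the prevention slide insists on SSL for P4. The function names and the sample password are mine.

```python
# Constants taken from the decompiled snippet above
MASK_SEED = 0xAAAA   # "aaaa hex"
CHECK = 0x5555       # "5555 hex"


def p4_mask(password):
    """The transform: a running XOR chain over the 16-bit chars, followed by a
    check word (last chain value XOR 0x5555). Returns a list of char codes."""
    mask = MASK_SEED
    out = []
    for ch in password:
        mask = (mask ^ ord(ch)) & 0xFFFF   # Java char arithmetic is 16-bit
        out.append(mask)
    out.append((mask ^ CHECK) & 0xFFFF)
    return out


def p4_unmask(masked):
    """Invert the transform with no key: each plaintext char is the XOR of two
    consecutive chain values (the first with the public seed). Returns None when
    the trailing check word does not match, i.e. the input is not P4-masked."""
    if not masked:
        return None
    body, trailer = masked[:-1], masked[-1]
    prev = MASK_SEED
    chars = []
    for m in body:
        chars.append(chr(m ^ prev))
        prev = m
    if ((prev ^ CHECK) & 0xFFFF) != trailer:
        return None
    return "".join(chars)


if __name__ == "__main__":
    # constructed sample; in practice this would be a captured P4 login field
    sample = "Secret1!"
    wire = p4_mask(sample)
    print("on the wire:", [hex(c) for c in wire])
    print("recovered without a key:", p4_unmask(wire))
```

The check word also tells an observer whether a captured field is a masked password at all, which is an additional detection aid for anyone inspecting unencrypted P4 traffic; the only effective mitigation is transport protection, as the prevention slide says.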
DEMO SAP Visual Admin password sniffing
Prevention
• Secure P4 connection using SSL
• SAP Security Note 1724516
• Using P4 protocol over a secure connection: http://help.sap.com/saphelp_nw73ehp1/helpdata/en/48/2d9ba88aef4bb9e10000000a42189b/content.htm
SAP JAVA Security Storage
SecStore
• The AS Java stores security-relevant information encrypted in a file in the file system
• The AS Java stores the following security-relevant information in files in the file system:
– Database user SAPDB and its password
– Database connection information
– Administrator user and its password
• Secure storage file is located at: \usr\sap\\SYS\global\security\data\SecStore.properties
SecStore
$internal/version=Ni4zFF4wMSeaseforCCMxegAfx
admin/host/TTT=7KJuOPPs/+u+14jM7uy7cy7exrZuYvevkSrPxwueur2445yxgBS
admin/password/TTT=7KJuOPPs/+uv+14j56vDc7M7v7dytbGbkgqDp+QD04b0Fh
jdbc/pool/TTT=7KJuOPPs/+u5jM6s1cvvgQ1gzFvarxuUzEJTHTJI0VGegH
admin/port/TTT=7KJuOPPs/+u+1j4vD1cv6ZTvd336rzEd7267Rwr4ZUgRTQ
$internal/check=BJRrzfjeUA+bw4XCzdz16zX78ufbt
$internal/mode=encrypted
admin/user/TTT=7KJuOPPs/+u+14j6s14sTxXU3ONl3rL6N7yssV75eC6/5S3E
• The AS Java uses the SAP Java Cryptography Toolkit to encrypt the information in the secure store using the TripleDES algorithm. The encryption is performed during the AS Java installation process
• Let’s look deeper
SecStore
• Algorithm is TripleDES. We need a key for decryption
• The main issue is that the key file is located in the same directory as the encrypted data: \usr\sap\\SYS\global\security\data\SecStore.key
• The key consists of two parts:
– Version information
– Encrypted key phrase
SecStore
• Version information. It affects the TripleDES key
– If version >= 7.00.000, then the Triple DES key = key phrase +
• Encrypted key phrase
– By default, it is the initial password which the administrator sets up during SAP system installation. Often, this phrase equals the DB password or an SAP administrator account password (SAP*, DDIC, J2EE_Admin, etc.)
– For encrypting the key phrase, an XOR algorithm with a static key is used: 43,-74…,-41,-67
• That’s why, if an attacker only got the SecStore.key file, they can also get access into SAP, because they have the initial password
SecStore
• OK. We have the encrypted password (SecStore.properties)
• We have the decryption key (SecStore.key)
• We can get all sensitive information from Security Storage
• As I said, data’s encrypted by the TripleDES algorithm
• More precisely, the encryption uses the TripleDES algorithm in CBC mode using a secret key which is derived from a password with the SHA hash algorithm
– The key is the key phrase from SecStore.key + (if version >= 7.00.000)
– The salt is the value 0000000000000000
SecStore
• We also wrote a tool which decrypts all the stuff from SAP JAVA AS Security Storage (SecStore_Cr.jar)
• Also, the SAP Secure Store file can have another name (ex. JUpgrade.properties) and store other interesting data, like:
– Password for SAP OS user (SIDADM)
– DB password
– DDIC password
– etc…
Prevention
• Install SAP Note 1619539
• Restrict read access to files SecStore.properties, JUpgrade.properties, and SecStore.key
• Managing secure storage in the file system: http://help.sap.com/saphelp_nw70ehp2/helpdata/en/cd/14c93ec2f7df6ae10000000a114084/content.htm
Passwords from log files
Log files
• We know about many places where SAP writes logs
• Administrator can define the verbosity level
• An attacker can find many interesting things in log files: information about the system, information about the users, even session information
• Very interesting path with logs: /sapinst_instdir/
But what about passwords?
Log files
• Passwords in SAP log files look like this:
dev_umconfigurator.trc
Log files
• Sometimes, we can find a clear text password
sapinst_dev..log
Log files
• Sometimes, we can find an encrypted password
Log files
• Guess what type of encryption is used?
• Right! XOR with a static hardcoded key: 31…65d
• As a result, we have a decryptor (Python 3 form; the key is masked on the slide):
key = "31XXXXXXXXXXXX5d"  # static hardcoded key, masked here

def sxor(s1, s2):
    # byte-wise XOR of two equal-length byte strings
    return bytes(a ^ b for a, b in zip(s1, s2))

def prepare(val):
    # the log stores the ciphertext as "|"-separated decimal byte values;
    # mask each to one byte (Java-style signed values) and emit a zero-padded
    # hex pair, since a bare hex() drops the leading zero for values below 16
    return "".join("%02x" % (int(a) & 0xFF) for a in val.split("|"))

encr = prepare(input("Enter encrypted password:"))
dec_pass = sxor(bytes.fromhex(encr), bytes.fromhex(key))
print("Decoded password is: " + dec_pass.decode("latin-1"))
Log files
• The same story with the config file
usr\sap\\config\usagetypes.properties
Prevention
• Don’t use TRACE_LEVEL = 3
• Delete traces when work is finished
• Mask security-sensitive data in HTTP access log
• Incrementing/decrementing the trace level: https://help.sap.com/saphelp_nwpi71/helpdata/en/46/962416a5a613e8e10000000a155369/content.htm
Passwords from SLD config file
SLD
• SLD is the central information repository for your system landscape
• It contains information about:
– technical systems
– landscapes
– business systems
– products
– software components in your system landscape
SLD password files
• Configuration file: usr\sap\\DVEBMGS\exe\slddest.cfg
– User name with DataSupplierLD role
– User password (wooot!)
– Host name
– Port
• Encrypted by DES algorithm in the early version of SLD
• Static default key is: 0A…71F
• But if the user specifies the key, then the key file is stored near the encrypted data file, in slddest.cfg.key
SLD password files
• In the latest versions of SLD, another algorithm is used: TripleDES with hardcoded key
Prevention
• Restrict read access to files slddest.cfg and slddest.cfg.key
• Configuring sldreg and transferring data to SLD: http://help.sap.com/saphelp_nw70/helpdata/en/42/ea5ff4b5d61bd9e10000000a11466f/content.htm
Passwords from ABAP SecStore
Password from RSECTAB
• The secure storage is a component of the SAP Web Application Server ABAP
• It allows the encrypted storage of sensitive data that SAP applications require when logging into other systems
• These SAP applications use the storage to store passwords:
– RFC destinations
– Exchange Infrastructure (XI)
– LDAP system users
– SAPphone
– SAPconnect
– CCMS (Generic Request and Message Generator)
• Table RSECTAB: select rawtohex(DATA) from SAPSR3.RSECTAB
Password from RSECTAB
Password from RSECTAB
Password from RSECTAB
• TripleDES 3DES mode: DES-EDE3
• The triple DES algorithm uses the DES-EDE3 method where a 24 byte key is supplied. This means there are three DES operations in the sequence encrypt-decrypt-encrypt with the three different keys. The first key will be bytes 1 to 8, the second key bytes 9 to 16 and the third key bytes 17 to 24
• Two rounds
Password from RSECTAB
• First round
• Encrypt:
– char randomPrefix[2];
– char payload[109];
– char payloadLength;
– char magicLocal[4];
– char magicGlobalSalted[4];
– char recordIdentifierA7Hash[16];
Password from RSECTAB
• Key for the first round of encryption, based on the default key:
Key’def[1]  = Keydef[1]  ^ (Hsup[0] & 0xF0)
Key’def[6]  = Keydef[6]  ^ (Hsup[0] & 0x0F)
Key’def[7]  = Keydef[7]  ^ (Hsup[3] & 0xF0)
Key’def[10] = Keydef[10] ^ (Hsup[1] & 0xF0)
Key’def[13] = Keydef[13] ^ (Hsup[1] & 0x0F)
Key’def[16] = Keydef[16] ^ (Hsup[4] & 0x0F)
Key’def[19] = Keydef[19] ^ (Hsup[2] & 0xF0)
Key’def[20] = Keydef[20] ^ (Hsup[2] & 0x0F)
• Where Hsup is md5(sidA7[3] + insnoA7[10])
Password from RSECTAB
Password from RSECTAB
• Second round
• Encrypt all data with the default key
Password from RSECTAB
• What about the default key?
• It is encrypted via 3DES-EDE2, too
• But the key for this encryption is hardcoded
Prevention
• Change the default key
• SAP Security Note 1902611
• Choosing your own key: http://help.sap.com/saphelp_nw70ehp2/helpdata/en/e0/f73d41945bdb2be10000000a1550b0/content.htm
Passwords from DBCON table
DBCON table
• SAP has connections with different DBs
• Administrator can manage these connections via the transaction DBCO
• All DB connection information is stored encrypted in the table DBCON (Description of Database Connections)
DBCON table
• Encrypted data looks like: V01/0030ZctvSB67Wv1OuVLazse4ORik
– BASE64 + DES
– hardcoded key: 59A…70E
– decrypted data includes static salt: BE HAPPY
Prevention
• Restrict access to the table DBCON
• Restrict access to the transaction DBCO
• SAP Security Notes 1638280 and 1823566
Passwords from HANA
SAP HANA
• User details (including passwords) stored in hdbuserstore
• Located in the /usr/sap/hdbclient directory
• About hdbuserstore:
– SSFS_HDB.DAT
– with user data
– with keys
SAP HANA
• SSFS_HDB.DAT
• Signature: RSecSSFsData
• Algorithm: 3DES
• Default key is the same as in the ABAP Security Storage
SAP HANA
• SAP HANA – in memory database
• But it drops some data into FS
– Backup
– Savepoint
“The SAP HANA database holds the bulk of its data in memory for maximum performance, but it still uses persistent disk storage to provide a fallback in case of failure. Data is automatically saved from memory to disk at regular savepoints. The data belonging to a savepoint represents a consistent state of the data on disk and remains so until the next savepoint operation has completed. After a power failure, the database can be restarted like any disk-based database and returns to its last consistent state,” – SAP HANA Security Guide
SAP HANA
• “Data volume encryption ensures that anyone who can access the data volumes on disk using operating system commands cannot see the actual data. If data volumes are encrypted, all pages that reside in the data area on disk are encrypted using the AES-256-CBC algorithm.”
• “After data volume encryption has been enabled, an initial page key is automatically generated. Page keys are never readable in plain text, but are encrypted themselves using a dedicated persistence encryption root key.”
SAP HANA
“SAP HANA uses SAP NetWeaver SSFS to protect the root encryption keys that are used to protect all encryption keys used in the SAP HANA system from unauthorized access.”
• SSFS_HDB.DAT
– HDB_SERVER/PERSISTENCE/ROOTKEY
– HDB_SERVER/DPAPI
• The persistence encryption feature does not encrypt the following data:
– Database redo log files
– Database backups
– Database traces
Prevention
• Change the encryption key after installation
• Restrict access to the key file
• Restrict access to the DAT file
• Security guide for HANA (p. 71): http://help.sap.com/hana/SAP_HANA_Security_Guide_en.pdf
• Secure storage in the file system: http://help.sap.com/saphelp_nw70ehp2/helpdata/en/a0/82dd0abbde4696b98a8be133b27f3b/content.htm
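Added example (not from the slides): a file-permission check for the files that the prevention slides of the SecStore, SLD and HANA sections say to restrict. The paths are relative to an SAP root, the <SID> and <NR> segments are placeholders I assume because the slides elide them, and the function names are mine. It covers POSIX file modes only, so Windows installations need an equivalent ACL check.

```python
import os
import stat

# Files named on the prevention slides. "<SID>" and "<NR>" are placeholders
# for the system ID and instance number, which the slides do not show; adjust
# the list for a real installation.
SENSITIVE_FILES = [
    "<SID>/SYS/global/security/data/SecStore.properties",
    "<SID>/SYS/global/security/data/SecStore.key",
    "<SID>/SYS/global/security/data/JUpgrade.properties",
    "<SID>/DVEBMGS<NR>/exe/slddest.cfg",
    "<SID>/DVEBMGS<NR>/exe/slddest.cfg.key",
    "<SID>/config/usagetypes.properties",
    "hdbclient/SSFS_HDB.DAT",
]


def classify_mode(mode):
    """Return the access problems implied by a POSIX mode value: the key and
    store files should be readable by the SAP OS user only, and writable by
    nobody else (a writable key file invites tampering as well as reading)."""
    problems = []
    if mode & stat.S_IRGRP:
        problems.append("group-readable")
    if mode & stat.S_IROTH:
        problems.append("world-readable")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by others")
    return problems


def audit(root="/usr/sap", files=SENSITIVE_FILES):
    """Map each listed file that exists under root to its problems (if any)."""
    report = {}
    for rel in files:
        path = os.path.join(root, rel)
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue           # not installed on this host; nothing to report
        problems = classify_mode(st.st_mode)
        if problems:
            report[rel] = problems
    return report


if __name__ == "__main__":
    for rel, problems in audit().items():
        print(rel, "->", ", ".join(problems))
```

Run it as the SAP OS user or root so that os.stat succeeds on every file; an empty report means all present files are restricted to their owner, which is the state the prevention slides ask for.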
Etc..
• ICF Password Repository – ICFSECPASSWD
• FI module passwords – FIEB_PASSWORD
• Oracle Fail Safe – stores passwords inside the ENVIRONMENT variable (Note 1764043 p. 4)
• SAP BusinessObjects LCMuser – hardcoded SVN user – \SAP BusinessObjects Enterprise XI.0\LCM_repository\svn_repository\conf
• SAP BusinessObjects axis2 login:password – axis2.xml
Conclusion
It is possible to protect yourself from these kinds of issues, and we are working closely with SAP to keep customers secure
• SAP guides
• Regular security assessments
• Monitoring technical security
• ABAP code review
• Segregation of duties
It’s all in your hands
Future work
I'd like to thank SAP's Product Security Response Team for the great cooperation to make SAP systems more secure. Research is always ongoing, and we can't share all of it today. If you want to be the first to see new attacks and demos, follow us at @erpscan and attend future presentations.
PS:
• EAS-SEC: a resource which combines
– Guidelines for assessing enterprise application security
– Guidelines for assessing custom code
– Surveys about enterprise application security