Practical pentesting of ERPs and business applications
advertisement
Invest in security to secure investments Prac%cal pentes%ng of ERPs and business applica%ons Alexander Polyakov, CTO in ERPScan Alexey Tyurin, Director of consul%ng department in ERPScan About ERPScan • The only 360-­‐degree SAP Security solu%on -­‐ ERPScan Security Monitoring Suite for SAP • Leader by the number of acknowledgements from SAP ( 150+ ) • 60+ presenta=ons key security conferences worldwide • 25 Awards and nomina=ons • Research team -­‐ 20 experts with experience in different areas of security • Headquarters in Palo Alto (US) and Amsterdam (EU) 2 Agenda •
•
•
•
•
Business applica%ons EBASS (OWASP-­‐EAS) ERP Pentes%ng approach Pentes%ng SAP NetWeaver JAVA Pentes%ng Oracle PeopleSoV 3 Business applica=on security All business processes are generally contained in ERP systems. Any informa%on an aXacker, be it a cybercriminal, industrial spy or compe%tor, might want is stored in the company’s ERP. This informa%on can include financial, customer or public rela%ons, intellectual property, personally iden%fiable informa%on and more. Industrial espionage, sabotage and fraud or insider embezzlement may be very effec%ve if targeted at the vic%m’s ERP system and cause significant damage to the business. 4 SAP security threats Espionage • Financial Data, Financial Planning (FI) • HR Data, Personal, Contact Details (HR) • Customer Lists • Corporate Secrets (PLM) • Supplier Tenders (SRM) • Customer Lists (CRM) Cyber criminals need only to gain access to one of the described systems to successfully steal cri%cal informa%on. 5 SAP security threats Sabotage • Denial of service – Incurs huge costs • Data modifica%on to cause damage – Delete cri%cal informa%on • SCADA connec%ons – Common to see connec%ons between ERP and SCADA 6 SAP security threats Fraud • Manipulate automated transac%on systems • Generate false payments • Transfer money Associa(on of Cer(fied Fraud Examiners es(mates that corpora(ons, on average, lose 7% of revenue to fraud 7 Business applica=on security • Complexity Complexity kills security. Many different vulnerabili%es in all levels, from network to applica%on • Customiza=on Cannot be installed out of the box. They have many (up to 50%) custom codes and business logic • Risky Rarely updated because administrators are scared they can be broken during updates; also, it is down%me • Unknown Mostly available inside the company (closed world) hXp://erpscan.com/wp-­‐content/uploads/pres/ForgoXen%20World%20-­‐%20Corporate%20Business%20Applica%on%20Systems%20Whitepaper.pdf 8 ERP Pentes(ng Approach 9 EASSEC (OWASP-­‐EAS) •
•
•
•
•
•
Enterprise Applica%on SoVware Security project Founded in 2010 as OWASP-­‐EAS Published concept and top 10 issues for different areas Rebranded to EASSEC in 2013 and updated Because it is much more than WEB Compliance for SAP NetWeaver ABAP planned for July 2013 Exists to provide guidance to people involved in the procurement, design, implementa(on or sign-­‐off of large scale (i.e.'Enterprise') applica(ons. hXp://www.owasp.org/index.php/OWASP_Enterprise_Applica%on_Security_Project hXp://eas-­‐sec.org 10 EASSEC • Network Implementa%on issues (EASSEC-­‐NI-­‐9-­‐2013) • OS Implementa%on issues (EASSEC-­‐OI-­‐9-­‐2013) • Database Implementa%on issues (EASSEC-­‐NI-­‐9-­‐2013)
• Applica%on Implementa%on issues (EASSEC-­‐AI-­‐9-­‐2013) • Frontend Implementa%on issues (EASSEC-­‐CI-­‐9-­‐2013)
11 EASSEC-­‐NI-­‐9-­‐2013 1 Insecurely configured Internet facing applica%ons 2 Vulnerable or default configura%on of routers 3 Lack of proper network filtra%on between EA and Corporate network 4 Lack or vulnerable encryp%on between corporate net and EA Network 5 Lack of frontend access filtra%on 6 Lack of encryp%on inside EA Network 7 Lack of separa%on between Test, Dev, and Prod systems 8 Insecure wireless communica%ons 9 Lack or misconfigured network monitoring 12 EASSEC-­‐OI-­‐9-­‐2013 1 Missing 3rd party soVware patches 2 Missing OS patches 3 Universal OS passwords 4 Unnecessary enabled services 5 Lack of password lockout/complexity checks 6 Unencrypted remote access 7 Insecure trust rela%ons 8 Insecure internal access control 9 Lacking or misconfigured logging 13 EASSEC-­‐DI-­‐9-­‐2013 1 Default passwords for DB access 2 Lack of DB patch management 3 Remotely enabled addi%onal interfaces 4 Insecure trust rela%ons 5 Unencrypted sensi%ve data transport 6 Lack of password lockout and complexity checks 7 Extensive user and group privileges 8 Unnecessary enabled DB features 9 Lacking or misconfigured audit 14 EASSEC-­‐AI-­‐9-­‐2013 1 Lack of patch management 2 Default passwords 3 Unnecessary enabled func=onality 4 Remotely enabled administra=ve services 5 Insecure configura=on 6 Unencrypted communica=ons 7 Internal access control and SoD 8 Insecure trust rela=ons 9 Monitoring of security events 15 ERP pentes=ng features • Deeper knowledge of ERP than normal systems required • ERP systems are mission cri%cal and cannot be accidentally taken down (POC exploits are too dangerous) • Gaining shell / command exec is not the goal – The goal is the access to sensi%ve data or the impact on business processes 16 Deeper knowledge • Higher difficulty than standard pentests • Required knowledge of: –
–
–
–
–
–
–
Business processes Business logic Exploit tes%ng impact risk assessment High end databases Numerous (some%mes esoteric) opera%ng systems Different hardware plamorms Common custom implementa%ons 17 Exploita=on • Exploit code is not easily weaponized for ERP • Payloads have to be adapted – Numerous hardware, OS, release version, and DB systems to generate payloads for – In some cases, up to 50 different shellcode varia%ons • Building a test environment is nearly impossible – Takes an expert a week to properly install each varia%on – A year to build a comprehensive test environment 18 Shell • A beXer approach required with focus on – Architecture – Business logic – Configura%on You will get administrator access to business data • Rather than – Program or memory vulnerabili%es You will probably gain access to OS and then need to obtain access to Applica%on 19 Shell Program vulnerabili=es: Architecture flaws: -­‐ Can be patched quickly + Harder to patch and harder to re-­‐design (old design – in produc%on for 10 years) -­‐ Need to write & test numerous + One vulnerability – one exploit payloads -­‐ AVer gaining OS shell you s%ll + Direct access to applica%on and need to access data + Easier to find API (mostly) -­‐ H a r d e r t o fi n d ( d e e p e r knowledge on the system required) 20 Architecture issues • Informa%on disclosure • Authen%ca%on bypass – This is oVen provided non-­‐privileged access • Improper Access Control – This area is mostly covered by Segrega%on of Du%es • Undocumented Func%onality – ERPs have many func%ons created for debug or leV over from old versions • Dangerous Func%onality – Can be improperly restricted by user accounts with default passwords • Insecure Trust Rela%ons – It is very common to escalate privileges to another system 21 ERPScan Pentes=ng Tool • ERPScan's Pentes%ng Tool is a freeware tool that is intended for penetra%on of ERP systems using Black Box tes%ng methods • Previous version 0.6 released in 2012 (41 module for SAP) • Version 1.0 will be released aVer the BlackHat conference and will contain ~60 modules and tools for SAP and PeopleSoV • Using ERPScan's SAP Pentes%ng Tool, you can: – Obtain informa%on using informa%on disclosure vulnerabili%es; – Exploit poten%al vulnerabili%es; – Collect business cri%cal data for reports; * ERPScan's SAP Pentes(ng Tool is NOT a demo or part of the professional product called ERPScan Security Monitoring Suite. It is just a number of Perl scripts for penetra(on testers. 22 Pentes(ng SAP NetWeaver J2EE 23 SAP •
•
•
•
•
The most popular business applica%on More than 120000 customers worldwide 74% of Forbes 500 companies run SAP Main system – ERP 3 plamorms Вставьте рисунок на слайд, скруглите верхний левый и нижний правый угол (Формат – Формат рисунка), добавьте контур (оранжевый, толщина – 3) ‒ NetWeaver ABAP ‒ NetWeaver J2EE ‒ BusinessObjects 24 SAP NetWeaver J2EE • Addi%onal plamorm • Base plamorm for IT stuff. Like: • SAP Portal , SAP XI, SAP Solu%on Manager, SAP Mobile, SAP xMII • Purpose: Integra%on of different systems • If compromised: • Stopping of all connected business processes • Fraud • Industrial espionage 25 SAP for users • Client-­‐server applica%on SAP-­‐GUI with proprietary DIAG protocol • Main func%ons: – transac=ons executed in SAPGUI – calling special background func%ons (RFC) remotely – modifying code of transac%ons or RFC func%ons using ABAP language – using web interfaces like Web Dynpro or BSP in some applica%ons, like SRM 26 SAP vulnerabili=es 900 800 700 600 500 By 2014 -­‐ 2800 SAP Security notes 400 300 200 100 0 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 27 J2EE pla`orm architecture 28 J2EE pla`orm services Service Name Port Number Default Value Range (min-­‐max) Enqueue server 32NN 3201 3200-­‐3299 HTTP 5NN00 50000 50000-­‐59900 HTTP over SSL 5NN01 50001 50001-­‐59901 IIOP 5NN07 50007 50007-­‐59907 IIOP Ini%al Context 5NN02 50002 50002-­‐59902 IIOP over SSL 5NN03 50003 50003-­‐59903 P4 5NN04 50004 50004-­‐59904 P4 over HTTP 5NN05 50005 50005-­‐59905 P4 over SSL 5NN06 50006 50006-­‐59906 Telnet 5NN08 50008 50008-­‐59908 Log Viewer control 5NN09 50009 50009-­‐59909 JMS 5NN10 50010 50010-­‐59910 29 Preven=on Preven%on: • Deny access to open ports from users subnet (except 5NN00). Only administrators must have access. • Disable unnecessary services 30 User management • UME: User management engine. Using UME, you can manage all user data through web interface: hXp://server:port/useradmin • SPML: Service Provisioning Markup Language (SPML). A new unified interface for managing UME: hXp://server:port/spml/spmlservice 31 Authen=ca=on • Declara=ve authen=ca=on: - The Web container (J2EE Engine) handles authen%ca%on - Example: J2EE Web applica%ons • Programma=c authen=ca=on. - Components running on the J2EE Engine authen%cate directly against User Management Engine (UME) using the UME API. - Example: Web Dynpro, Portal iViews 32 J2EE Engine services •
•
•
•
•
•
SAP NetWeaver HTTP (webserver) SAP Visual Admin (P4) SAP J2EE Telnet SAP Log Viewer SAP Portal SAP SDM 33 SAP NetWeaver web server SAP HTTP Services can be easily found on the Internet: • inurl:/irj/portal • inurl:/IciEventService sap • inurl:/IciEventService/IciEventConf • inurl:/wsnavigator/jsps/test.jsp • inurl:/irj/go/km/docs/ 34 A lot of results 35 SAP NetWeaver 7.2 1200 web applica%ons 36 Vulnerabili=es •
•
•
•
•
•
•
Informa%on disclose SMBRelay XSS CSRF Auth bypass Verb Tampering Auth bypass Invoker Servlet XXE/SSRF 37 SAP NetWeaver web server • Applica%on service with J2EE support • It is like Apache Tomcat but 100 %mes more complex • Supports different SAP web service types: -
-
-
-
-
-
Web Dynpros JSPs J2EE web applica%ons Java Beans SOAP web services Portal iViews • By default, a lot of test applica%ons installed 38 SAP NetWeaver web server Demonstra=on of acacks by ERPScan Pentes=ng Tool • Informa%on disclosure • CTC web service auth bypass • Log Viewer aXacks • P4 password decryp%on • Breaking connected ABAP systems 39 Informa=on disclosure • Kernel or applica%on release and SP version. DSECRG-­‐11-­‐023, DSECRG-­‐11-­‐027, DSECRG-­‐00208 • Applica%on logs and traces DSECRG-­‐00191, DSECRG-­‐11-­‐034 • Username DSECRG-­‐12-­‐028 • Internal port scanning, Internal user bruteforce DSECRG-­‐11-­‐032, DSECRG-­‐00175 40 Inf. disclosure in REP (DSECRG-­‐11-­‐023) 41 Inf. disclosure in BCB (DSECRG-­‐11-­‐027) 42 Preven=on • Install SAP notes: 1503856,1548548, 581525,1503856,1740130, 948851,1619539,1545883 • Update the latest SAP notes every month • Disable unnecessary applica%ons 43 CTC authen=ca=on bypass WEB.XML file is stored in WEB-­‐INF directory of applica%on root. security-constraint>!
<web-resource-collection>!
<web-resource-name>Restrictedaccess</webresource-name>!
<url-pattern>/admin/*</url-pattern>!
<http-method>DELETE</http-method>!
</web-resource-collection>!
!<auth-constraint>
!<role-name>admin</role-name>
!</auth-constraint>!
</security-constraint>!
<
!
44 CTC authen=ca=on bypass <security-constraint>
<web-resource-collection>
<web-resource-name>Restrictedaccess</web-resource-name>
<url-pattern>/admin/*</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
What if we use HEAD instead of GET ? 45 CTC authen=ca=on bypass •
•
•
•
Must use the security control that lists HTTP verbs (DONE) Security control fails to block verbs that are not listed (DONE) GET func%onality will be executed with an HEAD verb (DONE) SAP NetWeaver J2EE engine has all these features!!! 46 CTC authen=ca=on bypass • Administra%ve interface for managing J2EE engine (CTC) • Can be accessed remotely • Can run user management ac%ons -
-
-
-
-
Create new users Assign any roles to them Execute OS commands on the server side Create RFC des%na%ons Read RFC des%na%ons info 47 DEMO 48 Preven=on Preven%on: • Install SAP notes 1503579, 1616259, 1589525, 1624450 • Scan applica%ons using ERPScan WEB.XML check tool or manually • Secure WEB.XML by dele%ng all <hXp-­‐method> • Disable applica%on that are not necessary 49 SAP VisualAdmin •
•
•
•
•
•
SAP Visual Admin: a remote tool for controlling J2EE Engine Uses the P4 protocol – SAP’s proprietary By default, all data transmiXed in cleartext P4 can be configured to use SSL to prevent MitM Passwords transmiXed in some sort of encryp%on In reality, it is some sort of Base64 transform with known key 50 VisualAdmin protocol 51 Insecure password encryp=on in P4 /* 87 */ char mask = 43690; /* 88 */ char check = 21845; /* 89 */ char[] result = new char[data.length + 1]; /* */ /* 91 */ for (int i = 0; i < data.length; ++i) { /* 92 */ mask = (char)(mask ^ data[i]); /* 93 */ result[i] = mask; /* */ } /* 95 */ result[data.length] = (char)(mask ^ check); /* */ /* 97 */ return result; 52 DEMO 53 Preven=on Preven%on: • Use SSL for securing all data transmišng in server-­‐server and server-­‐client connec%ons hXp://help.sap.com/saphelp_nwpi71/helpdata/de/14/
ef2940cbf2195de10000000a1550b0/content.htm 54 LogViewer acacks • LogViewer: a special service which can be manually enabled in an SAP system. • If LogViewer standalone is installed on SAP server, aXacker can try to remotely register a log file by console command register_log.bat • No authen%ca%on needed • This op%on can be used for SMBRelay aXack • Port address can be 50109 or 5465 or any custom 55 DEMO 56 Preven=on Preven%on: • Install SAP note 1685106 • Disable applica%ons that are not necessary 57 Breaking connected ABAP systems • Major part of penetra%on tes%ng is post-­‐exploita%on • NetWeaver J2EE connected with ABAP stack of other systems by RFC protocol • Authen%ca%on data for those connec%ons are stored in J2EE Engine and can be obtained by using API • To do that, you need to upload a special service which will call internal func%ons for obtaining access to RFC connec%ons. • In most cases, those connec%ons are configured with privileged users RFC is an SAP interface protocol, which simplifies the programming of communica(on processes between systems 58 Breaking connected ABAP systems public void getUsers(String _file)
throws Exception
{
ClassLoader origClassLoader =
Thread.currentThread().getContextClassLoader();
Thread.currentThread().setContextClassLoader(getClass().getClassLoader());
InitialContext ctx = new InitialContext();
Object obj = ctx.lookup("rfcengine");
RFCRuntimeInterface runtime = (RFCRuntimeInterface)ctx.lookup("rfcengine");
BundleConfiguration bundle = new BundleConfiguration();
String text = "Users: \n\n";
BundleConfiguration[] bundles = runtime.getConfigurations();
for (int i = 0; i < bundles.length; i++)
{
text = text + "LogonUser \t" + bundles[i].getLogonUser() + "\n";
text = text + "LogonPassword \t" + bundles[i].getLogonPassword() + "\n";
text = text + "SystemNumber \t" + bundles[i].getSystemNumber() + "\n";
text = text + "LogonClient \t" + bundles[i].getLogonClient() + "\n\n";
}
save(text, _file);
Thread.currentThread().setContextClassLoader(origClassLoader);
}
59 DEMO 60 Preven=on Preven%on: • Install SAP notes 1503579, 1616259 • Disable applica%ons that are not necessary • Don’t store cri%cal accounts in RFC des%na%ons, especially from less cri%cal systems to more cri%cal 61 Pentes(ng Oracle PeopleSoT 62 Agenda •
Introduc%on to Oracle PeopleSoV •
PeopleSoV Internet Architecture •
Introduc%on to PeopleSoV Security •
Assessing PeopleSoV using EBASS (OWASP-­‐EAS) •
A lot of DEMOs… 63 What is it? •
•
•
Oracle PeopleSoV Apps: HRMS, FMS, SCM, CRM, EPM Can work as one big portal or separately Many implementa%ons 64 PeopleSof Internet Architecture •
•
•
Many applica%ons, but they have one architecture PeopleSoV Internet Architecture – Internet oriented since version 8 Based on several special core technologies 65 PeopleSof Internet Architecture PeopleTools: • Technology • Developer tools • Framework • PeopleCode All of the applica%ons are created using PeopleTools. 66 PeopleSof Internet Architecture PeopleCode: • object-­‐oriented proprietary (case-­‐insensi%ve) language • used to express business logic for PeopleSoV applica%ons • PeopleCode syntax resembles other programming languages • fundamentals of objects and classes are the same as in Java 67 PeopleSof Internet Architecture 68 PeopleSof Internet Architecture Components: • Web browser • Web server • Applica%on server • Batch server • Database server 69 PeopleSof Internet Architecture 70 PeopleSof Internet Architecture • Web server – WebLogic /WebSphere – PS Servlets – Forwards request from a browser to an App Server • Applica%on server – PS Services + Tuxedo + Jolt – Business logic, SQL transac%on management, Transport • Database server – System Tables, PeopleTools metadata , PeopleSoV applica%on data 71 PeopleSof Internet Architecture Another view: 72 PeopleSof Internet Architecture •
Users (web browser) – All common web technologies – A single escala%on point for common and administra%ve goals •
Developers (PeopleTools) – 2-­‐Tier – direct connec%on to DBMS – 3-­‐Tier – connec%on through Applica%on Server. Special ports WSH, WSL. Essen%ally, basic SQL requests which are forwarded to DBMS by Applica%on Server •
External systems – Different web services (SOAP, XML) for a cross-­‐system integra%on 73 PeopleSof Internet Architecture 74 PeopleSof Internet Architecture Basic role model: • Permission Lists – Permission lists are the building blocks of user security authoriza%on •
Roles – A role is a collec%on of permission lists •
User Profile – The user profile specifies a number of user aXributes, including one or more assigned roles 75 PeopleSof Internet Architecture Authen=ca=on process and terms: •
User logs in with their User ID and password. •
Applica%on Server uses Connect ID to connect to DBMS. –
•
•
•
This account has limited rights in DBMS. It is used to retrieve the u=User ID and password, which are then compared to the user’s input If successful, the system takes Symbolic ID (associated with) User ID. The system uses Symbolic ID to find in PSACCESSPRFL the necessary Access ID and the password. This account is privileged. The system reconnects to DBMS using Access ID. * Passwords are encrypted. 76 EASSEC-­‐AI-­‐9-­‐2013 1 Lack of patch management 2 Default passwords 3 Unnecessary enabled func%onality 4 Remotely enabled administra%ve services 5 Insecure configura%on 6 Unencrypted communica%ons 7 Internal access control and SOD 8 Insecure trust rela%ons 9 Monitoring of security events 77 1. Lack of patch management 78 PeopleSof Vulns Some vulns every year, but no info for pentes%ng… 79 PeopleSof DoS • o ld research • buffer overflow in login process!!! • we can control the return address • but stack cookie… so only DoS * Do you think it is secure Java? No, there are too many crashes J 80 0-­‐=me + a lot of 0-­‐days aVer our last research wait un=l show =me… 81 Subcomponents A strange finding: Apache Axis 1.4 is from 2006. Is it not too old? What about CVE CVE-­‐2012-­‐5785 or CVE-­‐2012-­‐4418, which exist in Axis 2? Needs deeper tes%ng… 82 2. Default passwords for applica=on access
83 Default accounts Some of them: • people:peop1e – DB •
PS:PS – super PS user (also VP1:VP1) •
“password” for many web services •
“dayoff” for a Portal servlet Ex: psp/[site]/?cmd=viewconfig&pwd=dayoff – to see configs Different way: non-­‐standard Weblogic accounts: •
system: Passw0rd (password) – main administrator •
operator: password – operator role •
monitor: password – monitor role * The password of “system” is oVen changed to that of “PS” 84 3. Unnecessary enabled applica=on features 85 Features Some of PS: •
Business Interlinks •
Integra%on Gateway •
PeopleSoV Online Library •
PeopleSoV Repor%ng Some of WebLogic: •
UDDI Explorer •
WebLogic web services 86 New inputs But much more when we look closely (some of them): 87 4. Open remote management interfaces 88 PeopleSof App Debug commands for the Portal sevlet: •
•
•
•
•
•
•
•
?cmd=viewconfig&pwd=dayoff ?cmd=reloadconfig&pwd=dayoff ?cmd=viewsprop&pwd=dayoff ?cmd=debugCache&pwd=dayoff ?cmd=purge&pwd=dayoff ?cmd=resešmeout&pwd=dayoff ?cmd=resetlog&pwd=dayoff ?cmd=manifestCache&pwd=dayoff 89 WebLogic •
•
•
WebLogic admin “/console” On the same port with PeopleSoV applica%on by default Anyone can try to access the inside with default accounts 90 WebLogic And what about the T3 protocol? Remote management of interfaces 91 WebLogic •
Non-­‐default is fine too •
informa%on from SNMP “public” 92 5. Insecure op=ons 93 Accounts •
•
Large enterprise systems. There are a lot of accounts which we can bruteforce… 94 Encryp=on Encryp%on of password in config files: • Some passwords of PeopleSoV are stored in plaintext • Some – DES • Some – 3DES • Some – AES (Weblogic) DES •
The key for DES is hardcoded •
Was used for encryp%on in the older systems •
Has no ID at the beginning (such as “{V1.1}”) 95 Encryp=on 3DES •
The key for 3DES is standard by default. •
You can check it. The string “{V1.1}” before an encrypted password shows the key is default. •
AVer each key regenera%on, the number is changed (1.2, 1.3…). •
Do you regenerate it? AES •
If you want to decrypt with AES, you need SerializedSystemIni.dat. •
You can understand that it is AES by the “{AES}” string in the beginning of an encrypted password. 96 7. Unencrypted communica=ons 97 Communica=ons General problem with communica%ons: • User or Remote system to Web Server: HTTP and HTTPS are both used by default in PeopleSoV apps. HTTP has no encryp%on. • Applica=on server to RDBMS and Developer to RDBMS (2-­‐
=er): By default, there is no encryp%on. In some RDBMS (like MS SQL) we can grab creden%als very easily. 98 Non-­‐standard •
JOLT (between Web server and Applica=on server): By default, there is no encryp%on. Default ports: TCP/9001-­‐9005. It looks like HTTP traffic, but it’s a liXle bit weird. 99 Jolt Request 100 Jolt Reply 101 Non-­‐standard •
Developer through Applica=on Server to RDBMS (3-­‐=er) By default, there is no encryp%on. Default ports: TCP/7001-­‐7005. It looks like plaintext SQL queries. 102 WSL Request 103 Pentest 104 Ports 105 Default ports •
•
•
•
•
•
•
•
•
80, 443 – both ports – WebLogic / PeopleSoV 3050 – Tuxedo (not used in PS) 7000 – WSL – distributes connec%ons on WSH 7001-­‐7005 – WSH – a port on the applica%on server for developers (3-­‐%er) 7180, 7143 – PS REN server (Real-­‐%me EventNo%fica%on) 9000 – JSL – distributes connec%ons on JSH (jolt) 9001-­‐9005 – a port on the applica%on server for Jolt connec%ons from the web server 9500 – PS Debugging port – a port on the applica%on server (non default) 9100 – Jolt relay (non default) 106 Google Dorks • filetype:GBL peoplesoV • peoplesoV inurl:cmd=login • in%tle:"PeopleSoV Enterprise Sign-­‐in" • in%tle:"WebLogic Server" in%tle:"Console Login" inurl:console • "Welcome to Weblogic Applica%on Server" PeopleSoV 107 Google Dorks 108 Detect •
PS can be “hidden” very well and look totally unlike itself – Filetype: GBL – A lot of JavaScripts with version informa%on – Cookie with PORTAL-­‐PSJSESSIONID – Cookie PSTOKEN – Cookie PSLOGINLIST 109 Default inputs • A lot of input spots. Scan them! 110 Default inf disclosure • Some of them: 111 Default accounts • WebLogic account bruteforcing is blocked by default • PS account bruteforcing is not blocked be default • auditPWD is not monitored 112 DEMO 113 Strange UDDI explorer One of input spots: • We can scan internal network via SSRF (%me-­‐based) • We can steal the password of administrator * But who uses this strange thing? 114 DEMO 115 MitM acacks • No encryp%on is used for JOLT and WSH by default • Let’s look a liXle bit closer at the traffic 116 DEMO 117 Another classic acack • Most administra%ve tasks are fulfilled by administrators through the portal. XSS is a beau%ful aXack! • Ex. 1 (un%l PT 8.51). PSOL Full Text Search: XSS in every entry field 118 Another classic acack • Ex. 2 (PT 8.53): CVE-­‐2013-­‐3818 Patched in CPU 16 July 2013 (cpujul2013) hXp://172.16.0.79/CfgOCIReturn.html?&debug=true&domain=aaa
%27%3Cimg%20src%3D%22zz%22%20onerror%3Dalert
%28%22XSS%22%29%3E 119 True DoS • One of input points is Business Interlink • No authen%ca%on • Simple request • PeopleSoV сrashes (Java, to be precise ;)) 120 DEMO 121 DoS? • One of input points is Business Interlink • No authen%ca%on • Simple request • Crashes PeopleSoV CVE-­‐2013-­‐3820 Patched in CPU on the 16th of July 2013 (cpujul2013) 122 DEMO 123 XXEs • Some of input points: PSIGW/*, Business Interlink, SyncServ • !!!No authen%ca%on !!! • Common XXE injec%on impact: – We can read plain text files (not all) – SSRF – SSRF+gopher (if JDK <= 1.6) – SSRF+grab NTLM hashes/SMBRelay (if JDK <= 1.6 and OS = Windows) – Classic en%%es DoS? + we can list directories and read XML files! (no binary) CVE-­‐2013-­‐3800, CVE-­‐2013-­‐3819, CVE-­‐2013-­‐3821 Patched in CPU on the 16th July 2013 (cpujul2013) 124 Whatever do we read? • Configura%on files that can store plaintext passwords: hcmss.dms, create_accessid.sql , connect_2005.sql,
psprcs.cfg, hcengl.log, dbsetup.xml, psappsrv.cfg,
resetpswd.dms, hcora.dms, connect.sql, pswinclt.cfg
* They mostly belong to Connec%on ID. But there are some PS too. • Configura%on files that can store encrypted passwords (DES, 3DES, AES): configuration.properties, gatewayUserProfile.xml,
integrationGateway.properties, config.xml,
security.xml, DefaultAuthenticatorInit.ldif,
boot.properties, nm_password.properties
* They mostly belong to web service. But they can fit forPS too. 125 Whatever do we read? Issues • Not all of the listed files can be read by reading data from the web server • Passwords from WebLogic accounts are AES-­‐encrypted, the key is in the binary file • If the administrator re-­‐generated keys to 3DES ({V1.2},{V1.3 …), the key is also in a binary file which cannot be read through XXE • Theore%cally, the private SSL key can be read and used for MitM aXacks, but it has to be stored in plain-­‐text. By default, it is stored in Java storage (binary) 126 Acack! 1) Read Connec%on ID and aXack through the database. It is possible to download user hashes and bruteforce them, for example. 2) From the mul%tude of configura%on files, we can retrieve various accounts (in the case of v. 1.1 or an old PT version with DES) and use it to find the password for the PS acount in Portal. 3) We can read the file nm_password.proper%es of WebLogic, which stores the hash of the node manager password (similar to the password of the user “system” in WebLogic by default). 127 Bonus (T3 protocol) A funny case: • Access to the console is blocked by WAF • But we know that the console shares a port with PS Portal by default • We have a WebLogic account. But what exactly do we do? 128 Bonus (T3 protocol) A funny case: • Access to the console is blocked by WAF • But we know that the console shares a port with PS Portal by default • We have a WebLogic account. But what exactly do we do? • !!!Use the T3 protocol!!! • T3 is the RMI to WebLogic. It can be used to execute any administra%ve ac%ons including applica%on deployment • It shares a port with console • It is not the HTTP protocol and thus not blocked by WAF 129 DEMO 130 Pentes(ng MicrosoT Dynamics GP 131 What is it? •
•
MicrosoV Dynamics GP is ERP or accoun%ng soVware Many implementa%ons: about 430000 companies Img from hXp://www.calszone.com 132 Architecture Based on www.securestate.com/Downloads/whitepaper/Cash-­‐Is-­‐King.pdf 133 Features •
Fat client •
Web is only for info and repor%ng •
Dexterity language •
The security depends on the security of SQL Server •
MicrosoV Dynamics GP does not integrate with Ac%ve Directory 134 Security Role model: • Security Tasks • Security Roles • Users Features: • sa • DYNSA • DYNGRP • System password • SQL users 135 inSecurity • All the security of Dynamics relies on the visual restric%ons of the fat client • In fact, all users have the rights to the companies’ databases and to DYNAMICS • The only obstruc%on: impossible to connect to the SQL server directly. How to bypass it? 136 inSecurity • Reverse engineering to understand the password “encryp%on” algorithm • A MitM aXack on ourselves MS SQL server does not encrypt the process of authen%ca%on af a few bytes are replaced upon connec%on! * The method itself is described and implemented into a Metasploit Framework module that works like a charm: hXp://f0rki.at/microsoV-­‐sql-­‐server-­‐downgrade-­‐aXack.html ** It is a feature, not a bug, and MicrosoV is not going to correct it 137 What’s next? • Full access to the company’s informa%on in the database For example, privilege escala%on. But a research called “Cash is King” describes subtler methods: hXp://marke%ng.securestate.com/cash-­‐is-­‐king-­‐download-­‐our-­‐free-­‐whitepaper • AXack on OS For example, if the SQL server is launched under a privileged user account, we can ini%ate a connec%on to our host using stored procedures (xp_dirtree) because we have the rights of the “public” role. The result will be a hash which can be used in a bruteforce aXack. If Dynamics GP uses a cluster of SQL servers (it happens some%mes), we can conduct an SMB Relay aXack on the same server (MS08-­‐068 will not work here). The result will be a shell on the cluster :) 138 DEMO 139 Conclusion It is possible to be protected from almost all those kinds of issues and we are working hard to make it secure Guides Regular security assessments Monitoring technical security Code review Segrega=on of du=es EAS-­‐SEC project Future work I'd like to thank SAP's Product Security Response Team for the great coopera(on to make SAP systems more secure. Research is always ongoing, and we can't share all of it today. If you want to be the first to see new aXacks and demos, follow us at @erpscan and aXend future presenta(ons: •
•
•
•
•
September 12-­‐13 SEC-­‐T Conference (Stockholm, Sweden) September 21 HackerHalted Conference (Atlanta, USA) October 7-­‐8 HackerHalted Conference (Reykjavik, Iceland) October 30-­‐31 RSA Europe (Amsterdam, Netherlands) November 7-­‐8 ZeroNights (Moscow, Russia) Greetz to our crew who helped
