Real SAP Backdoors
Transcription
Real SAP Backdoors
Andreas Wiegenstein TITEL bearbeiten Dr. Markus Schumacher Real SAP Backdoors - 23rd, Heidelberg text styles Troopers12, ClickMarch to19th edit Master Second level Third level Fourth level Fifth level © © 2012 2011 Virtual 2012 Virtual Forge Forge GmbH GmbH || www.virtualforge.com www.virtualforge.com || All All rights rights reserved. reserved. TITEL My car,bearbeiten my house, my boat, … Andreas Wiegenstein Click to edit Master text styles Founder of Virtual Forge (Heidelberg), responsible for Research & Development Third level SAP Security Researcher, active since 2003 Fourth level Second level Received Credits from SAP for more than 20 reported 0-day Vulnerabilities Fifth level Frequent Speaker at international Conferences SAP TechEd 2004 (USA & Europa) / 2005 (USA) / 2006 (USA), DSAG 2009 BlackHat 2011 (Europe), Hack in the Box 2011 (Europe) Troopers 2011, RSA 2012 (USA) Co-Author of „Sichere ABAP Programmierung" (SAP Press) Training Class WDESA3 @ SAP University © © 2012 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. http://tinyurl.com/0daycredit TITEL bearbeiten Click to edit Master text styles Second level Third level Fourth level Fifth level © © 2012 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. CONTENTS TITEL bearbeiten 1. isedit a Backdoor? What Click to Master text styles Second level 2. SAP Technology / Security Basics Third level Fourth level 3. SAP Backdoors Fifth level 4. How do you prevent Backdoors? 5. Summary © © 2012 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. TITEL bearbeiten What a backdoor? Click is to edit Master text styles Second level Third level Fourth level Fifth level © © 2012 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. TITEL Search Some bearbeiten Engine Results… Click to edit Master text styles NOT Second level Third level Fourth level Fifth level This is The topic Of this talk. No way. © © 2012 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. TITELSearch More bearbeiten Engine Results… Click to edit Master text styles Second level NOT Third level Fourth level Fifth level Also The topic Of this talk. © © 2012 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. TITELresearch Own bearbeiten Click to edit Master text styles Second level Third level Fourth level Fifth level © © 2012 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. TITEL bearbeiten Wikipedia on Backdoors Click “A backdoor to edit in Master a computer text styles system [...] is a method of Second level authentication, securing remote bypassing normal Third level access to a computer, obtaining access to plaintext, Fourth level and so on, while attempting to remain undetected.” Fifth level (March 2012) © © 2012 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. TITEL bearbeiten Definition of a Backdoor in Software Click “A backdoor to edit in Master software text is astyles hidden feature that was Second level designed to bypass a security mechanism.” Third level (Troopers, March 2012)level Fourth Fifth level Characteristics: 1. Covertness 2. Bypass 3. Intent © © 2012 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. TITEL bearbeiten SAP / Security Basics ClickTechnology to edit Master text styles Second level Third level Fourth level Fifth level © © 2012 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. TITEL bearbeiten ABAP Click to edit Advanced Business MasterApplication text styles Programming Second level Proprietary exact specification not (freely) available Thirdlanguage, level Platform-independent code Fourth level Built-in transport system and version control Fifth level Various programming paradigms: Programs & Forms, Reports, Function Modules, Dynpros Classes & Methods, Business Server Pages, Web Dynpro ABAP Integrated platform-independent SQL Standard: Open SQL Built-in authentication, roles and authorization model ABAP runs with very high Privileges ABAP uses an explicit Authorization Model © © 2012 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. TITEL bearbeiten Remote Function Call (RFC) Client or SAP Server Click to edit Master text styles SAP Server Second level Third level Fourth level Fifth level S_RFC authorization required to call Function Modules remotely > 33.000 RFC-enabled Function Modules on ECC 6.0 RFC authorizations are complex to maintain © © 2012 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. TITEL bearbeiten ABAP Reports Click to edit Master text styles Second level Third level Fourth level Fifth level Reports can only be executed locally via restricted transactions ~ 220.000 ABAP reports on ECC 6.0 in the SAP standard ABAP command SUBMIT executes reports and checks authorizations Authorization is checked only if Authorization Group is maintained © © 2012 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. TITEL bearbeiten SAP ClickBackdoors to edit Master text styles Second level Third level Fourth level Fifth level © © 2012 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. TITEL#1 Case bearbeiten – OS Commands Controlled Operating System (OS) Command Execution Click to edit Master text styles ABAP Call OS Second 'LIST' SM49 / SM69 level Command LIST Third level PING X_PYTHON Fourth level Program OS Command ls 'ls' ping x_python OS © 2010 Virtual Forge GmbH. All rights reserved. Fifth level OS Commands must be pre-defined by Admin (white list) OS Commands must be executed through special API (SXPG_CALL_SYSTEM / SXPG_COMMAND_EXECUTE) Execution requires special authorization (S_LOG_COM) © © 2012 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. TITEL#1 Case bearbeiten – Code (1) FUNCTION oiuh_submit_unix_call. *"-------------------------------------------------------------------Click to edit Master text styles *"*"Local interface Second level(simplified excerpt): *" IMPORTING Third level *" VALUE(SCRIPT_NAME) LIKE *" VALUE(LOGICAL_PATH) LIKE *" Fourth level TABLES RESULTS STRUCTURE *" SCRIPT_DATA STRUCTURE *" FILENAME-FILEINTERN Fifth level *" *" RLGRAP-FILENAME OIUH_SYS_CONSOLE OIUH_SYS_CONSOLE EXCEPTIONS CALL_FAILURE *"-------------------------------------------------------------------- © © 2012 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. TITEL#1 Case bearbeiten – Code (2) DELETE DATASET script_name. Click to edit Master text styles OPEN DATASET script_name FOR OUTPUT IN TEXT MODE ENCODING DEFAULT. LOOP AT script_data. Second level TRANSFER script_data TO script_name. ENDLOOP. Third level CLOSE DATASET script_name. Fourth level Fifth level * CHANGE THE FILE MODE TO EXECUTE. CONCATENATE 'chmod 777' script_name INTO unix_command SEPARATED BY space. ... CALL 'SYSTEM' ID 'COMMAND' FIELD unix_command ID 'TAB' FIELD results-*sys*. ... * Execute the actual command CALL 'SYSTEM' ID 'COMMAND' FIELD script_name ID 'TAB' FIELD results-*sys*. © © 2012 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. TITEL#1 Case bearbeiten – Backdoor (?) Click toModule Function edit Master oiuh_submit_unix_call text styles is Second level designed to execute arbitrary OS commands, Third level bypassing the white list defined in SM49/69. Fourth level Fifth level Characteristics: 1. Covertness 2. Bypass 3. Intent © © 2012 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. TITEL#1 Case bearbeiten – Side Notes Click toModule Function edit Master oiuh_submit_unix_call2 text styles is an exact of Second level copy oiuh_submit_unix_call. Third level Both Function Modules also contain a Directory Traversal Fourth level vulnerability. Fifth level VF Advisories: SAP-BACK-01 and SAP-BACK-02 SAP Notes: 1560360 and 1558010 SAP CVSS Base Score: 6.0 SAP CVSS Base Vector: AV:N/AC:M/AU:S/C:P/I:P/A:P © © 2012 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. TITEL#2 Case bearbeiten – ABAP Development System Separation Click to edit Master text styles Second level Third level Fourth level Transport Transport Fifth level DEV TEST PROD © 2010 Virtual Forge GmbH. All rights reserved. Development process is well defined : DEV, TEST, PROD All ABAP code is tested before productive use No development possible on productive system © © 2012 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. TITEL#2 Case bearbeiten – Code (1) FUNCTION rs_functionmodule_insert. *"-------------------------------------------------------------------Click to edit Master text styles *"*"Local Interface Second level(simplified excerpt): *" IMPORTING Third level *" VALUE(FUNCNAME) LIKE *" VALUE(FUNCTION_POOL) LIKE *" Fifth level VALUE(REMOTE_CALL) LIKE *" VALUE(SHORT_TEXT) LIKE *" VALUE(SUPPRESS_CORR_CHECK) LIKE *" VALUE(SUPPRESS_LANGUAGE_CHECK) LIKE *" VALUE(AUTHORITY_CHECK) LIKE *" VALUE(SAVE_ACTIVE) LIKE *" *" Fourth level RS38L-NAME RS38L-AREA RS38L-REMOTE DEFAULT SPACE TFTIT-STEXT RS38L-EXTERN DEFAULT 'X' RS38L-HEAD DEFAULT 'X' RS38L-HEAD DEFAULT 'X' TABLES SOURCE STRUCTURE RS38L-HEAD DEFAULT 'X' RSSOURCE OPTIONAL © © 2012 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. TITEL#2 Case bearbeiten – Code (2) ... CALLClick to edit Master text styles FUNCTION 'RS_ACCESS_PERMISSION' EXPORTING Second level authority_check Third level ... = authority_check Fourth level IF sy-subrc = 0. Fifth level ... l_source = source[]. LOOP AT l_source INTO l_line. INSERT l_line INTO code INDEX tabix. tabix = tabix + 1. ENDLOOP. INSERT REPORT rs38l-include FROM code. ENDIF. © © 2012 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. TITEL#2 Case bearbeiten – Code (3) FUNCTION rs_access_permission. *"---------------------------------------------------------------------Click to edit Master text styles *"*"Lokale Schnittstelle (simplified excerpt): Second level *" *" ... IMPORTING Third level VALUE(AUTHORITY_CHECK) DEFAULT 'X‘ Fourth level Fifth level l_authority_check = authority_check. © © 2012 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. TITEL#2 Case bearbeiten – Code (4) ... CASEClick to edit Master text styles mode. WHEN 'MODIFY'.level Second IF l_authority_check NE ' '. Third level PERFORM accp_authority Fourth level USING Fifth level modus object object_class auth_object s_develop CHANGING trdir_inf. ENDIF. © © 2012 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. TITEL#2 Case bearbeiten – Backdoor (?) Click toModule Function edit Master rs_functionmodule_insert text styles is Second level designed to create arbitrary remote-executable ABAP Third level Code, bypassing the TEST System. Fourth level Fifth level Characteristics: 1. Covertness 2. Bypass 3. Intent © © 2012 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. TITEL#2 Case bearbeiten – Side Notes Click VF Advisory: to editSAP-BACK-03 Master text styles Second level SAP Note: 1589919 Third level Fourth level CVSS Base Score: 3.5 Fifth level CVSS Base Vector: AV:N/AC:M/AU:S/C:N/I:P/A:N © © 2012 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. TITEL#3 Case bearbeiten – Code (1) FUNCTION RKC_FUNCTION_INTERFACE_GEN. *"-------------------------------------------------------------------Click to edit Master text styles *"Lokale Schnittstelle Second level (simplified excerpt): *" *" *" *" *" *" EXPORTING Third level REPID LIKE SY-REPID Fourth level TABLES FifthSTRUCTURE level REP_TAB RFCLINE EXCEPTIONS NOT_INSERTED *"-------------------------------------------------------------------- © © 2012 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. TITEL#3 Case bearbeiten – Code (2) DATA: BEGIN OF REP OCCURS 20. ClickINCLUDE to edit Master text styles STRUCTURE ABAPTEXT. DATA: END OF REP. Second level Third level REFRESH REP. Fourth level LOOP AT REP_TAB. REP = REP_TAB. Fifth level APPEND REP. ENDLOOP. REPID = 'RKCINTER'. INSERT REPORT REPID FROM REP. IF SY-SUBRC <> 0. RAISE NOT_INSERTED. ENDIF. ENDFUNCTION. © © 2012 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. TITEL#3 Case bearbeiten – Intermission Click Now weto can edit create Master a report text styles with arbitrary content. Second level But(how) can we execute it (remotely) ? Third level Fourth level Fifth level M? © © 2012 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. TITEL#3 Case bearbeiten – Code (3) FUNCTION HR99B_PARALLEL_REPORT_RUN. *"-------------------------------------------------------------------Click to edit Master text styles *"*"Local Interface Second level(simplified excerpt): *" *" *" *" *" *" IMPORTING Third level VALUE(REPID) TYPE TABLES TRDIR-NAME Fourth level Fifth level VALUTAB STRUCTURE RSPARAMS CHANGING VALUE(CV_TASK_NAME) TYPE HR99B_TASK_NAME OPTIONAL *"-------------------------------------------------------------------- SUBMIT (REPID) WITH SELECTION-TABLE VALUTAB AND RETURN. "#EC CI_SUBMIT ENDFUNCTION. © © 2012 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. TITEL#3 Case bearbeiten – Backdoor (?) Function RKC_FUNCTION_INTERFACE_GEN Click toModule edit Master text styles is designed create a Report that contains arbitrary Second to level Third level ABAP Code, bypassing the TEST System. Fourth level Function Module HR99B_PARALLEL_REPORT_RUN is Fifth level designed to execute reports remotely. Characteristics: 1. Covertness 2. Bypass 3. Intent © © 2012 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. TITEL#3 Case bearbeiten – Side Notes Click VF Advisory: to editSAP-BACK-06 Master text styles Second level SAP Note: 1592312 Third level Fourth level CVSS Base Score: 3.5 Fifth level CVSS Base Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N VF Advisory: SAP-BACK-04 SAP Note: 1558284 CVSS Base Score: 8.2 CVSS Base Vector: AV:N/AC:M/AU:S/C:C/I:C/A:P © © 2012 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. TITEL#4 Case bearbeiten – SAP Transaction RSRV Click to edit Master text styles Second level Third level Fourth level Fifth level Characteristics: 1. Covertness 2. Bypass 3. Intent © © 2012 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. TITEL#5 Case bearbeiten – The Three Developers Security of Master a BSP (Web) of an SAP customer ClickAudits to edit text Application styles OneofSecond the pages appeared to be blank level Third level the page checked for the usernames of three In the source code, Fourth level external developers… Fifth level …and would allow them to read data from a table of their choice in the SAP database Financial data Production data HR data … © © 2012 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. TITEL#5 Case bearbeiten – Backdoor (!) Generic reader in BSP page. Clicktable to edit Master text styles Second level Characteristics: Third level 1. Covertness Fourth level 2. Bypass 3. Intent Fifth level A nice backdoor and 100% remote accessible © © 2012 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. TITEL bearbeiten How youMaster prevent Backdoors? Clickdo to edit text styles Second level Third level Fourth level Fifth level © © 2012 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. TITEL bearbeiten Anti-Backdoor Recommendations (1) Perform all code Click topeer editreviews Masteroftext styles The backdoor can be everywhere Second level for Third level Check proprietary authorization logic / unusual options Fourth level Check for (unexpected) modifications to the database Fifth level Check for generic database access Prohibit certain coding practices by strict guidelines but don‘t rely on them © © 2012 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. TITEL bearbeiten Anti-Backdoor Recommendations Use codeMaster analysistext to detect suspicious code Clickstatic to edit styles Check for command execution based on input Second level Third level ABAP Fourth Operating systemlevel Fifth level Expect stealth techniques Dynamic ABAP Hidden OK Codes #EC suppression … © © 2012 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. TITEL bearbeiten Summary Click to edit Master text styles Second level Third level Fourth level Fifth level © © 2012 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. TITELBackdoor SAP bearbeiten Summary ABAP canMaster have backdoors Click code to edit text styles Backdoors difficult to spot Secondare level Thirdtolevel Designed be covert level „Needle inFourth the haystack“ Fifth level Check the background of your (external) developers Perform code audits before productive use Perform static code analysis as additional line of defense © © 2012 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. ABAP Security Resources TITEL bearbeiten SAP Security Advisories researched by Virtual Forge Links http://www.codeprofilers.com/index.php/advisories.html Click to edit Master text styles Second level Organizations Third level BIZEC – Business Security Initiative http://www.bizec.org Fourth level Fifth level Literature Sichere ABAP-Programmierung (SAP PRESS, 372 S., 2009) Andreas Wiegenstein, Markus Schumacher, Sebastian Schinzel, Frederik Weidemann © © 2012 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. TITEL bearbeiten Questions? Click to edit Master text styles Second level McFly: Third level Fourth level “Listen, you got a backdoor to this place?“ Fifth level Bartender: “Yeah, it's in the back.” (Back to the Future III, 1990) © © 2012 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. TITEL bearbeiten Contact Information Click to edit Master text styles Second level Third level VIRTUALFORGE GmbH Fourth level andreas.wiegenstein@virtualforge.de Fifth level Speyerer Straße 6 69115 Heidelberg Deutschland Telefon: + 49 (0) 6221 86 89 0 - 0 Fax: + 49 (0) 6221 86 89 0 - 101 © © 2012 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. TITEL bearbeiten Disclaimer SAP, R/3, ABAP, SAP GUI, SAP NetWeaver and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Click to edit Master text styles All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. Second level Third level The authors assume no responsibility for errors or omissions in this document. The authors do not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. Fourth This document is provided withoutlevel a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. Fifth level The authors shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of this document. Hippies are not supposed to read this. No exceptions. No part of this document may be reproduced without the prior written permission of Virtual Forge GmbH. © 2012 Virtual Forge GmbH. © © 2012 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.