Hardcore Sap Penetration Testing

 

Disclaimer According to the partnership agreement between ERPScan and SAP, our company is not entled to publish any specic and detailed informaon about detected vulnerabilies before SAP releases an appropriate appropriat e patch. This white paper only includes the details of those vulnerabilies that we have the right to publish as of the release date. However, However, you can see addional examples of exploitaon, which prove the existence of the vulnerabilies by following us during the conferences as well as at ERPScan. com.

The research was conducted by ERPScan as a part of contribuon to the EAS-SEC non-prot organizaon organizaon that is focused on Enterprise Applicaon Security awareness. This document or any of its fragments cannot be reproduced or distributed in whole or in part without prior wrien consent of EAS-SEC. SAP SE is neither the author nor the publisher of this whitepaper and is not responsible for its content. EAS-SEC and ERPScan are not responsible for any damage that can be incurred by aempng to test the vulnerabilies described in this document. This publicaon contains references refer ences to SAP SE products. SAP NetWeaver and other SAP products and services menoned herein are trademarks or registered trademarks of SAP SE. Our SAP security surveys go beyond this whitepaper. You can nd the latest stascs reports related to SAP services on the Internet and other endeavors of the ERPScan Research on  on  ERPScan ocial blog and on EAS-SEC project’s website.

2

 

Contents Disclaimer ............................................................................................................. ................................................................................................................................................ ................................... 2

Introducon.................................................................................................................................  ............................................................................................................................................. ............ 4 What is SAP pentest? ....................................  ............................................................................................................................ ........................................................................................4 4 SAP Pentest vs. SAP Security Audit .......................................................................................................5 Threat Modelling .................................................................................................................. ..................................................................................................................................... ................... 6

Analyzing Risks for Manufacturing Industry .................................................................................... ......................................................................................... ...... 6 Idenfying the most important assets in SAP landscape . ...................................................................... .....................................................................7 7 Uncovering SAP Plaorms for the most crical assets .......................................................................... .........................................................................7 7 How vulnerable are SAP plaorms? ...................................................................................................... .....................................................................................................8 8 Aack Scenario ........................................................................................................ ..................................................................................................................................... .............................. 10 Informaon gathering ...................................  ......................................................................................................................... ......................................................................................10 10 Vulnerability exploitaon .................................  .................................................................................................................... ...................................................................................11 11 Privilege escalaon .............................................................................................................................13 Business Risk demonstra demonstraon on ..............................................................................................................13 The Scope of the Search  ..............................  ................................................................................................. .......................................................................................... ....................... 15 SAP Informaon disclosure ................................................................................................................17 SAP SQL injecon .......................................  ................................................................................................................................ .........................................................................................18 18 Crypto issue ...........................................  ........................................................................................................................................ .............................................................................................24 24 Hardcore SAP Pentesng - Exploitaon ..............................................................................................31 Automaon ............................................  ......................................................................................................................................... .............................................................................................33 33 Privilege escalaon, remote command execuon ........  .............................................................................. ......................................................................36 36 Conclusion .........................................  ............................................................................................................. .................................................................................................... ................................ 39 Contacts .....................................................................................................................................  ................................................................................................................................................. ............ 40

3

 

Introduction Pentest, or penetraon tesng, stands for a range of processes that simulate an aacker's acons to idenfy security weaknesses. Usually, a company engages third-party security experts in conducng penetraon tesng and provides them with the address(es) of the server(s) they should examine. Pentestss are oen divided into two types: Pentest • white-box pentest - a pentest, in which experts are provided with background system information; • black-box pentest - a pentest in which background system data is unknown to a pentest executor.

The pentesng process of the rst model, when pentesters are outside the internal network and have no privileges, includes the following steps: 1. Acquiring information about a company, systems, and users. 2. Exploitation of vulnerabilities to access the system with minimal user privileges. 3. Exploitation of vulnerabilities and escalation of privileges to access a database and critical business information. 4. Acquiring administrative administrative access to an OS.

During a white-box pentesng, a client company informs a pentester about the infrastructure, gives a computer network diagram, explains specic features of protecng mechanisms, and somemes provides access to the source code. Both types of pentests may include manual and automac works. For example, examining source code for vulnerabilies is simplied by using ready-made pentesng tools  (available on the Internet) or custom programs wrien on their own. Numerous tools can come in handy during pentesng, such as those that automate system analysis and exploitaon of SQL injecon, XSS, or RCE vulnerabilies. Nonetheless, it is impossible to conduct a successful penetraon tesng with automated programs only because every company has its own specic features, and pentesters have to modify programs adapng to each individual client.

► What is SAP pentest? Why do you need to access an SAP system security? The rst reason is rather obvious and simple: an SAP aon System is a tempng target hackersprocesses. because it stores and manages the lifeblood of any organizaon organiz – crical c rical informaon andfor business However, that is not it. Imagine a certain SAP module liable for industrial technologies, for example, one that controls oil exploitaon or transportaon. No need to say it has vital importance when it comes to producon lifecycle. How to ensure that the SAP system is not vulnerable and perpetrators are not able to interf interfere ere in any process? SAP Penetraon tesng perfectly serves the purpose here. A typical black-box SAP penetraon tesng looks like this: 1. Penetration testers scan SAP systems in their scope trying to reveal as much system information as possible. 2. According to the information obtained from the first step, the pentesters recognize what database, SAP version, and particular SAP modules are implemented. Then, they search for vulnerabilities a

version is susceptible to. By exploiting these vulnerabilities, pentesters pentesters gain minimal access rights to the system (e.g., as a guest user).

4

 

3. By exploiting vulnerabilities, pentesters escalate privileges and get administrative access to a system.

SAP soware is unique, and its specic nature should be taken into account while conducng an SAP Penetraon tesng. For example, by default, an administrator password, a password to a database, and a scheme for connecng an SAP server to a database are encrypted and stored in the SecStore. properes le, and the decrypon key is kept in the SecStore.key le. Therefore, in case of a poorly congured system, the exploitaon of a vulnerability, like Directory Traversal or XXE, is enough to read les from a server. Since a vendor now focuses on the security of its products and new protecng mechanisms are implemented, SAP system compromise compromise is more of a challenge to accomplish. Likewise, SAP security hits the radar of organizaons' security teams. So, these days it is unlikely that one can compromise the whole SAP system by exploing a single vulnerability vulnerability.. Thus a pentester has to exploit a chain of security issues to achieve the nal results.

► SAP Pentest vs. SAP Security Audit Another opon to assess SAP system security is SAP security Audit. If during pentesng a security expert does not succeed in hacking a system for a certain period of me (for example, 2 weeks), it does not mean that this system is secure and hackers cannot break into it. It simply means that if aackers have more me, they will succeed. The security audit process lies in the fact that a group of experts is provided with full access to a syst system, em, source code, and internal network so that they can analyze its security more eecvely and discover more vulnerabilies than during black-box or white-box pentests.

5

 

Threat Modelling A penetraon test is a pracce of aacking an IT infrastructure to evaluate evaluate its security and determine whether malicious acons are possible. Although it is a common task, the nature and methodology of a penetraon test dier according to the scope, aims, a client-compan client-company's y's specics, and many other factors. Once the ERPScan team was conducng a penetraon test in a large manufacturing organizaon. organizaon. The task was not so ordinary and easy because the number of syst systems ems in the scope was huge and lile me was alloed. That is why it was absolutely necessary to perform Threat Modelling before diving into the process of hacking. Threat Modelling is the rst step of every successful penetraon tesng. tesng. At this stage, a cybersecurity expert gets the picture of business processes of a typical manufacturing company, company, idenes the most crical assets and associated risks. The gathered informaon helps a penetraon tester tester to decide what to focus on.

► Analyzing Risks for Manufacturing Industry Manufacturing companies are aracve targets for dierent kinds of cybercriminals, i.e., state-sponsored hackers, hackvists, terrorists, malicious insiders). Such companies are responsible for a great part of some countries' economy. Any interference in their work can stop processes and, as a result, deprive the company and the country of revenue. Just to give some background informaon, in 2015 the United States exported app. 2.6 million vehicles valued at $65 billion. The manufacturing industry is indeed on the radar of cybercriminals. For example, the cyberaack  cyberaack  against a steel mill in Germany hit the headlines in 2015, as it has caused conrmed physical damage. In case of a cyberaack, a manufacturing company may face the following consequences: • Plant Sabotage/Shut Sabotage/Shutdown down • Equipment damage • Production Disruption (Stop or pause production) • Product Quality (Quality degradation) • Compliance violation (Such as pollution) • Safety violation (Death or injury)

Aer we have idened the most important risks for the manufacturing industry, the next step is to nd out whether it is possible to cause these risks by accessing acce ssing SAP systems and that exactly exactly an aacker should exploit to cause them. SAP systems are widely used in the Manufacturing industry, industry, and there are even specic SAP modules for Manufacturing. Cyberaacks Cyberaacks on SAP systems (regardless (regardless of the industry) are crical, as they can lead to espionage, sabotage or fraud. However, However, they can be even more lethal for the Manufacturing because of trust connecons in SAP syst systems ems that are responsible for asset management and technology networks (e.g., plant oor).

6

 

► Identifying the most important assets in SAP

landscape

A typical manufacturing company's infrastructure consists of mulple business applicaons and industry-specic modules. Here is an incomplete list of the applicaons which common for the majority of manufacturing enterprises: • Enterprise Resource Planning (ERP) • • • •

Manufacturing Execution System (MES) Asset Lifecycle Management (ALM) Manufacturing Integration (xMII) Other standard systems: HR, CRM, PLM, SRM, BI/BW, SCM

Some of these systems such as xMII or ALM can be connected with Industrial Control Control Systems or plant oor, so a single vulnerability in them may pose a risk for the enre company.

► Uncovering SAP Platforms Platforms for the

most critical assets

SAP systems can be based on dierent plaorms: ABAP, Java, or HANA. The main SAP plaorm is SAP NetWeaver, the enabling foundaon for SAP and non-SAP applicaons. The rst version of SAP NetWeaver came out in 2004. Aer that, SAP has introduced several versions of the plaorm and new modules to extend its funconality. As of today, the latest version is SAP NetWeaver NetWea ver 7.5 (the rst release was in October 2015). One of the main parts of SAP NetWeaver is SAP NetWeaver Applicaon Server (AS). SAP NetWeaver NetWeaver AS includes the applicaon server ABAP and Java. As its name implies, the main programming language for SAP NetWeaver AS ABAP plaorm is ABAP and, correspondingly, for SAP NetWeaver AS Java is Java. Returning to our case, the most crical applicaon linked to the producon network is SAP xMII (SAP xApp Manufacturing Integraon and Intelligence) based on the Java plaorm. SAP xMII is oen used in industrial enterprises to manage and automate their processes. This module extends the funconality of SAP NetWea NetWeaver ver AS Java to use it in producon. SAP xMII provides a direct connecon between shop-oor systems and business It enterprise ensures that all dataand related to manufacturing is visible in real me. SAP customers can operaons. also link their processes master data to manufacturing processes to run their business based on a single version. Vulnerabilies in SAP xMII are parcularly hazardous, because this soluon is a kind of a bridge between ERP (Enterprise Resource Planning), other enterprise applicaons and plant oor as well as OT (Operaonal Technology) Technology) devices. Any vulnerability aecng SAP xMII can be used as a starng point of a mul-stage aack aiming to get control over plant devices and manufacturing systems. A brief look at public sources indicates that there is a couple of notable vulnerabilies in the SAP xMII component (e.g., Reected XSS vulnerability, directory traversal vulnerability). Sounds great, now we know what the risks are, which systems are the most important and what plaorm we need to analyze in terms of security rst of all.

7

 

The nal preparaon step is to nd out the most important vulnerabilies in this plaorm, how common they are, and what versions are the most widespread. All these factors inuence chances of successfully performing a penetraon test. Such analysis will show us if we need to add addional resources to the team such as researchers who will look for 0-day vulnerabilies in the plaorms in case if informaon about those SAP systems is not available (this situaon is rather common when we deal with SAP Pentesng).

► How vulnerable are SAP

platforms?

According to the latest SAP Cybersecurity in Figures report, 3662 vulnerabilies in dierent SAP products were xed in total (as for mid-2016). 548 of them aect Java stack and 2585 ABAP. We have scanned the enre range of IP addresses on the Internet and revealed that an overwhelming number of SAP servers available on the Internet have version 7.3 (7.3 – 626, 7.3 EHP 1 – 851) and 7.4. In other words, we will likely come across these versions while conducng penetraon tesng. tesng. They are more secure and contain no security issues specic to the 7.2 version. Thus, we will need to nd 0-day vulnerabilies. Since the necessity to nd new vulnerabilies is evident, let us look at the most common types of issues patched in SAP NetWeaver Java plaorm (see Chart 1). This informaon as well as other interesng details are available in our latest SAP Cybersecurity Threat report.  

7.3 21%

7.2

7.1 EHP1

7.1

1%

6%

1%

7.5 2%

7.4 41%

7.3 EHP1 28%

Chart 1. SAP NetWeaver AS JAVA versions From the Chart 1., it is clear that the most common vulnerability type is XSS, but we rarely exploit them during pentests. Apparently, Apparently, we will need to nd informaon disclosure or conguraon issue to break into the system (see Chart 2)

8

 

Other 8%

Denial of Service 3% XML external enty 2%

Cross-site scripn scripng g 29%

SQL injecon 2% Verb tampering 4% Directory traversal 5%

Cross-site request forgery 7% Missing Authorizaon 10%

Informaon disclosure 17% Configuraon issues 13%

Chart 2. Vulnerabilities in Java platform Theorecally, such a large number of the vulnerabilies in Java plaorm allows considering that penetraon tesng will pose no diculty. In most cases, it is so indeed. Usually, it does not take much me to break into an SAP system as companies do not even implement patches for 3-year-old vulnerabilies. Not this me, however however.. During our pentest, we faced some dicules and uncommon tasks.

9

 

Attack Scenario The exploitaon of 3 vulnerabilies enables an aacker to hijack an SAP administr administrator ator account without any access to an SAP system by using the black-box method. A typical pentest involves the following steps: 1. Information gathering 2. Vulnerability exploitation 3. Vulnera Privilegebility escalation 4. Business Risk demonstra demonstration tion

► Information

gathering

Informaon gathering gathering is the basis of every penetraon tesng. Some informaon about a syst system em can be collected without using a single vulnerability. vulnerability. For example, by scanning a network for parcular SAP services or a web server for available web applicaons to understand if there are any applicaons or services with security issues. This step also includes exploitaon of a specic vulnerability type - “Informaon disclosure.” Usually, there is a plethora of these low-risk vulnerabilies detected at the Informaon Gathering stage. What is more dangerous, they are oen le unpatched since administrators have to put all the available resources to cope with more crical issues. However, However, with the help of this vulnerability vulnerability,, an aacker can obtain valuable informaon about the operang system system installed, SAP version, private IP to a user list and user passwords. Although a typical SAP installaon is abundant in Informaon Disclosure vulnerabilies, during our pentesng the system system was so securely sec urely congured that we had to search for 0-days. Eventually,, we found mulple Informaon disclosure vulnerabilies. For instance, using vulnerabilies Eventually ERPSCAN-16-010 and ERPSCAN-16-016 an authencated aacker can get an SAP user's name, surname, privileges, and logins remotely. remotely. An example of vulnerabilies exploitaon is provided below (see Fig. 1.)

10

 

Fig. 1. Vulnerabi Vulnerability lity exploitation The exploitaon of this vulnerability is quite an easy task. An aacker needs to anonymously open an available webdynpro applicaon uniform resource idener (URI) and press the “Select” buon. Nevertheless, an aacker cannot log into the SAP system with only usernames; passwords for SAP accounts are also required. Here comes the second step of our plan – Vulnerability exploitaon. exploitaon.

► Vulnerability

exploitation

This step is straighorward. straighorward. Aer we gure out which services and web applicaons are available, we can nd out if these services have a vulnerability for us to exploit. As long as the SAP NetWeaver NetWeaver J2EE applicaon server is considered, there are mulple loopholes (from Verb Tampering vulnerability in the CTC web service and Invoker servlet to P4 Authencaon bypass, mulple XXEs, and SSRF issues in K2EE web services) idened years ago. All of them sll exist in almost every SAP Implementaon. Nonetheless, some clients do take care of SAP Security and have eliminated so-called "low-hanging fruits." It is the thing that disnguishes true pentesters from a “script-kiddie” “script-kiddie” or a vulnerability scanner. scanner. Real pentesters tries to nd new vulnerabilies even if there is no obvious way to do it. In doing so, they consider what is needed. Actually, pentesters pentesters already have some informaon about a system – usernames. Therefore, by laying their hands on at least a password hash pentesters ensure their victory.

11

 

How can they do this? Certain vulnerabilies may give access to it, and they are SQL Injecons. SQL injecons are common for tradional applicaons, but they are a rare occurrence in SAP (see Table 1). This type of vulnerabilies allows aackers to inject their own malicious SQL commands. These command legimate a request and paves the way for accessing crical data stored in a database (e.g., business data, user passwords, and bank account informaon). By using SQL injecons, aackers try to get credit cards dates, user passwords, social cards informaon, etc. Vulnerability type

  Place in stascs

global   CWE-ID

Place in SANS 25

  Place in OWASP TOP 10

XSS

2

CWE-79

2

3

Missing Authorizaon Checks

5

CWE-862

3

7

Directory Traversal 6

CWE-22

10

4

Conguraon Issues

N/A

N/A

5

4

CWE-89

4

1

3

CWE-200

12

8

Disclosure Cross-Site Request 7 Forgery

CWE-352

8

6

Overows (DoS, RCE)

CWE-120

?

N/A

CWE-94

7

1

CWE-308

7

2

SQL Injecons Informaon

1

Conde Injecon Hardcoded Credenals

N/A

Table 1. Comparison of Top 10 SAP Vulnerabilies, World stasc, SANS 25, and OWASP TOP 10 In the scope of our pentest, we detected an anonymous SQL injecon vulnerability in SAP NetWea NetWeaver ver (later it was assigned the ERPSCAN-16-011 idener). It is the SAP UDDI (Universal Descripon, Discovery and Integraon) component, the most widespread one, that contains the vulnerability vulnerability.. Thus, the SAP NetWeaver versions 7.11 – 7.50 are suscepble to the threat. To exploit the vulnerability, an aacker can merely send an HTTP query of the following type: POST /UDDISecurityService/UDDISecurityImplBean HTTP/1.1 Content-Type: Content-Typ e: text/xml 5  



  x' x' AND 1=(SELECT COUNT(*) FROM BC_UDV3_EL8EM_KEY) BC_UDV3_EL8E M_KEY) or '1'='1    





12

 

The vulnerability is contained in permissionId that can keep any SQL command. When SAP gets this code, it executes it. For example, an SAP server will execute this SQL command and return a count of rows from the BC_UDV3_EL8EM_KEY table. SELECT COUNT(*) FROM BC_UDV3_EL8EM_KEY

thi s vulnerability, By exploing this vulnerabili ty, aackers can obtain the hash of user passwords password s from the UME_STRINGS table. Aer that, they will need to get passwords from the hash. There are two ways to do this: 1. Use bruteforce attack 2. Find another vulnerability in password crypto algorithm

► Privilege escalation Aer exploitaon, we may have access to the system but the access is restricted to parcular acons. In other words, we need to escalate our privileges by using a chain of vulnerabilies. The rst part of the pentest has provided us with some valuable informaon, but it is not enough in our case. We have usernames and password hashes, but sll, do not have passwords. While nishing the project we we came across a vulnerability in the password encrypon funconality in SAP NetWeaver (ERPSCAN-16-003). When a user with a password is created in an SAP syst system, em, the password is secured with encrypon. e ncrypon. The funcon that makes it possible is HashWithIteraons stored in PasswordHash.class. PasswordHash.class. SAP SE has made a mistake during the realizaon of the encrypon algorithm, and as a result, the password is stored in its database as base64 which is not encrypon algorithm but an encoding one.

► Business Risk demonstra demonstration tion The great news is that now we have access to the system even though it may have seemed impossible in the beginning because all the known vulnerabilies were patched. Usually, a tradional pentest pentest ends here. However, However, to make a perfect pentest, it is not enough only to show access – it is also essenal to demonstrate demonstra te business risks. So, we have got an administr administrator ator account on the SAP syst system, em, for example, the one of the Manufacturing vercal. These companies use a wide range of SAP products and can manage technologic processes using the SAP MII module. SAP MII (SAP Manufacturing Integraon and Intelligence) is an applicaon for synchronizing manufacturing operaons with back-oce business processes and standar standardize dize data. Between SAP MII and technologic controllers, there is also SAP PCo. When SAP PCo receives all the control data from SAP MII, it changes the data and sends it to controllers. As we have SAP NetWeaver administrator user, we can get access to SAP MII and manage controllers are responsible for oil producon. Our research team idened several vulnerabilies in SAP xMII . These can be used as part of a mulstage mulstag e aack, starng from one of the numerous business applicaons exposed to the internet with the ulmate aim of geng control over the shop oor oor.. Industry control systems were designed without basic security measures implemented. Once cybercriminals breach a network, they gain unfeered access to all the controllers and their conguraons. Here, the result depends on perpetrators' goals and are limited only by their skills and imaginaon. For example, an aacker can change the melng 13

 

temperature so that products become more fragile. Another aack vector is a slight modicaon of the temperature instrucon of a welding seam. Both acons can lead to dire consequences if they are made during car producon or high-tech equipment manufacturing.

14

 

The Scope of the Search Quite oen a tradional approach does not work. If SAP pentesters know only a limited number of SAP vulnerabilies and downloaded free tools from the Internet, they will not be able to hack a system since some companies have installed the latest patches. In other words, it will be impossible to exploit the most common cybersecurity issues (e.g., Gatewa Gatewayy bypass, Verb Tampering, or Default Passwords). Passwords). For example, during one of the assessments, we understood that no exisng exploits worked: worked: all default passwords were changed, and pentetrang into those SAP syst systems ems seemed inconceivable. We will consider the following points which can help to perform a hardcore SAP pentesng: 1. SAP servlets and applications that should be viewed as a matter of priority to find 0-day vulnerabilities; 2. the rights for applications existing in an SAP system; 3. the features of a blind SQL injection in an SAP syst system; em; 4. the options of privilege escalation; 5. the way to execute arbitrary code from the application access level and gain full access to OS.

If there is no public vulnerability, 0-days should be looked for. To search for vulnerabilies in SAP systems, syst ems, it is necessary necessary,, to idenfy the types of apps exisng in an SAP system. There are several types of web applicaons that are installed and run together with the system: • • • • •

servlet; webdynpro; portal apps; service; extensions, core lib's, interfaces, but they will not be taken into account.

In SAP Servlets, apps webdynpro and portal applicaons are installed in the following folder:

C:\usr\sap\%SID%\J00\j2ee\ C:\usr\sap\%S ID%\J00\j2ee\cluster\apps cluster\apps the directory of service applicaons is: C:\usr\sap\%S C:\usr\sap\%SID%\J00\j2ee\ ID%\J00\j2ee\cluster\bin\ cluster\bin\ services; where %SID% is the SID of an SAP system. In our case, the SID is DM0. Each applicaon has privileges that are predened by developers. A user can use an applicaon with these privileges only. By default, SAP NetWeaver AS Java has four types of rights: 1. no safety - an application is available to all users and does not require authorization; 2. low safety - an application is available to authenticated users; 3. medium safety - an application is available to content admin user or admin system; 4. high safety - a medium application is available to content admin user or admin system.

All access rights to the applicaons are described in the webdynpro.xml, web.xml conguraon les, and for portal apps, it is portalapp.xml.

15

 

As menoned above, we are interested in the applicaons that do not require authencaon. To To nd them, we need to get the list of applicaons using a simple le search. The applicaons that sasfy the search condion are found in a few minutes, and one of them is the component tc~rtc~coll.appl.rtc~wd_chat . Its conguraon le is located by the following address:

C:\usr\sap\%SID%\J00\j2ee\cluster\apps\ C:\usr\sap\%SID%\J00\j2ee\ cluster\apps\sap.com\tc~rtc sap.com\tc~rtc~coll.appl.rt~coll.appl.rtc~wd_chat\servlet_jsp\webd c~wd_chat\ser vlet_jsp\webdynpro\resourc ynpro\resources\sap.com\tc~ es\sap.com\tc~rtc~coll.appl rtc~coll.appl. . rtc~wd_chat\root\WEB-INF\w rtc~wd_chat\r oot\WEB-INF\webdynpro.xml ebdynpro.xml and has the following code (see Fig. 2):

Fig. 2. Cong le code As seen from the descripon, this component has two applicaons that can be called from a browser: Chat and Messages. Accordingly,, the applicaons will be available at the addresses: Accordingly 1. http:/SAP_IP:SA http:/SAP_IP:SAP_PORT/webdynpr P_PORT/webdynpro/resources/s o/resources/sap.com/tc~rtc~coll.appl.rt ap.com/tc~rtc~coll.appl.rtc~wd_chat/Chat# c~wd_chat/Chat# http:/SAP_IP:SAP_PORT/webdynpro/resources/sa /webdynpro/resources/sap.com/tc~rtc~coll.appl.rtc~wd_chat/ p.com/tc~rtc~coll.appl.rtc~wd_chat/ 2. http:/SAP_IP:SAP_PORT Messages#

16

 

► SAP Information disclosure Let us open the Chat app and see what funconality it has (Fig. 3).

Fig. 3. Chat app funconality Aer following the address, an anonymous servlet with message wring funconality is opened. If we click the "Add parcipant" buon, a window that allows adding users to the Chat will be opened (see Fig. 4).

1 2

3

Fig. 4. Adding parcipant to the Chat If we select a user user,, it will be clear that we can get a list of all users and, consequently, consequently, their logins (see Fig. 5).

17

 

Fig. 5. Geng the list of users and their logins So, we have found an anonymous service and received the login of an administrator administrator named John. Then all we need is to know its account password. password.

► SAP SQL injection Proceeding with our search for vulnerabilies in anonymous servlets, we come across one funconal component tc~uddi. There are three services in it (see Fig. 6).

Fig. 6. Services in the tc~uddi component The most interesng among them is C:\usr\sap\DM0 C:\usr\sap\DM0\J00\j2ee\clu \J00\j2ee\cluster\apps\sap ster\apps\sap. . com\tc~uddi\servlet_jsp\UD com\tc~uddi\s ervlet_jsp\UDDISecuritySer DISecurityService vice If we open the congura conguraon on le at C:\usr\sap\DM C:\usr\sap\DM0\J00\j2ee\clu 0\J00\j2ee\cluster\apps\sap ster\apps\sap.com\ .com\ tc~uddi\servlet_jsp\UDDISe tc~uddi\servl et_jsp\UDDISecurityService curityService\root\WEB-INF\ \root\WEB-INF\web.xml web.xml we will see the content (see Fig. 7).

18

 

Fig. 7. The content of UDDISecurityService The "servlet-class" eld indicates that this servlet uses the SOAP methods to transfer and receive data, The name of the servlet is UDDISecurityImplBean. Aertheaddress http://nw74:50000/UDDISecurityService/UDDISecurityImplBean   is opened in the browser, browser, the following message is displayed (see Fig. 8):

Fig. 8. Error Report message The UDDISecurityImplBean servlet does not accept GET requests. To understand understand which POST requests to send, it is sucient to add the "?wsdl" key to the URL . Here we got wsdl descripon of the UDDI Security Service (see Fig. 9).

19

 

Fig. 9. wsdl descripon To convert a wsdl le into soap requests, we can use burp with the wsdler extension (see Fig. 10).

Fig. 10. Operang wsdler extension

20

 

When an SOAP request is sent to the SAP server and then the deletePermissionById funcon is called with the permissionId parameter, parameter, the server sends a request and responds with the 200 code (see Fig. 11).

Fig. 11. Server requests and response It means that the server has processed the request successfully. successfully. Nevertheless, to understand what logic is built into the program, we need to nd the source code on the server server.. The root directory of the component C:\usr\sap\DM0\J00\j2ee\cluster\apps\sap.com\tc~uddi looks like this (see Fig. 12):

Fig. 12. Root directory of the component The EJBContainer folder oen stores JAR les used in the context of the component. This me, the server has a JAR le with the following path: C:\usr\sap\D C:\usr\sap\DM0\J00\j2ee\c M0\J00\j2ee\cluster\apps\ luster\apps\ sap.com\tc~uddi\EJBContainer\applicationjars\tc~esi~uddi~server~ejb~ejbm.jar To get the source code for Java programs, we can use JD-GUI Decompiler. Once this jar le is opened, the classes that are implemented in this program are displayed (see Fig. 13).

21

 

Fig. 13. The classes implemented into the program It is quite evident there are the UDDISecurityBean, AppluPermission and DeletePermissionById classes in the program. Let us analyze the UDDISecurityBean class (see Fig. 14).

Fig. 14. The UDDOSecurityBean class

22

 

Here, it says that the implementaon of the deletePermissionById  and applyPermission  funcons is described in the PermissionsDao  class (see Fig. 15).

Fig. 15. The PermissionsDao class Here is a typical SQL injecon that does not require authencaon for its exploitaon. Let us send our favorite favorit e quotaon mark in the SOAP request and see what we will get in response (see Fig. 16).

Fig. 16. SOAP request and response to it So, there is no error in response, and now we need to see what is in the logs database and what is its last entry (see Fig. 17).

By default, all logs of the SAP program are stored in C:\usr\sap\DM0\J00\j2ee\cluster\ server0\log And a log le of the database is located in: C:\usr\sap\DM0\J00\j2ee\cluster\server0\log\system\ database_00.0.log

23

 

Fig. 17. Database log Everything is conrmed. Now we have an SQL injecon in SAP NetWeaver AS Java. Thus, to compromise compromise an SAP system, it is necessary to obtain an administr administrator ator password hash or even a password hash of any user from the database. Proceeding with our pentesng, we should answer a simple queson: "Even if we have a password hash, how can we decrypt it?"

► Crypto issue In order to obtain the password using SQL injecon, rst, we need to know which table stores passwords. To connect to the data stored stored in the database, we can apply the standard isql ulity as our database is Sybase ASE. To connect to the database in the console mode, we open a command line window and run the following commands:

Fig. 18. Connecng to the database

24

 

Here, we have SAP server with DM0 SID. We will use the DM0 database (see Fig. 19).

Fig. 19. DM0 database According to the SAP documentaon, SAP AS Java user passwords are stored in the User Management Engine (UME) in the UME_STRINGS table. There are two main elds in the UME_STRINGS table: PID and VAL. The PID eld keeps the Administrator ID, and VAL stores the password in an encrypted form with SHA as a prex. The request is as follows: SELECT PID, VAL FROM SAPSR3DB.UME_STRINGS WHERE PID LIKE '%Administrator%' and VAL LIKE '%SHA%' Here is the result of the program operaon (see Fig. 20):

Fig. 20. The result of the program operaon PID is UACC.PRIVATE_DATASOURCE.un:Administrator VAL is {SHA-512, 10000, 24}MTIzUVdFYXNk88FxuYamodVV2ycvIqBU80lPPUD8twAOhZ/ AUSezf4Reou4uFpqth9lDpefHZ1JOuzfILlHY AUSezf4Reou4uFpqt h9lDpefHZ1JOuzfILlHYQv4LhheyzoQMAng5pOkvHz5bZXJ+SGps Qv4LhheyzoQMAng5pOkvHz5bZXJ+SGpsyrju3UtBkmRQ== yrju3UtBkmRQ== It is evident enough that the SHA-512 hash is used which is calculated 10.000 mes. One may say it hinder those who tries to bruteforce the hash, but not in this case. This is what we got by decoding base64 (see Fig. 21).

25

 

Fig. 21. Decoding base64 It turns out that SAP made a mistake and the password is stored insecurely in base64. However, how could it fail to noce this error in such a crical place? Aer a couple of hours of researching, we have nally idened the funcon responsible for the encrypon and password storage. This JAR le encrypts and checks the password validity:

C:\usr\sap\DM0\J00\j2ee\cluster\bin\ext\com.sap.security.core.sda\ lib\private\sap.com~tc~sec lib\private\s ap.com~tc~sec~ume~core~imp ~ume~core~impl.jar l.jar To nd the necessary nec essary class in this le, it is enough to look for magic data, "SHA-512", in JD-GUI (see FIg. 22).

Fig. 22. SHA-512 in JD-GUI Done. PasswordHash.class PasswordHash.class is found. In the class, there is exactly what we need (see Fig. 23).

26

26  

Fig. 23. The Passwor PasswordHash dHash class is found The main funcon of the class may come in handy to understand understand how the hash funcon works (see Fig. 24).

Fig. 24. The Hash funcon in opearaon First of all, it is the inializaon of the PasswordHash class (see Fig. 25)

Fig. 25. The inializaon of the PasswordHash PasswordHash class

27  

Aer that, the getHash(); funcon is called (see Fig. 26).

Fig. 26. Calling the getHash(); funcon The lines from 87 to 113 show the variables are currently being checked and inializing, and the line 114 indicates a call of the createHashWithIteraons funcon that takes a data set of 24-character length. To demonstrate this feature, feature, we will write a wrapper for it in the debugger and see which data is sent. Below, is the full code of the class that is responsible for hashing the password in SAP. Let us run it and see how it works (see Fig. 27).

28  

Fig. 27. The code of the class in operaon We chose the asdQWE123 combinaon as a password. It is worth menoning that the inializaon of two special parameters carries out in the createHashWithIteracons  funcon. They are "output" and "pass_n_salt" transferred to the nal hash funcon - hashWithIteracons (see Fig. 28).

29  

Fig. 28. output and pass_n_salt in operaon More details on the hashWithIteracons  funcon are provided below (see Fig. 29)

Fig. 29. The hashWithIteracons funcon All the work the key has performed related to hashing is presented in the lines 40-45. The block diagram illustrates illustra tes the work of these lines (see Fig. 30). NO

YES i