Real SAP Backdoors
Andreas Wiegenstein, Dr. Markus Schumacher
Troopers12, Heidelberg, March 19th - 23rd
© 2012 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.

My car, my house, my boat, …
Andreas Wiegenstein
Founder of Virtual Forge (Heidelberg), responsible for Research & Development
SAP Security Researcher, active since 2003
Received credits from SAP for more than 20 reported 0-day vulnerabilities
Frequent speaker at international conferences: SAP TechEd 2004 (USA & Europe) / 2005 (USA) / 2006 (USA), DSAG 2009, BlackHat 2011 (Europe), Hack in the Box 2011 (Europe), Troopers 2011, RSA 2012 (USA)
Co-author of „Sichere ABAP Programmierung" (SAP Press)
Training class WDESA3 @ SAP University

http://tinyurl.com/0daycredit

Contents
1. What is a Backdoor?
2. SAP Technology / Security Basics
3. SAP Backdoors
4. How do you prevent Backdoors?
5. Summary

What is a backdoor?

Some Search Engine Results…
This is NOT the topic of this talk. No way.

More Search Engine Results…
Also NOT the topic of this talk.

Own research

Wikipedia on Backdoors
“A backdoor in a computer system [...] is a method of bypassing normal authentication, securing remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected.” (March 2012)

Definition of a Backdoor in Software
“A backdoor in software is a hidden feature that was designed to bypass a security mechanism.” (Troopers, March 2012)
Characteristics:
1. Covertness
2. Bypass
3. Intent

SAP Technology / Security Basics

ABAP
Advanced Business Application Programming
Proprietary language, exact specification not (freely) available
Platform-independent code
Built-in transport system and version control
Various programming paradigms: Programs & Forms, Reports, Function Modules, Dynpros, Classes & Methods, Business Server Pages, Web Dynpro ABAP
Integrated platform-independent SQL standard: Open SQL
Built-in authentication, roles and authorization model
ABAP runs with very high privileges
ABAP uses an explicit authorization model

Remote Function Call (RFC)
Diagram: Client or SAP Server -> (RFC) -> SAP Server
S_RFC authorization required to call Function Modules remotely
> 33.000 RFC-enabled Function Modules on ECC 6.0
RFC authorizations are complex to maintain

ABAP Reports
Reports can only be executed locally via restricted transactions
~ 220.000 ABAP reports on ECC 6.0 in the SAP standard
ABAP command SUBMIT executes reports and checks authorizations
Authorization is checked only if an Authorization Group is maintained

SAP Backdoors

Case #1 – OS Commands
Controlled Operating System (OS) Command Execution
Diagram: ABAP program calls OS command 'LIST' -> SM49 / SM69 map the logical command to an OS command (LIST -> 'ls', PING -> 'ping', X_PYTHON -> 'x_python') -> OS executes 'ls'
OS Commands must be pre-defined by Admin (white list)
OS Commands must be executed through special API (SXPG_CALL_SYSTEM / SXPG_COMMAND_EXECUTE)
Execution requires special authorization (S_LOG_COM)

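The slide describes three controls around OS command execution: an administrator pre-defines logical commands (SM49 / SM69), programs call them only through the SXPG API, and the caller needs the S_LOG_COM authorization. The Python model below is an added example, not code from the talk and not SAP's implementation; it shows the same three controls in one small dispatcher. The command table, the user authorizations and the parameter patterns are constructed sample data, and build_argv, is_allowed and run_logical_command are hypothetical names.

```python
"""Model of the controlled OS command execution described on the slide.
Added example (not SAP code): the command table, the user authorizations
and the parameter patterns are constructed sample data."""
import re
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class LogicalCommand:
    executable: str      # fixed binary chosen by the administrator
    fixed_args: tuple    # arguments that are always passed
    param_pattern: str   # regex a caller-supplied parameter must match


# Administrator-maintained white list, standing in for SM49 / SM69 entries
# (constructed; the slide shows LIST -> ls and PING -> ping)
COMMAND_TABLE = {
    "LIST": LogicalCommand("ls", ("-l",), r"[A-Za-z0-9_./-]*"),
    "PING": LogicalCommand("ping", ("-c", "1"), r"[A-Za-z0-9.-]+"),
}

# Constructed user -> logical command authorizations, standing in for S_LOG_COM
USER_AUTH = {"ADMIN": {"LIST", "PING"}, "DEV1": {"LIST"}}


class CommandRejected(Exception):
    """Raised when the call does not pass the white list or the authorization."""


def build_argv(user, logical_name, parameter=""):
    """Resolve a logical command to an argv list or raise CommandRejected."""
    cmd = COMMAND_TABLE.get(logical_name)
    if cmd is None:
        raise CommandRejected(f"{logical_name!r} is not a defined OS command")
    if logical_name not in USER_AUTH.get(user, set()):
        raise CommandRejected(f"user {user} lacks authorization for {logical_name}")
    if parameter and not re.fullmatch(cmd.param_pattern, parameter):
        raise CommandRejected(f"parameter {parameter!r} not allowed for {logical_name}")
    argv = [cmd.executable, *cmd.fixed_args]
    if parameter:
        argv.append(parameter)
    return argv


def is_allowed(user, logical_name, parameter=""):
    """True if build_argv would accept the call."""
    try:
        build_argv(user, logical_name, parameter)
        return True
    except CommandRejected:
        return False


def run_logical_command(user, logical_name, parameter=""):
    """Execute the resolved argv without a shell, so shell metacharacters in
    the parameter can never turn into a second command."""
    argv = build_argv(user, logical_name, parameter)
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    print(build_argv("ADMIN", "LIST", "/tmp"))
    for call in [("ADMIN", "LIST", "/tmp; id"), ("DEV1", "PING", "localhost"), ("ADMIN", "SH", "")]:
        try:
            build_argv(*call)
        except CommandRejected as exc:
            print("rejected:", exc)
```

The function module shown on the next slides sidesteps every one of these controls at once: the command is not looked up in an administrator table, no authorization is checked, and the string reaches the kernel call unchanged.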
Case #1 – Code (1)
FUNCTION oiuh_submit_unix_call.
*"-------------------------------------------------------------------
*"*"Local interface (simplified excerpt):
*"  IMPORTING
*"     VALUE(SCRIPT_NAME) LIKE  FILENAME-FILEINTERN
*"     VALUE(LOGICAL_PATH) LIKE  RLGRAP-FILENAME
*"  TABLES
*"      RESULTS STRUCTURE  OIUH_SYS_CONSOLE
*"      SCRIPT_DATA STRUCTURE  OIUH_SYS_CONSOLE
*"  EXCEPTIONS
*"      CALL_FAILURE
*"--------------------------------------------------------------------

Case #1 – Code (2)
DELETE DATASET script_name.
OPEN DATASET script_name FOR OUTPUT IN TEXT MODE ENCODING DEFAULT.
LOOP AT script_data.
  TRANSFER script_data TO script_name.
ENDLOOP.
CLOSE DATASET script_name.

* CHANGE THE FILE MODE TO EXECUTE.
CONCATENATE 'chmod 777' script_name INTO unix_command SEPARATED BY space.
...
CALL 'SYSTEM' ID 'COMMAND' FIELD unix_command
              ID 'TAB'     FIELD results-*sys*.
...
* Execute the actual command
CALL 'SYSTEM' ID 'COMMAND' FIELD script_name
              ID 'TAB'     FIELD results-*sys*.

Case #1 – Backdoor (?)
Function Module oiuh_submit_unix_call is designed to execute arbitrary OS commands, bypassing the white list defined in SM49/69.
Characteristics:
1. Covertness
2. Bypass
3. Intent

Case #1 – Side Notes
Function Module oiuh_submit_unix_call2 is an exact copy of oiuh_submit_unix_call.
Both Function Modules also contain a Directory Traversal vulnerability.
VF Advisories: SAP-BACK-01 and SAP-BACK-02
SAP Notes: 1560360 and 1558010
SAP CVSS Base Score: 6.0
SAP CVSS Base Vector: AV:N/AC:M/AU:S/C:P/I:P/A:P

Case #2 – ABAP Development
System Separation
Diagram: DEV -> Transport -> TEST -> Transport -> PROD
Development process is well defined: DEV, TEST, PROD
All ABAP code is tested before productive use
No development possible on productive system

Case #2 – Code (1)
FUNCTION rs_functionmodule_insert.
*"-------------------------------------------------------------------
*"*"Local Interface (simplified excerpt):
*"  IMPORTING
*"     VALUE(FUNCNAME) LIKE  RS38L-NAME
*"     VALUE(FUNCTION_POOL) LIKE  RS38L-AREA
*"     VALUE(REMOTE_CALL) LIKE  RS38L-REMOTE DEFAULT SPACE
*"     VALUE(SHORT_TEXT) LIKE  TFTIT-STEXT
*"     VALUE(SUPPRESS_CORR_CHECK) LIKE  RS38L-EXTERN DEFAULT 'X'
*"     VALUE(SUPPRESS_LANGUAGE_CHECK) LIKE  RS38L-HEAD DEFAULT 'X'
*"     VALUE(AUTHORITY_CHECK) LIKE  RS38L-HEAD DEFAULT 'X'
*"     VALUE(SAVE_ACTIVE) LIKE  RS38L-HEAD DEFAULT 'X'
*"  TABLES
*"      SOURCE STRUCTURE  RSSOURCE OPTIONAL

Case #2 – Code (2)
...
CALL FUNCTION 'RS_ACCESS_PERMISSION'
  EXPORTING
    ...
    authority_check = authority_check
    ...
IF sy-subrc = 0.
  ...
  l_source = source[].
  LOOP AT l_source INTO l_line.
    INSERT l_line INTO code INDEX tabix.
    tabix = tabix + 1.
  ENDLOOP.
  INSERT REPORT rs38l-include FROM code.
ENDIF.

Case #2 – Code (3)
FUNCTION rs_access_permission.
*"---------------------------------------------------------------------
*"*"Local interface (simplified excerpt):
*"  ...
*"  IMPORTING
*"     VALUE(AUTHORITY_CHECK) DEFAULT 'X'
...
l_authority_check = authority_check.

Case #2 – Code (4)
...
CASE mode.
  WHEN 'MODIFY'.
    IF l_authority_check NE ' '.
      PERFORM accp_authority USING    modus
                                      object
                                      object_class
                                      auth_object
                                      s_develop
                             CHANGING trdir_inf.
    ENDIF.

Case #2 – Backdoor (?)
Function Module rs_functionmodule_insert is designed to create arbitrary remote-executable ABAP code, bypassing the TEST system.
Characteristics:
1. Covertness
2. Bypass
3. Intent

Case #2 – Side Notes
VF Advisory: SAP-BACK-03
SAP Note: 1589919
CVSS Base Score: 3.5
CVSS Base Vector: AV:N/AC:M/AU:S/C:N/I:P/A:N

Case #3 – Code (1)
FUNCTION RKC_FUNCTION_INTERFACE_GEN.
*"-------------------------------------------------------------------
*"*"Local interface (simplified excerpt):
*"  EXPORTING
*"     REPID LIKE  SY-REPID
*"  TABLES
*"      REP_TAB STRUCTURE  RFCLINE
*"  EXCEPTIONS
*"      NOT_INSERTED
*"--------------------------------------------------------------------

Case #3 – Code (2)
DATA: BEGIN OF REP OCCURS 20.
        INCLUDE STRUCTURE ABAPTEXT.
DATA: END OF REP.

REFRESH REP.
LOOP AT REP_TAB.
  REP = REP_TAB.
  APPEND REP.
ENDLOOP.
REPID = 'RKCINTER'.
INSERT REPORT REPID FROM REP.
IF SY-SUBRC <> 0.
  RAISE NOT_INSERTED.
ENDIF.
ENDFUNCTION.

Case #3 – Intermission
Now we can create a report with arbitrary content.
But (how) can we execute it (remotely)?

Case #3 – Code (3)
FUNCTION HR99B_PARALLEL_REPORT_RUN.
*"-------------------------------------------------------------------
*"*"Local Interface (simplified excerpt):
*"  IMPORTING
*"     VALUE(REPID) TYPE  TRDIR-NAME
*"  TABLES
*"      VALUTAB STRUCTURE  RSPARAMS
*"  CHANGING
*"     VALUE(CV_TASK_NAME) TYPE  HR99B_TASK_NAME OPTIONAL
*"--------------------------------------------------------------------
  SUBMIT (REPID) WITH SELECTION-TABLE VALUTAB AND RETURN. "#EC CI_SUBMIT
ENDFUNCTION.

Case #3 – Backdoor (?)
Function Module RKC_FUNCTION_INTERFACE_GEN is designed to create a report that contains arbitrary ABAP code, bypassing the TEST system.
Function Module HR99B_PARALLEL_REPORT_RUN is designed to execute reports remotely.
Characteristics:
1. Covertness
2. Bypass
3. Intent

Case #3 – Side Notes
VF Advisory: SAP-BACK-06
SAP Note: 1592312
CVSS Base Score: 3.5
CVSS Base Vector: AV:N/AC:M/AU:S/C:N/I:P/A:N
VF Advisory: SAP-BACK-04
SAP Note: 1558284
CVSS Base Score: 8.2
CVSS Base Vector: AV:N/AC:M/AU:S/C:C/I:C/A:P

Case #4 – SAP Transaction RSRV
Characteristics:
1. Covertness
2. Bypass
3. Intent

Case #5 – The Three Developers
Security audits of a BSP (Web) application of an SAP customer
One of the pages appeared to be blank
In the source code, the page checked for the usernames of three external developers…
…and would allow them to read data from a table of their choice in the SAP database: financial data, production data, HR data, …

Case #5 – Backdoor (!)
Generic table reader in a BSP page.
Characteristics:
1. Covertness
2. Bypass
3. Intent
A nice backdoor and 100% remote accessible

How do you prevent Backdoors?

Anti-Backdoor Recommendations (1)
Perform peer reviews of all code
The backdoor can be everywhere
Check for proprietary authorization logic / unusual options
Check for (unexpected) modifications to the database
Check for generic database access
Prohibit certain coding practices by strict guidelines, but don't rely on them

Anti-Backdoor Recommendations (2)
Use static code analysis to detect suspicious code
Check for command execution based on input (ABAP, operating system)
Expect stealth techniques: dynamic ABAP, hidden OK codes, #EC suppression, …

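The recommendations above (peer review for generic database access and proprietary authorization logic, static analysis for input-driven command execution, and an eye for stealth techniques such as dynamic ABAP and #EC suppression) can be illustrated with a small rule-based scanner. The Python below is an added example, not Virtual Forge's product or any SAP tool; its rules pick up the constructs seen in cases #1, #2, #3 and #5: CALL 'SYSTEM', INSERT REPORT and GENERATE SUBROUTINE POOL, SUBMIT with a variable report name, dynamic table names, behaviour keyed to hard-coded user names, and pseudo-comments that silence a check. The ABAP it scans is a constructed sample, and scan_abap, split_comment and rules_hit are hypothetical helper names.

```python
"""Minimal rule-based scanner for suspicious ABAP constructs.
Added example (not Virtual Forge's or SAP's tooling); SAMPLE is constructed."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line rule text")

# rule id -> (regex, description); regexes run on the statement with comments stripped
RULES = {
    "OS_KERNEL_CALL": (re.compile(r"\bCALL\s+'SYSTEM'", re.I),
                       "direct OS command via CALL 'SYSTEM' bypasses the SM49/SM69 white list"),
    "CODE_GENERATION": (re.compile(r"\b(INSERT\s+REPORT|GENERATE\s+SUBROUTINE\s+POOL)\b", re.I),
                        "ABAP code generated at runtime bypasses the DEV/TEST/PROD transport path"),
    "DYNAMIC_SUBMIT": (re.compile(r"\bSUBMIT\s+\(", re.I),
                       "report name taken from a variable: arbitrary report execution"),
    "DYNAMIC_TABLE": (re.compile(r"\b(FROM|UPDATE|MODIFY|INSERT)\s+\(", re.I),
                      "table name taken from a variable: generic database access"),
    "HARDCODED_USER": (re.compile(r"\bSY-UNAME\s*(=|EQ|NE|<>|IN)\s*'", re.I),
                       "behaviour keyed to a hard-coded user name"),
}
# "#EC <check> pseudo-comments tell the code inspector to skip a finding
EC_SUPPRESSION = re.compile(r'"#EC\s+(\w+)')


def split_comment(line):
    """Return (code, comment). A '*' in column 1 is a full-line comment; a
    double quote outside a string literal starts an end-of-line comment."""
    if line.startswith("*"):
        return "", line
    in_literal = False
    for i, ch in enumerate(line):
        if ch == "'":
            in_literal = not in_literal
        elif ch == '"' and not in_literal:
            return line[:i], line[i:]
    return line, ""


def scan_abap(source):
    """Run every rule over every line and return the findings in source order."""
    findings = []
    for no, raw in enumerate(source.splitlines(), start=1):
        code, comment = split_comment(raw)
        for rule, (rx, desc) in RULES.items():
            if rx.search(code):
                findings.append(Finding(no, rule, desc))
        m = EC_SUPPRESSION.search(comment)
        if m:
            findings.append(Finding(no, "EC_SUPPRESSION",
                                    f"check {m.group(1)} silenced by pseudo-comment"))
    return findings


# Constructed sample modelled on the constructs shown in the talk
SAMPLE = """\
FUNCTION z_sample.
* legitimate static access
  SELECT SINGLE * FROM usr02 INTO ls_user WHERE bname = sy-uname.
  IF sy-uname = 'DEVEXT1' OR sy-uname = 'DEVEXT2'.
    SELECT * FROM (lv_table) INTO TABLE lt_data.  "generic reader
  ENDIF.
  CALL 'SYSTEM' ID 'COMMAND' FIELD lv_cmd ID 'TAB' FIELD lt_res.
  INSERT REPORT lv_name FROM lt_code.
  SUBMIT (lv_name) WITH SELECTION-TABLE lt_sel AND RETURN. "#EC CI_SUBMIT
ENDFUNCTION.
"""


def rules_hit(source=SAMPLE):
    """Set of rule ids triggered; suitable for gating a transport release."""
    return {f.rule for f in scan_abap(source)}


if __name__ == "__main__":
    for f in scan_abap(SAMPLE):
        print(f"line {f.line:3d}  {f.rule:16s}  {f.text}")
```

Every hit is a review trigger rather than a verdict: the static select against usr02 on line 3 produces nothing, while the dynamic table name, the hard-coded developer names and the silenced SUBMIT check on the other lines are exactly the places a reviewer should read by hand.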
Summary

SAP Backdoor Summary
ABAP code can have backdoors
Backdoors are difficult to spot: designed to be covert, „Needle in the haystack“
Check the background of your (external) developers
Perform code audits before productive use
Perform static code analysis as additional line of defense

ABAP Security Resources
Links
SAP Security Advisories researched by Virtual Forge: http://www.codeprofilers.com/index.php/advisories.html
Organizations
BIZEC – Business Security Initiative: http://www.bizec.org
Literature
Sichere ABAP-Programmierung (SAP PRESS, 372 pages, 2009)
Andreas Wiegenstein, Markus Schumacher, Sebastian Schinzel, Frederik Weidemann

Questions?
McFly: “Listen, you got a backdoor to this place?”
Bartender: “Yeah, it's in the back.”
(Back to the Future III, 1990)

Contact Information
VIRTUALFORGE GmbH
[email protected]
Speyerer Straße 6, 69115 Heidelberg, Germany
Phone: + 49 (0) 6221 86 89 0 - 0
Fax: + 49 (0) 6221 86 89 0 - 101

Disclaimer
SAP, R/3, ABAP, SAP GUI, SAP NetWeaver and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only.
The authors assume no responsibility for errors or omissions in this document. The authors do not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.
The authors shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of this document. Hippies are not supposed to read this. No exceptions. No part of this document may be reproduced without the prior written permission of Virtual Forge GmbH. © 2012 Virtual Forge GmbH.