Real SAP Backdoors - TROOPERS conference


Real SAP Backdoors

Troopers12, March 19th - 23rd, Heidelberg

© 2012 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.

My car, my house, my boat, …

Andreas Wiegenstein

- Founder of Virtual Forge (Heidelberg), responsible for Research & Development
- SAP Security Researcher, active since 2003
- Received credits from SAP for more than 20 reported 0-day vulnerabilities
- Frequent speaker at international conferences
  - SAP TechEd 2004 (USA & Europe) / 2005 (USA) / 2006 (USA), DSAG 2009
  - BlackHat 2011 (Europe), Hack in the Box 2011 (Europe)
  - Troopers 2011, RSA 2012 (USA)
- Co-author of „Sichere ABAP Programmierung" (SAP Press)
- Training Class WDESA3 @ SAP University

http://tinyurl.com/0daycredit

CONTENTS

1. What is a Backdoor?
2. SAP Technology / Security Basics
3. SAP Backdoors
4. How do you prevent Backdoors?
5. Summary

What is a backdoor?

Some Search Engine Results…

This is NOT the topic of this talk. No way.

More Search Engine Results…

Also NOT the topic of this talk.

Own research

Wikipedia on Backdoors

“A backdoor in a computer system [...] is a method of bypassing normal authentication, securing remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected.” (March 2012)

Definition of a Backdoor in Software

“A backdoor in software is a hidden feature that was designed to bypass a security mechanism.” (Troopers, March 2012)

Characteristics:
1. Covertness
2. Bypass
3. Intent

SAP Technology / Security Basics

ABAP

- Advanced Business Application Programming
- Proprietary language, exact specification not (freely) available
- Platform-independent code
- Built-in transport system and version control
- Various programming paradigms:
  - Programs & Forms, Reports, Function Modules, Dynpros
  - Classes & Methods, Business Server Pages, Web Dynpro ABAP
- Integrated platform-independent SQL standard: Open SQL
- Built-in authentication, roles and authorization model
- ABAP runs with very high privileges
- ABAP uses an explicit authorization model

Remote Function Call (RFC)

[Diagram: Client or SAP Server -> (RFC) -> SAP Server]

- S_RFC authorization required to call Function Modules remotely
- > 33.000 RFC-enabled Function Modules on ECC 6.0
- RFC authorizations are complex to maintain

ABAP Reports

- Reports can only be executed locally via restricted transactions
- ~ 220.000 ABAP reports on ECC 6.0 in the SAP standard
- ABAP command SUBMIT executes reports and checks authorizations
- Authorization is checked only if an Authorization Group is maintained

SAP Backdoors

Case #1 – OS Commands

Controlled Operating System (OS) Command Execution

[Diagram: ABAP "CALL OS 'LIST'" -> SM49 / SM69 command table (Command LIST -> Program ls, Command PING -> Program ping, e.g. PING X_PYTHON) -> OS executes 'ls', 'ping x_python']

- OS Commands must be pre-defined by Admin (white list)
- OS Commands must be executed through special API (SXPG_CALL_SYSTEM / SXPG_COMMAND_EXECUTE)
- Execution requires special authorization (S_LOG_COM)

Case #1 – Code (1)

FUNCTION oiuh_submit_unix_call.
*"-------------------------------------------------------------------
*"*"Local interface (simplified excerpt):
*"  IMPORTING
*"     VALUE(SCRIPT_NAME) LIKE  FILENAME-FILEINTERN
*"     VALUE(LOGICAL_PATH) LIKE  RLGRAP-FILENAME
*"  TABLES
*"      RESULTS STRUCTURE  OIUH_SYS_CONSOLE
*"      SCRIPT_DATA STRUCTURE  OIUH_SYS_CONSOLE
*"  EXCEPTIONS
*"      CALL_FAILURE
*"--------------------------------------------------------------------

Case #1 – Code (2)

DELETE DATASET script_name.
OPEN DATASET script_name FOR OUTPUT IN TEXT MODE ENCODING DEFAULT.
LOOP AT script_data.
  TRANSFER script_data TO script_name.
ENDLOOP.
CLOSE DATASET script_name.

* CHANGE THE FILE MODE TO EXECUTE.
CONCATENATE 'chmod 777' script_name INTO unix_command SEPARATED BY space.
...
CALL 'SYSTEM' ID 'COMMAND' FIELD unix_command
              ID 'TAB'     FIELD results-*sys*.
...
* Execute the actual command
CALL 'SYSTEM' ID 'COMMAND' FIELD script_name
              ID 'TAB'     FIELD results-*sys*.

Case #1 – Backdoor (?)

Function Module oiuh_submit_unix_call is designed to execute arbitrary OS commands, bypassing the white list defined in SM49/69.

Characteristics:
1. Covertness
2. Bypass
3. Intent

Case #1 – Side Notes

- Function Module oiuh_submit_unix_call2 is an exact copy of oiuh_submit_unix_call.
- Both Function Modules also contain a Directory Traversal vulnerability.

VF Advisories: SAP-BACK-01 and SAP-BACK-02
SAP Notes: 1560360 and 1558010
SAP CVSS Base Score: 6.0
SAP CVSS Base Vector: AV:N/AC:M/AU:S/C:P/I:P/A:P

Case #2 – ABAP Development

System Separation

[Diagram: DEV -> Transport -> TEST -> Transport -> PROD]

- Development process is well defined: DEV, TEST, PROD
- All ABAP code is tested before productive use
- No development possible on productive system

Case #2 – Code (1)

FUNCTION rs_functionmodule_insert.
*"-------------------------------------------------------------------
*"*"Local Interface (simplified excerpt):
*"  IMPORTING
*"     VALUE(FUNCNAME) LIKE  RS38L-NAME
*"     VALUE(FUNCTION_POOL) LIKE  RS38L-AREA
*"     VALUE(REMOTE_CALL) LIKE  RS38L-REMOTE DEFAULT SPACE
*"     VALUE(SHORT_TEXT) LIKE  TFTIT-STEXT
*"     VALUE(SUPPRESS_CORR_CHECK) LIKE  RS38L-EXTERN DEFAULT 'X'
*"     VALUE(SUPPRESS_LANGUAGE_CHECK) LIKE  RS38L-HEAD DEFAULT 'X'
*"     VALUE(AUTHORITY_CHECK) LIKE  RS38L-HEAD DEFAULT 'X'
*"     VALUE(SAVE_ACTIVE) LIKE  RS38L-HEAD DEFAULT 'X'
*"  TABLES
*"      SOURCE STRUCTURE  RSSOURCE OPTIONAL

Case #2 – Code (2)

...
CALL FUNCTION 'RS_ACCESS_PERMISSION'
  EXPORTING
    ...
    authority_check = authority_check
IF sy-subrc = 0.
  ...
  l_source = source[].
  LOOP AT l_source INTO l_line.
    INSERT l_line INTO code INDEX tabix.
    tabix = tabix + 1.
  ENDLOOP.
  INSERT REPORT rs38l-include FROM code.
ENDIF.

Case #2 – Code (3)

FUNCTION rs_access_permission.
*"---------------------------------------------------------------------
*"*"Local interface (simplified excerpt):
*"  ...
*"  IMPORTING
*"     VALUE(AUTHORITY_CHECK) DEFAULT 'X'
...
l_authority_check = authority_check.

Case #2 – Code (4)

...
CASE mode.
  WHEN 'MODIFY'.
    IF l_authority_check NE ' '.
      PERFORM accp_authority USING    modus
                                      object
                                      object_class
                                      auth_object
                                      s_develop
                             CHANGING trdir_inf.
    ENDIF.

Case #2 – Backdoor (?)

Function Module rs_functionmodule_insert is designed to create arbitrary remote-executable ABAP code, bypassing the TEST system.

Characteristics:
1. Covertness
2. Bypass
3. Intent

Case #2 – Side Notes

VF Advisory: SAP-BACK-03
SAP Note: 1589919
CVSS Base Score: 3.5
CVSS Base Vector: AV:N/AC:M/AU:S/C:N/I:P/A:N

Case #3 – Code (1)

FUNCTION RKC_FUNCTION_INTERFACE_GEN.
*"-------------------------------------------------------------------
*"*"Local interface (simplified excerpt):
*"  EXPORTING
*"     REPID LIKE  SY-REPID
*"  TABLES
*"      REP_TAB STRUCTURE  RFCLINE
*"  EXCEPTIONS
*"      NOT_INSERTED
*"--------------------------------------------------------------------

Case #3 – Code (2)

DATA: BEGIN OF REP OCCURS 20.
        INCLUDE STRUCTURE ABAPTEXT.
DATA: END OF REP.

REFRESH REP.
LOOP AT REP_TAB.
  REP = REP_TAB.
  APPEND REP.
ENDLOOP.
REPID = 'RKCINTER'.
INSERT REPORT REPID FROM REP.
IF SY-SUBRC <> 0.
  RAISE NOT_INSERTED.
ENDIF.
ENDFUNCTION.

Case #3 – Intermission

Now we can create a report with arbitrary content. But (how) can we execute it (remotely)?

Case #3 – Code (3)

FUNCTION HR99B_PARALLEL_REPORT_RUN.
*"-------------------------------------------------------------------
*"*"Local Interface (simplified excerpt):
*"  IMPORTING
*"     VALUE(REPID) TYPE  TRDIR-NAME
*"  TABLES
*"      VALUTAB STRUCTURE  RSPARAMS
*"  CHANGING
*"     VALUE(CV_TASK_NAME) TYPE  HR99B_TASK_NAME OPTIONAL
*"--------------------------------------------------------------------

  SUBMIT (REPID) WITH SELECTION-TABLE VALUTAB AND RETURN. "#EC CI_SUBMIT

ENDFUNCTION.

Case #3 – Backdoor (?)

Function Module RKC_FUNCTION_INTERFACE_GEN is designed to create a report that contains arbitrary ABAP code, bypassing the TEST system.

Function Module HR99B_PARALLEL_REPORT_RUN is designed to execute reports remotely.

Characteristics:
1. Covertness
2. Bypass
3. Intent

Case #3 – Side Notes

VF Advisory: SAP-BACK-06
SAP Note: 1592312
CVSS Base Score: 3.5
CVSS Base Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N

VF Advisory: SAP-BACK-04
SAP Note: 1558284
CVSS Base Score: 8.2
CVSS Base Vector: AV:N/AC:M/AU:S/C:C/I:C/A:P

Case #4 – SAP Transaction RSRV

Characteristics:
1. Covertness
2. Bypass
3. Intent

Case #5 – The Three Developers

- Security audit of a BSP (Web) application of an SAP customer
- One of the pages appeared to be blank
- In the source code, the page checked for the usernames of three external developers…
- …and would allow them to read data from a table of their choice in the SAP database
  - Financial data
  - Production data
  - HR data
  - …

Case #5 – Backdoor (!)

Generic table reader in BSP page.

Characteristics:
1. Covertness
2. Bypass
3. Intent

A nice backdoor and 100% remote accessible

How do you prevent Backdoors?

Anti-Backdoor Recommendations (1)

- Perform peer reviews of all code
  - The backdoor can be everywhere
  - Check for proprietary authorization logic / unusual options
  - Check for (unexpected) modifications to the database
  - Check for generic database access
- Prohibit certain coding practices by strict guidelines, but don't rely on them

Anti-Backdoor Recommendations (2)

- Use static code analysis to detect suspicious code
  - Check for command execution based on input
    - ABAP
    - Operating system
  - Expect stealth techniques
    - Dynamic ABAP
    - Hidden OK Codes
    - #EC suppression
    - …
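As an added example (not from the talk and not a Virtual Forge or SAP tool), the following Python line scanner shows what the static-analysis recommendation above looks like in practice: it flags the patterns the cases in this talk are built on (direct CALL 'SYSTEM' instead of the SXPG API, INSERT REPORT, dynamic SUBMIT, generic table access, user-name checks as in the three-developers BSP page, and #EC suppressions) so a reviewer can focus on them. The rule ids, regexes and the sample ABAP are my own constructions, modelled on the fragments quoted in the slides.

```python
import re
from dataclasses import dataclass

# Heuristic rules: (rule id, regex tried per ABAP source line, why a reviewer should look).
# The patterns are the ones the talk names; rule ids and regexes are my own assumptions.
RULES = [
    ("OS_CALL_SYSTEM", r"\bCALL\s+'SYSTEM'",
     "direct kernel call: bypasses the SM49/SM69 white list and S_LOG_COM"),
    ("DATASET_WRITE", r"\bOPEN\s+DATASET\b.*\bFOR\s+OUTPUT\b",
     "writes a file on the application server: check the path (directory traversal)"),
    ("INSERT_REPORT", r"\bINSERT\s+REPORT\b",
     "creates ABAP source at runtime: bypasses the DEV/TEST/PROD transport path"),
    ("DYNAMIC_SUBMIT", r"\bSUBMIT\s+\(",
     "report name chosen at runtime: authorization depends on the report's auth group"),
    ("DYNAMIC_TABLE", r"\bFROM\s+\(\s*[\w<>-]+\s*\)",
     "generic database access: table name chosen at runtime"),
    ("HARDCODED_USER", r"\bSY-UNAME\s*(=|EQ|IN)\s*'",
     "proprietary authorization logic keyed on literal user names"),
    ("EC_SUPPRESSION", r'"#EC\s+\w+',
     "pseudo-comment silences a Code Inspector check: confirm it is justified"),
]
COMPILED = [(rid, re.compile(rx, re.IGNORECASE), why) for rid, rx, why in RULES]


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    reason: str
    text: str


def scan_abap(source: str) -> list:
    """One Finding per (line, rule) hit. Full-line comments (* in column 1) are skipped;
    trailing "-comments are kept on purpose because #EC pseudo-comments live there."""
    findings = []
    for no, raw in enumerate(source.splitlines(), start=1):
        if raw.startswith("*"):
            continue
        for rid, rx, why in COMPILED:
            if rx.search(raw):
                findings.append(Finding(no, rid, why, raw.strip()))
    return findings


# Constructed sample modelled on the fragments quoted in the talk; not real SAP code.
SAMPLE = """\
FUNCTION z_constructed_sample.
* CALL 'SYSTEM' inside a comment line must not be reported
  OPEN DATASET script_name FOR OUTPUT IN TEXT MODE ENCODING DEFAULT.
  CONCATENATE 'chmod 777' script_name INTO unix_command SEPARATED BY space.
  CALL 'SYSTEM' ID 'COMMAND' FIELD unix_command ID 'TAB' FIELD results-*sys*.
  INSERT REPORT repid FROM rep.
  SUBMIT (repid) WITH SELECTION-TABLE valutab AND RETURN. "#EC CI_SUBMIT
  IF sy-uname = 'DEV_ONE' OR sy-uname = 'DEV_TWO'.
    SELECT * FROM (tabname) INTO TABLE <result>.
  ENDIF.
  CALL FUNCTION 'SXPG_COMMAND_EXECUTE' EXPORTING commandname = 'PING'.
ENDFUNCTION.
"""
```

Running scan_abap(SAMPLE) yields seven findings on lines 3, 5, 6, 7 (two), 8 and 9; the commented-out CALL 'SYSTEM' on line 2 and the sanctioned SXPG_COMMAND_EXECUTE call on line 11 are not reported.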

Summary

SAP Backdoor Summary

- ABAP code can have backdoors
- Backdoors are difficult to spot
  - Designed to be covert
  - „Needle in the haystack“
- Check the background of your (external) developers
- Perform code audits before productive use
- Perform static code analysis as an additional line of defense

ABAP Security Resources

Links
SAP Security Advisories researched by Virtual Forge
http://www.codeprofilers.com/index.php/advisories.html

Organizations
BIZEC – Business Security Initiative
http://www.bizec.org

Literature
Sichere ABAP-Programmierung (SAP PRESS, 372 pages, 2009)
Andreas Wiegenstein, Markus Schumacher, Sebastian Schinzel, Frederik Weidemann

Questions?

McFly: “Listen, you got a backdoor to this place?”
Bartender: “Yeah, it's in the back.”
(Back to the Future III, 1990)

Contact Information

VIRTUALFORGE GmbH
[email protected]
Speyerer Straße 6
69115 Heidelberg
Germany
Phone: +49 (0) 6221 86 89 0 - 0
Fax: +49 (0) 6221 86 89 0 - 101

Disclaimer

SAP, R/3, ABAP, SAP GUI, SAP NetWeaver and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only.

The authors assume no responsibility for errors or omissions in this document. The authors do not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

The authors shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of this document. Hippies are not supposed to read this. No exceptions. No part of this document may be reproduced without the prior written permission of Virtual Forge GmbH. © 2012 Virtual Forge GmbH.