2. INTEGRITY
About
Consultant and Partner @ INTEGRITY
Leading Consulting and Penetration Testing engagements
Breaking things, and finding how to fix them
OSCP, CISSP-ISSMP, CISA, ISO27001LA
Currently doing the MSc in Information Security @ Royal Holloway,
University of London.
Organizing BSidesLisbon 2013
@morisson
http://www.linkedin.com/in/morisson
3. INTEGRITY
What is SAP?
SAP, started in 1972 by five former IBM employees in Mannheim, Germany,
states that it is the world's largest inter-enterprise software company
and the world's fourth-largest independent software supplier, overall.
The original name for SAP was German: Systeme, Anwendungen, Produkte,
German for "Systems Applications and Products." The original SAP idea was
to provide customers with the ability to interact with a common corporate
database for a comprehensive range of applications. Gradually, the
applications have been assembled and today many corporations, including
IBM and Microsoft, are using SAP products to run their own
businesses.
Source: http://searchsap.techtarget.com/definition/SAP
13. INTEGRITY
Standing on the shoulders of giants
Chris John Riley - SAP (in)Security
http://www.slideshare.net/ChrisJohnRiley/sap-insecurity-scrubbing-sap-clean-with-soap
David Hartley (nmonkee) - SAP Slappin’
http://labs.mwrinfosecurity.com/publications/2012/04/27/sap-slapping/
Mariano di Croce - The SAProuter
http://conference.hitb.org/hitbsecconf2010ams/materials/D2T2%20-%20Mariano%20Nunez%20Di%20Croce%20-%20SAProuter%20.pdf
Alexander Polyakov - Breaking SAP portal
http://erpscan.com/presentations/breaking-sap-portal-from-hashdays-2012/
15. INTEGRITY
SAP Security Note 1816536
21 Aug 2012 – Reported vulnerability to vendor
23 Aug 2012 – Vendor acknowledged vulnerability
22 Oct 2012 – Vendor contact, with status update
23 Jan 2013 – Contacted vendor, requesting status update
23 Jan 2013 – Vendor replied with status update
9 Apr 2013 – Vendor releases patch
9 Jul 2013 – Advisory released
16. INTEGRITY
SAP Security Note 1816536
Summary
Symptom
An attacker can discover information relating to used Operating
System Version, Databases Version who uses SAP Host Agent.
This information could be used to allow the attacker to specialize their
attacks against the Operating System and Databases Software.
20. INTEGRITY
SAProuter
What is SAProuter?
SAProuter is an SAP program that acts as an intermediate station (proxy) in a
network connection between SAP Systems, or between SAP Systems and external
networks. SAProuter controls the access to your network (application level
gateway), and, as such, is a useful enhancement to an existing firewall system
(port filter).
Figuratively speaking, the firewall acts as an impenetrable wall around your
network. However, since particular types of connections need to penetrate this
wall, a “hole” has to be made in the firewall. SAProuter assumes the control
of this hole.
Source: http://help.sap.com/saphelp_nw70/helpdata/en/4f/992d39446d11d189700000e8322d00/content.htm
24. INTEGRITY
sap_router_portscanner.rb
msf auxiliary(sap_router_portscanner) > show options
Module options (auxiliary/scanner/sap/sap_router_portscanner):
   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   CONCURRENCY     1                yes       The number of concurrent ports to check per host
   INSTANCES       00-99            no        SAP instance numbers to scan (NN in PORTS definition)
   MODE            SAP_PROTO        yes       Connection Mode: SAP_PROTO or TCP (accepted: SAP_PROTO, TCP)
   PORTS           32NN             yes       Ports to scan (e.g. 3200-3299,5NN13)
   RHOSTS          192.168.1.175    yes       The target address range or CIDR identifier
   SAPROUTER_HOST  192.168.1.25     yes       SAPRouter address
   SAPROUTER_PORT  3299             yes       SAPRouter TCP port
   THREADS         1                yes       The number of concurrent threads
msf auxiliary(sap_router_portscanner)
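
Added example (not part of the original slides and not the Metasploit module's own code): how a PORTS definition such as 32NN or 3200-3299,5NN13 combines with INSTANCES to give the concrete TCP ports, which is the port set to compare against firewall and SAProuter rules. The function names are hypothetical, and the substitution of each two-digit instance number for NN is an assumption based on the option descriptions above.

```ruby
# Added example: expand a PORTS definition ("32NN", "3200-3299,5NN13")
# into concrete TCP ports for a given INSTANCES definition ("00-99").
# Assumption: NN stands for a two-digit SAP instance number.

# Expand "00-99" or "00,01,10-12" into a sorted list of integers,
# rejecting malformed items and values outside min..max.
def expand_ranges(spec, min, max)
  spec.split(',').flat_map do |part|
    part = part.strip
    raise ArgumentError, "bad range: #{part.inspect}" unless part =~ /\A(\d+)(?:-(\d+))?\z/
    lo = $1.to_i
    hi = ($2 || $1).to_i
    raise ArgumentError, "out of bounds: #{part}" if lo > hi || lo < min || hi > max
    (lo..hi).to_a
  end.uniq.sort
end

# Expand every comma-separated item of ports_spec. Items containing NN
# are templates (one port per instance); other items are ports or ranges.
def expand_sap_ports(ports_spec, instances_spec = '00-99')
  instances = expand_ranges(instances_spec, 0, 99)
  ports_spec.split(',').flat_map do |item|
    item = item.strip
    if item.include?('NN')
      # A template is a single port such as 32NN or 5NN13, never a range.
      raise ArgumentError, "bad template: #{item.inspect}" unless item =~ /\A\d*NN\d*\z/
      instances.map { |i| item.sub('NN', format('%02d', i)).to_i }
    else
      expand_ranges(item, 1, 65_535)
    end
  end.select { |port| port.between?(1, 65_535) }.uniq.sort
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: the default values shown in the options table.
  ports = expand_sap_ports('32NN', '00-99')
  puts "32NN over 00-99: #{ports.first}..#{ports.last} (#{ports.size} ports)"
  p expand_sap_ports('3200-3202,5NN13', '00,10')
end
```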