Business applications like ERP, CRM, SRM, and others are one of the major topics of information security, as these applications store business-critical data and any vulnerability in them can cause a significant monetary and reputational loss or even a stoppage of business.
There are several myths about Business Applications Security, such as:
Myth 1: Business Applications are available only internally.
Myth 2: ERP security is a vendors' problem.
Myth 3: Business Application internals are very specific and unknown to hackers.
Myth 4: ERP security is all about Segregation Of Duties.
Our findings explode these myths.
1. Invest in security to secure investments
ERP Security. Myths, Problems, Solutions
Alexander Polyakov, CTO, ERPScan
2. About ERPScan
• The only 360-degree SAP Security solution - ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 awards and nominations
• Research team - 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)
3. Intro
• ERP - Enterprise resource planning is an integrated computer-based system used to manage internal and external resources including tangible assets, financial resources, materials, and human resources – Wikipedia
4. Intro
Business applications like ERP, CRM, SRM and others are one of the major topics within the scope of computer security, as these applications store business data and any vulnerability in these applications can cause a significant monetary loss or even a stoppage of business.
5. Main Problems in ERP Security
• Complex structure (complexity kills security)
• Different vulnerabilities at all the levels
• Inside a company (closed world)
• Rarely updated: administrators are scared that systems can be broken during updates
6. Myths
Myth 1: Business applications are only available internally, which means no threat from the Internet
Myth 2: ERP security is a vendor's problem
Myth 3: Business application internals are very specific and are not known to hackers
Myth 4: ERP security is all about SOD
7. Myth 1: Business Applications are Only Available Internally
• Top management point of view – This myth is popular for internal corporate systems, and people think that these systems are only available internally
• Real life – Yes, maybe in the mainframe era with SAP R/2, and in some implementations of R/3, you could use SAP only internally, but not now in the era of global communications. As a minimum you need integration with:
  o Other offices
  o Customers and suppliers
  o For SAP systems you need a connection to the SAP network
Even if you do not have a direct connection, there are user workstations connected to the Internet
8. Myth 1: Business Applications are Only Available Internally
It is necessary to bring together people who understand ERP security, and people who understand the Internet, e-mail and the security of WEB-services
10. Myth 2. ERP Security is a Vendor's Problem
From the point of view of the law:
• The vendor is NOT responsible for the vulnerabilities in their products
• Business application security is the problem of the Client
11. Myth 2. ERP Security is a Vendor's Problem
Vendor problems vs. client problems:
1. Program errors
2. Architecture errors
3. Implementation architecture errors
4. Defaults / misconfigurations
5. Human factor
6. Patch management
7. Policies / processes / etc.
From the technical point of view: there can be so many failures even if the software is secure
12. Myth 3. Business Application Internals are not Known to Hackers
Current point of view:
• Mostly installed inside a company
• Not so popular among hackers as Windows or Apple products
• Closed world
• Security through obscurity
13. Myth 3. Business Application Internals are not Known to Hackers
Real life:
• Popular products are under attack by hackers, and are becoming more and more secure
• Business applications WERE closed, but over the last 5 years they have become more and more popular on the Internet
• And also popular with hackers and researchers (will be shown in the statistics later)
• Unfortunately, their security level is still like 3-5 years ago
• Now they look like a defenseless child in a big city
14. Myth 4. ERP Security is All about SOD
Current point of view:
• Many people, especially ERP people, think that security is all about SOD
Real life:
• Setting up AD access control does not give you a secure infrastructure
• Buying a new engine for your car every year will not help you if you simply puncture a wheel
• Also remember the Sachar Paulus interview that says: “other threat comes from people connecting their ERP systems to the Internet”
15. Myth 4. ERP Security is All about SOD
An ERP system with secure SOD and nothing else is much like spending all the money on video systems and biometric access control while leaving the back door open for housekeepers
16. Myth 4. ERP Security is All about SOD
Top 10 Application Implementation Problems (OWASP-EAS EASAI Top 10), with severity and access vector:
1. Lack of patch management - CRITICAL, REMOTE
2. Default passwords for application access - CRITICAL, REMOTE
3. SOD conflicts - CRITICAL, LOCAL
4. Unnecessary enabled application features - HIGH, REMOTE
5. Open remote management interfaces - HIGH, REMOTE
6. Lack of password lockout/complexity checks - MEDIUM, REMOTE
7. Insecure options - MEDIUM, REMOTE
8. Unencrypted communications - HIGH, REMOTE
9. Insecure trust relations - MEDIUM, LOCAL
10. Guest access - MEDIUM, REMOTE
19. Development Problems
Platforms, languages and technologies:
• SAP: own technologies (ABAP/BSP); JAVA (jsp/servlets/ejb/j2ee/rmi); WEB (html/js); Other (C/wbs/sql)
• Oracle: own technologies (BPEL/PLSQL); JAVA (jsp/servlets/ejb/j2ee/rmi); WEB (html/js/cgi); Other (C/wbs/sql)
• PeopleSoft: own technologies (PeopleCode/PLSQL); JAVA (jsp/servlets/ejb/j2ee/rmi); WEB (html/js/cgi); Other (C/wbs/sql)
20. Implementation Problems
• Different databases
• Different OS
• Different product versions
• Huge amount of customization
• Different architecture
21. Different Architecture
• Different mandates on different instances on different physical servers
• Can be DEV, TEST or PROD
• Can have different modules such as SRM/PLM/CRM/ERP, connected in different ways to itself and to other systems
• Different DMZ / terminal server installations
• Add IM/LDAP/AD and other solutions to our architecture
• And even more
22. Different OS
OS popularity for SAP:
• Windows NT - 28%
• AIX - 25%
• Linux - 19%
• SunOS - 13%
• HP-UX - 11%
• OS/400 - 4%
23. Different Platforms
• ABAP or JAVA or BusinessObjects
• Only ABAP can be:
  - SAP R/3 4.6
  - SAP R/3 4.7 Enterprise
  - SAP NetWeaver 6.4
  - SAP NetWeaver 7.0
  - SAP NetWeaver 7.2
  - SAP NetWeaver 7.3
  - Also add-ons
  - Also industry solutions
24. Great Amount of Customization
• Approximately 40-60% of an ERP is custom code
• With its own vulnerabilities
• Also there can be many custom items:
  – Authorization objects
  – Authorizations
  – Roles
  – Transactions
  – Programs
  – Etc.
If you have customized the system, you must have customized security solutions, which is much harder than checklist-like solutions
26. How to Make a Secure ERP System in 5 Steps
• Develop secure software
• Implement it securely
• Teach administrators
• Increase user awareness
• Control the whole process
27. Introducing OWASP-EAS
• Develop secure software – OWASP-Enterprise Business Application Security Vulnerability Testing Guide v0.1
• Implement it securely – Enterprise Business Application Security Implementation Assessment Guide
• Teach administrators – Our trainings
• Increase user awareness – SAP Security in Figures report
• Control the whole process – Tools
28. Introducing OWASP-EAS
• Need guides for developers and vulnerability testers to assess enterprise applications
• Sources:
  – We have OWASP – good, and focused mainly on WEB vulnerabilities
  – We have WASC – good, but focused on WEB
  – We have SANS 25 – good, but not about ERP
  – We have CWE – good, but too big
  – We have OSTMM – good, but focused on assessing systems, not software
  – SAP/Oracle security guides – good, but too much information
• Result:
  – OWASP-EAS Enterprise Business Application Security Vulnerability Testing Guide v.0.1
29. Introducing OWASP-EAS
• Analyze the most popular vulnerabilities in enterprise systems
• Create a TOP 10 list
• Collect information about examples, threats and countermeasures
• Release the guide
• After a year, go back to step 1
32. Examples
XSS
• There is an unlimited number of XSS in SAP
• The latest one at http://erpscan.com
Information Disclosure
• ORACLE Financials
  – /pls/DAD/find_web.ping
  – /OA_HTML/jsp/fnd/fndping.jsp
• SAP NetWeaver
  – /sap/public/info
33. Examples of Network Security
Improper access control / traversal (SAP NetWeaver)
• RFC functions can be called remotely
• You need a user and a password
• ALMOST ALL SAP administrators do not change the password for the user SAPCPIC
• Using its credentials we can call the function that tries to read a file on our SMB share
• Gotcha! Hashes are stolen
35. Examples of Frontend Vulnerabilities
• Buffer overflow
  – Can be exploited to gain remote access to the user
  – Also format string and memory corruption
  – The latest one at http://www.exploit-db.com/exploits/14416/
  – NEW vulns are being patched now. Soon at http://erpscan.com/
  – Also other vulnerable ERPs
36. Examples of Frontend Vulnerabilities
• Hard-coded passwords (some ERPs, we don't spell names)
  – Very dangerous
  – Fat client with hard-coded passwords to the database
  – Checking of access rights is on the client side. They are exploited to gain remote access to the user
  – Exploited simply by sniffing the database connection and connecting directly with the stolen password
  – As a result we are DBA on the database
38. Enterprise Application Security Implementation Assessment
• Building a secure application is not enough
• You also need to securely
  – Install it
  – Configure it
  – Manage it
39. Enterprise Application Security Implementation Assessment
• Analyze the most critical areas of misconfigurations
• Group them
• Create a TOP 10 list
• Collect information about examples, threats and countermeasures
• Release the guide
• After a year, go back to step 1
42. Examples of Network Security
Capture SAP traffic (SYN/FIN segments to the dispatcher ports 32NN and message server ports 36NN):
tcpdump -n -i eth0 'tcp[13] & 3 != 0 and ((tcp[2:2] >= 3200 and tcp[2:2] < 3300) or (tcp[2:2] >= 3600 and tcp[2:2] < 3700))'
• Find a user and decode the password. The user has access to an XI system without business data
• Use the SM59 transaction, which shows all RFC connections. Only one connection, to an HR system with hardcoded credentials, was found
• The credentials were those of the remote RFC user created for data exchange
• This user, called ALEREMOTE, had SAP_ALL privileges
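The capture filter above is easier to reason about when its byte offsets are spelled out. The following Python is added here as an illustration and is not part of the original deck: it evaluates the same expression (tcp[13] & 3 for the SYN/FIN flags, tcp[2:2] for the destination port) on raw TCP headers, which are constructed sample input.

```python
import struct

# Destination-port ranges from the tcpdump filter: SAP dispatcher (32NN)
# and message server (36NN) instance ports, upper bound exclusive.
SAP_PORT_RANGES = ((3200, 3300), (3600, 3700))

TCP_FIN = 0x01   # bit 0 of the flags byte (tcp[13])
TCP_SYN = 0x02   # bit 1 of the flags byte (tcp[13])
TCP_ACK = 0x10


def sap_filter_matches(tcp_header: bytes) -> bool:
    """Evaluate the BPF expression on one raw TCP header.

    tcp[13] & 3 != 0  -> FIN or SYN is set (connection open/close)
    tcp[2:2]          -> 16-bit big-endian destination port
    """
    if len(tcp_header) < 20:
        raise ValueError("a TCP header is at least 20 bytes")
    dport = struct.unpack("!H", tcp_header[2:4])[0]
    flags = tcp_header[13]
    if flags & (TCP_FIN | TCP_SYN) == 0:
        return False
    return any(lo <= dport < hi for lo, hi in SAP_PORT_RANGES)


def build_tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Construct a minimal 20-byte TCP header (constructed sample input)."""
    seq, ack = 0, 0
    data_offset = 5 << 4            # 5 x 32-bit words, no options
    window, checksum, urgent = 65535, 0, 0
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset, flags, window, checksum, urgent)


def matching_ports(headers) -> list:
    """Destination ports of the headers the capture filter would keep."""
    return [struct.unpack("!H", h[2:4])[0] for h in headers
            if sap_filter_matches(h)]


if __name__ == "__main__":
    sample = [build_tcp_header(50000, 3200, TCP_SYN),   # kept: SYN to 3200
              build_tcp_header(50001, 3200, TCP_ACK),   # dropped: no SYN/FIN
              build_tcp_header(50002, 3300, TCP_SYN),   # dropped: 3300 out of range
              build_tcp_header(50003, 3650, TCP_FIN)]   # kept: FIN to 3650
    print(matching_ports(sample))
```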
44. OS Vulnerabilities: Access to Critical Files
There are many critical files on an SAP server that can be used by an unprivileged user to gain access to the SAP application:
• Database files (DATA + encrypted Oracle and SAP passwords)
  – /oracle/<DBSID>/sapdata/system_1/system.data1
• SAP config files (encrypted passwords)
  – /usr/sap/<SAPSID>/<Instance ID>/sec/*
  – /usr/sap/<SAPSID>/<Instance ID>/sec/sapsys.pse
• Configtool config files (encrypted database password)
  – \usr\sap\DM0\SYS\global\security\data\SecStore.properties
  – \usr\sap\DM0\SYS\global\security\data\SecStore.key
• J2EE trace files (plaintext passwords)
  – /usr/sap/<sapsid>/<InstanceID>/j2ee/cluster/dispatcher/log/defaultTrace.0.trc
• ICM config files (encrypted password)
  – \usr\sap\DM0\SYS\exe\uc\NTI386\icmauth.txt
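An added defender-side check, not from the original deck: given values for the <SAPSID>, <DBSID> and <InstanceID> placeholders above, it resolves the Unix paths from the list and reports which credential-bearing files are readable by any local account. The SecStore paths under SYS/global/security/data and the constructed sample layout in demo_audit are assumptions; the Windows-style icmauth.txt path is not covered.

```python
import os
import stat
import tempfile

# Credential-bearing files from the slide, relative to the filesystem root.
# The <DBSID>, <SAPSID> and <InstanceID> placeholders are filled in here.
def sap_credential_files(sapsid, dbsid, instance_id):
    sid = sapsid.upper()
    return [
        f"oracle/{dbsid.upper()}/sapdata/system_1/system.data1",
        f"usr/sap/{sid}/{instance_id}/sec/sapsys.pse",
        f"usr/sap/{sid}/SYS/global/security/data/SecStore.properties",
        f"usr/sap/{sid}/SYS/global/security/data/SecStore.key",
        f"usr/sap/{sid}/{instance_id}/j2ee/cluster/dispatcher/log/defaultTrace.0.trc",
    ]


def audit_permissions(root, rel_paths):
    """Return {relative path: octal mode} for every listed file that is
    readable by 'other', i.e. by any unprivileged local account."""
    findings = {}
    for rel in rel_paths:
        try:
            mode = os.stat(os.path.join(root, rel)).st_mode
        except FileNotFoundError:
            continue                      # not every file exists on every host
        if mode & stat.S_IROTH:
            findings[rel] = oct(stat.S_IMODE(mode))
    return findings


def demo_audit():
    """Run the audit over a constructed layout: SecStore.key left at 0644
    (exposed) and sapsys.pse at 0600 (locked down); the rest are absent."""
    files = sap_credential_files("dm0", "dm0", "DVEBMGS00")
    exposed, locked = files[3], files[1]
    with tempfile.TemporaryDirectory() as root:
        for rel, mode in ((exposed, 0o644), (locked, 0o600)):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(full, mode)
        return audit_permissions(root, files)


if __name__ == "__main__":
    for path, mode in demo_audit().items():
        print(f"world-readable ({mode}): {path}")
```

On a real host, call audit_permissions("/", sap_credential_files(sid, dbsid, instance)) as a user with read access to the stat information.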
46. Examples of Database Vulnerabilities
• Unnecessary enabled services
  – Any database has them by default
    o Oracle – UTL_FILE, UTL_HTTP, UTL_TCP, etc.
    o MSSQL – Master..xp_dirtree 'fakesmbsharee'
    o Can be used to steal credentials
    o ! ERPs run the database from their own service credential, not from the 'Network Service'
48. Examples of Application Vulnerabilities
• Default passwords
  – Any ERP installs with predefined passwords
    o For the application
    o For the database
    o Sometimes for the OS
  – Most of them are well known
  – Will be published at OWASP
49. SAP default passwords
• FOR Application
• FOR Database
  – SAPR3/SAP
  – + Oracle defaults in the older versions
50. PeopleSoft default passwords
• FOR Application (many)
  – FEDTBHADMN1/FEDTBHADMN1
  – FEDTBHADMN1/FEDTBHMGR01
  – FEDTBHMGR02/FEDTBHMGR02
  – HAM/HAM
  – etc.
• For Database
  – Peop1e/Peop1e
  – PS/PS
  – Sysadm/sysadm
  – + Oracle defaults in the old versions
52. Examples of Application Vulnerabilities
Remote management interfaces
• Example of SAP (others have the same problems)
• There is web RFC access
• Google it: /sap/bc/webrfc
• All RFC features are possible
• Plus something more, including dos/smbrelay
• Details later on http://erpscan.com
• Remote pwnage is possible
55. Examples of Frontend Vulnerabilities
Insecure distribution service
• Example of SAP (others have the same problems)
• SAPGUI is often distributed from a corporate file server
• Often this share is available to any user
• Configuration files and distributives can be overwritten
  – Insert a Trojan
  – Redirect to fake servers
The same problems occur when using terminal services
57. Enterprise Application Vulnerability Statistics 2009
“In this document we will show the result of statistical research in the Business Application security area made by ERPScan and the OWASP-EAS project. The purpose of this document is to raise awareness about Enterprise Business Application security by showing the current number of vulnerabilities found in these applications and how critical they can be”
• Analyzed systems
  – ERP systems
  – Business frontend software
  – Database systems
  – Application servers
• Analyzed resources
  – http://securityfocus.com, http://exploit-db.com
  – http://cwe.mitre.org, http://cvedetails.com
  – http://oracle.com, http://sdn.sap.com, http://ibm.com
61. Growing interest
• The number of found vulnerabilities grows – greetings to all companies in the application security area
• The number of talks about ERP security at conferences grows – 2006 (1), 2007 (1), 2008 (2), 2009 (3), 2010 (10!)
• And also companies pay more attention to this area – the SAP security response team is growing every year
This area is becoming popular. We really need automatic tools for ERP security assessment, for pentesters and for administrators
62. Need for Automation
What we have done
• Sapsploit and Sapscan – tools for pentesting and trojaning SAP users
• ERPSCAN Online – free service for assessing SAP frontend security
• ERPSCAN Security Scanner for SAP – enterprise application for solving the full area of problems in SAP solutions
63. ERPSCAN – Security Scanner for SAP
• Corporate scanner for assessing the security of SAP systems
• Checking for misconfigurations, public vulnerabilities, 0-days, compliance with standards and metrics
• Checking both ABAP and JAVA instances, more than 400 checks
• Whitebox scanning to prevent possible damage
• Additional engine for checking existing vulnerabilities without exploiting them
• Extended knowledgebase for all checks with detailed descriptions and countermeasures collected by ERPScan experts
• ERPSCAN.COM
64. Conclusion about ERP Security
• ERP security is not a myth
• It is becoming more popular with BlackHats and WhiteHats
• There is a need to create guidelines and increase awareness in this area
• OWASP-EAS calls for volunteers with a background in this area
• ERP security is very complex, and if you are ready to do it 24/7 then do it
• If you cannot do it, leave it to professionals