SlideShare a Scribd company logo

Вектор атаки на SAP — система CUA

Download as PPTX, PDF
Positive Hack Days
Positive Hack Days
Technology
1 of 32
SAP CUA as an SAP Attack Vector Dmitry Gutsko Business System Security Assessment Group Positive Technologies PHDays IV
Agenda ― What is SAP CUA? ― Deployment schemes ― SAP CUA user privileges ― Attack vectors • Compromising a child system • Analysis of network packets ― Protection/Countermeasures
What is SAP CUA? SAP HCM SAP CRM SAP ECC SAP BW SAP FI SAP CUA
What is SAP CUA? SAP CUA Central System Child System Child System Child System
SAP CUA deployment
SAP CUA deployment (trusted connections)
SAP CUA User Privileges (SAP Recommendations) ― Client side (SAP CUA child system) • SAP_BC_USR_CUA_CLIENT • SAP_BC_USR_CUA_SETUP_CLIENT ― Server side (SAP CUA central system) • SAP_BC_USR_CUA_CENTRAL • SAP_BC_USR_CUA_CENTRAL_BDIST • SAP_BC_USR_CUA_SETUP_CENTRAL
SAP CUA User privileges
SAP CUA User privileges
SAP CUA User privileges
Attack vectors ― Compromising SAP CUA central system No comments ― Compromising a child system 1. Bypassing a SAP CUA child system’s restrictions 2. Escalation of privileges in the SAP CUA model 3. Gathering information in the SAP CUA model ― Compromising a network 4. Intercepting data sent between child and central systems
SAP CUA Central System Child System Child System Child System Attacker Child System Attack vectors Attack Target
SAP CUA Central System Child System Child System Child System Attacker Child System Attack vectors Attack Target 1. Central system compromising 2. Escalation of privileges at the central system 3. Creating account in a child system 1 2 3
SAP CUA Central System Child System Child System Child System Attacker Child System Attack vectors Attack Target 1 1. Another child system compromising 2. Escalation of privileges in the CUA model 3. Creating account in a child system 2 3
Bypassing a SAP CUA child system’s restrictions ― Create a user ― Change a password ― Assign a profile
Bypassing a SAP CUA child system’s restrictions (video)
Bypassing a SAP CUA child system’s restrictions ― Create a user: Execute FM BAPI_USER_CREATE1 (transaction SE37) in a child system ― Change a password: Edit the USRFLDSEL table (transaction SE16n) in a child system ― Assign a profile/role: Edit the USRFLDSEL table (transaction SE16n) in a child system
SAP CUA Central System Child System Child System Child System Child System Attacker Child System Child System Escalation of privileges in the SAP CUA model
SAP CUA Central System Child System Child System Child System Child System SAP CUA users SAP_BC_USR_CUA_CLIENT SAP_BC_USR_CUA_SETUP_CLIENT SAP_BC_USR_CUA_CENTRAL SAP_BC_USR_CUA_CENTRAL_BDIST SAP_BC_USR_CUA_SETUP_CENTRAL RFC Connection to the central CUA system RFC Connection to a child CUA system Attacker RSECTAB, RFCDES tables = User credentials SE37 transaction = FM remote execution
Escalation of privileges in the SAP CUA model (video)
Escalation of privileges in the SAP CUA model ― Reassign a User-System: Execute FM BAPI_USER_SYSTEM_ASSIGN (SE37) (Role SAP_BC_USR_CUA_SETUP_CENTRAL) ― Assign a profile: Execute FM BAPI_USER_LOCPROFILES_ASSIGN (SE37) (Role SAP_BC_USR_CUA_SETUP_CENTRAL) ― Assign a role: Execute FM BAPI_USER_LOCACTGROUPS_ASSIGN (SE37) (Role SAP_BC_USR_CUA_SETUP_CENTRAL) ― Gather information (continued)
Gathering information about the SAP CUA model ― CUA Users/hashes: Execute in the central system FM RFC_READ_TABLE (USR02, USH02, …) (Role SAP_BC_USR_CUA_CENTRAL) ― The CUA model: Locally execute Transaction SCUA Execute in a central system FM RFC_READ_TABLE (USZBVSYS, …) = CUA logs Read local tables RFCDES, RSECTAB = RFC destinations
SAP Security Note 1997455
Central System SAP CUA Child System Child System Child System Child System RFC/IDoc (compressed) Usr02.Bname: PHD-USER Usr02.Bcode: 283D7893C91674A0 Usr02.Ustyp: A Usr02.Uflag: 0 User Accounts RFC User Account to Child System RFC User Account to Central System Hacker Intercepting data sent between child and central systems RFC/IDoc User Creation Confirmation
Sending user credentials to a child system RFC account password recovery UserID Encrypted password Length For gamma generating XORed password Password
Sending user credentials to a child system User credentials data recovery
Obtained account sent to a child system ― Get user list: Execute FM BAPI_USER_GETLIST (SE37) (Role SAP_BC_USR_CUA_SETUP_CLIENT) ― Create users: Execute FM BAPU_USER_CREATE1 (SE37) (Role SAP_BC_USR_CUA_SETUP_CLIENT) ― Assign privileges: Execute FM BAPI_USER_PROFILES_ASSIGN (SE37) (Role SAP_BC_USR_CUA_SETUP_CLIENT) ― Lock/Unlock users: Execute FM BAPI_USER_LOCK/BAPI_USER_UNLOCK (SE37) (Role SAP_BC_USR_CUA_SETUP_CLIENT)
Protection/Countermeasures ― Do not combine SAP systems of various security classifications in a single CUA model ― Delete SETUP roles for CUA users ― Apply Note 1997455 or modify SAP_BC_USR_CUA_CENTRAL role ― Activate table logging (USRFLDSEL) ― Enable SNC encryption for RFC connections ― Use trusted connections; assign S_RFC, S_ICF, S_RFCACL authorization objects to system users ― Control access to critical transactions: SM49, SE37, SCUA, ST04,… ― Configure ACL for SAP Gateway ― Do not forget about other clients
Thank you for your attention!
Additional information Transactions: SCUA– Display System Landscape (CUA model) SCUL– Log Display for Central User Administration SCUM – User Distribution Field Selection SCUG – Central User Administration Structure Display SE37- ABAP Function Modules Notes: 492589 – Minimum authorizations for communication users 333441 - CUA: Tips for problem analysis 376856 - Password synchronization - Single Sign-On/CUA 1997455 - Potential information disclosure in BC-SEC-USR-ADM Tables: USZBVSYS - CUA: Assignment of Systems to Users USRFLDSEL- CUA: Field Attributes
Вектор атаки на SAP — система CUA

Recommended

SAP hands on lab_ru
SAP hands on lab_ruSAP hands on lab_ru
SAP hands on lab_ruPositive Hack Days
 
ERP Глазами Злоумышленника
ERP Глазами ЗлоумышленникаERP Глазами Злоумышленника
ERP Глазами ЗлоумышленникаPositive Hack Days
 
Introduction to SAP Security
Introduction to SAP SecurityIntroduction to SAP Security
Introduction to SAP SecurityNasir Gondal
 
SENTHIL RAMADOSS CV
SENTHIL RAMADOSS CVSENTHIL RAMADOSS CV
SENTHIL RAMADOSS CVsenthil ramadoss
 
Sap security training !! sap securtiy online training !! sap security video ...
Sap security training !! sap securtiy online training !! sap security video ...Sap security training !! sap securtiy online training !! sap security video ...
Sap security training !! sap securtiy online training !! sap security video ...sapdocs
 
Security
SecuritySecurity
Securitysapitsapitsap
 
SQL Server 2014 Backup to Azure - SQL Saturday CR 2015
SQL Server 2014 Backup to Azure - SQL Saturday CR 2015SQL Server 2014 Backup to Azure - SQL Saturday CR 2015
SQL Server 2014 Backup to Azure - SQL Saturday CR 2015Christian Sanabria MSc, PMP, CSM
 
SAP BASIS Online Training | SAP Training
SAP BASIS Online Training | SAP TrainingSAP BASIS Online Training | SAP Training
SAP BASIS Online Training | SAP TrainingVenkat reddy
 

Recommended

SAP hands on lab_ru
SAP hands on lab_ruSAP hands on lab_ru
SAP hands on lab_ruPositive Hack Days
 
ERP Глазами Злоумышленника
ERP Глазами ЗлоумышленникаERP Глазами Злоумышленника
ERP Глазами ЗлоумышленникаPositive Hack Days
 
Introduction to SAP Security
Introduction to SAP SecurityIntroduction to SAP Security
Introduction to SAP SecurityNasir Gondal
 
SENTHIL RAMADOSS CV
SENTHIL RAMADOSS CVSENTHIL RAMADOSS CV
SENTHIL RAMADOSS CVsenthil ramadoss
 
Sap security training !! sap securtiy online training !! sap security video ...
Sap security training !! sap securtiy online training !! sap security video ...Sap security training !! sap securtiy online training !! sap security video ...
Sap security training !! sap securtiy online training !! sap security video ...sapdocs
 
Security
SecuritySecurity
Securitysapitsapitsap
 
SQL Server 2014 Backup to Azure - SQL Saturday CR 2015
SQL Server 2014 Backup to Azure - SQL Saturday CR 2015SQL Server 2014 Backup to Azure - SQL Saturday CR 2015
SQL Server 2014 Backup to Azure - SQL Saturday CR 2015Christian Sanabria MSc, PMP, CSM
 
SAP BASIS Online Training | SAP Training
SAP BASIS Online Training | SAP TrainingSAP BASIS Online Training | SAP Training
SAP BASIS Online Training | SAP TrainingVenkat reddy
 
An easy way into your sap systems v3.0
An easy way into your sap systems v3.0An easy way into your sap systems v3.0
An easy way into your sap systems v3.0Cyber Security Alliance
 
SAP SECURITY TRAINING VIDEO TUTORIAL
SAP SECURITY TRAINING VIDEO TUTORIALSAP SECURITY TRAINING VIDEO TUTORIAL
SAP SECURITY TRAINING VIDEO TUTORIALAbhishek_005
 
How to manage users, roles and rights in S/4HANA systems audit compliant. [We...
How to manage users, roles and rights in S/4HANA systems audit compliant. [We...How to manage users, roles and rights in S/4HANA systems audit compliant. [We...
How to manage users, roles and rights in S/4HANA systems audit compliant. [We...akquinet enterprise solutions GmbH
 
Mysql user-camp-march-11th-2016
Mysql user-camp-march-11th-2016Mysql user-camp-march-11th-2016
Mysql user-camp-march-11th-2016Harin Vadodaria
 
Top Ten Settings that Leave your IBM i Vulnerable
Top Ten Settings that Leave your IBM i VulnerableTop Ten Settings that Leave your IBM i Vulnerable
Top Ten Settings that Leave your IBM i VulnerablePrecisely
 
SAP HANA SPS09 - Security
SAP HANA SPS09 - SecuritySAP HANA SPS09 - Security
SAP HANA SPS09 - SecuritySAP Technology
 
SAP BASIS Training in Chennai Demo Part-7
SAP BASIS Training in Chennai Demo Part-7SAP BASIS Training in Chennai Demo Part-7
SAP BASIS Training in Chennai Demo Part-7Thecreating Experts
 
EMEA Airheads- Troubleshooting 802.1x issues
EMEA Airheads- Troubleshooting 802.1x issuesEMEA Airheads- Troubleshooting 802.1x issues
EMEA Airheads- Troubleshooting 802.1x issuesAruba, a Hewlett Packard Enterprise company
 
Catherine Ner-Nacional
Catherine Ner-NacionalCatherine Ner-Nacional
Catherine Ner-NacionalCatherine Nacional
 
2014 OpenSuse Conf: Protect your MySQL Server
2014 OpenSuse Conf: Protect your MySQL Server2014 OpenSuse Conf: Protect your MySQL Server
2014 OpenSuse Conf: Protect your MySQL ServerGeorgi Kodinov
 
HANA SPS07 Security
HANA SPS07 Security HANA SPS07 Security
HANA SPS07 Security SAP Technology
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramBeyondTrust
 
How Can I tune it When I Can't Change the Code?
How Can I tune it When I Can't Change the Code?How Can I tune it When I Can't Change the Code?
How Can I tune it When I Can't Change the Code?Sage Computing Services
 
Vpd
VpdVpd
VpdSage Computing Services
 
Best Practice Guide Security: How to check your SAP systems for security. [We...
Best Practice Guide Security: How to check your SAP systems for security. [We...Best Practice Guide Security: How to check your SAP systems for security. [We...
Best Practice Guide Security: How to check your SAP systems for security. [We...akquinet enterprise solutions GmbH
 
Transform Desktops and Accelerate User Acceptance
Transform Desktops and Accelerate User AcceptanceTransform Desktops and Accelerate User Acceptance
Transform Desktops and Accelerate User AcceptanceIvanti
 
CA Performance Management Deep Dive
CA Performance Management Deep DiveCA Performance Management Deep Dive
CA Performance Management Deep DiveCA Technologies
 
SAP_HANA_SECURITY_overview_online_Resear.docx
SAP_HANA_SECURITY_overview_online_Resear.docxSAP_HANA_SECURITY_overview_online_Resear.docx
SAP_HANA_SECURITY_overview_online_Resear.docxjuancusa
 
Stored procedures by thanveer danish melayi
Stored procedures by thanveer danish melayiStored procedures by thanveer danish melayi
Stored procedures by thanveer danish melayiMuhammed Thanveer M
 
Sap basis
Sap basisSap basis
Sap basisSri Nivas
 
Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesPositive Hack Days
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerPositive Hack Days
 

More Related Content

Similar to Вектор атаки на SAP — система CUA

SAP SECURITY TRAINING VIDEO TUTORIAL
SAP SECURITY TRAINING VIDEO TUTORIALSAP SECURITY TRAINING VIDEO TUTORIAL
SAP SECURITY TRAINING VIDEO TUTORIALAbhishek_005
 
How to manage users, roles and rights in S/4HANA systems audit compliant. [We...
How to manage users, roles and rights in S/4HANA systems audit compliant. [We...How to manage users, roles and rights in S/4HANA systems audit compliant. [We...
How to manage users, roles and rights in S/4HANA systems audit compliant. [We...akquinet enterprise solutions GmbH
 
Mysql user-camp-march-11th-2016
Mysql user-camp-march-11th-2016Mysql user-camp-march-11th-2016
Mysql user-camp-march-11th-2016Harin Vadodaria
 
Top Ten Settings that Leave your IBM i Vulnerable
Top Ten Settings that Leave your IBM i VulnerableTop Ten Settings that Leave your IBM i Vulnerable
Top Ten Settings that Leave your IBM i VulnerablePrecisely
 
SAP HANA SPS09 - Security
SAP HANA SPS09 - SecuritySAP HANA SPS09 - Security
SAP HANA SPS09 - SecuritySAP Technology
 
SAP BASIS Training in Chennai Demo Part-7
SAP BASIS Training in Chennai Demo Part-7SAP BASIS Training in Chennai Demo Part-7
SAP BASIS Training in Chennai Demo Part-7Thecreating Experts
 
2014 OpenSuse Conf: Protect your MySQL Server
2014 OpenSuse Conf: Protect your MySQL Server2014 OpenSuse Conf: Protect your MySQL Server
2014 OpenSuse Conf: Protect your MySQL ServerGeorgi Kodinov
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramBeyondTrust
 
How Can I tune it When I Can't Change the Code?
How Can I tune it When I Can't Change the Code?How Can I tune it When I Can't Change the Code?
How Can I tune it When I Can't Change the Code?Sage Computing Services
 
Best Practice Guide Security: How to check your SAP systems for security. [We...
Best Practice Guide Security: How to check your SAP systems for security. [We...Best Practice Guide Security: How to check your SAP systems for security. [We...
Best Practice Guide Security: How to check your SAP systems for security. [We...akquinet enterprise solutions GmbH
 
Transform Desktops and Accelerate User Acceptance
Transform Desktops and Accelerate User AcceptanceTransform Desktops and Accelerate User Acceptance
Transform Desktops and Accelerate User AcceptanceIvanti
 
CA Performance Management Deep Dive
CA Performance Management Deep DiveCA Performance Management Deep Dive
CA Performance Management Deep DiveCA Technologies
 
SAP_HANA_SECURITY_overview_online_Resear.docx
SAP_HANA_SECURITY_overview_online_Resear.docxSAP_HANA_SECURITY_overview_online_Resear.docx
SAP_HANA_SECURITY_overview_online_Resear.docxjuancusa
 
Stored procedures by thanveer danish melayi
Stored procedures by thanveer danish melayiStored procedures by thanveer danish melayi
Stored procedures by thanveer danish melayiMuhammed Thanveer M
 

Similar to Вектор атаки на SAP — система CUA (20)

An easy way into your sap systems v3.0
An easy way into your sap systems v3.0An easy way into your sap systems v3.0
An easy way into your sap systems v3.0
 
SAP SECURITY TRAINING VIDEO TUTORIAL
SAP SECURITY TRAINING VIDEO TUTORIALSAP SECURITY TRAINING VIDEO TUTORIAL
SAP SECURITY TRAINING VIDEO TUTORIAL
 
How to manage users, roles and rights in S/4HANA systems audit compliant. [We...
How to manage users, roles and rights in S/4HANA systems audit compliant. [We...How to manage users, roles and rights in S/4HANA systems audit compliant. [We...
How to manage users, roles and rights in S/4HANA systems audit compliant. [We...
 
Mysql user-camp-march-11th-2016
Mysql user-camp-march-11th-2016Mysql user-camp-march-11th-2016
Mysql user-camp-march-11th-2016
 
Top Ten Settings that Leave your IBM i Vulnerable
Top Ten Settings that Leave your IBM i VulnerableTop Ten Settings that Leave your IBM i Vulnerable
Top Ten Settings that Leave your IBM i Vulnerable
 
SAP HANA SPS09 - Security
SAP HANA SPS09 - SecuritySAP HANA SPS09 - Security
SAP HANA SPS09 - Security
 
SAP BASIS Training in Chennai Demo Part-7
SAP BASIS Training in Chennai Demo Part-7SAP BASIS Training in Chennai Demo Part-7
SAP BASIS Training in Chennai Demo Part-7
 
EMEA Airheads- Troubleshooting 802.1x issues
EMEA Airheads- Troubleshooting 802.1x issuesEMEA Airheads- Troubleshooting 802.1x issues
EMEA Airheads- Troubleshooting 802.1x issues
 
Catherine Ner-Nacional
Catherine Ner-NacionalCatherine Ner-Nacional
Catherine Ner-Nacional
 
2014 OpenSuse Conf: Protect your MySQL Server
2014 OpenSuse Conf: Protect your MySQL Server2014 OpenSuse Conf: Protect your MySQL Server
2014 OpenSuse Conf: Protect your MySQL Server
 
HANA SPS07 Security
HANA SPS07 Security HANA SPS07 Security
HANA SPS07 Security
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management Program
 
How Can I tune it When I Can't Change the Code?
How Can I tune it When I Can't Change the Code?How Can I tune it When I Can't Change the Code?
How Can I tune it When I Can't Change the Code?
 
Vpd
VpdVpd
Vpd
 
Best Practice Guide Security: How to check your SAP systems for security. [We...
Best Practice Guide Security: How to check your SAP systems for security. [We...Best Practice Guide Security: How to check your SAP systems for security. [We...
Best Practice Guide Security: How to check your SAP systems for security. [We...
 
Transform Desktops and Accelerate User Acceptance
Transform Desktops and Accelerate User AcceptanceTransform Desktops and Accelerate User Acceptance
Transform Desktops and Accelerate User Acceptance
 
CA Performance Management Deep Dive
CA Performance Management Deep DiveCA Performance Management Deep Dive
CA Performance Management Deep Dive
 
SAP_HANA_SECURITY_overview_online_Resear.docx
SAP_HANA_SECURITY_overview_online_Resear.docxSAP_HANA_SECURITY_overview_online_Resear.docx
SAP_HANA_SECURITY_overview_online_Resear.docx
 
Stored procedures by thanveer danish melayi
Stored procedures by thanveer danish melayiStored procedures by thanveer danish melayi
Stored procedures by thanveer danish melayi
 
Sap basis
Sap basisSap basis
Sap basis
 

More from Positive Hack Days

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesPositive Hack Days
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerPositive Hack Days
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesPositive Hack Days
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikPositive Hack Days
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQubePositive Hack Days
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityPositive Hack Days
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Positive Hack Days
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для ApproofPositive Hack Days
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Positive Hack Days
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложенийPositive Hack Days
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложенийPositive Hack Days
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application SecurityPositive Hack Days
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летPositive Hack Days
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиPositive Hack Days
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОPositive Hack Days
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке СиPositive Hack Days
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CorePositive Hack Days
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опытPositive Hack Days
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterPositive Hack Days
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиPositive Hack Days
 

More from Positive Hack Days (20)

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release Notes
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows Docker
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive Technologies
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + Qlik
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQube
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps Community
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для Approof
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложений
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложений
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application Security
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 лет
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на грабли
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПО
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке Си
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET Core
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опыт
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services Center
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атаки
 

Recently uploaded

Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 

Recently uploaded (20)

Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 

Вектор атаки на SAP — система CUA

  • 1.
  • 2. SAP CUA as an SAP Attack Vector Dmitry Gutsko Business System Security Assessment Group Positive Technologies PHDays IV
  • 3. Agenda ― What is SAP CUA? ― Deployment schemes ― SAP CUA user privileges ― Attack vectors • Compromising a child system • Analysis of network packets ― Protection/Countermeasures
  • 4. What is SAP CUA? SAP HCM SAP CRM SAP ECC SAP BW SAP FI SAP CUA
  • 5. What is SAP CUA? SAP CUA Central System Child System Child System Child System
  • 8. SAP CUA User Privileges (SAP Recommendations) ― Client side (SAP CUA child system) • SAP_BC_USR_CUA_CLIENT • SAP_BC_USR_CUA_SETUP_CLIENT ― Server side (SAP CUA central system) • SAP_BC_USR_CUA_CENTRAL • SAP_BC_USR_CUA_CENTRAL_BDIST • SAP_BC_USR_CUA_SETUP_CENTRAL
  • 9. SAP CUA User privileges
  • 10. SAP CUA User privileges
  • 11. SAP CUA User privileges
  • 12. Attack vectors ― Compromising SAP CUA central system No comments ― Compromising a child system 1. Bypassing a SAP CUA child system’s restrictions 2. Escalation of privileges in the SAP CUA model 3. Gathering information in the SAP CUA model ― Compromising a network 4. Intercepting data sent between child and central systems
  • 14. SAP CUA Central System Child System Child System Child System Attacker Child System Attack vectors Attack Target 1. Central system compromising 2. Escalation of privileges at the central system 3. Creating account in a child system 1 2 3
  • 15. SAP CUA Central System Child System Child System Child System Attacker Child System Attack vectors Attack Target 1 1. Another child system compromising 2. Escalation of privileges in the CUA model 3. Creating account in a child system 2 3
  • 16. Bypassing a SAP CUA child system’s restrictions ― Create a user ― Change a password ― Assign a profile
  • 17. Bypassing a SAP CUA child system’s restrictions (video)
  • 18. Bypassing a SAP CUA child system’s restrictions ― Create a user: Execute FM BAPI_USER_CREATE1 (transaction SE37) in a child system ― Change a password: Edit the USRFLDSEL table (transaction SE16n) in a child system ― Assign a profile/role: Edit the USRFLDSEL table (transaction SE16n) in a child system
  • 20. SAP CUA Central System Child System Child System Child System Child System SAP CUA users SAP_BC_USR_CUA_CLIENT SAP_BC_USR_CUA_SETUP_CLIENT SAP_BC_USR_CUA_CENTRAL SAP_BC_USR_CUA_CENTRAL_BDIST SAP_BC_USR_CUA_SETUP_CENTRAL RFC Connection to the central CUA system RFC Connection to a child CUA system Attacker RSECTAB, RFCDES tables = User credentials SE37 transaction = FM remote execution
  • 21. Escalation of privileges in the SAP CUA model (video)
  • 22. Escalation of privileges in the SAP CUA model ― Reassign a User-System: Execute FM BAPI_USER_SYSTEM_ASSIGN (SE37) (Role SAP_BC_USR_CUA_SETUP_CENTRAL) ― Assign a profile: Execute FM BAPI_USER_LOCPROFILES_ASSIGN (SE37) (Role SAP_BC_USR_CUA_SETUP_CENTRAL) ― Assign a role: Execute FM BAPI_USER_LOCACTGROUPS_ASSIGN (SE37) (Role SAP_BC_USR_CUA_SETUP_CENTRAL) ― Gather information (continued)
  • 23. Gathering information about the SAP CUA model ― CUA Users/hashes: Execute in the central system FM RFC_READ_TABLE (USR02, USH02, …) (Role SAP_BC_USR_CUA_CENTRAL) ― The CUA model: Locally execute Transaction SCUA Execute in a central system FM RFC_READ_TABLE (USZBVSYS, …) = CUA logs Read local tables RFCDES, RSECTAB = RFC destinations
  • 24. SAP Security Note 1997455
  • 25. Central System SAP CUA Child System Child System Child System Child System RFC/IDoc (compressed) Usr02.Bname: PHD-USER Usr02.Bcode: 283D7893C91674A0 Usr02.Ustyp: A Usr02.Uflag: 0 User Accounts RFC User Account to Child System RFC User Account to Central System Hacker Intercepting data sent between child and central systems RFC/IDoc User Creation Confirmation
  • 26. Sending user credentials to a child system RFC account password recovery UserID Encrypted password Length For gamma generating XORed password Password
  • 27. Sending user credentials to a child system User credentials data recovery
  • 28. Obtained account sent to a child system ― Get user list: Execute FM BAPI_USER_GETLIST (SE37) (Role SAP_BC_USR_CUA_SETUP_CLIENT) ― Create users: Execute FM BAPU_USER_CREATE1 (SE37) (Role SAP_BC_USR_CUA_SETUP_CLIENT) ― Assign privileges: Execute FM BAPI_USER_PROFILES_ASSIGN (SE37) (Role SAP_BC_USR_CUA_SETUP_CLIENT) ― Lock/Unlock users: Execute FM BAPI_USER_LOCK/BAPI_USER_UNLOCK (SE37) (Role SAP_BC_USR_CUA_SETUP_CLIENT)
  • 29. Protection/Countermeasures ― Do not combine SAP systems of various security classifications in a single CUA model ― Delete SETUP roles for CUA users ― Apply Note 1997455 or modify SAP_BC_USR_CUA_CENTRAL role ― Activate table logging (USRFLDSEL) ― Enable SNC encryption for RFC connections ― Use trusted connections; assign S_RFC, S_ICF, S_RFCACL authorization objects to system users ― Control access to critical transactions: SM49, SE37, SCUA, ST04,… ― Configure ACL for SAP Gateway ― Do not forget about other clients
  • 30. Thank you for your attention!
  • 31. Additional information Transactions: SCUA– Display System Landscape (CUA model) SCUL– Log Display for Central User Administration SCUM – User Distribution Field Selection SCUG – Central User Administration Structure Display SE37- ABAP Function Modules Notes: 492589 – Minimum authorizations for communication users 333441 - CUA: Tips for problem analysis 376856 - Password synchronization - Single Sign-On/CUA 1997455 - Potential information disclosure in BC-SEC-USR-ADM Tables: USZBVSYS - CUA: Assignment of Systems to Users USRFLDSEL- CUA: Field Attributes