Some notes on the SAP security track of Troopers#17.
Troopers.de is the annual security conference in Heidelberg Germany that has a specific SAP Security track where global SAP security researchers present their work. I was presenting our research in this track on security vulnerabilities in the inbound email processing functionality of SAP systems and also wrote some notes on the other presentations.
First of all a small quick recap from Enno’s keynote:
#Keynote enno rey
He showed a great recap of ten years troopers. He mentioned he will step back so the young ones can take over. A quick look into the past and future; there is progress in infosec in showing practical ways of exploitation. In Enterprise security however there is less progress. In society related Infosec, no that much progress yet, but enno is optimistic that we as a industry can get better in what we do when we keep on working hard.
#Martin Gallo – intercepting sap snc protected traffic – Slides are here
Great presentation on SNC, Secure network Communication. Snc is the encryption layer for SAP protocols like diag, sap router and rfc: Saps own protocols for server to server communication and gui to server communication. Protocols are not encrypted by default, only compressed. There are wire shark add-ons to decompress.
Snc adds encryption, integrity and strong authentication to the regular protocols via gss-api.
Cryptography done via SAP’s commoncryptolib.
Most used scenario in real life via x.509 certificate or kerberos icw sso.
There are 3 versions: 1993, 2010_1_0, 2010_1_1. The 1993 version works rather simple but sould not be used anymore. Latest version encrypts handshake and negotiation about used ciphers. Perfect forward security can be done with most recent version.
Quality of protection: you can define the level of protection as a customer: 1:auth only, 2:integrity protection, 3:privacy protection. Parameters in SAP system are snc/data_protection/min ../Max and ../use. Server then only accepts connections that have correct level of protection and drops others.
Attack demo: if qop is set too low passwords are still send compressed, not encrypted from gui to server and can be intercepted. Gives false sense of security as customers think communication is encrypted.
Many other attack scenarios. As this is all done via pre-auth communication.
Some tools: sap wire shark plugin and Pysap! HTTPs://github.com/CoreSecurity/pysap
Patch also the commoncryptolib. Do pentests and check architecture.
Use latest commoncryptolib.
Set correct qop settings (all to value 3). Sap note 1690662.
Set ccl/snc/(client/server)_protocol to 2010_1_1.
Also see the ccl/* parameters!
# Virtual forge – Frederik Weidemann & Hans Christian epserer Reverse Engineering abap bytecode
Bytecode in abap is generated when a program is activated and every time code is changed.
They demoed a way to change the Bytecode without that being visible in the normal abap ide / sourcecode.
There is no integrity check between source code and Bytecode.
Virtual Forge will release disassembler over time.
Great presentation on lowlevel bytecode in SAP Abap stack.
# Onapsis Pablo artuso & nahuel Sanchez – SAP Hana security overview – slides here
Already seen this presentation at another event. It is basically a great summary of hana vulnerabilities over the past year.
#erpscan dmitry yudin & vahagn vardanyan sap strikes back. Your sap server now counter-attacks – some info here
Attacking sap users instead of server is great because they are reachable more easy via internet, there are many of them, possible even if server is fully hardened.
Some vulnerabilities from the past: activex and sapgui scripting.
Some new attacks: execute os commands on front-end machines without sap gui showing the warning message.
They presented ways of attacking SAP users by using the SAP server to attack them. Great presentation on this attack vector, I recall some of the same from Virtual Forge some years ago.
#snorky pentest SAP from citrix
Issues in pentesting sap via citrix: no rfc sdk, not possible to install hacking tools, no direct connection to SAP systems .
First break out of citrix context, snorky showed several ways.
Connecting to SAP works via SAP .net connector! No need for RFC SDK and other dependencies.
From there he uses known vulnerabilities to gain access. He used for example our proxy exploit to call local modules remotely :). Also work from onapsis, erpscan, @nmonkee, etc, etc was incorporated.
Demo was done to show how to pentest with the tools, he will release the tools soon!
Great stuff as no additional tooling is needed.
All in all a great SAP Security day with lots of interesting talks, many offensive, in the future it would be nice to see help for SAP running customers in mitigating and defensive solutions.
People interested in our presentation on SAP email vulnerabilities, please see our site for the slides!
Thanks at the Troopers crew for organizing again a great conference!!!
Joris van de Vis