SAP: One of the weaker security links?

BrandieAnderson

An Enterprise Resource Planning (ERP) system is often the information backbone of a modern organization: the point of control for its financial reporting, human resources, inventory, production costs, sales and procurement. These systems are so large and complex that they can be considered "information systems within information systems." They often involve proprietary programming, dedicated support and extensive vendor participation. To complicate matters further, how far they reach down the OSI stack and how widely they spread horizontally across the organization is rarely fully understood. This complexity adds another dimension to ERP security and raises the risk rating of this crucial system type.

Systems, Applications & Products in Data Processing (SAP) is one of the most popular and ubiquitous ERP systems in the world, serving 282,000 customers in 190 countries according to the company's 2014 report. SAP security "holes" have been known and reported ever since the first versions of the system, and it is well established that applications are a main attack vector these days. Given that ERPs cross the boundaries between applications, networks and even hardware, it is not surprising that more and more hackers choose either to attack them directly or to use them as an entry and pivoting point for a broader malicious presence. According to a May 2015 study, over 95% of SAP systems worldwide had critical vulnerabilities, and the average period between patches was over 18 months. Security specialists may limit their tests of SAP security to segregation of duties, as they are either inexperienced with or uncomfortable delving into the technical threats surrounding the platform.

Threat Landscape

There is no doubt that hackers possess the same or better information about SAP vulnerabilities as defenders do. The number of relevant exploits is growing, often followed by significant breaches and disruptions.

Attackers usually choose the path of least resistance. Those with enough knowledge of SAP's proprietary code may attack it directly; web-facing customer and vendor portals are another favorite. Most often, these attackers then try to move between SAP components, escalating privileges to reach the valuable information.

There are quite a few vulnerabilities and attacks specific to SAP; MITRE lists over 160 CVEs related to various versions of the system. The following table lists the most common classes of attack against SAP installations, coupled with indications that such an attack might be in progress. These indications are useful input for ESM (enterprise security management) systems, which collect, aggregate and correlate them into a cohesive security picture.

Attack: SAP password cracking
Attack indicators:
- USR02 table is retrieved with transaction SE16 by users who wouldn't normally need it.
- User logs in from an unusual location or at an unusual time.
- User performs actions she does not need or does not normally perform.
- Profile parameter login/password_downwards_compatibility is set to 1.
- BCODE field stores the user password using CODVN B.
- BCODE field stores the user password truncated at 8 characters.
- BCODE field stores the user password converted to uppercase.
- PASSCODE field contains the complete password, hashed with CODVN F.
- BCODE field stores the user password using CODVN I.
- SAP password is shorter than 8 characters.
- Initial password is a dictionary word.
- User has access to USR02.
- SAP servers are not deployed in an internal DMZ.
- Direct connections to the SAP databases are allowed.
- Tables USR02, USH02 and USRPWDHISTORY can be directly accessed through table maintenance tools (transactions SE16, SE17, SE11, etc.).
- Authorization object S_TABU_DIS is not used.
- The same passwords are used for critical users (SAP*, DDIC, administration users, etc.) in all systems and clients.
- login/min_password_lng is less than or equal to 8.
- login/min_password_lowercase is less than or equal to 0.
- USR40 table is configured to allow dictionary-based passwords.

Attack: Insecure default configuration of SAP Knowledge Management
Attack indicators:
- User is part of the "Everyone" group.
- User has "Full Control" permissions.
- Phishing scams and Web 2.0 attacks against the employees.
- Modification and/or deletion of sensitive business information occurred.
- Two or more user groups have identical access.
- User is a Guest of SAP Enterprise Portal.
- "Everyone" group has Full Control in at least one KM folder.

Attack: Malicious penetration
Attack indicators:
- Transaction SE03 is performed.
- A new user with the SAP_ALL profile is created.
- login/password_downwards_compatibility profile parameter is set to 3 or 4.
- Password is checked against the "weak" hash value.
- USR02 table is modified.

Attack: Hardcoded user names
Attack indicators:
- SAP Security Notes contain hard-coded name notifications.
- Transaction SCI or report RS_ABAP_SOURCE_SCAN has not been used or reviewed in a while.

Attack: Malicious code in ABAP programs
Attack indicators:
- No security code reviews of custom ABAP code are performed.
- Database table REPOSRC is not secured.
- Table REPOSRC was modified.
- SET DATA was changed in table REPOSRC.
- PROGNAME was changed in table REPOSRC.
- DELETE FROM SAPSR3.REPOLOAD was executed.
- Transactions like FK01 (Create Vendor), ME21 (Create Purchase Order), PA30 (Maintain HR Master Data) and FI12 (Change House Banks/Bank Accounts) were modified.
- Vendor bank account information is changed.
- Customer information is sent from the SAP system to a web server on the Internet.
- SAP platform is connected to a SCADA system.
- ABAP programs that receive the SCADA signal information were modified.

Attack: Exploits in authenticated mode
Attack indicators:
- SAPMSYST was modified.
- Transaction SE38 is executed.

Attack: Invoker Servlet bypass
Attack indicators:
- Call to any servlet class located in WEB-INF\classes, WEB-INF\lib or WEB-INF\additionallib.
- Any servlet is called through its fully qualified class name via URL, e.g. http://sap-server/appname/servlet/com.company.privateServlet1Interface
- "EnableInvokerServletGlobally" property of servlet_jsp on the server nodes is "True".

Attack: Web access abuse
Attack indicators:
- The ICM returns one of the following Server headers:
    server: SAP Web Application Server (1.0;<VERSION>)
    server: SAP NetWeaver Application Server (1.0;<VERSION>)
    server: SAP NetWeaver Application Server / ABAP <VERSION>
    server: SAP NetWeaver Application Server <VERSION> / ICM <VERSION>
- The J2EE Engine returns one of the following Server headers:
    Server: SAP J2EE Engine/<VERSION>
    Server: SAP NetWeaver Application Server <VERSION> / AS Java <VERSION>
- ICM Server header is the default.
- J2EE Engine banner is the default (property UseServerHeader).
- An erroneous service request (such as /scripts/wgate/inexistent/!) triggers a default error message (e.g. 403 or 404).
- J2EE Engine SAP Enterprise Portal shows the default path for the application (/irj/portal).
- SAP EP provides version information in the source code of the generated pages.

Attack: Unrestricted access to ICF services
Attack indicators:
- ICF service is enabled and public.
- Standard users SAP*, DDIC, EARLYWATCH, SAPCPIC and TMSADM have publicly known default passwords.
- Info Service is enabled.
- Info Service was accessed through the /sap/public/info URL without business need.
- SOAP RFC service is activated.
- WEBGUI service was accessed through the /sap/bc/gui/sap/its/webgui URL without business need.
- Web Dispatcher administration interface (default path /sap/wdisp/admin) is accessible from untrusted networks.
- Web Dispatcher administration interface (default path /sap/wdisp/admin) password for the administrator user is weak.
- SAP J2EE Engine application wsnavigator is enabled.
- SAP J2EE Server allows direct connections.
- HTTP request is sent directly to the SAP server:
    GET /irj/portal HTTP/1.1
    Host: <server>:<port>
    <additional_headers>
    <AUTH_HEADER>: <user_to_impersonate>
  where AUTH_HEADER is the header set by the spoofed third-party authentication solution.
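Several of the password-cracking and malicious-penetration indicators in the table are static configuration checks (profile parameters and the hash versions stored in USR02), which makes them easy to feed into an ESM as a scheduled audit. The script below is an added example, not code from the original post: it evaluates a constructed profile-parameter dump and a few constructed USR02 rows against those indicators. The "name = value" dump format, the row layout and the placeholder hash values are assumptions for this example; the parameter, table and field names are the ones the table uses.

```python
"""Audit SAP password-policy indicators from the table above.

Added example, not code from the original post. The 'name = value' dump
format and the USR02 row layout are assumptions for this example.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample profile parameters, deliberately weak so indicators fire.
SAMPLE_PROFILE = """
# constructed export (format assumed for this example)
login/password_downwards_compatibility = 1
login/min_password_lng = 8
login/min_password_lowercase = 0
"""

# Constructed USR02 rows. BCODE/PASSCODE values are placeholders, not real hashes.
SAMPLE_USR02 = [
    {"BNAME": "SAP*",   "CODVN": "B", "BCODE": "<bcode-hash>", "PASSCODE": ""},
    {"BNAME": "JDOE",   "CODVN": "F", "BCODE": "",             "PASSCODE": "<passcode-hash>"},
    {"BNAME": "OLDUSR", "CODVN": "I", "BCODE": "<bcode-hash>", "PASSCODE": "<passcode-hash>"},
]

Finding = Tuple[str, str]  # (subject, indicator tag)


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines; blank lines and '#' comments are ignored."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([\w/]+)\s*=\s*(.*)$", line)
        if m:
            params[m.group(1)] = m.group(2).strip()
    return params


def _as_int(params: Dict[str, str], name: str):
    """Return the parameter as an int, or None when absent or non-numeric."""
    try:
        return int(params[name])
    except (KeyError, ValueError):
        return None


def check_profile(params: Dict[str, str]) -> List[Finding]:
    """Profile-parameter indicators from the table."""
    findings: List[Finding] = []
    compat = params.get("login/password_downwards_compatibility")
    if compat == "1":
        # Table: value 1 is a password-cracking indicator (legacy BCODE hash kept).
        findings.append(("login/password_downwards_compatibility", "set-to-1"))
    elif compat in ("3", "4"):
        # Table: 3 or 4 is a malicious-penetration indicator (weak hash is checked).
        findings.append(("login/password_downwards_compatibility", "set-to-3-or-4"))
    min_len = _as_int(params, "login/min_password_lng")
    if min_len is not None and min_len <= 8:
        findings.append(("login/min_password_lng", "le-8"))
    min_lower = _as_int(params, "login/min_password_lowercase")
    if min_lower is not None and min_lower <= 0:
        findings.append(("login/min_password_lowercase", "le-0"))
    return findings


def check_usr02(rows) -> List[Finding]:
    """Hash-storage indicators from the table, evaluated per USR02 row."""
    findings: List[Finding] = []
    for row in rows:
        user = row["BNAME"]
        if row.get("CODVN") == "B":
            findings.append((user, "codvn-b"))
        if row.get("CODVN") == "I":
            findings.append((user, "codvn-i"))
        if row.get("BCODE"):
            # Any populated BCODE is the truncated, uppercased legacy hash.
            findings.append((user, "bcode-present"))
    return findings


def audit(profile_text: str, usr02_rows) -> List[Finding]:
    """Combine both checks into one list an ESM can ingest."""
    return check_profile(parse_profile(profile_text)) + check_usr02(usr02_rows)


if __name__ == "__main__":
    for subject, tag in audit(SAMPLE_PROFILE, SAMPLE_USR02):
        print(f"{subject}: {tag}")
```

On the constructed sample the audit reports seven findings: the three weak profile parameters, CODVN B and a populated BCODE for SAP*, and CODVN I plus a populated BCODE for OLDUSR. JDOE, who only has a CODVN F PASSCODE, produces nothing.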
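The web-access, invoker-servlet and ICF indicators, by contrast, show up in HTTP traffic, so they are best checked over web or reverse-proxy logs. The following script is an added example, not code from the original post: it scans constructed HTTP exchanges for the default Server banners listed in the table, for invoker-servlet style URLs, and for the spoofed-header pattern (the authentication header arriving from a client that is not the trusted authentication proxy). The exchange record layout, the header name X-Auth-User and the addresses are assumptions for this example; the banner patterns and the URL form come from the table.

```python
"""Web-access indicators from the table above, checked over constructed HTTP exchanges.

Added example, not code from the original post. The record layout, the header
name X-Auth-User and the IP addresses are assumptions for this example.
"""
import re
from typing import List, Set, Tuple

# Default Server banners listed in the table (ICM and J2EE Engine).
DEFAULT_BANNERS = [
    re.compile(r"^SAP Web Application Server \(1\.0;"),
    re.compile(r"^SAP NetWeaver Application Server"),
    re.compile(r"^SAP J2EE Engine/"),
]

# Invoker-servlet style URL: /<app>/servlet/<fully.qualified.ClassName>
INVOKER_RE = re.compile(r"^/[^/]+/servlet/[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)+$")

# Constructed exchanges. 10.0.0.5 plays the trusted authentication proxy;
# 192.0.2.77 is an untrusted client talking to the J2EE server directly.
SAMPLE_EXCHANGES = [
    {"client": "10.0.0.5", "path": "/irj/portal",
     "request_headers": {"Host": "sap-server:50000", "X-Auth-User": "jdoe"},
     "response_headers": {"Server": "SAP NetWeaver Application Server 7.4 / AS Java 7.4"}},
    {"client": "192.0.2.77", "path": "/irj/portal",
     "request_headers": {"Host": "sap-server:50000", "X-Auth-User": "admin"},
     "response_headers": {"Server": "proxy"}},
    {"client": "192.0.2.77",
     "path": "/appname/servlet/com.company.privateServlet1Interface",
     "request_headers": {"Host": "sap-server:50000"},
     "response_headers": {"Server": "SAP J2EE Engine/7.0"}},
]

Finding = Tuple[str, str]  # (client address, indicator tag)


def is_default_banner(server_header: str) -> bool:
    """True when the Server header is one of the default SAP banners."""
    return any(p.match(server_header) for p in DEFAULT_BANNERS)


def is_invoker_call(path: str) -> bool:
    """True when the path addresses a servlet by fully qualified class name."""
    return INVOKER_RE.match(path) is not None


def scan(exchanges, trusted_proxies: Set[str], auth_header: str = "X-Auth-User") -> List[Finding]:
    """Evaluate each exchange against the three traffic-visible indicators."""
    findings: List[Finding] = []
    for ex in exchanges:
        client = ex["client"]
        req = {k.lower(): v for k, v in ex["request_headers"].items()}
        resp = {k.lower(): v for k, v in ex["response_headers"].items()}
        if is_default_banner(resp.get("server", "")):
            findings.append((client, "default-server-banner"))
        if is_invoker_call(ex["path"]):
            findings.append((client, "invoker-servlet-call"))
        if auth_header.lower() in req and client not in trusted_proxies:
            # The header is only trustworthy when the authentication proxy set it;
            # from any other source it is the spoofed-header pattern in the table.
            findings.append((client, "auth-header-from-untrusted-client"))
    return findings


if __name__ == "__main__":
    for client, tag in scan(SAMPLE_EXCHANGES, {"10.0.0.5"}):
        print(f"{client}: {tag}")
```

The trusted-proxy set is the key design choice: the authentication header itself is legitimate when it comes from the proxy, so the detection keys on the source rather than on the header's presence, which is exactly why the table pairs the spoofed request with "SAP J2EE Server allows direct connections".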

 

Post written by Guest Researcher Roman Potapov

About the Author

BrandieAnderson

Head of OpSec Research
