Mo’ Budget, Mo’ Problems Steve Lord, Mandalorian
What is this talk about? Large IT Projects n System Integrators n SAP n
What is SAP? Enterprise Resource Planning (SAP R/3) n CRM n EP n HR n FI/CO n BW n MM n PP n
What is SAP/R 3, really? Business process re-implementation n Fancy MIS framework with template processes n Big basket for corporate eggs n
Fundamentals of Large Projects n The bigger the budget, the harder the fall n Compound delays due to complex dependencies n Corners cut to meet deadlines n Functionality Vs. Security n Decision rarely based upon business case n When was the last time you signed off $xxx million? n Don’t believe me?
Irish HSE PPARs and FISP Systems n PPARs (HR) and FISP (FI/CO) n Projected Combined Cost - £ 6. 2 mil n PPARs Cost when halted in 2005 - £ 80 mil n FISP Cost when halted - £ 20. 7 mil n Revenues for Deloitte & Touche - £ 34. 5 mil n Revenues for SAP – Undisclosed (not part of D&T’s fees)
PPARs n “It’s like a case study in how not to run a project … It’s appaling stuff. ” – Enda Kenny, Fine Gael Leader n PPARs could’ve paid for: n. A 600 bed Hospital n 20 St. Patrick’s Day beers for Every Man, Woman and Child in Ireland
HP’s Internal Failure n i. GSO n Launched in 2002 n Consolidate 350 Digital, Compaq, HP, Tandem systems n Expected finish date 2007
HP: The Adaptive Enterprise that couldn’t adapt n Total cost of Implementation failure n US$400 mil (revenue) n US$275 mil (operating profit) n 3 Executives heads n Did I mention this was the total for Q 3 2002?
How is SAP Implemented Internally? n Usually Poorly n Inadequate Skills/Experience n Poor/No Business Requirements Capture n Technology Driven Implementation n Poor Documentation n Usually very expensive ($20 mil+)
How is SAP implemented by External Integrators? n Poorly n Front-loading Skills n Business Requirements Capture? n Partner-driven Implementation n Poor/No Documentation n Subject to contract wrangling n Can be extremely expensive ($50 mil+)
Where does it all go wrong? n Lack of: n Communication n Contingency n Requirements n Simplicity n Security Capture/Analysis
Where does Security come in? n At the end of a long queue n By the time it reaches us, it is: n Non or semi-functional n Delayed n Costing the business n Security’s role is to n SUSO (Shut Up, Sign Off)
Show me the SUSO n You need to sign this off n If you don’t n You’re blocking the business n You’re costing us money n You’re getting in the way of the project n If you do n It’s your backside on the dotted line
End of Talk n Oh you want more?
This is the price, right? Come on down!
This is the price, right? Quiz Show n Prizes n Need Victims Volunteers n
How it works Question is asked n Potential answers are shown n You have to guess which one of the answers was an actual response n
This is the price, right? Question 1
Why can’t we use SSH? A) It (Pu. TTY) isn’t vendor supported n B) SFTP Doesn’t support ASCII n C) We don’t have a PKI n D) Key Management is too difficult n E) The TCO for Open. SSH is too high n
Why can’t we switch off RSH? A) It requires a server rebuild n B) It requires extensive testing that would cost millions n C) Cowboy. Neal n D) We use telnet, you insensitive clod! n E) We don’t know what it would break n
Why did the SI buy the tin prior to completing the design stage? n n A) Because the vendor rebate would be lower next year B) Because the client will have to write off the hardware expenditure anyway C) Because it’s easier to justify spending on one round of big tin than two rounds of smaller tin D) If the client has already paid a fortune up front they’re less likely to pull the plug later
Why were all the consultants on the job South African? A) Because of S. A’s extensive investment in enterprise technology training n B) Because all the experienced guys are from Joburg n C) Because they’re cheaper than native employees and have a lesser understanding of local employment law n
Why are these not risks? n n n A) Because it’s not live yet B) Because you need an account to access the systems C) Because you’d need to have an RSH client and a copy of finger to access the systems D) Because you’d need to have an FTP client to gain access to an unshadowed /etc/passwd E) Because there are plenty of other ways in F) Because you’re holding the project up so just sign off or there’ll be trouble
Well done! n The good news is n People n got prizes The bad news is n We’re all losers in the end
Breaking SAP Send in the clowns
SAP Structure Infrastructure Issues n Front-End Application n Business Logic n Business Processes n Database Skullduggery n
Infrastructure Issues Let me paint you a picture
What does an SAP deployment look like?
What does an SAP deployment look like?
Points of interest There is no standard deployment n There should be Firewalls involved n n If there are, Any-Any rules may be used Sometimes the File Server(s) are shared between dev, test and live too n Sometimes the App Server(s) are shared between dev, test and live too n
How (not) to conduct an SAP Pentest Nmap n Amap n Nikto n Nessus n Metasploit n
How to conduct an SAP Pentest Nmap (-s. S and –s. U only, no –s. V or –A and watch timings) n Manual confirmation of services with standard client tools n RSH, Finger, Net View, Showmount, FTP n No active exploitation n Password guessing possible, but not automated n
SAP Systems are Unpatched n Unhardened n Unmaintained (caveat: security) n Unmanaged (caveat: security) n
Once you’ve got local access n Useful tools n R 3 Trans n TP n SQL Trusts n OSQL –E n SQLPLUS “/ as sysdba” n My. SQL –u root, mysqld_safe
R 3 Trans Uses SAP’s abstracted SQL model (TSQL) n Uses ‘control files’ to perform actions upon databases n R 3 Trans –d –v n n Test database connection
R 3 Trans Control File EXPORT FILE=‘/tmp/. export/’ CLIENT=000 SELECT * FROM USR 02 n Start with: n R 3 Trans n /tmp/control Don’t forget to check trans. log
Where to look /usr/sap/trans n /usr/sap/<SID> n /home/<SID>adm n There is no reason for these directories to be world writeable! n Most should be 700, 770 or 775 n
From the trenches n “We use RSH to copy files around the environment. RSH has a feature call. rhosts which enables us to restrict access to specific users or hosts”
Front-End Issues Busting down the door citing section 404
What front-end? n SAP has many n SAPGUI n Web. GUI/Net. Weaver/ITS/EP n SAPRFC n For the sake of time we will focus on SAPGUI n These issues do apply elsewhere though
SAPGUI
SAPGUI n See the box up next to the green tick? n n Use /? to start debugging Type in a transaction code (T-Code) to start a transaction
SAP Transactions of Note n n n n SU 01 – User Authorization SU 02 – User Profile Administration RZ 04 – Maintain SAP Instances SECR – Audit Information System SE 11 – Data Dictionary SE 38 – ABAP Editor SE 61 – R/3 Documentation SM 21 – System Log SM 31 – Table Maintenance SM 51 – List of Targets SAP Servers SU 24 – Disable Authorization Checks SM 49 – Execute Operating System Commands SU 12 – Delete All Users PE 51 – HR Form Editor (HR) P 013 – Maintain Positions (HR) P 001 – Maintain Jobs (HR)
SAP Transactions of Note n n n n AL 08 – Users Logged On AL 11 – Display SAP Directories OS 01 – LAN Check with Ping OS 03 – Local OS Parameter changes OS 04 – Local System Configuration OSO 5 – Remote System Configuration OSS 1 – SAP’s Online Service System PFCG – Profile Generator RZ 01 – Job Scheduling Monitor RZ 20 – CCMS Monitoring RZ 21 – Customize CCMS Monitor SA 38 – ABAP/4 Reporting SCC 0 – Client Copy SE 01 – Transport and Correction System SE 13 – Maintain Technical Settings (Tables) SUIM – Repository Information System
You can’t access those! n I can access them (or equivalents) if restrictions are based on: n n n Easy Access Menu Items Transactions only Custom-tables (e. g a ZUSERS table of allowed users) Restrictions need to be implemented at the Authorization level So what else is there?
Reports n n n n RPCIFU 01 – Display File RPCIFU 03 – Download Unix File RPCIFU 04 – Upload Unix File RPR_ABAP_SOURCE_SCAN – Search ABAP for a string ; ) RSBDCOS 0 – Execute OS Command RSPARAM – Check System Parameters RSORAREL – Get the Oracle System Release
Tables n Accessible through: n SE 16 (Maintain Tables) n SE 17 (Display Tables) n SA 38 (Execute ABAP) n SE 38 (ABAP Editor) n Customizations (ZZ_TABLE_ADMIN etc. ) n Will Be Covered Later
Job Scheduler n Can’t get OS access? n Use SM 36 or SM 36 WIZ Instead n Specify Immediate Start n External Program as Step
Custom Transaction fun n Input Validation n Selection Criteria Expansion n Path specification (. . /, // etc) n Shell Escapes (; /bin/ls, |”/bin/ls”| etc) n SQL Injection n Export/Import file fun and games n Bypass Authorization Checks
From the trenches n “As discussed in the meeting on <redacted> with <redacted>, we’ve agreed that there is no further action required. I appreciate that you are on holiday at the moment, but we will take your expected non-response in advance as agreement upon the matter. ”
Database Skullduggery Here be Dragons
Database Stuff The Database contains all the data. n The Database is accessed by SAP users through the SAP system. n The SAP database is not subject to the same controls as SAP itself. n n WARNING: DO NOT MODIFY THE DATABASE WITHOUT PERMISSION SIGNED IN BLOOD (not yours)
Getting In Patch Weaknesses n Brute Force n Roundhouse Kicks n Default Accounts n
Speaking of Default Accounts n Default Accounts (with Oracle Hashes) n DDIC/199220706 (4 F 9 FFB 093 F 909574) n SAP/SAPR 3 (BEAA 1036 A 464 F 9 F 0) n SAP/6071992 (B 1344 DC 1 B 5 F 3 D 903) n SAPR 3/SAP (58872 B 4319 A 76363) n EARLYWATCH/SUPPORT (8 AA 1 C 62 E 08 C 76445)
Note about Schemas <610 has SAPR 3 as Schema Owner n >610 uses SAP as Schema Owner n
Database Queries of Note Select MANDT, BNAME, BCODE, USTYP, CLASS from <SAPDB>. . USR 02 n SELECT * FROM UST 04 n SELECT * FROM TSTCT WHERE SPRSL = ‘E’ n SELECT * FROM DBCON n exec master. dbo. xp_cmdshell 'cmd. exe /c net view’ n
Common Values in the DB ACTVT – Activity Code n USTYP – User Type n MANDT – Client Number n BUKRS – Company Code n BEGRU – Authorization n
USTYP values n n n n USTYP specifies the type of user (used in USR 02) A – Dialog (interactive user) C – Communications (CPIC) D – System (BDC) S – Service L – Reference People often don’t change passwords on CPIC users as they’re not sure what breaks
Tables to look at n n n BKPF – Accounting Header (FI) BSEG – Accounting Document Segment (FI) CEPC – Profit Master Data EKKO – PO Header RSEG – Incoming Invoice RBKP – Invoice Receipts KNA 1 – Customer Master Records LFA 1 – Vendor Master Records PNP – Personnel Data (HR Only) CSKS – Cost Centre Master (HR) T 569 V – Payroll Control Records (HR)
Subverting Business Logic It’s not a lie, we just didn’t tell you that
How SAP Controls Access Local logon details in USR 02 n Profile details in UST 04, USR 04 etc. n Authorizations & Profiles n
Custom SAP Code and Access Control n ABAPs and Auths 101 n Authorization checks n AUTHORITY-CHECK n OBJECT <object> If the authority check statement isn’t there, it is assumed that you can go ahead!
SAP Authorization Concept
Common Authorization Snafus ‘Pyramid Structure’ Approach n Overly Restrictive Approach n Use Standard SAP Profiles Approach n Transactions/Menu only Approach n Objects only Approach n
So what happens when things go wrong?
When things go wrong Too much access n Too little access n Disgruntled Employees and no audit trail n Enron style fun n
Business Process Hacking Where you too can be like Neo
Business Process Hacking When your business processes are correctly aligned all is good. n When they aren’t… n … And it’s even worse when it’s legislation
BPH Vs. Social Engineering n From the Canadian charter of rights and freedoms: n 20. (1) Any member of the public in Canada has the right to communicate with, and to receive available services from, any head or central office of an institution of the Parliament or government of Canada in English or French, and has the same right with respect to any other office of any such institution where n a) there is a significant demand for communications with and n n services from that office in such language; or b) due to the nature of the office, it is reasonable that communications with and services from that office be available in both English and French. Is this charter open to abuse?
BPH Example n User provisioning policy not correctly implemented n Weakness: New users created but old ones not disabled n Result: Accounts can be used after owners leave
BPH Example #2 n Evening meal expense claim requires signature of most senior person present n Then signed off by person at higher grade n No requirement to list people present
How does this tie into SAP? n SAP process integration n If the process fits… n If it doesn’t?
A word from our sponsors Well, Steve has to get revenue somehow
A word from our sponsors
OWASP-EAS Stays crisp in milk
OWASP-EAS What? n Why? n How? n When? n
What? OWASP-Enterprise Application Security Project n Enterprise Grade Schnizzle n n Requirements Guidelines n Audit Programmes n Business-level and tech guidance docs
Why? OWASP is great for Web-based stuff n It’s great for toy applications n It’s not great for large business systems n n Not applicable n Not relevant n Not ‘Enterprise Grade’
How? n Initial Launch n Parent OWASP-EAS Mailing List n Develop industry links n Initial projects n OWASP-EAS RFP Guide n Security Document Templates n SAP Assessment Guide n White Papers
When? n Real Soon Now* n Formal launch in June ‘ 06 n ‘Soft’ Launch End April n Mailing List n Sub-Projects Initiation n *may contain nuts
Conclusions
Conclusions SAP is teh r 0 x 0 r n The people who implement it aren’t necessarily so n OWASP-EAS will help them… to a point n
Скачать презентацию Mo Budget Mo Problems Steve Lord Mandalorian
c64de54cdfb15889a538df5fba4f49e5.ppt