
Slide count: 83

Mo’ Budget, Mo’ Problems
Steve Lord, Mandalorian

What is this talk about?
• Large IT projects
• System Integrators
• SAP

What is SAP?
• Enterprise Resource Planning (SAP R/3)
• CRM
• EP
• HR
• FI/CO
• BW
• MM
• PP

What is SAP R/3, really?
• Business process re-implementation
• Fancy MIS framework with template processes
• Big basket for corporate eggs

Fundamentals of Large Projects
• The bigger the budget, the harder the fall
• Compound delays due to complex dependencies
• Corners cut to meet deadlines
• Functionality vs. security
• Decisions rarely based upon a business case
• When was the last time you signed off $xxx million?
• Don’t believe me?

Irish HSE PPARs and FISP Systems
• PPARs (HR) and FISP (FI/CO)
• Projected combined cost: £6.2 mil
• PPARs cost when halted in 2005: £80 mil
• FISP cost when halted: £20.7 mil
• Revenues for Deloitte & Touche: £34.5 mil
• Revenues for SAP: undisclosed (not part of D&T’s fees)

PPARs
• “It’s like a case study in how not to run a project … It’s appalling stuff.” – Enda Kenny, Fine Gael Leader
• PPARs could’ve paid for:
  • A 600-bed hospital
  • 20 St. Patrick’s Day beers for every man, woman and child in Ireland

HP’s Internal Failure
• iGSO
• Launched in 2002
• Consolidate 350 Digital, Compaq, HP and Tandem systems
• Expected finish date 2007

HP: The Adaptive Enterprise that couldn’t adapt
• Total cost of implementation failure:
  • US$400 mil (revenue)
  • US$275 mil (operating profit)
  • 3 executives’ heads
• Did I mention this was the total for Q3 2004 alone?

How is SAP implemented internally?
• Usually poorly
• Inadequate skills/experience
• Poor/no business requirements capture
• Technology-driven implementation
• Poor documentation
• Usually very expensive ($20 mil+)

How is SAP implemented by external integrators?
• Poorly
• Front-loading skills
• Business requirements capture?
• Partner-driven implementation
• Poor/no documentation
• Subject to contract wrangling
• Can be extremely expensive ($50 mil+)

Where does it all go wrong?
• Lack of:
  • Communication
  • Contingency
  • Requirements
  • Simplicity
  • Security capture/analysis

Where does security come in?
• At the end of a long queue
• By the time it reaches us, it is:
  • Non- or semi-functional
  • Delayed
  • Costing the business
• Security’s role is to SUSO (Shut Up, Sign Off)

Show me the SUSO
• You need to sign this off
• If you don’t:
  • You’re blocking the business
  • You’re costing us money
  • You’re getting in the way of the project
• If you do:
  • It’s your backside on the dotted line

End of Talk
• Oh, you want more?

This is the price, right?
Come on down!

This is the price, right? Quiz Show
• Prizes
• Need Victims Volunteers

How it works
• A question is asked
• Potential answers are shown
• You have to guess which one of the answers was an actual response

This is the price, right? Question 1

Why can’t we use SSH?
A) It (PuTTY) isn’t vendor supported
B) SFTP doesn’t support ASCII
C) We don’t have a PKI
D) Key management is too difficult
E) The TCO for OpenSSH is too high

Why can’t we switch off RSH?
A) It requires a server rebuild
B) It requires extensive testing that would cost millions
C) CowboyNeal
D) We use telnet, you insensitive clod!
E) We don’t know what it would break

Why did the SI buy the tin prior to completing the design stage?
A) Because the vendor rebate would be lower next year
B) Because the client will have to write off the hardware expenditure anyway
C) Because it’s easier to justify spending on one round of big tin than two rounds of smaller tin
D) If the client has already paid a fortune up front they’re less likely to pull the plug later

Why were all the consultants on the job South African?
A) Because of S.A.’s extensive investment in enterprise technology training
B) Because all the experienced guys are from Joburg
C) Because they’re cheaper than native employees and have a lesser understanding of local employment law

Why are these not risks?
A) Because it’s not live yet
B) Because you need an account to access the systems
C) Because you’d need to have an RSH client and a copy of finger to access the systems
D) Because you’d need to have an FTP client to gain access to an unshadowed /etc/passwd
E) Because there are plenty of other ways in
F) Because you’re holding the project up, so just sign off or there’ll be trouble

Well done!
• The good news is: people got prizes
• The bad news is: we’re all losers in the end

Breaking SAP
Send in the clowns

SAP Structure
• Infrastructure issues
• Front-end application
• Business logic
• Business processes
• Database skullduggery

Infrastructure Issues
Let me paint you a picture

What does an SAP deployment look like? [diagram slides]

Points of interest
• There is no standard deployment
• There should be firewalls involved
  • If there are, Any-Any rules may be used
• Sometimes the file server(s) are shared between dev, test and live too
• Sometimes the app server(s) are shared between dev, test and live too

How (not) to conduct an SAP pentest
• Nmap
• Amap
• Nikto
• Nessus
• Metasploit

How to conduct an SAP pentest
• Nmap (-sS and -sU only, no -sV or -A, and watch the timings)
• Manual confirmation of services with standard client tools: rsh, finger, net view, showmount, ftp
• No active exploitation
• Password guessing is possible, but not automated
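What the first two steps above yield in practice, as an added Python example that is not part of the original talk: a triage of nmap grepable (-oG) output from a plain -sS scan, keeping open TCP ports and labelling the legacy services the talk says to confirm by hand (ftp, finger, rsh, rpcbind/NFS) plus the SAP server ports that follow SAP’s standard numbering (32NN dispatcher, 33NN gateway, 36NN message server, 80NN ICM HTTP, NN being the instance number). The scan output, host names and addresses are constructed for the example; deriving the instance number from the last two digits of the port is the assumption the classifier rests on, and nothing here needs -sV.

```python
"""Triage of nmap -sS -oG output from an SAP landscape.

Added example, not from the original talk.  Grepable output from a plain
SYN scan carries port/state/protocol and the nmap-services name, which is
enough to decide what to confirm by hand: the legacy services the talk
lists and the SAP server ports that follow SAP's standard numbering
(32NN dispatcher, 33NN gateway, 36NN message server, 80NN ICM HTTP, where
NN is the instance number; an assumption used by classify_port).
"""
import re

# Ports the talk says to confirm manually with standard client tools.
LEGACY_PORTS = {
    21: "ftp",
    79: "finger",
    111: "rpcbind (showmount)",
    512: "rexec",
    513: "rlogin",
    514: "rsh",
    2049: "nfs",
}

# SAP standard port bases; port - base is the instance number (00-99).
SAP_PORT_BASES = {
    3200: "dispatcher (SAPGUI/DIAG)",
    3300: "gateway (RFC)",
    3600: "message server",
    8000: "ICM HTTP",
}

# Constructed sample, not a real scan: one line per host as nmap -oG writes it.
SAMPLE_SCAN = """\
# Nmap 4.01 scan initiated (constructed sample)
Host: 10.0.0.10 (sapprd)\tPorts: 21/open/tcp//ftp///, 79/open/tcp//finger///, 514/open/tcp//shell///, 3200/open/tcp//unknown///, 3300/open/tcp//unknown///, 3600/open/tcp//unknown///\tIgnored State: closed (994)
Host: 10.0.0.11 (sapdb)\tPorts: 22/open/tcp//ssh///, 111/open/tcp//rpcbind///, 1521/open/tcp//oracle///, 2049/open/tcp//nfs///\tIgnored State: closed (996)
Host: 10.0.0.12 (sapweb)\tPorts: 8000/open/tcp//http-alt///, 8001/filtered/tcp//unknown///\tIgnored State: closed (998)
"""

PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")


def parse_grepable(text):
    """Return {host: [(port, state, proto), ...]} from nmap -oG lines."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # fields in -oG are tab separated; the Ports field ends at the next tab
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        hosts[host] = [(int(p), state, proto)
                       for p, state, proto in PORT_RE.findall(ports_field)]
    return hosts


def classify_port(port):
    """Label a port as a legacy service, an SAP service with instance, or None."""
    if port in LEGACY_PORTS:
        return LEGACY_PORTS[port]
    for base, name in SAP_PORT_BASES.items():
        if base <= port < base + 100:
            return "SAP %s, instance %02d" % (name, port - base)
    return None


def triage(text):
    """Map each host to the open TCP ports a tester should confirm by hand."""
    findings = {}
    for host, ports in parse_grepable(text).items():
        labels = []
        for port, state, proto in sorted(ports):
            if state != "open" or proto != "tcp":
                continue  # filtered/closed ports and UDP are not confirmed here
            label = classify_port(port)
            if label:
                labels.append("%d/tcp %s" % (port, label))
        if labels:
            findings[host] = labels
    return findings


if __name__ == "__main__":
    for host, labels in triage(SAMPLE_SCAN).items():
        print(host)
        for label in labels:
            print("   ", label)
```

The point of keeping the scan to -sS is visible in the parser: nothing it relies on comes from version probing, so the same triage works on the conservative scan the talk recommends, and each label is a prompt for a manual check (rsh to the host, finger @host, showmount -e) rather than a conclusion.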

SAP systems are
• Unpatched
• Unhardened
• Unmaintained (caveat: security)
• Unmanaged (caveat: security)

Once you’ve got local access
• Useful tools:
  • R3trans
  • tp
  • SQL trusts
  • osql -E
  • sqlplus "/ as sysdba"
  • mysql -u root, mysqld_safe

R3trans
• Uses SAP’s abstracted SQL model (TSQL)
• Uses ‘control files’ to perform actions upon databases
• R3trans -d -v: test the database connection

R3trans control file
  EXPORT
  FILE='/tmp/.export/'
  CLIENT=000
  SELECT * FROM USR02
• Start with: R3trans /tmp/control
• Don’t forget to check trans.log

Where to look
• /usr/sap/trans
• /usr/sap/<SID>
• /home/<SID>adm
• There is no reason for these directories to be world writeable!
• Most should be 700, 770 or 775
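The permission rule above turned into a check, as an added Python example that is not from the talk: it walks a tree, lists every directory or file whose mode lets “other” write, and compares a directory’s mode against the three modes the talk expects. The tree it audits (stand-ins for /usr/sap/trans, /usr/sap/<SID> and /home/<SID>adm with an assumed SID of PRD, plus a stray control file) is built under a temporary directory here so it runs offline; on a real host you would point audit_tree() at the three paths as the <SID>adm user.

```python
"""World-writable audit of the SAP directories the talk names.

Added example, not from the original talk.  audit_tree() reports every
directory or regular file under a root whose mode lets "other" write, and
check_expected_mode() tests a directory against the modes the talk
expects (700, 770, 775).  build_sample_tree() fabricates a stand-in for
/usr/sap/trans, /usr/sap/<SID> and /home/<SID>adm (SID "PRD" assumed)
under a temporary directory so the whole thing runs offline.
"""
import os
import shutil
import stat
import tempfile

EXPECTED_DIR_MODES = {0o700, 0o770, 0o775}


def mode_of(path):
    """Permission bits of path as an int (symlinks are not followed)."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def audit_tree(root):
    """Return sorted [(path relative to root, octal mode)] of world-writable entries."""
    bad = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # each directory is seen once as dirpath; its files are checked with it
        for full in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            if os.path.islink(full):
                continue  # link modes are meaningless; the target is audited on its own
            mode = mode_of(full)
            if mode & stat.S_IWOTH:
                bad.append((os.path.relpath(full, root), oct(mode)))
    return sorted(bad)


def check_expected_mode(path):
    """Return (mode, True if mode is one of 700/770/775)."""
    mode = mode_of(path)
    return mode, mode in EXPECTED_DIR_MODES


def build_sample_tree():
    """Constructed SAP-style directory layout under a temp dir; returns its root."""
    root = tempfile.mkdtemp(prefix="sapaudit_")
    layout = {
        "usr/sap/trans": 0o777,            # the classic mistake: transport dir open to all
        "usr/sap/PRD": 0o775,
        "usr/sap/PRD/SYS/profile": 0o755,
        "home/prdadm": 0o700,
    }
    for rel in layout:
        os.makedirs(os.path.join(root, rel), exist_ok=True)
    for rel, mode in layout.items():
        os.chmod(os.path.join(root, rel), mode)
    # a world-writable R3trans control file left behind in the transport directory
    ctl = os.path.join(root, "usr/sap/trans/control")
    with open(ctl, "w") as fh:
        fh.write("export\nclient=000\nselect * from USR02\n")
    os.chmod(ctl, 0o666)
    return root


def sample_audit():
    """Build the sample tree, audit it, clean up; returns (bad entries, trans ok?, PRD ok?)."""
    root = build_sample_tree()
    try:
        bad = audit_tree(root)
        trans_ok = check_expected_mode(os.path.join(root, "usr/sap/trans"))[1]
        prd_ok = check_expected_mode(os.path.join(root, "usr/sap/PRD"))[1]
    finally:
        shutil.rmtree(root)
    return bad, trans_ok, prd_ok


if __name__ == "__main__":
    bad, trans_ok, prd_ok = sample_audit()
    for rel, mode in bad:
        print("world writable: %s (%s)" % (rel, mode))
    print("usr/sap/trans mode acceptable:", trans_ok)
    print("usr/sap/PRD mode acceptable:", prd_ok)
```

A world-writable transport directory is worse than it looks: whoever can drop a control file there can have the <SID>adm user run it through R3trans, and the trans.log mentioned above is the only trace.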

From the trenches
• “We use RSH to copy files around the environment. RSH has a feature called .rhosts which enables us to restrict access to specific users or hosts.”

Front-End Issues
Busting down the door citing section 404

What front-end?
• SAP has many:
  • SAPGUI
  • WebGUI/NetWeaver/ITS/EP
  • SAPRFC
• For the sake of time we will focus on SAPGUI
• These issues do apply elsewhere though

SAPGUI [screenshot slide]

SAPGUI
• See the box up next to the green tick?
  • Use /? to start debugging
  • Type in a transaction code (T-code) to start a transaction

SAP transactions of note
• SU01 – User Authorization
• SU02 – User Profile Administration
• RZ04 – Maintain SAP Instances
• SECR – Audit Information System
• SE11 – Data Dictionary
• SE38 – ABAP Editor
• SE61 – R/3 Documentation
• SM21 – System Log
• SM31 – Table Maintenance
• SM51 – List of SAP Servers
• SU24 – Disable Authorization Checks
• SM49 – Execute Operating System Commands
• SU12 – Delete All Users
• PE51 – HR Form Editor (HR)
• P013 – Maintain Positions (HR)
• P001 – Maintain Jobs (HR)

SAP transactions of note
• AL08 – Users Logged On
• AL11 – Display SAP Directories
• OS01 – LAN Check with Ping
• OS03 – Local OS Parameter Changes
• OS04 – Local System Configuration
• OS05 – Remote System Configuration
• OSS1 – SAP’s Online Service System
• PFCG – Profile Generator
• RZ01 – Job Scheduling Monitor
• RZ20 – CCMS Monitoring
• RZ21 – Customize CCMS Monitor
• SA38 – ABAP/4 Reporting
• SCC0 – Client Copy
• SE01 – Transport and Correction System
• SE13 – Maintain Technical Settings (Tables)
• SUIM – User Information System

You can’t access those!
• I can access them (or equivalents) if restrictions are based on:
  • Easy Access menu items
  • Transactions only
  • Custom tables (e.g. a ZUSERS table of allowed users)
• Restrictions need to be implemented at the authorization level
• So what else is there?

Reports
• RPCIFU01 – Display File
• RPCIFU03 – Download Unix File
• RPCIFU04 – Upload Unix File
• RPR_ABAP_SOURCE_SCAN – Search ABAP for a string ;)
• RSBDCOS0 – Execute OS Command
• RSPARAM – Check System Parameters
• RSORAREL – Get the Oracle System Release

Tables
• Accessible through:
  • SE16 (Maintain Tables)
  • SE17 (Display Tables)
  • SA38 (Execute ABAP)
  • SE38 (ABAP Editor)
  • Customizations (ZZ_TABLE_ADMIN etc.)
• Will be covered later

Job Scheduler
• Can’t get OS access?
• Use SM36 or SM36WIZ instead
• Specify immediate start
• External program as step

Custom transaction fun
• Input validation
• Selection criteria expansion
• Path specification (../, // etc.)
• Shell escapes (; /bin/ls, |"/bin/ls"| etc.)
• SQL injection
• Export/import file fun and games
• Bypass authorization checks

From the trenches
• “As discussed in the meeting on <redacted> with <redacted>, we’ve agreed that there is no further action required. I appreciate that you are on holiday at the moment, but we will take your expected non-response in advance as agreement upon the matter.”

Database Skullduggery
Here be dragons

Database stuff
• The database contains all the data
• The database is accessed by SAP users through the SAP system
• The SAP database is not subject to the same controls as SAP itself
• WARNING: DO NOT MODIFY THE DATABASE WITHOUT PERMISSION SIGNED IN BLOOD (not yours)

Getting in
• Patch weaknesses
• Brute force
• Roundhouse kicks
• Default accounts

Speaking of default accounts
• Default accounts (with Oracle hashes):
  • DDIC/19920706 (4F9FFB093F909574)
  • SAP/SAPR3 (BEAA1036A464F9F0)
  • SAP*/06071992 (B1344DC1B5F3D903)
  • SAPR3/SAP (58872B4319A76363)
  • EARLYWATCH/SUPPORT (8AA1C62E08C76445)

Note about schemas
• Before 6.10: SAPR3 is the schema owner
• From 6.10: SAP<SID> is the schema owner

Database queries of note
  SELECT MANDT, BNAME, BCODE, USTYP, CLASS FROM <SAPDB>..USR02
  SELECT * FROM UST04
  SELECT * FROM TSTCT WHERE SPRSL = 'E'
  SELECT * FROM DBCON
  exec master.dbo.xp_cmdshell 'cmd.exe /c net view'

Common values in the DB
• ACTVT – Activity code
• USTYP – User type
• MANDT – Client number
• BUKRS – Company code
• BEGRU – Authorization group

USTYP values
• USTYP specifies the type of user (used in USR02)
• A – Dialog (interactive user)
• B – System (BDC / batch input)
• C – Communications (CPIC)
• S – Service
• L – Reference
• People often don’t change passwords on CPIC users as they’re not sure what breaks
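An added Python example, not the talk’s code, that ties the default-account slide and the USTYP table together: it takes rows with the five USR02 columns the query above selects (MANDT, BNAME, BCODE, USTYP, CLASS) and reports the default accounts present in each client, the communication users whose passwords tend never to change, and accounts that share one hash. The rows are constructed and the BCODE values are placeholder strings rather than real SAP hashes; SAPCPIC is added to the default-account set beyond the names on the slide.

```python
"""Triage of a USR02 extract: default accounts, CPIC users, shared hashes.

Added example, not from the original talk.  Rows carry the five columns
the talk's query selects from USR02 (MANDT, BNAME, BCODE, USTYP, CLASS).
The rows are constructed and the BCODE values are placeholder strings,
not real SAP password hashes; SAPCPIC is added to the default-account
set beyond the names on the slide.
"""
from collections import defaultdict

# Standard users that ship with every system; SAPCPIC is an addition to the slide's list.
DEFAULT_ACCOUNTS = {"SAP*", "DDIC", "EARLYWATCH", "SAPCPIC"}

# USTYP codes as stored in USR02.
USTYP_NAMES = {
    "A": "dialog",
    "B": "system",
    "C": "communication (CPIC)",
    "S": "service",
    "L": "reference",
}

# Constructed sample extract: (MANDT, BNAME, BCODE, USTYP, CLASS).
SAMPLE_USR02 = [
    ("000", "SAP*",       "H-SAPSTAR-1", "A", "SUPER"),
    ("000", "DDIC",       "H-DDIC-1",    "A", "SUPER"),
    ("066", "EARLYWATCH", "H-EW-1",      "A", "SUPER"),
    ("100", "SAP*",       "H-SAPSTAR-1", "A", "SUPER"),     # same hash as in client 000
    ("100", "SAPCPIC",    "H-CPIC-0",    "C", "SUPER"),
    ("100", "ALEREMOTE",  "H-CPIC-1",    "C", "RFC"),
    ("100", "WF-BATCH",   "H-BATCH-1",   "B", "BATCH"),
    ("100", "JSMITH",     "H-USER-7",    "A", "FI_CLERK"),
    ("100", "ZADMIN",     "H-USER-8",    "A", "BASIS"),
]


def default_accounts(rows):
    """{client: sorted [user]} for the standard SAP users present in each client."""
    found = defaultdict(list)
    for mandt, bname, _bcode, _ustyp, _cls in rows:
        if bname in DEFAULT_ACCOUNTS:
            found[mandt].append(bname)
    return {mandt: sorted(users) for mandt, users in found.items()}


def cpic_users(rows):
    """[(client, user, class)] for communication users: passwords rarely rotated."""
    return [(m, b, c) for m, b, _h, u, c in rows if u == "C"]


def shared_hashes(rows):
    """{hash: [(client, user)]} for hashes backing more than one account.

    Whatever code version computed BCODE, an identical hash on two accounts
    means one guessed password opens both (SAP* across clients here).
    """
    by_hash = defaultdict(list)
    for m, b, h, _u, _c in rows:
        by_hash[h].append((m, b))
    return {h: accts for h, accts in by_hash.items() if len(accts) > 1}


def triage(rows):
    """All three findings in one dict, keyed by finding type."""
    return {
        "default_accounts": default_accounts(rows),
        "cpic_users": cpic_users(rows),
        "shared_hashes": shared_hashes(rows),
    }


if __name__ == "__main__":
    for section, result in triage(SAMPLE_USR02).items():
        print(section)
        if isinstance(result, dict):
            for key, value in result.items():
                print("   ", key, value)
        else:
            for item in result:
                print("   ", item)
```

Feed it the output of the USR02 query from the previous slide (one tuple per row) and the CPIC list is the set of passwords to ask about first; a shared hash on SAP* across clients means the client copy carried the password with it.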

Tables to look at
• BKPF – Accounting Header (FI)
• BSEG – Accounting Document Segment (FI)
• CEPC – Profit Centre Master Data
• EKKO – PO Header
• RSEG – Incoming Invoice
• RBKP – Invoice Receipts
• KNA1 – Customer Master Records
• LFA1 – Vendor Master Records
• PNP – Personnel Data (HR only)
• CSKS – Cost Centre Master (HR)
• T569V – Payroll Control Records (HR)

Subverting Business Logic
It’s not a lie, we just didn’t tell you that

How SAP controls access
• Local logon details in USR02
• Profile details in UST04, USR04 etc.
• Authorizations & profiles

Custom SAP code and access control
• ABAPs and auths 101
• Authorization checks: AUTHORITY-CHECK OBJECT …
• If the AUTHORITY-CHECK statement isn’t there, it is assumed that you can go ahead!
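A crude version of the source scan the “Custom transaction fun” slide and the point above call for (RPR_ABAP_SOURCE_SCAN searches ABAP for a string; this looks for the absence of one), as an added Python example that is not the talk’s code: it strips ABAP comments, splits a report into its FORM routines plus the top-level code, and reports OS-command, file, native SQL, CALL TRANSACTION and user-table statements in every unit that contains no AUTHORITY-CHECK at all. The ABAP report it scans is constructed for the example, including its program name and parameters.

```python
"""Find sensitive ABAP statements in units with no AUTHORITY-CHECK.

Added example, not from the original talk.  A crude static check in the
spirit of RPR_ABAP_SOURCE_SCAN: strip comments, split the report into its
FORM routines plus the top-level code, and report OS, file, native SQL,
transaction-call and user-table statements in every unit that contains no
AUTHORITY-CHECK at all.  The ABAP report below is constructed.
"""
import re

# Statement families a reviewer wants guarded by an authorization check.
SENSITIVE = {
    "os command": re.compile(r"CALL\s+'SYSTEM'|SXPG_COMMAND_EXECUTE", re.I),
    "file access": re.compile(r"\bOPEN\s+DATASET\b|\bDELETE\s+DATASET\b", re.I),
    "native sql": re.compile(r"\bEXEC\s+SQL\b", re.I),
    "transaction call": re.compile(r"\bCALL\s+TRANSACTION\b", re.I),
    "user table read": re.compile(
        r"\bSELECT\b[^.]*\bFROM\s+(?:USR02|UST04|USR04)\b", re.I | re.S),
    "dynamic program": re.compile(
        r"\bGENERATE\s+SUBROUTINE\s+POOL\b|\bINSERT\s+REPORT\b", re.I),
}
AUTH_CHECK = re.compile(r"\bAUTHORITY-CHECK\s+OBJECT\b", re.I)
FORM_RE = re.compile(r"\bFORM\s+(\w+)\b.*?\bENDFORM\s*\.", re.I | re.S)

# Constructed sample report: one guarded FORM and two unguarded ones.
SAMPLE_ABAP = """\
REPORT zsteve_demo.
* Constructed example of custom ABAP with mixed guarding.
PARAMETERS: p_file  TYPE string,
            p_tcode TYPE tcode.

START-OF-SELECTION.
  PERFORM show_file.
  PERFORM run_tcode.
  PERFORM list_users.

FORM show_file.
  " Guarded: S_DATASET is checked before the file system is touched.
  AUTHORITY-CHECK OBJECT 'S_DATASET'
           ID 'PROGRAM'  FIELD sy-repid
           ID 'ACTVT'    FIELD '33'
           ID 'FILENAME' FIELD p_file.
  IF sy-subrc <> 0.
    MESSAGE 'No authorization' TYPE 'E'.
  ENDIF.
  OPEN DATASET p_file FOR INPUT IN TEXT MODE ENCODING DEFAULT.
ENDFORM.

FORM run_tcode.
  " Unguarded: nothing restricts which transaction code the user passes in.
  CALL TRANSACTION p_tcode.
ENDFORM.

FORM list_users.
  DATA lt_users TYPE TABLE OF usr02.
  SELECT mandt bname ustyp FROM usr02 INTO CORRESPONDING FIELDS OF TABLE lt_users.
ENDFORM.
"""


def strip_comments(src):
    """Drop full-line (*) and trailing (") ABAP comments."""
    kept = []
    for line in src.splitlines():
        if line.startswith("*"):
            continue
        kept.append(line.split('"', 1)[0])
    return "\n".join(kept)


def split_units(src):
    """[(unit name, code)]: each FORM...ENDFORM, then everything outside them."""
    units, outside, pos = [], [], 0
    for m in FORM_RE.finditer(src):
        outside.append(src[pos:m.start()])
        units.append((m.group(1).upper(), m.group(0)))
        pos = m.end()
    outside.append(src[pos:])
    units.append(("(top level)", "".join(outside)))
    return units


def find_unguarded(src):
    """Sorted [(unit, kind, statement)] for sensitive statements in units lacking AUTHORITY-CHECK."""
    findings = []
    for unit, code in split_units(strip_comments(src)):
        if AUTH_CHECK.search(code):
            continue  # crude: any check in the unit counts, even if sy-subrc is ignored
        for kind, pattern in SENSITIVE.items():
            for m in pattern.finditer(code):
                findings.append((unit, kind, " ".join(m.group(0).split())))
    return sorted(findings)


if __name__ == "__main__":
    for unit, kind, stmt in find_unguarded(SAMPLE_ABAP):
        print("%-12s %-18s %s" % (unit, kind, stmt))
```

Treat the output as a review queue, not a verdict: an AUTHORITY-CHECK whose sy-subrc is never tested still satisfies this scan, a check in a called FORM is not credited to its caller, and a custom Z-table lookup used as the only gate (the ZUSERS pattern from the front-end slides) will not appear here at all.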

SAP Authorization Concept [diagram slide]

Common authorization snafus
• ‘Pyramid structure’ approach
• Overly restrictive approach
• Use-standard-SAP-profiles approach
• Transactions/menu-only approach
• Objects-only approach

So what happens when things go wrong?

When things go wrong
• Too much access
• Too little access
• Disgruntled employees and no audit trail
• Enron-style fun

Business Process Hacking
Where you too can be like Neo

Business process hacking
• When your business processes are correctly aligned all is good
• When they aren’t…
• … and it’s even worse when it’s legislation

BPH vs. social engineering
• From the Canadian Charter of Rights and Freedoms:
  20. (1) Any member of the public in Canada has the right to communicate with, and to receive available services from, any head or central office of an institution of the Parliament or government of Canada in English or French, and has the same right with respect to any other office of any such institution where
  (a) there is a significant demand for communications with and services from that office in such language; or
  (b) due to the nature of the office, it is reasonable that communications with and services from that office be available in both English and French.
• Is this charter open to abuse?

BPH example
• User provisioning policy not correctly implemented
• Weakness: new users created but old ones not disabled
• Result: accounts can be used after their owners leave

BPH example #2
• Evening meal expense claim requires signature of the most senior person present
• Then signed off by a person at a higher grade
• No requirement to list the people present

How does this tie into SAP?
• SAP process integration
• If the process fits…
• If it doesn’t?

A word from our sponsors
Well, Steve has to get revenue somehow


OWASP-EAS
Stays crisp in milk

OWASP-EAS
• What?
• Why?
• How?
• When?

What?
• OWASP Enterprise Application Security Project
• Enterprise-grade schnizzle:
  • Requirements guidelines
  • Audit programmes
  • Business-level and tech guidance docs

Why?
• OWASP is great for web-based stuff
• It’s great for toy applications
• It’s not great for large business systems:
  • Not applicable
  • Not relevant
  • Not ‘Enterprise Grade’

How?
• Initial launch
• Parent OWASP-EAS mailing list
• Develop industry links
• Initial projects:
  • OWASP-EAS RFP Guide
  • Security document templates
  • SAP Assessment Guide
  • White papers

When?
• Real Soon Now*
• Formal launch in June ’06
• ‘Soft’ launch end of April:
  • Mailing list
  • Sub-project initiation
• *may contain nuts

Conclusions

Conclusions
• SAP is teh r0x0r
• The people who implement it aren’t necessarily so
• OWASP-EAS will help them… to a point