
How I taught the Arab sheikhs SAP

Women in veils, men in traditional Arab robes, carved walls and lots and lots of gilding, and all of it inside a huge wooden ship. This is what the Kuwait Info Security Conference 2012 looks like.



As part of my job at Digital Security, promoting SAP security to the masses, and also for the sake of high scores and new acquaintances, I occasionally speak at various international security conferences ... although it would be more accurate to call them conferences on insecurity, since the leading researchers talk about new and interesting ways to hack information systems. Despite two dozen talks at events like BlackHat and HITB, I still remember the conference in Kuwait as one of the most unusual.



Attention!
Those who are interested only in the technical details of the SAP vulnerabilities: for you, that information is set in italics and cleared of the author's emotional experiences from the trip. A video demonstrating an SAP hack is available at the end of the article.

Frankly, at first I had little idea where I was going, and joked that I would go to teach the Arabs cyberterrorism. As it turned out later, Kuwait, though an Arab country, is by no means poor, quite the opposite. Holding about 10% of the world's oil reserves, the country lives off oil production, which, according to various sources, makes up 90 to 98% of exports (by the way, what the remaining 2% is remains a big question for me).



There are about 1 million native Kuwaitis in the country, among whom this wealth is effectively distributed. Besides them, there are about 3.5 million immigrants in Kuwait, mostly Indians and other Asians. So in shops, hotels, restaurants and, in general, everywhere, you deal as a rule with Indians: the Arabs have made it in life and don't want to work.

So I had to spend the May holidays in a country where there is no alcohol even in Duty Free, which for many would be a fatal blow, but I wasn't the least bit upset. Having spent 2 days in Kuwait, having driven from Saudi Arabia to the very border with Iraq (I'm not as cool as Tema to go there), and having looked at the oil rigs and endless construction sites, I went to the hotel where the conference was held.

At first it seemed that the hotel wasn't even finished and that all this was some kind of joke: really, how could a conference take place here, in the middle of the desert?.. Nevertheless, a huge wooden ship was moored to the shore (by the way, it is listed in the Guinness Book of Records as the world's largest wooden ship). That was the hotel, or rather the conference hall in which the event took place.




The hall was furnished not with boring rows of chairs, as at any other conference, but with round tables at which the local sheikhs sat down, and a separate throne-like bench in place of the front rows. With about five minutes left before the start, only one thought tormented me:



... is this really the place where I have to talk about a buffer overflow in an SAP NetWeaver kernel function, and then about exploiting this overflow through a transaction call that runs a vulnerable report, which calls the kernel module and sends 108 bytes to overwrite EIP and about 100 more for the shellcode, and how hard it was to cram it all in, given that the size of the input value is limited to 255 bytes ...

And then my thoughts were interrupted by a general bustle: everyone rushed off somewhere. I realized that the most important sheikh seemed to have arrived, the one for whom the seat on the front bench had been cleared. After all the assembled media representatives had finished photographing him, he went up on stage and ... no, did not begin a keynote, as would be logical to assume given the subject of the conference, but began to pray.

.... Meanwhile, thoughts were nagging at me again: shouldn't I go up to my room and redo the presentation, throwing everything out and leaving only three pictures, something like: oil, terrorist, ERPScan ... No, really, they know what a denial of service is, perhaps better than I do, which means one can explain the denial-of-service vulnerability in the SAP NetWeaver ABAP web interface, which occurs when an XML request to the WEBRFC service is processed. In fact, everything is simple there: there is a web interface that any user of the system has access to, as does an attacker who was not too lazy to search the Internet for a list of default SAP users and passwords. There are many RFC functions that let you perform various actions in the system but require additional rights, and there is the function RFC_PING, which requires no rights at all. The XML parser, in turn, as my colleague d00kie discovered long ago, was written by Indians, in a sense, and has a vulnerability called XML Entity Expansion, or XML Blowup (examples below). It consists in forming, inside the XML document, a set of recursive references to entities defined in ENTITY declarations, which makes the XML parser mercilessly consume system resources. Thus, having sent hundreds of such requests, you can easily bring down a server with SAP, and all the company's business processes will be down for the duration of the attack ....

    <?xml version="1.0"?>
    <!DOCTYPE root [
      <!ENTITY ha "Ha !">
      <!ENTITY ha2 "&ha; &ha;">
      <!ENTITY ha3 "&ha2; &ha2;">
      <!ENTITY ha4 "&ha3; &ha3;">
      <!ENTITY ha5 "&ha4; &ha4;">
      ...
      <!ENTITY ha128 "&ha127; &ha127;">
    ]>
    <root>&ha128;</root>

    <?xml version="1.0"?>
    <!DOCTYPE foobar [
      <!ENTITY x "AAAAA… [100KB of them] … AAAA">
    ]>
    <root>
      <hi>&x;&x;….[30000 of them] … &x;&x;</hi>
    </root>
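The defender's counterpart to the two payloads above, as an added example (not code from the original post or from SAP): a pre-parser gate that computes how large an XML request would become after entity expansion without actually expanding it, so both the doubling chain and the "one huge entity referenced 30000 times" variant can be refused before a real parser touches them. The size and entity-count limits, and the sample-document builder, are assumptions constructed for this example.

```python
import re

# Added example, not code from the original post: estimate the fully
# expanded size of an XML request *without* expanding it, so the two
# payload shapes shown above can be rejected before they reach the real
# parser. Limits and the constructed sample builder are assumptions.
ENTITY_DECL = re.compile(r'<!ENTITY\s+([\w.-]+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r'&([\w.-]+);')
INTERNAL_SUBSET = re.compile(r'<!DOCTYPE\b[^\[>]*\[(.*?)\]\s*>', re.S)

def split_entities(doc):
    """Return ({entity name: replacement text}, document with the DTD removed)."""
    m = INTERNAL_SUBSET.search(doc)
    if not m:
        return {}, doc
    return dict(ENTITY_DECL.findall(m.group(1))), doc[:m.start()] + doc[m.end():]

def expanded_len(text, entities, cache, stack=()):
    """Length of text after entity expansion; inf if the entities are recursive."""
    total, last = 0, 0
    for ref in ENTITY_REF.finditer(text):
        total += ref.start() - last
        last = ref.end()
        name = ref.group(1)
        if name not in entities:          # &lt; etc. or undefined: counted verbatim
            total += ref.end() - ref.start()
            continue
        if name in stack:                 # a -> b -> a would loop forever
            return float("inf")
        if name not in cache:             # memoised: ha128 costs 128 steps, not 2^128
            cache[name] = expanded_len(entities[name], entities, cache, stack + (name,))
        total += cache[name]
    return total + len(text) - last

def xml_expansion_size(doc):
    entities, body = split_entities(doc)
    return expanded_len(body, entities, {})

def is_safe_xml(doc, max_expanded=1_000_000, max_entities=100):
    """Gate for a WEBRFC-style endpoint: refuse oversized or recursive expansions."""
    entities, _ = split_entities(doc)
    return len(entities) <= max_entities and xml_expansion_size(doc) <= max_expanded

def laughs_payload(depth):
    """Constructed sample: the 'Ha !' doubling chain from the text, depth levels deep (depth >= 2)."""
    names = ["ha"] + ["ha%d" % i for i in range(2, depth + 1)]
    decls = ['<!ENTITY ha "Ha !">'] + ['<!ENTITY %s "&%s; &%s;">' % (names[i], names[i - 1], names[i - 1])
                                      for i in range(1, len(names))]
    return '<?xml version="1.0"?><!DOCTYPE root [%s]><root>&%s;</root>' % ("".join(decls), names[-1])
```

Because the size is computed on the declarations rather than by expanding them, checking the 128-level chain costs 128 memoised steps instead of 2^128 bytes of memory.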


The introductory remarks ended, and the talks from Qualys and Symantec began, about the security of your cloud and about information security trends, which traditionally include mobility, cloud and industrial networks; I had heard enough of that already, so I went to the exhibition hall, where I met colleagues from ELCOMSOFT, who had also decided to take part in this conference. Special thanks to them for the pleasant company and the pictures.



Soon Andrey Belenko's talk was due to start; I decided to listen to it and watch the audience's reaction, since his talks are traditionally technical enough, and this was a great opportunity to understand how to structure my own talk and what to focus on.

... Excellent, I thought: Andrey's talk was about passwords and encryption algorithms, and that is just what I need, since one of my SAP vulnerabilities concerns encryption. The thing is that the SAP GUI application, in fact the main client utility for connecting to SAP, allows passwords to be stored in shortcuts. This feature is disabled by default in new versions, but you understand yourselves: when an accountant needs things to be convenient, passwords are often written into these shortcuts, which I have frequently found during audits. Naturally, passwords are not stored there in clear text; they are encrypted. Although "encrypted" is saying a lot: for such encryption Diffie and Hellman would have awarded the author the Order of the Facepalm, cubed. Not quite a Caesar cipher, but practically one. XOR was used for the encryption. With a static key. The key is the same for all installations of all versions ... In general, a notable FAIL, and most importantly, nobody is going to fix it, since SAP decided that this is not a vulnerability. Well, if it's not a bug, it's a feature, so let everyone know, in case you suddenly need to recover a "forgotten" password. By the way, getting access to the workstation itself is no great labor either, and it can be done through the ActiveX vulnerabilities in SAP GUI, which I have talked about for a long time, or, for example, with a Teensy USB, which you can read about in my colleague's article.
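Why "XOR with a static key" is practically a Caesar cipher, as an added illustration that is not code from the original post or from SAP: under a repeating-key XOR, decryption is the same operation as encryption, a single shortcut whose password is already known yields the key for every other shortcut, and two ciphertexts XORed together cancel the key entirely. The key below is a constructed placeholder; the real SAP GUI key is not on this page and is not reproduced here. The practical conclusion for an auditor is that a shortcut with a stored password is a cleartext credential.

```python
# Added example, not code from the original post. PLACEHOLDER_KEY is a
# made-up value standing in for "the static key"; it is not SAP's key.
PLACEHOLDER_KEY = bytes.fromhex("5a3c9e1781")

def xor_with_key(data, key):
    """Repeating-key XOR: the same call both 'encrypts' and 'decrypts'."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_key(known_plaintext, ciphertext, key_len):
    """C xor P = K: one shortcut with a known password reveals the key for all of them."""
    if len(known_plaintext) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(known_plaintext[i] ^ ciphertext[i] for i in range(key_len))

def key_cancels(ct1, ct2):
    """C1 xor C2 = P1 xor P2: the static key drops out without ever being known."""
    return bytes(a ^ b for a, b in zip(ct1, ct2))
```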

Actually, I don't remember anything else from the first day, and I was slightly cheered by the fact that the audience seemed rather well-versed in my area, even though they look unusual. The next day the talks were more technical, and from one of them I even managed to draw a couple of interesting thoughts. While I was sitting in the hall, I realized that Kuwaitis are, in general, strange people. The passion to stand out is no less developed in them than in Russians, and many look and behave like children who have come into their grandmother's inheritance and really don't know what to do with it properly. So, for example, almost every self-respecting Kuwaiti has 2 smartphones, often 2 iPhones, a black one and a white one. Well, they can't decide which is cooler, so just in case they carry both.

So time flew by, and the talk began from, let's say, colleagues in SAP security, who talked about GRC and segregation of duties. Unfortunately, the majority equate SAP security with this area, although now that SAP has closed its two-thousandth software vulnerability (and 80% of those 2000 were closed in the last 3 years), the opinion that SAP security is only segregation of duties looks especially strange. However, I think I'll write a separate post on this subject sometime.

... After this talk I became even more bored, because, first, the audience was clearly at least aware of what SAP is, minimally familiar with what SAP consists of, and even understood that there are security problems, at a minimum concerning segregation of duties. And therefore you can tell them that there are many other problems, for example the internal language ABAP, in which the programs in an SAP system are written. Like many other languages, it can contain vulnerabilities, and indeed it does. The same SQL injections, directory traversal when accessing the file system, ABAP code injection, cross-site scripting if we are talking about BSP (web scripts written in a mixture of ABAP and HTML), and other problems, as well as many unique vulnerabilities inherent in code developed in ABAP. One of the interesting vulnerabilities we found in SAP, which is common in web applications and known to everyone else from CGI scripts, is called "OS command injection". The logic here is the same: in ABAP there are kernel calls that allow OS commands to be executed. Sometimes the parameters of these calls come from the user and are not filtered. Thus, using the "&" symbol that separates commands in Windows, you can append your own command to the one being called, for example "net user hacker QWERTY /add", thereby creating a new account in the OS.

For a detailed demo of how to log in with user EARLYWATCH and password support and execute an OS command, see the video.



As a result, having delivered my entire talk, "TOP 10 most interesting SAP vulnerabilities", I received quite positive reviews and laughter from the audience at the especially funny vulnerabilities.



I will consider the other vulnerabilities in more detail in subsequent posts. Everything related to SAP security is also available on the project website erpscan.com / erpscan.ru in the research and publications sections.

In general, Kuwait is, of course, not a tourist country, and people who are used to excursions and proper service are unlikely to appreciate this place, let alone want to return, but nevertheless the beginnings of a United Arab Emirates or a Dubai are present there. You'll see, in 5 years Kuwait may become a second Dubai, but for now the houses are unfinished, the water is dirty, the food is American, there is no alcohol even in Duty Free, but the people are very friendly, the desert scenery is unique, there is Arabic flavor, and it is simply an unusual place.

Source: https://habr.com/ru/post/144383/

