
SAP Backdoor

SAP security research is one of my main tasks at Positive Technologies. In addition, I had to come up with something to talk about at our forum, PHDays III. That is how the research topic was found: how the presence of the SAP_ALL profile (that is, all possible authorizations) on a user can be hidden in an SAP system. If an attacker manages to penetrate the system and obtain the rights to create users and assign privileges to them, then the most likely next step to gain a foothold in the system is to create a new account for themselves, with all the necessary rights, of course. But such a user will show up in the results of internal and external audits, and it is hard to expect that a user with SAP_ALL rights will go unnoticed.

So let's get started. I outlined two vectors of work:

  1. Confuse the authorization analysis reports: by nesting profiles, using a reference user, roles, profile copies, etc.
  2. If you ask SAP specialists "How do you get a list of users with certain rights?", they name transaction SUIM or the RSUSR002 report, which are essentially the same thing. Hence the following idea: analyze the ABAP code of the RSUSR002 report and find a way to get around the report's algorithm, thus hiding the user.

For those interested in the first vector, I suggest looking at the materials of my talk; the second is discussed below.

Let us turn to the logic of the report. It is simple: the list of all users of the system is taken, and each user is checked step by step for the required authorizations. A user who does not match the search criteria is removed from the list. Everything seems simple... But during the analysis, the following line draws attention:



The user with the mysterious name "............" (12 dots) is removed from the output list. Let's test this assumption in practice: create a user whose name is 12 dots, assign it various roles and profiles, and look at the results of the report. As expected, no user with that name appears in the report results!
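An independent cross-check for auditors, as an added example that is not part of the original article or of SAP's code: it resolves nested profiles from raw assignment rows and lists users who effectively hold SAP_ALL but are absent from the report output. It assumes the rows were exported from the user-profile and composite-profile tables (UST04 and UST10C are assumed here); all sample rows are constructed.

```python
# Added example: constructed data; table names and row shapes are assumptions.
TARGET = "SAP_ALL"

def effective_holders(user_profiles, composite_links, target=TARGET):
    """Return users whose profiles reach `target` directly or through nesting.

    user_profiles:   (user, profile) rows, shaped like a UST04 export
    composite_links: (profile, sub_profile) rows, shaped like a UST10C export
    """
    children = {}
    for parent, sub in composite_links:
        children.setdefault(parent, set()).add(sub)

    def reaches(profile, seen):
        if profile == target:
            return True
        if profile in seen:              # guard against cyclic nesting
            return False
        seen.add(profile)
        return any(reaches(sub, seen) for sub in children.get(profile, ()))

    return {user for user, profile in user_profiles if reaches(profile, set())}

def missing_from_report(user_profiles, composite_links, report_users):
    """Users holding SAP_ALL per the raw rows but not listed by the report."""
    holders = effective_holders(user_profiles, composite_links)
    return sorted(holders - set(report_users))

# Constructed sample rows (not from a real system).
UST04_ROWS = [
    ("DDIC", "SAP_ALL"),
    ("JSMITH", "Z_SALES"),
    ("AUDIT01", "Z_WRAP_A"),             # SAP_ALL nested two levels down
    ("." * 12, "SAP_ALL"),               # the 12-dot name the report drops
]
UST10C_ROWS = [
    ("Z_WRAP_A", "Z_WRAP_B"),
    ("Z_WRAP_B", "SAP_ALL"),
    ("Z_WRAP_B", "Z_WRAP_A"),            # cycle, must not loop forever
    ("Z_SALES", "Z_SALES_DISPLAY"),
]
REPORT_USERS = ["DDIC", "AUDIT01"]       # constructed report output

if __name__ == "__main__":
    for user in missing_from_report(UST04_ROWS, UST10C_ROWS, REPORT_USERS):
        print("holds SAP_ALL but not in report:", repr(user))
```
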

Interesting, isn't it: why would the SAP vendor need this? Of course, I cannot answer this question. Maybe this user was created when generating EARLYWATCH reports and did something in the system?..

The following CVSS vector was assigned to the vulnerability:

CVSS Base Score: 4.6
CVSS Base Vector: AV:N/AC:H/Au:S/C:P/I:P/A:P

The score looks low, but you must agree: it is unpleasant to realize that the vendor of the system in which we store and process all critical business information left such a loophole for hiding specially created users. What could it actually be for?

However, it is not all bad. In June 2013, an update closing this vulnerability was released: SAP Note 1844202. Installing it eliminates the problem on your systems.

As you can see in the table below, a fix has been released for all existing versions of SAP_BASIS, starting with version 4.6B. In other words, if you have not yet installed the update, this backdoor is present on your system with one hundred percent probability.



That is all I wanted to tell. I recommend applying the note, which was initiated by yours truly :)

SAP Security note 1844202: https://service.sap.com/sap/support/notes/1844202

Author: Dmitry Gutsko, a leading expert at Positive Technologies.

P.S. Video (Valdai hall, from 4:00 pm) and PHDays presentation slides.

Source: https://habr.com/ru/post/189434/

