ERP Security:
How hackers can open the safe
and take the jewels
September 25-27, 2013
Ekoparty Security Conference
Buenos Aires, Argentina
Ezequiel Gutesman (@gutes) egutesman@onapsis.com
Jordan Santarsieri (@jsansec) jsantarsieri@onapsis.com
ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved 2
Disclaimer
This publication is copyright 2013 Onapsis Inc. – All rights reserved.
This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP NetWeaver, Duet,
PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are
trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web
Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or
registered trademarks of Business Objects in the United States and/or other countries.
This publication contains references to the products of Oracle; the Oracle products and services mentioned herein are
trademarks or registered trademarks of Oracle in all countries all over the world.
SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP
Group shall not be liable for errors or omissions with respect to the materials.
Oracle Corporation is neither the author nor the publisher of this publication and is not responsible for its
content, and Oracle Corporation shall not be liable for errors or omissions with respect to the materials.
Agenda

1. Introduction
   • Why bother about ERPs?
   • History of ERP security
   • ERP security for hackers
2. Targeting ERPs
   • Reinventing the wheel: technology stacks
   • Attack vectors
   • Demo time: sabotage, espionage, fraud
3. Conclusions
1. Introduction
Why bother about ERPs?

(figure) ERPs run the core business processes: sales, production, financial planning, invoicing, procurement, treasury, logistics, payroll, billing and human resources.
Why bother about ERPs?

(figure) Who runs them: Forbes 500 companies and mid-size companies alike.
Why bother about ERPs?

(figure) Threat evolution: zombies → botnets → hacktivism (*) → cyberwarfare & surveillance, all of it built on vulns.
(*) http://suelette.home.xs4all.nl/underground/underground.txt
Why bother about ERPs?

• They run business-critical processes
• They store the most sensitive information
• Organizations are highly dependent on them
History of ERP security

(figure) Timeline from 1970 to 2013; counts in parentheses are the publications that year.

ERP and ERP security milestones:
• 1972: SAP RF → R/1
• 1980: SAP R/2 (mainframe)
• 1993: SAP R/3 (realtime, 3-tier)
• 2002: SAP "virus" SAPVir; "Wir hacken eine SAP Datenbank" ("We hack an SAP database")
• 2003: "SAP" Password Sicherheit ("SAP" password security)
• 2004: SAP NetWeaver
• 2007: Exploiting SAP Internals
• 2008: SAP @ JtR
• 2009 (3): Attacking SAP clients; Decompression of SAP's DIAG protocol; The risks of downward compatibility
• 2010 (5+): SAP Knowledge Management; Attacking users with SAPSploit; Rootkits and Trojans on your SAP Landscape; The truth about ABAP Security; Protecting SAP Applications Against Common Attacks (SAP); SAP Security Notes
• 2011 (5+): The Invoker Servlet; SAP Backdoors & Rootkits; Arch. & program vulns in SAP's J2EE engine; Security of Enterprise Business Application Systems; Attacks to SAP Web Applications
• 2012 (10+)

General security milestones on the same axis:
• 1972: buffer overflows
• 1988: Morris worm
• 1995: XSS
• 1996: Ping of Death
• 2001: heap spraying; OWASP
• 2002: SQLi; CSRF
• 2003: Metasploit
• 2006: Blue Pill
• 2008: Debian PRNG bug
• 2010: practical padding oracles
• 2011: BEAST
• 2012: CRIME

The bars on the figure contrast 30 years of SoD with 13 years of technical ERP security research.
ERP security for hackers

• Espionage: extract customer/vendor/HR data, financial planning information, balances, profits, sales information, manufacturing recipes, etc.
• Sabotage: paralyze the operation of the organization by shutting down the ERP system, disrupting interfaces with other systems, deleting critical information, etc.
• Fraud: modify financial information, tamper with sales and purchase orders, create new vendors, modify vendor bank account numbers, etc.
2. Targeting ERPs
Reinventing the wheel: technology stacks

(figure) Layered architecture and attack vectors:
• Layers: client (web / API / thick client), application server, DB, OS
• Client to application server: proprietary protocols / HTTP / SOAP / CORBA
• Application server to DB, external servers and other application servers: trust relationships / ODBC / other
Reinventing the wheel: technology stacks

Layered architecture and attack vectors – SAP (figure): http://bit.ly/19AXe7Y
Reinventing the wheel: technology stacks

Layered architecture and attack vectors – Oracle JD Edwards (figure): http://bitly.com/QB12xx
• Clients → Web Server → JDE Java Application Server (JAS): HTTP
• JAS → JDE Enterprise Server: JDENET
• JDE Enterprise Server → Database Server: ODBC
• JDE Deployment Server → Database Server: ODBC
Attack vectors

• Components and servers through protocols
  – P4, DIAG, RFC, NI, CORBA, SOAP, JDENET, HTTP, SNC, etc.
• Crypto
  – Stored keys, default certificates, proprietary schemes
• Business, through data manipulation
  – Default credentials, lack of checks
• Apps
  – Web, companion apps, transactions, reports, external tools, APIs
• DB
  – Connectors, trust relationships, default accounts
Demo time!

Sabotage

JD Edwards: Shutdown via UDP

The JDENet component listens on port 6015 (UDP) for control commands, among them:
SHOWCONN, TOGGLE_LOG, CONNECT_FROM, CONNECT_TO, CONNECT_REJECT, GET_WRKMGT, VIEW_KERNEL_TRACE, SHUTDOWN, USRBROADCAST, ...
Demo:

>>> send(IP(dst="192.168.254.128")/UDP(dport=6015)/"SHUTDOWN")
0000 45 00 00 24 00 01 00 00 40 11 F9 25 C0 A8 00 46 E..$....@..%...F
0010 C0 A8 00 0C 00 35 17 7F 00 10 22 3D 53 48 55 54 .....5...."=SHUT
0020 44 4F 57 4E DOWN

An attacker needs:
– Network access to UDP port 6015 on the target
– To send one UDP datagram; the command carries no authentication
An attacker gets:
– Immediate JDE Enterprise Server shutdown

Fix:
Apply the latest Oracle Critical Patch Update; the fix for this attack was released by Oracle in a scheduled CPU. Until it is applied, restrict UDP/6015 on the Enterprise Server at the network level to the JDE application and administration hosts.
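The detection side of the datagram above, as an added example (not Onapsis or Oracle code): a parser for raw IPv4/UDP frames and a classifier that flags JDENet control commands sent to UDP/6015 from hosts outside an allowlist. The 36 sample bytes are exactly the slide's hexdump; the allowlist addresses, the severity scheme and the helper names are assumptions for the illustration.

```python
"""Parse raw IPv4/UDP datagrams and flag JDENet control commands on UDP/6015.

Added example for this page (not Onapsis or Oracle code). The command names
come from the slide; the allowed-source list and severities are assumptions.
"""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional

JDENET_UDP_PORT = 6015

# Control commands listed on the slide. SHUTDOWN stops the Enterprise Server
# outright; the others still expose state or change logging.
JDENET_CONTROL_COMMANDS = frozenset({
    "SHOWCONN", "TOGGLE_LOG", "CONNECT_FROM", "CONNECT_TO", "CONNECT_REJECT",
    "GET_WRKMGT", "VIEW_KERNEL_TRACE", "SHUTDOWN", "USRBROADCAST",
})

# Assumed: the only hosts expected to speak JDENet to the Enterprise Server
# (the JAS and an administration box).
ALLOWED_SOURCES = frozenset({"192.168.0.10", "192.168.0.11"})


@dataclass
class UdpDatagram:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


def parse_ipv4_udp(frame: bytes) -> UdpDatagram:
    """Decode an IPv4 packet carrying UDP into addresses, ports and payload."""
    if len(frame) < 20:
        raise ValueError("truncated IPv4 header")
    version_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", frame[:20])
    if version_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (version_ihl & 0x0F) * 4
    if proto != 17:
        raise ValueError(f"not UDP (protocol {proto})")
    if total_len > len(frame) or ihl + 8 > total_len:
        raise ValueError("truncated packet")
    sport, dport, udp_len, _udp_csum = struct.unpack("!HHHH", frame[ihl:ihl + 8])
    if udp_len < 8 or ihl + udp_len > total_len:
        raise ValueError("bad UDP length")
    payload = frame[ihl + 8:ihl + udp_len]
    return UdpDatagram(
        src=".".join(map(str, src)), dst=".".join(map(str, dst)),
        sport=sport, dport=dport, payload=payload,
    )


def classify_jdenet(dgram: UdpDatagram) -> Optional[str]:
    """Alert text for a JDENet control command from an unexpected host, else None."""
    if dgram.dport != JDENET_UDP_PORT:
        return None
    command = dgram.payload.rstrip(b"\x00").decode("ascii", errors="replace").strip()
    if command not in JDENET_CONTROL_COMMANDS or dgram.src in ALLOWED_SOURCES:
        return None
    severity = "CRITICAL" if command == "SHUTDOWN" else "WARNING"
    return f"{severity}: JDENet {command} to {dgram.dst}:{dgram.dport} from unexpected host {dgram.src}"


# Constructed sample: the exact bytes shown in the slide's hexdump
# (192.168.0.70:53 -> 192.168.0.12:6015, payload "SHUTDOWN").
SLIDE_SHUTDOWN_PACKET = bytes.fromhex(
    "45000024000100004011f925c0a80046c0a8000c0035177f0010223d53485554444f574e"
)


def scan(frames: Iterable[bytes]) -> List[str]:
    """Run the detector over raw frames; malformed or non-UDP frames are skipped."""
    alerts = []
    for frame in frames:
        try:
            dgram = parse_ipv4_udp(frame)
        except ValueError:
            continue
        alert = classify_jdenet(dgram)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for line in scan([SLIDE_SHUTDOWN_PACKET]):
        print(line)
```

Feed `scan()` the frames from a span port capture (or a pcap reader that yields the IP layer) to see the slide's packet reported as a critical event; the same logic is the basis for a firewall or IDS rule that allows UDP/6015 only from the listed hosts.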
Siebel: Bypass login

The Anonymous user:
• Required even if the applications do not allow access by unregistered users
• Used at start-up to connect to the "datasource"
• If deleted, no user could access Siebel
• At installation time, Siebel asks you to choose an already created user that will become the Anonymous user
• It should have low privileges, but to avoid configuration issues it is frequently given far more...

An attacker needs:
– Access to the application
– An insecurely configured Anonymous user
An attacker gets:
– Complete control of the Siebel installation

Demo.

Fix:
In the Siebel configuration file, set the "anonymous user" property to a low-privileged user, and verify the change for every application that is configured there, not only for the defaults.
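A configuration check for the fix above, as an added example (not Siebel or Onapsis code). It assumes an INI-style eapps.cfg in which a [defaults] section sets AnonUserName and per-application sections (named after their virtual directory, e.g. [/esales]) may override it; the set of privileged accounts and the sample file are constructed for the illustration.

```python
"""Report Siebel applications whose anonymous user is a privileged account.

Added example for this page. Assumptions: eapps.cfg is INI-style, [defaults]
carries AnonUserName, and application sections starting with "/" may override
it. PRIVILEGED_ACCOUNTS is illustrative; fill it from your own installation.
"""
import configparser
from typing import Dict, List

# Assumed: accounts that must never serve as the anonymous user.
PRIVILEGED_ACCOUNTS = frozenset({"SADMIN", "SIEBADMIN"})

# Constructed sample: [/esales] quietly overrides the default guest account
# with the administrator, which is exactly the misconfiguration on the slide.
SAMPLE_EAPPS_CFG = """
[defaults]
AnonUserName = GUESTCST
AnonPassword = ********

[/eservice]
ConnectString = siebel.TCPIP.None.None://siebel:2321/SBA/eServiceObjMgr

[/esales]
AnonUserName = SADMIN
ConnectString = siebel.TCPIP.None.None://siebel:2321/SBA/eSalesObjMgr
"""


def effective_anon_users(cfg_text: str) -> Dict[str, str]:
    """Map each application section to the anonymous user it will actually use."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep Siebel's CamelCase keys as written
    parser.read_string(cfg_text)
    default_user = parser.get("defaults", "AnonUserName", fallback=None)
    result = {}
    for section in parser.sections():
        if not section.startswith("/"):
            continue  # only application (virtual directory) sections
        result[section] = parser.get(section, "AnonUserName", fallback=default_user)
    return result


def find_privileged_anon_users(cfg_text: str) -> List[str]:
    """Findings for applications whose anonymous user is privileged or undefined."""
    findings = []
    for app, user in effective_anon_users(cfg_text).items():
        if user is None:
            findings.append(f"{app}: no AnonUserName configured anywhere")
        elif user.upper() in PRIVILEGED_ACCOUNTS:
            findings.append(f"{app}: anonymous user is privileged account {user}")
    return findings


if __name__ == "__main__":
    for finding in find_privileged_anon_users(SAMPLE_EAPPS_CFG):
        print(finding)
```

Run it against the real eapps.cfg by reading the file into `find_privileged_anon_users`; the per-section override is the part that a quick look at [defaults] misses.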
Fraud

SAP: Diverting payments (default credentials)

SAP clients (or mandants):
– An entity with independent data (like a tenant)
– 3-digit identifiers
– "Special" default clients, created on installation:
  • 000 → cross-client tasks
  • 001 → template for new clients
  • 066 → SAP support
http://help.sap.com/saphelp_nw70/helpdata/en/3e/cdaccbedc411d3a6510000e835363f/content.htm

SAP* receives the master password chosen at installation, but in client 066 it is commonly left with the well-known default password 06071992.
Catch: SAP* in client 066 does not have SAP_ALL privileges, but...

Demo.

Fix:
– Change the SAP* password on all clients (especially 066)
– Correctly assign SAP* permissions
– Set login/no_automatic_user_sapstar = 1 so that deleting the SAP* user master record does not re-enable the kernel's built-in SAP* login
Espionage

JD Edwards: Stealing passwords

Again JDENet: it is also listening on port 6015 (TCP) for JDEMsg commands, which let a remote caller retrieve information from the JDE.INI file, including sensitive information in clear text:
• Kernel types and configuration
• Security Server configuration
• SSO node information
• Database information

An attacker needs:
– Access to port 6015 on the target (TCP)
– To send a function call (JdeMsg number 563), using the hard-coded key and providing the victim's username
An attacker gets:
– The victim's password

Demo.

Fix:
Apply the latest Oracle Critical Patch Update; the fix for this attack was released by Oracle in a scheduled CPU.
Siebel: Search inside

Siebel Query Language (no, it's not SQL):
• Used everywhere in Siebel
• Originally designed to filter data inside applets
• Executing queries is not restricted by authorization checks (privilege independent)

Access control in Siebel works at two levels:
• View level: who can access the views
• Business component level: who can access the data

Siebel Query Language injection: demo.

Fix:
Using eScript, hook the PreQuery (or query Invoke) methods and apply a custom filter that rejects the dangerous functions before the query runs.
SAP: Getting DB admin rights

"The J2EE Engine provides a secure storage area where applications or service components on the J2EE Engine can store sensitive data such as passwords or communication destinations, in encrypted form" (*)
(*) http://help.sap.com/saphelp_nw73/helpdata/en/47/b08e68542e3378e10000000a421937/content.htm

The store is /usr/sap/<SID>/SYS/global/security/data/SecStore.properties, encrypted with 3DES.

Problem #1: get the file
Problem #2: decrypt the file
Problem #3: access the DB

1. Getting the secure store file
SAP Note https://service.sap.com/sap/support/notes/1682613
The SAP NetWeaver Application Server uses P4 (its RMI/CORBA-based protocol) for:
• Communication between objects in different namespaces (e.g. FileTransfer_Stub)
• Reliable client-server connections
• Transparent failover for clustered remote objects
• Etc.
P4 is the channel the demo uses to pull /usr/sap/<SID>/SYS/global/security/data/SecStore.properties off the server.

2. Decrypting the secure store, and 3. accessing the DB
3DES, so where is the key bundle? Next to the store:
/usr/sap/<SID>/SYS/global/security/data/SecStore.properties
/usr/sap/<SID>/SYS/global/security/data/SecStore.key
Whoever can read both files can decrypt every stored password, including the database administrator's.

Demo.

Fix:
– Apply note https://service.sap.com/sap/support/notes/1682613
– Correctly handle access to the SecStore.key file
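A permission audit for the second fix, as an added example (not SAP or Onapsis code). The directory layout is the one on the slide; the policy it enforces is an assumption: both secure-store files belong to the SAP administration user and carry no group or other permission bits, because reading SecStore.key next to SecStore.properties is all that is needed to decrypt the store. The demo directory and file contents are constructed stand-ins.

```python
"""Audit the permissions of SAP's secure-store files (added example, not SAP code).

Assumed policy: SecStore.properties and SecStore.key are owned by the SAP
administration user and have no group/other bits. The stand-in files built by
audit_with_modes() are constructed placeholders, not real store contents.
"""
import os
import stat
import tempfile
from typing import List

SECSTORE_FILES = ("SecStore.properties", "SecStore.key")


def secstore_dir(sid: str) -> str:
    """Secure-store directory for an SAP system ID, as on the slide."""
    return f"/usr/sap/{sid}/SYS/global/security/data"


def check_secstore_permissions(directory: str, expected_uid: int) -> List[str]:
    """One finding per file that is missing, mis-owned, or readable beyond its owner."""
    findings = []
    for name in SECSTORE_FILES:
        path = os.path.join(directory, name)
        try:
            st = os.stat(path)
        except FileNotFoundError:
            findings.append(f"{path}: missing")
            continue
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid != expected_uid:
            findings.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{path}: mode {oct(mode)} grants group/other access")
    return findings


def audit_with_modes(props_mode: int, key_mode: int) -> List[str]:
    """Create a throwaway stand-in for the data/ directory with the given modes and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in zip(SECSTORE_FILES, (props_mode, key_mode)):
            path = os.path.join(tmp, name)
            with open(path, "w") as f:
                f.write(f"# constructed stand-in for {name}\n")
            os.chmod(path, mode)
        # The current user plays the role of <sid>adm here.
        return check_secstore_permissions(tmp, os.getuid())


if __name__ == "__main__":
    print("weak :", audit_with_modes(0o640, 0o644))  # group/world can read the key
    print("fixed:", audit_with_modes(0o600, 0o600))  # owner only: no findings
```

On a real host call `check_secstore_permissions(secstore_dir("PRD"), <sid>adm's uid)`; the weak run above shows the key file world-readable, which turns the 3DES protection of the store into no protection at all.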
3. Conclusions

• ERP systems are among the most critical systems in the organization, and that makes them a really interesting target for attackers.
• ERP security has a long history, most of it about SoD.
• Technical vulnerabilities are more critical than SoD issues, since the attacker does not need any user in the system.
• The attack surface is huge; proprietary protocols and custom technologies are everywhere.
• Code inherited from the past.
• Patching is delayed by complexity and cost.
• Since 2009 ERP cyber-security has been getting more attention, and leading organizations are already dealing with it.

Ezequiel Gutesman (@gutes) egutesman@onapsis.com
Jordan Santarsieri (@jsansec) jsantarsieri@onapsis.com
blog.onapsis.com
adventure.onapsis.com
More Related Content

PDF
Exploiting Critical Attack Vectors to Gain Control of SAP Systems
Onapsis Inc.
 
PDF
Attacks Based on Security Configurations
Onapsis Inc.
 
PDF
Preventing Vulnerabilities in SAP HANA based Deployments
Onapsis Inc.
 
PDF
Penetration Testing SAP Systems
Onapsis Inc.
 
PDF
A Holistic View on SAP Security Why Securing Production Systems Is Not Enough
Onapsis Inc.
 
PDF
Pen Testing SAP Critical Information Exposed
Onapsis Inc.
 
PDF
Blended Web and Database Attacks on Real Time In-memory Platforms
Onapsis Inc.
 
PDF
Inception of the SAP Platform's Brain: Attacks on SAP Solution Manager
Onapsis Inc.
 
Exploiting Critical Attack Vectors to Gain Control of SAP Systems
Onapsis Inc.
 
Attacks Based on Security Configurations
Onapsis Inc.
 
Preventing Vulnerabilities in SAP HANA based Deployments
Onapsis Inc.
 
Penetration Testing SAP Systems
Onapsis Inc.
 
A Holistic View on SAP Security Why Securing Production Systems Is Not Enough
Onapsis Inc.
 
Pen Testing SAP Critical Information Exposed
Onapsis Inc.
 
Blended Web and Database Attacks on Real Time In-memory Platforms
Onapsis Inc.
 
Inception of the SAP Platform's Brain: Attacks on SAP Solution Manager
Onapsis Inc.
 

What's hot (20)

PDF
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis Inc.
 
PDF
Cyber-attacks to SAP Systems
Onapsis Inc.
 
PDF
Onapsis SAP Backdoors
Onapsis Inc.
 
PDF
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)
Onapsis Inc.
 
PDF
Your Crown Jewels Online: Further Attacks to SAP Web Applications (RSAConfe...
Onapsis Inc.
 
PDF
SAP Business Objects Attacks
Onapsis Inc.
 
PDF
Sap penetration testing_defense_in_depth
Igor Igoroshka
 
PDF
All your SAP passwords belong to us
ERPScan
 
PDF
Attacking SAP users with sapsploit
ERPScan
 
PDF
5 real ways to destroy business by breaking SAP applications
ERPScan
 
PDF
Practical SAP pentesting workshop (NullCon Goa)
ERPScan
 
PDF
SAP Forensics Detecting White Collar Cyber-crime
Onapsis Inc.
 
PPT
Sap security – thinking with a hacker’s hat
n|u - The Open Security Community
 
PDF
Practical SAP pentesting (B-Sides San Paulo)
ERPScan
 
PDF
Incident Response and SAP Systems
Onapsis Inc.
 
PDF
Assess and monitor SAP security
ERPScan
 
PDF
If I want a perfect cyberweapon, I'll target ERP - second edition
ERPScan
 
PDF
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?
michelemanzotti
 
PDF
Inception of the SAP Platforms Brain: Attacks on SAP Solution Manager
Onapsis Inc.
 
PDF
SAP SDM Hacking
ERPScan
 
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis Inc.
 
Cyber-attacks to SAP Systems
Onapsis Inc.
 
Onapsis SAP Backdoors
Onapsis Inc.
 
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)
Onapsis Inc.
 
Your Crown Jewels Online: Further Attacks to SAP Web Applications (RSAConfe...
Onapsis Inc.
 
SAP Business Objects Attacks
Onapsis Inc.
 
Sap penetration testing_defense_in_depth
Igor Igoroshka
 
All your SAP passwords belong to us
ERPScan
 
Attacking SAP users with sapsploit
ERPScan
 
5 real ways to destroy business by breaking SAP applications
ERPScan
 
Practical SAP pentesting workshop (NullCon Goa)
ERPScan
 
SAP Forensics Detecting White Collar Cyber-crime
Onapsis Inc.
 
Sap security – thinking with a hacker’s hat
n|u - The Open Security Community
 
Practical SAP pentesting (B-Sides San Paulo)
ERPScan
 
Incident Response and SAP Systems
Onapsis Inc.
 
Assess and monitor SAP security
ERPScan
 
If I want a perfect cyberweapon, I'll target ERP - second edition
ERPScan
 
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?
michelemanzotti
 
Inception of the SAP Platforms Brain: Attacks on SAP Solution Manager
Onapsis Inc.
 
SAP SDM Hacking
ERPScan
 

Similar to How Hackers can Open the Safe and Take the Jewels (20)

PDF
What CISOs should know about SAP security
ERPScan
 
PDF
Practical pentesting of ERPs and business applications
ERPScan
 
PDF
EAS-SEC Project
ERPScan
 
PDF
ERP Security. Myths, Problems, Solutions
ERPScan
 
PDF
Business breakdown vulnerabilities in ERP via ICS and ICS via ERP
ERPScan
 
PDF
SAP security made easy
ERPScan
 
PDF
Forgotten world - Corporate Business Application Systems
ERPScan
 
PPTX
DeltaGRiC_Consulting_SMAC_Digital Innovation Security Conference_Presentation...
Tunde Ogunkoya
 
PDF
Breaking, forensicating and anti-forensicating SAP Portal and J2EE Engine
ERPScan
 
PDF
[CB19] Spyware, Ransomware and Worms. How to prevent the next SAP tragedy by ...
CODE BLUE
 
PDF
If I want a perfect cyberweapon, I'll target ERP
ERPScan
 
PDF
Top 10 most interesting vulnerabilities and attacks in SAP
ERPScan
 
PDF
Unbreakable oracle er_ps_siebel_jd_edwards
Onapsis Inc.
 
PPSX
Enterprise mobileapplicationsecurity
Venkat Alagarsamy
 
PDF
Architecture vulnerabilities in SAP platforms
ERPScan
 
PDF
Assessing and Securing SAP Solutions
ERPScan
 
PDF
CONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to us
PROIDEA
 
PDF
SAP portal: breaking and forensicating
ERPScan
 
PDF
SAP security in figures
ERPScan
 
PDF
Short introduction to SAP security research (sitNL)
Twan van den Broek
 
What CISOs should know about SAP security
ERPScan
 
Practical pentesting of ERPs and business applications
ERPScan
 
EAS-SEC Project
ERPScan
 
ERP Security. Myths, Problems, Solutions
ERPScan
 
Business breakdown vulnerabilities in ERP via ICS and ICS via ERP
ERPScan
 
SAP security made easy
ERPScan
 
Forgotten world - Corporate Business Application Systems
ERPScan
 
DeltaGRiC_Consulting_SMAC_Digital Innovation Security Conference_Presentation...
Tunde Ogunkoya
 
Breaking, forensicating and anti-forensicating SAP Portal and J2EE Engine
ERPScan
 
[CB19] Spyware, Ransomware and Worms. How to prevent the next SAP tragedy by ...
CODE BLUE
 
If I want a perfect cyberweapon, I'll target ERP
ERPScan
 
Top 10 most interesting vulnerabilities and attacks in SAP
ERPScan
 
Unbreakable oracle er_ps_siebel_jd_edwards
Onapsis Inc.
 
Enterprise mobileapplicationsecurity
Venkat Alagarsamy
 
Architecture vulnerabilities in SAP platforms
ERPScan
 
Assessing and Securing SAP Solutions
ERPScan
 
CONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to us
PROIDEA
 
SAP portal: breaking and forensicating
ERPScan
 
SAP security in figures
ERPScan
 
Short introduction to SAP security research (sitNL)
Twan van den Broek
 

Recently uploaded (20)

PDF
Advances in Ultra High Voltage (UHV) Transmission and Distribution Systems.pdf
Nabajyoti Banik
 
PPTX
AI and Robotics for Human Well-being.pptx
JAYMIN SUTHAR
 
PDF
The Evolution of KM Roles (Presented at Knowledge Summit Dublin 2025)
Enterprise Knowledge
 
PDF
How Onsite IT Support Drives Business Efficiency, Security, and Growth.pdf
Captain IT
 
PDF
This slide provides an overview Technology
mineshkharadi333
 
PDF
SparkLabs Primer on Artificial Intelligence 2025
SparkLabs Group
 
PDF
Security features in Dell, HP, and Lenovo PC systems: A research-based compar...
Principled Technologies
 
PDF
Event Presentation Google Cloud Next Extended 2025
minhtrietgect
 
PDF
CIFDAQ'S Market Insight: BTC to ETH money in motion
CIFDAQ
 
PDF
Software Development Methodologies in 2025
KodekX
 
PPTX
How to Build a Scalable Micro-Investing Platform in 2025 - A Founder’s Guide ...
Third Rock Techkno
 
PDF
agentic-ai-and-the-future-of-autonomous-systems.pdf
siddharthnetsavvies
 
PDF
madgavkar20181017ppt McKinsey Presentation.pdf
georgschmitzdoerner
 
PDF
REPORT: Heating appliances market in Poland 2024
SPIUG
 
PDF
Make GenAI investments go further with the Dell AI Factory - Infographic
Principled Technologies
 
DOCX
Top AI API Alternatives to OpenAI: A Side-by-Side Breakdown
vilush
 
PDF
CIFDAQ's Token Spotlight: SKY - A Forgotten Giant's Comeback?
CIFDAQ
 
PPTX
Smart Infrastructure and Automation through IoT Sensors
Rejig Digital
 
PDF
Doc9.....................................
SofiaCollazos
 
PPTX
cloud computing vai.pptx for the project
vaibhavdobariyal79
 
Advances in Ultra High Voltage (UHV) Transmission and Distribution Systems.pdf
Nabajyoti Banik
 
AI and Robotics for Human Well-being.pptx
JAYMIN SUTHAR
 
The Evolution of KM Roles (Presented at Knowledge Summit Dublin 2025)
Enterprise Knowledge
 
How Onsite IT Support Drives Business Efficiency, Security, and Growth.pdf
Captain IT
 
This slide provides an overview Technology
mineshkharadi333
 
SparkLabs Primer on Artificial Intelligence 2025
SparkLabs Group
 
Security features in Dell, HP, and Lenovo PC systems: A research-based compar...
Principled Technologies
 
Event Presentation Google Cloud Next Extended 2025
minhtrietgect
 
CIFDAQ'S Market Insight: BTC to ETH money in motion
CIFDAQ
 
Software Development Methodologies in 2025
KodekX
 
How to Build a Scalable Micro-Investing Platform in 2025 - A Founder’s Guide ...
Third Rock Techkno
 
agentic-ai-and-the-future-of-autonomous-systems.pdf
siddharthnetsavvies
 
madgavkar20181017ppt McKinsey Presentation.pdf
georgschmitzdoerner
 
REPORT: Heating appliances market in Poland 2024
SPIUG
 
Make GenAI investments go further with the Dell AI Factory - Infographic
Principled Technologies
 
Top AI API Alternatives to OpenAI: A Side-by-Side Breakdown
vilush
 
CIFDAQ's Token Spotlight: SKY - A Forgotten Giant's Comeback?
CIFDAQ
 
Smart Infrastructure and Automation through IoT Sensors
Rejig Digital
 
Doc9.....................................
SofiaCollazos
 
cloud computing vai.pptx for the project
vaibhavdobariyal79
 

How Hackers can Open the Safe and Take the Jewels

  • 1. ERP Security: How hackers can open the safe and take the jewels September 25-27, 2013 Ekoparty Security Conference Buenos Aires, Argentina Ezequiel GutesmanEzequiel Gutesman (@gutes)(@gutes) [email protected]@onapsis.com Jordan SantarsieriJordan Santarsieri (@jsansec)(@jsansec) [email protected]@onapsis.com
  • 2. ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved 2 Disclaimer This publication is copyright 2013 Onapsis Inc. – All rights reserved. This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or registered trademarks of Business Objects in the United States and/or other countries. This publication contains references to the products of Oracle and services mentioned herein are trademarks or registered trademarks of Oracle in all countries all over the world. SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials. Oracle Corporation is neither the author nor the publisher of this publication and is not responsible for its content, and Oracle Corporation shall not be liable for errors or omissions with respect to the materials.
  • 3. ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved 3 Agenda 1.Introduction ● Why bothering about ERPs? ● History of ERP Security ● ERP Security for hackers 2.Targeting ERPs ● Reinventing the wheel: Technology stacks ● Attack Vectors ● Demo time! ● Sabotage ● Espionage ● Fraud 3.Conclusions
  • 5. ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved 5 Why bothering about ERPs? SALESSALES PRODUCTIONPRODUCTION FINANCIAL PLANNINGFINANCIAL PLANNING INVOICINGINVOICING PROCUREMENTPROCUREMENT TREASURYTREASURY LOGISTICSLOGISTICS PAYROLLPAYROLL BILLINGBILLING HUMAN RESOURCESHUMAN RESOURCES
  • 6. ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved 6 Why bothering about ERPs? Forbes 500 Mid-size companies
  • 7. ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved 7 Why bothering about ERPs? Zombies → Botnets → Hacktivism(*) Vulns (*) http://suelette.home.xs4all.nl/underground/underground.txt Cyberwarfare & Surveillance
  • 8. ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved 8 Why bothering about ERPs? • They run business-critical processes • They Store the most sensitive information • Organizations are highly-dependent on them ERP
  • 9. ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved 9 History of ERP security
  • 10. ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved 10 History of ERP security 1970 1980 1990 2000 2013 1993 SAP R/3 Realtime 3-tier 1972 – SAP RF → R/1 1980 SAP R/2 (mainframe) 1988 Morris Worm 2004 SAP Netweaver 2003 “SAP” Password Sicherheit 2008 SAP @JtR 2009 (3) Attacking SAP clients Decompression of SAP's DIAG protocol The risks of downward compatibility 2002 SAP “virus” SAPVir Wir hacken eine SAP Datenbank 2007 Exploiting SAP Internals 2010 (5+) SAP Knowledge Management Attacking users with SAPSploit Rootkits and Trojans on your SAP Landscape The truth about ABAP Security Protecting SAP Applications Against Common Attacks (SAP) SAP Security Notes 2011 (5+) The Invoker Servlet SAP Backdoors & Rootikts Arch. & program vulns in SAP's J2EE engine Security of Enterprise Business Application Systems Attacks to SAP Web Applications 2012(10+) 30 years of SoD 13 years 1996 Ping of Death 1972 Buffer Overflows 1995 XSS 2002 SQLiCSRF 2001 Heap SprayingOWASP 2003 Metasploit 2006 Bluepill 2010 Practical Padding Oracles 2011 BEAST 2012 CRIME 2008 Debian PRNG Bug @
  • 11. ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved 11 ERP Security for hackers FRAUD ESPIONAGESABOTAGE Extract customer/vendor/HR data, financial planning information, balances, profits, sales information, manufacturing recipes, etc. Paralyze the operation of the organization by shutting down the ERP system, disrupting interfaces with other systems and deleting critical information, etc. Modify financial information, tamper sales and purchase orders, create new vendors, modify vendor bank account numbers, etc.
  • 13. ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved 13 Reinventing the wheel: Technology stacks Layered architecture Attack Vectors Client (web/API/thick client) Application Server DB OS Proprietary protocols / HTTP / SOAP / CORBA Trust relationships / ODBC / Other External Servers & Other Application servers
  • 14. ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved 14 Reinventing the wheel: Technology stacks Layered architecture Attack Vectors - SAP http://bit.ly/19AXe7Y
  • 15. ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved 15 Reinventing the wheel: Technology stacks Layered architecture Attack Vectors - SAP http://bit.ly/19AXe7Y
  • 16. ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved 16 Reinventing the wheel: Technology stacks Layered architecture Attack Vectors – Oracle JD Edwards http://bitly.com/QB12xx HTTP HTTP HTTP JDENET O DBC ODBC Web Server JDE Java Application Server (JAS) JDE Enterprise Server Database Server JDE Deployment Server
  • 17. ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved 17 Attack Vectors • Components and servers through protocols – P4, DIAG, RFC, NI, CORBA, SOAP, JDENET, HTTP, SNC, etc, etc. • Crypto – Stored keys, default certificates, proprietary schemes • Business through data manipulation – Default credentials, lack of checks • Apps – Web , companion apps. , transactions, reports, external tools, APIs • DB – Connectors, trust relationships, default accounts
  • 20. ERP Security: How hackers can open the safe – www.onapsis.com – © 2013 Onapsis , Inc. – All rights reserved 20 JD Edwards: Shutdown via UDP The JDENet component listens on port 6015 (UDP) for control commands: SHOWCONN TOGGLE_LOG CONNECT_FROM CONNECT_TO CONNECT_REJECT GET_WRKMGT VIEW_KERNEL_TRACE SHUTDOWN USRBROADCAST … Wait...
  • 21. JD Edwards: Shutdown via UDP – Demo
  • 22. JD Edwards: Shutdown via UDP
    >>> send((IP(dst="192.168.254.128")/UDP(dport=6015)/"SHUTDOWN"))
    0000  45 00 00 24 00 01 00 00 40 11 F9 25 C0 A8 00 46  E..$....@..%...F
    0010  C0 A8 00 0C 00 35 17 7F 00 10 22 3D 53 48 55 54  .....5...."=SHUT
    0020  44 4F 57 4E                                      DOWN
    An attacker needs:
    – Access to port 6015 on target
    – Send UDP packet
    An attacker gets:
    – Immediate JDE Enterprise Server shutdown
  • 23. JD Edwards: Shutdown via UDP (same slide, with the fix)
    Fix: Apply the latest Oracle Critical Patch Update; the fix for this attack was released by Oracle in a scheduled CPU.
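Until the CPU is applied, the practical control is network: the control port should only ever see datagrams from administration hosts. The following is an added detection example, not code from the talk or from Onapsis; it scans constructed packet records for the JDENet control keywords listed on slide 20 and rates hits by whether the source is inside an assumed administration subnet (10.10.0.0/24, a placeholder).

```python
"""Flag JDENet control commands (UDP/6015) in captured traffic. Added example,
not Onapsis code; record format, admin subnet and severities are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Iterator, Optional, Tuple

JDENET_UDP_PORT = 6015
CONTROL_COMMANDS = {  # keywords named on the slide; illustrative, not exhaustive
    "SHOWCONN", "TOGGLE_LOG", "CONNECT_FROM", "CONNECT_TO", "CONNECT_REJECT",
    "GET_WRKMGT", "VIEW_KERNEL_TRACE", "SHUTDOWN", "USRBROADCAST",
}
# Assumption: only this administration subnet may issue control commands.
ADMIN_NETWORKS = [ip_network("10.10.0.0/24")]

@dataclass(frozen=True)
class Datagram:
    src: str
    dst: str
    proto: str      # "udp" or "tcp"
    dport: int
    payload: bytes

def classify(pkt: Datagram) -> Optional[Tuple[str, str]]:
    """Return (severity, command) for a JDENet control datagram, else None."""
    if pkt.proto != "udp" or pkt.dport != JDENET_UDP_PORT:
        return None
    # Commands are plain ASCII keywords; stop at the first NUL in case of padding.
    cmd = pkt.payload.split(b"\x00", 1)[0].decode("ascii", "replace").strip().upper()
    if cmd not in CONTROL_COMMANDS:
        return None
    trusted = any(ip_address(pkt.src) in net for net in ADMIN_NETWORKS)
    if cmd == "SHUTDOWN" and not trusted:
        return ("critical", cmd)        # unauthenticated remote shutdown
    return ("medium" if trusted else "high", cmd)

def scan(pkts: Iterable[Datagram]) -> Iterator[dict]:
    """Yield one alert per control command observed."""
    for pkt in pkts:
        hit = classify(pkt)
        if hit:
            yield {"severity": hit[0], "src": pkt.src, "dst": pkt.dst, "command": hit[1]}

# Constructed sample traffic, not a real capture.
SAMPLE = [
    Datagram("192.168.0.70", "192.168.0.12", "udp", 6015, b"SHUTDOWN"),    # outsider
    Datagram("10.10.0.5", "192.168.0.12", "udp", 6015, b"SHOWCONN"),       # admin subnet
    Datagram("192.168.0.70", "192.168.0.12", "udp", 53, b"SHUTDOWN"),      # wrong port
    Datagram("192.168.0.70", "192.168.0.12", "tcp", 6015, b"\x00\x01JDEMsg"),  # TCP, out of scope
]
```

Feeding it `list(scan(SAMPLE))` yields a critical alert for the outsider's SHUTDOWN and a medium one for the administrator's SHOWCONN; the TCP JDEMsg traffic from slide 33 needs its own decoder and is deliberately ignored here.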
  • 24. Siebel: Bypass log in – The Anonymous user
    • Required even if the applications do not allow access by unregistered users
    • Used at start up to connect to the “datasource”
    • If deleted, no user could access Siebel
    • At installation time, Siebel asks you to choose an already created user that will become the Anonymous user
    • Should have low privileges, but to avoid configuration issues...
  • 25. Siebel: Bypass log in
    An attacker needs:
    – Access to the application
    – Insecure configuration of the Anonymous user
    An attacker gets:
    – Complete control of the Siebel installation
  • 26. Siebel: Bypass log in – Demo
  • 27. Siebel: Bypass log in – Demo
    Fix: In the Siebel configuration file, set the “anonymous user” property to a low-privileged user.
  • 28. FRAUD
  • 29. SAP: Diverting payments (default credentials)
    SAP* w/ master password on installation
    SAP Clients (or mandants)
    – Entity w/ independent data (like a tenant)
    – 3-digit identifiers
    – “special” default clients (created on installation)
      • 000 → cross-client tasks
      • 001 → template for new clients
      • 066 → SAP support
    http://help.sap.com/saphelp_nw70/helpdata/en/3e/cdaccbedc411d3a6510000e835363f/content.htm
    SAP* left w/ pass 06071992
    Catch: SAP* in client 066 not w/ SAP_ALL privileges, but...
  • 30. SAP: Diverting payments (default credentials) – Demo
  • 31. SAP: Diverting payments (default credentials) – Demo
    Fix:
    - Change the SAP* password on all clients (especially 066)
    - Correctly assign SAP* permissions
  • 33. JD Edwards: Stealing passwords
    Again, the JDENet... is also listening on port 6015 (TCP) for JDEMsg commands
    Remotely retrieve information from the JDE.INI file, including sensitive information in clear text:
    – Kernel types and configuration
    – Security Server configuration
    – SSO Node information
    – Database information
  • 34. JD Edwards: Stealing passwords
    An attacker needs:
    – Access to port 6015 on target (TCP)
    – Send function call (JdeMsg number 563)
      • Use hard-coded key and provide victim's username
    An attacker gets:
    – Victim's password
  • 35. JD Edwards: Stealing passwords – Demo
    Fix: Apply the latest Oracle Critical Patch Update; the fix for this attack was released by Oracle in a scheduled CPU.
  • 36. Siebel: Search Inside – Siebel Query Language (no, it's not SQL)
    • Used everywhere in Siebel
    • Originally designed to filter data inside Applets
    • Executing queries is not restricted by authorization checks (privilege independent)
  • 37. Siebel: Search Inside – Access control in Siebel
    @ View Level – who can access the views
    @ Business Component Level – who can access the data
  • 38. Siebel Query Language Injection – Demo
    Fix: Using eScript, hook the pre-query or invoke-query methods and apply a custom filter that prevents the use of dangerous functions.
  • 39. SAP: Getting DB Admin rights
    “The J2EE Engine provides a secure storage area where applications or service components on the J2EE Engine can store sensitive data such as passwords or communication destinations, in encrypted form” (*)
    (*) http://help.sap.com/saphelp_nw73/helpdata/en/47/b08e68542e3378e10000000a421937/content.htm
    /usr/sap/<SID>/SYS/global/security/data/SecStore.properties – encrypted with 3DES
    Problem #1: get the file
    Problem #2: decrypt the file
    Problem #3: access the DB
  • 40. SAP: Getting DB Admin rights – 1. Getting the Secure Store file
    SAP Note: https://service.sap.com/sap/support/notes/1682613
    (diagram: SAP NetWeaver Application Server – RMI / CORBA / P4 (RMI))
    Uses P4 for:
    • Communication between objects in different namespaces (e.g. FileTransfer_Stub)
    • Reliable client-server connections
    • Transparent failover for clustered remote objects
    • Etc.
    /usr/sap/<SID>/SYS/global/security/data/SecStore.properties
  • 41. SAP: Getting DB Admin rights – 2. Decrypt Secure Store – 3. Access DB
    3DES key bundle?
    /usr/sap/<SID>/SYS/global/security/data/SecStore.properties
    /usr/sap/<SID>/SYS/global/security/data/SecStore.key
  • 42. SAP: Getting DB Admin rights – Demo
    Fix:
    - Apply note https://service.sap.com/sap/support/notes/1682613
    - Correctly handle access to the SecStore.key file
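The second part of the fix is a filesystem question: whoever can read SecStore.key alongside SecStore.properties has the 3DES key bundle and the ciphertext together. The check below is an added example, not SAP or Onapsis tooling; it audits the two files in a security/data directory for group/other access bits and an unexpected owner, using throwaway placeholder files (the expected owner, here the current uid, stands in for the <sid>adm account).

```python
"""Audit permissions on the SAP J2EE secure store files. Added example, not SAP
or Onapsis tooling; the expected owner and the 0600 target are assumptions."""
import os
import stat
import tempfile
from pathlib import Path
from typing import List

SECSTORE_FILES = ("SecStore.properties", "SecStore.key")
# Assumption: the owning account; on a real host this is the <sid>adm user.
EXPECTED_OWNER_UID = getattr(os, "getuid", lambda: 0)()

def audit_secstore(data_dir: Path, expected_uid: int = EXPECTED_OWNER_UID) -> List[str]:
    """Return findings for .../SYS/global/security/data; an empty list means clean."""
    findings = []
    for name in SECSTORE_FILES:
        path = data_dir / name
        if not path.exists():
            findings.append(f"{name}: missing")
            continue
        st = path.stat()
        if st.st_uid != expected_uid:
            findings.append(f"{name}: owned by uid {st.st_uid}, expected {expected_uid}")
        # Any group/other bit lets processes outside the owner read the 3DES key
        # bundle or the ciphertext; with both in hand the secure store is open.
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{name}: mode {stat.filemode(st.st_mode)} grants group/other access")
    return findings

def make_demo_dir(weak: bool) -> Path:
    """Construct a throwaway data directory with placeholder files for the demo."""
    d = Path(tempfile.mkdtemp())
    for name in SECSTORE_FILES:
        p = d / name
        p.write_bytes(b"constructed placeholder, not a real secure store\n")
        os.chmod(p, 0o644 if weak else 0o600)   # weak: readable by everyone on the host
    return d

if __name__ == "__main__":
    for label, weak in (("weak", True), ("hardened", False)):
        print(label, audit_secstore(make_demo_dir(weak)))
```

Run against the real directory as `audit_secstore(Path("/usr/sap/<SID>/SYS/global/security/data"), expected_uid=<sid>adm's uid)`; an empty list is the expected result on a correctly restricted host.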
  • 44. Conclusions
    ● ERP systems are among the most critical systems in the organization, which makes them a very attractive target for attackers
    ● ERP security has a long history, most of it about SoD (segregation of duties)
    ● Technical vulnerabilities are more critical than SoD, since the attacker does not need a user account in the system
    ● The attack surface is huge: proprietary protocols and custom technologies are everywhere
    ● Code inherited from the past
    ● Patching is delayed due to complexity and cost
    ● Since 2009 ERP cyber-security has been getting more attention; leading organizations are already dealing with this
  • 45. Ezequiel Gutesman (@gutes) – [email protected]
    Jordan Santarsieri (@jsansec) – [email protected]
    blog.onapsis.com
    adventure.onapsis.com