Mo Budget, Mo Problems

1
Mo Budget, Mo Problems

• Steve Lord, Mandalorian

2
What is this talk about?

• Large IT Projects
• System Integrators
• SAP

3
What is SAP?

• Enterprise Resource Planning (SAP R/3)
• CRM
• EP
• HR
• FI/CO
• BW
• MM
• PP

4
What is SAP/R3, really?

• Business process re-implementation
• Fancy MIS framework with template processes
• Big basket for corporate eggs

5
Fundamentals of Large Projects

• The bigger the budget, the harder the fall
• Compound delays due to complex dependencies
• Corners cut to meet deadlines
• Functionality Vs. Security
• Decision rarely based upon business case
• When was the last time you signed off xxx
  million?
• Dont believe me?

6
Irish HSE PPARs and FISP Systems

• PPARs (HR) and FISP (FI/CO)
• Projected Combined Cost - 6.2mil
• PPARs Cost when halted in 2005 - 80mil
• FISP Cost when halted - 20.7mil
• Revenues for Deloitte Touche - 34.5mil
• Revenues for SAP Undisclosed (not part of DTs
  fees)

7
PPARs

• Its like a case study in how not to run a
  project Its appaling stuff. Enda Kenny,
  Fine Gael Leader
• PPARs couldve paid for
• A 600 bed Hospital
• 20 St. Patricks Day beers for Every Man, Woman
  and Child in Ireland

8
HPs Internal Failure

• iGSO
• Launched in 2002
• Consolidate 350 Digital, Compaq, HP, Tandem
  systems
• Expected finish date 2007

9
HP The Adaptive Enterprise that couldnt adapt

• Total cost of Implementation failure
• US400 mil (revenue)
• US275 mil (operating profit)
• 3 Executives heads
• Did I mention this was the total for Q3 2002?

10
How is SAP Implemented Internally?

• Usually Poorly
• Inadequate Skills/Experience
• Poor/No Business Requirements Capture
• Technology Driven Implementation
• Poor Documentation
• Usually very expensive (20mil)

11
How is SAP implemented by External Integrators?

• Poorly
• Front-loading Skills
• Business Requirements Capture?
• Partner-driven Implementation
• Poor/No Documentation
• Subject to contract wrangling
• Can be extremely expensive (50mil)

12
Where does it all go wrong?

• Lack of
• Communication
• Contingency
• Requirements Capture/Analysis
• Simplicity
• Security

13
Where does Security come in?

• At the end of a long queue
• By the time it reaches us, it is
• Non or semi-functional
• Delayed
• Costing the business
• Securitys role is to
• SUSO (Shut Up, Sign Off)

14
Show me the SUSO

• You need to sign this off
• If you dont
• Youre blocking the business
• Youre costing us money
• Youre getting in the way of the project
• If you do
• Its your backside on the dotted line

15
End of Talk

• Oh you want more?

16
This is the price, right?

• Come on down!

17
This is the price, right?

• Quiz Show
• Prizes
• Need Victims Volunteers

18
How it works

• Question is asked
• Potential answers are shown
• You have to guess which one of the answers was an
  actual response

19
This is the price, right?

• Question 1

20
Why cant we use SSH?

• A) It (PuTTY) isnt vendor supported
• B) SFTP Doesnt support ASCII
• C) We dont have a PKI
• D) Key Management is too difficult
• E) The TCO for OpenSSH is too high

21
Why cant we switch off RSH?

• A) It requires a server rebuild
• B) It requires extensive testing that would cost
  millions
• C) CowboyNeal
• D) We use telnet, you insensitive clod!
• E) We dont know what it would break

22
Why did the SI buy the tin prior to completing
the design stage?

• A) Because the vendor rebate would be lower next
  year
• B) Because the client will have to write off the
  hardware expenditure anyway
• C) Because its easier to justify spending on one
  round of big tin than two rounds of smaller tin
• D) If the client has already paid a fortune up
  front theyre less likely to pull the plug later

23
Why were all the consultants on the job South
African?

• A) Because of S.As extensive investment in
  enterprise technology training
• B) Because all the experienced guys are from
  Joburg
• C) Because theyre cheaper than native employees
  and have a lesser understanding of local
  employment law

24
Why are these not risks?

• A) Because its not live yet
• B) Because you need an account to access the
  systems
• C) Because youd need to have an RSH client and a
  copy of finger to access the systems
• D) Because youd need to have an FTP client to
  gain access to an unshadowed /etc/passwd
• E) Because there are plenty of other ways in
• F) Because youre holding the project up so just
  sign off or therell be trouble

25
Well done!

• The good news is
• People got prizes
• The bad news is
• Were all losers in the end

26
Breaking SAP

• Send in the clowns

27
SAP Structure

• Infrastructure Issues
• Front-End Application
• Business Logic
• Business Processes
• Database Skullduggery

28
Infrastructure Issues

• Let me paint you a picture

29
What does an SAP deployment look like?
30
What does an SAP deployment look like?
31
Points of interest

• There is no standard deployment
• There should be Firewalls involved
• If there are, Any-Any rules may be used
• Sometimes the File Server(s) are shared between
  dev, test and live too
• Sometimes the App Server(s) are shared between
  dev, test and live too

32
How (not) to conduct an SAP Pentest

• Nmap
• Amap
• Nikto
• Nessus
• Metasploit

33
How to conduct an SAP Pentest

• Nmap (-sS and sU only, no sV or A and watch
  timings)
• Manual confirmation of services with standard
  client tools
• RSH, Finger, Net View, Showmount, FTP
• No active exploitation
• Password guessing possible, but not automated

34
SAP Systems are

• Unpatched
• Unhardened
• Unmaintained (caveat security)
• Unmanaged (caveat security)

35
Once youve got local access

• Useful tools
• R3Trans
• TP
• SQL Trusts
• OSQL E
• SQLPLUS / as sysdba
• MySQL u root, mysqld_safe

36
R3Trans

• Uses SAPs abstracted SQL model (T-SQL)
• Uses control files to perform actions upon
  databases
• R3Trans d v
• Test database connection

37
R3Trans Control File

• EXPORT
• FILE/tmp/.export/
• CLIENT000
• SELECT FROM USR02
• Start with
• R3Trans /tmp/control
• Dont forget to check trans.log

38
Where to look

• /usr/sap/trans
• /usr/sap/
• /home/adm
• There is no reason for these directories to be
  world writeable!
• Most should be 700, 770 or 775

39
From the trenches

• We use RSH to copy files around the environment.
  RSH has a feature call .rhosts which enables us
  to restrict access to specific users or hosts

40
Front-End Issues

• Busting down the door citing section 404

41
What front-end?

• SAP has many
• SAPGUI
• WebGUI/NetWeaver/ITS/EP
• SAPRFC
• For the sake of time we will focus on SAPGUI
• These issues do apply elsewhere though

42
SAPGUI
43
SAPGUI

• See the box up next to the green tick?
• Use /? to start debugging
• Type in a transaction code (T-Code) to start a
  transaction

44
SAP Transactions of Note

• SU01 User Authorization
• SU02 User Profile Administration
• RZ04 Maintain SAP Instances
• SECR Audit Information System
• SE11 Data Dictionary
• SE38 ABAP Editor
• SE61 R/3 Documentation
• SM21 System Log
• SM31 Table Maintenance
• SM51 List of Targets SAP Servers
• SU24 Disable Authorization Checks
• SM49 Execute Operating System Commands
• SU12 Delete All Users
• PE51 HR Form Editor (HR)
• P013 Maintain Positions (HR)
• P001 Maintain Jobs (HR)

45
SAP Transactions of Note

• AL08 Users Logged On
• AL11 Display SAP Directories
• OS01 LAN Check with Ping
• OS03 Local OS Parameter changes
• OS04 Local System Configuration
• OSO5 Remote System Configuration
• OSS1 SAPs Online Service System
• PFCG Profile Generator
• RZ01 Job Scheduling Monitor
• RZ20 CCMS Monitoring
• RZ21 Customize CCMS Monitor
• SA38 ABAP/4 Reporting
• SCC0 Client Copy
• SE01 Transport and Correction System
• SE13 Maintain Technical Settings (Tables)
• SUIM Repository Information System

46
You cant access those!

• I can access them (or equivalents) if
  restrictions are based on
• Easy Access Menu Items
• Transactions only
• Custom-tables (e.g a ZUSERS table of allowed
  users)
• Restrictions need to be implemented at the
  Authorization level
• So what else is there?

47
Reports

• RPCIFU01 Display File
• RPCIFU03 Download Unix File
• RPCIFU04 Upload Unix File
• RPR_ABAP_SOURCE_SCAN Search ABAP for a string
  )
• RSBDCOS0 Execute OS Command
• RSPARAM Check System Parameters
• RSORAREL Get the Oracle System Release

48
Tables

• Accessible through
• SE16 (Maintain Tables)
• SE17 (Display Tables)
• SA38 (Execute ABAP)
• SE38 (ABAP Editor)
• Customizations (ZZ_TABLE_ADMIN etc.)
• Will Be Covered Later

49
Job Scheduler

• Cant get OS access?
• Use SM36 or SM36WIZ Instead
• Specify Immediate Start
• External Program as Step

50
Custom Transaction fun

• Input Validation
• Selection Criteria Expansion
• Path specification (../../, // etc)
• Shell Escapes ( /bin/ls, /bin/ls etc)
• SQL Injection
• Export/Import file fun and games
• Bypass Authorization Checks

51
From the trenches

• As discussed in the meeting on with
  , weve agreed that there is no further
  action required. I appreciate that you are on
  holiday at the moment, but we will take your
  expected non-response in advance as agreement
  upon the matter.

52
Database Skullduggery

• Here be Dragons

53
Database Stuff

• The Database contains all the data.
• The Database is accessed by SAP users through the
  SAP system.
• The SAP database is not subject to the same
  controls as SAP itself.
• WARNING DO NOT MODIFY THE DATABASE WITHOUT
  PERMISSION SIGNED IN BLOOD (not yours)

54
Getting In

• Patch Weaknesses
• Brute Force
• Roundhouse Kicks
• Default Accounts

55
Speaking of Default Accounts

• Default Accounts (with Oracle Hashes)
• DDIC/199220706 (4F9FFB093F909574)
• SAP/SAPR3 (BEAA1036A464F9F0)
• SAP/6071992 (B1344DC1B5F3D903)
• SAPR3/SAP (58872B4319A76363)
• EARLYWATCH/SUPPORT (8AA1C62E08C76445)

56
Note about Schemas

• 610 uses SAP as Schema Owner

57
Database Queries of Note

• Select MANDT,BNAME,BCODE,USTYP,CLASS from
  ..USR02
• SELECT FROM UST04
• SELECT FROM TSTCT WHERE SPRSL E
• SELECT FROM DBCON
• exec master.dbo.xp_cmdshell 'cmd.exe /c net view

58
Common Values in the DB

• ACTVT Activity Code
• USTYP User Type
• MANDT Client Number
• BUKRS Company Code
• BEGRU Authorization

59
USTYP values

• USTYP specifies the type of user (used in USR02)
• A Dialog (interactive user)
• C Communications (CPIC)
• D System (BDC)
• S Service
• L Reference
• People often dont change passwords on CPIC users
  as theyre not sure what breaks

60
Tables to look at

• BKPF Accounting Header (FI)
• BSEG Accounting Document Segment (FI)
• CEPC Profit Master Data
• EKKO PO Header
• RSEG Incoming Invoice
• RBKP Invoice Receipts
• KNA1 Customer Master Records
• LFA1 Vendor Master Records
• PNP Personnel Data (HR Only)
• CSKS Cost Centre Master (HR)
• T569V Payroll Control Records (HR)

61
Subverting Business Logic

• Its not a lie, we just didnt tell you that

62
How SAP Controls Access

• Local logon details in USR02
• Profile details in UST04, USR04 etc.
• Authorizations Profiles

63
Custom SAP Code and Access Control

• ABAPs and Auths 101
• Authorization checks
• AUTHORITY-CHECK OBJECT
• If the authority check statement isnt there, it
  is assumed that you can go ahead!

64
SAP Authorization Concept
65
Common Authorization Snafus

• Pyramid Structure Approach
• Overly Restrictive Approach
• Use Standard SAP Profiles Approach
• Transactions/Menu only Approach
• Objects only Approach

66
So what happens when things go wrong?
67
When things go wrong

• Too much access
• Too little access
• Disgruntled Employees and no audit trail
• Enron style fun

68
Business Process Hacking

• Where you too can be like Neo

69
Business Process Hacking

• When your business processes are correctly
  aligned all is good.
• When they arent
• And its even worse when its legislation

70
BPH Vs. Social Engineering

• From the Canadian charter of rights and freedoms
• 20. (1) Any member of the public in Canada has
  the right to communicate with, and to receive
  available services from, any head or central
  office of an institution of the Parliament or
  government of Canada in English or French, and
  has the same right with respect to any other
  office of any such institution where
• a) there is a significant demand for
  communications with and services from that office
  in such language or
• b) due to the nature of the office, it is
  reasonable that communications with and services
  from that office be available in both English and
  French.
• Is this charter open to abuse?

71
BPH Example

• User provisioning policy not correctly
  implemented
• Weakness New users created but old ones not
  disabled
• Result Accounts can be used after owners leave

72
BPH Example 2

• Evening meal expense claim requires signature of
  most senior person present
• Then signed off by person at higher grade
• No requirement to list people present

73
How does this tie into SAP?

• SAP process integration
• If the process fits
• If it doesnt?

74
A word from our sponsors

• Well, Steve has to get revenue somehow

75
A word from our sponsors
76
OWASP-EAS

• Stays crisp in milk

77
OWASP-EAS

• What?
• Why?
• How?
• When?

78
What?

• OWASP-Enterprise Application Security Project
• Enterprise Grade Schnizzle
• Requirements Guidelines
• Audit Programmes
• Business-level and tech guidance docs

79
Why?

• OWASP is great for Web-based stuff
• Its great for toy applications
• Its not great for large business systems
• Not applicable
• Not relevant
• Not Enterprise Grade

80
How?

• Initial Launch
• Parent OWASP-EAS Mailing List
• Develop industry links
• Initial projects
• OWASP-EAS RFP Guide
• Security Document Templates
• SAP Assessment Guide
• White Papers

81
When?

• Real Soon Now
• Formal launch in June 06
• Soft Launch End April
• Mailing List
• Sub-Projects Initiation
• may contain nuts

82
Conclusions
83
Conclusions

• SAP is teh r0x0r
• The people who implement it arent necessarily so
• OWASP-EAS will help them to a point