mo budget mo problems l.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Mo’ Budget, Mo’ Problems PowerPoint Presentation
Download Presentation
Mo’ Budget, Mo’ Problems

Loading in 2 Seconds...

play fullscreen
1 / 83

Mo’ Budget, Mo’ Problems - PowerPoint PPT Presentation


  • 192 Views
  • Uploaded on

Mo’ Budget, Mo’ Problems. Steve Lord, Mandalorian. What is this talk about?. Large IT Projects System Integrators SAP. What is SAP?. Enterprise Resource Planning (SAP R/3) CRM EP HR FI/CO BW MM PP. What is SAP/R3, really?. Business process re-implementation

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Mo’ Budget, Mo’ Problems' - Samuel


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
mo budget mo problems

Mo’ Budget, Mo’ Problems

Steve Lord, Mandalorian

what is this talk about
What is this talk about?
  • Large IT Projects
  • System Integrators
  • SAP
what is sap
What is SAP?
  • Enterprise Resource Planning (SAP R/3)
  • CRM
  • EP
  • HR
  • FI/CO
  • BW
  • MM
  • PP
what is sap r3 really
What is SAP/R3, really?
  • Business process re-implementation
  • Fancy MIS framework with template processes
  • Big basket for corporate eggs
fundamentals of large projects
Fundamentals of Large Projects
  • The bigger the budget, the harder the fall
    • Compound delays due to complex dependencies
    • Corners cut to meet deadlines
    • Functionality Vs. Security
    • Decision rarely based upon business case
      • When was the last time you signed off $xxx million?
  • Don’t believe me?
irish hse ppars and fisp systems
Irish HSE PPARs and FISP Systems
  • PPARs (HR) and FISP (FI/CO)
    • Projected Combined Cost - £6.2mil
    • PPARs Cost when halted in 2005 - £80mil
    • FISP Cost when halted - £20.7mil
    • Revenues for Deloitte & Touche - £34.5mil
    • Revenues for SAP – Undisclosed (not part of D&T’s fees)
ppars
PPARs
  • “It’s like a case study in how not to run a project … It’s appaling stuff.” – Enda Kenny, Fine Gael Leader
  • PPARs could’ve paid for:
    • A 600 bed Hospital
    • 20 St. Patrick’s Day beers for Every Man, Woman and Child in Ireland
hp s internal failure
HP’s Internal Failure
  • iGSO
    • Launched in 2002
    • Consolidate 350 Digital, Compaq, HP, Tandem systems
    • Expected finish date 2007
hp the adaptive enterprise that couldn t adapt
HP: The Adaptive Enterprise that couldn’t adapt
  • Total cost of Implementation failure
    • US$400 mil (revenue)
    • US$275 mil (operating profit)
    • 3 Executives heads
  • Did I mention this was the total for Q3 2002?
how is sap implemented internally
How is SAP Implemented Internally?
  • Usually Poorly
    • Inadequate Skills/Experience
    • Poor/No Business Requirements Capture
    • Technology Driven Implementation
    • Poor Documentation
    • Usually very expensive ($20mil+)
how is sap implemented by external integrators
How is SAP implemented by External Integrators?
  • Poorly
    • Front-loading Skills
    • Business Requirements Capture?
    • Partner-driven Implementation
    • Poor/No Documentation
    • Subject to contract wrangling
    • Can be extremely expensive ($50mil+)
where does it all go wrong
Where does it all go wrong?
  • Lack of:
    • Communication
    • Contingency
    • Requirements Capture/Analysis
    • Simplicity
    • Security
where does security come in
Where does Security come in?
  • At the end of a long queue
    • By the time it reaches us, it is:
      • Non or semi-functional
      • Delayed
      • Costing the business
  • Security’s role is to
    • SUSO (Shut Up, Sign Off)
show me the suso
Show me the SUSO
  • You need to sign this off
    • If you don’t
      • You’re blocking the business
      • You’re costing us money
      • You’re getting in the way of the project
    • If you do
      • It’s your backside on the dotted line
end of talk
End of Talk
  • Oh you want more?
this is the price right17
This is the price, right?
  • Quiz Show
  • Prizes
  • Need Victims Volunteers
how it works
How it works
  • Question is asked
  • Potential answers are shown
  • You have to guess which one of the answers was an actual response
why can t we use ssh
Why can’t we use SSH?
  • A) It (PuTTY) isn’t vendor supported
  • B) SFTP Doesn’t support ASCII
  • C) We don’t have a PKI
  • D) Key Management is too difficult
  • E) The TCO for OpenSSH is too high
why can t we switch off rsh
Why can’t we switch off RSH?
  • A) It requires a server rebuild
  • B) It requires extensive testing that would cost millions
  • C) CowboyNeal
  • D) We use telnet, you insensitive clod!
  • E) We don’t know what it would break
why did the si buy the tin prior to completing the design stage
Why did the SI buy the tin prior to completing the design stage?
  • A) Because the vendor rebate would be lower next year
  • B) Because the client will have to write off the hardware expenditure anyway
  • C) Because it’s easier to justify spending on one round of big tin than two rounds of smaller tin
  • D) If the client has already paid a fortune up front they’re less likely to pull the plug later
why were all the consultants on the job south african
Why were all the consultants on the job South African?
  • A) Because of S.A’s extensive investment in enterprise technology training
  • B) Because all the experienced guys are from Joburg
  • C) Because they’re cheaper than native employees and have a lesser understanding of local employment law
why are these not risks
Why are these not risks?
  • A) Because it’s not live yet
  • B) Because you need an account to access the systems
  • C) Because you’d need to have an RSH client and a copy of finger to access the systems
  • D) Because you’d need to have an FTP client to gain access to an unshadowed /etc/passwd
  • E) Because there are plenty of other ways in
  • F) Because you’re holding the project up so just sign off or there’ll be trouble
well done
Well done!
  • The good news is
    • People got prizes
  • The bad news is
    • We’re all losers in the end
breaking sap

Breaking SAP

Send in the clowns

sap structure
SAP Structure
  • Infrastructure Issues
  • Front-End Application
  • Business Logic
  • Business Processes
  • Database Skullduggery
infrastructure issues

Infrastructure Issues

Let me paint you a picture

points of interest
Points of interest
  • There is no standard deployment
  • There should be Firewalls involved
    • If there are, Any-Any rules may be used
  • Sometimes the File Server(s) are shared between dev, test and live too
  • Sometimes the App Server(s) are shared between dev, test and live too
how not to conduct an sap pentest
How (not) to conduct an SAP Pentest
  • Nmap
  • Amap
  • Nikto
  • Nessus
  • Metasploit
how to conduct an sap pentest
How to conduct an SAP Pentest
  • Nmap (-sS and –sU only, no –sV or –A and watch timings)
  • Manual confirmation of services with standard client tools
  • RSH, Finger, Net View, Showmount, FTP
  • No active exploitation
  • Password guessing possible, but not automated
sap systems are
SAP Systems are
  • Unpatched
  • Unhardened
  • Unmaintained (caveat: security)
  • Unmanaged (caveat: security)
once you ve got local access
Once you’ve got local access
  • Useful tools
    • R3Trans
    • TP
  • SQL Trusts
    • OSQL –E
    • SQLPLUS “/ as sysdba”
    • MySQL –u root, mysqld_safe
r3trans
R3Trans
  • Uses SAP’s abstracted SQL model (T-SQL)
  • Uses ‘control files’ to perform actions upon databases
  • R3Trans –d –v
    • Test database connection
r3trans control file
R3Trans Control File

EXPORT

FILE=‘/tmp/.export/’

CLIENT=000

SELECT * FROM USR02

  • Start with:
    • R3Trans /tmp/control
  • Don’t forget to check trans.log
where to look
Where to look
  • /usr/sap/trans
  • /usr/sap/<SID>
  • /home/<SID>adm
  • There is no reason for these directories to be world writeable!
  • Most should be 700, 770 or 775
from the trenches
From the trenches
  • “We use RSH to copy files around the environment. RSH has a feature call .rhosts which enables us to restrict access to specific users or hosts”
front end issues

Front-End Issues

Busting down the door citing section 404

what front end
What front-end?
  • SAP has many
    • SAPGUI
    • WebGUI/NetWeaver/ITS/EP
    • SAPRFC
  • For the sake of time we will focus on SAPGUI
    • These issues do apply elsewhere though
sapgui43
SAPGUI
  • See the box up next to the green tick?
    • Use /? to start debugging
    • Type in a transaction code (T-Code) to start a transaction
sap transactions of note
SAP Transactions of Note
  • SU01 – User Authorization
  • SU02 – User Profile Administration
  • RZ04 – Maintain SAP Instances
  • SECR – Audit Information System
  • SE11 – Data Dictionary
  • SE38 – ABAP Editor
  • SE61 – R/3 Documentation
  • SM21 – System Log
  • SM31 – Table Maintenance
  • SM51 – List of Targets SAP Servers
  • SU24 – Disable Authorization Checks
  • SM49 – Execute Operating System Commands
  • SU12 – Delete All Users
  • PE51 – HR Form Editor (HR)
  • P013 – Maintain Positions (HR)
  • P001 – Maintain Jobs (HR)
sap transactions of note45
SAP Transactions of Note
  • AL08 – Users Logged On
  • AL11 – Display SAP Directories
  • OS01 – LAN Check with Ping
  • OS03 – Local OS Parameter changes
  • OS04 – Local System Configuration
  • OSO5 – Remote System Configuration
  • OSS1 – SAP’s Online Service System
  • PFCG – Profile Generator
  • RZ01 – Job Scheduling Monitor
  • RZ20 – CCMS Monitoring
  • RZ21 – Customize CCMS Monitor
  • SA38 – ABAP/4 Reporting
  • SCC0 – Client Copy
  • SE01 – Transport and Correction System
  • SE13 – Maintain Technical Settings (Tables)
  • SUIM – Repository Information System
you can t access those
You can’t access those!
  • I can access them (or equivalents) if restrictions are based on:
    • Easy Access Menu Items
    • Transactions only
    • Custom-tables (e.g a ZUSERS table of allowed users)
  • Restrictions need to be implemented at the Authorization level
  • So what else is there?
reports
Reports
  • RPCIFU01 – Display File
  • RPCIFU03 – Download Unix File
  • RPCIFU04 – Upload Unix File
  • RPR_ABAP_SOURCE_SCAN – Search ABAP for a string ;)
  • RSBDCOS0 – Execute OS Command
  • RSPARAM – Check System Parameters
  • RSORAREL – Get the Oracle System Release
tables
Tables
  • Accessible through:
    • SE16 (Maintain Tables)
    • SE17 (Display Tables)
    • SA38 (Execute ABAP)
    • SE38 (ABAP Editor)
    • Customizations (ZZ_TABLE_ADMIN etc.)
    • Will Be Covered Later
job scheduler
Job Scheduler
  • Can’t get OS access?
    • Use SM36 or SM36WIZ Instead
      • Specify Immediate Start
      • External Program as Step
custom transaction fun
Custom Transaction fun
  • Input Validation
    • Selection Criteria Expansion
    • Path specification (../../, // etc)
    • Shell Escapes (; /bin/ls, |”/bin/ls”| etc)
    • SQL Injection
    • Export/Import file fun and games
  • Bypass Authorization Checks
from the trenches51
From the trenches
  • “As discussed in the meeting on <redacted> with <redacted>, we’ve agreed that there is no further action required. I appreciate that you are on holiday at the moment, but we will take your expected non-response in advance as agreement upon the matter.”
database skullduggery

Database Skullduggery

Here be Dragons

database stuff
Database Stuff
  • The Database contains all the data.
  • The Database is accessed by SAP users through the SAP system.
  • The SAP database is not subject to the same controls as SAP itself.
  • WARNING: DO NOT MODIFY THE DATABASE WITHOUT PERMISSION SIGNED IN BLOOD (not yours)
getting in
Getting In
  • Patch Weaknesses
  • Brute Force
  • Roundhouse Kicks
  • Default Accounts
speaking of default accounts
Speaking of Default Accounts
  • Default Accounts (with Oracle Hashes)
    • DDIC/199220706 (4F9FFB093F909574)
    • SAP/SAPR3 (BEAA1036A464F9F0)
    • SAP/6071992 (B1344DC1B5F3D903)
    • SAPR3/SAP (58872B4319A76363)
    • EARLYWATCH/SUPPORT (8AA1C62E08C76445)
note about schemas
Note about Schemas
  • <610 has SAPR3 as Schema Owner
  • >610 uses SAP as Schema Owner
database queries of note
Database Queries of Note
  • Select MANDT,BNAME,BCODE,USTYP,CLASS from <SAPDB>..USR02
  • SELECT * FROM UST04
  • SELECT * FROM TSTCT WHERE SPRSL = ‘E’
  • SELECT * FROM DBCON
  • exec master.dbo.xp_cmdshell 'cmd.exe /c net view’
common values in the db
Common Values in the DB
  • ACTVT – Activity Code
  • USTYP – User Type
  • MANDT – Client Number
  • BUKRS – Company Code
  • BEGRU – Authorization
ustyp values
USTYP values
  • USTYP specifies the type of user (used in USR02)
  • A – Dialog (interactive user)
  • C – Communications (CPIC)
  • D – System (BDC)
  • S – Service
  • L – Reference
  • People often don’t change passwords on CPIC users as they’re not sure what breaks
tables to look at
Tables to look at
  • BKPF – Accounting Header (FI)
  • BSEG – Accounting Document Segment (FI)
  • CEPC – Profit Master Data
  • EKKO – PO Header
  • RSEG – Incoming Invoice
  • RBKP – Invoice Receipts
  • KNA1 – Customer Master Records
  • LFA1 – Vendor Master Records
  • PNP – Personnel Data (HR Only)
  • CSKS – Cost Centre Master (HR)
  • T569V – Payroll Control Records (HR)
subverting business logic

Subverting Business Logic

It’s not a lie, we just didn’t tell you that

how sap controls access
How SAP Controls Access
  • Local logon details in USR02
  • Profile details in UST04, USR04 etc.
  • Authorizations & Profiles
custom sap code and access control
Custom SAP Code and Access Control
  • ABAPs and Auths 101
    • Authorization checks
      • AUTHORITY-CHECK OBJECT <object>
  • If the authority check statement isn’t there, it is assumed that you can go ahead!
common authorization snafus
Common Authorization Snafus
  • ‘Pyramid Structure’ Approach
  • Overly Restrictive Approach
  • Use Standard SAP Profiles Approach
  • Transactions/Menu only Approach
  • Objects only Approach
when things go wrong
When things go wrong
  • Too much access
  • Too little access
  • Disgruntled Employees and no audit trail
  • Enron style fun
business process hacking

Business Process Hacking

Where you too can be like Neo

business process hacking69
Business Process Hacking

When your business processes are correctly aligned all is good.

  • When they aren’t…
  • … And it’s even worse when it’s legislation
bph vs social engineering
BPH Vs. Social Engineering
  • From the Canadian charter of rights and freedoms:
    • 20. (1) Any member of the public in Canada has the right to communicate with, and to receive available services from, any head or central office of an institution of the Parliament or government of Canada in English or French, and has the same right with respect to any other office of any such institution where
      • a) there is a significant demand for communications with and services from that office in such language; or
      • b) due to the nature of the office, it is reasonable that communications with and services from that office be available in both English and French.
  • Is this charter open to abuse?
bph example
BPH Example
  • User provisioning policy not correctly implemented
    • Weakness: New users created but old ones not disabled
    • Result: Accounts can be used after owners leave
bph example 2
BPH Example #2
  • Evening meal expense claim requires signature of most senior person present
    • Then signed off by person at higher grade
    • No requirement to list people present
how does this tie into sap
How does this tie into SAP?
  • SAP process integration
    • If the process fits…
    • If it doesn’t?
a word from our sponsors

A word from our sponsors

Well, Steve has to get revenue somehow

owasp eas

OWASP-EAS

Stays crisp in milk

owasp eas77
OWASP-EAS
  • What?
  • Why?
  • How?
  • When?
slide78
What?
  • OWASP-Enterprise Application Security Project
  • Enterprise Grade Schnizzle
    • Requirements Guidelines
    • Audit Programmes
    • Business-level and tech guidance docs
slide79
Why?
  • OWASP is great for Web-based stuff
  • It’s great for toy applications
  • It’s not great for large business systems
    • Not applicable
    • Not relevant
    • Not ‘Enterprise Grade’
slide80
How?
  • Initial Launch
    • Parent OWASP-EAS Mailing List
    • Develop industry links
    • Initial projects
      • OWASP-EAS RFP Guide
      • Security Document Templates
      • SAP Assessment Guide
    • White Papers
slide81
When?
  • Real Soon Now*
    • Formal launch in June ‘06
    • ‘Soft’ Launch End April
      • Mailing List
      • Sub-Projects Initiation
  • *may contain nuts
conclusions83
Conclusions
  • SAP is teh r0x0r
  • The people who implement it aren’t necessarily so
  • OWASP-EAS will help them… to a point