
Mo’ Budget, Mo’ Problems

Steve Lord, Mandalorian

What is this talk about?

  • Large IT Projects

  • System Integrators

  • SAP

What is SAP?

  • Enterprise Resource Planning (SAP R/3)

  • CRM

  • EP

  • HR

  • FI/CO

  • BW

  • MM

  • PP

What is SAP/R3, really?

  • Business process re-implementation

  • Fancy MIS framework with template processes

  • Big basket for corporate eggs

Fundamentals of Large Projects

  • The bigger the budget, the harder the fall

    • Compound delays due to complex dependencies

    • Corners cut to meet deadlines

    • Functionality Vs. Security

    • Decision rarely based upon business case

      • When was the last time you signed off $xxx million?

  • Don’t believe me?

Irish HSE PPARs and FISP Systems

  • PPARs (HR) and FISP (FI/CO)

    • Projected Combined Cost - £6.2mil

    • PPARs Cost when halted in 2005 - £80mil

    • FISP Cost when halted - £20.7mil

    • Revenues for Deloitte & Touche - £34.5mil

    • Revenues for SAP – Undisclosed (not part of D&T’s fees)

PPARs

  • “It’s like a case study in how not to run a project … It’s appalling stuff.” – Enda Kenny, Fine Gael Leader

  • PPARs could’ve paid for:

    • A 600 bed Hospital

    • 20 St. Patrick’s Day beers for Every Man, Woman and Child in Ireland

HP’s Internal Failure

  • iGSO

    • Launched in 2002

    • Consolidate 350 Digital, Compaq, HP, Tandem systems

    • Expected finish date 2007

HP: The Adaptive Enterprise that couldn’t adapt

  • Total cost of Implementation failure

    • US$400 mil (revenue)

    • US$275 mil (operating profit)

    • 3 Executives’ heads

  • Did I mention this was the total for Q3 2002?

How is SAP Implemented Internally?

  • Usually Poorly

    • Inadequate Skills/Experience

    • Poor/No Business Requirements Capture

    • Technology Driven Implementation

    • Poor Documentation

    • Usually very expensive ($20mil+)

How is SAP implemented by External Integrators?

  • Poorly

    • Front-loading Skills

    • Business Requirements Capture?

    • Partner-driven Implementation

    • Poor/No Documentation

    • Subject to contract wrangling

    • Can be extremely expensive ($50mil+)

Where does it all go wrong?

  • Lack of:

    • Communication

    • Contingency

    • Requirements Capture/Analysis

    • Simplicity

    • Security

Where does Security come in?

  • At the end of a long queue

    • By the time it reaches us, it is:

      • Non or semi-functional

      • Delayed

      • Costing the business

  • Security’s role is to

    • SUSO (Shut Up, Sign Off)

Show me the SUSO

  • You need to sign this off

    • If you don’t

      • You’re blocking the business

      • You’re costing us money

      • You’re getting in the way of the project

    • If you do

      • It’s your backside on the dotted line

End of Talk

  • Oh you want more?

This is the price, right?

  • Quiz Show

  • Prizes

  • Need Victims Volunteers

How it works

  • Question is asked

  • Potential answers are shown

  • You have to guess which one of the answers was an actual response

Why can’t we use SSH?

  • A) It (PuTTY) isn’t vendor supported

  • B) SFTP Doesn’t support ASCII

  • C) We don’t have a PKI

  • D) Key Management is too difficult

  • E) The TCO for OpenSSH is too high

Why can’t we switch off RSH?

  • A) It requires a server rebuild

  • B) It requires extensive testing that would cost millions

  • C) CowboyNeal

  • D) We use telnet, you insensitive clod!

  • E) We don’t know what it would break

Why did the SI buy the tin prior to completing the design stage?

  • A) Because the vendor rebate would be lower next year

  • B) Because the client will have to write off the hardware expenditure anyway

  • C) Because it’s easier to justify spending on one round of big tin than two rounds of smaller tin

  • D) If the client has already paid a fortune up front they’re less likely to pull the plug later

Why were all the consultants on the job South African?

  • A) Because of S.A’s extensive investment in enterprise technology training

  • B) Because all the experienced guys are from Joburg

  • C) Because they’re cheaper than native employees and have a lesser understanding of local employment law

Why are these not risks?

  • A) Because it’s not live yet

  • B) Because you need an account to access the systems

  • C) Because you’d need to have an RSH client and a copy of finger to access the systems

  • D) Because you’d need to have an FTP client to gain access to an unshadowed /etc/passwd

  • E) Because there are plenty of other ways in

  • F) Because you’re holding the project up so just sign off or there’ll be trouble

Well done!

  • The good news is

    • People got prizes

  • The bad news is

    • We’re all losers in the end

Breaking SAP

Send in the clowns

SAP Structure

  • Infrastructure Issues

  • Front-End Application

  • Business Logic

  • Business Processes

  • Database Skullduggery

Infrastructure Issues

Let me paint you a picture

Points of interest

  • There is no standard deployment

  • There should be Firewalls involved

    • If there are, Any-Any rules may be used

  • Sometimes the File Server(s) are shared between dev, test and live too

  • Sometimes the App Server(s) are shared between dev, test and live too

How (not) to conduct an SAP Pentest

  • Nmap

  • Amap

  • Nikto

  • Nessus

  • Metasploit

How to conduct an SAP Pentest

  • Nmap (-sS and -sU only, no -sV or -A, and watch timings)

  • Manual confirmation of services with standard client tools

  • RSH, Finger, Net View, Showmount, FTP

  • No active exploitation

  • Password guessing possible, but not automated

SAP Systems are

  • Unpatched

  • Unhardened

  • Unmaintained (caveat: security)

  • Unmanaged (caveat: security)

Once you’ve got local access

  • Useful tools

    • R3Trans

    • TP

  • SQL Trusts

    • OSQL -E

    • SQLPLUS "/ as sysdba"

    • MySQL -u root, mysqld_safe

R3Trans

  • Uses SAP’s abstracted SQL model (T-SQL)

  • Uses ‘control files’ to perform actions upon databases

  • R3Trans -d -v

    • Test database connection

R3Trans Control File





  • Start with:

    • R3Trans /tmp/control

  • Don’t forget to check trans.log

Where to look

  • /usr/sap/trans

  • /usr/sap/<SID>

  • /home/<SID>adm

  • There is no reason for these directories to be world writeable!

  • Most should be 700, 770 or 775

From the trenches

  • “We use RSH to copy files around the environment. RSH has a feature called .rhosts which enables us to restrict access to specific users or hosts”

Front-End Issues

Busting down the door citing section 404

What front-end?

  • SAP has many

    • SAPGUI

    • WebGUI/NetWeaver/ITS/EP

    • SAPRFC

  • For the sake of time we will focus on SAPGUI

    • These issues do apply elsewhere though

SAPGUI

  • See the box up next to the green tick?

    • Use /? to start debugging

    • Type in a transaction code (T-Code) to start a transaction

SAP Transactions of Note

  • SU01 – User Authorization

  • SU02 – User Profile Administration

  • RZ04 – Maintain SAP Instances

  • SECR – Audit Information System

  • SE11 – Data Dictionary

  • SE38 – ABAP Editor

  • SE61 – R/3 Documentation

  • SM21 – System Log

  • SM31 – Table Maintenance

  • SM51 – List of Target SAP Servers

  • SU24 – Disable Authorization Checks

  • SM49 – Execute Operating System Commands

  • SU12 – Delete All Users

  • PE51 – HR Form Editor (HR)

  • P013 – Maintain Positions (HR)

  • P001 – Maintain Jobs (HR)

SAP Transactions of Note (continued)

  • AL08 – Users Logged On

  • AL11 – Display SAP Directories

  • OS01 – LAN Check with Ping

  • OS03 – Local OS Parameter changes

  • OS04 – Local System Configuration

  • OS05 – Remote System Configuration

  • OSS1 – SAP’s Online Service System

  • PFCG – Profile Generator

  • RZ01 – Job Scheduling Monitor

  • RZ20 – CCMS Monitoring

  • RZ21 – Customize CCMS Monitor

  • SA38 – ABAP/4 Reporting

  • SCC0 – Client Copy

  • SE01 – Transport and Correction System

  • SE13 – Maintain Technical Settings (Tables)

  • SUIM – Repository Information System

You can’t access those!

  • I can access them (or equivalents) if restrictions are based on:

    • Easy Access Menu Items

    • Transactions only

    • Custom tables (e.g. a ZUSERS table of allowed users)

  • Restrictions need to be implemented at the Authorization level

  • So what else is there?

Reports

  • RPCIFU01 – Display File

  • RPCIFU03 – Download Unix File

  • RPCIFU04 – Upload Unix File

  • RPR_ABAP_SOURCE_SCAN – Search ABAP for a string ;)

  • RSBDCOS0 – Execute OS Command

  • RSPARAM – Check System Parameters

  • RSORAREL – Get the Oracle System Release

Tables

  • Accessible through:

    • SE16 (Maintain Tables)

    • SE17 (Display Tables)

    • SA38 (Execute ABAP)

    • SE38 (ABAP Editor)

    • Customizations (ZZ_TABLE_ADMIN etc.)

    • Will Be Covered Later

Job Scheduler

  • Can’t get OS access?

    • Use SM36 or SM36WIZ Instead

      • Specify Immediate Start

      • External Program as Step

Custom Transaction fun

  • Input Validation

    • Selection Criteria Expansion

    • Path specification (../../, // etc)

    • Shell Escapes (; /bin/ls, |"/bin/ls"| etc)

    • SQL Injection

    • Export/Import file fun and games

  • Bypass Authorization Checks

From the trenches

  • “As discussed in the meeting on <redacted> with <redacted>, we’ve agreed that there is no further action required. I appreciate that you are on holiday at the moment, but we will take your expected non-response in advance as agreement upon the matter.”

Database Skullduggery

Here be Dragons

Database Stuff

  • The Database contains all the data.

  • The Database is accessed by SAP users through the SAP system.

  • The SAP database is not subject to the same controls as SAP itself.


Getting In

  • Patch Weaknesses

  • Brute Force

  • Roundhouse Kicks

  • Default Accounts

Speaking of Default Accounts

  • Default Accounts (with Oracle Hashes)

    • DDIC/199220706 (4F9FFB093F909574)

    • SAP/SAPR3 (BEAA1036A464F9F0)

    • SAP/6071992 (B1344DC1B5F3D903)

    • SAPR3/SAP (58872B4319A76363)


Note about Schemas

  • <610 has SAPR3 as Schema Owner

  • >610 uses SAP as Schema Owner

Database Queries of Note





  • exec master.dbo.xp_cmdshell 'cmd.exe /c net view'

Common Values in the DB

  • ACTVT – Activity Code

  • USTYP – User Type

  • MANDT – Client Number

  • BUKRS – Company Code

  • BEGRU – Authorization

USTYP values

  • USTYP specifies the type of user (used in USR02)

  • A – Dialog (interactive user)

  • C – Communications (CPIC)

  • D – System (BDC)

  • S – Service

  • L – Reference

  • People often don’t change passwords on CPIC users as they’re not sure what breaks

Tables to look at

  • BKPF – Accounting Header (FI)

  • BSEG – Accounting Document Segment (FI)

  • CEPC – Profit Master Data

  • EKKO – PO Header

  • RSEG – Incoming Invoice

  • RBKP – Invoice Receipts

  • KNA1 – Customer Master Records

  • LFA1 – Vendor Master Records

  • PNP – Personnel Data (HR Only)

  • CSKS – Cost Centre Master (HR)

  • T569V – Payroll Control Records (HR)

Subverting Business Logic

It’s not a lie, we just didn’t tell you that

How SAP Controls Access

  • Local logon details in USR02

  • Profile details in UST04, USR04 etc.

  • Authorizations & Profiles

Custom SAP Code and Access Control

  • ABAPs and Auths 101

    • Authorization checks


  • If the authority check statement isn’t there, it is assumed that you can go ahead!
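As an added illustration (not code from the talk), here is what a defensively written custom "display file" report looks like in ABAP: it validates the user-supplied file name against the traversal and shell-escape cases listed under "Custom Transaction fun", and makes the AUTHORITY-CHECK explicit because, as the slide says, ABAP performs no implicit check. The report name and the base directory constant are assumptions.

```abap
*&---------------------------------------------------------------------*
*& Report ZSEC_DISPLAY_FILE (hypothetical name, added example)
*& Displays a text file from a fixed base directory. Contrast with a
*& report that passes its parameter straight to OPEN DATASET with no
*& AUTHORITY-CHECK: ABAP adds no implicit authorization check, so such
*& a report runs for every user who can reach SA38/SE38.
*&---------------------------------------------------------------------*
REPORT zsec_display_file.

" Base directory is an assumption for this example; in practice use a
" logical file path maintained in transaction FILE instead of a literal.
CONSTANTS gc_base TYPE string VALUE '/usr/sap/trans/data/'.

PARAMETERS p_file TYPE string LOWER CASE.

DATA: gv_path TYPE string,
      gv_line TYPE string.

START-OF-SELECTION.

  " 1. Input validation on the whole parameter: a plain file name only,
  "    no path separators, no '..' traversal, no shell metacharacters.
  IF p_file IS INITIAL
     OR p_file CA '/\;|&$'
     OR p_file CS '..'.
    MESSAGE 'Invalid file name' TYPE 'E'.
  ENDIF.
  CONCATENATE gc_base p_file INTO gv_path.

  " 2. Explicit authorization check on S_DATASET (ACTVT 33 = read).
  "    Without this statement the report would proceed for anyone.
  AUTHORITY-CHECK OBJECT 'S_DATASET'
    ID 'PROGRAM'  FIELD sy-repid
    ID 'ACTVT'    FIELD '33'
    ID 'FILENAME' FIELD gv_path.
  IF sy-subrc <> 0.
    MESSAGE 'No authorization to display this file' TYPE 'E'.
  ENDIF.

  " 3. Only now touch the file system.
  OPEN DATASET gv_path FOR INPUT IN TEXT MODE ENCODING DEFAULT.
  IF sy-subrc <> 0.
    MESSAGE 'File could not be opened' TYPE 'E'.
  ENDIF.
  DO.
    READ DATASET gv_path INTO gv_line.
    IF sy-subrc <> 0.
      EXIT.
    ENDIF.
    WRITE: / gv_line.
  ENDDO.
  CLOSE DATASET gv_path.
```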

Common Authorization Snafus

  • ‘Pyramid Structure’ Approach

  • Overly Restrictive Approach

  • Use Standard SAP Profiles Approach

  • Transactions/Menu only Approach

  • Objects only Approach

When things go wrong

  • Too much access

  • Too little access

  • Disgruntled Employees and no audit trail

  • Enron style fun

Business Process Hacking

Where you too can be like Neo

Business Process Hacking

When your business processes are correctly aligned all is good.

  • When they aren’t…

  • … And it’s even worse when it’s legislation

BPH Vs. Social Engineering

  • From the Canadian charter of rights and freedoms:

    • 20. (1) Any member of the public in Canada has the right to communicate with, and to receive available services from, any head or central office of an institution of the Parliament or government of Canada in English or French, and has the same right with respect to any other office of any such institution where

      • a) there is a significant demand for communications with and services from that office in such language; or

      • b) due to the nature of the office, it is reasonable that communications with and services from that office be available in both English and French.

  • Is this charter open to abuse?

BPH Example

  • User provisioning policy not correctly implemented

    • Weakness: New users created but old ones not disabled

    • Result: Accounts can be used after owners leave

BPH Example #2

  • Evening meal expense claim requires signature of most senior person present

    • Then signed off by person at higher grade

    • No requirement to list people present

How does this tie into SAP?

  • SAP process integration

    • If the process fits…

    • If it doesn’t?

A word from our sponsors

Well, Steve has to get revenue somehow

OWASP-EAS

Stays crisp in milk

OWASP-EAS

  • What?

  • Why?

  • How?

  • When?

What?

  • OWASP-Enterprise Application Security Project

  • Enterprise Grade Schnizzle

    • Requirements Guidelines

    • Audit Programmes

    • Business-level and tech guidance docs

Why?

  • OWASP is great for Web-based stuff

  • It’s great for toy applications

  • It’s not great for large business systems

    • Not applicable

    • Not relevant

    • Not ‘Enterprise Grade’

How?

  • Initial Launch

    • Parent OWASP-EAS Mailing List

    • Develop industry links

    • Initial projects

      • OWASP-EAS RFP Guide

      • Security Document Templates

      • SAP Assessment Guide

    • White Papers

When?

  • Real Soon Now*

    • Formal launch in June ‘06

    • ‘Soft’ Launch End April

      • Mailing List

      • Sub-Projects Initiation

  • *may contain nuts

Conclusions

  • SAP is teh r0x0r

  • The people who implement it aren’t necessarily so

  • OWASP-EAS will help them… to a point