csw06 lord

50 %
50 %
Information about csw06 lord

Published on October 25, 2007

Author: Nikita

Source: authorstream.com

Mo’ Budget, Mo’ Problems:  Mo’ Budget, Mo’ Problems Steve Lord, Mandalorian What is this talk about?:  What is this talk about? Large IT Projects System Integrators SAP What is SAP?:  What is SAP? Enterprise Resource Planning (SAP R/3) CRM EP HR FI/CO BW MM PP What is SAP/R3, really?:  What is SAP/R3, really? Business process re-implementation Fancy MIS framework with template processes Big basket for corporate eggs Fundamentals of Large Projects:  Fundamentals of Large Projects The bigger the budget, the harder the fall Compound delays due to complex dependencies Corners cut to meet deadlines Functionality Vs. Security Decision rarely based upon business case When was the last time you signed off $xxx million? Don’t believe me? Irish HSE PPARs and FISP Systems:  Irish HSE PPARs and FISP Systems PPARs (HR) and FISP (FI/CO) Projected Combined Cost - £6.2mil PPARs Cost when halted in 2005 - £80mil FISP Cost when halted - £20.7mil Revenues for Deloitte & Touche - £34.5mil Revenues for SAP – Undisclosed (not part of D&T’s fees) PPARs:  PPARs “It’s like a case study in how not to run a project … It’s appaling stuff.” – Enda Kenny, Fine Gael Leader PPARs could’ve paid for: A 600 bed Hospital 20 St. Patrick’s Day beers for Every Man, Woman and Child in Ireland HP’s Internal Failure:  HP’s Internal Failure iGSO Launched in 2002 Consolidate 350 Digital, Compaq, HP, Tandem systems Expected finish date 2007 HP: The Adaptive Enterprise that couldn’t adapt:  HP: The Adaptive Enterprise that couldn’t adapt Total cost of Implementation failure US$400 mil (revenue) US$275 mil (operating profit) 3 Executives heads Did I mention this was the total for Q3 2002? How is SAP Implemented Internally?:  How is SAP Implemented Internally? Usually Poorly Inadequate Skills/Experience Poor/No Business Requirements Capture Technology Driven Implementation Poor Documentation Usually very expensive ($20mil+) How is SAP implemented by External Integrators?:  How is SAP implemented by External Integrators? Poorly Front-loading Skills Business Requirements Capture? Partner-driven Implementation Poor/No Documentation Subject to contract wrangling Can be extremely expensive ($50mil+) Where does it all go wrong?:  Where does it all go wrong? Lack of: Communication Contingency Requirements Capture/Analysis Simplicity Security Where does Security come in?:  Where does Security come in? At the end of a long queue By the time it reaches us, it is: Non or semi-functional Delayed Costing the business Security’s role is to SUSO (Shut Up, Sign Off) Show me the SUSO:  Show me the SUSO You need to sign this off If you don’t You’re blocking the business You’re costing us money You’re getting in the way of the project If you do It’s your backside on the dotted line End of Talk:  End of Talk Oh you want more? This is the price, right?:  This is the price, right? Come on down! This is the price, right?:  This is the price, right? Quiz Show Prizes Need Victims Volunteers How it works:  How it works Question is asked Potential answers are shown You have to guess which one of the answers was an actual response This is the price, right?:  This is the price, right? Question 1 Why can’t we use SSH?:  Why can’t we use SSH? A) It (PuTTY) isn’t vendor supported B) SFTP Doesn’t support ASCII C) We don’t have a PKI D) Key Management is too difficult E) The TCO for OpenSSH is too high Why can’t we switch off RSH?:  Why can’t we switch off RSH? A) It requires a server rebuild B) It requires extensive testing that would cost millions C) CowboyNeal D) We use telnet, you insensitive clod! E) We don’t know what it would break Why did the SI buy the tin prior to completing the design stage?:  Why did the SI buy the tin prior to completing the design stage? A) Because the vendor rebate would be lower next year B) Because the client will have to write off the hardware expenditure anyway C) Because it’s easier to justify spending on one round of big tin than two rounds of smaller tin D) If the client has already paid a fortune up front they’re less likely to pull the plug later Why were all the consultants on the job South African?:  Why were all the consultants on the job South African? A) Because of S.A’s extensive investment in enterprise technology training B) Because all the experienced guys are from Joburg C) Because they’re cheaper than native employees and have a lesser understanding of local employment law Why are these not risks?:  Why are these not risks? A) Because it’s not live yet B) Because you need an account to access the systems C) Because you’d need to have an RSH client and a copy of finger to access the systems D) Because you’d need to have an FTP client to gain access to an unshadowed /etc/passwd E) Because there are plenty of other ways in F) Because you’re holding the project up so just sign off or there’ll be trouble Well done!:  Well done! The good news is People got prizes The bad news is We’re all losers in the end Breaking SAP:  Breaking SAP Send in the clowns SAP Structure:  SAP Structure Infrastructure Issues Front-End Application Business Logic Business Processes Database Skullduggery Infrastructure Issues:  Infrastructure Issues Let me paint you a picture What does an SAP deployment look like?:  What does an SAP deployment look like? What does an SAP deployment look like?:  What does an SAP deployment look like? Points of interest:  Points of interest There is no standard deployment There should be Firewalls involved If there are, Any-Any rules may be used Sometimes the File Server(s) are shared between dev, test and live too Sometimes the App Server(s) are shared between dev, test and live too How (not) to conduct an SAP Pentest:  How (not) to conduct an SAP Pentest Nmap Amap Nikto Nessus Metasploit How to conduct an SAP Pentest:  How to conduct an SAP Pentest Nmap (-sS and –sU only, no –sV or –A and watch timings) Manual confirmation of services with standard client tools RSH, Finger, Net View, Showmount, FTP No active exploitation Password guessing possible, but not automated SAP Systems are:  SAP Systems are Unpatched Unhardened Unmaintained (caveat: security) Unmanaged (caveat: security) Once you’ve got local access:  Once you’ve got local access Useful tools R3Trans TP SQL Trusts OSQL –E SQLPLUS “/ as sysdba” MySQL –u root, mysqld_safe R3Trans:  R3Trans Uses SAP’s abstracted SQL model (T-SQL) Uses ‘control files’ to perform actions upon databases R3Trans –d –v Test database connection R3Trans Control File:  R3Trans Control File EXPORT FILE=‘/tmp/.export/’ CLIENT=000 SELECT * FROM USR02 Start with: R3Trans /tmp/control Don’t forget to check trans.log Where to look:  Where to look /usr/sap/trans /usr/sap/<SID> /home/<SID>adm There is no reason for these directories to be world writeable! Most should be 700, 770 or 775 From the trenches:  From the trenches “We use RSH to copy files around the environment. RSH has a feature call .rhosts which enables us to restrict access to specific users or hosts” Front-End Issues:  Front-End Issues Busting down the door citing section 404 What front-end?:  What front-end? SAP has many SAPGUI WebGUI/NetWeaver/ITS/EP SAPRFC For the sake of time we will focus on SAPGUI These issues do apply elsewhere though SAPGUI:  SAPGUI SAPGUI:  SAPGUI See the box up next to the green tick? Use /? to start debugging Type in a transaction code (T-Code) to start a transaction SAP Transactions of Note:  SAP Transactions of Note SU01 – User Authorization SU02 – User Profile Administration RZ04 – Maintain SAP Instances SECR – Audit Information System SE11 – Data Dictionary SE38 – ABAP Editor SE61 – R/3 Documentation SM21 – System Log SM31 – Table Maintenance SM51 – List of Targets SAP Servers SU24 – Disable Authorization Checks SM49 – Execute Operating System Commands SU12 – Delete All Users PE51 – HR Form Editor (HR) P013 – Maintain Positions (HR) P001 – Maintain Jobs (HR) SAP Transactions of Note:  SAP Transactions of Note AL08 – Users Logged On AL11 – Display SAP Directories OS01 – LAN Check with Ping OS03 – Local OS Parameter changes OS04 – Local System Configuration OSO5 – Remote System Configuration OSS1 – SAP’s Online Service System PFCG – Profile Generator RZ01 – Job Scheduling Monitor RZ20 – CCMS Monitoring RZ21 – Customize CCMS Monitor SA38 – ABAP/4 Reporting SCC0 – Client Copy SE01 – Transport and Correction System SE13 – Maintain Technical Settings (Tables) SUIM – Repository Information System You can’t access those!:  You can’t access those! I can access them (or equivalents) if restrictions are based on: Easy Access Menu Items Transactions only Custom-tables (e.g a ZUSERS table of allowed users) Restrictions need to be implemented at the Authorization level So what else is there? Reports:  Reports RPCIFU01 – Display File RPCIFU03 – Download Unix File RPCIFU04 – Upload Unix File RPR_ABAP_SOURCE_SCAN – Search ABAP for a string ;) RSBDCOS0 – Execute OS Command RSPARAM – Check System Parameters RSORAREL – Get the Oracle System Release Tables:  Tables Accessible through: SE16 (Maintain Tables) SE17 (Display Tables) SA38 (Execute ABAP) SE38 (ABAP Editor) Customizations (ZZ_TABLE_ADMIN etc.) Will Be Covered Later Job Scheduler:  Job Scheduler Can’t get OS access? Use SM36 or SM36WIZ Instead Specify Immediate Start External Program as Step Custom Transaction fun:  Custom Transaction fun Input Validation Selection Criteria Expansion Path specification (../../, // etc) Shell Escapes (; /bin/ls, |”/bin/ls”| etc) SQL Injection Export/Import file fun and games Bypass Authorization Checks From the trenches:  From the trenches “As discussed in the meeting on <redacted> with <redacted>, we’ve agreed that there is no further action required. I appreciate that you are on holiday at the moment, but we will take your expected non-response in advance as agreement upon the matter.” Database Skullduggery:  Database Skullduggery Here be Dragons Database Stuff:  Database Stuff The Database contains all the data. The Database is accessed by SAP users through the SAP system. The SAP database is not subject to the same controls as SAP itself. WARNING: DO NOT MODIFY THE DATABASE WITHOUT PERMISSION SIGNED IN BLOOD (not yours) Getting In:  Getting In Patch Weaknesses Brute Force Roundhouse Kicks Default Accounts Speaking of Default Accounts:  Speaking of Default Accounts Default Accounts (with Oracle Hashes) DDIC/199220706 (4F9FFB093F909574) SAP/SAPR3 (BEAA1036A464F9F0) SAP/6071992 (B1344DC1B5F3D903) SAPR3/SAP (58872B4319A76363) EARLYWATCH/SUPPORT (8AA1C62E08C76445) Note about Schemas:  Note about Schemas <610 has SAPR3 as Schema Owner >610 uses SAP as Schema Owner Database Queries of Note:  Database Queries of Note Select MANDT,BNAME,BCODE,USTYP,CLASS from <SAPDB>..USR02 SELECT * FROM UST04 SELECT * FROM TSTCT WHERE SPRSL = ‘E’ SELECT * FROM DBCON exec master.dbo.xp_cmdshell 'cmd.exe /c net view’ Common Values in the DB:  Common Values in the DB ACTVT – Activity Code USTYP – User Type MANDT – Client Number BUKRS – Company Code BEGRU – Authorization USTYP values:  USTYP values USTYP specifies the type of user (used in USR02) A – Dialog (interactive user) C – Communications (CPIC) D – System (BDC) S – Service L – Reference People often don’t change passwords on CPIC users as they’re not sure what breaks Tables to look at:  Tables to look at BKPF – Accounting Header (FI) BSEG – Accounting Document Segment (FI) CEPC – Profit Master Data EKKO – PO Header RSEG – Incoming Invoice RBKP – Invoice Receipts KNA1 – Customer Master Records LFA1 – Vendor Master Records PNP – Personnel Data (HR Only) CSKS – Cost Centre Master (HR) T569V – Payroll Control Records (HR) Subverting Business Logic:  Subverting Business Logic It’s not a lie, we just didn’t tell you that How SAP Controls Access:  How SAP Controls Access Local logon details in USR02 Profile details in UST04, USR04 etc. Authorizations & Profiles Custom SAP Code and Access Control:  Custom SAP Code and Access Control ABAPs and Auths 101 Authorization checks AUTHORITY-CHECK OBJECT <object> If the authority check statement isn’t there, it is assumed that you can go ahead! SAP Authorization Concept:  SAP Authorization Concept Common Authorization Snafus:  Common Authorization Snafus ‘Pyramid Structure’ Approach Overly Restrictive Approach Use Standard SAP Profiles Approach Transactions/Menu only Approach Objects only Approach So what happens when things go wrong?:  So what happens when things go wrong? When things go wrong:  When things go wrong Too much access Too little access Disgruntled Employees and no audit trail Enron style fun Business Process Hacking:  Business Process Hacking Where you too can be like Neo Business Process Hacking:  Business Process Hacking When your business processes are correctly aligned all is good. When they aren’t… … And it’s even worse when it’s legislation BPH Vs. Social Engineering:  BPH Vs. Social Engineering From the Canadian charter of rights and freedoms: 20. (1) Any member of the public in Canada has the right to communicate with, and to receive available services from, any head or central office of an institution of the Parliament or government of Canada in English or French, and has the same right with respect to any other office of any such institution where a) there is a significant demand for communications with and services from that office in such language; or b) due to the nature of the office, it is reasonable that communications with and services from that office be available in both English and French. Is this charter open to abuse? BPH Example:  BPH Example User provisioning policy not correctly implemented Weakness: New users created but old ones not disabled Result: Accounts can be used after owners leave BPH Example #2:  BPH Example #2 Evening meal expense claim requires signature of most senior person present Then signed off by person at higher grade No requirement to list people present How does this tie into SAP?:  How does this tie into SAP? SAP process integration If the process fits… If it doesn’t? A word from our sponsors:  A word from our sponsors Well, Steve has to get revenue somehow A word from our sponsors:  A word from our sponsors OWASP-EAS:  OWASP-EAS Stays crisp in milk OWASP-EAS:  OWASP-EAS What? Why? How? When? What?:  What? OWASP-Enterprise Application Security Project Enterprise Grade Schnizzle Requirements Guidelines Audit Programmes Business-level and tech guidance docs Why?:  Why? OWASP is great for Web-based stuff It’s great for toy applications It’s not great for large business systems Not applicable Not relevant Not ‘Enterprise Grade’ How?:  How? Initial Launch Parent OWASP-EAS Mailing List Develop industry links Initial projects OWASP-EAS RFP Guide Security Document Templates SAP Assessment Guide White Papers When?:  When? Real Soon Now* Formal launch in June ‘06 ‘Soft’ Launch End April Mailing List Sub-Projects Initiation *may contain nuts Conclusions:  Conclusions Conclusions:  Conclusions SAP is teh r0x0r The people who implement it aren’t necessarily so OWASP-EAS will help them… to a point

Add a comment

Related presentations

Related pages

Slide 1 - CanSecWest PPT ( 4.2 MB )

http://cansecwest.com/slides06/csw06-lord.ppt Download Slide 1 - CanSecWest ...
Read more

CanSecWest Applied Security Conference: Vancouver, British ...

... pdf 355K csw06-duflot.ppt 666K csw06-fischbach.pdf 127K csw06-halvar.zip 911K csw06-lord.ppt 1.0M csw06-malfunction.pdf 3.3M csw06-moore.pdf 642K ...
Read more

Hour-of-Rap-and-Comedy-about-SAP--CanSecWest-Applied ...

Source : https://cansecwest.com/slides06/csw06-lord.ppt. Sponsored Links. About; Contact Us; Family safe; Privacy Policy; Terms Of Service;
Read more

Lord Buddha stole - Set of 5 - Rudraksha Ratna

Lord Buddha stole - Set of 5. ... Product Code : CSW06 Jai Shri Ram Shawl - I. INR: 675.00 | USD: ... Lord Shiva; Diwali Festival Puja;
Read more

Jai Shri Ram Shawl - I - Rudraksha Ratna

CSW06. View Equivalent Price Refer a friend and Earn double rudraksha point Add to WISHLIST ... Lord Shiva; Diwali Festival Puja; Sri Yantra Benefits;
Read more

www.erpscan.com www.eas- sec.org - docplayer.net

Analysis of 3000 vulnerabilities in SAP Disclaimer... 2 1. Intro... 3 2. Brief results... 4 3. General vulnerability statistics... 6 4. Number of ...
Read more

10: But the day of the Lord will come as a thief in the ...

10: But the day of the Lord will come as a thief in the night; in the which the heavens shall pass away with a great noise, and the elements shall melt ...
Read more

Audit-Issues-with-SAPR3--PPT | Powerpoint Presentations ...

View and Download PowerPoint Presentations on AUDIT ISSUES WITH SAPR3 PPT. Find PowerPoint Presentations and Slides using the power of XPowerPoint.com ...
Read more

Sap 101 Quiz Answers PPT - Ebookinga

Sap 101 Quiz Answers downloads at Ebookinga.com - Download free ppt files,ebooks and documents - City Budget 101 - CSMFO
Read more

pp sap PPT Powerpoint Presentations and Slides - View and ...

pp sap - PPT slides, PowerPoint presentations for download - SAP Quality Management (QM): When to Leverage It, How to Set It Up, and How to Integrate It ...
Read more