tcpdb dat case
play

TCPDB.DAT case Archive file signatures Attack surface Attack - PowerPoint PPT Presentation

Jul 03, 2023 •419 likes •913 views

Introduction Motivation SAP compression algorithms Archive file programs SAP archive file formats CAR SAR v2.00 SAR v2.01 Relative/absolute paths TCPDB.DAT case Archive file signatures Attack surface Attack vectors

  2. Introduction Motivation SAP compression algorithms Archive file programs SAP archive file formats • CAR • SAR v2.00 • SAR v2.01 Relative/absolute paths TCPDB.DAT case Archive file signatures Attack surface Attack vectors Defense Conclusions P A G E 2

  3. • SAP • SAP systems • SAP security • Complexity • Archive files • Software packaging • Software distribution • Transport files P A G E 3

  4. • File formats are not known • Lack of public documentation • Lack of practical known attacks • Went deep into the compression mechanisms • A different attack vector • Targets sysadmins, operators and BASIS admins • High privileged users P A G E 4

  5. • Based on Lempel-Ziv algorithm • Adaptive dictionary compression • Custom implementation • Two variants • LZH (Lempel-Ziv-Huffman) • LZC (Lempel-Ziv-Welch-Thomas) P A G E 5

  6. Special byte Algorithm LZC=compression level LZC=0x10 LZH=max # bits per code LZH=0x12 0 1 2 3 4 5 6 7 +---+---+---+---+---+---+---+---+ | LENGTH |ALG| MAGIC |SPE| +---+---+---+---+---+---+---+---+ Uncompressed length Magic bytes (LE unsigned int) 0x1F9D P A G E 6

  7. • SAPCAR program • Command-line • Available on multiple platforms • Allows listing, adding, extracting, verifying archive files • Works with CAR, SAR v2.00 and v2.01 files • Latest version release 721 • > 16 March 2015 P A G E 7

  8. $ ./SAPCAR usage: create a new archive: [..] SAPCAR -c[vir][f archive] [-P] [-C directory] append files to an archive: [-A filename] [-T filename] [-X filename] SAPCAR -a[v][f archive] file1 [file2....] [-p value] [-V] file1 file2 ... merge two archives: list the contents of an archive: SAPCAR -m[v]f "source target" SAPCAR -t[vs][f archive] [file1 file2....] check availability of files to be processed: extract files from an archive: SAPCAR -l [-A filename][-X filename] [file1 file2...] SAPCAR -x[v][f archive] [-R directory] [-A filename] [-V] [file1 file2....] sign archive: SAPCAR -S[v]f MY.SAR [-key keyname] [-H file hash] verify the archive: SAPCAR -d[v][f archive] [-V] [file1 file2....] verify the content of signed manifest: [..] SAPCAR -M[v][f manifest file] [-manifest file] [..] P A G E 8

  9. • Software packaging/distribution • CAR • SAR v2.00 • SAR v2.01 • Transport files • Transport files P A G E 9

  10. • Old (first?) version of the archive file • Text based archive header • Blob content • Still supported on SAPCAR for extracting • Not supported for creating new archives P A G E 1 0

  11. New lines Compressed length Eyecatcher (LE unsigned int) Checksum (CRC32) # CAR archive header\n F FILENAME MOD FSIZE CSIZE TSTAMP CHECKSUM\n .. # end of header\n File length File Timestamp (LE unsigned int) File Type Permission mode Name 640=-rwxrw---- 0 1 2 3 4 5 6 7 Len, alg, magic +---+---+---+---+---+---+---+---+=============+ and special bytes | COMPRESSION HEADER | COMPR. BLOB | Compressed +---+---+---+---+---+---+---+---+=============+ LZC/LZH blob P A G E 1 1

  12. $ ./SAPCAR -xvf carcar_test_string.sar processing archive carcar_test_string.sar... x test_string.txt $ xxd carcar_test_string.sar 0000000: 2320 4341 5220 6172 6368 6976 6520 6865 # CAR archive he 0000010: 6164 6572 0a46 2074 6573 745f 7374 7269 ader.F test_stri 0000020: 6e67 2e74 7874 2020 2020 2020 2020 2020 ng.txt 0000030: 2034 3434 2020 2020 2020 2020 3433 2020 444 43 0000040: 2020 2020 2020 3533 2031 3434 3930 3130 53 1449010 0000050: 3132 3820 3331 3136 3736 3331 3434 0a23 128 3116763144.# 0000060: 2065 6e64 206f 6620 6865 6164 6572 0a2b end of header.+ 0000070: 0000 0012 1f9d 027b 2119 a90a 85a5 99c9 .......{!....... 0000080: d90a 4945 f9e5 790a 69f9 150a 59a5 b905 ..IE..y.i...Y... 0000090: c50a f965 a945 0a25 40e9 9cc4 aa4a 8594 ...e.E.%@....J.. 00000a0: fc74 0000 .t.. File type=file , Filename=test_string.txt , Perm mode=444 , File length=43 , Compressed Length=53 , Timestamp=01 Dec 2015 19:48 , Checksum=0xb9c60808 , Uncompressed Length=43, Algorithm=LZH, Special byte=02 P A G E 1 2

  13. • New version of the archive file (R/3 > 4.70) • Binary based archive file header • Still supported on SAPCAR for extracting • Not supported for creating new archives P A G E 1 3

  14. 0 1 2 3 4 5 6 7 +---+---+---+---+---+---+---+---+ | EYECATCHER | VERSION | +---+---+---+---+---+---+---+---+ “CAR ” “2.00” P A G E 1 4

  15. Permission mode File type RG=file 640=-rwxrw---- File length DR=dir (LE unsigned int) 0 1 2 3 4 5 6 7 8 9 a b c d e f +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 0x00 | FTYPE | PERM MODE | FILE LEN | UNKNOWN +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 0x10 | TIMESTAMP | UNKNOWN | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ File timestamp (LE unsigned int) P A G E 1 5

  16. If it’s a regular file, and file length > 0 Filename len (LE unsigned short) Filename string 0 1 +---+---+==================================+ |FN LEN | ...FN LEN bytes of “filename”... | +---+---+==================================+ 0 1 2 3 4 5 6 7 8 9 A B C D +---+---+---+---+---+---+---+---+---+---+---+---+---+---+=============+ | ED | COMP LEN | COMPRESSION HEADER | COMPR. BLOB | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+=============+ Len, alg, magic Compressed length Compressed and special bytes (LE unsigned int) LZC/LZH blob 0 1 2 3 +---+---+---+---+ File checksum | CRC32 | +---+---+---+---+ P A G E 1 6

  17. $ ./SAPCAR -xvf car200_test_string.sar SAPCAR: processing archive car200_test_string.sar (version 2.00) x test_string.txt SAPCAR: 1 file(s) extracted $ xxd car200_test_string.sar 0000000: 4341 5220 322e 3030 5247 b481 0000 2b00 CAR 2.00RG....+. 0000010: 0000 0000 0000 0000 0000 d023 5e56 0000 ...........#^V.. 0000020: 0000 0000 0000 0000 0f00 7465 7374 5f73 ..........test_s 0000030: 7472 696e 672e 7478 7445 4435 0000 002b tring.txtED5...+ 0000040: 0000 0012 1f9d 027b 2119 a90a 85a5 99c9 .......{!....... 0000050: d90a 4945 f9e5 790a 69f9 150a 59a5 b905 ..IE..y.i...Y... 0000060: c50a f965 a945 0a25 40e9 9cc4 aa4a 8594 ...e.E.%@....J.. 0000070: fc74 0000 0808 c6b9 .t...... Version=2.00 , File type=file , Perm mode=664 , File length=43 , Timestamp=01 Dec 2015 19:48 , Filename length=15 , Filename=test_string.txt , Compressed Length=53 , Uncompressed Length=43, Algorithm=LZH, Special byte=02 , Checksum=-1178204152 P A G E 1 7

  18. • Newest version of the archive file • Same structure as v2.00, except: • Handling of filename length • Filename is null-terminated • Default version on SAPCAR P A G E 1 8

  19. 0 1 2 3 4 5 6 7 +---+---+---+---+---+---+---+---+ | EYECATCHER | VERSION | +---+---+---+---+---+---+---+---+ “CAR ” “2.01” P A G E 1 9

  20. File type Permission mode RG=file 640=-rwxrw---- File length DR=dir (LE unsigned int) 0 1 2 3 4 5 6 7 8 9 a b c d e f +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 0x00 | FTYPE | PERM MODE | FILE LEN | UNKNOWN +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 0x10 | TIMESTAMP | UNKNOWN | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ File timestamp (LE unsigned int) P A G E 2 0

  21. If it’s a regular file, and file length > 0 Filename len (LE unsigned short) 0 1 Filename string +---+---+==================================+ (null terminated) |FN LEN | ...FN LEN bytes of “filename”... | +---+---+==================================+ 0 1 2 3 4 5 6 7 8 9 A B C D +---+---+---+---+---+---+---+---+---+---+---+---+---+---+=============+ | ED | COMP LEN | COMPRESSION HEADER | COMPR. BLOB | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+=============+ Len, alg, magic Compressed length Compressed and special bytes (LE unsigned int) LZC/LZH blob 0 1 2 3 +---+---+---+---+ File checksum | CRC32 | +---+---+---+---+ P A G E 2 1

  22. $ ./SAPCAR -xvf car201_test_string.sar SAPCAR: processing archive car201_test_string.sar (version 2.01) x test_string.txt SAPCAR: 1 file(s) extracted $ xxd car201_test_string.sar 0000000: 4341 5220 322e 3031 5247 b481 0000 2b00 CAR 2.01RG....+. 0000010: 0000 0000 0000 0000 0000 d023 5e56 0000 ...........#^V.. 0000020: 0000 0000 0000 0000 1000 7465 7374 5f73 ..........test_s 0000030: 7472 696e 672e 7478 7400 4544 3500 0000 tring.txt.ED5... 0000040: 2b00 0000 121f 9d02 7b21 19a9 0a85 a599 +.......{!...... 0000050: c9d9 0a49 45f9 e579 0a69 f915 0a59 a5b9 ...IE..y.i...Y.. 0000060: 05c5 0af9 65a9 450a 2540 e99c c4aa 4a85 ....e.E.%@....J. 0000070: 94fc 7400 0008 08c6 b9 ..t...... Version=2.00 , File type=file , Perm mode=664 , File length=43 , Timestamp=01 Dec 2015 19:48 , Filename length=16 , Filename=test_string.txt , Compressed Length=53 , Uncompressed Length=43, Algorithm=LZH, Special byte=02 , Checksum=-1178204152 P A G E 2 2

  23. • Handling of absolute/relative paths • “/ usr/var/some_file_name ” • “../../ some_file_name ” $ ./SAPCAR usage: [..] using absolute pathnames: If you create an archive with absolute pathnames the files will be extracted with exactly these pathnames! SAPCAR does not cut the first slash like the UNIX tool tar. [..] P A G E 2 3

Recommend

1 Quick Comparison Variance (existing rule) Case by Case (new) Applies to any applicable

1 Quick Comparison Variance (existing rule) Case by Case (new) Applies to any applicable

Variances and Case-by-Case Determinations 1 OAC 3745-300-12 Certified Professional 8-Hour Training Changes to rule 2 Variances (existing) Case-by-Case Determinations (new) Fees (change) Withdrawals (new) Examples of

862 views • 6 slides
Case study 2 Case study 2 Case study 2 Case study 2 Former Industrial Site, London: How has

Case study 2 Case study 2 Case study 2 Case study 2 Former Industrial Site, London: How has

Case study 2 Case study 2 Case study 2 Case study 2 Former Industrial Site, London: How has innovation helped to produce a cost effective remedial design? Challenging contaminant profile Taken a traditional / well understood remedial

912 views • 4 slides
ul#mate goal MEMORANDUM constitution and/or statute and/or regulation case case case

ul#mate goal MEMORANDUM constitution and/or statute and/or regulation case case case

ul#mate goal MEMORANDUM constitution and/or statute and/or regulation case case case treatise law review ideal case law mandatory precedent with similar facts,

106 views • 10 slides
Case Management Best P r actice Case Management regulations. Case Study. Community

Case Management Best P r actice Case Management regulations. Case Study. Community

Case Management Best P r actice Case Management regulations. Case Study. Community Links Wollondilly and the Case Work Team LEGISLATION AGENCY STANDARDS PROFESSIONAL STANDARDS CMSA STANDARDS STRENGTH BASED APPROACH PERSON

472 views • 25 slides
II . Directive for case documentation : Case reports must contain the following data: Medical

II . Directive for case documentation : Case reports must contain the following data: Medical

Guidelines for Comprehensive Case Presentation I . Case Type: Generalized moderate to advanced periodontitis with deep pockets and moderate to severe bone loss must be present in both arches. Cases must be of sufficient periodontal complexity to

667 views • 4 slides
Femoral Fracture During Cesarean Section: A Case of Professional Liability? Case Presentation and

Femoral Fracture During Cesarean Section: A Case of Professional Liability? Case Presentation and

DOI: 10.26502/acmcr.96550087 Arch Clin Med Case Rep 2019; 3 (5): 242-249 Case Report Femoral Fracture During Cesarean Section: A Case of Professional Liability? Case Presentation and Review of the Literature Luigi Papi 1* , Federica Gori 1 ,

643 views • 8 slides
CASE PROJECT CASE PROJECT IMPLEMENTATION 2017 AND PLANS FOR 2018 Antoine Zannotti CASE Project

CASE PROJECT CASE PROJECT IMPLEMENTATION 2017 AND PLANS FOR 2018 Antoine Zannotti CASE Project

CASE PROJECT CASE PROJECT IMPLEMENTATION 2017 AND PLANS FOR 2018 Antoine Zannotti CASE Project Coordinator, ECAC AFI SECFAL Plan SC/6, Montreal, 8 December 2017 CASE PROJECT Content Key elements of the CASE Project Duration

417 views • 16 slides
ANALYSE A CASE LAW Acelegal (Education Series) 1/38 ACELEGAL AGENDA What is a Case Law?

ANALYSE A CASE LAW Acelegal (Education Series) 1/38 ACELEGAL AGENDA What is a Case Law?

HOW TO ANALYSE A CASE LAW Acelegal (Education Series) 1/38 ACELEGAL AGENDA What is a Case Law? Elements of a Case Law How to Analyze a Case Law ACELEGAL 2/38 WHAT IS A CASE LAW ? Law based on previous judicial decisions,

1.06k views • 38 slides
Case Sleep Disorders: A Case-based Approach ROS: 30 Lbs wt gain/1year Fatigue LeRoy

Case Sleep Disorders: A Case-based Approach ROS: 30 Lbs wt gain/1year Fatigue LeRoy

Case Sleep Disorders: A Case-based Approach ROS: 30 Lbs wt gain/1year Fatigue LeRoy Essig, MD Heart burn Rami Khayat, MD Nasal congestion, dry mouth Reduced concentration/memory Case Case 47 y/o male presents to

552 views • 16 slides
The Montreal case The Montreal case 1 The Montreal case The Montreal case 2 Montreal 1992

The Montreal case The Montreal case 1 The Montreal case The Montreal case 2 Montreal 1992

The Montreal case The Montreal case 1 The Montreal case The Montreal case 2 Montreal 1992 Montreal 19922012 : Waterrelated investments related investments Value ($) $ / yr $ / yr Life expectancy (yrs) 30G$ 300M$ / yr 300M$ / yr 100

900 views • 17 slides
1 Case Presentation Running head: CASE PRESENTATION Alicia: A Case Presentation Christine S.

1 Case Presentation Running head: CASE PRESENTATION Alicia: A Case Presentation Christine S.

1 Case Presentation Running head: CASE PRESENTATION Alicia: A Case Presentation Christine S. CNSS 561 Holy Family University 2 Alicia: A Case Presentation Who is involved? In addition to the student client, Alicia, there are several others

364 views • 20 slides
case Statement Nesting if past two levels is error prone and possibly inefficient. case

case Statement Nesting if past two levels is error prone and possibly inefficient. case

case Statement Nesting if past two levels is error prone and possibly inefficient. case excels when many tests are performed on the same expression. case works well for muxes, decoders, and next state logic. SVerilog case has implied

279 views • 15 slides
Case Study A Case fo r Use in Addic tio n Re se arc h De re k Quig le y Unive rsity o f Auc

Case Study A Case fo r Use in Addic tio n Re se arc h De re k Quig le y Unive rsity o f Auc

Case Study A Case fo r Use in Addic tio n Re se arc h De re k Quig le y Unive rsity o f Auc kland What We ll Co ve r T o day T he L ig htbulb Mo me nt My Ph.D Case Study Case Study Charac te ristic s Case Study Stre

424 views • 10 slides
Variances and Case by Case Determinations OAC 3745 300 12 Certified Professional 8

Variances and Case by Case Determinations OAC 3745 300 12 Certified Professional 8

Variances and Case by Case Determinations OAC 3745 300 12 Certified Professional 8 Hour Training Changes to rule Variances (existing) Case by Case Determinations (new) Fees (change) Withdrawals (new)

402 views • 24 slides
Neuropharmacy Masterclass Case Studies Jan 19 Case 1 29 yr old female RRMS diagnosed

Neuropharmacy Masterclass Case Studies Jan 19 Case 1 29 yr old female RRMS diagnosed

Neuropharmacy Masterclass Case Studies Jan 19 Case 1 29 yr old female RRMS diagnosed 10yrs ago Rebif started 2008 Jan 2016 - experiencing injection fatigue What are her options ? dimethyl fumarate or teriflunomide Case 1

507 views • 16 slides
Intro Presenters Garvin Seto (Case 04) Mike Lustig (Case 07) Goals: Inform

Intro Presenters Garvin Seto (Case 04) Mike Lustig (Case 07) Goals: Inform

Intro Presenters Garvin Seto (Case 04) Mike Lustig (Case 07) Goals: Inform students about opportunities at Case Mini-Codonics Update Provide Tech Demo/Discussion Quick Outline Case Section Kinect Tech Talk

709 views • 21 slides
CDN use-case. Abubakr Magzoub Content Delivery Network (CDN) Use-Case CDN Use case shows:

CDN use-case. Abubakr Magzoub Content Delivery Network (CDN) Use-Case CDN Use case shows:

Data Plane Broker Integration CDN use-case. Abubakr Magzoub Content Delivery Network (CDN) Use-Case CDN Use case shows: WIM connection across sites Multi-sites NS deployment NS Scaling across multiple datacentres Content Delivery

447 views • 9 slides
Imperative Programming Exercises 12.1 Compile-time complexity is a minor issue. In the case

Imperative Programming Exercises 12.1 Compile-time complexity is a minor issue. In the case

12 Imperative Programming Exercises 12.1 Compile-time complexity is a minor issue. In the case insensitive case, the Lexer can map all upper case letters into lower case. The rest of the compiler then remains ignorant of the issue. Having case

406 views • 6 slides
Case Managers Legislative Agenda Case Management Society of America (CMSA) Standards of

Case Managers Legislative Agenda Case Management Society of America (CMSA) Standards of

10/10/18 Case Management Society of New Englands (CMSNE) 29th Annual Conference All Eyes on Professional Practice: Seeking Clarity on Cross-Continuum Social and Clinical Complexity Legislators/Regulators Need Case Managers At The Table

205 views • 6 slides
Case studies and case selection Gary Goertz Kroc Institute for International Peace Studies

Case studies and case selection Gary Goertz Kroc Institute for International Peace Studies

Case studies and case selection Gary Goertz Kroc Institute for International Peace Studies University of Notre Dame ggoertz@nd.edu Spring 2018 One uses case studies based on Z to answer the question: How generalizable is the case study?

1.23k views • 29 slides
CASE PRESENTATION CASE PRESENTATION Prepared by: Dr. Lina Raffa Case Report p 14 year old

CASE PRESENTATION CASE PRESENTATION Prepared by: Dr. Lina Raffa Case Report p 14 year old

CASE PRESENTATION CASE PRESENTATION Prepared by: Dr. Lina Raffa Case Report p 14 year old boy known case of Vogt Kayanagi 14 year old boy known case of Vogt Kayanagi Harada disease diagnosed 2 yrs ago Following up in the clinic

977 views • 33 slides
SCALABILITY OF COMPOSITE INDICES OF WELL-BEING: INDICES OF WELL-BEING: THE CASE OF THE THE CASE

SCALABILITY OF COMPOSITE INDICES OF WELL-BEING: INDICES OF WELL-BEING: THE CASE OF THE THE CASE

FCD CWI FCD CWI SCALABILITY OF COMPOSITE INDICES OF WELL-BEING: INDICES OF WELL-BEING: THE CASE OF THE THE CASE OF THE CHILD AND YOUTH WELL-BEING INDEX* Kenneth C. Land, Ph.D., Duke University Italian Association for Quality of Life Studies

722 views • 35 slides
Business Case Development / Discovery Phase 1 Agenda What is a business case and why is it

Business Case Development / Discovery Phase 1 Agenda What is a business case and why is it

Business Case Development / Discovery Phase 1 Agenda What is a business case and why is it needed? Approach to creating a business case (including Discovery) Lessons learned 2 What is a business case? Provides the rationale to

306 views • 14 slides
CASE P E PRESEN ENTATION Dr . Sushrut Patil 2 nd year PG in Psychiatry . Case - 1 Referral from

CASE P E PRESEN ENTATION Dr . Sushrut Patil 2 nd year PG in Psychiatry . Case - 1 Referral from

CASE P E PRESEN ENTATION Dr . Sushrut Patil 2 nd year PG in Psychiatry . Case - 1 Referral from OBG Department seen on 28 th February Case of G2P1L1 with 36 weeks of gestation with 1 previous LSCS on psychiatric medication was referred for

383 views • 25 slides

More recommend