uncovering sap vulnerabilities reversing and breaking the
play

Uncovering SAP vulnerabilities: Reversing and breaking the Diag - PowerPoint PPT Presentation

Apr 08, 2023 •359 likes •785 views

Uncovering SAP vulnerabilities: Reversing and breaking the Diag protocol Martin Gallo Core Security Defcon 20 July 2012 P A G E Agenda Introduction Motivation and related work SAP Netweaver architecture and protocols layout

  1. Uncovering SAP vulnerabilities: Reversing and breaking the Diag protocol Martin Gallo – Core Security Defcon 20 – July 2012 P A G E

  2. Agenda • Introduction • Motivation and related work • SAP Netweaver architecture and protocols layout • Dissecting and understanding the Diag protocol • Results and findings • Defenses and countermeasures • Conclusion and future work 2 P A G E

  3. Introduction 3 P A G E

  4. Introduction • Leader business software provider • Sensitive enterprise business processes runs on SAP systems • SAP security became a hot topic • Some components still not well covered • Proprietary protocols used at different components 4 P A G E

  5. Introduction • Dynamic Information and Action Gateway (Diag) protocol (aka “SAP GUI protocol”) • Link between presentation layer (SAP GUI) and application layer (SAP Netweaver) • Present in every SAP NW ABAP AS • Compressed but unencrypted by default • Optional encryption using an additional component (SNC) • TCP ports 3200 to 3299 5 P A G E

  6. Motivation and related work 6 P A G E

  7. Previous work on Diag protocol Proprietary Sniffing Compression Proxy-like tools through algorithm tool reflection- disclosed Decompression method ? Wireshark plug-in Cain&Abel sniffing 7 P A G E

  8. Motivation • Previous work mostly focused on decompression • Protocol inner workings remains unknown • No practical tool for penetration testing • Relevant protocol in every NW installation # of Security Notes 836 734 Only 2 out of ~2300 security fixes 518 published by SAP 289 since 2009 affected components related to Diag 2009 2010 2011 2012 8 P A G E

  9. SAP Netweaver architecture and protocols layout 9 P A G E

  10. SAP Netweaver architecture http://help.sap.com/saphelp_nw70/helpdata/en/84/54953fc405330ee10000000a114084/frameset.htm 1 0 P A G E

  11. Relevant concepts and components • ABAP • SAP’s programming language • Dispatcher and work processes (wp) • Dispatcher : distribute user requests across wp • Work processes : handles specific tasks • Types: dialog , spool, update, background, lock • Dialog processing • Programming method used by ABAP • Separates business programs in screens and dialog steps 1 1 P A G E

  12. SAP Protocols layout Diag RFC Router BAPI SOAP Protocol NI (Network Interface) Protocol HTTP SSL Proprietary protocols Standard protocols 1 2 P A G E

  13. Dissecting and understanding the Diag protocol 1 3 P A G E

  14. Dissecting and understanding the Diag protocol Approach • ‘Black - box’ • Not reverse engineering of binaries • Enable system/developer traces (GUI/app server) • Analyze network and application traces • Learn by interacting with the components (GUI/app server) • Continuous improvement of test tools based on gained knowledge 1 4 P A G E

  15. Dissecting and understanding the Diag protocol NI (Network Interface) Protocol Diag Protocol Payload Diag Item 1 Compression DP Header Header Diag Header … (optional) (optional) Diag Item n 1 5 P A G E

  16. Dissecting and understanding the Diag protocol Initialization • Identified only two relevant protocol states: • Not initialized • Initialized • User’s context assigned in shared memory • Started by GUI application • Only first packet • Always uncompressed NI (Network Interface) Protocol Diag Protocol Payload Diag Item 1 Compressi DP Header Diag on Header … (optional) Header (optional) Diag Item n 1 6 P A G E

  17. Dissecting and understanding the Diag protocol DP Header • 200 bytes length • Two different semantics • IPC (inter process communication) • Used in communications between dispatcher and work processes • Synchronization and status • Network • Most fields filled with default values • NI (Network Interface) Protocol Relevant fields: Diag Protocol • Terminal name, Length Payload Diag Item 1 • Only present during initialization Compressi DP Header Diag on Header … (optional) Header (optional) Diag Item n (first packet) 1 7 P A G E

  18. Dissecting and understanding the Diag protocol Diag Header Compression enabled/disabled, encryption using SNC 0 1 2 3 4 5 6 7 Comm Mode Error Msg Msg Msg Comp Mode Flag Stat Flag type Info RC Flag NI (Network Interface) Protocol Identifies different sessions using the Diag Protocol Payload same channel Diag Item 1 Compressi DP Header Diag on Header … (optional) Header (optional) Diag Item n 1 8 P A G E

  19. Dissecting and understanding the Diag protocol Compression • Enabled by default • Uses two variants of Lempel-Ziv Adaptive Compression Algorithm • LZH (Lempel-Ziv-Huffman) LZ77 • LZC (Lempel-Ziv-Welch-Thomas) LZ78 • Same implementation as SAP’s MaxDB open source project NI (Network Interface) Protocol • Can be disabled in GUI by setting Diag Protocol Payload TDW_NOCOMPRESS environment Diag Item 1 Compressi DP Header Diag on Header … (optional) Header variable (optional) Diag Item n 1 9 P A G E

  20. Dissecting and understanding the Diag protocol Compression Header LZH: compression level LZC: max # of bits per code 0 4 5 7 Comp Magic Bytes Special Uncompressed length Alg x1F x9D Byte NI (Network Interface) Protocol LZH: 0x12 Diag Protocol LZC: 0x10 Payload Diag Item 1 Compressi DP Header Diag on Header … (optional) Header (optional) Diag Item n 2 0 P A G E

  21. Dissecting and understanding the Diag protocol Payload SES Fixed length (16 bytes) Session information ICO Fixed length (20 bytes) Icon information TIT Fixed length (3 bytes) Title information DiagMessage Fixed length (76 bytes) Old Diag message OKC (? Bytes) CHL Fixed length (22 bytes) SBA Fixed length (9 bytes) List items EOM Fixed length (0 bytes) End of message NI (Network Interface) Protocol Diag Protocol APPL/APPL4 Variable length Payload Diag Item 1 Compressi DIAG_XMLBlob Variable length XML Blob DP Header Diag on Header … (optional) Header (optional) Diag Item n SBA2 Fixed length (36 bytes) List items 2 1 P A G E

  22. Dissecting and understanding the Diag protocol APPL/APPL4 items 0 1 3..5 4..6 Type Length Field ID SID NI (Network Interface) Protocol Diag Protocol Payload Diag Item 1 Compressi APPL: 0x10 APPL: 2 bytes DP Header Diag on Header … (optional) Header (optional) APPL4: 0x12 APPL4: 4 bytes Diag Item n 2 2 P A G E

  23. Diag protocol security highlights Protocol version • APPL item included in payload during initialization • Can disable compression using version number “200” Authentication • Performed as a regular dialog step • Set user’s context on work processes shared memory Embedded RFC calls • APPL item that carries RFC calls in both directions • Server doesn’t accept RFC calls until authenticated 2 3 P A G E

  24. Results and findings 2 4 P A G E

  25. Packet dissection • Wireshark plug-in written in C/C++ • NI Protocol dissector • TCP reassembling • Router Protocol dissector • Basic support • Diag protocol dissector • Decompression • DP header / Diag Header / Compression Header • Item ID/SID identification and dissection of relevant items • Call RFC dissector for embedded calls • RFC protocol dissector • Basic coverage of relevant parts 2 5 P A G E

  26. Packet dissection 2 6 P A G E

  27. Packet crafting • Scapy classes • SAPNi • SAPDiagDP (DP Header) • SAPDiag (Diag header + compression) • SAPDiagItem • Custom classes for relevant Diag items • C++ extension for compression/decompression • PoC and example scripts • Information gathering • Login Brute Force • Proxy/MITM script • Diag server 2 7 P A G E

  28. Fuzzing approach • Fuzzing scheme using • scapy classes • test cases generation • delivery • windbg • monitoring • xmlrpc • syncronization • Monitoring of all work processes 2 8 P A G E

  29. Vulnerabilities found • 6 vulnerabilities released on May 2012 affecting SAP NW 7.01/7.02, fix available on SAP Note 168710 • Unauthenticated remote denial of service when developed traces enabled • CVE-2012-2511 – DiagTraceAtoms function • CVE-2012-2512 – DiagTraceStreamI function • CVE-2012-2612 – DiagTraceHex function 2 9 P A G E

  30. Vulnerabilities found • Unauthenticated remote denial of service • CVE-2012-2513 – Diaginput function • CVE-2012-2514 – DiagiEventSource function • Unauthenticated remote code execution when developer traces enabled • CVE-2012-2611 – DiagTraceR3Info function • Stack-based buffer overflow while parsing ST_R3INFO CODEPAGE item • Thanks to Francisco Falcon (@fdfalcon) for the exploit 3 0 P A G E

  31. Attack scenarios Target applications servers Exploit mentioned CVEs Attacker Gather server information SAP NW AS Login brute force 3 1 P A G E

  32. Attack scenarios Target GUI users Gather credentials Attacker Inject RFC calls in user’s GUI GUI Shortcut Rogue Server MitM GUI User GUI User GUI User SAP NW AS 3 2 P A G E

  33. Defenses and countermeasures 3 3 P A G E

Recommend

How reversing the COMBUS protocol resulted in breaking security Hacking COMBUS in a of a

How reversing the COMBUS protocol resulted in breaking security Hacking COMBUS in a of a

How reversing the COMBUS protocol resulted in breaking security Hacking COMBUS in a of a security system Paradox security system 16.11.2018. IT-SECX 2018, Austria Author Lead researcher at Possible Security, Latvia Hacking and

700 views • 29 slides
Uncovering Zero-Days and advanced fuzzing How to successfully get the tools to unlock UNIX and

Uncovering Zero-Days and advanced fuzzing How to successfully get the tools to unlock UNIX and

Uncovering Zero-Days and advanced fuzzing How to successfully get the tools to unlock UNIX and Windows Servers About the presentation Whoami Introduction 0days and the rush for public vulnerabilities And Advanced fuzzing techniques

432 views • 31 slides
Cross-platform reversing with Frida Ole Andr Vadla Ravns Cross-platform reversing with Frida

Cross-platform reversing with Frida Ole Andr Vadla Ravns Cross-platform reversing with Frida

Cross-platform reversing with Frida Ole Andr Vadla Ravns Cross-platform reversing with Frida Motivation Existing tools often not a good fit for the task at hand Creating a new tool usually takes too much effort Short feedback

1.17k views • 37 slides
Reversing a firmware uploader & Others NFC stories 1

Reversing a firmware uploader & Others NFC stories 1

7/1/2019 Reversing a Firmware uploader & others NFC stories Reversing a firmware uploader & Others NFC stories 1 file:///D:/projects/pts2019/dist/index.html 1/41 7/1/2019 Reversing a Firmware uploader & others NFC stories

920 views • 41 slides
Reversing early retirement in Reversing early retirement in OECD countries Bernhard Ebbinghaus

Reversing early retirement in Reversing early retirement in OECD countries Bernhard Ebbinghaus

Reversing early retirement in Reversing early retirement in OECD countries Bernhard Ebbinghaus Mannheim Centre for European Social Research (MZES) University of Mannheim www.mzes.uni-mannheim.de www.mzes.uni mannheim.de Overcoming early exit

380 views • 9 slides
Breaking out of the box Understanding rela5onships between learning and assessment Breaking

Breaking out of the box Understanding rela5onships between learning and assessment Breaking

Dr Nick Saville Breaking out of the box Understanding rela5onships between learning and assessment Breaking out of the box - a metaphor for thinking about rela5onships and interpreta5ons breaking out breaking out of the box of the

895 views • 68 slides
Reversing Java (Malware) with Radare Adam Pridgen April 2014 About me Rice SecLab, a PhD

Reversing Java (Malware) with Radare Adam Pridgen April 2014 About me Rice SecLab, a PhD

Reversing Java (Malware) with Radare Adam Pridgen April 2014 About me Rice SecLab, a PhD Student Independent InfoSec Consultant/Contractor Overview Typical Java Reversing Talk o Decompile Code o Make Changes o Recompile and Win?

868 views • 66 slides
Active Reversing Andrew Schaffer Greg Hoglund The goal Solve reverse engineering problems as

Active Reversing Andrew Schaffer Greg Hoglund The goal Solve reverse engineering problems as

Active Reversing Andrew Schaffer Greg Hoglund The goal Solve reverse engineering problems as quickly as possible without having to read disassembled code Advantages Active Reversing reveals contextual relationships between user actions,

1.41k views • 91 slides
NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2

NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2

1 NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2 Memory safety attacks Buffer overruns Format string vulnerabilities Web application vulnerabilities SQL injections Cross-site

901 views • 39 slides
vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration

vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration

Security & Knowledge Management a.a. 2019/20 There are a set of sources that provide updated information about security vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration CAPEC,

197 views • 8 slides
Reversing Land Degrada.on in Landlocked Countries

Reversing Land Degrada.on in Landlocked Countries

Reversing Land Degrada.on in Landlocked Countries Magda Lovei Prac&ce Manager for Environment and Natural Resources, World Bank I. Present

461 views • 18 slides
Reversing Hydraulic Fan Drives Stephen Frantz Staff Engineer Danfoss Power Solutions 1 1

Reversing Hydraulic Fan Drives Stephen Frantz Staff Engineer Danfoss Power Solutions 1 1

Reversing Hydraulic Fan Drives Stephen Frantz Staff Engineer Danfoss Power Solutions 1 1 Benefits/Requirements for a Reversing Hydraulic Fan Drive Requirements Benefits Returns to forward in the event of a control signal loss Increased

280 views • 15 slides
Operating System Hardening Vulnerabilities Unique vulnerabilities for: Different

Operating System Hardening Vulnerabilities Unique vulnerabilities for: Different

Operating System Hardening Vulnerabilities Unique vulnerabilities for: Different operating systems Different vendors Client and server systems Vendors try to correct Attackers try to exploit Security professionals must

620 views • 11 slides
Uncovering Interactions Between Moving Objects Gennady Andrienko & Natalia Andrienko

Uncovering Interactions Between Moving Objects Gennady Andrienko & Natalia Andrienko

Uncovering Interactions Between Moving Objects Gennady Andrienko & Natalia Andrienko http://geoanalytics.net Monica Wachowicz & Daniel Orellana Uncovering Interactions between Moving Objects Research Topic Research focus: interactions (

376 views • 26 slides
Jonathan Pollet conference Part 1: Control System Vulnerabilities control system vulnerabilities

Jonathan Pollet conference Part 1: Control System Vulnerabilities control system vulnerabilities

Rome, May 31, 2011 Jonathan Pollet conference Part 1: Control System Vulnerabilities control system vulnerabilities > analysis of 5 years of field data Jonathan Pollet, CISSP , CAP , PCIP Red Tiger Security [on behalf of the DHS CSSP

413 views • 20 slides
HOWTO Reminders Basic Vulnerabilities and their Vulnerabilities Exploitation Security Samuel

HOWTO Reminders Basic Vulnerabilities and their Vulnerabilities Exploitation Security Samuel

HOWTO Basic Vulnerabilities and their Exploitation Samuel Angebault HOWTO Reminders Basic Vulnerabilities and their Vulnerabilities Exploitation Security Samuel Angebault staphylo@lse.epita.fr http://lse.epita.fr/ July 18, 2013 Table

969 views • 57 slides
Parsing OSM XML iD OSMCha To-Fix Frontend Developer kepta kushan2020 Breaking down iD

Parsing OSM XML iD OSMCha To-Fix Frontend Developer kepta kushan2020 Breaking down iD

Parsing OSM XML iD OSMCha To-Fix Frontend Developer kepta kushan2020 Breaking down iD Breaking down iD 15% Rendering Painting 21% Javascript 64% HTML A sample of what iD is doing behind the scenes Breaking down JS 13% Draw Vector

426 views • 27 slides
THE MSSM FROM SS BREAKING MARIANO QUIROS, ICREA/IFAE HEP 2006 THE MSSM FROM SS BREAKING

THE MSSM FROM SS BREAKING MARIANO QUIROS, ICREA/IFAE HEP 2006 THE MSSM FROM SS BREAKING

THE MSSM FROM SS BREAKING MARIANO QUIROS, ICREA/IFAE HEP 2006 THE MSSM FROM SS BREAKING p.1/31 OUTLINE Introduction Higgs sector Tree-level masses EWSB and fine-tuning Supersymmetric spectrum Dark

361 views • 34 slides
Cross-platform reversing with at NoConName December 2015 by oleavr Who am I? My name is Ole

Cross-platform reversing with at NoConName December 2015 by oleavr Who am I? My name is Ole

Cross-platform reversing with at NoConName December 2015 by oleavr Who am I? My name is Ole Andr Vadla Ravns Author of Frida, CryptoShark, oSpy, libmimic... Developer, Hacker and Reverse Engineer Currently working at

1.26k views • 43 slides
Indian Rural Panel Uncovering the Farmers Mindset By Exclusive Indian Research partner

Indian Rural Panel Uncovering the Farmers Mindset By Exclusive Indian Research partner

Indian Rural Panel Uncovering the Farmers Mindset By Exclusive Indian Research partner with IRIS Date : 23 rd September, 2017 Indian Rural Panel Uncovering Farmers Mindset_777_520 1 Content Overview of Indian agriculture and

268 views • 24 slides
TRENDS IN WEB VULNERABILITIES MICHEL CHAMBERLAND Introduction Agenda Introduction

TRENDS IN WEB VULNERABILITIES MICHEL CHAMBERLAND Introduction Agenda Introduction

TRENDS IN WEB VULNERABILITIES MICHEL CHAMBERLAND Introduction Agenda Introduction Session Goals Presenter and Trustwave SpiderLabs background Analysis Overview Data Source Most frequently found SEVERE vulnerabilities

907 views • 62 slides
The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security

The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security

CS 640: Introduction to Computer Networks Aditya Akella Lecture 25 Network Security The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security Vulnerabilities Security Problems in the TCP/IP Protocol

1.29k views • 13 slides
Breaking Up Breaking Up Is Is Hard Hard To Do (But It Might To Do (But It Might Be Be Easier

Breaking Up Breaking Up Is Is Hard Hard To Do (But It Might To Do (But It Might Be Be Easier

Breaking Up Breaking Up Is Is Hard Hard To Do (But It Might To Do (But It Might Be Be Easier with a Prenup) Easier with a Prenup) Gregory S. Gregory S. William Williams, , Esq. Esq. Carr rruthe uthers & rs & Roth, P.A.

170 views • 6 slides
FunCap RAPID REVERSING WITH IDA PRO DEBUGGER ANDRZEJ DERESZOWSKI Who am I ? Security consultant

FunCap RAPID REVERSING WITH IDA PRO DEBUGGER ANDRZEJ DERESZOWSKI Who am I ? Security consultant

FunCap RAPID REVERSING WITH IDA PRO DEBUGGER ANDRZEJ DERESZOWSKI Who am I ? Security consultant with focus on incident handling, forensics and malware analysis Not a dedicated reverser RE is just part of my job => I avoid RE as much as

670 views • 15 slides

More recommend