
SAP Backdoor
Conducting SAP security research is one of my primary goals at Positive Technologies. In addition, I had to figure out what to talk about at our PHDays III forum. So a research topic was found: how to hide the fact that a user in an SAP system has the SAP_ALL profile (that is, all possible authorizations). If an attacker has managed to penetrate the system and gain the rights to create users and assign them privileges, the most likely next step for gaining a foothold in the system is to create a new account for themselves, with all the necessary rights of course. But such a user will show up in the results of internal and external audits, and it is hard to expect a user with SAP_ALL rights to go unnoticed.
So let's get started. I outlined two vectors of work:
- Confuse the reports that analyze permissions: by nesting profiles, using a reference user, roles, copies of the profile, etc.
- If you ask SAP specialists "How do I get a list of users who have certain rights?", they will name transaction SUIM and report RSUSR002, which are essentially one and the same. Hence the following idea: analyze the ABAP code of the RSUSR002 report and come up with a way to defeat the report's algorithm, thereby hiding the user.
For the first vector, those who are interested are invited to see the materials of my talk; the second is discussed below.
Let us turn to the logic of the report. The logic is simple: a list of all users of the system is taken, and each user is checked step by step for the presence of the required authorization. If the user does not meet the search conditions, the user is removed from the list. Everything seems to be simple... But during analysis, the following line attracts attention:

The user with the mysterious name '............' (12 dots) is removed from the output list. Let's check our assumption in practice: create a user whose name is 12 dots, assign various roles and profiles to it, and look at the results of the report. As expected, the user with this name is not in the results of the report!
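An added example (not from the original post or from SAP): a defender-side cross-check that compares a raw export of user-to-profile assignments with the user list a report such as RSUSR002 returned, and flags profile holders the report omitted. The tab-separated layout with BNAME and PROFILE columns (as in table UST04), the function names and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

HIDDEN_NAME = "." * 12  # the 12-dot user name the post says the report drops


def load_assignments(tsv_text):
    """Parse a tab-separated export that has BNAME and PROFILE columns."""
    reader = csv.DictReader(io.StringIO(tsv_text), delimiter="\t")
    return [(row["BNAME"].strip(), row["PROFILE"].strip()) for row in reader]


def is_nameless(bname):
    """True when a user name contains no letter or digit (only dots, dashes, ...)."""
    return bool(bname) and not any(ch.isalnum() for ch in bname)


def audit(assignments, report_users, profile="SAP_ALL"):
    """Compare raw profile assignments with the users the report listed."""
    listed = {u.strip().upper() for u in report_users}
    holders = sorted({b for b, p in assignments if p == profile})
    return {
        # Hold the profile in the raw table but absent from the report output.
        "missing_from_report": [b for b in holders if b.upper() not in listed],
        # Punctuation-only names deserve a manual look whatever they hold.
        "nameless_users": sorted({b for b, _ in assignments if is_nameless(b)}),
    }


# Constructed sample data: a raw table export and the report's user list.
SAMPLE_EXPORT = (
    "MANDT\tBNAME\tPROFILE\n"
    "100\tDDIC\tSAP_ALL\n"
    "100\tJSMITH\tZ_FI_DISPLAY\n"
    f"100\t{HIDDEN_NAME}\tSAP_ALL\n"
    "100\tBASIS_ADM\tSAP_ALL\n"
)
SAMPLE_REPORT = ["DDIC", "BASIS_ADM"]

if __name__ == "__main__":
    result = audit(load_assignments(SAMPLE_EXPORT), SAMPLE_REPORT)
    for finding, users in result.items():
        print(finding, users)
```

Only direct profile assignments are compared here; authorizations that reach a user through nested profiles, roles or a reference user have to be resolved before this comparison is meaningful.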
Isn't it interesting why the SAP manufacturer would need this? Of course, I cannot answer this question. Maybe this user was created when generating EARLYWATCH reports and “did” something in the system?
For the vulnerability, the following CVSS vector was determined:
CVSS Base Score: 4.6
CVSS Base Vector: AV:N/AC:H/AU:S/C:P/I:P/A:P
The rating seems to be low, but you will agree: it is unpleasant to realize that the manufacturer of the system in which we store and process all critical business information left such loopholes for hiding some specially created users. Actually, what could this be for?
However, it is not all bad. In June 2013 an update closing this vulnerability was released: SAP Note 1844202. By downloading the released update, you will get rid of this problem on your systems.
As can be seen from the table below, a patch has been released for all existing versions of SAP_BASIS, starting with version 4.6B. In other words, if you have not yet had time to update, then this backdoor is present on your system with one hundred percent probability.

That is, in fact, all I wanted to tell you. I recommend using the “note” initiated by your humble servant :)
SAP Security note 1844202: https://service.sap.com/sap/support/notes/1844202
Author: Dmitry Gutsko, leading expert at Positive Technologies.
P.S. Video (Valdai Hall from 16:00) and presentation slides at PHDays.