Uncovering SAP vulnerabilities: Reversing and breaking the Diag protocol
Martin Gallo - Core Security
Defcon 20 - July 2012

Agenda
• Introduction
• Motivation and related work
• SAP Netweaver architecture and protocols layout
• Dissecting and understanding the Diag protocol
• Results and findings
• Defenses and countermeasures
• Conclusion and future work

Introduction
• Leading business software provider
• Sensitive enterprise business processes run on SAP systems
• SAP security became a hot topic
• Some components still not well covered
• Proprietary protocols used at different components

Introduction
• Dynamic Information and Action Gateway (Diag) protocol (aka "SAP GUI protocol")
• Link between presentation layer (SAP GUI) and application layer (SAP Netweaver)
• Present in every SAP NW ABAP AS
• Compressed but unencrypted by default
• TCP ports 3200 to 3298

Motivation and related work

Previous work on Diag protocol
[timeline figure; recoverable entries:]
• Proprietary tools
• Sniffing through reflection method
• Compression algorithm disclosed
• Proxy-like tool
• Decompression Wireshark plug-in
• Cain&Abel sniffing

Motivation
• Previous work mostly focused on decompression
• Protocol inner workings remain unknown
• No practical tool for penetration testing
• Only 2 out of ~2300 security fixes published by SAP since 2009 affected components related to Diag
[chart of security fixes per year, 2009 to 2012]

SAP Netweaver architecture and protocols layout

SAP Netweaver architecture
[architecture diagram: SAP GUI and browser clients; Internet Communication Manager (ICM); Dispatcher and Java Dispatcher; ABAP and Java work processes (ABAP VM / Java VM); Message Server and Enqueue Server (Central Services); SDM and J2EE Engine; SAP database schemas]

Relevant concepts and components
• ABAP
  • SAP's programming language
• Dispatcher and work processes (wp)
  • Dispatcher: distributes user requests across wp
  • Work processes: handle specific tasks
  • Types: dialog, spool, update, background, lock
• Dialog processing
  • Programming method used by ABAP
  • Separates business programs into screens and dialog steps

SAP Protocols layout
[protocol layout diagram]

Dissecting and understanding the Diag protocol

Approach
• 'Black-box'
  • No binary reverse engineering techniques were used
• Enable system/developer traces (GUI/app server)
• Analyze network and application traces
• Learn by interacting with the components (GUI/app server)
• Continuous improvement of test tools based on gained knowledge

NI (Network Interface) Protocol
[protocol diagram]

Initialization
• Identified only two relevant protocol states:
  • Not initialized
  • Initialized
    • User's context assigned in shared memory
• Started by GUI application
  • Only first packet
  • Always uncompressed

DP Header
• 200 bytes length
• Two different semantics
  • IPC (inter process communication)
    • Used in communications between dispatcher and work processes
    • Synchronization and status
  • Network
    • Most fields filled with default values
    • Relevant fields: Terminal name, Length
• Only present during initialization (first packet)

Diag Header
[header field diagram: Mode, Com Flag, Mode Stat, Error Flag, Msg Type, Msg Info, Msg RC, Comp Flag; annotations: "Compression enabled/disabled, encryption using SNC" and "Identifies different sessions using the same channel"]

Compression
• Enabled by default
• Uses two variants of Lempel-Ziv Adaptive Compression Algorithm
  • LZH (Lempel-Ziv-Huffman): LZ77
  • LZC (Lempel-Ziv-Welch-Thomas): LZ78
• Same implementation as SAP's MaxDB open source project
• Can be disabled in GUI by setting TDW_NOCOMPRESS environment variable

Compression Header
[header field diagram: Uncompressed length, Comp Alg, Magic Bytes (0x1F 0x9D), Special Byte]
• Comp Alg: LZH 0x12, LZC 0x10
• Special Byte: LZH: compression level; LZC: max # of bits per code

Payload
Item          Length                    Description
SES           Fixed length (16 bytes)   Session information
ICO           Fixed length (20 bytes)   Icon information
TIT           Fixed length (3 bytes)    Title information
Diag Message  Fixed length (76 bytes)   Old Diag message
OKC           (? bytes)
CHL           Fixed length (22 bytes)
SBA           Fixed length (9 bytes)    List items
EOM           Fixed length (0 bytes)    End of message
APPL/APPL4    Variable length
DIAG XMLBlob  Variable length           XML Blob
SBA2          Fixed length (36 bytes)   List items

APPL/APPL4 items
[item layout diagram: Type, Length Field, ID, SID]
• Type: APPL 0x10, APPL4 0x12
• Length field: APPL 2 bytes, APPL4 4 bytes
• Variable length value

Diag protocol security highlights
• Protocol version
  • APPL item included in payload during initialization
  • Can disable compression using version number "200"
• Authentication
  • Performed as a regular dialog step
  • Sets user's context on work processes shared memory
• Embedded RFC calls
  • APPL item that carries RFC calls in both directions
  • Server doesn't accept RFC calls until authenticated

Results and findings

Packet dissection
• Wireshark plug-in written in C/C++
• NI Protocol dissector
  • TCP reassembling
• Router Protocol dissector
  • Basic support
• Diag protocol dissector
  • Decompression
  • DP header / Diag Header / Compression Header
  • Item ID/SID identification and dissection of relevant items
  • Call RFC dissector for embedded calls
• RFC protocol dissector
  • Basic coverage of relevant parts

Packet dissection
[Wireshark screenshot, capture filtered on "sapdiag": SAPDIAG packets between 10.0.0.4 and 10.0.0.103; the selected packet (659 bytes, Uncompressed Length=1051) dissected as SAP NI Protocol (Len: 589), SAP Diag Protocol header (Compress: compression switched on (0x01)), Compression Header (Uncompressed Length: 1051, Compression Algorithm: LZH (0x12), Magic Bytes: 0x1f9d, Special: 0x02) and APPL ST_R3INFO items such as SUPPORTDATA, CODEPAGE_DIAG_GUI, CODEPAGE_APP_SERVER_1, CONTEXTID, DBNAME (Value=NSP), CPUNAME (Value=win2003-NW702), USERID, MODENUMBER, IMODENUMBER, IMODEUUIDS2, GUI_THEME (Value=TRADESHOW) and basis version=702 / kernel version=7200 information]
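A small parser for the Diag header, compression header and APPL/APPL4 items described on the slides above, as an added example: it is my own code, not the talk's Wireshark plug-in or Scapy classes. It assumes one byte per Diag header field, a little-endian uncompressed-length field, item fields in the order type, id, sid, length with a big-endian length, and it works on constructed messages whose item id/sid bytes are placeholders (the values echo the dissector screenshot); LZH/LZC decompression is not implemented.

```python
import struct

# Diag header, one byte per field (assumed): Mode, Com Flag, Mode Stat, Error Flag, Msg Type, Msg Info, Msg RC, Compress
HEADER_FIELDS = ("mode", "com_flag", "mode_stat", "err_flag", "msg_type", "msg_info", "msg_rc", "compress")
# Compression header: uncompressed length (4 bytes, little-endian assumed), algorithm, magic bytes, special byte
COMP_HEADER = struct.Struct("<IB2sB")
ALGORITHMS = {0x12: "LZH", 0x10: "LZC"}
VARIABLE_ITEMS = {0x10: ("APPL", 2), 0x12: ("APPL4", 4)}  # item type -> (name, size of its length field)

def parse_diag(data):
    """Split one Diag message into header, optional compression header and (when uncompressed) its items."""
    if len(data) < 8:
        raise ValueError("short Diag header")
    hdr, body = dict(zip(HEADER_FIELDS, data[:8])), data[8:]
    if hdr["compress"] != 0x01:  # compression off (TDW_NOCOMPRESS, or the first packet): items follow directly
        return {"header": hdr, "compression": None, "items": parse_items(body)}
    if len(body) < COMP_HEADER.size:
        raise ValueError("short compression header")
    ulen, alg, magic, special = COMP_HEADER.unpack_from(body)
    if magic != b"\x1f\x9d" or alg not in ALGORITHMS or ulen > 1 << 20:  # the 1 MiB cap is a local sanity limit
        raise ValueError("bad compression header")
    comp = {"uncompressed_length": ulen, "algorithm": ALGORITHMS[alg], "special": special,
            "compressed": body[COMP_HEADER.size:]}  # still compressed; LZH/LZC decoding is out of scope here
    return {"header": hdr, "compression": comp, "items": None}

def parse_items(body):
    """Walk APPL/APPL4 items (type, id, sid, length, value), refusing any length that overruns the buffer."""
    items, off = [], 0
    while off < len(body):
        if body[off] not in VARIABLE_ITEMS:
            raise ValueError(f"unsupported item type 0x{body[off]:02x} at offset {off}")
        name, lsize = VARIABLE_ITEMS[body[off]]
        start = off + 3 + lsize
        length = int.from_bytes(body[off + 3:start], "big")
        if start + length > len(body):  # the bound check a crashing trace routine would have needed
            raise ValueError(f"{name} item at offset {off} overruns the message")
        items.append({"type": name, "id": body[off + 1], "sid": body[off + 2], "value": body[start:start + length]})
        off = start + length
    return items

def is_rejected(data):
    try:
        return parse_diag(data) is None
    except ValueError:
        return True

# Constructed samples (not captured traffic); item id/sid bytes are placeholders, values echo the dissector screenshot
UNCOMPRESSED = bytes(8) + b"\x10\x06\x02" + (3).to_bytes(2, "big") + b"NSP" \
    + b"\x12\x06\x03" + (13).to_bytes(4, "big") + b"win2003-NW702"
COMPRESSED = bytes(7) + b"\x01" + COMP_HEADER.pack(1051, 0x12, b"\x1f\x9d", 0x02) + bytes(16)
TRUNCATED = bytes(8) + b"\x10\x06\x02" + (40).to_bytes(2, "big") + b"NSP"  # claims 40 value bytes, carries 3
```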
Packet crafting
• Scapy classes
  • SAPNI
  • SAPDiagDP (DP Header)
  • SAPDiag (Diag header + compression)
  • SAPDiagItem
  • Custom classes for relevant Diag items
• PoC and example scripts
  • Information gathering
  • Login brute force
  • Proxy/MITM script
  • Diag server

Fuzzing approach
• Fuzzing scheme using
  • scapy classes: test case generation and delivery
  • windbg: monitoring
  • xmlrpc: synchronization
• Monitoring of all work processes

Vulnerabilities found
• 6 vulnerabilities released on May 2012 affecting SAP NW 7.01/7.02, fix available on SAP Note 168710
• Unauthenticated remote denial of service when developer traces enabled
  • CVE-2012-2511 - DiagTraceAtoms function
  • CVE-2012-2512 - DiagTraceStreamI function
  • CVE-2012-2612 - DiagTraceHex function

Vulnerabilities found
• Unauthenticated remote denial of service
  • CVE-2012-2513 - Diaginput function
  • CVE-2012-2514 - DiagiEventSource function
• Unauthenticated remote code execution when developer traces enabled
  • CVE-2012-2611 - DiagTraceR3Info function
  • Stack-based buffer overflow while parsing ST_R3INFO CODEPAGE item
  • Thanks to Francisco Falcon (@fdfalcon) for the exploit

Attack scenarios
• Target application servers
[diagram]

Attack scenarios
• Target GUI users
[diagram]

Defenses and countermeasures

Defenses and countermeasures
• Restrict network access to dispatcher service
  • TCP ports 3200-3298
  • Use application layer gateways
• Implement SNC client encryption
  • Provides authentication and encryption
  • Available for free at SAP Marketplace since 2011
  • See SAP Note 1643878
• Restrict use of GUI shortcuts
  • SAP GUI > 7.20: disabled by default
  • See SAP Note 1397000

Defenses and countermeasures
• Use WebGUI with HTTPS
  • See SAP Note 314568
• Patch regularly
  • Patch Tuesday
  • RSECNOTE program, see SAP Note 888889
• Patch CVEs affecting Diag
  • Look at Core's advisory for mitigation/countermeasures
  • See SAP Note 168710
• Test regularly

Conclusion and future work

Conclusion
• Protocol details now available to the security community
• Practical tools for dissection and crafting of the protocol's messages published
• New vectors for testing and assessing SAP environments
• Discussed countermeasures and defenses

Future work
• Security assessment and fuzzing of GUI/app server
• Complete dissection of embedded RFC calls
• Full implementation of attack scenarios
• Integration with external libraries and exploitation tools
• Security assessment of SNC and coverage of encrypted traffic

Q & A

Thank you!
Thanks to Diego, Flavio, Dana, Wata and Euge

References
https://service.sap.com/sap/support/notes/1643879
http://www.secaron.de/Content/presse/fa^
http://conus.info/RE-articles/sapgui.html
http://www.sensepost.com/labs/conferences/2011/systems_application_proxy_pwnage
http://ptresearch.blogspot.com/2011/10/sap-diag-decompress-plugin-for.html
http://www.oxid.it/index.html
https://service.sap.com/securitynotes
http://help.sap.com/saphelp_nw70/helpdata/en/84/54953fc405330ee10000000a114084/frameset.htm
http://www.troopers.de/wp-content/uploads/2011/04/TR11_Wiegenstein_SAP_GUI_hacW
http://www.virtualforge.com/tl_files/Theme/Presentations/The%20ABAP%20Underverse%20-%20S
http://www.wireshark.org/
http://www.secdev.org/projects/scapy/
http://www.coresecurity.com/content/sap-netweaver-dispatcher-multiple-vulnerabilities
https://service.sap.com/sap/support/notes/168791
http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/cc212b3fa5296fe10000000a42189b/frameset.ht
https://service.sap.com/sap/support/notes/1643878
https://service.sap.com/sap/support/notes/1397000
https://service.sap.com/sap/support/notes/314568
https://service.sap.com/sap/support/notes/888889