Tuesday, July 21, 2015

Exploiting SAP Database via Oracle OS Authentication


About Oracle OS authentication, parameters used with SAP:

Oracle supports OS authentication, which allows Oracle to pass control of user authentication to the operating system. When a connection is attempted, the OS-level user name is sent to the Oracle server, and Oracle accepts the connection only if that user is recognized; otherwise the connection is rejected.

The parameter “remote_os_authent” specifies whether remote clients are authenticated using the value of the “os_authent_prefix” parameter.

SAP recommends the use of the Oracle parameter “remote_os_authent = TRUE”, which means that Oracle authenticates remote connections using the “os_authent_prefix” parameter value, OPS$.

Oracle uses “os_authent_prefix = OPS$” to authenticate users attempting to connect to the server: it prepends the value of this parameter to the user's operating system account name, e.g. “<domain>\IDSADM”.

So when Oracle runs on a Windows platform, the OPS$ users look like:
  • OPS$<domain>\IDSADM (where SID=IDS)
  • OPS$<domain>\SAPServiceIDS (where SID=IDS)

About SAP and Oracle Connectivity:

SAP customers widely use Oracle as their underlying database. In general, Oracle sees SAP as a single user accessing the database with the user “SAPSR3”, whose password is stored in the table “SAPUSER”.

In order to connect to the database and retrieve or update data, SAP first needs the password of the schema user “SAPSR3”, which is stored in the “SAPUSER” table. To obtain it, SAP uses a connection mechanism called the OPS$ mechanism.

How does the OPS$ mechanism work?

  1. The SAP system initially contacts the Oracle database server using the OS-level user “<domain>\IDSADM”. This OS-level user must be the same as the OPS$ user maintained in the database and identified externally as “OPS$<domain>\IDSADM”.
  2. SAP retrieves the password of the SAP schema user “SAPSR3” stored in the SAPUSER table.
  3. It then logs into the database as user “SAPSR3” to perform the transactions.
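
The OPS$ decision described in the steps above, modelled in Python so the effect of the two parameters can be seen side by side, together with a small audit of the output of SQL*Plus “show parameter”. This is an added example, not code from the original post; the parameter output and the user list are constructed, and the case-insensitive name matching is a simplification of Oracle's real rules.

```python
"""Model of Oracle OS (OPS$) authentication and an audit of the two
parameters involved.  Added example; not code from the original post.
The 'show parameter' output below is constructed."""
import re

DEFAULT_PREFIX = "OPS$"


def ops_user(os_user: str, prefix: str = DEFAULT_PREFIX) -> str:
    """Build the database user Oracle looks up for an OS-authenticated
    connection: os_authent_prefix prepended to the OS account name the
    client reports, e.g. 'SAPIDES\\IDSADM' -> 'OPS$SAPIDES\\IDSADM'."""
    return prefix + os_user


def would_accept(params: dict, external_users: set, os_user: str,
                 remote: bool) -> tuple:
    """Decide whether Oracle would accept an OS-authenticated logon.

    params         - init parameters, e.g. {'remote_os_authent': 'TRUE'}
    external_users - database accounts created IDENTIFIED EXTERNALLY
    os_user        - account name reported by the client (the server has
                     no way to verify it, which is the whole risk)
    remote         - True for a network connection, False for a local one
    Case-insensitive matching is a simplification (assumption)."""
    if remote and params.get("remote_os_authent", "FALSE").upper() != "TRUE":
        return False, "remote OS authentication is disabled"
    candidate = ops_user(os_user, params.get("os_authent_prefix", DEFAULT_PREFIX))
    known = {u.upper() for u in external_users}
    if candidate.upper() in known:
        return True, "matched externally identified user " + candidate
    return False, "no externally identified user named " + candidate


def parse_show_parameter(text: str) -> dict:
    """Parse the NAME / TYPE / VALUE table printed by 'show parameter'."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s+(string|boolean|integer)\s+(.*)$", line)
        if m:
            params[m.group(1).lower()] = m.group(3).strip()
    return params


def audit_os_authent(text: str) -> list:
    """Return the findings a DBA would want about the OS-auth settings."""
    params = parse_show_parameter(text)
    findings = []
    if params.get("remote_os_authent", "FALSE").upper() == "TRUE":
        findings.append("remote_os_authent=TRUE: a network client is trusted "
                        "to report its own OS account name")
    prefix = params.get("os_authent_prefix", DEFAULT_PREFIX)
    if prefix:
        findings.append(f"os_authent_prefix={prefix}: OS users map onto "
                        f"{prefix}* accounts; review every account "
                        "IDENTIFIED EXTERNALLY")
    return findings


# Constructed 'show parameter' output for an instance set up as the post describes.
SAMPLE_SHOW_PARAMETER = """\
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
os_authent_prefix                    string      OPS$
remote_os_authent                    boolean     TRUE
"""

if __name__ == "__main__":
    weak = {"remote_os_authent": "TRUE", "os_authent_prefix": "OPS$"}
    fixed = {"remote_os_authent": "FALSE", "os_authent_prefix": "OPS$"}
    users = {"OPS$SAPIDES\\IDSADM", "OPS$SAPIDES\\SAPSERVICEIDS"}
    print(would_accept(weak, users, "SAPIDES\\IDSADM", remote=True))
    print(would_accept(fixed, users, "SAPIDES\\IDSADM", remote=True))
    print(would_accept(fixed, users, "SAPIDES\\IDSADM", remote=False))
    for finding in audit_os_authent(SAMPLE_SHOW_PARAMETER):
        print("-", finding)
```

With remote_os_authent=TRUE the only thing standing between a remote client and the OPS$ account is the account name the client chooses to report; with it set to FALSE the same logon still works for a local connection but is refused over the network, which is what the audit function flags.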

Can this be used for exploiting? Yes...

  1. SAP recommends the use of the Oracle parameter “remote_os_authent = TRUE”, which enables remote communication with the Oracle database server.
  2. On the other hand, the SAP OS-level user ID always has the following syntax: “<Domain>\<SID>adm”.

E.g. “SAPIDES\IDSADM”, where “SID=IDS” and “Domain/Host=SAPIDES”.

So on our local machine (Linux, in my case), I have created a user ID similar to “SAPIDES\IDSADM”.

Installed the Oracle Instant Client and connected to the remote Oracle database server using sqlplus.

The OS-level user "SAPIDES\IDSADM" corresponds to the Oracle DB-level user "OPS$SAPIDES\IDSADM".

Now we can access the table SAPUSER and retrieve the password hashes of the SAP schema user “SAPSR3”, from which the password of "SAPSR3" can be recovered.

Thursday, July 9, 2015

Exploiting SAP Enterprise Portal via Invoker Servlet

What is the Invoker Servlet?

  • The invoker servlet is implemented in the InvokerServlet class, which is part of the J2EE Engine’s Web Container.
  • It is declared in the global-web.xml descriptor file and is mapped to the /servlet/* URL pattern.
  • It can invoke servlets either by servlet name or by fully-qualified class name. This behaviour is controlled by the initialization parameter “InvokeByClassName” defined for the invoker servlet.
  • The Invoker Servlet feature enables HTTP clients to invoke arbitrary servlets even if they are not defined in the application's web.xml file. For security reasons, the Invoker Servlet has to be disabled by default to avoid malicious invocation of application servlets.
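
The two things a defender would check, given the bullets above: whether global-web.xml still declares the invoker servlet (with InvokeByClassName and the /servlet/* mapping), and whether the web server's access log shows requests reaching that mapping. This is an added example, not code from SAP or from the original post; the descriptors and log lines are constructed, and the package name of the servlet class is a placeholder (only the class name InvokerServlet is taken from the post).

```python
"""Audit a web descriptor for the invoker servlet and flag access-log
requests that go through its /servlet/* mapping.  Added example; not SAP
code.  Descriptors, log lines and the package name are constructed."""
import re
import xml.etree.ElementTree as ET


def _local(tag: str) -> str:
    """Drop an XML namespace so the check works for DTD- and schema-based web.xml."""
    return tag.rsplit("}", 1)[-1]


def _text(elem, name: str) -> str:
    """Text of the first child element called `name`, or '' if absent."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def audit_invoker(descriptor_xml: str) -> list:
    """Return findings about an enabled invoker servlet in a descriptor."""
    root = ET.fromstring(descriptor_xml)
    findings, invoker_names = [], set()
    for servlet in root:
        if _local(servlet.tag) != "servlet":
            continue
        cls = _text(servlet, "servlet-class")
        if not cls.endswith("InvokerServlet"):
            continue
        name = _text(servlet, "servlet-name")
        invoker_names.add(name)
        findings.append(f"servlet '{name}' is the invoker servlet ({cls})")
        for param in servlet:
            if (_local(param.tag) == "init-param"
                    and _text(param, "param-name") == "InvokeByClassName"
                    and _text(param, "param-value").lower() == "true"):
                findings.append(f"'{name}' has InvokeByClassName=true: any "
                                "servlet is reachable by fully-qualified class name")
    for mapping in root:
        if (_local(mapping.tag) == "servlet-mapping"
                and _text(mapping, "servlet-name") in invoker_names):
            findings.append("invoker mapped to URL pattern "
                            + _text(mapping, "url-pattern"))
    return findings


def flag_invoker_requests(log_lines: list) -> list:
    """Return access-log lines whose request path passes through /servlet/."""
    pattern = re.compile(r'"(?:GET|POST|HEAD|PUT|DELETE) (/[^ ?"]*)')
    return [line for line in log_lines
            if (m := pattern.search(line)) and "/servlet/" in m.group(1)]


# Constructed descriptor with the invoker enabled, as the bullets describe.
WEAK_GLOBAL_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>com.example.placeholder.InvokerServlet</servlet-class>
    <init-param>
      <param-name>InvokeByClassName</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
</web-app>"""

# Constructed descriptor with the invoker declaration and mapping removed.
HARDENED_GLOBAL_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>portal</servlet-name>
    <servlet-class>com.example.placeholder.PortalServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>portal</servlet-name>
    <url-pattern>/portal/*</url-pattern>
  </servlet-mapping>
</web-app>"""

# Constructed access-log lines (common log format).
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Jul/2015:10:01:02 +0000] "GET /app/portal HTTP/1.1" 200 512',
    '10.0.0.9 - - [09/Jul/2015:10:01:07 +0000] "GET /app/servlet/com.example.Any HTTP/1.1" 200 77',
    '10.0.0.9 - - [09/Jul/2015:10:01:09 +0000] "POST /app/servlet/by-name?x=1 HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for finding in audit_invoker(WEAK_GLOBAL_WEB_XML):
        print("finding:", finding)
    print("hardened findings:", audit_invoker(HARDENED_GLOBAL_WEB_XML))
    for line in flag_invoker_requests(SAMPLE_LOG):
        print("review:", line)
```

On a hardened descriptor the audit returns nothing, and any remaining /servlet/ request in the log is then worth a look, because nothing legitimate should be mapped there once the invoker is gone.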

About SAPService<SAPSID>:

  • Since the SAP system runs as a Windows service, SAP has a special user account in the Windows environment, “SAPService<SAPSID>”, which runs all the Windows services related to SAP systems.
  • The account “SAPService<SAPSID>” also administers the SAP system and database resources.
  • As said above, activities performed via the Invoker Servlet are executed with “SAPService<SAPSID>” rights.

By taking advantage of the Invoker Servlet, we demonstrate malicious activities such as RCE (Remote Command Execution); creating, copying, moving and deleting files on the SAP server; and even altering SAP system profile parameters.

Creating the required folders on the server.

Copying files within the server.

Renaming a file on the server.

Deleting any file on the server.

Updating SAP System Profile Parameters: