Tuesday, July 21, 2015

Exploiting SAP Database via Oracle OS Authentication


About Oracle OS authentication and the parameters SAP uses with it:

Oracle supports OS authentication, which allows Oracle to pass control of user authentication to the operating system. When a connection is attempted, the OS-level user name is sent to the Oracle server. Oracle accepts the connection only if that user is recognized; otherwise the connection is rejected.

The parameter "remote_os_authent" specifies whether remote clients will be authenticated with the value of the "os_authent_prefix" parameter.

SAP recommends the Oracle parameter setting “remote_os_authent = TRUE”, which means that Oracle will authenticate remote connections using the “os_authent_prefix” parameter value OPS$.

Oracle uses “os_authent_prefix = OPS$” to authenticate users attempting to connect to the server. Oracle concatenates the value of this parameter to the beginning of the user's operating system account name, e.g. “<domain>\IDSADM”.

So when Oracle runs on a Windows platform the OPS$ users look like:

  OPS$<domain>\IDSADM          where SID=IDS
  OPS$<domain>\SAPServiceIDS   where SID=IDS
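The naming rule and the two parameters above are easy to check from the defender's side. The following Python script is an added example (not code from the original post): it parses an init.ora-style parameter text, derives the OPS$ names an SAP system would need from a domain and SID, and flags remote_os_authent=TRUE together with any externally identified account that is not one of the expected SAP accounts. The parameter text, the user rows, the domain SAPIDES and the stale OPS$SAPIDES\OLDADMIN account are constructed sample data, not values from the post.

```python
"""Audit an Oracle parameter file and a list of externally identified users
for the OPS$ / remote_os_authent configuration described above.

Added example with constructed data: the parameter text and user rows are
made up to resemble an SAP-on-Oracle system (SID=IDS, domain SAPIDES).
"""
import re

# Constructed init.ora-style parameter text (hypothetical values).
SAMPLE_PARAMS = """
# constructed sample, not a real parameter file
*.db_name='IDS'
*.os_authent_prefix='OPS$'
*.remote_os_authent=TRUE
*.remote_login_passwordfile='EXCLUSIVE'
"""

# Constructed rows in the shape of DBA_USERS (USERNAME, AUTHENTICATION_TYPE).
SAMPLE_USERS = [
    ("SYS", "PASSWORD"),
    ("SAPSR3", "PASSWORD"),
    ("OPS$SAPIDES\\IDSADM", "EXTERNAL"),
    ("OPS$SAPIDES\\SAPSERVICEIDS", "EXTERNAL"),
    ("OPS$SAPIDES\\OLDADMIN", "EXTERNAL"),   # constructed stale account
]

PARAM_RE = re.compile(r"^(?:\*\.|\w+\.)?(\w+)\s*=\s*(.*)$")


def parse_params(text):
    """Return {parameter_name_lower: value} from init.ora-style text.

    Accepts 'name=value', '*.name=value' and 'SID.name=value' forms and
    strips surrounding quotes from the value.
    """
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PARAM_RE.match(line)
        if not m:
            continue
        params[m.group(1).lower()] = m.group(2).strip().strip("'\"")
    return params


def ops_user_name(os_user, prefix="OPS$"):
    """Database user name Oracle maps an OS account to: prefix + OS user,
    upper-cased as in the post's OPS$<domain>\\IDSADM example."""
    return prefix + os_user.upper()


def expected_sap_ops_users(domain, sid, prefix="OPS$"):
    """The two OPS$ accounts the post lists for an SAP system on Windows."""
    return {
        ops_user_name(f"{domain}\\{sid}ADM", prefix),
        ops_user_name(f"{domain}\\SAPSERVICE{sid}", prefix),
    }


def audit(params, users, domain, sid):
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []
    prefix = params.get("os_authent_prefix", "OPS$")      # Oracle default
    remote = params.get("remote_os_authent", "FALSE").upper() == "TRUE"
    if remote:
        findings.append("remote_os_authent=TRUE: Oracle accepts the OS user "
                        "name a remote client presents without verifying it")
    external = {u for u, t in users if t.upper() == "EXTERNAL"}
    expected = expected_sap_ops_users(domain, sid, prefix)
    for u in sorted(external - expected):
        findings.append(f"unexpected externally identified account: {u}")
    if remote:
        for u in sorted(external & expected):
            findings.append(f"{u} is reachable from any host that presents "
                            f"the matching OS user name")
    return findings


if __name__ == "__main__":
    for f in audit(parse_params(SAMPLE_PARAMS), SAMPLE_USERS, "SAPIDES", "IDS"):
        print("-", f)
```

The audit keys on the parameter file rather than on the live database so it can run offline against an exported copy; against a live system the same checks map to V$PARAMETER and DBA_USERS.AUTHENTICATION_TYPE.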

About SAP and Oracle Connectivity:

SAP customers widely use Oracle as their underlying database. In general, Oracle sees SAP as a single user accessing the database with the user “SAPSR3”, whose password is stored in the table “SAPUSER”.

In order to connect to the database and retrieve or update data, SAP first needs the password of the schema user “SAPSR3” stored in the “SAPUSER” table. To obtain it, SAP uses a connection mechanism called the OPS$ mechanism.

How does the OPS$ mechanism work?

  1. The SAP system initially contacts the Oracle database server using the OS-level user “<domain>\IDSADM”.
  2. This OS-level user must be the same as the OPS$ user maintained in the database and identified externally as “OPS$<domain>\IDSADM”.
  3. SAP retrieves the password of the SAP schema user “SAPSR3” stored in the SAPUSER table.
  4. Then it logs into the database as user “SAPSR3” to perform the transactions.

Can this be used for exploiting? Yes...

  1. SAP recommends the Oracle parameter “remote_os_authent = TRUE”, which allows OS-authenticated connections to the Oracle database server from remote hosts.
  2. On the other hand, the SAP OS-level user-ID always has the syntax “<Domain>\<SID>adm”.

Eg: “SAPIDES\IDSADM”,     where “SID=IDS”, “Domain/Host=SAPIDES”.

So on our local machine (Linux, in my case), I created a user-ID similar to “SAPIDES\IDSADM”.

Installed the Oracle Instant Client and connected to the remote Oracle database server using sqlplus.

The OS-level user "SAPIDES\IDSADM" corresponds to the Oracle DB-level user "OPS$SAPIDES\IDSADM".

Now we can access the table SAPUSER and retrieve the password hashes of the SAP schema user “SAPSR3”, from which we can recover the password of "SAPSR3".
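The connection just described leaves a trace: the Oracle listener logs every connect request with the program name, the client host name and the OS user name the client claims, plus the network address it actually came from. Because remote_os_authent=TRUE means the claimed user name is trusted, a detection has to key on the source address instead. The following Python script is an added example (not code from the original post) that parses classic listener.log lines and reports connections claiming an SAP admin OS user (<SID>adm or SAPService<SID>) from an address outside an allow-list of known SAP application servers. The log lines, host names and IP addresses are constructed sample data, not values from the post.

```python
"""Flag OS-authenticated SAP admin connections from unexpected hosts in
classic Oracle listener.log text.

Added example with constructed data: the three log lines below imitate the
"<timestamp> * (CONNECT_DATA=...) * (ADDRESS=...) * establish * <SID> * <rc>"
layout; hosts and addresses are invented.
"""
import re

SAMPLE_LOG = """\
21-JUL-2015 09:15:02 * (CONNECT_DATA=(SERVICE_NAME=IDS)(CID=(PROGRAM=disp+work)(HOST=sapides)(USER=IDSADM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.10)(PORT=51000)) * establish * IDS * 0
21-JUL-2015 09:16:40 * (CONNECT_DATA=(SERVICE_NAME=IDS)(CID=(PROGRAM=sqlplus)(HOST=lab-linux)(USER=SAPIDES\\IDSADM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.77)(PORT=43210)) * establish * IDS * 0
21-JUL-2015 09:17:05 * (CONNECT_DATA=(SERVICE_NAME=IDS)(CID=(PROGRAM=sqlplus)(HOST=dba-ws)(USER=jsmith))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.20)(PORT=43211)) * establish * IDS * 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \* \(CONNECT_DATA=.*?"
    r"\(CID=\(PROGRAM=(?P<program>[^)]*)\)\(HOST=(?P<chost>[^)]*)\)\(USER=(?P<user>[^)]*)\)\)\)"
    r" \* \(ADDRESS=\(PROTOCOL=(?P<proto>[^)]*)\)\(HOST=(?P<ip>[^)]*)\)\(PORT=(?P<port>\d+)\)\)"
    r" \* (?P<action>\w+) \* (?P<sid>\w+) \* (?P<rc>\d+)$"
)


def parse_log(text):
    """Return one dict per parsable connect line (fields named as in LINE_RE)."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def os_user_is_sap_admin(user, sid):
    """True for <SID>adm or SAPService<SID>, with or without a DOMAIN\\ prefix.

    The comparison is case-insensitive and ignores the domain part because
    that part is chosen by the client and carries no trust.
    """
    base = user.rsplit("\\", 1)[-1].upper()
    return base in {f"{sid.upper()}ADM", f"SAPSERVICE{sid.upper()}"}


def suspicious_connections(text, sid, allowed_ips):
    """Connections that claim an SAP admin OS user but originate from an
    address that is not a known SAP application server."""
    hits = []
    for row in parse_log(text):
        if row["action"] != "establish" or row["sid"] != sid:
            continue
        if os_user_is_sap_admin(row["user"], sid) and row["ip"] not in allowed_ips:
            hits.append({k: row[k] for k in ("ts", "user", "chost", "ip", "program")})
    return hits


if __name__ == "__main__":
    # Constructed allow-list: the one SAP application server in the sample.
    for hit in suspicious_connections(SAMPLE_LOG, "IDS", {"10.0.0.10"}):
        print(hit)
```

Only the source IP is taken as trustworthy; the PROGRAM, HOST and USER fields inside CID are client-supplied and are kept in the report purely as context. Disabling remote_os_authent removes the underlying exposure; the log check is for spotting attempts while that change is pending.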
