Friday, September 18, 2015

Backdoors in SAP ABAP Code Part-1



ABAP Intro:

ABAP is SAP's proprietary programming language used since last 30years. Almost 90% of the Business logic and functionality were written in ABAP. SAP delivers standard Business functionality and with standard programs(Developed by SAP, Shipped during installation). Any new developments or modification to ABAP Programs are logged in the system and later moved to Production system via SAP Change And Transport System (CTS).

Modification to Standard Programs:

SAP will not allow their customers to modify Standard Programs, but instead customers can perform modifications to standard ABAP programs only after following a process called SAP Software Change Registration (SSCR). According to this registration, SAP does not guarantee that the modified programs will not be overwritten in the future SAP upgrades.

Custom Developments:

In order to meet the business requirements of their customers, SAP allows them to develop their own custom ABAP programs and custom business scenarios via builtin development environment. All the custom developments and program names will start with letters 'Y' and 'Z' (also called zprograms).


ABAP Backdoors:

Like many other application, SAP is vulnerable to backdoors. Backdoors can be used to bypass authorization checks and authentication mechanisms in an application. These backdoor can take different forms like hardcoded usernames within ABAP program, hardcoded credentials in RFC connections without use of encryption, Maintaining default User names and Password.

All the SAP standard and custom ABAP programs are stored at Database level in table "REPOSRC". Source code of all the programs exists in "DATA" field of table "REPOSRC" in compressed format.

Hard-Coded Usernames:

It's been found that many custom developed ABAP programs contain hardcoded usernames like below code snippets and were moved to Production systems. Even the SAP Standard Programs have room for hardcoded usernames, these hardcoded usernames were left by developers for testing purpose and were delivered to the SAP customers. Attacker can take advantage of these hardcoded usernames to bypass security controls and can perform critical business transactions.

Lets check the first ABAP code snippet with hardcoded Username "Dev":
...
Snippet-1
.........
TABLES: USR02.
 DATA:  YLOCK(1) TYPE X VALUE  '0', ZLOCK(1) TYPE X VALUE '64'.
 parameters: client like sy-mandt.

CHECK SY-UNAME = 'Dev'. (SY-UNAME contains the name of currently logged-on user)

      select * from usr02 client specified
       where mandt = client.
       usr02-UFLAG =  ZLOCK.
       UPDATE  USR02 client specified.
      endselect.
...

Execution Flow:

  • Program checks if the current user account is "Dev" or not.
  • If the current user is "Dev", system locks all the users available in the specified client.
  • If the user is not "Dev", it does nothing.

Risk:

  • In general, locking down all the users in an SAP system can lead to DOS(Denial Of Service) attack.
  • Here an attacker can take advantage of these hard-coded checks to bypass security controls.
  • In this case, if attacker creates the user account "Dev" and execute the program in Production system. All users will be locked.



Snippet-2 with hardcoded Username "DEVELOPER"

ABAP System field "SY-UNAME" in the code snippets always contains the name of currently logged-on user. ABAP developers make use of statement "AUTHORITY-CHECK" to performs the authorization checks wherever required. These checks are performed based on arguments (authorization object, field, values) passed in "AUTHORITY-CHECK" statement.
...
Snippet-2
.........
IF sy-uname <> 'DEVELOPER'. (SY-UNAME contains the name of currently logged-on user)
    AUTHORITY-CHECK OBJECT <authorization object="">
     ID <authority 1="" field=""> FIELD <field 1="" value="">. 
     ID <authority 2="" field=""> FIELD <field 2="" value="">. 
ENDIF.
...

Execution Flow:

  • Above code snippet makes use of IF statement to check whether the current user is "DEVELOPER" or not.
  • If current user is different from the account "DEVELOPER", then system performs the authorization checks as defined.
  • If the user account is equal to "DEVELOPER", then system skips the authorization checks and continues the execution with other code.


Risk:

  • Attacker can take advantage of hard-coded checks to bypass security controls.
  • If the attacker doesn't have required authorization, he creates a new user account "DEVELOPER" and execute the program, which in this case if user account is "DEVELOPER" system does not perform authorization checks thereby bypasses the security check.


Countermeasures:

  • Before moving ABAP developments to Production, use SAP standard report RS_ABAP_SOURCE_SCAN to search and detect dangerous ABAP code snippets.
  • As recommended by SAP check and apply the security notes on regular basis.

Reference:






Posted by at No comments:

Thursday, September 10, 2015

Backdoor in SAP User Master Record



SAP User master holds the information related to the User, Personal information, Assigned roles and authorizations, etc. In the world of SAP, any user with Authorization Profile "SAP_ALL" will have the highest privileges in the System.

In the previous post, we have noticed that the SAP systems store passwords in database table USR02 and can generate downwards-compatible hashes in order to communicate properly with the interconnected SAP systems (older versions) where newer hashing mechanisms are not supported.

During the logon procedure, a hash value of a password is generated by the system outside the SAP kernel and then compared with the stored password hashes in the USR02 table. This process is controlled by SAP parameter "login/password_downwards_compatibility".

As per the requirement SAP administrators can set different values-(0-5) for the parameter "login/password_downwards_compatibility". In the newer SAP Releases this parameter is delivered with a default value set to '1'.

Parameters          
------------------------------------------------------
login/password_downwards_compatibility  

Values (0-5) as below
------------------------------------------------------
0: Stores passwords in a format that systems with older kernels cannot interpret. The system only generates new (non-backward-compatible) password hash values.

1: System generates backward compatible password hash values internally, but does not evaluate these for password-based logons (to its own system). 

2: System generates backward compatible password hash values internally and checks them when logon using non-backward compatible password (newer hashes) fails. In this way, the system checks whether the logon would have been accepted with the backward compatible password (truncated after eight characters, and converted to uppercase).

3: As with 2, but the logon is regarded as successful. This setting is to allow the avoidance of backward incompatibility problems.

4: As with 3, but the system does not create an entry in the system log.

5: Full backward compatibility: the system only creates backward compatible password hash values.


SAP system supports different password hashing algorithms called Code Versions, but due to downwards-compatibility requirement newer SAP Releases are still having support for older password hash algorithms, Some SAP releases use code versions 'G'. for more info about SAP Code Versions check here.


One thing to be clear, SAP Code version 'G' is not an algorithm. But its a combination of both Code Version 'B' and 'F'. Which means when we use code version 'G' SAP generates two types of hashes and stores them in database:

  • Code Version 'B' password is stored as MD5 hash (up to 8-characters, Upper case) in "BCODE" field of table USR02
  • Code Version 'F' password is stored as SHA1 hash (up to 40-characters, Case insensitive) in "PASSCODE" field of table USR02




How can a attacker could gain the highest privileges (SAP_ALL)...?
  • Attacker generates his own MD5 password hash for userid BASIS. 
  • Replaces the BASIS user's password hash with a attacker's hash by updating the "BCODE" field in SAP table USR02. 
  • Changes the SAP Profile parameter "login/password_downwards_compatibility" value to '4' (no SAP system log entry).
  • Logs into the SAP system with the user BASIS and his own password, without knowing the legitimate user's password.
  • Now the legitimate user can log into the system with his userID and password, whereas the attacker can also log into the system using the same userID (i.e. BASIS) but with different password.
  • Attacker can now login to SAP system without knowing the actual password, Once getting access into the system he could assign the required permissions or can perform some database activities.

Countermeasure:
  • Restrict access to all critical tables. 
  • Changes to the value of profile parameters should be monitored.
  • Set the parameter "login/password_downwards_compatibility" value to '0', if downwards-compatibility not required. 
  • 1023437 - ABAP syst: Downwardly incompatible passwords (since NW2004s)
  • 1458262 - ABAP: recommended settings for password hash algorithms


Posted by at No comments:
Subscribe to: Posts (Atom)