Mo’ Budget, Mo’ Problems Steve Lord, Mandalorian.

1 Mo’ Budget, Mo’ Problems Steve Lord, Mandalorian

2 What is this talk about?
- Large IT Projects
- System Integrators
- SAP

3 What is SAP?
- Enterprise Resource Planning (SAP R/3)
- CRM
- EP
- HR
- FI/CO
- BW
- MM
- PP

4 What is SAP/R3, really?
- Business process re-implementation
- Fancy MIS framework with template processes
- Big basket for corporate eggs

5 Fundamentals of Large Projects
- The bigger the budget, the harder the fall
- Compound delays due to complex dependencies
- Corners cut to meet deadlines
- Functionality vs. Security
- Decision rarely based upon business case
  - When was the last time you signed off $xxx million?
- Don’t believe me?

6 Irish HSE PPARs and FISP Systems
- PPARs (HR) and FISP (FI/CO)
- Projected combined cost: £6.2mil
- PPARs cost when halted: £80mil
- FISP cost when halted: £20.7mil
- Revenues for Deloitte & Touche: £34.5mil
- Revenues for SAP: undisclosed (not part of D&T’s fees)

7 PPARs
“It’s like a case study in how not to run a project … It’s appalling stuff.” – Enda Kenny, Fine Gael Leader
PPARs could’ve paid for:
- A 600-bed hospital
- 20 St. Patrick’s Day beers for every man, woman and child in Ireland

8 HP’s Internal Failure
- iGSO
- Launched in 2002
- Consolidate 350 Digital, Compaq, HP, Tandem systems
- Expected finish date 2007

9 HP: The Adaptive Enterprise that couldn’t adapt
- Total cost of implementation failure:
  - US$400 mil (revenue)
  - US$275 mil (operating profit)
  - 3 executives’ heads
- Did I mention this was the total for Q3 2002?

10 How is SAP Implemented Internally?
- Usually poorly:
  - Inadequate skills/experience
  - Poor/no business requirements capture
  - Technology-driven implementation
  - Poor documentation
- Usually very expensive ($20mil+)

11 How is SAP implemented by External Integrators?
- Poorly:
  - Front-loading skills
  - Business requirements capture?
  - Partner-driven implementation
  - Poor/no documentation
  - Subject to contract wrangling
- Can be extremely expensive ($50mil+)

12 Where does it all go wrong?
- Lack of:
  - Communication
  - Contingency
  - Requirements capture/analysis
  - Simplicity
  - Security

13 Where does Security come in?
- At the end of a long queue
- By the time it reaches us, it is:
  - Non- or semi-functional
  - Delayed
  - Costing the business
- Security’s role is to SUSO (Shut Up, Sign Off)

14 Show me the SUSO
- You need to sign this off
- If you don’t:
  - You’re blocking the business
  - You’re costing us money
  - You’re getting in the way of the project
- If you do:
  - It’s your backside on the dotted line

15 End of Talk
- Oh, you want more?

16 This is the price, right? Come on down!

17 This is the price, right?

18 How it works
- Question is asked
- Potential answers are shown
- You have to guess which one of the answers was an actual response

19 Question 1

20 Why can’t we use SSH?
A) It (PuTTY) isn’t vendor supported
B) SFTP doesn’t support ASCII
C) We don’t have a PKI
D) Key management is too difficult
E) The TCO for OpenSSH is too high

21 Why can’t we switch off RSH?
A) It requires a server rebuild
B) It requires extensive testing that would cost millions
C) CowboyNeal
D) We use telnet, you insensitive clod!
E) We don’t know what it would break

22 Why did the SI buy the tin prior to completing the design stage?
A) Because the vendor rebate would be lower next year
B) Because the client will have to write off the hardware expenditure anyway
C) Because it’s easier to justify spending on one round of big tin than two rounds of smaller tin
D) If the client has already paid a fortune up front they’re less likely to pull the plug later

23 Why were all the consultants on the job South African?
A) Because of S.A.’s extensive investment in enterprise technology training
B) Because all the experienced guys are from Joburg
C) Because they’re cheaper than native employees and have a lesser understanding of local employment law

24 Why are these not risks?
A) Because it’s not live yet
B) Because you need an account to access the systems
C) Because you’d need to have an RSH client and a copy of finger to access the systems
D) Because you’d need to have an FTP client to gain access to an unshadowed /etc/passwd
E) Because there are plenty of other ways in
F) Because you’re holding the project up, so just sign off or there’ll be trouble

25 Well done!
- The good news is: people got prizes
- The bad news is: we’re all losers in the end

26 Breaking SAP Send in the clowns

27 SAP Structure
- Infrastructure Issues
- Front-End Application
- Business Logic
- Business Processes
- Database Skullduggery

28 Infrastructure Issues Let me paint you a picture

29 What does an SAP deployment look like?

30

31 Points of interest
- There is no standard deployment
- There should be firewalls involved
  - If there are, Any-Any rules may be used
- Sometimes the file server(s) are shared between dev, test and live too
- Sometimes the app server(s) are shared between dev, test and live too

32 How (not) to conduct an SAP Pentest
- Nmap
- Amap
- Nikto
- Nessus
- Metasploit

33 How to conduct an SAP Pentest
- Nmap (-sS and -sU only, no -sV or -A, and watch timings)
- Manual confirmation of services with standard client tools
  - RSH, Finger, Net View, Showmount, FTP
- No active exploitation
- Password guessing possible, but not automated

34 SAP Systems are
- Unpatched
- Unhardened
- Unmaintained (caveat: security)
- Unmanaged (caveat: security)

35 Once you’ve got local access
- Useful tools
  - R3Trans
  - TP
- SQL trusts
  - OSQL -E
  - SQLPLUS "/ as sysdba"
  - MySQL -u root, mysqld_safe

36 R3Trans
- Uses SAP’s abstracted SQL model (T-SQL)
- Uses ‘control files’ to perform actions upon databases
- R3Trans -d -v
  - Test database connection

37 R3Trans Control File
    EXPORT
    FILE='/tmp/.export/'
    CLIENT=000
    SELECT * FROM USR02
- Start with: R3Trans /tmp/control
- Don’t forget to check trans.log

38 Where to look
- /usr/sap/trans
- /usr/sap/
- /home/ adm
- There is no reason for these directories to be world writeable!
- Most should be 700, 770 or 775
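The permission point on this slide as an added check (Python written for this page, not code from the talk): it stats the three directories, flags anything world-writable or outside the 700/770/775 set, and reports owner and mode. The /usr/sap/<SID> and /home/<sid>adm forms and the sample SID "PRD" are assumptions.

```python
import os
import stat
from typing import Dict, List

# Modes the talk says these directories should normally have.
ALLOWED_MODES = {0o700, 0o770, 0o775}


def sap_dirs(sid: str) -> List[str]:
    """The directories the talk names, filled in for one system ID (SID), e.g. 'PRD'
    gives /usr/sap/PRD and /home/prdadm. The SID-based forms are an assumption."""
    return ["/usr/sap/trans", f"/usr/sap/{sid.upper()}", f"/home/{sid.lower()}adm"]


def classify_mode(mode: int) -> List[str]:
    """Return the problems with a permission mode; an empty list means acceptable."""
    problems = []
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    if mode not in ALLOWED_MODES:
        problems.append(f"mode {mode:04o} not in 700/770/775")
    return problems


def check_dir(path: str) -> Dict[str, object]:
    """Stat one directory and report its mode, owner and any problems found."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return {"path": path, "problems": ["missing"]}
    if not stat.S_ISDIR(st.st_mode):
        return {"path": path, "problems": ["not a directory"]}
    mode = stat.S_IMODE(st.st_mode)
    return {"path": path, "mode": f"{mode:04o}", "uid": st.st_uid, "gid": st.st_gid,
            "problems": classify_mode(mode)}


def audit(sid: str) -> List[Dict[str, object]]:
    """Check every directory for one SID; run this as the OS administrator on the host."""
    return [check_dir(p) for p in sap_dirs(sid)]


if __name__ == "__main__":
    for result in audit("PRD"):  # PRD is an assumed SID
        status = "OK " if not result["problems"] else "BAD"
        print(status, result["path"], result.get("mode", "-"), ", ".join(result["problems"]))
```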

39 From the trenches
“We use RSH to copy files around the environment. RSH has a feature called .rhosts which enables us to restrict access to specific users or hosts”

40 Front-End Issues Busting down the door citing section 404

41 What front-end?
- SAP has many:
  - SAPGUI
  - WebGUI/NetWeaver/ITS/EP
  - SAPRFC
- For the sake of time we will focus on SAPGUI
- These issues do apply elsewhere though

42 SAPGUI

43 SAPGUI
- See the box up next to the green tick?
- Use /? to start debugging
- Type in a transaction code (T-Code) to start a transaction

44 SAP Transactions of Note

45
- AL08 – Users Logged On
- AL11 – Display SAP Directories
- OS01 – LAN Check with Ping
- OS03 – Local OS Parameter Changes
- OS04 – Local System Configuration
- OS05 – Remote System Configuration
- OSS1 – SAP’s Online Service System
- PFCG – Profile Generator
- RZ01 – Job Scheduling Monitor
- RZ20 – CCMS Monitoring
- RZ21 – Customize CCMS Monitor
- SA38 – ABAP/4 Reporting
- SCC0 – Client Copy
- SE01 – Transport and Correction System
- SE13 – Maintain Technical Settings (Tables)
- SUIM – Repository Information System

46 You can’t access those!
- I can access them (or equivalents) if restrictions are based on:
  - Easy Access menu items
  - Transactions only
  - Custom tables (e.g. a ZUSERS table of allowed users)
- Restrictions need to be implemented at the Authorization level
- So what else is there?

47 Reports
- RPCIFU01 – Display File
- RPCIFU03 – Download Unix File
- RPCIFU04 – Upload Unix File
- RPR_ABAP_SOURCE_SCAN – Search ABAP for a string ;)
- RSBDCOS0 – Execute OS Command
- RSPARAM – Check System Parameters
- RSORAREL – Get the Oracle System Release

48 Tables
- Accessible through:
  - SE16 (Maintain Tables)
  - SE17 (Display Tables)
  - SA38 (Execute ABAP)
  - SE38 (ABAP Editor)
  - Customizations (ZZ_TABLE_ADMIN etc.)
- Will be covered later

49 Job Scheduler
- Can’t get OS access?
- Use SM36 or SM36WIZ instead
  - Specify immediate start
  - External program as step

50 Custom Transaction fun
- Input validation
  - Selection criteria expansion
  - Path specification (../../, // etc.)
  - Shell escapes (; /bin/ls, |"/bin/ls"| etc.)
  - SQL injection
- Export/Import file fun and games
- Bypass authorization checks

51 From the trenches
“As discussed in the meeting on with, we’ve agreed that there is no further action required. I appreciate that you are on holiday at the moment, but we will take your expected non-response in advance as agreement upon the matter.”

52 Database Skullduggery Here be Dragons

53 Database Stuff
- The database contains all the data.
- The database is accessed by SAP users through the SAP system.
- The SAP database is not subject to the same controls as SAP itself.
- WARNING: DO NOT MODIFY THE DATABASE WITHOUT PERMISSION SIGNED IN BLOOD (not yours)

54 Getting In
- Patch weaknesses
- Brute force
- Roundhouse kicks
- Default accounts

55 Speaking of Default Accounts
Default accounts (with Oracle hashes):
- DDIC/ (4F9FFB093F909574)
- SAP/SAPR3 (BEAA1036A464F9F0)
- SAP/ (B1344DC1B5F3D903)
- SAPR3/SAP (58872B4319A76363)
- EARLYWATCH/SUPPORT (8AA1C62E08C76445)

56 Note about Schemas
- <610 has SAPR3 as schema owner
- >610 uses SAP as schema owner

57 Database Queries of Note
- Select MANDT,BNAME,BCODE,USTYP,CLASS from..USR02
- SELECT * FROM UST04
- SELECT * FROM TSTCT WHERE SPRSL = 'E'
- SELECT * FROM DBCON
- exec master.dbo.xp_cmdshell 'cmd.exe /c net view'

58 Common Values in the DB
- ACTVT – Activity Code
- USTYP – User Type
- MANDT – Client Number
- BUKRS – Company Code
- BEGRU – Authorization

59 USTYP values
- USTYP specifies the type of user (used in USR02):
  - A – Dialog (interactive user)
  - C – Communications (CPIC)
  - D – System (BDC)
  - S – Service
  - L – Reference
- People often don’t change passwords on CPIC users as they’re not sure what breaks

60 Tables to look at
- BKPF – Accounting Header (FI)
- BSEG – Accounting Document Segment (FI)
- CEPC – Profit Master Data
- EKKO – PO Header
- RSEG – Incoming Invoice
- RBKP – Invoice Receipts
- KNA1 – Customer Master Records
- LFA1 – Vendor Master Records
- PNP – Personnel Data (HR only)
- CSKS – Cost Centre Master (HR)
- T569V – Payroll Control Records (HR)

61 Subverting Business Logic It’s not a lie, we just didn’t tell you that

62 How SAP Controls Access
- Local logon details in USR02
- Profile details in UST04, USR04 etc.
- Authorizations & Profiles

63 Custom SAP Code and Access Control
- ABAPs and Auths 101
- Authorization checks: AUTHORITY-CHECK OBJECT
- If the authority check statement isn’t there, it is assumed that you can go ahead!
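This slide's point, together with the RPR_ABAP_SOURCE_SCAN idea from slide 47, as an added detection example (Python written for this page, not code from the talk): a scanner over custom ABAP source that flags reports with no AUTHORITY-CHECK at all and, going one step beyond the slide, reports where the check is present but sy-subrc is never tested afterwards, which leaves the program just as open. The sample programs and the ZVENDOR_BK object are constructed; LFA1, BUKRS and ACTVT are the names the talk uses.

```python
import re
from typing import List

# The statement the talk names; the authorization object name is captured for the report.
AUTH_RE = re.compile(r"AUTHORITY-CHECK\s+OBJECT\s+'([A-Z0-9_/]+)'", re.IGNORECASE)
SUBRC_RE = re.compile(r"\bSY-SUBRC\b", re.IGNORECASE)


def strip_comments(src: str) -> str:
    """Drop '*' comment lines and '"' trailing comments (outside single-quoted
    literals), so a commented-out check is not mistaken for a real one."""
    kept = []
    for line in src.splitlines():
        if line.startswith("*"):
            continue
        in_literal = False
        for i, ch in enumerate(line):
            if ch == "'":
                in_literal = not in_literal
            elif ch == '"' and not in_literal:
                line = line[:i]
                break
        kept.append(line)
    return "\n".join(kept)


def scan_program(src: str) -> List[str]:
    """Return findings for one ABAP program; an empty list means every
    AUTHORITY-CHECK is immediately followed by a statement that tests sy-subrc."""
    # ABAP statements end with a period; periods inside literals are ignored for brevity.
    stmts = [s.strip() for s in strip_comments(src).split(".") if s.strip()]
    findings, seen_check = [], False
    for i, stmt in enumerate(stmts):
        m = AUTH_RE.search(stmt)
        if not m:
            continue
        seen_check = True
        following = stmts[i + 1] if i + 1 < len(stmts) else ""
        if not SUBRC_RE.search(following):
            findings.append(f"AUTHORITY-CHECK OBJECT '{m.group(1).upper()}' result (sy-subrc) never tested")
    if not seen_check:
        findings.append("no AUTHORITY-CHECK statement")
    return findings


# Constructed sample programs; ZVENDOR_BK is a made-up custom authorization object.
SAMPLE_PROGRAMS = {
    "ZVEND_OK": """REPORT zvend_ok.
PARAMETERS p_bukrs TYPE bukrs.
AUTHORITY-CHECK OBJECT 'ZVENDOR_BK' ID 'BUKRS' FIELD p_bukrs ID 'ACTVT' FIELD '03'.
IF sy-subrc <> 0.
  MESSAGE 'No authorisation for this company code' TYPE 'E'.
ENDIF.
SELECT lifnr name1 FROM lfa1 INTO TABLE lt_vendors WHERE bukrs = p_bukrs.""",
    "ZVEND_NOCHK": """REPORT zvend_nochk.
* TODO: add AUTHORITY-CHECK OBJECT 'ZVENDOR_BK' before go-live.
SELECT lifnr name1 FROM lfa1 INTO TABLE lt_vendors.""",
    "ZVEND_IGNORED": """REPORT zvend_ignored.
AUTHORITY-CHECK OBJECT 'ZVENDOR_BK' ID 'BUKRS' FIELD '1000' ID 'ACTVT' FIELD '03'.
SELECT lifnr name1 FROM lfa1 INTO TABLE lt_vendors.  " check made, result ignored""",
}
```

In practice the source text would be pulled from the system's repository for every Z* report rather than embedded as here.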

64 SAP Authorization Concept

65 Common Authorization Snafus
- ‘Pyramid Structure’ approach
- Overly restrictive approach
- Use standard SAP profiles approach
- Transactions/menu only approach
- Objects only approach

66 So what happens when things go wrong?

67 When things go wrong
- Too much access
- Too little access
- Disgruntled employees and no audit trail
- Enron-style fun

68 Business Process Hacking Where you too can be like Neo

69 Business Process Hacking
- When your business processes are correctly aligned all is good.
- When they aren’t…
- … And it’s even worse when it’s legislation

70 BPH vs. Social Engineering
From the Canadian Charter of Rights and Freedoms:
20. (1) Any member of the public in Canada has the right to communicate with, and to receive available services from, any head or central office of an institution of the Parliament or government of Canada in English or French, and has the same right with respect to any other office of any such institution where
a) there is a significant demand for communications with and services from that office in such language; or
b) due to the nature of the office, it is reasonable that communications with and services from that office be available in both English and French.
Is this charter open to abuse?

71 BPH Example
- User provisioning policy not correctly implemented
- Weakness: new users created but old ones not disabled
- Result: accounts can be used after owners leave
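The provisioning weakness on this slide, with the USTYP user types from slide 59, as an added reconciliation check (Python written for this page, not code from the talk): USR02 rows are matched against a leaver list so that unlocked dialog accounts of people who have left, and accounts nobody owns, are reported. UFLAG is the standard USR02 lock-status column (0 = unlocked), which the talk does not name; the Employee record and all sample data are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Usr02Row:
    """The USR02 columns the talk names, plus UFLAG, SAP's lock-status column (0 = unlocked)."""
    mandt: str
    bname: str
    ustyp: str  # A dialog, C communications (CPIC), D system (BDC), S service, L reference
    uflag: int


@dataclass(frozen=True)
class Employee:
    """Constructed HR/provisioning record: a person's SAP user IDs and leaving date, if any."""
    emp_id: str
    sap_users: List[str]
    left_on: Optional[date]


def reconcile(users: List[Usr02Row], staff: List[Employee], today: date) -> Dict[str, List[str]]:
    """Flag dialog users that should not be usable: the owner has left but the account is
    still unlocked, or nobody is recorded as the owner. Non-dialog users are listed for review."""
    owner_of: Dict[str, Employee] = {u: e for e in staff for u in e.sap_users}
    out: Dict[str, List[str]] = {"leaver_unlocked": [], "orphan": [], "non_dialog": []}
    for u in users:
        key = f"{u.mandt}/{u.bname}"
        if u.ustyp != "A":
            # CPIC/system/service users (slide 59): confirm an owner and password rotation by hand
            out["non_dialog"].append(key)
            continue
        emp = owner_of.get(u.bname)
        if emp is None:
            out["orphan"].append(key)
        elif emp.left_on is not None and emp.left_on <= today and u.uflag == 0:
            out["leaver_unlocked"].append(key)
    return out


# Constructed sample data, not taken from any real system. UFLAG 64 is an administrator lock.
SAMPLE_USERS = [
    Usr02Row("100", "JSMITH", "A", 0),
    Usr02Row("100", "ABROWN", "A", 0),
    Usr02Row("100", "ABROWN2", "A", 0),  # second account created, first never disabled
    Usr02Row("100", "TEMP01", "A", 0),   # nobody owns this one
    Usr02Row("100", "RFC_BW", "C", 0),
    Usr02Row("100", "KLEE", "A", 64),    # leaver, but correctly locked
]
SAMPLE_STAFF = [
    Employee("E001", ["JSMITH"], None),
    Employee("E002", ["ABROWN", "ABROWN2"], date(2006, 3, 31)),
    Employee("E003", ["KLEE"], date(2005, 1, 1)),
]


def run_sample(today_iso: str) -> Dict[str, List[str]]:
    """Reconcile the constructed data as of a given date (ISO format, e.g. '2006-04-30')."""
    return reconcile(SAMPLE_USERS, SAMPLE_STAFF, date.fromisoformat(today_iso))
```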

72 BPH Example #2
- Evening meal expense claim requires signature of most senior person present
- Then signed off by person at higher grade
- No requirement to list people present

73 How does this tie into SAP?
- SAP process integration
- If the process fits…
- If it doesn’t?

74 A word from our sponsors Well, Steve has to get revenue somehow

75 A word from our sponsors

76 OWASP-EAS Stays crisp in milk

77 OWASP-EAS
- What?
- Why?
- How?
- When?

78 What?
- OWASP Enterprise Application Security Project
- Enterprise Grade Schnizzle
- Requirements guidelines
- Audit programmes
- Business-level and tech guidance docs

79 Why?
- OWASP is great for web-based stuff
- It’s great for toy applications
- It’s not great for large business systems:
  - Not applicable
  - Not relevant
  - Not ‘Enterprise Grade’

80 How?
- Initial launch
  - Parent OWASP-EAS mailing list
  - Develop industry links
- Initial projects
  - OWASP-EAS RFP Guide
  - Security document templates
  - SAP Assessment Guide
  - White papers

81 When?
- Real Soon Now*
- Formal launch in June ‘06
- ‘Soft’ launch end April
  - Mailing list
  - Sub-projects initiation
- *may contain nuts

82 Conclusions

83 Conclusions
- SAP is teh r0x0r
- The people who implement it aren’t necessarily so
- OWASP-EAS will help them… to a point

