Let me introduce myself and my story of growing from security researcher, pentester, and consultant to SAP Security expert. I hope it may help you in your way of becoming a professional in this area too. Now I’m CTO and co-founder of ERPScan, a company providing services and solutions to assess and secure SAP and Oracle’s business applications from attacks and insider frauds. I’m also a founder and a president of EAS-SEC, an organization focused on business application security. It was almost 10 years ago when I met the SAP Security issue for the first time. I was an intern pentester at a consulting company. During one of penetration tests in a large Oil organization, there was a server called SAP in our scope. I was not aware of these systems and their security at all, for me it was just yet another box I needed to exploit, get access to OS, create a screenshot with root access and then include it in the report along with hundreds of other servers. When all traditional tests such as OS vulnerabilities, SSH bruteforce, public exploits for different services, and other typical ways to get unauthorized access hadn’t succeeded, I tried to find something about this system (which apparently was SAP ERP) in public sources. Unfortunately (or fortunately), there was almost nothing on SAP Security area except some articles covering Segregation of Duties and access control. Thus, all that was possible to find was some information about how to configure a user account to prevent executing two critical actions such as create payment order and then approve it. However, methods that an attacker can get access to SAP without any rights and how to analyze whether any vulnerabilities exist in the system were missing. There wasn’t any information about vulnerabilities except a couple of buffer overflows, without any examples of working exploits. I decided to explore this system by myself. Surprisingly, it took me 15 minutes to find a 0-day vulnerability in the system and I obtained full access to SAP. At that moment, for me it was just another “BOX” which I needed to “PWN”. When we presented managers of the company our findings, they were shocked that we could break into such crucial system, that it was quite easy to do and that the system stored all mission-critical data of their company. After that, I realized that SAP system was crucial for every company and, surprisingly, nobody cared about its security, so I decided that I definitely should learn more about ERP systems. A completely new world of Business applications, totally unknown for most of the security experts opened to me. It was a kind of an insight – “What’ the use of hacking Domain Controller or network equipment of workstations if it’s much easier to directly target enterprise business applications such as SAP, which are weak to nothing in regards to security and allow committing fraud within a couple of mouse clicks”. This idea completely changed my conception of infrastructure security. According to Wikipedia, ERP is an integrated computer-based system used to manage internal and external resources including tangible assets, financial resources, materials, and human resources. All business processes of an enterprise are generally contained in ERP systems. Any information an attacker be it cybercriminal, industrial spy or competitor, might want is stored in the company’s ERP. This can include financial, customer or public relations, intellectual property, personally identifiable information, to name a few. Industrial espionage, sabotage, fraud or insider embezzlement may be very effective if targeted a victim’s ERP system and cause significant damage to the business. However, ERP is just one example, there are other systems which also store and process critical data. The most popular ones are provided by SAP in SAP Business Suite that consists of ERP, CRM, SRM, PLM, and SCM. Of course, SAP is not the only vendor who develops these types of products, but it’s definitely the market leader. Oracle has a bunch of systems that provide similar functionality such as Oracle E-Business Suite, Oracle JDE, and Oracle PeopleSoft. Besides, there are less common systems such as Microsoft Dynamics or Infor. Some companies may have all business applications based on SAP while others can use a crazy mix of different solutions from various vendors that is very hard to manage. All those large enterprise applications are connected with each other like a spider’s web in order to automate business processes. Assume, you want to automatically generate an invoice in SAP System and send money to a particular banking account via the banking system, so, you need to connect ERP and Banking system. In reality, there are dozens of such connections and all of them can be potentially dangerous in terms of security. To make the matter worse, those systems are connected not only inside corporate network but also with partner networks and with other providers such as banks or insurance companies via the Internet. Some of these systems are connected directly with ICS/SCADA network (for example, in Oil and Gas companies) and unauthorized access to them can result in industrial sabotage. So, what is SAP? First of all, SAP is a name of German company that develops and sells business software. Currently, SAP is the leader in this area and famous for their ERP system – the most popular business application. However, its products don’t limit to ERP. In 2005, they introduced SAP Business Suite – a number of different business applications, namely ERP, CRM, PLM, SCM, and SRM. These business applications consist of different modules. For example, ERP has a number of basic modules:
FI/CO – Finance and Controlling, SD – Sales and Distribution, MM – Material Management, PP – Production Planning, HR – Human resources.
SAP also provides different applications for specific industries such as SAP modules for Oil, Gas or Retail companies, but basically, all those modules are just add-ons, and they only introduce some business functionality while technically platform remains the same. All these solutions make SAP the world-renowned business application developer with 250000 customers worldwide including 83% of Forbes 500. So, when people talk about ERP they are likely to mean SAP’s one because it is the most popular software provider. Now let’s examine how SAP ERP system looks like from user’s point of view. Simply saying, SAP ERP system is a client-server application consisting of SAP NetWeaver ABAP application server and SAPGUI application as a client interface. SAP GUI tool connects users with the central SAP server. All data is transmitted between a client and server using proprietary DIAG protocol, developed by SAP. Looking ahead, this protocol doesn’t provide necessary security measures by default and transfers data almost in the clear text. Only a kind of compression is used, but there are tools, which can decode it and, for example, obtain user passwords transmitted, as said before, in the clear text. When a user connects to the server, he can perform different functions. To execute some functionality, for example, create payment order, create a new user or fill up any form, the user has to carry out a particular transaction, which is responsible for this functionality by writing a particular transaction name in SAP menu. The system will open a dialog window where the user can specify different parameters. For instance, if a user executes transaction SU01 to create new users in the system, he will see a screen where he needs to enter all details about new user and then click on the “Create” button. If everything is correct, a new user will be created in the system. In case existing functionality is not enough, SAP customers can extend it by writing programs using SAP’s proprietary language called ABAP. Customers can write their own transactions using this language, for example, if they have specific requirements for some forms that are used to create payment order or if they have specific business processes relevant only for their industry. Those programs, by the way, may have vulnerabilities because of developers’ mistakes, but we will revert to this topic soon. However, connecting to SAPGUI and running transactions is not the only way to perform some SAP functionality. As you will see later, SAP systems are very complex and the same action can be done by several ways, and, needless to say, all those ways should be somehow secured. For example, the other means how to execute functionality in SAP system include:
Running background job using RFC function (like RPC in Windows). Calling the same function via SOAP interface – a web-based interface to run RFC programs remotely. Executing Web Dynpro application. Web Dynpro is a web-based frontend for SAP System that can be used if users don’t have a client application and only have a web browser.
Along with SAP GUI application and SAP NetWeaver application server, SAP infrastructure includes multiple services to provide some management functionality. For example, in real life there are multiple application servers in one SAP System. If we look deeper, users connect to SAP Message Server first and then a message server redirects their requests to one or another application server. SAP Message Server is a kind of Load balancing system aimed to balance a load on different application servers. In large organizations, there can be thousands of users connected with dozens of application servers via Message Server. Another service that would be useful to know is SAP ICM, or Internet Communication Manager. This service allows you to run transactions via web interfaces. SAP Gateway service is another separate service. Typically, it is enabled. It allows performing some functionality as a background job. It means that you don’t need to interactively log into the system. You can run a simple script that will automatically connect to SAP Gateway and perform some functionality. All functionality is provided by means of RFC Functions. There are 30k+ RFC functions in SAP that can be called to perform almost every task in the system from technical (create user and read table) to business ones (create vendor, create payment order, close financial period, and so on). There are many other services enabled in SAP by default and not very well described in the documentation. However, these services sometimes allow performing very critical functionality. We will speak about them later, but as the first lesson, keep in mind that SAP is a very complex system with a plethora of services. The first step in implementing SAP Security should be analyzing if these services are enabled in your system and identifying all potential threats associated with them. Now let’s clarify some other basic SAP terms you need to know. The first and main one is SAP Landscape. Usually, SAP Landscape is identified by three-symbol name – SID (System ID). Dealing with a traditional network, you need to have an identification to connect multiple systems in one network such as domain name; in the SAP world, there is an SID to identify so-called SAP Domain. Traditionally, for each system, there are three or four landscapes called production, quality assurance, test, and development. In most cases, the Quality assurance and test levels are combined in one Test landscape. Usually, all new programs and changes are developed in a development landscape. The development landscape is where the consultants do the customization for the company’s requirement. When new development is done, the company conveys these changes into the test landscape. In the test landscape, the core team members and other employees test the customization on the copy of real data. If everything is OK, they transfer all changes to the Quality assurance landscape, where users can test everything on real data, which are a copy of production data. After the tests, new programs are transferred to the production landscape. The production landscape is where the live data of the company are recorded. Now let’s talk about Instances. If you have a small system, you usually have one instance, which is actually one application server. If you have many users and want to enable some load balancing, you can add more application servers (SAP Instances). Because System should somehow distinguish application servers, they have an instance number. The instance number is a two-digit value from 00 to 99. SIDs of all application servers of one system are the same. It is important that every application server can be configured differently and some services can be enabled or disabled. It means that you need to check every application server to be sure that your landscape is secure. The last thing we are going to talk about is SAP Clients. Assume you need to manage two or more separate business entities in one system, as you don’t have enough resources to install two systems on separate hardware. SAP Clients is performed to fix this issue. You can manage a number of business entities in one system. Clients are essentially self-contained business entities or units within each SAP system; using a web browser or one of SAP’s special user interfaces, you log into a client in SAP to actually access and use the system. A client has its own separate master records and own set of “tables”. The best way to get this idea might be to think about a really large company like ExxonMobil, General Motors, or Honeywell. Within each of these large multinational organizations, you might have three or more other companies or business units. Each SAP client might be tied to a different business unit. Really big companies might have two or even three production clients for a single SAP component like ERP. For example, the company might structure its clients around discrete business groups (Chevrolet, Cadillac, and GMC) or by geography (Americas, Europe, and Asia). When you log into SAP, you choose a specific client you want to log in. Each one is assigned a unique three-digit number, which you are required to know and fill in at login time. This makes it easy to distinguish between clients. Clients are identified by numbers from 000 to 999. In theory, users of one business unit are connected with one client and restricted to access any data of other business unit located in the separate client. However, in reality there are multiple ways how they can escalate their privileges and get direct access to OS or Database where all data are stored without any separation. You also need to know that there are some clients which are installed by default (for example, clients 000 001 and 066) and there are some default users preconfigured in those accounts, usually it’s the most dangerous and common vulnerability. SAP uses multiple platforms to build their business applications. Although NetWeaver ABAP platform (the core of ERP) is the most popular system, and we spoke mostly about SAP NetWeaver ABAP, there are many other platforms. On top of those technical platforms, SAP provides different business applications. Here is a list of SAP Platforms:
SAP R/3 (old and not supported) SAP NetWeaver ABAP (still most popular) SAP NetWeaver J2EE (less Popular) SAP Business Objects (for data analytics) SAP HANA (will be the most popular soon) SAP Mobile Platform (for mobile access) SAP Afaria (for mobile device management)
SAP NetWeaver ABAP is the main SAP Platform. Almost all business applications developed to automate different business processes of an organization (such as Enterprise Resource Planning or Supply Chain Management) are based on SAP NetWeaver ABAP Platform. If somebody gets access to these applications, he can stop mission-critical business processes, commit industrial espionage, or commit a fraud. SAP Netweaver J2EE is usually considered as an additional platform mainly for applications used by IT department. The aim of such applications is mainly the integration of different business systems based on ABAP engine. Examples of systems based on SAP NetWeaver J2EE include SAP Portal, which is usually a starting point to access to all SAP and non-SAP applications or SAP Process Integration, a system that simplifies data transfer between different systems. Though those systems usually don’t store critical data directly but transfer or provide access to them, if somebody can compromise, for example, SAP PI system, he can get control of all mission-critical processes; consequences may be even more hazardous comparing to attacks on an ABAP-based system such as SAP ERP. SAP Business Objects is less popular platform and mainly used in analytics tools such as SAP Business Intelligence. If an attacker can compromise this system, he can modify some analytics results so that management will make wrong decisions. SAP HANA is a new but quite popular platform with more than 6400 installations. SAP HANA is, first of all, In-Memory database but it also contains application server called SAP HANA XS. It will be a core platform for every SAP Business application soon and will replace the old SAP NetWeaver ABAP (currently it supports ERP, CRM, and HR…). If somebody compromises this platform, the consequences will be the same as hacking SAP NetWeaver ABAP – espionage, sabotage, and fraud. Here are some resources that can help you to learn more about SAP systems and now, since you have already known what SAP is, let’s talk about SAP Security.
How I started my SAP Security journey http://erpscan.com/press-center/blog/sap-security-for-cisos-part-one-how-i-started-my-sap-journey/ SAP 101 (very simple description what is SAP) http://www.youtube.com/watch?v=qMxSZwiDCKQ More detailed data about SAP and it’s architecture http://www.youtube.com/watch?v=I1fAcjEIEEM SAP IDES Practical Guide http://web.iku.edu.tr/~jvozcan/sap%20ides%20practic%20guide.pdf Good article about SAP for very beginners http://www.slideshare.net/jainulmusani/sap-for-beginners SAPTEC – SAP’s training about technical details of SAP Pentesting SAP Applications https://resources.infosecinstitute.com/pen-stesting-sap-applications-part-1/