870 likes | 1.15k Views
Mo’ Budget, Mo’ Problems. Steve Lord, Mandalorian. What is this talk about?. Large IT Projects System Integrators SAP. What is SAP?. Enterprise Resource Planning (SAP R/3) CRM EP HR FI/CO BW MM PP. What is SAP/R3, really?. Business process re-implementation
E N D
Mo’ Budget, Mo’ Problems Steve Lord, Mandalorian
What is this talk about? • Large IT Projects • System Integrators • SAP
What is SAP? • Enterprise Resource Planning (SAP R/3) • CRM • EP • HR • FI/CO • BW • MM • PP
What is SAP/R3, really? • Business process re-implementation • Fancy MIS framework with template processes • Big basket for corporate eggs
Fundamentals of Large Projects • The bigger the budget, the harder the fall • Compound delays due to complex dependencies • Corners cut to meet deadlines • Functionality Vs. Security • Decision rarely based upon business case • When was the last time you signed off $xxx million? • Don’t believe me?
Irish HSE PPARs and FISP Systems • PPARs (HR) and FISP (FI/CO) • Projected Combined Cost - £6.2mil • PPARs Cost when halted in 2005 - £80mil • FISP Cost when halted - £20.7mil • Revenues for Deloitte & Touche - £34.5mil • Revenues for SAP – Undisclosed (not part of D&T’s fees)
PPARs • “It’s like a case study in how not to run a project … It’s appaling stuff.” – Enda Kenny, Fine Gael Leader • PPARs could’ve paid for: • A 600 bed Hospital • 20 St. Patrick’s Day beers for Every Man, Woman and Child in Ireland
HP’s Internal Failure • iGSO • Launched in 2002 • Consolidate 350 Digital, Compaq, HP, Tandem systems • Expected finish date 2007
HP: The Adaptive Enterprise that couldn’t adapt • Total cost of Implementation failure • US$400 mil (revenue) • US$275 mil (operating profit) • 3 Executives heads • Did I mention this was the total for Q3 2002?
How is SAP Implemented Internally? • Usually Poorly • Inadequate Skills/Experience • Poor/No Business Requirements Capture • Technology Driven Implementation • Poor Documentation • Usually very expensive ($20mil+)
How is SAP implemented by External Integrators? • Poorly • Front-loading Skills • Business Requirements Capture? • Partner-driven Implementation • Poor/No Documentation • Subject to contract wrangling • Can be extremely expensive ($50mil+)
Where does it all go wrong? • Lack of: • Communication • Contingency • Requirements Capture/Analysis • Simplicity • Security
Where does Security come in? • At the end of a long queue • By the time it reaches us, it is: • Non or semi-functional • Delayed • Costing the business • Security’s role is to • SUSO (Shut Up, Sign Off)
Show me the SUSO • You need to sign this off • If you don’t • You’re blocking the business • You’re costing us money • You’re getting in the way of the project • If you do • It’s your backside on the dotted line
End of Talk • Oh you want more?
This is the price, right? Come on down!
This is the price, right? • Quiz Show • Prizes • Need Victims Volunteers
How it works • Question is asked • Potential answers are shown • You have to guess which one of the answers was an actual response
This is the price, right? Question 1
Why can’t we use SSH? • A) It (PuTTY) isn’t vendor supported • B) SFTP Doesn’t support ASCII • C) We don’t have a PKI • D) Key Management is too difficult • E) The TCO for OpenSSH is too high
Why can’t we switch off RSH? • A) It requires a server rebuild • B) It requires extensive testing that would cost millions • C) CowboyNeal • D) We use telnet, you insensitive clod! • E) We don’t know what it would break
Why did the SI buy the tin prior to completing the design stage? • A) Because the vendor rebate would be lower next year • B) Because the client will have to write off the hardware expenditure anyway • C) Because it’s easier to justify spending on one round of big tin than two rounds of smaller tin • D) If the client has already paid a fortune up front they’re less likely to pull the plug later
Why were all the consultants on the job South African? • A) Because of S.A’s extensive investment in enterprise technology training • B) Because all the experienced guys are from Joburg • C) Because they’re cheaper than native employees and have a lesser understanding of local employment law
Why are these not risks? • A) Because it’s not live yet • B) Because you need an account to access the systems • C) Because you’d need to have an RSH client and a copy of finger to access the systems • D) Because you’d need to have an FTP client to gain access to an unshadowed /etc/passwd • E) Because there are plenty of other ways in • F) Because you’re holding the project up so just sign off or there’ll be trouble
Well done! • The good news is • People got prizes • The bad news is • We’re all losers in the end
Breaking SAP Send in the clowns
SAP Structure • Infrastructure Issues • Front-End Application • Business Logic • Business Processes • Database Skullduggery
Infrastructure Issues Let me paint you a picture
Points of interest • There is no standard deployment • There should be Firewalls involved • If there are, Any-Any rules may be used • Sometimes the File Server(s) are shared between dev, test and live too • Sometimes the App Server(s) are shared between dev, test and live too
How (not) to conduct an SAP Pentest • Nmap • Amap • Nikto • Nessus • Metasploit
How to conduct an SAP Pentest • Nmap (-sS and –sU only, no –sV or –A and watch timings) • Manual confirmation of services with standard client tools • RSH, Finger, Net View, Showmount, FTP • No active exploitation • Password guessing possible, but not automated
SAP Systems are • Unpatched • Unhardened • Unmaintained (caveat: security) • Unmanaged (caveat: security)
Once you’ve got local access • Useful tools • R3Trans • TP • SQL Trusts • OSQL –E • SQLPLUS “/ as sysdba” • MySQL –u root, mysqld_safe
R3Trans • Uses SAP’s abstracted SQL model (T-SQL) • Uses ‘control files’ to perform actions upon databases • R3Trans –d –v • Test database connection
R3Trans Control File EXPORT FILE=‘/tmp/.export/’ CLIENT=000 SELECT * FROM USR02 • Start with: • R3Trans /tmp/control • Don’t forget to check trans.log
Where to look • /usr/sap/trans • /usr/sap/<SID> • /home/<SID>adm • There is no reason for these directories to be world writeable! • Most should be 700, 770 or 775
From the trenches • “We use RSH to copy files around the environment. RSH has a feature call .rhosts which enables us to restrict access to specific users or hosts”
Front-End Issues Busting down the door citing section 404
What front-end? • SAP has many • SAPGUI • WebGUI/NetWeaver/ITS/EP • SAPRFC • For the sake of time we will focus on SAPGUI • These issues do apply elsewhere though
SAPGUI • See the box up next to the green tick? • Use /? to start debugging • Type in a transaction code (T-Code) to start a transaction
SAP Transactions of Note • SU01 – User Authorization • SU02 – User Profile Administration • RZ04 – Maintain SAP Instances • SECR – Audit Information System • SE11 – Data Dictionary • SE38 – ABAP Editor • SE61 – R/3 Documentation • SM21 – System Log • SM31 – Table Maintenance • SM51 – List of Targets SAP Servers • SU24 – Disable Authorization Checks • SM49 – Execute Operating System Commands • SU12 – Delete All Users • PE51 – HR Form Editor (HR) • P013 – Maintain Positions (HR) • P001 – Maintain Jobs (HR)
SAP Transactions of Note • AL08 – Users Logged On • AL11 – Display SAP Directories • OS01 – LAN Check with Ping • OS03 – Local OS Parameter changes • OS04 – Local System Configuration • OSO5 – Remote System Configuration • OSS1 – SAP’s Online Service System • PFCG – Profile Generator • RZ01 – Job Scheduling Monitor • RZ20 – CCMS Monitoring • RZ21 – Customize CCMS Monitor • SA38 – ABAP/4 Reporting • SCC0 – Client Copy • SE01 – Transport and Correction System • SE13 – Maintain Technical Settings (Tables) • SUIM – Repository Information System
You can’t access those! • I can access them (or equivalents) if restrictions are based on: • Easy Access Menu Items • Transactions only • Custom-tables (e.g a ZUSERS table of allowed users) • Restrictions need to be implemented at the Authorization level • So what else is there?
Reports • RPCIFU01 – Display File • RPCIFU03 – Download Unix File • RPCIFU04 – Upload Unix File • RPR_ABAP_SOURCE_SCAN – Search ABAP for a string ;) • RSBDCOS0 – Execute OS Command • RSPARAM – Check System Parameters • RSORAREL – Get the Oracle System Release
Tables • Accessible through: • SE16 (Maintain Tables) • SE17 (Display Tables) • SA38 (Execute ABAP) • SE38 (ABAP Editor) • Customizations (ZZ_TABLE_ADMIN etc.) • Will Be Covered Later
Job Scheduler • Can’t get OS access? • Use SM36 or SM36WIZ Instead • Specify Immediate Start • External Program as Step
Custom Transaction fun • Input Validation • Selection Criteria Expansion • Path specification (../../, // etc) • Shell Escapes (; /bin/ls, |”/bin/ls”| etc) • SQL Injection • Export/Import file fun and games • Bypass Authorization Checks