1 / 83

Mo’ Budget, Mo’ Problems

Mo’ Budget, Mo’ Problems. Steve Lord, Mandalorian. What is this talk about?. Large IT Projects System Integrators SAP. What is SAP?. Enterprise Resource Planning (SAP R/3) CRM EP HR FI/CO BW MM PP. What is SAP/R3, really?. Business process re-implementation

eagan
Download Presentation

Mo’ Budget, Mo’ Problems

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Mo’ Budget, Mo’ Problems Steve Lord, Mandalorian

  2. What is this talk about? • Large IT Projects • System Integrators • SAP

  3. What is SAP? • Enterprise Resource Planning (SAP R/3) • CRM • EP • HR • FI/CO • BW • MM • PP

  4. What is SAP/R3, really? • Business process re-implementation • Fancy MIS framework with template processes • Big basket for corporate eggs

  5. Fundamentals of Large Projects • The bigger the budget, the harder the fall • Compound delays due to complex dependencies • Corners cut to meet deadlines • Functionality Vs. Security • Decision rarely based upon business case • When was the last time you signed off $xxx million? • Don’t believe me?

  6. Irish HSE PPARs and FISP Systems • PPARs (HR) and FISP (FI/CO) • Projected Combined Cost - £6.2mil • PPARs Cost when halted in 2005 - £80mil • FISP Cost when halted - £20.7mil • Revenues for Deloitte & Touche - £34.5mil • Revenues for SAP – Undisclosed (not part of D&T’s fees)

  7. PPARs • “It’s like a case study in how not to run a project … It’s appaling stuff.” – Enda Kenny, Fine Gael Leader • PPARs could’ve paid for: • A 600 bed Hospital • 20 St. Patrick’s Day beers for Every Man, Woman and Child in Ireland

  8. HP’s Internal Failure • iGSO • Launched in 2002 • Consolidate 350 Digital, Compaq, HP, Tandem systems • Expected finish date 2007

  9. HP: The Adaptive Enterprise that couldn’t adapt • Total cost of Implementation failure • US$400 mil (revenue) • US$275 mil (operating profit) • 3 Executives heads • Did I mention this was the total for Q3 2002?

  10. How is SAP Implemented Internally? • Usually Poorly • Inadequate Skills/Experience • Poor/No Business Requirements Capture • Technology Driven Implementation • Poor Documentation • Usually very expensive ($20mil+)

  11. How is SAP implemented by External Integrators? • Poorly • Front-loading Skills • Business Requirements Capture? • Partner-driven Implementation • Poor/No Documentation • Subject to contract wrangling • Can be extremely expensive ($50mil+)

  12. Where does it all go wrong? • Lack of: • Communication • Contingency • Requirements Capture/Analysis • Simplicity • Security

  13. Where does Security come in? • At the end of a long queue • By the time it reaches us, it is: • Non or semi-functional • Delayed • Costing the business • Security’s role is to • SUSO (Shut Up, Sign Off)

  14. Show me the SUSO • You need to sign this off • If you don’t • You’re blocking the business • You’re costing us money • You’re getting in the way of the project • If you do • It’s your backside on the dotted line

  15. End of Talk • Oh you want more?

  16. This is the price, right? Come on down!

  17. This is the price, right? • Quiz Show • Prizes • Need Victims Volunteers

  18. How it works • Question is asked • Potential answers are shown • You have to guess which one of the answers was an actual response

  19. This is the price, right? Question 1

  20. Why can’t we use SSH? • A) It (PuTTY) isn’t vendor supported • B) SFTP Doesn’t support ASCII • C) We don’t have a PKI • D) Key Management is too difficult • E) The TCO for OpenSSH is too high

  21. Why can’t we switch off RSH? • A) It requires a server rebuild • B) It requires extensive testing that would cost millions • C) CowboyNeal • D) We use telnet, you insensitive clod! • E) We don’t know what it would break

  22. Why did the SI buy the tin prior to completing the design stage? • A) Because the vendor rebate would be lower next year • B) Because the client will have to write off the hardware expenditure anyway • C) Because it’s easier to justify spending on one round of big tin than two rounds of smaller tin • D) If the client has already paid a fortune up front they’re less likely to pull the plug later

  23. Why were all the consultants on the job South African? • A) Because of S.A’s extensive investment in enterprise technology training • B) Because all the experienced guys are from Joburg • C) Because they’re cheaper than native employees and have a lesser understanding of local employment law

  24. Why are these not risks? • A) Because it’s not live yet • B) Because you need an account to access the systems • C) Because you’d need to have an RSH client and a copy of finger to access the systems • D) Because you’d need to have an FTP client to gain access to an unshadowed /etc/passwd • E) Because there are plenty of other ways in • F) Because you’re holding the project up so just sign off or there’ll be trouble

  25. Well done! • The good news is • People got prizes • The bad news is • We’re all losers in the end

  26. Breaking SAP Send in the clowns

  27. SAP Structure • Infrastructure Issues • Front-End Application • Business Logic • Business Processes • Database Skullduggery

  28. Infrastructure Issues Let me paint you a picture

  29. What does an SAP deployment look like?

  30. What does an SAP deployment look like?

  31. Points of interest • There is no standard deployment • There should be Firewalls involved • If there are, Any-Any rules may be used • Sometimes the File Server(s) are shared between dev, test and live too • Sometimes the App Server(s) are shared between dev, test and live too

  32. How (not) to conduct an SAP Pentest • Nmap • Amap • Nikto • Nessus • Metasploit

  33. How to conduct an SAP Pentest • Nmap (-sS and –sU only, no –sV or –A and watch timings) • Manual confirmation of services with standard client tools • RSH, Finger, Net View, Showmount, FTP • No active exploitation • Password guessing possible, but not automated

  34. SAP Systems are • Unpatched • Unhardened • Unmaintained (caveat: security) • Unmanaged (caveat: security)

  35. Once you’ve got local access • Useful tools • R3Trans • TP • SQL Trusts • OSQL –E • SQLPLUS “/ as sysdba” • MySQL –u root, mysqld_safe

  36. R3Trans • Uses SAP’s abstracted SQL model (T-SQL) • Uses ‘control files’ to perform actions upon databases • R3Trans –d –v • Test database connection

  37. R3Trans Control File EXPORT FILE=‘/tmp/.export/’ CLIENT=000 SELECT * FROM USR02 • Start with: • R3Trans /tmp/control • Don’t forget to check trans.log

  38. Where to look • /usr/sap/trans • /usr/sap/<SID> • /home/<SID>adm • There is no reason for these directories to be world writeable! • Most should be 700, 770 or 775

  39. From the trenches • “We use RSH to copy files around the environment. RSH has a feature call .rhosts which enables us to restrict access to specific users or hosts”

  40. Front-End Issues Busting down the door citing section 404

  41. What front-end? • SAP has many • SAPGUI • WebGUI/NetWeaver/ITS/EP • SAPRFC • For the sake of time we will focus on SAPGUI • These issues do apply elsewhere though

  42. SAPGUI

  43. SAPGUI • See the box up next to the green tick? • Use /? to start debugging • Type in a transaction code (T-Code) to start a transaction

  44. SAP Transactions of Note • SU01 – User Authorization • SU02 – User Profile Administration • RZ04 – Maintain SAP Instances • SECR – Audit Information System • SE11 – Data Dictionary • SE38 – ABAP Editor • SE61 – R/3 Documentation • SM21 – System Log • SM31 – Table Maintenance • SM51 – List of Targets SAP Servers • SU24 – Disable Authorization Checks • SM49 – Execute Operating System Commands • SU12 – Delete All Users • PE51 – HR Form Editor (HR) • P013 – Maintain Positions (HR) • P001 – Maintain Jobs (HR)

  45. SAP Transactions of Note • AL08 – Users Logged On • AL11 – Display SAP Directories • OS01 – LAN Check with Ping • OS03 – Local OS Parameter changes • OS04 – Local System Configuration • OSO5 – Remote System Configuration • OSS1 – SAP’s Online Service System • PFCG – Profile Generator • RZ01 – Job Scheduling Monitor • RZ20 – CCMS Monitoring • RZ21 – Customize CCMS Monitor • SA38 – ABAP/4 Reporting • SCC0 – Client Copy • SE01 – Transport and Correction System • SE13 – Maintain Technical Settings (Tables) • SUIM – Repository Information System

  46. You can’t access those! • I can access them (or equivalents) if restrictions are based on: • Easy Access Menu Items • Transactions only • Custom-tables (e.g a ZUSERS table of allowed users) • Restrictions need to be implemented at the Authorization level • So what else is there?

  47. Reports • RPCIFU01 – Display File • RPCIFU03 – Download Unix File • RPCIFU04 – Upload Unix File • RPR_ABAP_SOURCE_SCAN – Search ABAP for a string ;) • RSBDCOS0 – Execute OS Command • RSPARAM – Check System Parameters • RSORAREL – Get the Oracle System Release

  48. Tables • Accessible through: • SE16 (Maintain Tables) • SE17 (Display Tables) • SA38 (Execute ABAP) • SE38 (ABAP Editor) • Customizations (ZZ_TABLE_ADMIN etc.) • Will Be Covered Later

  49. Job Scheduler • Can’t get OS access? • Use SM36 or SM36WIZ Instead • Specify Immediate Start • External Program as Step

  50. Custom Transaction fun • Input Validation • Selection Criteria Expansion • Path specification (../../, // etc) • Shell Escapes (; /bin/ls, |”/bin/ls”| etc) • SQL Injection • Export/Import file fun and games • Bypass Authorization Checks

More Related