ERPScan, the leading SAP AG partner in discovering and solving security vulnerabilities, presented its latest research on SAP Forensics at the international conference called CONFidence, held in Krakow on May 28 and 29.
Dmitry Chastukhin, director of the SAP security audit department at ERPScan, with the help of Evgeny Neyolov, an ERPScan security analyst focused on computer forensics, SAP forensics and anti-forensics, and cyber-investigations, presented a talk called “Breaking, forensicating and anti-forensicating SAP Portal and J2EE Engine”. He spoke about various attacks on SAP Portal and showed how to investigate them with the help of audit trails, trace logs, and other forensic techniques. “SAP Forensics became one of the most interesting topics in SAP security this year, after the news about a potential Anonymous attack on the Greek Ministry of Finance, allegedly conducted in November 2012 using an SAP 0-day vulnerability. While this fact is not officially approved by SAP or other authorities, we believe that attacks of this type are more than real. This talk is focused on potential ways of executing those attacks and how people can prevent them or at least be able to identify facts of compromise by analyzing malicious activity in log files”, Dmitry commented in an interview.
Why SAP Forensics
– Dmitry, why is forensicating SAP Portal important?
– Even the most carefully secured system can be breached. In this case, it is crucially important to at least expose the attack and, if you are lucky, to react in time.
– Why is it important for SAP systems?
– It is important for any kind of system. As for SAP, after the scandal about the alleged attack in Greece, new attack attempts and successful attacks are bound to happen. Anyway, if you do not use forensics, how can you tell that your SAP system has never been attacked yet?
– But there has been no public information other than the gossip about Anonymous in Greece?
– First, if your SAP has been breached, will you let it go public? Second, we have extensive experience of assessing the security of productive SAP systems, and we can tell that very few companies have the chance of discovering an attack because even the simplest measure – I mean storing and analyzing log files – is quite rarely implemented.
We have conducted a little research, and now we know that only 70% of companies have a configured HTTP log in SAP. Keep in mind that HTTP log is enabled by default. What about the other types of logs?
Security audit log in ABAP: 10%
Table access logging: 4%
Message Server log: 2%
SAP Gateway access log: 2%
Now, can you see why the chance of discovering an attack is negligible?
What’s more, even the companies that enable logs rarely gather them in a central storage where they will not be modified by the attacker, and even fewer companies analyze system events and can correlate them.
How to perform SAP Forensics for SAP Portal
– Why did you choose SAP Portal to demonstrate the problem?
– We chose SAP Portal as the example because this application is directly available from the Internet and connected to other systems, so it is very dangerous. An attack on internal SAP resources is very likely to start at SAP Portal.
– Can you describe a specific attack vector on SAP Portal?
– There are two types of attacks in terms of investigation. There are simple attacks which can be tracked from the standard HTTP request log, where headers are stored. And then there are complex attacks which are tracked by POST requests rather than by standard logs.
The easiest way to analyze POST requests is to enable advanced logging of all requests. But in this case, you will get loads of unnecessary data including, by the way, fields like Cookie, JsessionID and passwords – which is, again, insecure. There are, of course, settings which prohibit storing this kind of data. But the great amount of useless POST request logs is a problem anyway, and their analysis requires additional tools.
In SAP Portal and WebDynPro, all of the required data is transmitted as a huge wallpaper of POST requests containing up to 100 parameters, whereas logs will show any action as a request to the same service URL. To sum up, you have to analyze POST requests to understand what happened, but the analysis is tricky.
– Are there any other methods besides POST request analysis?
– Collateral event analysis, for example. See, the Portal interface has various icons to mark various actions, including critical actions, for example, changing event logging level or uploading a file to the server. An attacker can use them to upload an HTML file with a file hijacking script to the public directory, or to disable logs. Those actions address the web server to download the relevant icon. This is logged, providing collateral evidence of the attack. Legitimate users usually have those icons in their browser cache since their first logon, so they will mainly be downloaded for illegal purposes.
Of course, there are lots of nuances and false positives, and the issue is easily bypassed. But nobody will bypass it unless they know exactly what the icons do. And if the icon trick is combined with other forensic tricks, they can comprise a decent system which would then become an alternative to full logging or provide triggers which would only enable full logging in case of suspicious events.
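The collateral icon check described in the interview can be sketched as a small log scan. This is an added example, not part of the interview or of ERPScan's tooling. The icon paths are hypothetical placeholders (the interview does not name them), the log layout is assumed to be Common Log Format, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Hypothetical placeholder paths for the icons the Portal UI loads on
# critical actions; replace them with the paths seen in your own system.
WATCHED_ICONS = {
    "/PLACEHOLDER/icons/log_level.gif": "change event logging level",
    "/PLACEHOLDER/icons/file_upload.gif": "upload file to server",
}

# Assumed Common Log Format; adapt the pattern to your HTTP log layout.
LINE_RE = re.compile(
    r'(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = """\
10.0.0.5 - jsmith [28/May/2013:09:01:12 +0200] "GET /PLACEHOLDER/portal HTTP/1.1" 200 5120
10.0.0.5 - jsmith [28/May/2013:09:01:13 +0200] "GET /PLACEHOLDER/icons/file_upload.gif HTTP/1.1" 304 0
203.0.113.7 - - [28/May/2013:23:14:02 +0200] "GET /PLACEHOLDER/icons/file_upload.gif HTTP/1.1" 200 412
203.0.113.7 - - [28/May/2013:23:14:40 +0200] "POST /PLACEHOLDER/service HTTP/1.1" 200 98
203.0.113.7 - - [28/May/2013:23:15:09 +0200] "GET /PLACEHOLDER/icons/log_level.gif?v=1 HTTP/1.1" 200 377
"""

def find_icon_fetches(log_text):
    """Return {client: [(timestamp, user, action), ...]} for full icon downloads."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed layout
        path = m["path"].split("?", 1)[0]  # ignore any query string
        action = WATCHED_ICONS.get(path)
        # A 304 means the browser revalidated a cached icon, the normal case
        # for an established user, so only a full 200 download is recorded.
        if action and m["method"] == "GET" and m["status"] == "200":
            hits[m["client"]].append((m["ts"], m["user"], action))
    return dict(hits)

def clients_to_escalate(hits):
    """Clients to switch to full request logging, most distinct actions first."""
    return sorted(hits, key=lambda c: (-len({a for _, _, a in hits[c]}), c))

if __name__ == "__main__":
    for client, events in find_icon_fetches(SAMPLE_LOG).items():
        print(client, events)
```

A first logon from a new browser also downloads these icons with status 200, so the hits are triggers for closer inspection or for enabling full logging, not proof of an attack.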
Infosec experts need no explanation of why CONFidence, held for the 10th time this year, is deemed legendary. Thanks to the organizers and speakers of CONFidence, the conference has become a favored venue for hackers and seems to be one of the main infosecurity events in Eastern Europe.
About Dmitry Chastukhin
Dmitry Chastukhin is one of the leading experts in SAP security and web application security. A big fan of bug bounties. Has official acknowledgements from SAP, Yandex, Nokia, and Google for the vulnerabilities that he has found. Spoke at BlackHat USA, HackInTheBox, BruCON.
ERPScan is an award-winning innovative company founded in 2010, the leading SAP AG partner in discovering and solving security vulnerabilities. ERPScan is engaged in the research of ERP and business application security, particularly SAP, and the development of cybercrime and internal fraud prevention software. Our flagship product is the award-winning ERPScan Security Monitoring Suite for SAP: the only solution in the market which can analyze all tiers of ERP security (continuous monitoring, standard compliance, vulnerability assessment, SoD, and source code review). ERPScan experts are frequent speakers at prime international conferences held in USA, Europe and Asia, such as BlackHat and RSA.