SAP Forensics interview – ERPScan’s pentesting director talks about SAP forensics at CONFidence

ERPScan, the leading SAP AG partner in discovering and solving security vulnerabilities, presented its latest research on SAP Forensics at CONFidence, the international conference held in Krakow on May 28-29.

Dmitry Chastukhin, the director of SAP security audit department at ERPScan, with the help of Evgeny Neyolov, a security analyst focused on computer forensics, SAP Forensics and SAP anti-Forensics and cyber-investigations at ERPScan, has presented a talk “Breaking, forensicating and anti-forensicating SAP Portal and J2EE Engine“. He spoke about various attacks on SAP Portal and taught to investigate them with the help of audit trails, trace logs, and other Forensic techniques.

SAP Forensics became one of the most interesting topics in SAP security this year, after the news about a potential Anonymous attack on Greek Ministry of Finance, allegedly conducted in November 2012 using an SAP 0-day vulnerability. While this fact is not officially approved by SAP or other authorities, we believe that attacks of this type are more than real. This talk is focused on potential ways of executing those attacks and how people can prevent them or at least be able to identify facts of compromise by analyzing malicious activity in log files
– Dmitry commented in the interview.

Why SAP Forensics

– Dmitry, why forensicating SAP Portal is so important?

– Even a most carefully secured system can be breached. In this case, it is crucially important to at least expose the attack and, if you are lucky, to react on time.

– Why is it essential for SAP systems?

– It has an importance for for any kind of systems. As for SAP, after the scandal about the alleged attack in Greece, new attack attempts and successful attacks are bound to happen. Anyway, if you do not use forensics, how can you tell that your SAP system has never been attacked?

– Has there been any public information besides the gossip about Anonymous in Greece?

– First, if your SAP has been breached, will you let it go public? Secondly, we have a large experience in assessing the security of productive SAP systems, and we can tell that very few companies have a chance to discover an attack because even the simplest measure – I mean storing and analyzing log files – is quite rarely implemented.

We have conducted some research and now we know that only 70% of the companies have a configured HTTP log in SAP. Keep in mind that HTTP log is enabled by default. What about the other types of logs?
Security audit log in ABAP: 10%
Table access logging: 4%
Message Server log: 2%
SAP Gateway access log: 2%
Now, can you see why the chance of discovering an attack is negligible?

What is more, even the companies that enable logs rarely gather them in a central storage where they will not be modified by an attacker. Even fewer companies analyze system events and can correlate them.

How to perform SAP Forensics for SAP Portal

– Why did you choose SAP Portal to demonstrate the problem?

– We chose SAP Portal as an example because this application is directly available on the Internet and connected to other systems which makes it so dangerous. An attack on internal SAP resources is very likely to start from SAP Portal.

– Can you describe a specific attack vector on SAP Portal?

– There are two types of attacks in terms of investigation. There are simple attacks which can be tracked from the standard HTTP request log, where the headers are stored. Also there are complex attacks which are tracked by POST requests, not by standard logs.

The easiest way to analyze POST requests is to enable advanced logging of all requests. Though in this case, you will get loads of unnecessary data including, by the way, fields like Cookie, JsessionID and passwords – which is insecure. There are settings which prohibit storing this kind of data, but the great number of useless POST request logs is a problem anyway, and their analysis requires additional tools.

In SAP Portal and WebDynPro, all of the required data is transmitted as a huge wallpaper of POST requests containing up to 100 parameters, whereas logs will show any action as a request to the same service URL. To sum up, you have to analyze POST requests to understand what happened, but the analysis is tricky.

– Are there any other methods besides POST request analysis?

– Collateral event analysis, for example. See, the Portal interface has various icons for making different actions, including critical ones, for example, changing event logging level or uploading a file to the server. An attacker can use them to upload an HTML file with a file hijacking script to the public directory, or to disable logs. Those actions address the web server to download the relevant icon. This is logged, providing collateral evidence of the attack. Legitimate users usually have those icons in their browser cache since their first logon, so they will mainly be downloaded for illegal purposes.

Of course, there are a lot of of nuances and false positives, and the issue can be easily bypassed. The fact is that nobody will bypass it unless they know exactly what the icons do. If the icon trick is combined with other forensic tricks, they can comprise a decent system which would become an alternative to full logging or provide triggers enabling full logging in case of suspicious events.

About CONFidence

Infosec experts do not need explanations why this event held for the 10th time this year is deemed legendary. Thanks to the organizers and speakers of CONFidence, the conference has become a favored venue for hackers and seems to be one of the main infosecurity events in Eastern Europe.

About Dmitry Chastukhin

Dmitry Chastukhin is one of the leading experts in SAP security and web application security, a big fan of bug bounties. He has official acknowledgements from SAP, Yandex, Nokia, and Google for the found vulnerabilities. He spoke at BlackHat USA, HackInTheBox, BruCON.

About ERPScan

ERPScan is an award-winning innovative company founded in 2010, the leading SAP AG partner in discovering and solving security vulnerabilities. ERPScan is engaged in the research of ERP and business application security, especially SAP, and the development of cybercrime and internal fraud prevention software. Our flagship product is the award-winning ERPScan Security Monitoring Suite for SAP: the only solution in the market which can analyze all tiers of ERP security (continuous monitoring, standard compliance, vulnerability assessment, SoD, and source code review). ERPScan experts are frequent speakers at prime international conferences held in USA, Europe and Asia, such as BlackHat and RSA.

Do you want more?

Subscribe me to your mailing list