S.A.P. FU-JUJUTSU

Hello Friends, since I have been working with SAP systems for quite some time now, and although I am still astonished by its business scope and framework-specific power, I just cannot stop myself from doing FU-JUJUTSU research on it in free hours, whether at the office or at home. Yeah! man, I know KUNG-FU now 😉

Well, since my computer foundations were utterly disoriented … I would always ask myself: “this is where everything resides, man, all secrets, all trades, everything..”. So how would someone actually abuse this? Now all the experts will be like.. “Dude, there is a thing called Metasploit“. Yeah, well, I am familiar with the SAP modules by some really cool guys like nmonkee and all… but this tutorial is different: rather than hitting the TCP protocol directly, we will go after the SAP DIAG protocol this time. That’s right, we will have an SAP client and connect to the server with SAP GUI (that cool SAP client) from a Windows system (leave Linux, it’s already fool-proof). So we will see a cool SAP getaway crime (maybe nearly a getaway). I know man, enough talking!!

Blue/White Collar HaX0rs !

Business guy Mr. W_X (since he’s a wannabe hax0r 😉 ) is inside the SAP terminal from a machine on LDAP which has access to the SAP server inside the company. He has to change a certain FI/SD/MM document (any confidential document for that matter) which has a huge business impact, and since he is leaving the company he has decided to take all the secrets from this company to the competitor (it’s his last day). Mr. W_X is not sure about the underlying logging and audit system; well, he knows it is there, but he is altogether not sure how to evade it and get away with a perfect crime. So he gets his partner Mr. X, now here is a man of skills (ABAP/BASIS guy) for whom only the end justifies the means. So now Mr. X and Mr. W_X are working together. It’s pretty late, and at this time the sys-admin has gone home while the newly recruited BASIS-cum-DevSecOps intern is looking after the system in his absence on the night shift, since there are very few customer transactions going on in the SAP system, but just enough for their activities to go unnoticed. Assuming Mr. X has already run the mac-changer and terminal-name/IP spoofer scripts, Mr. X now has 3 attack vectors in his mind:

  1. The SAP-Portal running on port 8000
  2. The SAP-GUI Client.
  3. The exposed Services/APIs from the SAP system (SOAP/OData).

He evaluates the second option (obviously that’s his favourite) to go via the GUI, but Mr. W_X, who was an accustomed enterprise portal user, tells him to go with the first. Soon he remembers that, contrary to popular belief, there are separate portal roles which he needs to have in SU01 in conjunction with his other transaction roles to actually see anything on the portal, and so it is not good to raise an alarm in SU53 or SLG1 for that matter, and he decides to keep his tracks off the portal.

Now just when they were going to log in to the terminal, they came across the RSA pop-up, which was not new to these guys; rather, to be honest, they were already expecting it, and Mr. W_X had come prepared for this. Since Mr. W_X is a business analyst (functional consultant) he’s been given quite a few authorisations inside SAP, which means he has an RSA token, and with it they are inside SAP. It’s PROD with 500 as client and ID_XXXXXX_01 as instance. From here they need to be very careful, as Mr. X realises that everything is recorded now since all the change and audit logs are enabled in the system (but at the same time he knows that there are limitations to all the logging). The first objective is to get enough authorisations to have at least change/read access to all the important tables and transactions, and we will escalate from there. The only role which has any significant access at this time is the FIRE-FIGHTER role. Although GRC has removed the change-on-debugging authorisation from this role too, it still has significant access across the system and is a good place to get that foothold in the system. There is only one way he opens SET.

An email is spoofed from our DevSecOps consultant (cybersecops@Ecorp.com) to the senior GRC consultant about providing the FF role to one of the user IDs for analysis of some ABAP dump. Analysing dumps after business hours was a normal activity for the team, so Mr. X knew this was going to work, and within 10 mins they had decent access inside the system, courtesy of our secops.

Since GRC had actually copied this role from a standard SAP role, it even had access to change user master records in a particular user group, i.e. USR02, but not to create new ones 🙂 . Thus begins our mass revenge plot. They went inside and Mr. W_X suggested resetting his boss’s password (typical analyst), but Mr. X knew that this won’t work as everything is protected via RSA, so they resort to changing the roles of the current user, which to their surprise was also not possible. So he starts to explore the role and its auth. objects inside, and to his surprise someone has left S_DEVELOP inside the FF role. WOAH… WOAH… WHAT….! Well, it’s common, and yeah, theoretically there is no developer account in PROD, so there is no worry, right, as SAP will ask for the dev_key when changing anything. But little did they know about Mr. W_X’s plans and Mr. X’s skill-set. Now this gave them enough access for SE38 program execution. He went inside the transaction and started to search for a particular program; meanwhile Mr. W_X has been changing the entries for the MSEG and BSEG tables with SE37 -> SE16N_INTERFACE and downloading the FM_RP_BUDCON and the global balance sheet for the company. With the pc-payroll_result he was even able to see his CEO’s salary. 🙂

Mr. X has finally found the repair_source_code program, and contrary to what most people believe, this was the actual game changer: with the correct set of debugging skills he will be given access to write code in production. But he knew one thing had to be done in order for them to be successful at this hack, and that was to get S_DEBUG updated with the correct activity (ACTVT) in order to get any sort of control they desired. So he goes to SE80 -> GRC package / SUSR -> grc_update_auth_obj FM, which takes a role, the auth_obj inside it and the particular field and its value to be updated, along with a COMMIT. A simple SUIM search revealed the role and its object and Bang!! they have debugging with change access now. So he went to SE38 -> repair_source_code report -> opened a junk PROD program and executed it by placing a break-point at DEV_KEY_CHECK, skipped everything precisely and perfectly, and went inside the auxiliary editor, which gave them the option to write code; but this has to be written precisely and with patience, as one mistake would lead to ABAP dump entries inside the ST22 log. They downloaded/changed numerous values inside the system with this access.
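A defender-side check for the two findings above (S_DEVELOP left inside the firefighter role, and debugger change activity): an added example, not from this post, that scans a constructed role-authorization extract in the column layout of the AGR_1251 table (the role/object/field/value data SUIM reports on; the delimiter and sample rows are assumptions) and reports every role whose S_DEVELOP authorization grants ACTVT 02, whether directly, via a LOW..HIGH range, or via a `*` wildcard. The debugger-change authorization lives in S_DEVELOP with OBJTYPE DEBUG, so the same check covers it.

```python
import csv
import io
from collections import defaultdict

# Constructed AGR_1251-style extract (role, authorization instance, object,
# field, low, high). Sample data only, not from any real system.
SAMPLE_AGR_1251 = """AGR_NAME;AUTH;OBJECT;FIELD;LOW;HIGH
Z_FIREFIGHTER_FI;T-0001;S_TCODE;TCD;SE38;
Z_FIREFIGHTER_FI;T-0002;S_DEVELOP;OBJTYPE;PROG;
Z_FIREFIGHTER_FI;T-0002;S_DEVELOP;ACTVT;01;03
Z_FIREFIGHTER_FI;T-0003;S_DEVELOP;OBJTYPE;DEBUG;
Z_FIREFIGHTER_FI;T-0003;S_DEVELOP;ACTVT;03;
Z_DISPLAY_ONLY;T-0004;S_DEVELOP;OBJTYPE;DEBUG;
Z_DISPLAY_ONLY;T-0004;S_DEVELOP;ACTVT;03;
Z_BASIS_EMERG;T-0005;S_DEVELOP;OBJTYPE;*;
Z_BASIS_EMERG;T-0005;S_DEVELOP;ACTVT;*;
"""

def covers_change(low, high):
    """True if the LOW..HIGH value range of ACTVT grants activity 02 (change)."""
    if low == "*":
        return True
    if not high:
        return low == "02"
    return low <= "02" <= high  # ACTVT codes are 2-char strings, so lexical order works

def find_change_s_develop(extract):
    """Return {role: sorted OBJTYPE values} for every role whose S_DEVELOP
    authorization grants ACTVT 02, i.e. development or debugger-change access.
    Field values are grouped per authorization instance (AUTH), so an ACTVT
    in one instance is not combined with an OBJTYPE from another."""
    fields = defaultdict(lambda: defaultdict(list))
    for row in csv.DictReader(io.StringIO(extract), delimiter=";"):
        if row["OBJECT"] != "S_DEVELOP":
            continue
        key = (row["AGR_NAME"], row["AUTH"])
        fields[key][row["FIELD"]].append((row["LOW"], row["HIGH"]))
    findings = defaultdict(set)
    for (role, _auth), vals in fields.items():
        if any(covers_change(lo, hi) for lo, hi in vals.get("ACTVT", [])):
            for lo, _hi in vals.get("OBJTYPE", [("?", "")]):
                findings[role].add(lo)
    return {role: sorted(objs) for role, objs in findings.items()}

if __name__ == "__main__":
    for role, objtypes in find_change_s_develop(SAMPLE_AGR_1251).items():
        print(f"{role}: S_DEVELOP change access on OBJTYPE {', '.join(objtypes)}")
```

On the sample the display-only role is silent, the firefighter role is flagged because its 01..03 range on PROG includes 02, and the emergency role is flagged on the wildcard.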

So it was pretty late at night by then, and after meddling, stealing and playing with the data it was time to clear the footprints. So Mr. X starts to backtrack every step they had taken along the way, just as he had rehearsed the whole scenario 100 times in DEV and QUALITY. Simple transaction and master data entry changes which were not under the audit log were changed directly in CDHDR/CDPOS, while some were changed in direct tables such as REPOSRC for programs, and PO/PR historical data tables / change log tables. This was a doubly-sure strategy as:

the greatest trick the devil ever pulled was convincing the world he doesn’t exist!

“Convincing” was the really important part above, since Mr. X knew that it was not all the tables he had to take care of, but rather just the 2/3 standard reports where certain enhancements would do the trick, which he had sent long back in a deceiving TR import via the CG3Y/CG3Z transactions, as auditors/reviewers will only go through these reports. So now the SAP part is secured, but what about the log files on the server? Well, this is pretty interesting as to what these guys did next.

Since it is a pretty big post we will continue this in another blog post and finally conclude our SAP-WARS. Hope you enjoyed it!!

Disclaimer: all respective images are owned by the people who put them on the internet and other stuff…. I guess only the words are mine after all.

Until next time 🙂
