SSRF 2.0 - ERPScan

Invest in security to secure investments

SSRF VS. BUSINESS-CRITICAL APPLICATIONS PART 2: NEW VECTORS AND CONNECT-BACK ATTACKS Alexander Polyakov – CTO at ERPScan

Alexander Polyakov

Business application security expert

ERPScan

• Developers of “ERPScan Security Scanner for SAP”
• Leader by the number of acknowledgements from SAP (>60)
• Invited to talk at more than 30 key security conferences worldwide (BlackHat (US/EU/DC/UAE), RSA, Defcon, HITB)
• First to release software for NetWeaver J2EE platform assessment
• Research team with experience in different areas of security, from ERP and web security to mobile, embedded devices, and critical infrastructure, accumulating their knowledge in SAP research
• Conducted workshops for SAP

Leading SAP AG partner in the field of discovering security vulnerabilities by the number of found vulnerabilities

Agenda

• Enterprise applications
• SSRF
  – History
  – Types
• SSRF proxy attacks
  – Example of attacking SAP with SSRF
• SSRF connect-back attacks
  – Examples
• XXE Scanner
• Conclusion

Enterprise applications: Definitions

Business software is generally any software that helps a business to increase its efficiency or measure its performance:
• Small (MS Office)
• Medium (CRM, Shops)
• Enterprise (ERP, BW…)

Why are they critical? Any information an attacker might want, be it a cybercriminal, industrial spy or competitor, is stored in corporate ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. Industrial espionage, sabotage, and fraud or insider embezzlement may be very effective if targeted at the victim’s ERP system, and they can cause significant damage to the business.

Business-critical systems architecture

• Located in a secure subnetwork
• Secured by firewalls
• Monitored by IDS systems
• Regularly patched

Noahhh…

But let’s assume that they are, because it will be much more interesting to attack them

Secure corporate network (diagram): The Internet, Corporate network, ERP network and Industrial network, each as a separate segment.

But wait. There must be some links!

Real corporate network (diagram): The Internet, Corporate network, ERP network and Industrial network, with links between the segments.

And… Attackers can use them!

Corporate network attack scenario (diagram): The Internet, Corporate network, ERP network and Industrial network, with the attack path following the links between segments.

But how?

SSRF History: the beginning
• SSRF: Server Side Request Forgery.
• An attack which was discussed in 2008 with very little information about theory and practical examples.
• Like any new term, SSRF doesn’t show us something completely new like a new type of vulnerability. SSRF-style attacks were known before.

SSRF History: Basics
• We send Packet A to Service A
• Service A initiates Packet B to Service B
• Services can be on the same host or on different hosts
• We can manipulate some fields of Packet B within Packet A
• Various SSRF attacks depend on how many fields we can control in Packet B

(Diagram: Packet A → Service A, Packet B → Service B)

SSRF history
• Deral Heiland – Shmoocon 2008 – Web Portals: Gateway To Information Or A Hole In Our Perimeter Defenses
• Spiderlabs 2012 – http://blog.spiderlabs.com/2012/05/too-xxe-for-my-shirt.html
• Vorontsov 2012 – SSRF via XXE – http://2012.caro.org/presentations/attacks-on-large-modern-web-applications
• ERPScan (Polyakov, Chastuchin) – SSRF vs business critical applications (Gopher protocol), August 2012 – http://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-business-critical-applications.-XXETunelling-in-SAP.pdf
• ssrfsocks by iamultra: a tool for ERPScan’s vulnerability in Gopher, August 2012 – https://github.com/iamultra/ssrfsocks
• Less Known Web App Vulnerabilities: Real World Examples (from ERPScan paper), October 2012
• ERPScan – Gopher SSRF in JVM advisory, October 2012 – http://erpscan.com/advisories/dsecrg-12-039-oracle-jvm-gopher-protocol-ssrf/
• ERPScan (Polyakov) – SSRF 2.0 – http://erpscan.com/category/publications/

New research will be published at ZeroNights: http://2012.zeronights.org/

Ideal SSRF

The idea is to find victim server interfaces that will allow sending packets initiated by the victim server to the localhost interface of the victim server or to another server secured by a firewall from outside. Ideally, this interface:
• Must allow sending any packet to any host and any port
• Must be accessed remotely without authentication

Why?

In this research, we wanted to:
• Collect the information about SSRF attacks
• Categorize them
• Show examples of SSRF attacks
• Show new potential and real SSRF vectors

SSRF classification (diagram). Nodes shown: SSRF; SSRF proxy attack and SSRF back connect; Trusted SSRF, Remote SSRF, SSRF counter attack and Local SSRF; Remote SSRF subtypes Full, Partial and Simple.

SSRF proxy attack (diagram): Packet A is sent into the corporate network; Packet B is forged from there into the secure network.

SSRF back connect attack (diagram): Packet A, Packet B and Packet C.

SSRF proxy attacks

• Trusted SSRF (can forge requests to remote services, but only to predefined ones)
• Remote SSRF (can forge requests to any remote IP and port)
  – Simple Remote SSRF (no control on application level)
  – Partial Remote SSRF (control of some fields on application level)
  – Full Remote SSRF (control on application level)

Exploiting SSRF

For every SSRF attack, there must be at least 2 vulnerabilities to successfully trigger the attack:
• First vulnerability
  – Functionality to create/use links (for trusted SSRF)
  – Functionality in some service on Server A which allows us to send remote packets (for other types of SSRF)
• Second vulnerability
  – Insecure link (for trusted SSRF)
  – Vulnerability in a service on Server B (for remote SSRF)
  – Vulnerability in a localhost service on Server A (for local SSRF)
  – Vulnerability in a client application on Server A (for back-connect SSRF)

Trusted SSRF
• Trusted SSRF in Oracle
  – SELECT * FROM myTable@HostB
  – EXECUTE Schema.Package.Procedure('Parameter')@HostB
• Trusted SSRF in MSSQL
  – SELECT * FROM OPENQUERY(HostB, 'SELECT @@version')
• Trusted SSRF in SAP NetWeaver
  – SM59 transaction
• Also Lotus Domino and others

Not so interesting…

First vulnerability (functionality on Server A)

• Unusual calls
• Multiprotocol calls (URI)
  – In engines (XML)
  – In applications
• UNC calls
• HTTP calls
• FTP calls
• LDAP calls
• SSH calls
• Other calls

Functionality on Server A: Unusual calls
• Remote port scan
  – SAP NetWeaver wsnavigator (SAP Notes 1394544, 871394)
  – SAP NetWeaver ipcpricing (SAP Note 1545883)
  – SAP BusinessObjects viewrpt (SAP Note 1583610)
• Remote password bruteforce
  – SAP NetWeaver (NDA)
• Other
  – Information disclosure by testing if a file or a directory exists
  – Timing attacks
  – Etc.

Very application-specific. Can be very interesting

Example of unusual calls
• It is possible to scan the internal network from the Internet
• Authentication is not required
• SAP NetWeaver J2EE engine is vulnerable

/ipcpricing/ui/BufferOverview.jsp?server=172.16.0.13&port=31337&dispatcher=&targetClient=&view=

Port scan via ipcpricing JSP (screenshots): the response differs for a host that is not alive, an HTTP port, a closed port and an SAP port.

Multiprotocol calls (in XML)
• XML seems to be the new TCP.
• Almost all big projects use XML-based > http://ServerB/

2. http://ServerB/

Successfully Tested (0-day)

WS-Policy

1.

Not Tested

WS-Security

1. ]> &date;

What will happen??

XXE Tunneling (Example)

Server A (Portal or XI)

POST /XISOAPAdapter/servlet/com.sap.aii.af.mp.soap.web.DilbertMSG?format=post HTTP/1.1
Host: 192.168.0.1:8000
]> &date;

XXE Tunneling to Buffer Overflow (Result)

Server A on the Internet (SAP XI)

POST /XISOAPAdapter/servlet/com.sap.aii.af.mp.soap.web.DilbertMSG?format=post HTTP/1.1
Host: sapserver.com:80