Invest in security to secure investments
SSRF VS. BUSINESS-CRITICAL APPLICATIONS PART 2: NEW VECTORS AND CONNECT-BACK ATTACKS Alexander Polyakov – CTO at ERPScan
Alexander Polyakov
Business application security expert
ERPScan
• Developers of “ERPScan Security Scanner for SAP”
• Leader by the number of acknowledgements from SAP (>60)
• Invited to talk at more than 30 key security conferences worldwide (BlackHat (US/EU/DC/UAE), RSA, Defcon, HITB)
• First to release software for NetWeaver J2EE platform assessment
• Research team with experience in different areas of security, from ERP and web security to mobile, embedded devices, and critical infrastructure, accumulating their knowledge in SAP research
• Conducted workshops for SAP
Leading SAP AG partner in the field of discovering security vulnerabilities by the number of found vulnerabilities
Agenda
• Enterprise applications
• SSRF
  – History
  – Types
• SSRF proxy attacks
  – Example of attacking SAP with SSRF
• SSRF connect-back attacks
  – Examples
• XXE Scanner
• Conclusion
Enterprise applications: Definitions
Business software is generally any software that helps a business to increase its efficiency or measure its performance:
• Small (MS Office)
• Medium (CRM, shops)
• Enterprise (ERP, BW…)
Why are they critical? Any information an attacker might want, be it a cybercriminal, industrial spy or competitor, is stored in corporate ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. Industrial espionage, sabotage, and fraud or insider embezzlement may be very effective if targeted at the victim’s ERP system, and they can cause significant damage to the business.
Business-critical systems architecture
• Located in a secure subnetwork
• Secured by firewalls
• Monitored by IDS systems
• Regularly patched
Noahhh…
But let’s assume that they are, because it will be much more interesting to attack them
Secure corporate network (diagram): The Internet | Corporate network | ERP network | Industrial network
But wait. There must be some links!
Real corporate network (diagram): The Internet | Corporate network | ERP network | Industrial network, with links between the layers
And… Attackers can use them!
Corporate network attack scenario (diagram): The Internet → Corporate network → ERP network → Industrial network
But how?
SSRF History: the beginning
• SSRF: Server Side Request Forgery.
• An attack which was discussed in 2008 with very little information about theory and practical examples.
• Like any new term, SSRF does not describe a completely new type of vulnerability: SSRF-style attacks were known before.
SSRF History: Basics
• We send Packet A to Service A
• Service A initiates Packet B to Service B
• Services can be on the same host or on different hosts
• We can manipulate some fields of Packet B within Packet A
• Various SSRF attacks depend on how many fields we can control in Packet B
(diagram: Packet A → Service A → Packet B → Service B)
SSRF history
• Deral Heiland – Shmoocon 2008 – Web Portals: Gateway To Information Or A Hole In Our Perimeter Defenses
• Spiderlabs 2012 – http://blog.spiderlabs.com/2012/05/too-xxe-for-my-shirt.html
• Vorontsov 2012 – SSRF via XXE – http://2012.caro.org/presentations/attacks-on-large-modern-web-applications
• ERPScan (Polyakov, Chastuchin) – SSRF vs business critical applications (Gopher protocol), August 2012 – http://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-business-critical-applications.-XXETunelling-in-SAP.pdf
• ssrfsocks by iamultra: a tool for ERPScan’s vulnerability in Gopher, August 2012 – https://github.com/iamultra/ssrfsocks
• Less Known Web App Vulnerabilities: Real World Examples (from ERPScan paper), October 2012
• ERPScan – Gopher SSRF in JVM advisory, October 2012 – http://erpscan.com/advisories/dsecrg-12-039-oracle-jvm-gopher-protocol-ssrf/
• ERPScan (Polyakov) – SSRF 2.0 – http://erpscan.com/category/publications/
New research will be published at ZeroNights http://2012.zeronights.org/
Ideal SSRF
The idea is to find victim server interfaces that will allow sending packets initiated by the victim server to the localhost interface of the victim server, or to another server secured by a firewall from the outside. Ideally, this interface:
• Must allow sending any packet to any host and any port
• Must be accessible remotely without authentication
Why?
In this research, we wanted to:
• Collect the information about SSRF attacks
• Categorize them
• Show examples of SSRF attacks
• Show new potential and real SSRF vectors
SSRF (classification tree)
• SSRF proxy attack
  – Trusted SSRF
  – Remote SSRF
    · Full
    · Partial
    · Simple
  – Local SSRF
• SSRF back connect
• SSRF counter attack
SSRF proxy attack (diagram labels)
• Packet A: into the corporate network, to Server A
• Packet B: from Server A into the secure network
SSRF back connect attack (diagram labels)
• Packet A: to Server A
• Packet B: from Server A to Server B
• Packet C: from Server B back to Server A
SSRF proxy attacks
• Trusted SSRF (can forge requests to remote services, but only to predefined ones)
• Remote SSRF (can forge requests to any remote IP and port)
  – Simple Remote SSRF (no control on the application level)
  – Partial Remote SSRF (control over some fields on the application level)
  – Full Remote SSRF (full control on the application level)
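The Simple/Partial/Full distinction is about how much of Packet B the sender of Packet A controls. The following is an added example of mine (not ERPScan code and not part of any SAP component) of the outbound-request policy a Server A fetcher needs so that even full control over the URL cannot reach a host inside the secure network: a scheme allowlist (no gopher://, ftp://, file:// or ldap://), a port allowlist, a single resolution of the hostname, and rejection of any loopback, private, link-local or reserved address. The names serverb.internal and public.example.net and their addresses are constructed, and the resolver is injectable so the block runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Added example: outbound-request policy for a server-side fetcher (Server A).
# Not ERPScan code and not part of any SAP component.
ALLOWED_SCHEMES = {"http", "https"}   # no gopher://, ftp://, file://, ldap:// ...
ALLOWED_PORTS = {80, 443}             # no arbitrary-port access into the network

# Constructed name-to-address table so the block runs without DNS.
FAKE_DNS = {
    "serverb.internal": "172.16.0.13",      # a host inside the secure network
    "public.example.net": "93.184.216.34",  # a host on the Internet
}


def fake_resolver(host: str) -> str:
    """Stand-in for socket.gethostbyname backed by FAKE_DNS (constructed)."""
    try:
        ipaddress.ip_address(host)      # already an IP literal: return as-is
        return host
    except ValueError:
        pass
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    raise socket.gaierror(f"unknown host {host!r} (constructed resolver)")


def is_internal_address(ip: str) -> bool:
    """True for loopback, RFC 1918, link-local, multicast, reserved or unspecified."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_outbound_url(url: str, resolver=socket.gethostbyname):
    """Decide whether Server A may issue Packet B to `url`.

    Returns (allowed, reason, resolved_ip). The host is resolved exactly once;
    the caller must connect to `resolved_ip` rather than resolve again, otherwise
    a DNS answer that changes between check and use (rebinding) defeats the check.
    """
    try:
        u = urlparse(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}", None
    scheme = u.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {u.scheme!r}", None
    if u.username or u.password:
        return False, "credentials embedded in URL", None
    host = u.hostname
    if not host:
        return False, "missing host", None
    try:
        port = u.port or (443 if scheme == "https" else 80)
    except ValueError:
        return False, "invalid port", None
    if port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}", None
    try:
        ip = resolver(host)
    except OSError as exc:
        return False, f"name resolution failed: {exc}", None
    if is_internal_address(ip):
        return False, f"{host} resolves to internal address {ip}", ip
    return True, "ok", ip


if __name__ == "__main__":
    for candidate in ("http://public.example.net/",
                      "http://serverb.internal/",
                      "http://serverb.internal:31337/",
                      "gopher://serverb.internal:70/_x",
                      "http://127.0.0.1/"):
        print(candidate, validate_outbound_url(candidate, fake_resolver))
```

The check deliberately classifies the resolved address rather than the hostname string, because a hostname chosen by the client can resolve to anything; the price is that the caller has to reuse the returned address for the actual connection.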
Exploiting SSRF
For every SSRF attack, there must be at least 2 vulnerabilities to successfully trigger the attack:
• First vulnerability
  – Functionality to create/use links (for trusted SSRF)
  – Functionality in some service on Server A which allows us to send remote packets (for other types of SSRF)
• Second vulnerability
  – Insecure link (for trusted SSRF)
  – Vulnerability in a service on Server B (for remote SSRF)
  – Vulnerability in a localhost service on Server A (for local SSRF)
  – Vulnerability in a client application on Server A (for back-connect SSRF)
Trusted SSRF
• Trusted SSRF in Oracle
  – SELECT * FROM myTable@HostB
  – EXECUTE Schema.Package.Procedure('Parameter')@HostB
• Trusted SSRF in MSSQL
  – SELECT * FROM OPENQUERY(HostB, 'SELECT @@version')
• Trusted SSRF in SAP NetWeaver
  – SM59 transaction
• Also Lotus Domino and others
Not so interesting…
First vulnerability (functionality on Server A)
• Unusual calls
• Multiprotocol calls (URI)
  – In engines (XML)
  – In applications
• UNC calls
• HTTP calls
• FTP calls
• LDAP calls
• SSH calls
• Other calls
Functionality on server A: Unusual calls
• Remote port scan
  – SAP NetWeaver wsnavigator (SAP Notes 1394544, 871394)
  – SAP NetWeaver ipcpricing (SAP Note 1545883)
  – SAP BusinessObjects viewrpt (SAP Note 1583610)
• Remote password bruteforce
  – SAP NetWeaver (NDA)
• Other
  – Information disclosure by testing if a file or a directory exists
  – Timing attacks
  – Etc????
Very application-specific. Can be very interesting
Example of unusual calls
• It is possible to scan the internal network from the Internet
• Authentication is not required
• SAP NetWeaver J2EE engine is vulnerable
/ipcpricing/ui/BufferOverview.jsp?server=172.16.0.13&port=31337&dispatcher=&targetClient=&view=
Port scan via ipcpricing JSP (screenshots): the response differs by target, so four cases can be told apart: host is not alive / HTTP port / port closed / SAP port
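As an added example that is not part of the deck: detection logic that runs over constructed access-log lines (not real SAP logs) and flags a source address that drives the BufferOverview.jsp primitive above against many distinct server/port pairs in a short window, which is what a scan through this JSP looks like from the web server's side. The log format, the client and target addresses, the hostname ipc.corp.example, and the window and threshold values are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qsl

# Constructed access-log lines in a common-log-like format (not real SAP logs).
# 192.0.2.44 walks six ports on 172.16.0.13 through the JSP within 20 seconds;
# 192.0.2.10 makes one ordinary request to the JSP and one unrelated request.
SAMPLE_LOG = """\
192.0.2.44 - - [14/Nov/2012:10:01:03 +0000] "GET /ipcpricing/ui/BufferOverview.jsp?server=172.16.0.13&port=21&dispatcher=&targetClient=&view= HTTP/1.1" 200 512
192.0.2.44 - - [14/Nov/2012:10:01:05 +0000] "GET /ipcpricing/ui/BufferOverview.jsp?server=172.16.0.13&port=22&dispatcher=&targetClient=&view= HTTP/1.1" 200 498
192.0.2.10 - - [14/Nov/2012:10:01:06 +0000] "GET /irj/portal HTTP/1.1" 200 10240
192.0.2.44 - - [14/Nov/2012:10:01:08 +0000] "GET /ipcpricing/ui/BufferOverview.jsp?server=172.16.0.13&port=80&dispatcher=&targetClient=&view= HTTP/1.1" 200 530
192.0.2.44 - - [14/Nov/2012:10:01:11 +0000] "GET /ipcpricing/ui/BufferOverview.jsp?server=172.16.0.13&port=443&dispatcher=&targetClient=&view= HTTP/1.1" 200 530
192.0.2.10 - - [14/Nov/2012:10:01:15 +0000] "GET /ipcpricing/ui/BufferOverview.jsp?server=ipc.corp.example&port=4444&dispatcher=&targetClient=&view= HTTP/1.1" 200 600
192.0.2.44 - - [14/Nov/2012:10:01:17 +0000] "GET /ipcpricing/ui/BufferOverview.jsp?server=172.16.0.13&port=3200&dispatcher=&targetClient=&view= HTTP/1.1" 200 601
192.0.2.44 - - [14/Nov/2012:10:01:21 +0000] "GET /ipcpricing/ui/BufferOverview.jsp?server=172.16.0.13&port=31337&dispatcher=&targetClient=&view= HTTP/1.1" 200 498
"""

# Common-log-format fields we need: client address, timestamp, request path, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# The JSP from the slide; everything after '?' is the query string.
TARGET_RE = re.compile(r"^/ipcpricing/ui/BufferOverview\.jsp\?(?P<qs>.*)$")


def parse_line(line: str):
    """Return {src, ts, server, port} for a request to the JSP, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    t = TARGET_RE.match(m["path"])
    if not t:
        return None
    params = dict(parse_qsl(t["qs"], keep_blank_values=True))
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"src": m["src"], "ts": ts,
            "server": params.get("server", ""), "port": params.get("port", "")}


def detect_port_scans(lines, window=timedelta(seconds=60), threshold=5):
    """Map each flagged source address to the sorted (server, port) pairs it probed.

    A source is flagged when it reaches `threshold` distinct (server, port)
    targets through the JSP within any `window`-long span of its requests.
    """
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):          # sliding window over time-ordered events
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            in_window = {(e["server"], e["port"]) for e in evs[start:end + 1]}
            if len(in_window) >= threshold:
                alerts[src] = sorted({(e["server"], e["port"]) for e in evs})
                break
    return alerts


def scan_sample():
    """Run the detector over the constructed SAMPLE_LOG."""
    return detect_port_scans(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for src, targets in scan_sample().items():
        print(f"{src}: {len(targets)} distinct targets via ipcpricing, e.g. {targets[:3]}")
```

Because the JSP answers without authentication, the access log is the only place a defender reliably sees these probes; a single request to it from the Internet is already worth an alert on its own, and the window logic above only adds the "many targets" signal on top of that.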
Multiprotocol calls (in XML)
• XML seems to be the new TCP.
• Almost all big projects use XML-based
Tested standards (table):
  – [standard name missing]: 1. http://ServerB/ 2. http://ServerB/ – Successfully Tested (0-day)
  – WS-Policy: 1. – Not Tested
  – WS-Security: 1. ]> &date;
What will happen??
XXE Tunneling (Example)
Server A (Portal or XI)
POST /XISOAPAdapter/servlet/com.sap.aii.af.mp.soap.web.DilbertMSG?format=post HTTP/1.1
Host: 192.168.0.1:8000

]> &date;
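An added example, not from the deck and not SAP or ERPScan code, of the server-side check that stops the request above before the XML engine resolves &date;: a SOAP endpoint has no reason to accept an inline DOCTYPE, so the document is rejected outright and the SYSTEM identifiers of any declared external entities are reported for the SOC. The sample document is constructed from the entity name and URL shown on the slide; the root element name foo and the benign message are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Added example, not ERPScan code: the inline-DTD check a SOAP endpoint can apply
# before handing an untrusted document to its XML parser.

# Constructed from the entity name and URL on the slide; the root element name
# "foo" is an assumption. In an engine that resolves external entities, &date;
# becomes a request from Server A to http://ServerB/ (the SSRF via XXE case).
XXE_SAMPLE = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE foo [\n'
    '  <!ENTITY date SYSTEM "http://ServerB/">\n'
    ']>\n'
    '<foo>&date;</foo>\n'
)

# Constructed benign message of the shape the endpoint is meant to accept.
BENIGN_SAMPLE = '<?xml version="1.0"?><foo><date>2012-11-01</date></foo>'

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b")
ENTITY_RE = re.compile(
    r'<!ENTITY\s+(?:%\s+)?(?P<name>[^\s>]+)\s+(?P<kind>SYSTEM|PUBLIC)\s+'
    r'(?P<q1>["\'])(?P<first>.*?)(?P=q1)'
    r'(?:\s+(?P<q2>["\'])(?P<second>.*?)(?P=q2))?'
)


class UnsafeXML(ValueError):
    """Raised when an untrusted document carries a DTD."""


def external_entities(doc: str):
    """List (entity name, URI) for every external entity declared inline.

    For PUBLIC entities the URI is the second literal; for SYSTEM it is the first.
    """
    found = []
    for m in ENTITY_RE.finditer(doc):
        uri = m["second"] if m["kind"] == "PUBLIC" else m["first"]
        found.append((m["name"], uri))
    return found


def parse_untrusted(doc: str) -> ET.Element:
    """Parse XML from an untrusted client, refusing any document with a DOCTYPE.

    Refusing the DOCTYPE as a whole also covers an external subset
    (<!DOCTYPE x SYSTEM "...">), which is fetched before any entity is even
    referenced, and it removes the entity-expansion DoS family along with
    XXE-based SSRF.
    """
    if DOCTYPE_RE.search(doc):
        raise UnsafeXML(
            f"DOCTYPE not accepted; external entities: {external_entities(doc)}")
    return ET.fromstring(doc)


def is_rejected(doc: str) -> bool:
    """True if parse_untrusted refuses `doc` (helper for checks)."""
    try:
        parse_untrusted(doc)
    except UnsafeXML:
        return True
    return False


if __name__ == "__main__":
    print("entities in sample:", external_entities(XXE_SAMPLE))
    print("XXE sample rejected:", is_rejected(XXE_SAMPLE))
    print("benign sample date:", parse_untrusted(BENIGN_SAMPLE).find("date").text)
```

The pre-parse check is a gate, not a substitute for parser hardening: the parser behind it should still be configured not to load external entities or external DTDs, so that a document reaching it by another path gets the same treatment.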
XXE Tunneling to Buffer Overflow (Result)
Server A on the Internet (SAP XI)
POST /XISOAPAdapter/servlet/com.sap.aii.af.mp.soap.web.DilbertMSG?format=post HTTP/1.1
Host: sapserver.com:80