Avoiding Compliance Issues in ABAP code - Virtual Forge

Andreas WiegensteinDr. Markus SchumacherPPT Avoiding Masterfolie Compliance Issues in ABAP codezur Erstellung von Präsentationen„Daimler ITM/S Global Information Security Conference“, 23. - 25. April, Stuttgart© 2012 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.

DisclaimerPPT Masterfoliezur Erstellung von PräsentationenThis session shows security risks in the ABAP programming language.The fact that certain security defects can occur in ABAP does notnecessarily imply that such defects exist in SAP standard code.However, Virtual Forge has found all security defects discussed in thissession in code written by SAP customers.© 2012 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.

My car, my house, my boat, …AndreasPPT MasterfolieWiegensteinzur Erstellung von Präsentationen• Founder of Virtual Forge (Heidelberg), responsible for Research &Development• SAP Security Researcher, active since 2003• Received Credits from SAP for more than 20 reported 0-day Vulnerabilities• Frequent Speaker at international Conferences• SAP TechEd 2004 (USA & Europa) / 2005 (USA) / 2006 (USA), DSAG 2009• BlackHat 2011 (Europe), Hack in the Box 2011 (Europe)• Troopers 2011 / 2012, RSA 2012 (USA)• Co-Author of „Sichere ABAP Programmierung" (SAP Press)• Training Class WDESA3 @ SAP University© 2012 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.

„Our SAP systems are secure…“PPT Masterfoliezur Erstellung von Präsentationen„…and this is our ABAP security department.“© 2012 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.

The Attack Surface of ABAPPPT Masterfoliezur Erstellung von Präsentationen© 2012 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.

SAP ALL in 5 Minutes… (Part 1)PPT Masterfoliezur Erstellung von PräsentationenDEMO© 2012 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.

ABAP Vulnerabilities (1a)AuthorizationsREPORT PPT MasterfolieZFT.DATA lv_msg TYPE string.zur Erstellung von PräsentationenAUTHORITY-CHECK OBJECT 'S_DEVELOP'ID 'DEVCLASS' FIELD '*'ID 'OBJTYPE' FIELD 'PROG'ID 'OBJNAME' FIELD 'ZTEST'ID 'ACTVT'FIELD '02'.CONCATENATE 'No authority in ' SY-REPID INTO lv_msg.IF sy-subrc 0.WRITE : / lv_msg.EXIT.ENDIF.© 2012 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.

ABAP Vulnerabilities (1b)AuthorizationsREPORT PPT MasterfolieZFT.DATA lv_msg TYPE string.zur Erstellung von PräsentationenAUTHORITY-CHECK OBJECT 'S_DEVELOP'ID 'DEVCLASS' FIELD 'ZHR'ID 'OBJTYPE' FIELD 'PROG'ID 'OBJNAME' FIELD 'ZTEST'ID 'P_GROUP' FIELD DUMMYID 'ACTVT'IF sy-subrc 0.FIELD '02'.CONCATENATE 'No authority in ' SY-REPID INTO lv_msg.WRITE : / lv_msg.EXIT.ENDIF.Meaningful restrictionID intentionally ignoredsy-subrc correclty checked© 2012 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.

ABAP Vulnerabilities (1c)AuthorizationsPPT Masterfoliezur Erstellung von Präsentationen* Proprietary Authorization CheckIF sy-uname NE 'WIEGENSTEINA'.ENDIF.RAISE no_authority.© 2012 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.

ABAP Risks (2)Client SeparationPPT Masterfoliezur Erstellung von PräsentationenSAP maintains multiple ClientsClient SeparationClient 007Client 023Client 042© 2010 Virtual Forge GmbH. All rights reserved.Risks• Cross-client Access to Business Data© 2012 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.

ABAP Vulnerabilities (2)Client SeparationPPT Masterfolie* OPEN SQLzur Erstellung von PräsentationenDELETE FROM usr02 CLIENT SPECIFIED.* Native SQLEXEC SQL.DELETE FROM usr02.ENDEXEC.* ABAP Database Connectivity (ADBC)CALL FUNCTION 'DB_EXECUTE_SQL'EXPORTINGstmt = 'DELETE FROM usr02'.© 2012 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.

ABAP Risks (3)Development ProcessPPT Masterfoliezur Erstellung von PräsentationenControlled Development & Quality AssuranceSystem SeparationTransportTransportDEV TEST PROD© 2010 Virtual Forge GmbH. All rights reserved.Risks• Bypassing Quality Assurance• Developing Code on the Productive System© 2012 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.

ABAP Vulnerabilities (3)Development ProcessPPT MasterfoliePARAMETERS lv_name TYPE string.zur Erstellung von PräsentationenIF sy-sysid = 'PFI'.Code only runs on Prod-Systemlt_prog = 'REPORT ZFT.'. APPEND lt_prog.CONCATENATE `DATA lv_tmp(80) TYPE c VALUE '`lv_name `'.` INTO lt_prog. APPEND lt_prog.lt_prog = 'WRITE / lv_tmp.'. APPEND lt_prog.INSERT REPORT 'ZFT' FROM lt_prog.SUBMIT ('ZFT').Development withoutABAP WorkbenchENDIF.© 2012 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.

ABAP Risks (4)Operating System CommandsPPT Masterfoliezur Erstellung von PräsentationenControlled Execution of Operating System CommandsControlled Operating System (OS) Command ExecutionABAP OS CallSM49 / SM69CommandProgramOS Command'LIST'LISTPINGlsping'ls'X_PYTHONx_pythonOS© 2010 Virtual Forge GmbH. All rights reserved.SAP Standard Function Modules• SXPG_CALL_SYSTEM• SXPG_COMMAND_EXECUTERisks• Insecure Alternatives© 2012 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.

ABAP Vulnerabilities (4)Operating System CommandsPPT Masterfolie1. Kernel callszur Erstellung von PräsentationenCALL 'SYSTEM' ID 'COMMAND' FIELD 'net.exe user test pass /add'ID 'TAB'FIELD rt-*sys*.2. Filter option in OPEN DATASETOPEN DATASET lv_fileFOR OUTPUTIN TEXT MODE ENCODING DEFAULTFILTER 'format c:'.3. Residual Risks© 2012 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.

General Problems in ABAP SecurityPPT Masterfoliezur Erstellung von Präsentationen• No Precedent (ABAP Hack) in the press• Managers and Developers lack Awareness• Very large amounts of custom Code• Massive Legacy Problems• No central Responsibility in Corporations• ABAP Security is a an S.E.P. (Someone Else’s Problem)• Quality of 3 rd Party Code not transparent• Backdoors & Security Defects are Part of the Delivery• Missing Know-How• No Guidelines, No Trainings, No Test Tools© 2012 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.

2. PPT Compliance Masterfolie Riskszur Erstellung von Präsentationen© 2012 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.

ABAP Security in a Compliance ContextICS-Structure PPT Masterfoliein the ERP Environmentzur Erstellung von PräsentationenIT General Controls (ITGC)Change ManagementABAP CodeBusiness Risks regardingCompletenessCorrectnessSegregation of DutiesRightsNon-Repudiation …Data Protection© 2012 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.

ABAP Code RisksExemplary technical Defects• PPT Unauthorized Masterfolie Execution of Business Logiczur Erstellung von Präsentationen• Authorization Defects, ABAP Command Injection, OS Command Injection• Unauthorized read Access to Business and Configuration Data• OSQL Injection, Cross-Client DB Access, Directory Traversal, ABAP Command Injection• Unauthorized write Access to Business and Configuration Data• OSQL Injection, ADBC Injection, Directory Traversal, ABAP Command Injection• Jeopardizing the Availability of the System• ADBC Injection, OS Command Injection, Directory Traversal, ABAP Command Injection• Adverse Effects on Non-Repudiation• ADBC Injection, ABAP Command Injection• Identity Theft• Alias Authorizations, Cross-Site Scripting, Cross-Site Request Forgery© 2012 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.

Check List BIZEC APP/11The most common Security Defects in ABAP ProgramsID PPT MasterfolieDefect Descriptionzur Erstellung von PräsentationenAPP-01 ABAP Command Injection Execution of arbitrary ABAP CodeAPP-02 OS Command Injection Execution of arbitrary Operating System CommandsAPP-03Improper Authorization(Missing, Broken, Proprietary, Generic)Missing or erroneous Authorization ChecksAPP-04 Generic Module Execution Unauthorized Execution of Modules (Reports, FuMo, etc.)APP-05 Cross-Client Database Access Cross-Client Access to Business DataAPP-06 SQL Injection Malicious Manipulation of Database CommandsAPP-07 Unmanaged SQL Usage of native SQL CommandsAPP-08 Cross-Site Scripting Manipulation of Browser UI, Authorization TheftAPP-09 Cross-Site Request Forgery Execution of Business Logic in the Name of a different User.APP-10 File Upload (Malware) Storage of malicious Files on an SAP ServerAPP-11 Directory Traversal Unauthorized read/write Access to Files (SAP Server)© 2012 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.

Risks of SQL Injection (APP-06)Exemplary Analysis of a technical Risk• PPT Illegal MasterfolieAccess to data of another SAP Client• zur Manipulation Erstellung of User von Accounts Präsentationenand Authorizations (SOX Violation)• E.g. assign SAP_ALL Rights to unauthorized Users• Undocumented Changes to critical Tables (SOX Violation)• No Entries in CDHDR, CDPOS, …• Read Access to HR Data (Violation of Data Protection Law)• E.g. Social Security Number (PA0002-PERID)• Access to Credit Card Data (PCI/DSS Violation)• E.g. BSEGC-CCNUM• Access to Bank Account Data of Customers and Suppliers• E.g. Customer Bank Data (KNBK-BANKN)• Manipulation von financial Data (SOX Violation)• E.g. Manipulation of Table BSEG© 2012 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.

SAP ALL in 5 Minutes (Part 2)PPT Masterfoliezur Erstellung von PräsentationenDEMO© 2012 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.

3. PPT ABAP Masterfolie Security at the Process Levelzur Erstellung von Präsentationen© 2012 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.

Secure Development Process (SDP)PPT Masterfoliezur Spezification Erstellung Design von PräsentationenImplementationTestingGoing LiveTools© 2012 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.

The SDP Maturity ModelPPT Masterfoliezur Erstellung von PräsentationenThe SDP Maturity Model determines, to what degree an organization appliesMethods and (automated) Tools, in order to ensure the Quality of its DevelopmentProcess.SpezificationDesignImplementationTestingGoing Live• Ad-Hoc• Quality is a reactive Process• Minimal• Basic Awareness for Quality, but only minimal Application of Tests• Without Feedback• Established Process, but Feedback/Results not used in order to improve it• Planned and controlled• Code-Quality is considered from the Beginning• There are sufficient Metrics in order to supervise the Process• The Process is enhanced, whenever necessary© 2012 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.

ChallengesPPT Masterfolie• zur Management Erstellung von Support Präsentationen• Responsibility, Budget• Dealing with Legacy Problems• What must be corrected, what is a residual Risk ?• Developer Acceptance of the Process• Tolerant Introduction Phase• Support for Mitigations© 2012 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.

4. PPT Practical Masterfolie ABAP Securityzur Erstellung von Präsentationen© 2012 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.

Internal ABAP DevelopmentPPT Masterfoliezur Erstellung von Präsentationen• Central Requirements for secure ABAP Development• Security as Part of the Project• Time and Budget Planning• Mandatory Training for all Developers• Development Guidelines as Reference• Peer-Reviews• Internal Expert-Team for Questions• Test Tools• Regular Updates of all Information• Manual Penetration Testing© 2012 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.

Externe ABAP DevelopmentPPT Masterfoliezur Erstellung von Präsentationen• Central Requirements in the Call for Tenders• General contractual Conditions (Liability etc)• Tests on all external Code• Extensive manual Penetration Testing© 2012 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.

Automated Tests• Tool should have Focus on Security & CompliancePPT Masterfoliezur Erstellung von Präsentationen• Potential Synergies in other Test Domains should be leveraged• Data- and Control-Flow Analysis is important• Otherwise False-Positive Rate will be high• Performance und Scalability are important Factors• How often is new Test-Content delivered?• Explanations for Findings should be detailed and comprehensive• What is the Problem? How is it solved?• Integration into the Development Landscape / Workbench• TMS, ChaRM, SE80, …• Is SAP-specific Context considered?• Critical Tables, dangerous Kernel Calls, …© 2012 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.

ABAP Security ResourcesPPT Masterfoliezur Erstellung von PräsentationenOrganizationsBIZEC – Business Security Initiativehttp://www.bizec.orgLiteratureSichere ABAP-Programmierung(SAP PRESS, 372 S., 2009)Andreas Wiegenstein, Markus Schumacher,Sebastian Schinzel, Frederik WeidemannHandbuch SAP-Revision(SAP PRESS, 672 S., 2011)Maxim Chuprunov© 2012 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.

Questions?PPT Masterfoliezur Erstellung von PräsentationenVIRTUALFORGE GmbHAndreas.Wiegenstein@virtualforge.deSpeyerer Straße 669115 HeidelbergDeutschlandTelefon: + 49 (0) 6221 86 89 0 - 0Fax: + 49 (0) 6221 86 89 0 - 101© 2012 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.