<?xml version="1.0" encoding="windows-1251"?>
<rss version="2.0"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:media="http://search.yahoo.com/mrss/">
<channel>
<link>http://dsecrg.com/pages/news/</link>
<title>Digital Security Research Group: News</title>
<item>
<link>http://dsecrg.com/pages/news/show.php?id=88</link>
<guid>http://dsecrg.com/pages/news/show.php?id=88</guid>
<title>ERPScan researchers guard Adobe</title>
<description>&lt;div align=&quot;justify&quot;&gt;&lt;p&gt;Adobe, the global leader in digital marketing and digital media solutions, &lt;a href=&quot;http://www.adobe.com/support/security/bulletins/securityacknowledgments.html&quot;&gt;thanks&lt;/a&gt; &lt;b&gt;Dmitry Chastukhin&lt;/b&gt;, &lt;b&gt;ERPScan&lt;/b&gt; lead assessor, for the dangerous vulnerabilities that he has found at &lt;a href=&quot;http://www.adobe.com&quot;&gt;Adobe.Com&lt;/a&gt; in the framework of research conducted by Digital Security Research Group, a subdivision of &lt;b&gt;ERPScan&lt;/b&gt;.&lt;/p&gt;&lt;p&gt;
The website contained several vulnerabilities which allow compromising user accounts and getting additional information about the system so that an attacker could devise specific attack vectors with the gathered data. A possibility of injecting malicious code into the web page was also revealed, which would do serious harm to the public image of the company if exploited. In the course of one of the possible attacks, a hacker could replace legitimate content with malware, so that downloading a regular Adobe Flash Player update would lead to infection of millions of PCs worldwide. Thanks to &lt;b&gt;ERPScan&lt;/b&gt; researchers, no hacker can exploit the security breach anymore.&lt;/p&gt;&lt;p&gt;
&#8220;&lt;i&gt;I hope other world-famous corporations like Adobe will follow suit and pay more attention to the security of their web sites. A web representation of company as a basis for their reputation must be undervalued&lt;/i&gt;&#8221;, Dmitry comments on his findings.&lt;/p&gt;&lt;/div&gt;
&lt;hr&gt;Digital Security Research Group &amp;mdash; &lt;a href=&quot;http://dsecrg.com&quot;&gt;www.dsecrg.com&lt;/a&gt;&lt;br&gt;Rss: &lt;a href=&quot;http://feeds2.feedburner.com/dsecrg_vuln&quot;&gt;Vulnerabilities&lt;/a&gt;, &lt;a href=&quot;http://feeds2.feedburner.com/dsecrg_expl&quot;&gt;Exploits&lt;/a&gt;, &lt;a href=&quot;http://feeds2.feedburner.com/dsecrg_news&quot;&gt;News&lt;/a&gt;, &lt;a href=&quot;http://feeds2.feedburner.com/dsecrg_pub&quot;&gt;Publications&lt;/a&gt;, &lt;a href=&quot;http://feeds2.feedburner.com/dsecrg_sum&quot;&gt;Summary&lt;/a&gt;</description>
</item>
<item>
<link>http://dsecrg.com/pages/news/show.php?id=87</link>
<guid>http://dsecrg.com/pages/news/show.php?id=87</guid>
<title>ERPScan has released a new version of Security Scanner for SAP: ERPScan v2.0</title>
<description>&lt;a href=&quot;http://erpscan.com/wp-content/uploads/2012/04/ERPScan-SAP-2.png&quot;&gt;&lt;img src=&quot;http://erpscan.com/wp-content/uploads/2012/04/ERPScan-SAP-2-300x83.png&quot; alt=&quot;&quot; title=&quot;ERPScan-SAP 2&quot; width=&quot;300&quot; height=&quot;83&quot; class=&quot;alignnone size-medium wp-image-2709&quot; /&gt;&lt;/a&gt;
&lt;br&gt;
&lt;div align=&quot;justify&quot;&gt;&lt;p&gt;ERPScan company, one of the key players in ERP security, has released ERPScan Security Scanner for SAP 2.0 &amp;ndash; a complex solution to continuously monitor all areas of SAP security, from vulnerability assessment and misconfigurations to ABAP code review and analysis of business-critical privileges.&lt;/p&gt;&lt;p&gt;

One of the most significant changes is a new module which performs static security analysis of ABAP code. It makes ERPScan the only solution on the market which does both platform security assessment and code review. We have also significantly increased the number of anonymous checks which can be performed in penetration testing mode to help companies identify issues without using credentials in the system. The new engine can perform audit and compliance checks not just through RFC &amp;ndash; it allows a complete scan through the web interface, which is a great feature for external penetration tests and can make pen-testers&#8217; lives easier.&lt;/p&gt;


&lt;p&gt;
&#8220;&lt;em&gt;Today, almost all critical operations like procurements, stock resources management, human resources management, financial reports and much more, and all the data related to them, are stored in SAP system. This is why the main target for an insider or an external attacker would be to gain illicit access to SAP with the purpose of malicious manipulation of company resources. In spite of the increasing popularity of ERP systems security in the security community, companies are still vulnerable to cybercriminal and insider attacks. At this moment SAP has released more than 2000 Security notes closing various vulnerabilities, which is quite a lot, especially if you keep in mind that sometimes it is enough to get access to all business critical data through only one issue. An example was presented at BlackHat last summer. On the other side, almost every company develops custom ABAP code which can also have vulnerabilities and backdoors left by developers&lt;/em&gt;&#8221;, said &lt;strong&gt;Alexander Polyakov&lt;/strong&gt;, CTO of ERPScan.

&lt;/p&gt;

&lt;p&gt;
Using ERPScan, all kinds of customers can decrease their expenses and get different benefits.&lt;/p&gt;&lt;p&gt;

&lt;ul&gt;
	&lt;li&gt;Consulting companies can save time and resources. ERPScan allows them to significantly simplify the task of assessment by automating most of the ordinary checks, so auditors can pay more attention to the analysis of the customized part. Moreover, the unique database of checks gives consulting companies competitive advantages.&lt;/li&gt;

	&lt;li&gt;CISOs can effectively monitor security of SAP systems and prevent insider and hacker threats.&lt;/li&gt;

	&lt;li&gt;Penetration testers can easily perform black-box and white-box assessments of SAP with the largest knowledge base in the world and 0-day vulnerabilities.&lt;/li&gt;

	&lt;li&gt;SAP team can manage business-critical authorizations and control development by applying preventive measures.&lt;/li&gt;
&lt;/ul&gt;

&lt;/p&gt;&lt;p&gt;


&#8220;&lt;em&gt;SAP security assessment, according to our experience, usually takes quite a long time. Additionally, the complexity of the system and the large amount of different installation types require the participation of specialists from various fields of security. Even the application server may have either ABAP or Java platform, and they require completely different specialists, not to mention particular applications and modules. ERPScan allows you to significantly simplify the task of assessment by automating most of the ordinary checks, so you can pay more attention to the analysis of the customized part&lt;/em&gt;&#8221;, said &lt;strong&gt;Alexander Polyakov&lt;/strong&gt;.
&lt;/p&gt;&lt;p&gt;
More new functions:&lt;/p&gt;&lt;p&gt;

&lt;ul&gt;
	&lt;li&gt;Support of different web application types (bsp/iviews/jsp/webservices/webdynpro&#8217;s)&lt;/li&gt;


	&lt;li&gt;More than 5000 different checks covering misconfigurations, vulnerabilities, access to web-applications; search for 50 different types of vulnerabilities in ABAP code&lt;/li&gt;


	&lt;li&gt;Elaborated black-box vulnerability assessment&lt;/li&gt;

	&lt;li&gt;Cataloguing of SAP systems and services&lt;/li&gt;
&lt;/ul&gt;


&lt;/p&gt;&lt;p&gt;

&#8220;&lt;em&gt;Earlier, you needed to implement many different solutions to secure SAP from threats, now it is all in one place&lt;/em&gt;&#8221;, said &lt;strong&gt;Ilya Medvedovsky&lt;/strong&gt;, CEO of ERPScan.&lt;/p&gt;&lt;/div&gt;</description>
</item>
<item>
<link>http://dsecrg.com/pages/news/show.php?id=86</link>
<guid>http://dsecrg.com/pages/news/show.php?id=86</guid>
<title>Installation of vendor's patch does not always guarantee security</title>
<description>&lt;p&gt;
Experts from &lt;a href=&quot;http://www.erpscan.com&quot;&gt;ERPScan Company&lt;/a&gt;, specialized in business applications security and SAP security, found out that even well-timed installation of a vendor&#8217;s patch does not always guarantee security because the fixes are not always correct. In 2011, three critical patches from key software vendors like SAP, IBM and VMware actually did not fix, or did not completely fix, vulnerabilities that ERPScan or other researchers had found in their products. This allows potential attackers to continue exploiting the vulnerabilities, whereas most scanners and auditors would say that the problem no longer exists because the patch is installed.&lt;/p&gt;
&lt;p&gt;At the BlackHat Europe conference held from March 14 to March 16, &lt;b&gt;Alexey Sintsov&lt;/b&gt;, head of information security audit department in &lt;a href=&quot;http://www.erpscan.com&quot;&gt;ERPScan Company&lt;/a&gt;, shared his experience in penetration testing and presented the results of a recently conducted &lt;a href=&quot;http://erpscan.com/wp-content/uploads/2012/03/bh-eu-12-Sintsov-Lotus_Domino-WP.pdf&quot;&gt;research&lt;/a&gt; of Lotus Domino security.&lt;/p&gt;&lt;p&gt;
His presentation addressed how companies often lack the time, and frequently the desire, to dig into the details of existing vulnerabilities in order to exploit them, and how this often impairs the quality of their work.&lt;/p&gt;&lt;p&gt;
In the demonstration, a private vulnerability in Lotus Domino was quite quickly disassembled, the resulting exploit used, the existing patch bypassed and a critical 0-day vulnerability found. The result was an attack on the Domino Controller service (the Lotus Domino administration service) which allows full server compromise.&lt;/p&gt;&lt;p&gt;
Vulnerable services were also exposed which, one would suppose, should not be accessible from the Internet. Moreover, in the course of the research, services with the 0-day vulnerability and even older vulnerabilities were found on the USA government servers (the .gov domain), on the servers of Russian universities and, curiously enough, even in the corporate network of IBM itself.&lt;/p&gt;&lt;p&gt;
Thus, it can be concluded that penetration threats are quite easily realized against pretty much any network; even governments and corporate giants are vulnerable to attacks from the Internet, such as those made by LulzSec and Anonymous.&lt;/p&gt;
&lt;p&gt; Links to vulnerabilities:&lt;/p&gt;
  Vulnerability in IBM Lotus (&lt;a href=&quot;http://www.zerodayinitiative.com/advisories/ZDI-11-110/&quot;&gt;ZDI&lt;/a&gt;)&lt;br&gt;
  Vulnerability in VMware (&lt;a href=&quot;http://dsecrg.com/pages/vul/show.php?id=342&quot;&gt;Advisory&lt;/a&gt;, &lt;a href=&quot;http://www.vmware.com/security/advisories/VMSA-2011-0014.html&quot;&gt;Vendor&#8217;s patch&lt;/a&gt;)&lt;br&gt;
  Vulnerabilities in SAP (&lt;a href=&quot;http://erpscan.com/advisories/dsecrg-11-039-sap-netweaver-th_grep-module-code-injection-vulnerability-new/&quot;&gt;Advisory&lt;/a&gt;,
&lt;a href=&quot;https://service.sap.com/sap/support/notes/1580017&quot;&gt;New patch&lt;/a&gt;,
&lt;a href=&quot;https://service.sap.com/sap/support/notes/1433101&quot;&gt;Old patch&lt;/a&gt;); another one is still being patched again.&lt;/p&gt;&lt;p&gt;
Alexey&#8217;s presentation can be found &lt;a href=&quot;http://erpscan.com/wp-content/uploads/2012/03/bh-eu-12-Sintsov-Lotus_Domino-Slides.pdf&quot;&gt;here&lt;/a&gt;.&lt;/p&gt;
</description>
</item>
<item>
<link>http://dsecrg.com/pages/news/show.php?id=85</link>
<guid>http://dsecrg.com/pages/news/show.php?id=85</guid>
<title>SAP critical patch update March 2012</title>
<description>&lt;p&gt;&lt;a href=&quot;http://www.sap.com/&quot;&gt;SAP&lt;/a&gt; has released its monthly critical patch update for March 2012. This patch update closes many vulnerabilities in SAP products. This month, 2 vulnerabilities found by &lt;a href=&quot;http://www.dsecrg.com/&quot;&gt;ERPScan&lt;/a&gt; researchers Dmitriy Chastukhin and Alexey Tyurin were closed.&lt;/p&gt;

&lt;p&gt;Detailed list of corrected vulnerabilities is below:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt; An XSS vulnerability was found in SAP Portal. An attacker can use the XSS vulnerability by sending a link to a malicious script to an unaware user via e-mail, messaging or social networks. Thus, an attacker can gain access to the user session and gain control over business-critical information which can be accessed by the victim. Update is available in SAP Note 1656549. Criticality, according to CVSS, is 4.3.&lt;/li&gt;

&lt;li&gt; Missing authorization checks in an RFC function from the BASIS module. Update is available in SAP Note 1657891. Criticality, according to CVSS, is 2.3. An attacker can execute a vulnerable transaction, program or RFC function remotely without authentication because the authorization check is missing. It can lead to different threats, from information disclosure to full system compromise.&lt;/li&gt;&lt;/ul&gt;

&lt;p&gt;SAP has traditionally published acknowledgements for found vulnerabilities to security researchers from DSecRG on their &lt;a href=&quot;http://scn.sap.com/docs/DOC-8218&quot;&gt;  acknowledgement page&lt;/a&gt;.&lt;/p&gt;
 
&lt;p&gt;It is highly recommended to patch all those issues to prevent business risks.&lt;/p&gt;


&lt;p&gt;Advisories for those issues with technical details will be available within 3 months on &lt;a href=&quot;http://www.erpscan.com/&quot;&gt;ERPScan.com&lt;/a&gt; and also on &lt;a href=&quot;http://www.dsecrg.com/&quot;&gt;DSecRG.com&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Exploits will be available soon in &lt;a href=&quot;http://www.erpscan.com/&quot;&gt;ERPScan Security Scanner&lt;/a&gt; and ERPScan SaaS.&lt;/p&gt;</description>
</item>
<item>
<link>http://dsecrg.com/pages/news/show.php?id=84</link>
<guid>http://dsecrg.com/pages/news/show.php?id=84</guid>
<title>DSecRG supports Project BaseCamp by releasing WAGO PLC 0-day vulnerabilities</title>
<description>&lt;p&gt; One of the key events in SCADA and PLC security &amp;ndash; &lt;a href=&quot;http://www.digitalbond.com/s4&quot;&gt; the S4ICS symposium &lt;/a&gt; &amp;ndash; took place in Miami on January 18 to 19.&lt;/p&gt;&lt;p&gt;
Aside from several reports and SCADA security trainings, the results of a colossal &lt;a href=&quot;http://www.digitalbond.com/2012/01/19/project-basecamp-at-s4&quot;&gt; project&lt;/a&gt;, dedicated to research of vulnerabilities in industrial controllers, were presented to the symposium.&lt;/p&gt;&lt;p&gt;
The project was named Project Basecamp.
&lt;/p&gt;&lt;p&gt;
The following industrial controllers were examined:
&lt;/p&gt;&lt;p&gt;
&lt;ul&gt;
&lt;li&gt; General Electric D20ME &lt;/li&gt;
&lt;li&gt; Koyo/Direct LOGIC H4-ES &lt;/li&gt;
&lt;li&gt; Rockwell Automation/Allen-Bradley ControlLogix &lt;/li&gt;
&lt;li&gt; Rockwell Automation/Allen-Bradley MicroLogix &lt;/li&gt;
&lt;li&gt; Schneider Electric Modicon Quantum &lt;/li&gt;
&lt;li&gt; Schweitzer SEL-2032 (a communication module for relays) &lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt; The DSecRG researchers decided to support the project with their own independent research and added the WAGO 750 series controller to the list. They have also published a variety of 0-day vulnerabilities for this controller and for the SCADA systems WellinTech KingSCADA and OPC Systems.NET, to draw public attention to this problem once more.
&lt;/p&gt;&lt;p&gt;
The following links lead to the details about found vulnerabilities:&lt;/p&gt;
&lt;a href=&quot;http://dsecrg.com/pages/vul/show.php?id=401&quot;&gt;http://dsecrg.com/pages/vul/show.php?id=401&lt;/a&gt;&lt;br&gt;
&lt;a href=&quot;http://dsecrg.com/pages/vul/show.php?id=402&quot;&gt;http://dsecrg.com/pages/vul/show.php?id=402&lt;/a&gt;&lt;br&gt;
&lt;a href=&quot;http://dsecrg.com/pages/vul/show.php?id=403&quot;&gt;http://dsecrg.com/pages/vul/show.php?id=403&lt;/a&gt;&lt;br&gt;
&lt;a href=&quot;http://dsecrg.com/pages/vul/show.php?id=404&quot;&gt;http://dsecrg.com/pages/vul/show.php?id=404&lt;/a&gt;&lt;br&gt;
&lt;a href=&quot;http://dsecrg.com/pages/vul/show.php?id=405&quot;&gt;http://dsecrg.com/pages/vul/show.php?id=405&lt;/a&gt;&lt;br&gt;
&lt;a href=&quot;http://dsecrg.com/pages/vul/show.php?id=406&quot;&gt;http://dsecrg.com/pages/vul/show.php?id=406&lt;/a&gt;&lt;br&gt;
&lt;a href=&quot;http://dsecrg.com/pages/vul/show.php?id=407&quot;&gt;http://dsecrg.com/pages/vul/show.php?id=407&lt;/a&gt;
&lt;p&gt; The results of the Project BaseCamp research are available here:&lt;/p&gt;
&lt;a href=&quot;http://www.digitalbond.com/2012/01/19/project-basecamp-at-s4/&quot;&gt;http://www.digitalbond.com/2012/01/19/project-basecamp-at-s4/&lt;/a&gt;&lt;br&gt;
&lt;a href=&quot;http://www.wired.com/threatlevel/2012/01/scada-exploits/&quot;&gt;http://www.wired.com/threatlevel/2012/01/scada-exploits/&lt;/a&gt;&lt;br&gt;
&lt;a href=&quot;http://reversemode.com/downloads/logix_report_basecamp.pdf&quot;&gt;http://reversemode.com/downloads/logix_report_basecamp.pdf&lt;/a&gt;
</description>
</item>
<item>
<link>http://dsecrg.com/pages/news/show.php?id=71</link>
<guid>http://dsecrg.com/pages/news/show.php?id=71</guid>
<title>ERPScan Company enters the Google and Yandex Halls of Fame for work in information security</title>
<description>&lt;p&gt;&lt;a href=&quot;http://www.dsecrg.com/&quot;&gt;DSecRG &lt;/a&gt; researchers Dmitry Chastukhin and Alexey Sintsov were inducted into the Google Company Hall of Fame (&lt;a href=&quot;http://www.google.com/about/corporate/company/halloffame.html&quot;&gt;http://www.google.com/about/corporate/company/halloffame.html&lt;/a&gt;) within the vulnerability search section. The goal of the program is to recognize information security specialists who found and reported vulnerabilities in the web resources of Google.&lt;/p&gt;

&lt;p&gt;During the research, a very interesting and unique vulnerability in the Google Documents resource was found that allowed the addition of random Excel formulas into documents via Google Forms. Using this vulnerability, potential attackers can obtain critical data from user charts.&lt;/p&gt;

&lt;p&gt;Google specialists placed the vulnerability in the &#8220;elite&#8221; $1337 reward class, expressing their surprise and noting the originality of the attack vector found.&lt;/p&gt;

&lt;p&gt;Also, at the &lt;a href=&quot;http://www.zeronights.org/&quot;&gt;ZeroNights 2011 Conference &lt;/a&gt; the results of the &#8220;Month of searching for the vulnerabilities&#8221; competition from Yandex were summed up.&lt;/p&gt;

&lt;p&gt;Alexey Sintsov, the head of information security audit department at &lt;a href=&quot;http://www.erpscan.com/&quot;&gt;ERPScan&lt;/a&gt;, took second place and received $3000 as well as a place in the Yandex Hall of Fame.&lt;/p&gt;

&lt;p&gt;According to an agreement with Yandex, in two months we will be able to reveal the technical details of the vulnerability found.&lt;/p&gt;

&lt;p&gt;It is worth noting that Yandex became a pioneer of this kind of program in the Russian Internet segment and does not intend to stop at a single competition.&lt;/p&gt;

&lt;p&gt;&lt;i&gt;&#8220;By these awards, received for the researches, connected with searching for the vulnerabilities in the products of two leading searchers, we clearly demonstrated the highest level of our employees&#8217; qualification, who constantly sharpen their skills, including in the similar researches&#8221;&lt;/i&gt;, noted Ilya Medvedovsky, ERPScan CEO.&lt;/p&gt;</description>
</item>
<item>
<link>http://dsecrg.com/pages/news/show.php?id=70</link>
<guid>http://dsecrg.com/pages/news/show.php?id=70</guid>
<title>SAP critical patch update October 2011  </title>
<description>&lt;p&gt;&lt;a href=&quot;http://www.sap.com/&quot;&gt;SAP&lt;/a&gt; released its monthly critical patch update for October 2011. This patch update closes many vulnerabilities in SAP products. 6 of those vulnerabilities were found by different experts. Traditionally, Dmitry Evdokimov, &lt;a href=&quot;http://www.dsecrg.com/&quot;&gt;DSecRG&lt;/a&gt; researcher, is among them.&lt;/p&gt;
&lt;p&gt;SAP traditionally sent acknowledgements for found vulnerabilities to security researchers from DSecRG on their &lt;a href=&quot;http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a&quot;&gt; acknowledgement page&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Detailed list of corrected vulnerabilities is below:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt; XSS vulnerability. Update is available in SAP Note 1585652. Criticality according to CVSS is 4.3.
An attacker can use the XSS vulnerability by sending a link to a malicious script to an unaware user via e-mail, messaging or social networks. Thus, an attacker can gain access to the user session and gain control over business-critical information which can be accessed by the victim.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;It is highly recommended to patch all those issues to prevent business risks.&lt;/p&gt;
&lt;p&gt;Solutions for those issues are available in SAP Notes: 1585652&lt;/p&gt;
&lt;p&gt;Advisories for those issues with technical details will be available in 3 months on &lt;a href=&quot;http://www.erpscan.com/&quot;&gt;erpscan.com&lt;/a&gt; and also on &lt;a href=&quot;http://www.dsecrg.com/&quot;&gt;DSecRG.com&lt;/a&gt; site.&lt;/p&gt;
</description>
</item>
<item>
<link>http://dsecrg.com/pages/news/show.php?id=69</link>
<guid>http://dsecrg.com/pages/news/show.php?id=69</guid>
<title>SAPocalypse - concept of a new SAP worm will be presented at HITB Malaysia</title>
<description>&lt;p&gt;Two months have passed since the report on a critical vulnerability in SAP's J2EE engine was published. Though it is a serious vulnerability, some people underestimated it, pointing out that it affects only Java-based systems, which sometimes do not store critical data as ERP or BI do and are used to connect and integrate those systems.&lt;br&gt;&lt;br&gt;&lt;/p&gt;

&lt;p&gt;In a new report which will be presented at the &lt;a href=&quot;http://conference.hitb.org/hitbsecconf2011kul/&quot;&gt;HITB&lt;/a&gt; conference in Malaysia, &lt;a href=&quot;http://www.erpscan.com/&quot;&gt;ERPScan&lt;/a&gt; specialists will show a prototype of a new worm code-named SAPocalypse. It will use a vulnerability in an SAP NetWeaver Java server available via the Internet and then connect to the linked ABAP servers in the internal network, where ERP, CRM, BI and other applications can be installed. After that, the virus steals critical data, and data for connecting to other linked servers, from these systems. Given the deep integration of business processes and the resulting multiple connections over internal links, this makes it possible to get into almost any corporate system via a single vulnerable one.&lt;br&gt;&lt;br&gt;&lt;/p&gt;

&lt;a href=&quot;http://conference.hitb.org/hitbsecconf2011kul/?page_id=1806&quot; title=&quot;http://conference.hitb.org/hitbsecconf2011kul/?page_id=1806&quot;&gt;&lt;/a&gt;</description>
</item>
<item>
<link>http://dsecrg.com/pages/news/show.php?id=68</link>
<guid>http://dsecrg.com/pages/news/show.php?id=68</guid>
<title>Whitepaper &quot;Python arsenal for Reverse Engineering&quot; has been updated to version 1.0</title>
<description>We are happy to announce that the whitepaper &lt;a href=&quot;http://dsecrg.com/pages/pub/show.php?id=39&quot;&gt;Python arsenal for Reverse Engineering&lt;/a&gt; has been updated to version 1.0.&lt;br&gt;&lt;br&gt; New interesting projects have been added.
</description>
</item>
<item>
<link>http://dsecrg.com/pages/news/show.php?id=67</link>
<guid>http://dsecrg.com/pages/news/show.php?id=67</guid>
<title>DSecRG researchers took part in Brucon conference and conducted a meeting with SAP.</title>
<description>&lt;p&gt;&lt;a href=&quot;http://www.dsecrg.com/&quot;&gt;DSecRG&lt;/a&gt; specialists took part in the &lt;a href=&quot;http://2011.brucon.org/index.php/Main_Page&quot;&gt;Brucon&lt;/a&gt; conference, which was held on September 19-20 in Brussels (Belgium). An updated talk, devoted to software and architectural vulnerabilities in the J2EE engine of the SAP NetWeaver platform, was presented at the conference. Two new vulnerabilities were presented, which allow unauthorized disclosure of user names in the system and scanning of a company&#8217;s internal network via servers available on the Internet.&lt;/p&gt;
&lt;p&gt;After the conference there was a meeting with the Security Response Team of &lt;a href=&quot;http://www.sap.com/&quot;&gt;SAP&lt;/a&gt; Company on cooperation in finding and remediating vulnerabilities. Closer cooperation of DSecRG specialists with the development team and the Response Team at the stages of closing vulnerabilities and testing patches will reduce the time needed to publish critical updates.&lt;/p&gt;
&lt;p&gt;Slides from the Brucon presentation are available on our web site in the &lt;a href=&quot;http://erpscan.com/presentations/presentation-a-crushing-blow-at-the-heart-of-sap-j2ee-engine-version-1-1-from-brucon-2011/&quot;&gt;presentations&lt;/a&gt; section.&lt;/p&gt;
</description>
</item>
<item>
<link>http://dsecrg.com/pages/news/show.php?id=66</link>
<guid>http://dsecrg.com/pages/news/show.php?id=66</guid>
<title>ERPScan appeared at the SecurityByte conference</title>
<description>&lt;p&gt;Researchers from &lt;a href=&quot;http://erpscan.com&quot;&gt; ERPScan&lt;/a&gt; took part in the largest information security conference in India - &lt;a href=&quot;http://www.securitybyte.org/&quot;&gt; SecurityByte&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;The SecurityByte information security conference was held from 6 to 9 September in the Indian Silicon Valley, Electronic City (a suburb of Bangalore).&lt;/p&gt;
&lt;img src=&quot;http://dsec.ru/images/dsec1.JPG&quot; width=&quot;669&quot; height= &quot;446&quot; border=&quot;0&quot; align=&quot;center&quot; /&gt;
&lt;p&gt;Senior managers from RSA, (ISC)2 and EC-Council, well-known persons such as Whitfield Diffie (pioneer of public-key cryptography), and also such Indian top officials as the Karnataka state governor and an Indian army general were invited.&lt;/p&gt;
&lt;img src=&quot;http://dsec.ru/images/dsec2.JPG&quot; width=&quot;669&quot; height= &quot;446&quot; border=&quot;0&quot; align=&quot;center&quot; /&gt;

&lt;p&gt;ERPScan Company took part in a section of reports, trainings and round tables.&lt;/p&gt;
&lt;p&gt;Alexander Polyakov made a presentation about the security of the SAP J2EE engine, and also conducted a one-day training on hacking and security of SAP systems. Remarkably, one of the developers of the vulnerable application attended this presentation. Moreover, Alexander took part in a round table devoted to the security of mobile devices.&lt;/p&gt;
&lt;img src=&quot;http://dsec.ru/images/dsec3.JPG&quot; width=&quot;669&quot; height= &quot;446&quot; border=&quot;0&quot; align=&quot;center&quot; /&gt;

&lt;p&gt;As a reminder, to help secure SAP against the attacks presented, ERPScan developed a free utility, &lt;a href=&quot;http://erpscan.com/products/erpscan-webxml-checker/&quot;&gt;ERPScan web.xml checker&lt;/a&gt;, which is a part of &lt;a href=&quot;http://erpscan.com&quot;&gt;ERPScan security scanner for SAP&lt;/a&gt; and checks the J2EE security settings of SAP applications for 9 different configuration mistakes. It can help administrators set up the system securely on their own and understand where the gaps are.&lt;/p&gt;
&lt;p&gt;ERPScan's next appearances will be at:&lt;/p&gt;

&lt;p&gt;19 September &ndash; &lt;a href=&quot;http://2011.brucon.org/index.php/Main_Page&quot;&gt;Brucon&lt;/a&gt; (Belgium, Brussels);&lt;/p&gt;
&lt;p&gt;28-30 September &ndash; &lt;a href=&quot;http://www.infosecurityrussia.ru/&quot;&gt;InfosecurityRussia&lt;/a&gt; (Russia, Moscow);&lt;/p&gt;
&lt;p&gt;12 October &ndash; &lt;a href=&quot;http://conference.hitb.org/hitbsecconf2011kul/&quot;&gt;HITB KUL&lt;/a&gt; (Malaysia, Kuala Lumpur);&lt;/p&gt;
&lt;p&gt;27 October &ndash; &lt;a href=&quot;http://www.hackerhalted.com/2011/&quot;&gt;Hacker Halted&lt;/a&gt; (USA, Miami).&lt;/p&gt;
</description>
</item>
<item>
<link>http://dsecrg.com/pages/news/show.php?id=65</link>
<guid>http://dsecrg.com/pages/news/show.php?id=65</guid>
<title>SAP critical patch update september 2011</title>
<description>&lt;p&gt;&lt;a href=&quot;http://www.sap.com/&quot;&gt;SAP&lt;/a&gt; released its monthly critical patch update for September 2011. This patch update closes about 70 vulnerabilities in SAP products. 17 of those vulnerabilities were found by various experts. As usual, &lt;a href=&quot;http://www.dsecrg.com/&quot;&gt;DSecRG&lt;/a&gt; researchers are among them: Alexander Polyakov, Alexey Tuyrin and Evgeniy Neyolov found 3 vulnerabilities.&lt;/p&gt;
&lt;p&gt;As usual, SAP used its &lt;a href=&quot;http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a&quot;&gt;acknowledgement page&lt;/a&gt; to thank the security researchers from DSecRG for the vulnerabilities they found.&lt;/p&gt;

&lt;p&gt;A detailed list of the fixed vulnerabilities is below:&lt;/p&gt;
&lt;p&gt;&bull;	The most critical vulnerability is a bypass of the authentication and authorization mechanisms in one of the web applications. The update is available in SAP Note 1567389. Criticality according to CVSS is 6.4.&lt;/p&gt;
&lt;p&gt;&bull;	XSS vulnerability. The update is available in SAP Note 1591749. Criticality according to CVSS is 4.3.&lt;/p&gt;
&lt;p&gt;&bull;	SMBrelay vulnerability in one of the reports. The update is available in SAP Note 1591146. Criticality according to CVSS is 3.4.&lt;/p&gt;
&lt;p&gt;It is highly recommended to patch all those issues to prevent business risks.&lt;/p&gt;
&lt;p&gt;Solutions for those issues are available in SAP Notes: 1567389, 1591749, 1591146.&lt;/p&gt;
&lt;p&gt;Advisories for those issues with technical details will be available in 3 months on &lt;a href=&quot;http://www.erpscan.com/&quot;&gt;erpscan.com&lt;/a&gt; and also on the &lt;a href=&quot;http://www.dsecrg.com/&quot;&gt;DSecRG.com&lt;/a&gt; site.&lt;/p&gt;
</description>
</item>
<item>
<link>http://dsecrg.com/pages/news/show.php?id=64</link>
<guid>http://dsecrg.com/pages/news/show.php?id=64</guid>
<title>ERPScan warns about new vulnerabilities of DIAG protocol in SAP</title>
<description>&lt;p&gt;SAP security is gathering pace as a topic at hacker conferences. At the recent &lt;a href=&quot;http://www.44con.com/&quot;&gt;44con&lt;/a&gt; conference, employees of &lt;a href=&quot;http://www.sensepost.com/&quot;&gt;Sensepost&lt;/a&gt; turned to the security of &lt;a href=&quot;http://www.sap.com/index.epx&quot;&gt;SAP&lt;/a&gt; client applications, continuing research started earlier by &lt;a href=&quot;http://www.dsecrg.com/&quot;&gt;DSecRG&lt;/a&gt; researchers. In their presentation, the &lt;a href=&quot;http://www.sensepost.com/&quot;&gt;Sensepost&lt;/a&gt; employees dissected the data encryption algorithm of the DIAG protocol, which is used for data transmission between the &lt;a href=&quot;http://www.sap.com/index.epx&quot;&gt;SAP&lt;/a&gt; client and server. The theoretical possibility of decoding the data had long been known to a narrow group of people, but practical examples, apart from password interception, were not publicly available. The &lt;a href=&quot;http://www.sensepost.com/&quot;&gt;Sensepost&lt;/a&gt; specialists published two utilities that make it possible to fully intercept, decrypt and modify client-server requests very quickly, opening the way for various MITM attacks. The second utility works as a proxy and was created mainly for finding new vulnerabilities: it allows modifying requests to the client and the server and searching for new vulnerabilities in request handling by fuzzing.&lt;/p&gt;
&lt;p&gt;With such a powerful tool available, the number of new vulnerabilities found in &lt;a href=&quot;http://www.sap.com/index.epx&quot;&gt;SAP&lt;/a&gt; may grow significantly in the near future.&lt;/p&gt;
&lt;p&gt;On the subject of &lt;a href=&quot;http://www.sap.com/index.epx&quot;&gt;SAP&lt;/a&gt; client application security, we remind you that there is a free service, &lt;a href=&quot;http://online.erpscan.com/&quot;&gt;online.erpscan.com&lt;/a&gt;, developed by &lt;a href=&quot;http://erpscan.com/&quot;&gt;ERPScan&lt;/a&gt; experts, which checks &lt;a href=&quot;http://www.sap.com/index.epx&quot;&gt;SAP&lt;/a&gt; Frontend for the latest vulnerabilities.&lt;/p&gt;
</description>
</item>
<item>
<link>http://dsecrg.com/pages/news/show.php?id=63</link>
<guid>http://dsecrg.com/pages/news/show.php?id=63</guid>
<title>SAP security threads at the worldwide conferences</title>
<description>&lt;p&gt;A series of conferences around the world will take place in the near future, at which &lt;a href=&quot;http://erpscan.com&quot;&gt;ERPScan&lt;/a&gt; will present talks with new details about the latest vulnerabilities found in SAP and will also conduct trainings on SAP security. For example, at the Hack In The Box conference in Kuala Lumpur it will be shown how, beyond gaining control over the remotely accessible J2EE server on which Portal or Solution Manager is usually located, it is possible to get access to a company's internal resources and to the ERP system, even if it is protected by firewalls.&lt;/p&gt;

&lt;p&gt;Recent events:&lt;/p&gt;
&lt;p&gt;6 September &ndash; &lt;a href=&quot;http://www.securitybyte.org/&quot;&gt; SecurityByte&lt;/a&gt; (India, Bangalore);&lt;/p&gt;
&lt;p&gt;19 September &ndash; &lt;a href=&quot;http://2011.brucon.org/index.php/Main_Page&quot;&gt; Brucon&lt;/a&gt;  (Belgium, Brussels);&lt;/p&gt;
&lt;p&gt;28-30 September &ndash; &lt;a href=&quot;http://www.infosecurityrussia.ru/&quot;&gt; InfosecurityRussia &lt;/a&gt; (Russia, Moscow);&lt;/p&gt;
&lt;p&gt;12 October -&lt;a href=&quot;http://conference.hitb.org/hitbsecconf2011kul/&quot;&gt;HITB KUL&lt;/a&gt; (Malaysia, Kuala Lumpur);&lt;/p&gt;
&lt;p&gt;25 October - &lt;a href=&quot;http://www.hackerhalted.com/2011/&quot;&gt;Hacker Halted&lt;/a&gt; (USA, Miami).&lt;/p&gt;
</description>
</item>
<item>
<link>http://dsecrg.com/pages/news/show.php?id=62</link>
<guid>http://dsecrg.com/pages/news/show.php?id=62</guid>
<title>Vulnerability detected in SAP got into the list of the most dangerous, presented at the recent BlackHat and Defcon conferences</title>
<description>
&lt;p&gt;A vulnerability detected by &lt;a href=&quot;http://dsecrg.ru&quot;&gt;DSecRG&lt;/a&gt; specialists (an &lt;a href=&quot;http://erpscan.com&quot;&gt;ERPScan&lt;/a&gt; subdivision), which allows manipulating HTTP headers to bypass authentication in &lt;a href=&quot;http://sap.com&quot;&gt;SAP&lt;/a&gt; web applications, made the list of the most dangerous threats presented at the recent &lt;a href=&quot;http://blackhat.com&quot;&gt;BlackHat&lt;/a&gt; and &lt;a href=&quot;http://defcon.com&quot;&gt;Defcon&lt;/a&gt; conferences, along with research such as vulnerabilities in Siemens PLCs, machine theft by emulating commands over a wireless interface, remote disconnection of insulin pumps and other no less dangerous hacks.&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://podcasts.infoworld.com/d/security/the-10-scariest-hacks-black-hat-and-defcon-170259?_kip_ipx=949115097-1314167837&quot;&gt;http://podcasts.infoworld.com/d/security/the-10-scariest-hacks-black-hat-and-defcon-170259?_kip_ipx=949115097-1314167837&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Because of the criticality of the detected vulnerability, ERPScan developed a free utility, &lt;a href=&quot;http://erpscan.com/products/erpscan-webxml-checker/&quot;&gt;ERPScan web.xml checker&lt;/a&gt;, which is a part of &lt;a href=&quot;http://erpscan.com&quot;&gt;ERPScan Security scanner for SAP&lt;/a&gt; and checks the J2EE security settings of SAP applications for 9 different configuration mistakes. It can help administrators configure the system securely on their own and understand where the gaps are.&lt;/p&gt;
</description>
</item>
<item>
<link>http://dsecrg.com/pages/news/show.php?id=61</link>
<guid>http://dsecrg.com/pages/news/show.php?id=61</guid>
<title>ERPScan participation in BlackHat and Defcon conferences</title>
<description>&lt;p&gt;The world's two biggest security conferences were held in Las Vegas from 4 to 9 August; they gathered 8500 and 15000 visitors respectively. This year &lt;a href=&quot;http://erpscan.com&quot;&gt;ERPScan&lt;/a&gt; specialists gave a talk at &lt;a href=&quot;http://blackhat.com&quot;&gt;BlackHat&lt;/a&gt; and took part in the &lt;a href=&quot;http://defcon.com&quot;&gt;Defcon CTF&lt;/a&gt; (Capture The Flag) competition, which calls for practical skills in reverse engineering, exploitation, penetration testing and defense against remote attacks.&lt;/p&gt;
&lt;p&gt;The team (IV) that included our employee took 4th place, leaving behind many old-school participants of this event. That is a great result for a first attempt.
The talk about new security threats in the J2EE engine of the SAP NetWeaver platform, given by Alexander Polyakov, made noise in the mass media even before the presentation. After the presentation, which was highly rated by the audience and foreign colleagues, it was covered by world-famous publications such as &lt;a href=&quot;http://www.cio.com/&quot;&gt;CIO&lt;/a&gt;, &lt;a href=&quot;http://www.pcworld.com/&quot;&gt;PCWORLD&lt;/a&gt;, &lt;a href=&quot;http://www.itproportal.com/&quot;&gt;ItProPortal&lt;/a&gt;, &lt;a href=&quot;http://www.cbronline.com/&quot;&gt;CbrOnline&lt;/a&gt; and also on &lt;a href=&quot;http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/25792&quot;&gt;the internal portal&lt;/a&gt; of SAP.&lt;/p&gt;

&lt;p&gt;The press paid particular attention to the new vulnerability, which allows manipulating HTTP headers to bypass authentication in SAP web applications. By sending a HEAD request instead of GET to the interface of one undocumented application, it was possible to execute any action in the system. The example shown at the conference demonstrated how an account with administrative access was created by an anonymous request; attackers could use this to obtain critical data and gain full control over the system. Another vulnerable application makes a DoS attack possible by overwriting any system file.&lt;/p&gt;
&lt;p&gt;At the moment SAP has fixed only 2 instances of vulnerabilities of this type, but according to the results of our research there are about 40 potentially vulnerable SAP applications, as well as user-made applications.&lt;/p&gt;

&lt;p&gt;ERPScan has created a free utility called &lt;a href=&quot;http://erpscan.com/products/erpscan-webxml-checker/&quot;&gt;ERPScan web.xml checker&lt;/a&gt;, a part of ERPScan Security Scanner, which checks the security settings of SAP J2EE applications for 9 different typical misconfigurations; the analysis helps the administrator tune the system securely and shows whether there are any flaws.&lt;/p&gt;

&lt;p&gt;After the talk Alexander was interviewed by &lt;a href=&quot;http://www.reuters.com/article/2011/08/05/us-sap-security-idUSTRE7740B420110805&quot;&gt;Reuters&lt;/a&gt;; he also commented on the state of SAP security in a &lt;a href=&quot;http://player.vimeo.com/video/27384573?title=0&amp;amp;byline=0&amp;amp;portrait=0&quot;&gt;video&lt;/a&gt; interview with the Infosecland portal.&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;http://erpscan.com/wp-content/uploads/2011/08/A_crushing_blow_at_the_heart_of_SAP_J2EE_Engine.pdf&quot;&gt;Presentation &lt;/a&gt; and &lt;a href=&quot;http://erpscan.com/wp-content/uploads/2011/08/A-crushing-blow-at-the-heart-SAP-J2EE-engine_whitepaper.pdf&quot;&gt;research details&lt;/a&gt;  in English are available on &lt;a href=&quot;http://erpscan.com&quot;&gt;ERPScan.com.&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Links:&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/25792&quot;&gt;http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/25792&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.itproportal.com/2011/08/05/sap-vulnerability-dawns-at-black-hat/&quot;&gt;http://www.itproportal.com/2011/08/05/sap-vulnerability-dawns-at-black-hat/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;http://www.cio.com/article/687249/SAP_Will_Issue_Patch_for_NetWeaver_Vulnerability&quot;&gt;http://www.cio.com/article/687249/SAP_Will_Issue_Patch_for_NetWeaver_Vulnerability&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;http://www.pcworld.com/businesscenter/article/237373/sap_will_issue_patch_for_netweaver_vulnerability.html&quot;&gt; http://www.pcworld.com/businesscenter/article/237373/sap_will_issue_patch_for_netweaver_vulnerability.html&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;http://www.reuters.com/article/2011/08/05/us-sap-security-idUSTRE7740B420110805&quot;&gt; http://www.reuters.com/article/2011/08/05/us-sap-security-idUSTRE7740B420110805&lt;/a&gt; &lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;http://www.darkreading.com/compliance/167901112/security/application-security/231003085/over-half-of-sap-servers-on-the-internet-are-vulnerable-to-attack-researcher-says.html&quot;&gt;http://www.darkreading.com/compliance/167901112/security/application-security/231003085/over-half-of-sap-servers-on-the-internet-are-vulnerable-to-attack-researcher-says.html&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;http://security.cbronline.com/news/security-expert-reveals-new-class-of-vulnerabilities-in-sap-software-050811&quot;&gt;http://security.cbronline.com/news/security-expert-reveals-new-class-of-vulnerabilities-in-sap-software-050811 &lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;http://podcasts.infoworld.com/d/security/the-10-scariest-hacks-black-hat-and-defcon-170259?_kip_ipx=949115097-1314167837&quot;&gt; http://podcasts.infoworld.com/d/security/the-10-scariest-hacks-black-hat-and-defcon-170259?_kip_ipx=949115097-1314167837&lt;/a&gt;&lt;/p&gt;


</description>
</item>
<item>
<link>http://dsecrg.com/pages/news/show.php?id=60</link>
<guid>http://dsecrg.com/pages/news/show.php?id=60</guid>
<title>SAP critical patch update august 2011</title>
<description>&lt;p&gt;&lt;a href=&quot;http://sap.com&quot;&gt;SAP&lt;/a&gt; has released its monthly set of updates for August. This set of updates closes more than 40 vulnerabilities in SAP products, 7 of which were found by external researchers.&lt;/p&gt;
&lt;p&gt;5 of the vulnerabilities in this set were found by &lt;a href=&quot;http://www.dsecrg.com&quot;&gt;DSecRG&lt;/a&gt; employees.&lt;/p&gt;

&lt;p&gt;As usual, SAP thanked the DSecRG researchers on its portal for the vulnerabilities they found and for their help in getting them fixed.&lt;/p&gt;
&lt;p&gt;The set of updates includes patches for a number of dangerous vulnerabilities, including those presented at the recent &lt;a href=&quot;http://www.blackhat.com&quot;&gt;BlackHat&lt;/a&gt; conference in Las Vegas. A detailed list of the fixed vulnerabilities is below:&lt;/p&gt;
&lt;p&gt;&bull;	The most critical vulnerability is a bypass of the authentication and authorization mechanisms in the JAVA engine, which results in administrator rights on the server. The update is available in SAP Note 1589525. Criticality according to CVSS is 10. Priority is 1 according to SAP metrics.&lt;/p&gt;
&lt;p&gt;&bull;	Possibility of creating a user with any rights in the system via a CSRF attack. The update is available in SAP Note 1616058. Criticality according to CVSS is 7.8. Priority is 1 according to SAP metrics.&lt;/p&gt;
&lt;p&gt;&bull;	Execution of arbitrary OS code via a vulnerable RFC module. The update is available in SAP Note 1580017. Criticality according to CVSS is 6.0. Priority is 2 according to SAP metrics.&lt;/p&gt;
&lt;p&gt;&bull;	XSS in SAP BW. The update is available in SAP Note 1572325. Criticality according to CVSS is 4.3. Priority is 2 according to SAP metrics.&lt;/p&gt;
&lt;p&gt;&bull;	SMBrelay vulnerability in one of the reports. The update is available in SAP Note 1583286. Criticality according to CVSS is 2.3. Priority is 2 according to SAP metrics.&lt;/p&gt;

&lt;p&gt;Details of the first two vulnerabilities, along with other information about the security of J2EE applications on the SAP platform, are available in the document &lt;a href=&quot;http://erpscan.com/wp-content/uploads/2011/08/A-crushing-blow-at-the-heart-SAP-J2EE-engine_whitepaper.pdf&quot;&gt;http://erpscan.com/wp-content/uploads/2011/08/A-crushing-blow-at-the-heart-SAP-J2EE-engine_whitepaper.pdf&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;It is highly recommended to install the updates that close these vulnerabilities.
Information about the updates is available in the following SAP Notes: 1589525, 1616058, 1580017, 1572325, 1583286.&lt;/p&gt;

&lt;p&gt;Advisories disclosing technical details of these vulnerabilities will be available in 3 months at &lt;a href=&quot;http://www.erpscan.com&quot;&gt;erpscan.com&lt;/a&gt; and &lt;a href=&quot;http://www.dsecrg.com&quot;&gt;DSecRG.com&lt;/a&gt;. Checks for these vulnerabilities are available in &lt;a href=&quot;http://erpscan.com&quot;&gt;ERPScan Security Scanner for SAP&lt;/a&gt;.&lt;/p&gt;
</description>
</item>
<item>
<link>http://dsecrg.com/pages/news/show.php?id=59</link>
<guid>http://dsecrg.com/pages/news/show.php?id=59</guid>
<title>Next week half of the SAP systems available on the Internet can be hacked</title>
<description>&lt;p&gt;On 4 August at the world's largest technical security conference, &lt;a href=&quot;https://www.blackhat.com/&quot;&gt;BlackHat USA 2011&lt;/a&gt;, which will take place in Las Vegas, SAP security expert and CTO of &lt;a href=&quot;http://erpscan.com//&quot;&gt;ERPScan&lt;/a&gt; Alexander Polyakov will show how any malicious attacker can get access to systems running SAP via the Internet using a new critical vulnerability.&lt;/p&gt;
&lt;p&gt;SAP systems are used in more than 100 000 companies worldwide to handle business-critical data and processes. In almost every Forbes 500 company these systems handle processes ranging from purchasing, human resources and financial reporting to communication with other business systems. An attacker who gains access therefore obtains complete control over the financial flows of the company, which can be used for espionage, sabotage and fraud against the hacked company.&lt;/p&gt;
&lt;p&gt;The attack is possible due to a dangerous vulnerability of a new type, detected by Alexander in the J2EE engine of SAP NetWeaver software, which allows bypassing authorization checks. For example, it is possible to create a user and assign him to the administrators group using two unauthorized requests to the system. It is also dangerous because the attack works against systems protected by two-factor authentication, where both a secret key and a password are needed to get access.
To prove it, researchers from ERPScan created a program that detects SAP servers on the Internet with the help of a secret Google keyword and checks the servers found for the potentially dangerous vulnerability. As a result, more than half of the available servers could be hacked using the vulnerability.&lt;/p&gt;
&lt;p&gt;&lt;i&gt;&#8219;The danger is that it is not only a new vulnerability, but a whole class of vulnerabilities that was theoretically described earlier but not popular in practice. During our research we only detected several examples in the standard system configuration, and because each company customizes the system for its own business processes, new examples of vulnerabilities of this class can potentially be detected at each company in the future. We have developed a free program which can detect unique vulnerabilities of this type in order to protect companies in time, and it is also included in our professional product &ndash; ERPScan Security Scanner for SAP.&#8220;&lt;/i&gt; &mdash; noted Alexander.&lt;/p&gt;
</description>
</item>
<item>
<link>http://dsecrg.com/pages/news/show.php?id=58</link>
<guid>http://dsecrg.com/pages/news/show.php?id=58</guid>
<title>SAP critical patch update july 2011 </title>
<description>&lt;p&gt;SAP released its monthly critical patch update for July 2011. This patch update closes about 40 vulnerabilities in SAP products. 9 of those vulnerabilities were found by various experts. As usual, DSecRG researchers are among them: Dmitriy Chastuhin and Dmitriy Evdokimov found 2 vulnerabilities.&lt;/p&gt;
&lt;p&gt;As usual, SAP used its &lt;a href=&quot;http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a&quot; target=&quot;_blank&quot;&gt;acknowledgement page&lt;/a&gt; to thank the security researchers from DSecRG for the vulnerabilities they found.&lt;/p&gt;
&lt;p&gt;The most critical vulnerability was found in the BAPI component and can be exploited to execute unwanted functions without authorization. A malicious user may use this to impersonate a user on the front-end system and access all information with the same rights as the target user.&lt;/p&gt;
&lt;p&gt;It is highly recommended to patch all those issues to prevent business risks.&lt;/p&gt;
&lt;p&gt;Solutions for those issues are available in SAP Notes: 546307, 1599550.&lt;/p&gt;
&lt;p&gt;Advisories for those issues with technical details will be available in 3 months on &lt;a href=&quot;http://erpscan.com/category/advisories/&quot; target=&quot;_blank&quot;&gt;erpscan.com&lt;/a&gt; and also on the &lt;a href=&quot;http://dsecrg.com/pages/vul/&quot; target=&quot;_blank&quot;&gt;DSecRG.com&lt;/a&gt; site.&lt;/p&gt;
</description>
</item>
<item>
<link>http://dsecrg.com/pages/news/show.php?id=57</link>
<guid>http://dsecrg.com/pages/news/show.php?id=57</guid>
<title>DSecRG researchers invited to present at BlackHat and take part at Defcon CTF</title>
<description>&lt;p&gt;Alexander Polyakov, CTO at &lt;a href=&quot;http://erpscan.com&quot;&gt;ERPScan&lt;/a&gt; and Head of the &lt;a href=&quot;http://dsecrg.com&quot;&gt;DSecRG&lt;/a&gt; Research Center, was once again invited to the &lt;a href=&quot;https://www.blackhat.com/&quot;&gt;BlackHat&lt;/a&gt; conference, which will take place in Las Vegas, to give a presentation about the newest attacks on the JAVA kernel of the SAP system, which is used in applications such as SAP Portal.&lt;/p&gt;
&lt;p&gt;The BlackHat conference has been held since 1997 and gathers more than 10,000 visitors at its annual briefing in Las Vegas. It is the main event in the world of information security, a kind of Mecca for technical specialists, pentesters, auditors, researchers, hackers, students of technical universities, CSOs of the largest companies and others connected with hacking and security, the most topical information security issues of today.&lt;/p&gt;
&lt;p&gt;The BlackHat conference is famous for presentations of the latest research and of unique, previously unknown attacks, given by leading researchers from all over the world. This year there will be researchers from NSA, U.S. Army, Carnegie Mellon University, Stanford, Intel, IBM, Symantec, McAfee, Qualys, Verizon, Rapid7 and other companies and organisations.&lt;/p&gt;
&lt;p&gt;Moreover, DSecRG employees joined the team &amp;laquo;IV&amp;raquo;, which took fourth place in the international &lt;a href=&quot;https://www.defcon.org/&quot;&gt;Defcon CTF&lt;/a&gt; competition. The team called &amp;laquo;IV&amp;raquo; (&amp;laquo;four&amp;raquo;) is a combined team of four teams: &amp;laquo;Leet More&amp;raquo;, &amp;laquo;Smoked Chicken&amp;raquo;, &amp;laquo;SiBears&amp;raquo;, &amp;laquo;HackerDom&amp;raquo;. After hard qualifying games the team managed to take 4th place and reach the final, which will take place at the Defcon conference in Las Vegas. It is worth noting that the captain of the &amp;laquo;Leet More&amp;raquo; team is Alexander Minozhenko, an employee of DSecRG (the research center of ERPScan).&lt;/p&gt;</description>
</item>
<item>
<link>http://dsecrg.com/pages/news/show.php?id=56</link>
<guid>http://dsecrg.com/pages/news/show.php?id=56</guid>
<title>SAP critical patch update june 2011</title>
<description>&lt;p&gt;SAP released its monthly critical patch update for June 2011. This patch update closes about 40 vulnerabilities in SAP products. 10 of those vulnerabilities were found by various experts. As usual, a DSecRG researcher is among them: Dmitriy Chastuhin found 2 vulnerabilities.&lt;/p&gt;
&lt;p&gt;As usual, SAP used its &lt;a href=&quot;http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a&quot; target=&quot;_blank&quot;&gt;acknowledgement page&lt;/a&gt; to thank the security researchers from DSecRG for the vulnerabilities they found.&lt;/p&gt;
&lt;p&gt;Both vulnerabilities have a medium severity level (5.0 and 4.3 by CVSS). The vulnerabilities were found in SAP NetWeaver J2EE Engine and can give an attacker access to a user's session.&lt;/p&gt;
&lt;p&gt;It is highly recommended to patch all those issues to prevent business risks.&lt;/p&gt;
&lt;p&gt;Solutions for those issues are available in SAP Notes: 1545883, 1562292.&lt;/p&gt;
&lt;p&gt;Advisories for those issues with technical details will be available in 3 months on &lt;a href=&quot;http://erpscan.com/category/advisories/&quot; target=&quot;_blank&quot;&gt;erpscan.com&lt;/a&gt; and also on the &lt;a href=&quot;http://dsecrg.com/pages/vul/&quot; target=&quot;_blank&quot;&gt;DSecRG.com&lt;/a&gt; site.&lt;/p&gt;

&lt;p&gt;We also published details about vulnerabilities that were closed 3 months ago, in March 2011:&lt;/p&gt;&lt;br&gt;

&lt;a href=&quot;http://erpscan.com/?p=1631&quot;&gt;DSECRG-11-023&lt;/a&gt;&lt;br&gt;
&lt;a href=&quot;http://erpscan.com/?p=1634&quot;&gt;DSECRG-11-024&lt;/a&gt;&lt;br&gt;
&lt;a href=&quot;http://erpscan.com/?p=1637&quot;&gt;DSECRG-11-025&lt;/a&gt;&lt;br&gt;
&lt;a href=&quot;http://erpscan.com/?p=1639&quot;&gt;DSECRG-11-026&lt;/a&gt;&lt;br&gt;
</description>
</item>
<item>
<link>http://dsecrg.com/pages/news/show.php?id=55</link>
<guid>http://dsecrg.com/pages/news/show.php?id=55</guid>
<title>Critical vulnerabilities in Oracle Business Intelligence applications found by DSecRG experts</title>
<description>&lt;p&gt;The vulnerability allows a legitimate user of the business analytics system to escalate privileges to the administrative level, and also to gain access to the operating system and to all business-critical data.&lt;/p&gt;

&lt;p&gt;&quot;The patch for the vulnerability we found was released in April, but we decided to give users two more months to install the update before publishing exploit code.&lt;/p&gt;

&lt;p&gt;This research was conducted by DSecRG as part of its business application security research and the development of the ERPScan Security Scanner, which is aimed at business application security audits and is at present implemented for SAP system security assessment&quot; &amp;ndash; commented Alexander Polyakov, CTO at ERPScan and head of the DSecRG research center.&lt;/p&gt;

&lt;p&gt;Additional information about exploiting Oracle BI can be found on the DSecRG blog:
&lt;a href=&quot;http://dsecrg.blogspot.com/2011/06/hacking-oracle-business-intellegence.html&quot;&gt;http://dsecrg.blogspot.com/2011/06/hacking-oracle-business-intellegence.html&lt;/a&gt;&lt;/p&gt;


&lt;p&gt;Details about the vulnerabilities are available on the following websites:
 &lt;a href=&quot;http://erpscan.com&quot;&gt;http://erpscan.com&lt;/a&gt; and  &lt;a href=&quot;http://dsecrg.com&quot;&gt;http://dsecrg.com&lt;/a&gt;:&lt;/p&gt;

&lt;a href=&quot;http://erpscan.com/advisories/dsecrg-11-021-oracle-bi-%E2%80%94-wb_olap_aw_remove_solve_id-%E2%80%93-%D0%BF%D0%BE%D0%B2%D1%8B%D1%88%D0%B5%D0%BD%D0%B8%D0%B5-%D0%BF%D1%80%D0%B8%D0%B2%D0%B8%D0%BB%D0%B5%D0%B3%D0%B8%D0%B9/&quot;&gt;http://erpscan.com/advisories/dsecrg-11-021-oracle-bi-%E2%80%94-wb_olap_aw_remove_solve_id-%E2%80%93-%D0%BF%D0%BE%D0%B2%D1%8B%D1%88%D0%B5%D0%BD%D0%B8%D0%B5-%D0%BF%D1%80%D0%B8%D0%B2%D0%B8%D0%BB%D0%B5%D0%B3%D0%B8%D0%B9/&lt;/a&gt;
</description>
</item>
<item>
<link>http://dsecrg.com/pages/news/show.php?id=54</link>
<guid>http://dsecrg.com/pages/news/show.php?id=54</guid>
<title>SAP Critical Patch Update for May 2011</title>
<description>&lt;p&gt;SAP has released its monthly critical patch update for May 2011. This patch update closes 10 public vulnerabilities in SAP products. 2 of those vulnerabilities were found by DSecRG researchers Alexey Sintsov and Dmitriy Evdokimov.&lt;/p&gt;
&lt;p&gt;SAP traditionally acknowledges security researchers from DSecRG for the vulnerabilities they find on its &lt;a href=&quot;http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a&quot; target=&quot;_blank&quot;&gt;acknowledgement page&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;The most critical one is a missing authorization check vulnerability in one of the RFC modules, which can lead to privilege escalation and SMB relay attacks (priority 2 according to SAP metrics). The second vulnerability is an XSS in one of the Java applications.&lt;/p&gt;
&lt;p&gt;It is highly recommended to patch all those issues to prevent business risks.&lt;/p&gt;
&lt;p&gt;Solutions for those issues are available in SAP Notes: 1554030, 1553292.&lt;/p&gt;
&lt;p&gt;Advisories for those issues with technical details will be available in 3 months on &lt;a href=&quot;http://erpscan.com/category/advisories/&quot; target=&quot;_blank&quot;&gt;erpscan.com&lt;/a&gt; and also on the &lt;a href=&quot;http://dsecrg.com/pages/vul/&quot; target=&quot;_blank&quot;&gt;DSecRG.com&lt;/a&gt; site.&lt;/p&gt;
</description>
</item>
<item>
<link>http://dsecrg.com/pages/news/show.php?id=53</link>
<guid>http://dsecrg.com/pages/news/show.php?id=53</guid>
<title>SAP Critical Patch Update April 2011</title>
<description>SAP has released its monthly critical patch update for April 2011. This patch update closes 8 public vulnerabilities in SAP products. 3 of those vulnerabilities were found by DSecRG researchers. &lt;br&gt; SAP traditionally acknowledges security researchers from DSecRG for the vulnerabilities they find on its &lt;a href=&quot;http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a&quot;&gt;acknowledgement page&lt;/a&gt;.&lt;br&gt;&lt;br&gt;
The most critical one is an unauthorized information disclosure and memory corruption issue in the SAP Kernel, which has a CVSS score of 7.5 (priority 1 according to SAP metrics). The others are cross-site scripting vulnerabilities in SAP NetWeaver.&lt;br&gt;&lt;br&gt;
It is highly recommended to patch all those issues to prevent business risks.&lt;br&gt;&lt;br&gt;
Solutions for those issues are available in SAP Notes: 1548548, 1543318, 1442517.&lt;br&gt;&lt;br&gt;

Advisories for those issues with technical details will be available in 3 months on &lt;a href=&quot;http://erpscan.com&quot;&gt;erpscan.com&lt;/a&gt; and also on the &lt;a href=&quot;http://dsecrg.com/pages/vul/&quot;&gt;DSecRG.com&lt;/a&gt; site.
</description>
</item>
<item>
<link>http://dsecrg.com/pages/news/show.php?id=50</link>
<guid>http://dsecrg.com/pages/news/show.php?id=50</guid>
<title>SMBRelay Bible blog series overview, part one</title>
<description>About 2 months ago we started a new blog series about &lt;a href=&quot;http://dsecrg.blogspot.com/search/label/SMBRelay%20bible&quot;&gt;SMBRelay attacks&lt;/a&gt;.&lt;br&gt;&lt;br&gt;

&lt;i&gt;&quot;&amp;hellip;The goal of this encyclopedia is to collect all possibilities of obtaining NTLM authentication for conducting SMB-relay attacks or stealing credentials. We are often using those methodologies in different penetration testing and business-application security assessments and decided to collect all this information in one place. It is a very useful area in penetration tests and a great example of tactical exploitation methodologies because you don&#8217;t need to use any exploit to get full access to a corporate network, just pass and relay!&quot;&lt;/i&gt; - from the first post.&lt;br&gt;&lt;br&gt;

Since the first announcement we have published 5 blog posts describing different areas that can be attacked, from ERP and databases to security products like Kaspersky AV, as well as client-side attacks. We have also received a lot of feedback and some reposts (thanks to &lt;a href=&quot;http://www.blogger.com/profile/11458732726033638737&quot;&gt;marcello&lt;/a&gt;).&lt;br&gt;

&lt;b&gt;You can read it all here:&lt;/b&gt;&lt;br&gt;&lt;br&gt;

&lt;a href='http://dsecrg.blogspot.com/2011/04/smbrelay-bible-5-smbrelay-attacks-on.html'&gt;SMBRelay Bible 5: SMBRelay attacks on corporate users&lt;/a&gt;&lt;br&gt;&lt;br&gt;

&lt;a href='http://dsecrg.blogspot.com/2011/03/smbrelay-bible-4-smbrelay-with-no.html'&gt;SMBRelay Bible 4: SMBrelay with no action or attacking security software ( Kaspersky AV,Symantec DLP, GFI Languard 0-days)&lt;/a&gt;&lt;br&gt;&lt;br&gt;

&lt;a href='http://dsecrg.blogspot.com/2011/03/smbrelay-bible-3-smbrelay-by-oracle.html'&gt;SMBRelay bible 3: SMBRelay by Oracle&lt;/a&gt;&lt;br&gt;&lt;br&gt;

&lt;a href='http://dsecrg.blogspot.com/2011/02/smbrelay-bible-2-smbrelay-by-ms-sql.html'&gt;SMBRelay bible 2: SMBRelay by MS SQL server&lt;/a&gt;&lt;br&gt;&lt;br&gt;

&lt;a href='http://dsecrg.blogspot.com/2011/01/passthehash-bible-1-attacking.html'&gt;SMBRelay bible 1: Attacking Enterprise business (ERP)&lt;/a&gt;&lt;br&gt;&lt;br&gt;

&lt;a href=&quot;http://dsecrg.blogspot.com/2011/01/new-blog-section-passthehash-bible.html&quot;&gt;New blog section: SMBRelay Bible&lt;/a&gt;&lt;br&gt;&lt;br&gt;



We still have many interesting unpublished attacks and will publish them in the near future. So say thanks to the main contributors to this topic, Alexey Tyurin and &lt;a href=&quot;http://twitter.com/asintsov&quot;&gt;Alexey Sintsov&lt;/a&gt;, and keep watching our blog! Don&#8217;t miss it.
</description>
</item>
<item>
<link>http://dsecrg.com/pages/news/show.php?id=52</link>
<guid>http://dsecrg.com/pages/news/show.php?id=52</guid>
<title>SAP Critical Patch Update March 2011</title>
<description>SAP has released its monthly critical patch update for April 2011. This patch update closes 7 public vulnerabilities in SAP products. 4 of those vulnerabilities were found by DSecRG researchers Alexander Polyakov and Dmitriy Evdokimov.&lt;br&gt; SAP traditionally acknowledges security researchers from DSecRG for the vulnerabilities they find on its &lt;a href=&quot;http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a&quot;&gt;acknowledgement page&lt;/a&gt;.&lt;br&gt;&lt;br&gt;

The most critical one is an authentication bypass that can be exploited remotely to gain unauthorized access to SAP NetWeaver systems; it has a CVSS score of 9.0 (priority 1 according to SAP metrics). The others are cross-site scripting and information disclosure vulnerabilities in SAP NetWeaver. &lt;br&gt;&lt;br&gt;
It is highly recommended to patch all those issues to prevent business risks.&lt;br&gt;&lt;br&gt;
Solutions for those issues are available in SAP Notes:
1503579, 1503856, 1475767, 1486679.&lt;br&gt;&lt;br&gt;
Advisories for those issues with technical details will be available in 3 months on &lt;a href=&quot;http://erpscan.com&quot;&gt;erpscan.com&lt;/a&gt; and also on the &lt;a href=&quot;http://dsecrg.com/pages/vul/&quot;&gt;DSecRG.com&lt;/a&gt; site.
</description>
</item>
<item>
<link>http://dsecrg.com/pages/news/show.php?id=49</link>
<guid>http://dsecrg.com/pages/news/show.php?id=49</guid>
<title>Espionage, sabotage and fraud: attacks on ERP systems at the BlackHat DC conference</title>
<description>&lt;div style=&quot;text-align:justify&quot;&gt;
&lt;p&gt;During the &lt;a href=&quot;http://www.blackhat.com/html/bh-dc-11/bh-dc-11-home.html&quot;&gt;BlackHat DC conference&lt;/a&gt;, &lt;a href=&quot;http://www.dsecrg.com/&quot;&gt;DSecRG&lt;/a&gt; experts spoke about attacks on corporate business applications that cybercriminals can use for espionage, sabotage and fraud against competitors. Previously unknown attack methods were presented against popular ERP systems, such as SAP and JD Edwards, and also against the RDBMS Open Edge, which is a universal platform for developing custom business applications.&lt;/p&gt;

&lt;p&gt;Although companies such as SAP and Oracle regularly release security updates for their products, they are still subject to attacks that target architectural vulnerabilities and configuration errors. The &lt;a href=&quot;http://dsecrg.com/pages/pub/show.php?id=35&quot;&gt;report&lt;/a&gt; by Alexander Polyakov, Head of DSecRG, focused on the architectural vulnerabilities of the listed systems and showed different methods of exploiting them. Most of these vulnerabilities are hard to patch, which means they may remain exploitable in the future.&lt;/p&gt;

&lt;p&gt;&lt;i&gt;&quot;Very few administrators of SAP systems install updates regularly, and extremely few people deeply understand the technical details of ERP systems, at best limiting themselves to SOD problems. That is why we see insecurely configured systems as a result of security assessments&quot;&lt;/i&gt;, stated &lt;b&gt;Alexander Polyakov.&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;His report gives an example in which an audit found a JD Edwards system running a decade-old version with an architectural vulnerability that allowed any user to get access to all business-critical data. This vulnerability still exists in 2-tier installations with a fat client. Another example of an architectural vulnerability was found in the RDBMS &quot;Open Edge&quot;, which is used in many companies from the &quot;Fortune TOP 100 companies&quot; list. This application has a trivial error in authentication: verification of the password&#8217;s hash was implemented on the client side, so it is possible to authenticate to the system without knowing the password and the user name. The problem is that the vendor will not fix this vulnerability, because doing so would require rewriting the whole architecture.&lt;/p&gt;

&lt;p&gt;Another example is the SAP SRM system, which is used, among other things, to run tender systems. As a result of one architectural misconfiguration, any supplier can get access to the tenders of other suppliers and also upload a Trojan program to a competitor&#8217;s network, which may be used for industrial espionage.&lt;/p&gt;

&lt;p&gt;&lt;i&gt;&quot;The majority of the examples considered in the report tell us that the security of ERP applications is at the level of a decade ago, and with the trend to put business applications on the Internet for exchanging data between branches of companies or suppliers, all these systems have become accessible to a wide range of people seeking to use these loopholes for personal gain. Until now companies have spent millions of dollars eliminating SOD conflicts, and though this is an integral part of ERP security, the number of technical vulnerabilities is growing exponentially, as is the interest of attackers in these systems&quot;&lt;/i&gt;, noted &lt;b&gt;Alexander Polyakov.&lt;/b&gt;&lt;/p&gt;

&lt;/div&gt;


</description>
</item>
<item>
<link>http://dsecrg.com/pages/news/show.php?id=48</link>
<guid>http://dsecrg.com/pages/news/show.php?id=48</guid>
<title>Oracle released Critical Patch Update Advisory - January 2011</title>
<description>In this &lt;a href=&quot;http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html&quot;&gt;CPU&lt;/a&gt; Oracle gives recognition to four DSecRG experts for security vulnerabilities found in business applications.&lt;br&gt;&lt;br&gt;Recognition goes to Alexander Polyakov, Alexey Sintsov, Dmitriy Evdokimov and Andrey Labunets. This is our third year of receiving recognition from Oracle.&lt;br&gt;&lt;br&gt;

Multiple vulnerabilities in Oracle Document Capture and PeopleSoft applications were published; they can be found &lt;a href=&quot;http://dsecrg.com/pages/vul/&quot;&gt;here&lt;/a&gt;.

&lt;br&gt;&lt;br&gt;Earlier DSecRG received recognitions 8 times from January 2008&lt;br&gt;</description>
</item>
<item>
<link>http://dsecrg.com/pages/news/show.php?id=47</link>
<guid>http://dsecrg.com/pages/news/show.php?id=47</guid>
<title>DSecRG Performance in 2010</title>
<description>&lt;div style=&quot;text-align: justify&quot;&gt;2010 &amp;ndash; the third year of DSecRG public work has come to an end. This year was quite complicated, but very productive. In 2010 multiple vulnerabilities were found, though the number of vulnerabilities published is lower than previously, as the vendors have not yet released updates allowing their disclosure. Moreover, vulnerabilities have become more critical and diversified, while the scope of applications under research was broadened with banking software and new ERP systems.&lt;br&gt;
Significant research expertise in several areas was accumulated within these three years, and what is important for goal setting and continuous advancement is that the core research area has been worked out, and this is the direction in which we are going to proceed. The main research area is business-critical systems, applications and technologies; among them we are researching ERP systems, corporate DBMS, as well as banking and processing software. This year we have turned our attention to SCADA and technological system security as one of the current research areas, making a review of &lt;a href=&quot;http://dsec.ru/about/articles/stuxnet/&quot;&gt;Stuxnet&lt;/a&gt;.&lt;br&gt;
During the last year, apart from researching and publishing vulnerabilities, we were frequently invited to speak at international conferences. Talks were given at 8 European and Asian information security conferences known worldwide:&lt;br&gt;&lt;br&gt;
&lt;ul&gt;&lt;li&gt;&lt;a href=&quot;http://party10.cc.org.ru/&quot;&gt;Chaos Constructions&#8217; 2010&lt;/a&gt; in St.Petersburg, Russia &amp;ndash; &lt;i&gt;&lt;a href=&quot;http://dsecrg.ru/pages/pub/show.php?id=28&quot;&gt;Defeating Windows security (ROP)&lt;/a&gt;&lt;/i&gt;,&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://troopers10.org/content/&quot;&gt;Troopers10&lt;/a&gt; in Heidelberg, Germany &amp;ndash; &lt;i&gt;&lt;a href=&quot;http://dsecrg.com/pages/pub/show.php?id=29&quot;&gt;Some Notes on SAP Security&lt;/a&gt;&lt;/i&gt;,&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://2010.confidence.org.pl/&quot;&gt;CONFidence 2010&lt;/a&gt; in Krakow, Poland &amp;ndash; &lt;a href=&quot;http://dsecrg.com/pages/pub/show.php?id=25&quot;&gt;&lt;i&gt;You can&#8217;t stop us: latest trends on exploit techniques&lt;/i&gt;&lt;/a&gt;,&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://conference.hackinthebox.org/hitbsecconf2010ams/&quot;&gt;Hack In The Box 2010&lt;/a&gt; in Amsterdam, The Netherlands &amp;ndash; &lt;a href=&quot;http://dsecrg.com/pages/pub/show.php?id=27&quot;&gt;&lt;i&gt;Attacking SAP Users with Sapsploit&lt;/i&gt;&lt;/a&gt; and &lt;a href=&quot;http://dsecrg.com/pages/pub/show.php?id=26&quot;&gt;&lt;i&gt;JIT-Spray Attacks and Advanced Shellcode&lt;/i&gt;&lt;/a&gt;,&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://www.sourceconference.com/barcelona/speakers_2010.asp&quot;&gt;Source Barcelona&lt;/a&gt; 2010 in Barcelona, Spain &amp;ndash; &lt;a href=&quot;http://dsecrg.com/pages/pub/show.php?id=30&quot;&gt;&lt;i&gt;ERP Security. Myths, Problems, Solutions&lt;/i&gt;&lt;/a&gt;,&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://conference.hackinthebox.org/hitbsecconf2010kul/&quot;&gt;Hack In The Box 2010&lt;/a&gt; in Kuala-Lumpur, Malaysia &amp;ndash; &lt;a href=&quot;http://dsecrg.com/pages/pub/show.php?id=33&quot;&gt;&lt;i&gt;Attacking SAP users with sapsploit Extended&lt;/i&gt;&lt;/a&gt;,&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://deepsec.net/&quot;&gt;DEEPSEC 2010&lt;/a&gt; in Vienna, Austria &amp;ndash; &lt;a href=&quot;http://dsecrg.com/pages/pub/show.php?id=34&quot;&gt;&lt;i&gt;Attacking SAP Users with Sapsploit Extended 1.1&lt;/i&gt;&lt;/a&gt;,&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://201002.confidence.org.pl/&quot;&gt;CONFidence 2.0 2010&lt;/a&gt; in Prague, Czech Republic &amp;ndash; &lt;i&gt;Stupid Mistakes. Architecture and Business Logic Vulnerabilities&lt;/i&gt;.&lt;/li&gt;&lt;/ul&gt;
&lt;br&gt;
Speaking at these conferences enabled us to share the new results of our research work with the international community, get to know many experts, and broaden our outlook regarding new methods and technologies.&lt;br&gt;
The report and research work in 2010 was mostly dedicated to SAP security. Since September 2010 we have been receiving official monthly &lt;a href=&quot;http://dsecrg.com/pages/news/show.php?id=38&quot;&gt;acknowledgements&lt;/a&gt; (at &lt;a href=&quot;http://sdn.sap.com&quot;&gt;http://sdn.sap.com&lt;/a&gt;) for the vulnerabilities found in security updates, keeping up the leadership in the quantity of the vulnerabilities found. Moreover, we launched a free service that helps SAP users assess their awareness level and the security level of the SAP GUI client software and the new NetWeaver Business Client. The service at &lt;a href=&quot;http://erpscan.com&quot;&gt;http://erpscan.com&lt;/a&gt; will be updated and completed with the latest vulnerabilities and newly analyzed software.&lt;br&gt;
As for business application security, in 2010 we started taking part in OWASP and now we are working on the &lt;a href=&quot;http://www.owasp.org/index.php/Category:OWASP_Enterprise_Application_Security_Project#tab=Main&quot;&gt;OWASP_EAS&lt;/a&gt; project dedicated to enterprise business applications. As for banking security, we continued our annual &lt;a href=&quot;http://dsecrg.com/pages/news/show.php?id=37&quot;&gt;Bank-Client&lt;/a&gt; security analysis of popular Russian software.
&lt;br&gt;&lt;br&gt;

&lt;b&gt;Facts of interest&lt;/b&gt;&lt;br&gt;&lt;br&gt;

&lt;ul&gt;&lt;li&gt;We support our blog and our plan for the next year is to add several columns, thus significantly extending its content;&lt;/li&gt; 
&lt;li&gt;All of us registered on Twitter to get instant access to current news and enhance its distribution;&lt;/li&gt;
&lt;li&gt;Our four experts are writing articles and several columns for the Hacker magazine;&lt;/li&gt;
&lt;li&gt;New research groups started springing up in Russia following DSecRG;&lt;/li&gt;
&lt;li&gt;Our page &lt;a href=&quot;http://dsecrg.com/pages/about/&quot;&gt;About&lt;/a&gt; and name are copied by young researchers from various countries.&lt;/li&gt;&lt;/ul&gt;
&lt;br&gt;
&lt;b&gt;Prospects&lt;/b&gt;&lt;br&gt;&lt;br&gt;

The new year 2011 starts for us on January 18, the day we will speak at the top-ranked information security conference &amp;ndash; &lt;a href=&quot;http://dsecrg.com/pages/news/show.php?id=45&quot;&gt;BlackHat DC 2011&lt;/a&gt;, held in Virginia, USA. We will talk about our research on ERP security and demonstrate the difference in approach between a common pentest and a pentest aimed at critical business applications (security analysis), drawing on examples of different vulnerabilities and misconfigurations in the architecture. In addition, we will keep on speaking at various conferences throughout the year.
This year most of the projects have been implemented, and considering the fact that the main efforts have turned to the development of our ERPScan security scanner for SAP systems, this year has proved to be very fruitful.&lt;/div&gt;
</description>
</item>
<item>
<link>http://dsecrg.com/pages/news/show.php?id=45</link>
<guid>http://dsecrg.com/pages/news/show.php?id=45</guid>
<title>DSecRG will give a talk at BlackHat DC 2011 </title>
<description>&lt;div style=&quot;text-align: justify&quot;&gt;The annual &lt;a href=&quot;https://www.blackhat.com&quot;&gt;BlackHat DC&lt;/a&gt; conference is held in Virginia, USA, 16-19 January. This is the most prominent event in information security around the world, where the newest research trends in attack and security are constantly discussed.&lt;br&gt;&lt;br&gt;

This year &lt;a href=&quot;http://twitter.com/sh2kerr&quot;&gt;Alexander Polyakov&lt;/a&gt;, CTO of Digital Security and Head of DSecRG, together with Val Smith from &lt;a href=&quot;http://www.attackresearch.com&quot;&gt;AttackResearch&lt;/a&gt;, will give a talk at the conference. The event is a breakthrough for Russian experts, as there were no speakers representing the Russian market of information security consulting before.&lt;br&gt;&lt;br&gt;

&lt;b&gt;Agenda:&lt;/b&gt;
&lt;br&gt;&lt;i&gt;
&quot;Do you know where all the critical company data is stored? Do you know how easily you can be attacked by cybercriminals targeting this data? How can an attacker sabotage or commit espionage against your company having access just to one system? This paper will describe some basic and advanced threats and attacks on Enterprise Business Applications &amp;ndash; the core of many companies.&quot;
&lt;/i&gt;&lt;br&gt;&lt;br&gt;

The talk will be about enterprise business applications and the ways attackers can gain access to critical business data, steal money or disable a technological corporate network such as SCADA, using vulnerabilities and misconfigurations in the architecture of business applications. We will show examples from various business applications, including custom ones as well as the more popular ones, like SAP and JD Edwards, along with previously unknown vulnerabilities and attack methods that can be exploited not just for popping a shell, but to gain unauthorized access to business-critical data. These attack methods can also be useful in penetration tests against ERP systems. Many of the problems that will be shown cannot be easily patched because they are design flaws or business logic problems requiring re-design of a system.
&lt;br&gt;&lt;br&gt;


After this talk people will understand the differences in approaches for pentesting standard networks and business-critical systems. &lt;br&gt;&lt;br&gt;

ERP systems known in Russia and worldwide will be used as examples.&lt;br&gt;&lt;br&gt; &lt;a href=&quot;https://www.blackhat.com/html/bh-dc-11/bh-dc-11-speaker_bios.html#Polyakov.&quot;&gt;Talk abstract&lt;/a&gt;&lt;/div&gt;



</description>
</item>
</channel>
</rss>

