Events

Latest SAP threats, SAP Forensics & BIZEC @Troopers!

This is a guest post from Mariano Nunez and Juan Perez-Etchegoyen

Juan Perez-Etchegoyen (@jp_pereze) and Mariano Nunez (@marianonunezdc) from Onapsis here, thrilled to be troopers for the third time! In this post we want to share with you a glimpse of what you will see regarding SAP security at this amazing conference.

Last week we released advisories regarding several vulnerabilities affecting SAP platforms. Some of these vulnerabilities are in fact very critical, and their exploitation could lead to a full compromise of the entire SAP implementation – even by completely anonymous attackers. Following our responsible disclosure policy, SAP released the relevant SAP Security Notes (patches) for all these vulnerabilities a long time ago, so if you are an SAP customer make sure you have properly implemented them!


Bluevoxing

This is a guest post from Graeme Neilson

Reverse engineering is generally thought of as using debuggers, disassemblers and hex editors. Much as I love hex editors, IDA and staring at opcodes, for the last few years I have been focused on applying my reverse engineering methodology to larger, composed systems. At Troopers TelcoSec day this year I will be presenting Bluevoxing, which demonstrates how this approach works. Bluevoxing is about reverse engineering how web-based “audio one time password” systems work. Simply put, audio one time password systems use a short audio file as an authentication token. When I discovered these systems I was intrigued, as reversing them would involve a range of techniques and tools from web testing, audio tools, signal analysis, phreaking and cryptanalysis. The disassembler would be of no use; instead I would have to employ audio tools such as Audacity and ruby-processing.

My methodology was:

  1. collect a large sample set of audio one time passwords
  2. extract the raw audio file from the samples
  3. somehow convert the audio file into a number…
  4. analyse the numbers…
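As an added illustration of steps 3 and 4 (this is example code written for this page, not Graeme’s tooling, and the post does not say how the audio actually encodes the number): it assumes a token is a sequence of 100 ms pure tones sampled at 8 kHz, one tone per decimal digit at 600 + 100·d Hz, synthesizes such a token as constructed input, recovers the digits with the Goertzel algorithm, and then runs a first sanity check over a constructed sample set.

```python
import math
from collections import Counter

# Assumptions (not from the post): 8 kHz mono PCM, one 100 ms pure tone per digit,
# digit d encoded as a tone at 600 + 100*d Hz. Real audio OTP tokens may use a
# completely different encoding; this only illustrates steps 3 and 4.
SAMPLE_RATE = 8000
SYMBOL_SAMPLES = 800                       # 100 ms per symbol slot
DIGIT_FREQS = {d: 600 + 100 * d for d in range(10)}


def synth_token(digits: str, amplitude: float = 0.5) -> list:
    """Constructed stand-in for an extracted audio OTP: one tone per digit."""
    samples = []
    for d in digits:
        f = DIGIT_FREQS[int(d)]
        for n in range(SYMBOL_SAMPLES):
            samples.append(amplitude * math.sin(2 * math.pi * f * n / SAMPLE_RATE))
    return samples


def goertzel_power(frame: list, freq: float, fs: int = SAMPLE_RATE) -> float:
    """Energy of `frame` at `freq` (Goertzel algorithm: a single-bin DFT)."""
    n = len(frame)
    k = round(n * freq / fs)                # nearest DFT bin for this frequency
    omega = 2 * math.pi * k / n
    coeff = 2 * math.cos(omega)
    s_prev = s_prev2 = 0.0
    for x in frame:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev2 ** 2 + s_prev ** 2 - coeff * s_prev * s_prev2


def decode_token(samples: list) -> str:
    """Step 3: turn the audio into a number by taking, per symbol slot,
    the digit whose tone carries the most energy."""
    digits = []
    for start in range(0, len(samples) - SYMBOL_SAMPLES + 1, SYMBOL_SAMPLES):
        frame = samples[start:start + SYMBOL_SAMPLES]
        best = max(DIGIT_FREQS, key=lambda d: goertzel_power(frame, DIGIT_FREQS[d]))
        digits.append(str(best))
    return "".join(digits)


def analyse_tokens(tokens: list) -> dict:
    """Step 4: basic statistics over a sample set. Repeated tokens or positions
    that only ever take a few values both hint that the effective token space
    is smaller than its length suggests."""
    length = len(tokens[0])
    per_position = [Counter(t[i] for t in tokens) for i in range(length)]
    return {
        "samples": len(tokens),
        "unique": len(set(tokens)),
        "distinct_digits_per_position": [len(c) for c in per_position],
    }


if __name__ == "__main__":
    # Constructed sample set standing in for step 1/2 output (collected tokens).
    collected = [synth_token(t) for t in ("4711", "4712", "0815", "4711")]
    decoded = [decode_token(s) for s in collected]
    print(decoded)
    print(analyse_tokens(decoded))
```

The Goertzel step works here because each synthetic tone fits an exact number of cycles into its slot, so the energy lands in a single bin; on recorded audio one would first trim silence, estimate the slot boundaries and compare energies against a noise floor rather than blindly taking the maximum.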


TROOPERS13: TelcoSecDay, IPv6 Security Summit and some more Updates

Here are a number of updates on the upcoming TROOPERS13.

The preliminary agenda for this year’s TelcoSecDay can be found here.

Here’s the (again: preliminary) agenda of the IPv6 Security Summit.

Last, but not least we’ve included another four talks in the main conference:

======

Sergey Bratus & Travis Goodspeed: You wouldn’t share a syringe. Would you share a USB port?

Synopsis: Previous work has shown that a USB port left unattended may be subject to pwnage via insertion of a device that types into your command shell (e.g. here). Impressive attack payloads have been delivered over USB to jailbreak PS3 and a “smart TV“. Not surprisingly, USB stacks started incorporating defenses such as device registration, USB firewalls, and other protective kits. But do these protective measures go far enough to let you safely plug in a strange thumb drive into your laptop’s USB port?

We demonstrate that the scope of the OS code manipulation feasible through a USB port is much broader than could be expected. USB stack abuse is not limited to emulating HID keyboards or a few exotic devices — it is a clear and present danger throughout the USB software stack and can reach into any part of the operating system kernel and driver code. We show a simple development environment that is capable of emulating any USB device to engage whatever software on the host computer is meant to interact with such devices — and break any and all of the assumptions made by such software, leading to pwnage. In a nutshell, sharing a USB port belongs in the past — just as the era of downloading arbitrary executables and other Internet “free love”.


Troopers 2013 – Third Round of Talks Selected

We’re very happy to announce the third round of Troopers 2013 talks today (first round here, second here).

So much quality stuff… it seems to get (ever) better every year ;-).

Here we go:

==================

Michael Ossmann & Dominic Spill: Introducing Daisho – monitoring multiple communication technologies at the physical layer.

Synopsis: Most communications media can be monitored and debugged at various levels of the stack, but we believe that it is most important to examine them at the physical layer. From there, the security of every level can be investigated and tested. The task of monitoring physical layer communications has become increasingly difficult as we try to squeeze more and more bandwidth out of our links. A passive tapping circuit can be used to monitor a 100BASE-TX connection, but no such circuit exists for 1000BASE-T networks.

Our solution to this problem is Project Daisho; an open source hardware and software project to build a device that can monitor high speed communication links and pass all of the data back to a host system for analysis. Daisho will include a modular, high bandwidth design that can be extended to monitor future technologies. The project will also produce the first open source USB 3.0 FPGA core, bringing high speed data transfer to any projects that build on the open platform.
As a proof of concept at this early stage, we will demonstrate monitoring of a low bandwidth RS-232 connection using our first round of hardware and discuss the challenges involved with the high speed targets such as 1000BASE-T and USB 3.0 that we will take on later this year.

Bios: Michael Ossmann is known for his experience with radio communications technology and open source hardware design, having produced both the Ubertooth and HackRF as well as regularly teaching workshops on software defined radio. He has spoken about his work with software defined radio and Bluetooth at Troopers, Black Hat, DEF CON, ToorCon, ShmooCon and more.

Dominic Spill has been building a Bluetooth packet sniffer since 2007; last year he took over as lead developer for the Ubertooth and has recently begun working with Michael on Daisho. He has previously presented his Bluetooth work at DEF CON, ShmooCon, USENIX WOOT, and Kiwicon.

Both speakers have a passion for building open source tools to allow curious people to examine the technologies and protocols that we use to communicate.


Troopers 2013 – Second Round of Talks Selected

We’re very happy to announce the second round of Troopers 2013 talks today (first round here).
Some (well, actually most ;-)) of these talks haven’t been presented before, at any other occasion, so this is exciting fresh material which was/is prepared especially for Troopers.

Here we go:

==================

Andreas Wiegenstein & Xu Jia: Ghost in the Shell. FIRST TIME MATERIAL

Synopsis: Security conferences in the past years have made it clear that common security vulnerabilities such as SQL Injection, XSS, CSRF, HTTP verb tampering and many others also exist in SAP software. This talk covers several vulnerabilities that are unique to SAP systems and shows how these can be used in order to bypass crucial security mechanisms and at the same time operate completely below the (forensic) radar. We uncovered undocumented mechanisms in the SAP kernel that allow launching attacks that cannot be traced back to the attacker by forensic means. These mechanisms allow an attacker to *actively* inject commands at any time into the running backend session of an arbitrary logged-on user, chosen by the attacker. We named this attack mechanism “Ghost in the Shell”. We will also demo how to use this attack vector to distribute malware to the attacked user’s client machine despite mechanisms in the SAP standard that are designed to prevent this.

Bios: Andreas Wiegenstein has been working as a professional SAP security consultant since 2003. He has performed countless SAP code audits and has been researching security defects specific to SAP / ABAP applications. As CTO, he leads the CodeProfiler Research Labs at Virtual Forge, a team focusing on SAP/ABAP specific vulnerabilities and countermeasures. At the CodeProfiler Labs, he works on ABAP security guidelines, ABAP security trainings, an ABAP security scanner as well as white papers and publications. Andreas has trained large companies and defense organizations on ABAP security and has spoken at SAP TechEd on several occasions as well as at security conferences such as Troopers, BlackHat, HITB, RSA as well as many smaller SAP specific conferences. He is co-author of the first book on ABAP security (SAP Press 2009). He is also a member of BIZEC.org, the Business Security Community.

Xu Jia has been researching SAP security topics since 2006. His focus is on static code analysis for ABAP and he is the lead architect for a commercial SCA tool. Working in the CodeProfiler Research Labs at Virtual Forge, he also analyzes (ABAP) security defects in SAP standard software. Xu has submitted a significant number of 0-days to SAP, including multiple new forms of attack that are specific to SAP software. He already presented some of his research at the 16th IBS security conference, 2012 in Hamburg.


Troopers 2013 – First Round of Talks Selected

We’re delighted to provide the first announcement of talks of next year’s Troopers edition. Looks like it’s going to be a great event again 😉
Here we go:

==================

Peter Kieseberg: Malicious pixels – QR-codes as attack vectors.

Synopsis: QR-Codes, a version of two-dimensional barcodes that are able to store quite large amounts of information, started gaining huge popularity throughout the last few years, including all sorts of new applications for them. Originating from the area of logistics, they found their way into marketing, and since the rise of modern smartphones with their ability to scan them in the street, they can be found virtually everywhere, often linking to sites on the internet. Currently, even standards for paying using QR-codes have been proposed and standardized. In this talk we will highlight possible attack vectors arising from the use of QR-Codes. Furthermore we will outline an algorithm for calculating near-collisions in order to launch phishing attacks and we will demonstrate the practical utilization of this technique.

Bio: Peter Kieseberg is a researcher at SBA Research, the Austrian non-profit research institute for IT-Security. He received a Dipl. Ing. (equivalent to MSc) degree in Technical Mathematics in Computer Science from the Vienna University of Technology. His research interests include digital forensics, fingerprinting of structured data and mobile security.

Slides from Troopers Telco Sec Day Online

As I mentioned the Telco Sec Day in the last post… for those who missed Flo’s announcement: in the interim all slides of the Telco Sec Day are available online here.

Obviously, given I initiated the event, I’m biased 😉 but to me it provided great insight from both the talks and the networking with other guys from the telco security field, and it did actually what it was meant for: fostering the exchange between different players in that space, for the sake of sustainably improving its overall security posture.

A number of participants suggested performing it again which we hence plan to do, at next year’s Troopers (probably happening in the week 03/12-03/16 [calendar week 11]).

See you there, all the best

Enno


Troopers TelcoSecDay

As there has been some public demand for that, here we go with the final agenda for the Troopers “TelcoSecDay”. The workshop is meant to provide a platform for research exchange between operators, vendors and researchers. The slides of the talks will potentially be made available as well.

  • 8:30: Opening Remarks & Introduction
  • 9:00: Sebastian Schrittwieser (SBA Research): Guess Who’s Texting You? Evaluating the Security of Smartphone Messaging Applications.
  • 10:00: Peter Schneider (NSN): How to secure an LTE-Network: Just applying the 3GPP security standards and that’s it?
  • 10:45: Break
  • 11:00: Kevin Redon (T-Labs): Weaponizing Femtocells – The Effect of Rogue Devices on Mobile Telecommunications
  • 11:45: Christian Kagerhuber (Group IT Security, Deutsche Telekom AG): Security Compliance Audit Automation (SCA, TeleManagementForum TMF528)
  • 12:30: Lunch
  • 13:45: Philippe Langlois (P1 Security): Assault on the GRX (GPRS Roaming eXchange) from the Telecom Core Network perspective, from 2.5G to LTE Advanced.
  • 15:00: Break
  • 15:15: Harald Welte (sysmocom): Structural deficits in telecom security
  • 16:30: Closing Remarks
  • 17:00: End of workshop
  • 19:00: Joint dinner (hosted by ERNW) in Heidelberg Altstadt for those interested and/or staying for the main conference

====

Synopses & Bios

Sebastian Schrittwieser: Guess Who’s Texting You? Evaluating the Security of Smartphone Messaging Applications.

Synopsis: Recently, a new generation of Internet-based messaging applications for smartphones was introduced. While user numbers are estimated in the millions, little attention has so far been paid to the security of these applications. In this talk, we present our experimental results, which revealed major security flaws, allowing attackers to hijack accounts, spoof sender-IDs, and enumerate subscribers.

Bio: Sebastian Schrittwieser is a PhD candidate at the Vienna University of Technology and a researcher at SBA Research. His research interests include, among others, digital forensics, software protection, code obfuscation, and digital fingerprinting. Sebastian received a Dipl.-Ing. (equivalent to MSc) degree in Business Informatics with focus on IT security from the Vienna University of Technology in 2010.

===

Peter Schneider: How to secure an LTE-Network: Just applying the 3GPP security standards and that’s it?

Synopsis: This talk briefly introduces the security architecture of an LTE mobile network as specified by 3GPP and shows which threats it mitigates and which not. It discusses additional, not-standardized security measures and how they can contribute to making mobile networks as secure as they need to be.

Bio: After many years of research, prototyping and systems engineering in the area of communication technologies, Peter works currently as a senior expert for mobile network security in the Security Technologies Team at Nokia Siemens Networks Research. He is author of various mobile network related security concepts. He is also active in the 3GPP security standardization and in several security research projects.

===

Kevin Redon: Weaponizing Femtocells – The Effect of Rogue Devices on Mobile Telecommunications

Synopsis: Mobile phones and carriers trust the traditional base stations which serve as the interface between the mobile devices and the fixed-line communication network. Femtocells, miniature cellular base stations installed in homes and businesses, are equally trusted yet are placed in possibly untrustworthy hands. By making several modifications to a commercially available femtocell, we evaluate the impact of attacks originating from a compromised device. We show that such a rogue device can violate all the important aspects of security for mobile subscribers, including tracking phones, intercepting communication and even modifying and impersonating traffic. The specification also enables femtocells to directly communicate with other femtocells over a VPN and the carrier we examined had no filtering on such communication, enabling a single rogue femtocell to directly communicate with (and thus potentially attack) all other femtocells within the carrier’s network.

Bio: Kevin Redon is doing his master’s in computing at the Technische Universitaet Berlin. He also works for “Security in Telecommunication” (SecT), a research group of the university.

===

Christian Kagerhuber: Security Compliance Audit Automation (SCA, TeleManagementForum TMF528)

Synopsis: Today, Service Providers are in need of comprehensive information relevant to effective security management. Service Providers have to evaluate and verify the compliance of their infrastructure and services with corporate security directives and legal guidelines. This includes being able to retrace OSS Operators’ behavior on OSS systems via standardized log messages. But to answer all necessary security compliance questions, log data alone appears not to be sufficient.
Service Providers need configuration data and telemetry data centralized and at hand without manual, time-consuming OSS Operator activity. Even interactive polling of their devices is not sufficient, because Service Providers must track down changes in the environment and their effective date/period. The talk is about how to solve this problem.

Bio: Christian is a Senior Security Expert at Deutsche Telekom (DT), responsible for the security of DT’s NGOSS system (called NGSSM) and the BNG/SCRAT project. He built up T-Online’s Identity Management and CERT and is the author of various Deutsche Telekom security standards, e.g. on platform virtualisation and SSH.

===

Philippe Langlois: Assault on the GRX (GPRS Roaming eXchange) from the Telecom Core Network perspective, from 2.5G to LTE Advanced.

Synopsis: GRX is the global private network where Telecom network operators exchange GPRS roaming traffic of their users. It’s also used for all M2M networks where roaming is used, and that is the case from some company’s truck fleet management system down to intelligence GPS location spybug tracking systems. GPRS has been there from 2.5G GSM networks to the upcoming LTE Advanced networks, and is now a quite widespread technology, along with its attacks. GRX has had a structuring role in the global telecom world at a time when IP dominance was beginning to be acknowledged. Now it has expanded to a lightweight structure using both IP technologies and ITU-originated protocols.
We’ll see how this infrastructure is protected and can be attacked, and we’ll discover the issues with the specific telco equipment inside GRX, namely GGSN and SGSN but also now PDN Gateways in LTE and LTE Advanced “Evolved Packet Core”. We will see its implication with the GTP protocol, DNS infrastructure, AAA servers and core network technologies such as MPLS, IPsec VPNs and their associated routing protocols. These network elements were rarely evaluated for security, and during our vulnerability analysis engagements we’ve seen several typical vulnerabilities that will be shown in this talk. We will demo some of the attacks on a simulated “PS Domain” network, that is the IP part of the Telecom Core Network that transports customers’ traffic, and investigate its relationships with legacy SS7, SIGTRAN IP backbones, M2M private corporate VPNs and telecom billing systems. We will also see how automation enables us to succeed at attacks which are hard to perform and will show how a “sentinel” attack was able to compromise a telecom Core Network during one penetration test.

Bio: Philippe Langlois is a leading security researcher and expert in the domain of telecom and network security. He founded internationally recognized security companies (Qualys, WaveSecurity, INTRINsec, P1 Security) as well as led technical, development and research teams (Solsoft, TSTF). He founded Qualys and led the world-leading vulnerability assessment service. He founded a pioneering network security company, Intrinsec, in 1995 in France. He founded his first business, Worldnet, France’s first public Internet service provider, in 1993. Philippe was also lead designer for Payline, one of the first e-commerce payment gateways. He has written and translated security books, including some of the earliest references in the field of computer security, and has been giving speeches on network security since 1995 (Interop, BlackHat, HITB, Hack.lu). He was previously a professor at Ecole de Guerre Economique and various universities in France (Amiens, Marne La Vallée) and internationally (FUSR-U, EERCI). He is a FUSR-U (Free University for Security Research) collaborator and founding member. Philippe provides industry associations (GSM Association Security Group, several national organizations) and governmental officials with Critical Infrastructure advisory conferences in Telecom and Network security. Now Philippe is providing, with P1 Security, the first Core Network Telecom Signaling security scanner & auditor, which helps telecom companies, operators and governments analyze where and how their critical telecom network infrastructure can be attacked. He can be reached through his website at: http://www.p1security.com
He has presented previously at these security/hacking conferences: Hack.lu, Hack in the Box (HITB), Blackhat, Hackito Ergo Sum (Paris, France), SOURCE, Chaos Communication Congress (Berlin, Germany), ekoparty (Buenos Aires, Argentina), H2HC (São Paulo, Brazil), SYSCAN (Hong Kong; Thailand), Bellua (Jakarta, Indonesia), INT (Mauritius), Interop… (some events listed there http://www.p1sec.com/corp/about/events/ )

===

Harald Welte: Structural deficits in telecom security

Synopsis: Especially in recent years, numerous practical attacks and tools have been developed and released. The attack patterns and methods from the dynamic Internet world have finally caught up with the dinosaur of the Telecom world. So far, the industry has failed to demonstrate sufficient interest in developing proper responses. The changes so far have been superficial. Are they a sufficient response for what is to come? Has the telecom industry realized the true implications of having left the “walled garden”? The talk will leave the field of actual attacks behind in order to talk about what at least the author perceives as structural deficits in terms of IT security at operators and equipment vendors.

Bio: Harald Welte has been a communications security consultant for more than a decade. He was co-author of the netfilter/iptables packet filter in the Linux kernel and has since then been involved in a variety of Free Software based implementations of protocol stacks for RFID, GSM, GPRS, and TETRA. His main interest is to look at security of communication systems beyond the IP-centric mainstream. Besides his consulting work, he is the general manager of Sysmocom GmbH, providing custom tailored communications solutions to customers world-wide.

===

Have a great Sunday everybody, see you soon at Troopers 😉

Enno


ERP Platforms Are Vulnerable

This is a guest post by the SAP security expert Juan Pablo Perez-Etchegoyen, CTO of Onapsis. Enjoy reading:

At Onapsis we are continuously researching in the ERP security field to identify the risks that ERP systems and business-critical applications are exposed to. This way we help customers and vendors to increase their security posture and mitigate threats that may be affecting their most important platform: the one that stores and manages their business’ crown jewels.

We have been talking about SAP security in many conferences over the last years, not only showing how to detect insecure settings and vulnerabilities but also explaining how to mitigate and solve them. However, something that is still less known is that since 2009 we have also been doing research on Oracle’s ERP systems (JD Edwards, Siebel, PeopleSoft, E-Business Suite) and reporting vulnerabilities to the vendor. In this post, I’m going to discuss some of the vulnerabilities that we reported and Oracle fixed, releasing patches in the latest CPU (Critical Patch Update) of January 2012. In this CPU, 8 vulnerabilities reported by Onapsis affecting JD Edwards were fixed.

What’s really important about these vulnerabilities is that most of them are highly critical, enabling a remote unauthenticated attacker to fully compromise the ERP server just by having network access to it. I’m going to analyze some of these vulnerabilities to shed some light on the real status of JD Edwards’ security. Most of these vulnerabilities are exploitable through the JDENET service, which is a proprietary protocol used by JDE for connecting the different servers.

Let’s take a look at the most interesting issues:

ONAPSIS-2012-001: Oracle JD Edwards JDENET Arbitrary File Write

Sending a specific packet in the JDENET message, an attacker can basically instruct the server to write arbitrary content to an arbitrary location, leading to an arbitrary file write condition.

ONAPSIS-2012-002: Oracle JD Edwards Security Kernel Remote Password Disclosure

Sending a packet containing a key hard-coded in the kernel, an attacker can “ask for” a user’s password (!)

ONAPSIS-2012-003: Oracle JD Edwards SawKernel Arbitrary File Read

An attacker can read any file, by connecting to the JDENET service.

ONAPSIS-2012-007: Oracle JD Edwards SawKernel SET_INI Configuration Modification

Modifications to the server configuration (JDE.INI) can be performed remotely and without authentication. Several attacks are possible abusing this vulnerability.

ONAPSIS-2012-006: Oracle JD Edwards JDENET Large Packets Denial of Service

If an attacker sends packets larger than a specific size, then the server’s CPU starts processing at 100% of its capacity. Game over.

As a “bonus” to this guest blog post, I would like to analyze a vulnerability related to the set of security advisories we released back in April 2011 (many of them also critical). This vulnerability is ONAPSIS-2011-07.

The exploitation of this weakness is very straightforward, as the only thing an attacker needs to do is to send a packet to the JDENET command service (typically UDP port 6015) with the message “SHUTDOWN”, and all JD Edwards services are powered off! Business impact? None of the hundreds/thousands of the company’s employees that need the ERP system to do their everyday work will be able to do their job.

Some people still talk about ERP security as a synonym of Segregation of Duties controls. This is just an example of a high-impact Denial of Service attack that can be performed against the technical components of these systems. No user or password. No roles or authorizations.

Even worse, as UDP connections are stateless, it’s trivial for the attacker to forge its source address and exploit the vulnerability, potentially bypassing firewall filters.
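An added detection example (written for this page, not code from the post or from Onapsis): a small Python checker over constructed key=value datagram log lines that flags UDP traffic to the JDENET command port 6015 carrying the “SHUTDOWN” message, oversized datagrams (the size threshold is a placeholder, since the post does not state the exact size), and JDENET traffic from hosts outside an assumed allowlist of JD Edwards servers. The log format, the host addresses and the allowlist are all constructed for the example.

```python
import re

# Constructed log format for this example: one datagram per line, key=value fields.
# A real sensor (firewall, NetFlow exporter, IDS) will use different field names.
LINE_RE = re.compile(r"(\w+)=(\S+)")

JDENET_PORT = 6015                # JDENET command service port named in the post
OVERSIZE_THRESHOLD = 4096         # PLACEHOLDER: the post does not give the exact size
JDE_HOSTS = {"10.1.5.10", "10.1.5.11"}   # constructed allowlist of legitimate JDE servers

# Constructed sample log lines (addresses and payloads are made up).
SAMPLE_LINES = [
    "ts=2012-01-20T10:15:02Z proto=UDP src=10.1.5.11 dst=10.1.5.10 dport=6015 len=212 payload=HEARTBEAT",
    "ts=2012-01-20T10:15:07Z proto=UDP src=192.0.2.77 dst=10.1.5.10 dport=6015 len=64 payload=SHUTDOWN",
    "ts=2012-01-20T10:15:09Z proto=UDP src=10.1.5.11 dst=10.1.5.10 dport=6015 len=65000 payload=DATA",
    "ts=2012-01-20T10:15:11Z proto=TCP src=192.0.2.77 dst=10.1.5.10 dport=22 len=64 payload=SSH-2.0",
]


def parse_line(line: str) -> dict:
    """Turn one key=value log line into a dict with numeric len/dport."""
    rec = dict(LINE_RE.findall(line))
    rec["len"] = int(rec.get("len", 0))
    rec["dport"] = int(rec.get("dport", 0))
    return rec


def classify(rec: dict) -> list:
    """Return the findings for one datagram record (empty list if nothing is suspicious)."""
    findings = []
    if rec.get("proto") != "UDP" or rec["dport"] != JDENET_PORT:
        return findings                               # not JDENET command traffic
    if rec.get("payload", "").upper() == "SHUTDOWN":
        findings.append("jdenet-shutdown-command")    # ONAPSIS-2011-07 pattern
    if rec["len"] > OVERSIZE_THRESHOLD:
        findings.append("jdenet-oversized-packet")    # ONAPSIS-2012-006 pattern
    if rec.get("src") not in JDE_HOSTS:
        findings.append("jdenet-from-unexpected-source")
    return findings


def scan(lines) -> list:
    """Run classify() over every line; return (src, dst, finding) tuples."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        for finding in classify(rec):
            alerts.append((rec.get("src"), rec.get("dst"), finding))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LINES):
        print(alert)
```

Because the source address of a UDP datagram can be forged, as the post notes, the allowlist check is only a detection aid and a spoofed packet will look like it came from a trusted server; preventing the attack means applying the vendor patch, keeping port 6015 reachable only from the JDE servers themselves, and applying ingress anti-spoofing filtering at the network edge.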

Hope you enjoyed our post and I’d like to thank Enno, Florian and the great ERNW team for their kind invitation.

You can get more information about our work at www.onapsis.com

BTW: Meet Mariano Nuñez Di Croce, CEO of Onapsis at TROOPERS12 in about ten days! He will give a talk and also host a dedicated workshop on SAP security.


Diving Into Real-World Security Threats to SAP Systems

This is a guest post by the SAP security experts of BIZEC. Enjoy reading:

On March 20th, the first BIZEC workshop will be held at the amazing Troopers conference in Heidelberg, Germany. For those still unfamiliar with BIZEC: the business application security initiative is a non-profit organization focused on security threats affecting ERP systems and business-critical infrastructures.

The main goals of BIZEC are:

  • Raise awareness, demonstrating that ERP security must be analyzed holistically.
  • Analyze current and future threats affecting these systems.
  • Serve as a unique central point of knowledge and reference in this subject.
  • Provide experienced feedback to global organizations, helping them to increase the security of their business-critical information.
  • Organize events with the community to share and exchange information.

The “BIZEC workshop at Troopers 2012” will dive into the security of SAP platforms. Still to this day, a big part of the Auditing and Information Security industries believe that Segregation of Duties (SoD) controls are enough to protect these business-critical systems.
By attending this session, InfoSec professionals and SAP security managers will be able to stop “flying blind” with regards to the security of their SAP systems. They will learn why SoD controls are not enough, which current threats exist that could be exploited by evil hackers, and how to protect their business-critical information from cyber-attacks.

Attendees can expect a high-dose of technical content covering the latest advances in the SAP security field.

The agenda is really exciting, covering hot topics such as:

  • Real-world cyber-threats to SAP systems, by Mariano Nunez Di Croce (Onapsis)
  • Five years of ABAP Code Reviews – A retrospective, by Frederik Weidemann (VirtualForge)
  • SAP Solution Manager from the hackers point of view, by Ralf Kemp (akquinet)

The workshop will be full of live demonstrations of attacks and discussions on possible mitigation techniques. Furthermore, attendees will have the pleasure of enjoying a great introduction by Gary McGraw, CTO of Cigital and pioneer in software security.

If you want to stay ahead of the threats affecting your SAP platforms, you can’t miss this workshop!

The BIZEC team

Comment by the Insinuator: We’ve prolonged the early-bird period until February 10th. We hope that helps to get your favorite event budgeted 😉
