Hiding Breadcrumbs – Antiforensics on SAP BusinessObjects

At Troopers 14, JP and I gave a talk called “Anti-Forensics on SAP Systems”. The talk focused on the methods attackers could use to hide their tracks on an SAP system. This blog post highlights one of the attacks we discussed.

SAP BusinessObjects has long supported Auditing and it has been enabled within the product by default for a number of years. By design all Audit events are written to the Auditing Data Store (ADS) on a schedule. However, as BO is designed to be a distributed platform, there is a delay between the moment when an event occurs and the time that event reaches the ADS. As discussed in the Administrator Guide, the steps before an event reaches the ADS are as follows:

  1. After an event occurs (e.g. Logon, Report Generation) the Auditee writes the event to a temporary file.
  2. The Auditor polls all auditees for new events on a set schedule. In BO4, the polling interval depends on the utilization of the Auditor: higher utilization means the Auditees are polled less often. On one of our lab systems the delay is typically 3 minutes at 1% utilization.
  3. If an auditee has new events, it takes them from the temporary file and sends them to the auditor in a batch.
  4. The auditee waits to receive confirmation from the auditor that the events have been received.
  5. After confirmation, the auditee deletes the events from the temporary file.


Assessing the security of SAP ecosystems with bizploit: Vulnerability Assessment

In the previous post we discovered the SAP Services listening on each one of the open ports. Now we can execute Bizploit plug-ins to assess the security of these SAP services.

Let’s have a look at the Discovery and Vulnassess plug-ins available in Bizploit.

Discovery and Vulnassess Plug-ins

Bizploit displays several columns for each plug-in: Plug-in name, Status (enabled or not), Conf (reading 'yes' if the plug-in is configurable) and Description.

We could enable all Bizploit modules to perform a full vulnerability assessment, but for the purpose of this post we will only enable those plug-ins which will be useful to illustrate the attacks described in upcoming posts.
