OWASP / pysap

pysap is an open source Python library that provides modules for crafting and sending packets using SAP's NI, Diag, Enqueue, Router, MS, SNC, IGS, RFC and HDB protocols.
https://owasp.org/www-project-core-business-application-security/
GNU General Public License v2.0

SAPCredv2 fails if PSE subject has more than just CommonName and LPS is on #35

Closed rstenet closed 3 years ago

rstenet commented 3 years ago

Hi,

If LPS is off or the subject has only CN, then it works.

Steps to reproduce the problem

1 Create pse and cred file

sapgenpse gen_pse -x "1234567890" -p test2.pse "CN=PSEowner, C=BG"
sapgenpse seclogin -x "1234567890" -lps -p test2.pse

2 Create test script read_cred.py

from pysap.SAPCredv2 import *

with open("cred_v2", "rb") as fd:
    cred_v2_string = fd.read()

cred_v2_asn1 = SAPCredv2(cred_v2_string)
cred_v2_asn1.show()

cred_v2_plain = cred_v2_asn1.creds[0].cred.decrypt("none")
cred_v2_plain.show()

3 Execute

saphost:sidadm 170> python2 read_cred.py
Traceback (most recent call last):
  File "read_cred.py", line 6, in <module>
    cred_v2_asn1 = SAPCredv2(cred_v2_string)
  File "/usr/lib64/python2.7/site-packages/scapy-2.4.4-py2.7.egg/scapy/base_classes.py", line 266, in __call__
    i.__init__(*args, **kargs)
  File "/usr/lib64/python2.7/site-packages/scapy-2.4.4-py2.7.egg/scapy/packet.py", line 158, in __init__
    self.dissect(_pkt)
  File "/usr/lib64/python2.7/site-packages/scapy-2.4.4-py2.7.egg/scapy/packet.py", line 875, in dissect
    s = self.do_dissect(s)
  File "/usr/lib64/python2.7/site-packages/scapy-2.4.4-py2.7.egg/scapy/asn1packet.py", line 35, in do_dissect
    return self.ASN1_root.dissect(self, x)
  File "/usr/lib64/python2.7/site-packages/scapy-2.4.4-py2.7.egg/scapy/asn1fields.py", line 138, in dissect
    v, s = self.m2i(pkt, s)
  File "/usr/lib64/python2.7/site-packages/scapy-2.4.4-py2.7.egg/scapy/asn1fields.py", line 416, in m2i
    c, s = self.extract_packet(self.cls, s)
  File "/usr/lib64/python2.7/site-packages/scapy-2.4.4-py2.7.egg/scapy/asn1fields.py", line 122, in extract_packet
    c = cls(s)
  File "/usr/lib64/python2.7/site-packages/scapy-2.4.4-py2.7.egg/scapy/base_classes.py", line 266, in __call__
    i.__init__(*args, **kargs)
  File "/usr/lib64/python2.7/site-packages/scapy-2.4.4-py2.7.egg/scapy/packet.py", line 158, in __init__
    self.dissect(_pkt)
  File "/usr/lib64/python2.7/site-packages/scapy-2.4.4-py2.7.egg/scapy/packet.py", line 875, in dissect
    s = self.do_dissect(s)
  File "/usr/lib64/python2.7/site-packages/scapy-2.4.4-py2.7.egg/scapy/asn1packet.py", line 35, in do_dissect
    return self.ASN1_root.dissect(self, x)
  File "/usr/lib64/python2.7/site-packages/scapy-2.4.4-py2.7.egg/scapy/asn1fields.py", line 138, in dissect
    v, s = self.m2i(pkt, s)
  File "build/bdist.linux-x86_64/egg/pysap/utils/fields.py", line 353, in m2i
scapy.asn1.asn1.ASN1_Error
saphost:sidadm 171>

martingalloar commented 3 years ago

The reason why this fails in LPS is because the Cred structure differs when enabling LPS or not. The current implementation only considers a sequence of commonName, while we should be allowing for any X.509 OID within 2.5.4.X. I'll give it a try shortly and get back, but this is a good catch! Thanks for reporting!
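
The difference described in the comment above, as an added example that is not part of the thread and not pysap's code: a standalone Python 3 DER walk over an X.509 Name that rejects the subject `C=BG, CN=PSEowner` when only commonName is allowed and accepts it when any OID under 2.5.4.X is allowed. The function names and the sample bytes are constructed for illustration and cover only the Name, not the cred_v2 layout.

```python
# Added illustration, not pysap code: names and sample bytes are constructed.
X520_ARC = "2.5.4."      # id-at arc: 2.5.4.3 commonName, 2.5.4.6 countryName
COMMON_NAME = "2.5.4.3"

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode OID content octets into dotted notation."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                # last octet of this sub-identifier
            arcs.append(value)
            value = 0
    root = min(arcs[0] // 40, 2)
    return ".".join(map(str, [root, arcs[0] - 40 * root] + arcs[1:]))

def parse_name(der, cn_only=False):
    """Parse an RDNSequence into [(oid, text)]; cn_only mimics a CN-only parser."""
    tag, rdns, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    attrs, pos = [], 0
    while pos < len(rdns):
        tag, rdn, pos = read_tlv(rdns, pos)          # SET OF AttributeTypeAndValue
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        inner = 0
        while inner < len(rdn):
            _, atv, inner = read_tlv(rdn, inner)     # SEQUENCE { type, value }
            oid_tag, oid_body, vpos = read_tlv(atv, 0)
            oid = decode_oid(oid_body) if oid_tag == 0x06 else ""
            if not oid.startswith(X520_ARC) or (cn_only and oid != COMMON_NAME):
                raise ValueError("unexpected attribute type %r" % oid)
            attrs.append((oid, read_tlv(atv, vpos)[1].decode("utf-8")))
    return attrs

# Constructed DER for the subject C=BG, CN=PSEowner (PrintableString, UTF8String).
SAMPLE_NAME = bytes.fromhex("3020" "310b3009060355040613024247"
                            "3111300f0603550403" "0c08" "5053456f776e6572")
```

`parse_name(SAMPLE_NAME)` returns both attributes, while `parse_name(SAMPLE_NAME, cn_only=True)` raises `ValueError` on the countryName attribute.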

martingalloar commented 3 years ago

Can you git pull and try it again now?

It seems to be properly fixed now:

$ pysapgenpse -c seclogin -dvf ~/sec/cred_v2 -x "Pa$$w0rd!"
pysapgenpse version: 0.1.20.dev0
pysapgenpse: Reading credentials file '/home/martin/sec/cred_v2'

 0 (LPS:FALLBACK): /C=AR/CN=PSEOwner
     (LPS:N/A): /home/martin/sec/test.pse
         Credential cipher format version 2, algorithm AES256
         PIN:       1234567890

 1 readable SSO-Credentials available

rstenet commented 3 years ago

Hi Martin, yes it is working now.