Uncovering SAP Vulnerabilities: Reversing and Breaking the Diag Protocol

DEF CON 20

Presented by: Martin Gallo
Date: Saturday July 28, 2012
Time: 15:00 - 15:50
Location: Track 5 / Penn & Teller

Nowadays, SAP Netweaver has become the most extensive platform for building enterprise applications and run critical business processes. In recent years it has become a hot topic in information security. However, while fixes and countermeasures are released monthly by SAP at an incredible rate, the available security knowledge is limited and some components are still not well covered.

SAP Diag is the application-level protocol used for communications between SAP GUI and SAP Netweaver Application Servers and it's a core part of any ABAP-based SAP Netweaver installation. Therefore, if an attacker is able to compromise this component, this would result in a total takeover of a SAP system. In recent years, the Diag protocol has received some attention from the security community and several tools were released focused on decompression and sniffing. Nevertheless, protocol specification is not public and internal components and inner-workings remains unknown; the protocol was not understood and there is no publicly available tool for active exploitation of real attack vectors.

This talk is about taking SAP penetration testing out of the shadows and shedding some light into SAP Diag, by introducing a novel way to uncover vulnerabilities in SAP software through a set of tools that allows analysis and manipulation of the SAP Diag protocol. In addition, we will show how these tools and the knowledge acquired while researching the protocol can be used for vulnerability research, fuzzing and practical exploitation of novel attack vectors involving both SAP's client and server applications: man-in-the-middle attacks, RFC calls injection, rogue SAP servers deployment, SAP GUI client-side attacks and more. As a final note, this presentation will also show how to harden your SAP installations and mitigate these threats.

Martin Gallo

Martin Gallo is a Security Consultant at CORE Security, where he performs application and network penetration testing, conducts code reviews and identifies vulnerabilities in enterprise and third party software. His research interests include enterprise software security, vulnerability research and reverse engineering.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats