Nowadays, SAP Netweaver has become the most extensive platform for building enterprise applications and run critical business processes. In recent years it has become a hot topic in information security. However, while fixes and countermeasures are released monthly by SAP at an incredible rate, the available security knowledge is limited and some components are still not well covered.
SAP Diag is the application-level protocol used for communications between SAP GUI and SAP Netweaver Application Servers and it's a core part of any ABAP-based SAP Netweaver installation. Therefore, if an attacker is able to compromise this component, this would result in a total takeover of a SAP system. In recent years, the Diag protocol has received some attention from the security community and several tools were released focused on decompression and sniffing. Nevertheless, protocol specification is not public and internal components and inner-workings remains unknown; the protocol was not understood and there is no publicly available tool for active exploitation of real attack vectors.
This talk is about taking SAP penetration testing out of the shadows and shedding some light into SAP Diag, by introducing a novel way to uncover vulnerabilities in SAP software through a set of tools that allows analysis and manipulation of the SAP Diag protocol. In addition, we will show how these tools and the knowledge acquired while researching the protocol can be used for vulnerability research, fuzzing and practical exploitation of novel attack vectors involving both SAP's client and server applications: man-in-the-middle attacks, RFC calls injection, rogue SAP servers deployment, SAP GUI client-side attacks and more. As a final note, this presentation will also show how to harden your SAP installations and mitigate these threats.
Andrew Gavin, creator of OpenDLP, is an information security consultant at Verizon Business. He has more than 12 years of experience in security assessments of networks and applications. He has consulted for numerous customers in various industries around the world. Twitter: @OpenDLP (project), @andrewgavin (personal)
Michael Baucom is the VP of Engineering at N2 Net Security. Michael has taught classes on exploit development and was the technical editor for Gray Hat Hacking: the Ethical Hacker's Handbook. He has worked in development for over 15 years in various industries. While at N2 Net Security he has worked on a wide variety of projects including software security assessments, tool development, and penetration tests.
Charles Smith is a graduate of North Carolina State University, and has been building credit card software and developer tools and modules for the last ten years. Recently he has joined N2 Net Security, and has put his skills to ferreting out security vulnerabilities and building new tools to help penetration testers do their jobs more efficiently. He specializes in C++, but is also well-versed in Java, .NET, VB, and Perl.