Real SAP Backdoors presented at TROOPERS 2012

by Andreas Wiegenstein

Tags: Security

Summary: In the past year the number of lecture sessions with traumatizing headlines about hacking SAP systems has risen dramatically. Their content, however, is usually the same: insecure implementations of algorithms, side effects in commands, flawed business logic and designs that brilliantly miss the point of security. In essence, security defects built into the SAP framework by mistake.

This session, however, demonstrates several security defects in SAP NetWeaver that do not appear to have been created by mistake. In order to make a point, I will first discuss with the audience what exactly defines a backdoor. Then I will demonstrate several security defects discovered by me and my team, and finally discuss with the audience whether these defects qualify as backdoors. All security defects shown are highly critical and have never been publicly discussed before.* They enable attackers to remotely execute arbitrary ABAP commands and arbitrary OS commands: in essence, full control over SAP NetWeaver Application Server ABAP.