Attacking the Giants: Exploiting SAP Internals presented at DeepSec 2007

by Mariano Croce

Summary: The SAP Remote Function Call (RFC) interface is the heart of communications between SAP systems, and between SAP and external software. Almost every system that wants to interact with SAP does so through the RFC interface. As SAP itself puts it: "The RFC library is the most commonly used and installed component of existing SAP software."

After a short description of the purpose and internals of the RFC interface, the presentation describes vulnerabilities discovered in our research, both in the RFC protocol implementation and in the RFC Library itself. Beyond these, we disclose new vulnerabilities in other related key SAP components, and present attacks that abuse default misconfigurations and design flaws. These attacks let you:

- Grab logon credentials.
- Hijack RFC communications.
- Perform man-in-the-middle attacks over RFC.
- Completely own an SAP Application Server, remotely.

All of these attacks are demonstrated live with the help of sapyto, the first public framework for penetration testing of SAP systems. The tool enables penetration testers to assess the security of SAP systems: it can perform harmless security audits, but also active exploitation of discovered flaws. The stable version of sapyto will be released at the talk, shipped with many new plugins.