A Backdoor in Wonderland presented at Troopers 2015

by Frederik Weidemann, Hans-Christian Esperer

Summary: Many companies spend millions on locking down their SAP landscape. But even the highest investment in SAP security is in vain if there are backdoors in the SAP standard that allow malicious parties to bypass all existing measures. This talk demonstrates how a single, fundamental backdoor in SAP's RFC protocol allows external attackers to penetrate even the strongest SAP security fortress. This severe security vulnerability was reported to SAP in January 2012 and has recently been fixed.