DeepSec 2012 Talk: SAP Slapping

René Pfeiffer/ September 30, 2012/ Conference

DeepSec 2012 covers SAP in depth, and we decided to also include a presentation on how to test/pen-test SAP installations. Dave Hartley will give you an overview of how to approach SAP, show you what you can do, and probably achieve complete compromise of insecure and misconfigured SAP environments by pressing buttons. ☺

SAP systems can incorporate many different modules (ERP, ECC, CRM, PLM, SCM, SR, …) that are installed on multiple operating systems (UNIX, HP-UX, Linux, Windows, etc.), which in turn rely on many different back-end databases (DB2, Sybase ASE, Oracle, MS SQL, MaxDB and Informix). There are also many different versions/application stacks (SAP Netweaver 7.1 ABAP AS, 7.2 ABAP/Java AS, 7.3 ABAP/Java AS, …). Basically, SAP systems often consist of very complex architectures and employ a myriad of integration choices in order to offer interoperability with enterprise systems. This has led to a situation whereby an SAP deployment can expose an incomprehensibly massive attack surface and can often expose an organisation to the very real threat of compromise. As SAP systems are the core operational system of many businesses, even the smallest level of compromise can have devastating effects.

Many pentesters and security professionals tend to shy away from assessing SAP systems in the belief that they do not possess the necessary skills, capabilities or knowledge to take on the beast that is SAP. The truth of the matter is that SAP is no different from any other interconnected business system. Traditional network and application testing tool sets and methodologies are just as applicable, and network and application security best practices and principles are just as relevant. In recent years a number of quality researchers have turned their attention to SAP and published some great work. However, pentesters often need to get up to speed quickly on application technologies, system specifics, protocol idiosyncrasies, etc. prior to delivering an engagement for a client. This talk aims to serve that purpose.

SAP Slapping is a talk aimed at pentesters looking to go from zero to hero when assessing or encountering SAP systems during their engagements. There are a number of very good white papers and presentations available to those looking to gain a deep understanding of SAP systems and their vulnerabilities; this talk attempts to condense those materials into a consumable and manageable format. The talk provides a high-level overview of common SAP system vulnerabilities and misconfigurations, and introduces tools and frameworks that can be leveraged to quickly and easily exploit and compromise misconfigured/vulnerable SAP systems.

A number of Metasploit modules authored by the speaker, which can be used to form the base of an open source SAP assessment toolkit, will be demoed during the presentation. Previously, options for building an SAP assessment tool set were limited to commercial offerings such as X1 from Onapsis, ERP-Scan, and ESNC. However, with the recent updates to Bizploit and the soon to be released IronSAP framework, consultants have more choice than ever and, more importantly, the opportunity to contribute back and extend these tool sets to the benefit of all. Hopefully the audience will be inspired to get involved and to familiarise themselves with the more in-depth and comprehensive materials that inspired the speaker to create this talk and craft the MSF modules.

We strongly believe that no one running, using or testing SAP should miss this presentation.

About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.