Fortune 1000 companies often rely on a plethora of software, hardware, vendors, and solutions, all operating to keep the business running and alive. With all this complexity, there is often a single vendor that's common amongst them all: SAP.
SAP's software is well established in the enterprise and is often responsible for processing billions of dollars. With such a vital role in business, what would the impact be if serious flaws were exploited?
At the heart of every SAP deployment there is always one core mandatory product that's connected to many other systems: The SAP Solution Manager (SolMan). Think of this as what Active Directory is for Windows networks.
Given the criticality of this component, the Onapsis Research Labs conducted a thorough security assessment of SolMan to understand the threat model, how attackers could compromise it, and how customers should protect themselves. The results were overwhelming. From unauthenticated HTTP access, an attacker would be able to compromise all systems in the SAP landscape. Furthermore, by chaining a series of vulnerabilities, it would be possible to get reliable root access not only on the attacked core system, but also on all satellites connected to it.
The aim of this presentation is to show the journey we took while researching SolMan, a journey that included binary and Java application analysis, understanding how SolMan worked, and identifying exploitation methods that could be used by rogue parties to attack it. By talking about this journey, we hope attendees can use our experience to tackle similar projects where little or no information is available about how complex components work.
Finally, we'll explain in detail not only how these issues were fixed by SAP, but also what you can do to detect and prevent these kinds of threats at your organization.