Uncovering SAP Vulnerabilities: Reversing and Breaking the Diag Protocol

Presented at DEF CON 20 (2012), July 28, 2012, 3 p.m. (50 minutes)

Nowadays, SAP Netweaver has become the most extensive platform for building enterprise applications and run critical business processes. In recent years it has become a hot topic in information security. However, while fixes and countermeasures are released monthly by SAP at an incredible rate, the available security knowledge is limited and some components are still not well covered. SAP Diag is the application-level protocol used for communications between SAP GUI and SAP Netweaver Application Servers and it's a core part of any ABAP-based SAP Netweaver installation. Therefore, if an attacker is able to compromise this component, this would result in a total takeover of a SAP system. In recent years, the Diag protocol has received some attention from the security community and several tools were released focused on decompression and sniffing. Nevertheless, protocol specification is not public and internal components and inner-workings remains unknown; the protocol was not understood and there is no publicly available tool for active exploitation of real attack vectors. This talk is about taking SAP penetration testing out of the shadows and shedding some light into SAP Diag, by introducing a novel way to uncover vulnerabilities in SAP software through a set of tools that allows analysis and manipulation of the SAP Diag protocol. In addition, we will show how these tools and the knowledge acquired while researching the protocol can be used for vulnerability research, fuzzing and practical exploitation of novel attack vectors involving both SAP's client and server applications: man-in-the-middle attacks, RFC calls injection, rogue SAP servers deployment, SAP GUI client-side attacks and more. As a final note, this presentation will also show how to harden your SAP installations and mitigate these threats.

Presenters:

• Martin Gallo - Security Consultant, Core Security
  Martin Gallo is a Security Consultant at CORE Security, where he performs application and network penetration testing, conducts code reviews and identifies vulnerabilities in enterprise and third party software. His research interests include enterprise software security, vulnerability research and reverse engineering.

Links:

• https://defcon.org/html/defcon-20/dc-20-speakers.html#Gallo
• https://www.youtube.com/watch?v=1YOPyHvhHUg

Similar Presentations:

• DeepSec 2018 „I like to mov &6974,%bx“ / ERP Security: Assess, Exploit and Defend SAP Platforms
• TROOPERS17 (2017) / SAP strikes back. Your SAP server now counter-attacks
• DeepSec 2017 „Science First!“ / SAP CTF Pentest : From Outside To Company Salaries Tampering (closed)