evgeny neyolov - dev system hacking — arch bugs in sap sdm

Invest in security to secure investments. Arch bugs in SAP Software Deployment Manager. Evgeny Neyolov feat. Dmitry Chastuhin, ERP Security Analyst.

Upload: defconrussia

Post on 01-Nov-2014



TRANSCRIPT

Page 1: Evgeny Neyolov - Dev system hacking — arch bugs in SAP SDM

Invest in security to secure investments

Arch bugs in SAP Software Deployment Manager

Evgeny Neyolov feat. Dmitry Chastuhin, ERP Security Analyst

Page 2

SAP NetWeaver Development Infrastructure

• Design Time Repository (DTR)
• Component Build Service (CBS)
• Change Management Service (CMS)
• Software Landscape Directory (SLD) / NS
• Software Deployment Manager (SDM)

erpscan.com ERPScan — invest in security to secure investments

Pages 3–8

SAP NetWeaver Development Infrastructure (title-only slides; the transcript carries no further text for them)

Page 9

Software Deployment Manager

• Single interface for deployment
• Deploys apps (*.ear, *.war, *.sda)
• Implements custom patches
• Only one user at a time
• Only one hardcoded admin user


Page 10

SDM + UME = Love

• User Management Engine
• Affects almost all SAP Java components


Page 11

SDM Attack Intro

• Thick-client Java application (sad story)
• SAP has its own SAP Java Virtual Machine (JVM)
• Java 6 has the Attach API
• Attaching to another JVM at runtime
• Intercepting and modifying calls
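The slide above names the weakness class: a thick-client JVM that any process running as the same OS user can attach to at runtime. As an added example that is not part of the slides or of ERPScan's material, the following Python audit shows the two checks a defender would run on a host carrying such a client. It assumes HotSpot behaviour, which SAP JVM inherits as an assumption, not a fact stated on the slides: the real HotSpot option `-XX:+DisableAttachMechanism` turns the mechanism off, and a HotSpot JVM creates the Unix socket `/tmp/.java_pid<pid>` only once its attach listener has been started, so that file is a useful indicator. The process listing, the `/tmp` entries, the `/usr/sap/jvm` path and the jar names are all constructed sample data.

```python
"""Audit a host for JVMs that can be attached to at runtime.

Added example, not from the original slides.  Assumptions (labelled):
  - the JVMs are HotSpot-based, so -XX:+DisableAttachMechanism is honoured
    (true for Oracle/OpenJDK HotSpot; assumed for SAP JVM);
  - HotSpot creates /tmp/.java_pid<pid> when its attach listener starts.
All sample data below is constructed so the script runs offline.
"""
import re
from dataclasses import dataclass

ATTACH_DISABLED_FLAG = "-XX:+DisableAttachMechanism"   # real HotSpot option
PS_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")             # "<pid> <argv...>"
ATTACH_SOCKET = re.compile(r"^\.java_pid(\d+)$")      # attach listener socket name


@dataclass
class JvmFinding:
    pid: int
    attach_disabled: bool        # started with -XX:+DisableAttachMechanism
    listener_socket_seen: bool   # /tmp/.java_pid<pid> present


def parse_java_processes(ps_lines):
    """Return {pid: argv_string} for listing lines whose executable is a JVM."""
    jvms = {}
    for line in ps_lines:
        m = PS_LINE.match(line)
        if not m:                       # header line or garbage, skip it
            continue
        pid, argv = int(m.group(1)), m.group(2)
        tokens = argv.split()
        if tokens and tokens[0].endswith(("java", "java.exe")):
            jvms[pid] = argv
    return jvms


def attach_sockets(tmp_entries):
    """Return the set of pids that have an attach listener socket in /tmp."""
    pids = set()
    for name in tmp_entries:
        m = ATTACH_SOCKET.match(name)
        if m:
            pids.add(int(m.group(1)))
    return pids


def audit(ps_lines, tmp_entries):
    """Correlate JVM processes with the attach flag and listener sockets."""
    sockets = attach_sockets(tmp_entries)
    findings = []
    for pid, argv in sorted(parse_java_processes(ps_lines).items()):
        disabled = ATTACH_DISABLED_FLAG in argv.split()   # exact token match
        findings.append(JvmFinding(pid, disabled, pid in sockets))
    return findings


def risky(findings):
    """JVMs that either allow attach or already show a started attach listener."""
    return [f for f in findings if not f.attach_disabled or f.listener_socket_seen]


# Constructed sample input: "ps -o pid,args" style lines and a /tmp listing.
SAMPLE_PS = [
    "  PID ARGS",
    " 2231 /usr/sap/jvm/bin/java -Xmx512m -jar /opt/sdm/sdm.jar",
    " 2418 /usr/sap/jvm/bin/java -XX:+DisableAttachMechanism -jar /opt/app/server.jar",
    " 2555 /usr/bin/python3 /opt/tools/monitor.py",
    " 2610 /usr/sap/jvm/bin/java -jar /opt/app/batch.jar",
]
SAMPLE_TMP = [".java_pid2231", "hsperfdata_sapadm", ".X11-unix", ".java_pid9999"]

if __name__ == "__main__":
    for f in risky(audit(SAMPLE_PS, SAMPLE_TMP)):
        why = []
        if not f.attach_disabled:
            why.append("attach mechanism enabled")
        if f.listener_socket_seen:
            why.append("attach listener socket present")
        print(f"pid {f.pid}: {', '.join(why)}")
```

On the constructed data the script reports pid 2231 (attachable, and something has already started its attach listener) and pid 2610 (attachable), while pid 2418 passes. On a real host the listing comes from `ps -eo pid,args` and the socket names from `/tmp`; the HotSpot attach mechanism is restricted to processes with the same effective user, so the flag check matters most on hosts where other workloads share the JVM's OS account.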


Page 12

SDM Post Exploitation


Page 13

Post Exploitation
