Ghost in the Shell

March 13, 2013 (at 2:30 p.m.) in Attacks & Research

Security conferences in the past years have made it clear, that common security vulnerabilities such as SQL Injection, XSS, CSRF, HTTP verb tampering and many others also exist in SAP software.

This talk covers several vulnerabilities that are unique to SAP systems and shows how these can be used in order to bypass crucial security mechanisms and at the same time operate completely below the (forensic) Radar.

We uncovered undocumented mechanisms in the SAP kernel, that allow launching attacks that cannot be traced back to the attacker by forensic means. These mechanisms allow to actively inject commands at any time into the running backend-session of an arbitrary logged on user, chosen by the attacker. We named this attack mechanism “Ghost in the Shell”.

We will also demo how to use this attack vector to distribute malware to the attacked user’s client machine despite mechanisms in the SAP standard that are designed to prevent this.

BIO: Andreas Wiegenstein has been working as a professional SAP security consultant since 2003. He performed countless SAP code audits and has been researching security defects specific to SAP / ABAP applications.

As CTO, he leads the CodeProfiler Research Labs at Virtual Forge, a team focusing on SAP/ABAP specific vulnerabilities and countermeasures. At the CodeProfiler Labs, he works on ABAP security guidelines, ABAP security trainings, an ABAP security scanner as well as white papers and publications.

Andreas has trained large companies and defense organizations on ABAP security and has spoken at SAP TechEd on several occasions as well as at security conferences such as Troopers, BlackHat, HITB, RSA as well as many smaller SAP specific conferences. He is co-author of the first book on ABAP security (SAP Press 2009). He is also member of BIZEC.org, the Business Security Community.

Xu Jia

Xu Jia is researching SAP security topics since 2006. His focus is on static code analysis for ABAP and he is the lead architect for a commercial SCA tool. Working in the CodeProfiler Research Labs at Virtual Forge, he also analyzes (ABAP) security defects in SAP standard software. Xu has received credit for more than 30 security advisories where he reported 0-days to SAP, including multiple new forms of attack that are specific to SAP software. He already presented some of his research at Troopers 2013 and 2014 in Heidelberg.

Andreas Wiegenstein

Andreas Wiegenstein has been working as a professional SAP security consultant since 2003. He performed numerous SAP security audits and received credit for more than 80 SAP security patches related to vulnerabilities he discovered in various SAP products. As CTO at Virtual Forge GmbH he leads Research & Innovation, a team focusing on SAP specific security research and new security solutions. Andreas has trained large companies and defense organizations on SAP security and has spoken at multiple SAP-specific conferences (like TechEd, DSAG, BIZEC and SAPience) as well as at general security conferences such as Troopers, Black Hat, HITB, IT Defense, DeepSec and RSA. He researched the ABAP Top 20 Risks published by the German Federal Office for Information Security (BSI) and is co-author of the first book on ABAP security (SAP Press 2009). He is also member of BIZEC.org, the Business Security Community.