Why break critical systems themselves when we can attack Deployment Server: the core from which all J2EE code spreads into other systems? The core is called SAP Software Deployment Server and consists of many subsystems like SDM, DTR, CMS. They have their own SVN-like subsystem and Build service. “By offering a single point of entry for all Java development tools and an integration point for all SAP infrastructure components, the SAP NWDS supports you in developing Web Dynpro and J2EE applications. Application developers do not need to switch between different development environments and can develop, build, deploy, and execute applications centrally from the Developer Studio.” Isn’t it a perfect victim for an attack? Who cares about the security of Deployment Server? That’s why it is full of issues and it is possible to deploy your own code anonymously without having any access to NWDS using architecture flaws. In the end, your evil code will spread to any system you want, giving you the ability to control every business system. Come and see how we did it in practice and how to prevent the described attacks.
Dmitry is a Director of security consulting at ERPScan. He works upon SAP security, particularly upon Web applications and JAVA, HANA and Mobile solutions. He has official acknowledgements from SAP for the vulnerabilities found. Dmitry is also a WEB 2.0 and social network security geek and bug bounty who found several critical bugs in Google, Nokia, Badoo. He is a contributor to the EAS-SEC project. He spoke at the following conferences: BlackHat, Hack in the Box, DeepSec, and BruCON
Founder of ERPScan, President of EAS-SEC.org project, accomplished R&D professional and Entrepreneur of the year. He is an expert at security for business-critical software like ERP, CRM, SRM and industry specific solutions. He has received due recognition having publishing over 100 vulnerabilities, as well as multiple whitepapers, such as annual award-winning "SAP Security in Figures”, surveys and a book devoted to information security research in SAP and Oracle. He has presented at more than 50 conferences in 20+ countries in all continents and held training sessions for the CISOs of Fortune 2000 companies, including SAP SE.