Many companies spend millions for locking down their SAP landscape. But even the highest invest in SAP security is in vain, if there are backdoors in the SAP standard that allow malicious parties to bypass all existing measures. This talk demonstrates how a single, fundamental backdoor in SAP's RFC protocol allows external attackers to penetrate even the strongest SAP security fortress. This severe security vulnerability was reported to SAP in January 2012 and has recently been fixed.
Hans-Christian "HC" Esperer joined the CodeProfiler Research Labs at Virtual Forge in 2012. His focus is on static code analysis, efficient parsing and analysis strategies for new SAP technologies. "HC" has participated in and organized various CTF challenges in the past, together with TU Darmstadt and RWTH Aachen. His focus there is on improving measurability of success by standardizing the CTF environment in such a way that skill of the partaking teams is directly seen in the CTF scoring, while individual prerequisites such as access to commercial debugging and memory analysis tools is minimized. "HC" has also written his own CTF scoring system which is available from his website.
Frederik Weidemann is Head of Consulting at Virtual Forge GmbH with a focus on SAP Security for eight years. He is co-author of the first book on ABAP Security "Sichere-ABAP Programmierung" by SAP Press and spoke at several SAP and Security related conferences like RSA, OWASP and DSAG. Frederik frequently teaches on secure ABAP programming (course WDESA3) at SAP University in Walldorf and on SAP security for Virtual Forge's customers. He also writes articles on SAP Security on a regular basis and has found numerous Zero Day defects in Business Software. Frederik holds a German Diploma in Computer Science and scored several Capture-The-Flag hacking contests first or second place during his time in university.