SAP Netweaver is one of the most important platforms developed by SAP. It supports all of the business-critical processes companies depend on such as payroll, sales, invoicing, production and others.
During this presentation, we will analyze different parts of the SAP Netweaver platform such as SAP Message Server, the ABAP application server and the SAP Gateway. We will also discuss how these components communicate with each other, the relationships between them, and how an attacker can exploit these relationships.
SAP has been improving their default security settings, making it harder for an attacker to exploit systems by default without any user interaction. This probability is even smaller If reliable operating system command execution is added to the equation.
Going deeper in this relationship, we have found a new attack vector that appears to complete the circle of trust: how an attacker can execute commands leveraging the trust that the SAP system has in the registered application servers.
We will end our presentation by showing this new attack. Combining known vectors with new techniques, this attack allows attackers to obtain network access to the system, enabling them to fully compromise the SAP platform.
It affects SAP Netweaver from versions 7.2 up to 7.5, and still exists within the default security settings on this platform.
Nahuel D. Sanchez is as a security researcher at Onapsis. Being a member of Onapsis Research Labs, his work focuses on performing extensive research of SAP products and components, identifying and reporting security vulnerabilities, attack vectors and advanced exploitation techniques that are applicable to different platforms. Nahuel is one of the most frequent reporter of vulnerabilities in SAP products and is a frequent author of the publication "SAP Security In-Depth". He previously worked as a security consultant, evaluating the security of Web applications and participating of Penetration Testing projects. His areas of interest include Web security, reverse engineering, and the security of Business-Critical applications.
Gaston is a Security Researcher at the Onapsis Research Labs. He holds a computer degree from Universidad Nacional de La Plata (UNLP), where he works for more than six years in the CERT Team, handling computer security incidents at the university infrastructure. Before joining Onapsis he also worked as an Ethical Hacker for several companies. Currently, he work on discovering security vulnerabilities in SAP and Oracle and creating detection rules for ERP attacks for Onapsis Security Platform.