Everyone knows SAP, everyone uses SAP, everyone uses RFC, no one knows RFC: From RFC to RCE 16 years later

Download Slides

Watch Video

With an 87% share of global commerce and 99 of the world’s 100 largest companies, it is fair to say that software vendor SAP SE’s customers run our world as we know it. Remote Function Call (RFC) is a proprietary communication protocol required for all systems operating the SAP Application Server for ABAP, making it one of the most appealing targets for attacks on business-critical SAP system landscapes. Looking back at the talk “Attacking the Giants: Exploiting SAP Internals” presented by M. Nunez at Black Hat Europe 2007 [1], the protocol reached the security research community for the first time.

Nowadays, SAP systems became increasingly interconnected not only internally, but also across network-trust boundaries. Established technologies are integrated with modern programming paradigms, deployment architectures, and the cloud. This circumstance results in enterprises relying on the RFC interface technology and its codebase more than ever.

16 years after the protocol was initially introduced to the community, I want to put it once more on the stage it deserves, unveiling research results on server-to-server communications that yielded alternate logon material, cryptographic failures, memory corruptions, and ABAP programming pitfalls. With a responsible disclosure that took almost 2 years for all patches to be complete, major design flaws affected both kernel components in maintenance and development of nearly all SAP products.

This presentation starts with a high-level introduction discussing the evolution of RFC, previous research, and security mechanisms. Taking a deep dive into the kernel catacombs and low-level protocol analysis, I will demonstrate how I went from stumbling over an authentication bypass to achieving a vulnerability chain with wormable exploitation capabilities hiding in plain sight for many years. Finally, I will provide further insights into the implications of the findings, concluding with recommendations for SAP customers and offensive security researchers.

[1] M. Nunez. (2007). Attacking the Giants: Exploiting SAP Internals. Presented at the Black Hat Europe 2007 Conf. [Online]. Available: https://www.blackhat.com/presentations/bh-europe-07/Nunez-Di-Croce/Whitepaper/bh-eu-07-nunez_di_croce-WP-apr19.pdf

About the Speaker

Fabian Hagg

Fabian Hagg\ SEC Consult, an Atos company\ Technical Security Consultant and Head of Security for SAP Services

Fabian Hagg is a passionate penetration tester, vulnerability researcher, and security consultant specialized in business-critical software systems. He is the Head of Security for SAP Services at SEC Consult where he conducted various security assessments for a customer base that ranges from SMEs to large organizations and leading market share holders. He is publicly acknowledged by the vendor SAP SE for reporting and responsibly disclosing multiple critical security vulnerabilities. Graduated from the University of Applied Sciences Offenburg (DE) in 2020, he holds a Bachelor of Science degree in Corporate and IT Security. After his graduation, he joined the SAP research community and started multiple projects at the SEC Consult Vulnerability Lab. Today, he is studying in the master’s program of IT Security at the University of Applied Sciences Technikum Vienna (AT). His curriculum vitae and research results show that SAP security should be a top priority not only for professionals with 15 years of experiences in the field of SAP technology, but also newcomers having a security background and little knowledge about complex business software systems.