Everyone knows SAP, everyone uses SAP, everyone uses RFC, no one knows RFC: From RFC to RCE 16 years later

With an 87% share of global commerce and 99 of the world’s 100 largest companies, it is fair to say that software vendor SAP SE’s customers run our world as we know it. Remote Function Call (RFC) is a proprietary communication protocol required for all systems operating the SAP Application Server for ABAP, making it one of the most appealing targets for attacks on business-critical SAP system landscapes. Looking back at the talk “Attacking the Giants: Exploiting SAP Internals” presented by M. Nunez at Black Hat Europe 2007 [1], the protocol reached the security research community for the first time.

Nowadays, SAP systems became increasingly interconnected not only internally, but also across network-trust boundaries. Established technologies are integrated with modern programming paradigms, deployment architectures, and the cloud. This circumstance results in enterprises relying on the RFC interface technology and its codebase more than ever.

16 years after the protocol was initially introduced to the community, I want to put it once more on the stage it deserves, unveiling research results on server-to-server communications that yielded alternate logon material, cryptographic failures, memory corruptions, and ABAP programming pitfalls. With a responsible disclosure that took almost 2 years for all patches to be complete, major design flaws affected both kernel components in maintenance and development of nearly all SAP products.

This presentation starts with a high-level introduction discussing the evolution of RFC, previous research, and security mechanisms. Taking a deep dive into the kernel catacombs and low-level protocol analysis, I will demonstrate how I went from stumbling over an authentication bypass to achieving a vulnerability chain with wormable exploitation capabilities hiding in plain sight for many years. Finally, I will provide further insights into the implications of the findings, concluding with recommendations for SAP customers and offensive security researchers.

[1] M. Nunez. (2007). Attacking the Giants: Exploiting SAP Internals. Presented at the Black Hat Europe 2007 Conf. [Online]. Available: https://www.blackhat.com/presentations/bh-europe-07/Nunez-Di-Croce/Whitepaper/bh-eu-07-nunez_di_croce-WP-apr19.pdf

About the Speaker