1 / 13

Arch bugs in SAP Software Deployment Manager Evgeny Neyolov feat. Dmitry Chastuhin ERP Security Analyst

Arch bugs in SAP Software Deployment Manager Evgeny Neyolov feat. Dmitry Chastuhin ERP Security Analyst. SAP NetWeaver Development Infrastructure. Design Time Repository (DTR) Component Build Service (CBS) Change Management Service (CMS) Software Landscape Directory (SLD) / NS

neola
Download Presentation

Arch bugs in SAP Software Deployment Manager Evgeny Neyolov feat. Dmitry Chastuhin ERP Security Analyst

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Arch bugs in SAP Software Deployment ManagerEvgeny Neyolov feat. Dmitry ChastuhinERP Security Analyst

  2. SAP NetWeaver Development Infrastructure • Design Time Repository (DTR) • Component Build Service (CBS) • Change Management Service (CMS) • Software Landscape Directory (SLD) / NS • Software Deployment Manager (SDM) ERPScan — invest in security to secure investments

  3. SAP NetWeaver Development Infrastructure ERPScan — invest in security to secure investments

  4. SAP NetWeaver Development Infrastructure ERPScan — invest in security to secure investments

  5. SAP NetWeaver Development Infrastructure ERPScan — invest in security to secure investments

  6. SAP NetWeaver Development Infrastructure ERPScan — invest in security to secure investments

  7. SAP NetWeaver Development Infrastructure ERPScan — invest in security to secure investments

  8. SAP NetWeaver Development Infrastructure ERPScan — invest in security to secure investments

  9. Software Deployment Manager • Single interface for the deployment • Deploy apps (*.ear, *.war, *.sda) • Implement custom patches • only one user at time • only hardcoded admin user ERPScan — invest in security to secure investments

  10. SDM + UME = Love • User Management Engine • affects almost all SAP-Java-stuff ERPScan — invest in security to secure investments

  11. SDM Attack Intro • thick client Java application (sad story) • SAP has own SAP Java Virtual Machine (JVM) • Java 6 has Attach API • attaching to another JVM at runtime • intercept and modify calls ERPScan — invest in security to secure investments

  12. SDM Post Exploitation ERPScan — invest in security to secure investments

  13. Post Exploitation ERPScan — invest in security to secure investments

More Related