Arch bugs in SAP Software Deployment Manager
Sponsored Links
This presentation is the property of its rightful owner.
1 / 13

Arch bugs in SAP Software Deployment Manager Evgeny Neyolov feat. Dmitry Chastuhin ERP Security Analyst PowerPoint PPT Presentation


  • 90 Views
  • Uploaded on
  • Presentation posted in: General

Arch bugs in SAP Software Deployment Manager Evgeny Neyolov feat. Dmitry Chastuhin ERP Security Analyst. SAP NetWeaver Development Infrastructure. Design Time Repository (DTR) Component Build Service (CBS) Change Management Service (CMS) Software Landscape Directory (SLD) / NS

Download Presentation

Arch bugs in SAP Software Deployment Manager Evgeny Neyolov feat. Dmitry Chastuhin ERP Security Analyst

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Arch bugs in SAP Software Deployment ManagerEvgeny Neyolov feat. Dmitry ChastuhinERP Security Analyst


SAP NetWeaver Development Infrastructure

  • Design Time Repository (DTR)

  • Component Build Service (CBS)

  • Change Management Service (CMS)

  • Software Landscape Directory (SLD) / NS

  • Software Deployment Manager (SDM)

ERPScan — invest in security to secure investments


SAP NetWeaver Development Infrastructure

ERPScan — invest in security to secure investments


SAP NetWeaver Development Infrastructure

ERPScan — invest in security to secure investments


SAP NetWeaver Development Infrastructure

ERPScan — invest in security to secure investments


SAP NetWeaver Development Infrastructure

ERPScan — invest in security to secure investments


SAP NetWeaver Development Infrastructure

ERPScan — invest in security to secure investments


SAP NetWeaver Development Infrastructure

ERPScan — invest in security to secure investments


Software Deployment Manager

  • Single interface for the deployment

  • Deploy apps (*.ear, *.war, *.sda)

  • Implement custom patches

  • only one user at time

  • only hardcoded admin user

ERPScan — invest in security to secure investments


SDM + UME = Love

  • User Management Engine

  • affects almost all SAP-Java-stuff

ERPScan — invest in security to secure investments


SDM Attack Intro

  • thick client Java application (sad story)

  • SAP has own SAP Java Virtual Machine (JVM)

  • Java 6 has Attach API

  • attaching to another JVM at runtime

  • intercept and modify calls

ERPScan — invest in security to secure investments


SDM Post Exploitation

ERPScan — invest in security to secure investments


Post Exploitation

ERPScan — invest in security to secure investments


  • Login