Arch bugs in SAP Software Deployment Manager
Download
1 / 13

Arch bugs in SAP Software Deployment Manager Evgeny Neyolov feat. Dmitry Chastuhin ERP Security Analyst - PowerPoint PPT Presentation


  • 129 Views
  • Uploaded on

Arch bugs in SAP Software Deployment Manager Evgeny Neyolov feat. Dmitry Chastuhin ERP Security Analyst. SAP NetWeaver Development Infrastructure. Design Time Repository (DTR) Component Build Service (CBS) Change Management Service (CMS) Software Landscape Directory (SLD) / NS

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Arch bugs in SAP Software Deployment Manager Evgeny Neyolov feat. Dmitry Chastuhin ERP Security Analyst' - neola


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Arch bugs in SAP Software Deployment ManagerEvgeny Neyolov feat. Dmitry ChastuhinERP Security Analyst


Sap netweaver development infrastructure
SAP NetWeaver Development Infrastructure

  • Design Time Repository (DTR)

  • Component Build Service (CBS)

  • Change Management Service (CMS)

  • Software Landscape Directory (SLD) / NS

  • Software Deployment Manager (SDM)

ERPScan — invest in security to secure investments


Sap netweaver development infrastructure1
SAP NetWeaver Development Infrastructure

ERPScan — invest in security to secure investments


Sap netweaver development infrastructure2
SAP NetWeaver Development Infrastructure

ERPScan — invest in security to secure investments


Sap netweaver development infrastructure3
SAP NetWeaver Development Infrastructure

ERPScan — invest in security to secure investments


Sap netweaver development infrastructure4
SAP NetWeaver Development Infrastructure

ERPScan — invest in security to secure investments


Sap netweaver development infrastructure5
SAP NetWeaver Development Infrastructure

ERPScan — invest in security to secure investments


Sap netweaver development infrastructure6
SAP NetWeaver Development Infrastructure

ERPScan — invest in security to secure investments


Software deployment manager
Software Deployment Manager

  • Single interface for the deployment

  • Deploy apps (*.ear, *.war, *.sda)

  • Implement custom patches

  • only one user at time

  • only hardcoded admin user

ERPScan — invest in security to secure investments


Sdm ume love
SDM + UME = Love

  • User Management Engine

  • affects almost all SAP-Java-stuff

ERPScan — invest in security to secure investments


Sdm attack intro
SDM Attack Intro

  • thick client Java application (sad story)

  • SAP has own SAP Java Virtual Machine (JVM)

  • Java 6 has Attach API

  • attaching to another JVM at runtime

  • intercept and modify calls

ERPScan — invest in security to secure investments


Sdm post exploitation
SDM Post Exploitation

ERPScan — invest in security to secure investments


Post exploitation
Post Exploitation

ERPScan — invest in security to secure investments


ad