Arch bugs in SAP Software Deployment Manager

Evgeny Neyolov feat. Dmitry Chastuhin, ERP Security Analyst



Presentation Transcript


Arch bugs in SAP Software Deployment Manager
Evgeny Neyolov feat. Dmitry Chastuhin
ERP Security Analyst


SAP NetWeaver Development Infrastructure

  • Design Time Repository (DTR)

  • Component Build Service (CBS)

  • Change Management Service (CMS)

  • Software Landscape Directory (SLD) / NS

  • Software Deployment Manager (SDM)

ERPScan — invest in security to secure investments



Software Deployment Manager

  • Single interface for the deployment

  • Deploy apps (*.ear, *.war, *.sda)

  • Implement custom patches

  • only one user at a time

  • only hardcoded admin user

SDM + UME = Love

  • User Management Engine

  • affects almost all SAP-Java-stuff

SDM Attack Intro

  • thick client Java application (sad story)

  • SAP has own SAP Java Virtual Machine (JVM)

  • Java 6 has Attach API

  • attaching to another JVM at runtime

  • intercept and modify calls

SDM Post Exploitation

Post Exploitation



  • Login