This is a short summary of the presentations in the SAP security track at Troopers 2018. Troopers is the yearly security conference in Heidelberg (Hackers' sanctuary?) that brings together a great group of people from all over Europe and the world. It is known for its unique dedicated SAP track. For many years I have been involved in the main conference as a speaker in the SAP track and as part of the Bizec SAP security workshop. This writeup is only about the main conference SAP track.
Yvan Genuer kicked off with his presentation of his research on the SAP Internet Graphics Server. He explained very well the steps he took to completely tear this component apart, from XSS and file overwrite vulnerabilities to XML XXE. Nice work! Too bad he could not disclose all his research, as parts are still being patched by SAP, but it is still really nice research into this previously little-known component. See SAP security note 2525222 for the details and solution. Great work Yvan, Merci!
A Wireshark plugin has been released by Martin Gallo from CoreSecurity to be able to decode these protocols, and PySAP (also built and maintained by Martin) will be extended with Yvan's research too at a later stage.
SAP BUGS: The Phantom Security – Vahagn Vardanyan and Vladimir Egorov from ERPSCAN
Next were the guys from ERPSCAN, who showed multiple vulnerabilities in SAP Java, the Redwood add-on and SAP CRM. As always these guys find great ways to compromise SAP systems. Some special love for their Star Wars theme all over the slides! SAP Security notes 2547431 and 2486657 provide fixes.
Martin shed some light on the inner workings of how sensitive data like certificates, private keys, etc. is stored in SAP systems. He zoomed in specifically on filesystem storage of these crypto secrets in the EPS files and on different post-exploitation scenarios in which an attacker with access to these files can make them reveal their secrets.
I forgot Your password: Pwning modern password recovery systems through JSON injections – Nahuel D. Sánchez and Martin Doyhenard
The guys from Onapsis showed some really nice research on password recovery mechanisms in general and, more specifically, in the world of SAP. Their presentation included a nice example of design flaws and vulnerabilities in the Self Service password service that customers can enable in their SAP Hana system. A great example that shows that even the latest and greatest products of SAP are not immune to these kinds of vulnerabilities!
<Sorry no picture Fred>
Fred showed in his talk several examples of errors you can make when programming in different languages on the SAP Hana platform. And we are not speaking about regular errors one can make, but about errors that have security implications. Great examples, especially for those in development!
In my own slot I presented the importance of applying SAP patches (security notes) and showed some demos where just one missing note could have your SAP systems completely compromised. Many SAP customers do not patch their systems frequently enough, for all kinds of reasons. I showed the struggles Basis teams have in implementing these patches, as this is a completely manual process. As a solution to this I showed a way to automate this unpleasant, repetitive manual work, which will make the life of your SAP Basis team much easier and save a lot of time and money.
It was a pleasure as always to be at Troopers, to participate in the Bizec workshop and to present at the main conference. The people you meet, some new and old friends, the quality of the talks, the great place that the Hacker Sanctuary in Heidelberg is, the Troopers run and the other events; it all adds up to the fact that Troopers is for sure one of the greatest conferences in Europe I’ve been to. On to Troopers#19!