Uncovering SAP vulnerabilities: reversing and breaking the Diag protocol

Monday, July 30, 2012
Martin Gallo
Conference / Publication: 
Defcon 20 Conference

Nowadays, SAP Netweaver has become the most extensive platform for building enterprise applications and run critical business processes. In recent years it has become a hot topic in information security. Although, while fixes and countermeasures are released monthly by SAP at an incredibly rate, the available security knowledge is limited and some components are still not well covered.

SAP Diag is the application-level protocol used for communications between SAP GUI and SAP Netweaver Application Servers and it's a core part of any ABAP-based SAP Netwever installation. Therefore, if an attacker is able to compromise this component, this would result in a total takeover of a SAP system. In recent years, the Diag protocol has received some attention from the security community and several tools were released focused on decompression and sniffing. Nevertheless, protocol specification is not public and internal components and inner-workings remains unknown; the protocol was not understood and there is no publicly available tool for active exploitation of real attack vectors.

This talk is about taking SAP penetration testing out of the shadows and shedding some light into SAP Diag, by introducing a novel way to uncover vulnerabilities in SAP software through a set of tools that allows analysis and manipulation of the SAP Diag protocol. In addition, we will show how these tools and the acquired knowledge while researching the protocol can be used for vulnerability research, fuzzing and practical exploitation of novel attack vectors involving both SAP's client and server applications: man-in-the-middle attacks, RFC calls injection, rogue SAP servers deployment, SAP GUI client-side attacks and more. As a final note, this presentation will also show how to harden your SAP installations and mitigate these threats.