Attacking the Giants: Exploiting SAP Internals - Cybsec

More documents

Recommendations

Info

Attacking the Giants: Exploiting SAP Internals Advanced Attacks © 2007 Attacking the R/3 with a Registered Server (cont.) RESPONSE ID=REG1 RCF Call SAP GW SAP R/3 ID=REG1 Poisoned RCF Callback - Yes, Here Again, But now, we again the are when same the again, a same RFC malicious blocking call scenario: is client/server received, valid the connections valid we connects client, perform to a with the valid the External SAP callback… innocent R/3 server, RFC External Server, and RCF register the Server. SAP R/3 itself Server with and the the ID of SAP the Gateway -original SAP R/3 external Application server. Server OWNED!! External RFC Malicius Server 42
Attacking the Giants: Exploiting SAP Internals © 2007 Conclusions & Comments • The RFC Interface is a wide door into SAP Systems. It has to be locked! • SAP has responded quickly and provided solutions with SAP notes 1003908, 1003910, 1004084, and 1005397. • SAP Administrators must apply patches. • SNC prevents credential and information sniffing. It is included in SAP systems and must be activated. • Network must be properly segmented. • Attacks and caveats described can be avoided with proper configuration + patches (don’ t forget to use sec_info and reg_info!!) 43
Page 1 and 2: Attacking the Giants: Exploiting SA
Page 41: Attacking the Giants: Exploiting SA
Page 45: Attacking the Giants: Exploiting SA

Attacking the Giants: Exploiting SAP Internals - Cybsec

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?