2nd Rounds of TROOPERS17 Talks!

It is the end of the year and we are hoping it is not too hectic of a time for you all! But if it is, hopefully the announcement of our next round of TROOPERS17 talks is enough to get you in the TROOPERS (if not the holiday) spirit 🙂

Francis Alexander & Bharadwaj Machiraju: How we hacked Distributed Configuration Management Systems

With increase in necessity of distributed applications, coordination and configuration management tools for these classes of applications have popped up. These systems might pop-up occasionally during penetration tests. The major focus of this research was to find ways to abuse these systems as well as use them for getting deeper access to other systems. Continue reading “2nd Rounds of TROOPERS17 Talks!”

Continue reading

Some infos about SAP Security Note 2258786

On the 8th of March SAP released the security note for a vulnerability we reported during an assessment of a SAP landscape. The issue affects the SAP NetWeaver Web Administration Interface.  By knowing a special URL a malicious user can acquire version information about the services enabled in the SAP system as well as the operating system used.  We wanted to share some details on the issue.
Continue reading “Some infos about SAP Security Note 2258786”

Continue reading

SAP Security @ Troopers16

When it comes to SAP, Troopers has two events that are about Security in SAP Systems in particular. On the first day of the Troopers16 Trainings the BIZEC workshop takes place. The second event is a dedicated SAP track during the conference. Apart from these events there were of course a lot of nice folks to talk to (about SAP) 🙂 This post is a short overview about SAP security @ TROOPERS16.

Continue reading “SAP Security @ Troopers16”

Continue reading

Patch Me If You Can

Right after the Opening Keynote of TROOPERS16, an informative and interesting talk took place at the SAP Security track. This talk was given by three speakers; Damian Poddebniak who is currently a master student at the University of Applied Sciences of Münster, Sebastian Schinzel who works as an IT security Professor at the University of Applied Sciences of Münster and he is also the founder of CycleSEC GmbH and finally the sixth-time speaker at Troopers “Andreas Wiegenstein” who is the CTO of Virtual Forge GmbH and a professional SAP security consultant since 2003. Continue reading “Patch Me If You Can”

Continue reading

Check your SAP landscape for default Solution Manager users

This is a guest post from Joris van de Vis @jvis,  on his upcoming Troopers talk. Additional credits go to: Robin Vleeschhouwer, and Fred van de Langenberg.



As presented at Troopers this year, ERP-SEC research has uncovered a set of potential default accounts related to the use of SAP Solution Manager. These default accounts might pose a big risk to your SAP supported business as some of them have wide authorisations. It is therefore important to check if they exist in your landscape and change the default passwords.

Continue reading “Check your SAP landscape for default Solution Manager users”

Continue reading

XSS in SAP Netweaver

We just got credits for a flaw we found in SAP Netweaver. The issue is a reflected Cross-Site Scripting (XSS). It can be triggered in the administrative interface for the Internet Communication Manager (ICM) and Web Dispatcher. This means that the targets for this XSS will definitely be users with administrative privileges. This makes it especially juicy for an attacker. Continue reading “XSS in SAP Netweaver”

Continue reading

Latest SAP threats, SAP Forensics & BIZEC @Troopers!

This is a guest post from Mariano Nunez and Juan Perez-Etchegoyen

Juan Perez-Etchegoyen (@jp_pereze) and Mariano Nunez (@marianonunezdc) from Onapsis here, thrilled to be troopers for the third time! In this post we want to share with you a glimpse of what you will see regarding SAP security at this amazing conference.

Last week we released advisories regarding several vulnerabilities affecting SAP platforms. Some of these vulnerabilities are in fact very critical, and their exploitation could lead to a full-compromise of the entire SAP implementation – even by completely anonymous attackers. Following our responsible disclosure policy, SAP released the relevant SAP Security Notes (patches) for all these vulnerabilities a long time ago, so if you are an SAP customer make sure you have properly implemented them!

Continue reading “Latest SAP threats, SAP Forensics & BIZEC @Troopers!”

Continue reading

ERP Platforms Are Vulnerable

This is a guest post by the SAP security expert Juan Pablo Perez-Etchegoyen, CTO of  Onapsis. Enjoy reading:

At Onapsis we are continuously researching in the ERP security field to identify the risks that ERP systems and business-critical applications are exposed to. This way we help customers and vendors to increase their security posture and mitigate threats that may be affecting their most important platform: the one that stores and manages their business’ crown jewels.

We have been talking about SAP security in many conferences over the last years, not only showing how to detect insecure settings and vulnerabilities but also explaining how to mitigate and solve them.  However, something that is still less known is that since 2009 we have been also doing research over Oracle’s ERP systems (JD Edwards, Siebel, PeopleSoft, E-Business Suite) and reporting vulnerabilities to the vendor. In this post, I’m going to discuss some of the vulnerabilities that we reported, Oracle fixed and released patches in the latest CPU (Critical Patch Update) of January 2012. In this CPU, 8 vulnerabilities reported by Onapsis affecting JD Edwards were fixed.

What’s really important about these vulnerabilities is that most of them are highly critical, enabling a remote unauthenticated attacker to fully compromise the ERP server just having network access to it.  I’m going to analyze some these vulnerabilities to shed some light on the real status of JD Edwards’ security. Most of these vulnerabilities are exploitable through the JDENET service, which is a proprietary protocol used by JDE for connecting the different servers.

Let’s take a look at the most interesting issues:

ONAPSIS-2012-001: Oracle JD Edwards JDENET Arbitrary File Write

Sending a specific packet in the JDENET message, an attacker can basically instruct the server to write an arbitrary content in an arbitrary location, leading to an arbitrary file write condition.

ONAPSIS-2012-002: Oracle JD Edwards Security Kernel Remote Password Disclosure

Sending a packet containing key hard-coded in the kernel, an attacker can “ask for” a user’s password (!)

ONAPSIS-2012-003: Oracle JD Edwards SawKernel Arbitrary File Read

An attacker can read any file, by connecting to the JDENET service.

ONAPSIS-2012-007: Oracle JD Edwards SawKernel SET_INI Configuration Modification Modifications to the server configuration (JDE.INI) can be performed remotely and without authentication. Several attacks are possible abusing this vulnerability.

ONAPSIS-2012-006: Oracle JD Edwards JDENET Large Packets Denial of Service

If an attacker sends packets larger than a specific size, then the server’s CPU start processing at 100% of its capacity. Game over.

As a “bonus” to this guest blog post, I would like to analyze a vulnerability related to the set of  security advisories we released back on April 2011 (many of them also critical). This vulnerability is the ONAPSIS-2011-07.

The exploitation of this weakness is very straight-forward, as the only thing an attacker needs to do is to send a packet to the JDENET command service (typically UDP port 6015) with the message “SHUTDOWN”, and all JD Edwards services are powered off! Business impact? None of the hundreds/thousands of the company’s employees that need the ERP system to do their every-day work will be able to do their job.

Some people still talk about ERP security as a synonym of Segregation of Duties controls. This is just an example of a high-impact Denial of Service attack that can be performed against the technical components of these systems. No user or password. No roles or authorizations.

Even worse, as UDP connections are stateless, it’s trivial for the attacker to forge its source and exploit the vulnerability potentially bypassing firewall filters.

Hope you enjoyed our post and I’d like to thank Enno, Florian and the great ERNW team for their kind invitation.

You can get more information about our work at

BTW: Meet Mariano Nuñez Di Croce, CEO of Onapsis at TROOPERS12 in about ten days! He will give a talk and also host a dedicated workshop on SAP security.

Continue reading