Here are the slides from Hack In The Box (HITB) 2010, held in Kuala-Lumpur, Netherlands, where ERPScan experts spoke about SAP security, particularly weaknesses in client-side SAP applications such as SAPGUI.
Author: Alexander Polyakov
Alexander's talk covered the ways an attacker could gain unauthorized access to corporate SAP servers through SAP Frontend vulnerabilities and misconfigurations, with new examples of attacks.
He also demonstrated that the scenario Stuxnet carried out against SCADA systems is applicable to ERP systems such as SAP, and that it is possible to build a worm which would steal business-critical data.
The new free online service ERPSCAN Online was presented at the conference. It is meant for assessing SAP Frontend security and user awareness, and for decreasing the possibility of an SAP Stuxnet scenario.
Slides: Alexander Polyakov — Attacking SAP Users with sapsploit Extended.pdf (http://erpscan.com/wp-content/uploads/presentations/2010-HITB-AMS-Attacking-SAP-users-with-sapsploit2.pdf)