“SAPocalypse now. Crushing SAP J2EE Engine” from HITBKUL 2011

“Many SAP clients still don’t understand that even if one technical vulnerability which is overlooked or unpatched, it can have dire impact to their company,” Polyakov said. There are more than 1500 SAP Security notes released to-date detailing vulnerabilities in SAP products. The worm, when released, is able to detect vulnerable SAP servers and then exploits them using a vulnerability in the J2EE engine. It then uploads a payload into the server via the internet.

As the server is usually connected using trusted links to other servers hosted internally, the worm’s payload can obtain credentials for trusted connections and connects itself to the internal linked servers to download critical information including financial information, human resources and material management, inventory and other such data. It can also harness information about linked connections from the internal server and spread this to other servers. And if there are no linked connections, the worm uses default usernames and passwords in its attempt to connect to other systems.

“Once lodged into the server, the worm is hard to detect and can sit idle for years even if the vulnerability is patched. All the attacker needs to do is send a command to all servers for getting any kind of critical corporate data he needs, whenever he needs it. The hacker can also overwrite bank account numbers and manipulate money transfers,”

SAPocalypse Now. Crushing SAP’s J2EE Engine – HITBKUL2011