Budapest, Hungary - October 11-12, 2013. Dmitry Chastuchin, Director of SAP Pentesting at ERPScan, delivered a presentation titled "Injecting evil code in your SAP J2EE systems: Security of SAP Software Deployment Server" at the Hacktivity conference.
ERPScan researchers have helped SAP significantly increase the security of the SDM (Software Deployment Manager) tool. In the course of in-depth research, the ERPScan team reviewed SDM for program vulnerabilities and architecture issues, including its authentication process.
SDM is a part of the SAP NetWeaver J2EE Engine and facilitates uploading new custom-developed software to the J2EE Engine. The security model of this tool was strengthened by patching software issues as well as architecture problems affecting client-server interaction. The solution was reviewed thoroughly by the SAP Product Security Response Team in collaboration with ERPScan. SAP released the security advisory and patch for those vulnerabilities early in October 2012. This patch must be installed on both the server and the client side of SDM to work properly. We waited one year to keep customers secure and give them time to close those issues, and have now presented the research in public.
Here is a detailed description of the research:
Why break critical systems themselves when we can attack the Deployment Server: the core from which all J2EE code spreads into other systems? The core is called SAP Software Deployment Server and consists of many subsystems such as SDM, DTC, CBS, and CMS. They have their own SVN-like subsystem and Build service.
"By offering a single point of entry for all Java development tools and an integration point for all SAP infrastructure components, the SAP NWDS supports you in developing Web Dynpro and J2EE applications. Application developers do not need to switch between different development environments and can develop, build, deploy, and execute applications centrally from the Developer Studio." Isn't it a perfect victim for an attack? Who cares about the security of the Deployment Server? That's why it is full of issues, and architecture flaws make it possible to deploy your own code anonymously without having any access to NWDS. In the end, your evil code will spread to any system you want, giving you the ability to control every business system.
We want to draw customers' attention to this research and recommend that all SAP users install the patch if they have not already done so, because it closes 6 different issues ranging from Denial of Service to Authentication Bypass.