March 19, 2014: Presentation at Troopers14, Heidelberg: “Injecting Evil Code in your SAP J2EE systems – Security of SAP Software Deployment Server” by Alexander Polyakov & Dimitry Chastuhin
Heidelberg, Germany – March 19, 2014 Alexander Polyakov & Dimitry Chastuhin delivered a presentation titled “Injecting Evil Code in your SAP J2EE systems – Security of SAP Software Deployment Server” at Troopers14.
Why break critical systems themselves when we can attack the Deployment Server: the core from which all J2EE code spreads into other systems? The core is called SAP Software Deployment Server and consists of many subsystems such as SDM, DTR, and CMS. They have their own SVN-like subsystem and Build service.
By offering a single point of entry for all Java development tools and an integration point for all SAP infrastructure components, the SAP NWDS supports you in developing Web Dynpro and J2EE applications. Application developers do not need to switch between different development environments and can develop, build, deploy, and execute applications centrally from the Developer Studio.
Who cares about the security of the Deployment Server? That’s why it is full of issues, and architecture flaws make it possible to deploy your own code anonymously without having any access to NWDS. In the end, your evil code will spread to any system you want, giving you the ability to control every business system.
The seventh edition of one of the most significant IT-Security Conferences, where the world’s leading IT-Security experts and hackers present their latest research, took place on March 17th – 21st, 2014 in Heidelberg, Germany.
Troopers provides a networking platform for security-interested people from all over the world and gives experts from the industry, academia and the research community an opportunity to share knowledge and talk about their work. The Troopers event is famous for its focus on high-end workshops with hands-on experience and, most importantly, real answers and practical benefits drawn from up-to-date experience.
Troopers was one of the first global IT events where ERPScan took its first steps toward becoming a worldwide recognised product in 2010. After a small break, the ERPScan team once again participated in Troopers14’s Special Track: SAP Security.