Heidelberg, Germany – March 19, 2014. After a short break, the ERPScan team once again took part in Troopers, this time as part of the Special Track: SAP Security. Troopers 2010 was the event where ERPScan's path to becoming a globally recognized product began, and ERPScan was the first company to speak about SAP security at a Troopers event.
SAP security has by now become a regular topic for presentations and workshops at infosec events: more than 30 talks on SAP security are delivered every year. It is therefore no surprise to see strong interest in SAP security at Troopers, which takes place in Heidelberg, not far from the SAP AG headquarters in Walldorf. The 2014 edition was no exception. Eight experts from four companies presented current problems in SAP security, and a dedicated SAP security workshop was held before the main conference program. Once again, ERPScan's SAP security researchers gave a presentation on the subject: "Injecting Evil Code in Your SAP J2EE systems – Security of SAP Software Deployment Server".
Why break critical systems themselves when we can attack the core from which all J2EE code spreads into other systems? The core is called the SAP Software Deployment Server and consists of many subsystems, such as SDM, DTR, and CMS. SAP has its own SVN-like subsystem and build service. Who cares about the security of the Deployment Server? That's why it is full of issues, and it is possible to deploy your own code anonymously, without any access to NWDS, using architecture flaws. In the end, your evil code will spread to any system you want, giving you the ability to control every business system. Needless to say, all the tricks described here were executed by Dmitry Chastukhin and his department in a series of pentests.
– Alexander Polyakov, co-founder and CTO of ERPScan
Troopers provides a networking platform for security-interested people from all over the world, and enables security folks from industry, academia, and the research community to exchange knowledge and talk about their work. Since 2007, it has been one of the most significant events in the industry.
The goal is to share in-depth knowledge about the aspects of attacking and defending information technology infrastructure and applications. The featured presentations and demonstrations represent the latest discoveries and developments of the global hacking scene and corporate infosec practitioners and will provide the audience with valuable practical know-how. We want you to progress with your skills. We want you to fully grasp the implications of future developments in an enriching environment of like-minded people. Your understanding is everything you have to face the upcoming and everyday challenges in the field.
– the Troopers Crew.
The full text of the presentation is available via this link.
ERPScan is an award-winning company, honored as the Most Innovative Security Company by the Global Excellence Awards, and the leading SAP AG partner in discovering and resolving security vulnerabilities by number of reported issues. ERPScan conducts research into ERP and business application security, particularly SAP, and develops software for SAP system security monitoring, compliance, and cybercrime prevention. The company also provides consulting services for the secure configuration, development, and implementation of SAP systems, which are used by SAP AG and Fortune 500 companies.
TROOPERS is hosted by ERNW GmbH, an independent information security consultancy and assessment company from Heidelberg, Germany. In past years, speakers from ERNW have been invited all around the world to present their latest IT security research results and to share their knowledge with the global hacking and infosec community. With this global experience in mind, ERNW decided in 2007 to launch an international conference in Germany.