SAP Backdoors: A Ghost at the Heart of Your Business

Black Hat USA 2010

Presented by: Mariano Nuñez Di Croce
Date: Wednesday July 28, 2010
Time: 16:45 - 18:00
Location: Milano 1+2+3+4
Track: Programmatic

In any company, the ERP (Enterprise Resource Planning) is the heart of the business technological platform. These systems handle the key business processes of the organization, such as procurement, invoicing, human resources management, billing, stock management and financial planning. Among all the ERPs, SAP is by far the most widely deployed one, having more than 90.000 customers in more than 120 countries and running in Fortune 100 companies, governmental and defense organizations.

The information stored in these systems is of absolute importance to the company, which unauthorized manipulation would result in big economic losses and loss of reputation.

This talk will present an old concept applied to a new paradigm: SAP Backdoors. We will discuss different novel techniques that can be deployed by malicious intruders in order to create and install backdoors in SAP systems, allowing them to retain access or install malicious components that would result in imperceptible-and-ongoing financial frauds.

After the description of these techniques, we will present the countermeasures that should be applied in order to avoid these attacks and protect the business information, effectively reducing financial fraud risks and enforcing compliance.

Furthermore, we will release a new Onapsis free tool that will help security managers to automatically detect unauthorized modifications to SAP systems.

Is your SAP backdoored? If your answer is "I don’t know," you may consider attending to this talk.

Mariano Nuñez Di Croce

ONAPSIS Mariano Nuñez Di Croce is the Director of Research and Development at ONAPSIS. Mariano has a long experience as a Senior Security Consultant, mainly involved in security assessments and vulnerability research. He has discovered critical vulnerabilities in SAP, Microsoft, Oracle and IBM applications. Mariano leads the SAP Security Team at Onapsis, where he works hardening and assessing the security of critical SAP implementations in world-wide organizations. He is the author and developer of the first open-source SAP Penetration Testing Framework and has discovered more than 40 vulnerabilities in SAP applications. Mariano is also the lead author of the "SAP Security In-Depth" publication. Mariano has been invited to hold presentations and trainings in many international security conferences such as Blackhat USA/EU, DeepSec, Sec-T, Hack.lu, Seacure.it, Ekoparty, CIBSI as well as to host private trainings for Fortune-100 companies and defense contractors. Mariano has a degree in Computer Science Engineering from the UTN.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats