A Crushing Blow At The Heart of SAP J2EE Engine

Black Hat USA 2011

Presented by: Alexander Polyakov
Date: Thursday August 04, 2011
Time: 15:15 - 16:30
Location: Augustus III + IV
Track: Enterprise Concerns

Nowadays the SAP NetWeaver platform is the most widespread platform for developing enterprise business applications. It is becoming a popular security topic, but it is still not well covered.

This talk will focus on one of the black holes: the SAP J2EE engine. Some of the critical SAP products, such as SAP Portal, SAP Mobile, SAP XI and many other applications, are built on the J2EE engine, which, unlike the ABAP engine, is rarely discussed but is just as critical.

I will explain the architecture of SAP's J2EE engine and give a complete tour of its internals. After that I will show a number of previously unknown architectural and program vulnerabilities in the J2EE platform, ranging from authentication bypasses, SMB relays, internal scans and XML/SOAP attacks to insecure encryption algorithms and cross-system vulnerabilities.

Finally, a chained attack will be presented which uses multiple logic vulnerabilities and gives full control of any version of SAP's J2EE Engine on any platform. A free tool will be presented that automatically scans custom applications for this attack.

Alexander Polyakov

Alexander Polyakov, aka @sh2kerr, is CTO at ERPSCAN, head of DSecRG and architect of the ERPSCAN Security Scanner for SAP. His expertise covers the security of enterprise business-critical software such as ERP, CRM, SRM, RDBMS, banking and processing software. He is the manager of OWASP-EAS (an OWASP subproject) and a well-known security expert on enterprise applications from vendors such as SAP and Oracle, who has published a significant number of the vulnerabilities found in these vendors' applications. He is the author of multiple whitepapers devoted to information security research and of the book "Oracle Security from the Eye of the Auditor: Attack and Defense" (in Russian). He is also one of the contributors to the Oracle with Metasploit project. Alexander has spoken at international conferences such as BlackHat, HITB (EU/ASIA), Source, DeepSec, CONFidence and Troopers.
