SAP, dos, dos, race conditions => rce. Dmitry Chastuhin, Dmitry Yudin
1 SAP, dos, dos, race conditions => rce. Dmitry Chastuhin, Dmitry Yudin
2 About us
- Yet another security researcher
- Business application security expert
- ERPScan
- I know how to use translators
3 About us
- Reverse engineer
- Security researcher
- ERPScan
4 About ERPScan
- The only 360-degree SAP security solution: ERPScan Security Monitoring Suite for SAP
- Leader by the number of vulnerabilities in SAP and Oracle (500+)
- 100+ presentations at key security conferences worldwide
- 30+ awards and nominations
- Research team: 20 experts with experience in different areas of security
- Headquarters Amsterdam (EU), offices in USA, Australia, Denmark
5 About what?
- No blah-blah-blah about how important it is to spend time and money on SAP security (critically important)
- No blah-blah-blah about best practices
- No Junk Hacking
- Just a little story of how we got yet another RCE in SAP
6 SAP
7 Target
- SAP and WEB? XSS, CSRF, double blind self clickjacking, whatever
- SAP and ABAP/JAVA? RFC, servlets, ABAP code, transactions
- SAP and additional services? Log Viewer, SDM, notepad, archives
- Try to apply some reverse engineering to the core binary file
8 DISP+WORK.EXE: dw - disp+work - Dispatcher & Workprocess - "The complete Kernel" - Here the complete ABAP is processed...
9 DISP+WORK.EXE
- Binary has a considerable size: 51 M
10 DISP+WORK.EXE
- Binary has a considerable size: 51 M
- Ida db size: 133 M
11 DISP+WORK.EXE
- Binary has a considerable size: 51 M
- Ida db size: 133 M
- Network communication is difficult to debug
12 DISP+WORK.EXE
- Difficulties with debugging network communication
- Even a child can process the request: difficult to guess the PID of the process
13 DISP+WORK.EXE
15 Instance profile cfg
    rdisp/trace = 2
    rdisp/trace_resolution = 2
    rdisp/trace_logging = on
    rdisp/trace_hide_sec_data = off
    rdisp/trace_comps = 2
    enque/trace = 2
    alert/trace = 2
    service/trace = 2
    rdisp/configurable_wp_no = 0
    rdisp/wp_max_no = 0
    rdisp/wp_no_dia = 1
    rdisp/wp_no_btc = 0
    rdisp/wp_no_vb = 0
    rdisp/wp_no_vb2 = 0
    rdisp/wp_no_spo = 0
16 Instance profile cfg
    rdisp/trace = 2
    rdisp/trace_resolution = 2
    rdisp/trace_logging = on
    rdisp/trace_hide_sec_data = off
    rdisp/trace_comps = 2
    enque/trace = 2
    alert/trace = 2
    service/trace = 2
    rdisp/configurable_wp_no = 0
    rdisp/wp_max_no = 0
    rdisp/wp_no_dia = 1
    rdisp/wp_no_btc = 0
    rdisp/wp_no_vb = 0
    rdisp/wp_no_vb2 = 0
    rdisp/wp_no_spo = 0
- Number of configurable work processes
18 Actually it can be processed by one worker.
19 By only one worker. But
20 DISP+WORK.EXE: Where is jstart???
21 Before
22 After: Yoo-hoo, JSTART?!??
23 DISP+WORK.EXE: JSTART
24 Reverse engineering of DISP+WORK.EXE: GOAL
25 Reverse engineering of DISP+WORK.EXE. But
- It's too difficult
- It's too big
- I'm too lazy
- RCE takes too much time
26 Reverse engineering of DISP+WORK.EXE. But
- It's too difficult
- It's too big
- I'm too lazy
- RCE takes too much time (maybe)
27 SEEK AND DESTROY: How about some new targets?
28 SEEK AND DESTROY
- Disp+work: here the complete ABAP is processed
- Gwrd: SAP gateway
- Icman (icm): SAP Web Application Server
- Jstart: SAP AS Java Instance
- Sapstart: SAP starter
- Igswd_mt: SAP IGS (Internet Graphics Service)
- Igsmux_mt: SAP IGS
- Igspw_mt: SAP IGS
30 SAPSTARTSRV: HOW ABOUT SAPSTARTSRV
31 SAPSTARTSRV: SAP Management Console
32 SAPSTARTSRV
- 15M
- LISTEN tcp :5NN13
- SOAP
- SAPControl:OSExecute
- But we need authentication
33 Reverse engineering of SAPSTARTSRV
- IsTrustedInternalConnect()
- JsfOpenShm()
- JsfCheckShmKeyString()
- JsfCloseShm()
34 Reverse engineering of SAPSTARTSRV: IsTrustedInternalConnect()
- Hardcoded user names
- {2D4A6FB8-37F1-43d7-88BE-AD279C89DCD7}: User name for requests with temporary local logon tickets.
- {221BA44F-F88E-4166-BB2B-E B86A}: UNDOCUMENTED HARDCODED USER NAME
35 Reverse engineering of SAPSTARTSRV: IsTrustedInternalConnect()
- How about a hardcoded password?
37 SHM
- IsTrustedInternalConnect()
- JsfOpenShm()
- JsfCheckShmKeyString()
- JsfCloseShm()
39 SHM: What is SHM?
40 Shared memory: SHM - Shared Memory is an efficient means of passing data between programs. One program will create a memory portion which other processes (if permitted) can access.
41 Shared memory
- IsTrustedInternalConnect()
- JsfOpenShm()
- JsfCheckShmKeyString()
- JsfCloseShm()
42 Shared memory
- IsTrustedInternalConnect()
- JsfOpenShm() - ok
- JsfCheckShmKeyString()
- JsfCloseShm()
43 Shared memory
- IsTrustedInternalConnect()
- JsfOpenShm() - ok
- JsfCheckShmKeyString()
- JsfCloseShm() - ok
44 Shared memory
- IsTrustedInternalConnect()
- JsfOpenShm() - ok
- JsfCheckShmKeyString() - ???
- JsfCloseShm() - ok
45 Shared memory: JsfCheckShmKeyString()
- What is this key?
- Is this key static?
- Can we guess this key (if not static)?
- Can we brute-force this key?
46 Shared memory: JsfCheckShmKeyString()
- What is this key? Password for authentication on SAPSTARTSRV
- Is this key static?
- Can we guess this key (if not static)?
- Can we brute-force this key?
47 Shared memory: JsfCheckShmKeyString()
- Is this key static? No
  Rng_PseudoRandomInit, Rng_PseudoRandom, Rng_CompleteUpdate
  Key len 36 bytes
- Can we guess this key (if not static)?
- Can we brute-force this key?
48 Shared memory: JsfCheckShmKeyString()
- Is this key static? No
  Rng_PseudoRandomInit, Rng_PseudoRandom, Rng_CompleteUpdate
  Key len 36 bytes
- Can we guess this key (if not static)? - No
- Can we brute-force this key?
49 Shared memory: JsfCheckShmKeyString()
- Is this key static? No
  Rng_PseudoRandomInit, Rng_PseudoRandom, Rng_CompleteUpdate
  Key len 36 bytes
- Can we guess this key (if not static)? - No
- Can we brute-force this key? - No
50 Shared memory: JsfCheckShmKeyString()
51 ShmKey: BUT
52 ShmKey
53 ShmKey: if we try to debug a little
54 authbypassosexec_poc.py
55 DEMO 1
56 ShmKey: Random ShmKeyString is xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaax
59 Random ShmKey: AWESOME
60 ShmKey: Why? xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaax
61 JsfCheckShmKeyString()
- Read raw (binary) key from shm memory
- Convert key to readable format
- Add x to the end and x to the beginning of the key (why?)
- Check key against user input
- Return result
62 SHM
63 In our case xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaax is a printable representation of the raw key. Hex dump:
65 In our case xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaax is a printable representation of the raw key. Hex dump: Some shared memory problems?
66 Random ShmKey: Do you remember
67 Random ShmKey: Do you remember
- profile cfg
68 Random ShmKey: Do you remember
- profile cfg
- jstart that never started
69 Instance profile cfg
    rdisp/trace = 1337
    rdisp/trace_resolution = 1337
    rdisp/trace_logging = on
    rdisp/trace_hide_sec_data = off
    rdisp/trace_comps = 7
    enque/trace = 7
    alert/trace = 7
    service/trace = 7
    rdisp/configurable_wp_no = 0
    rdisp/wp_max_no = 0
    rdisp/wp_no_dia = 1
    rdisp/wp_no_btc = 0
    rdisp/wp_no_vb = 0
    rdisp/wp_no_vb2 = 0
    rdisp/wp_no_spo = 0
70 Instance profile cfg
    #rdisp/trace = 1337
    #rdisp/trace_resolution = 1337
    #rdisp/trace_logging = on
    #rdisp/trace_hide_sec_data = off
    #rdisp/trace_comps = 7
    #enque/trace = 7
    #alert/trace = 7
    #service/trace = 7
    #rdisp/configurable_wp_no = 0
    #rdisp/wp_max_no = 0
    #rdisp/wp_no_dia = 1
    #rdisp/wp_no_btc = 0
    #rdisp/wp_no_vb = 0
    #rdisp/wp_no_vb2 = 0
    #rdisp/wp_no_spo = 0
71 Instance profile cfg
    #rdisp/trace = 1337
    #rdisp/trace_resolution = 1337
    #rdisp/trace_logging = on
    #rdisp/trace_hide_sec_data = off
    #rdisp/trace_comps = 7
    #enque/trace = 7
    #alert/trace = 7
    #service/trace = 7
    #rdisp/configurable_wp_no = 0
    #rdisp/wp_max_no = 0
    #rdisp/wp_no_dia = 1
    #rdisp/wp_no_btc = 0
    #rdisp/wp_no_vb = 0
    #rdisp/wp_no_vb2 = 0
    #rdisp/wp_no_spo = 0
+ RESTART WHOLE SYSTEM (OS)
72 Random ShmKey: After restart
73 Random ShmKey: After restart
- Jstart started
74 Random ShmKey: After restart
- Jstart started
- Random ShmKeyString indeed random
75 Random ShmKey: After restart
- Jstart started
- Random ShmKeyString indeed random
- This key is NOT working: xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaax
76 Random ShmKey
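A defender-side check for the debug profile shown on slides 69-71, as an added example that is not part of the original talk: it parses an instance profile and reports which of those trace and work-process settings are still active. The trace threshold, the lower-casing of parameter names and the rule that the last assignment wins are assumptions of this example, and the slides do not say which parameter led to the non-random ShmKey.

```python
import re

# Parameter names are the ones on the "Instance profile cfg" slides.
TRACE_LEVEL_PARAMS = (
    "rdisp/trace", "rdisp/trace_resolution", "rdisp/trace_comps",
    "enque/trace", "alert/trace", "service/trace",
)
OTHER_WP_PARAMS = (
    "rdisp/wp_no_btc", "rdisp/wp_no_vb", "rdisp/wp_no_vb2", "rdisp/wp_no_spo",
)
MAX_TRACE_LEVEL = 1  # assumption: any explicit level above 1 is debug tracing

_ASSIGNMENT = re.compile(r"^([A-Za-z0-9_/.\-]+)\s*=\s*(.*)$")


def parse_profile(text):
    """Return {param: (value, line_no)} for active (uncommented) assignments.

    Names are lower-cased and a later assignment replaces an earlier one;
    both are assumptions of this example.
    """
    params = {}
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out setting, as on slide 70
        match = _ASSIGNMENT.match(line)
        if match:
            params[match.group(1).lower()] = (match.group(2).strip(), line_no)
    return params


def audit_profile(text):
    """Return sorted (line_no, param, value, reason) findings."""
    params = parse_profile(text)
    findings = []

    # Raised trace levels (the slides use 2, 7 and 1337).
    for name in TRACE_LEVEL_PARAMS:
        if name in params:
            value, line_no = params[name]
            if value.isdigit() and int(value) > MAX_TRACE_LEVEL:
                findings.append((line_no, name, value, "trace level raised"))

    # Security-relevant data no longer hidden in trace files.
    entry = params.get("rdisp/trace_hide_sec_data")
    if entry and entry[0].lower() == "off":
        findings.append((entry[1], "rdisp/trace_hide_sec_data", entry[0],
                         "security data not hidden in traces"))

    # Instance cut down to a single dialog work process, as on the slides.
    dia = params.get("rdisp/wp_no_dia")
    others_zero = all(params.get(n, ("", 0))[0] == "0" for n in OTHER_WP_PARAMS)
    if dia and dia[0] == "1" and others_zero:
        findings.append((dia[1], "rdisp/wp_no_dia", dia[0],
                         "only one dialog work process configured"))

    return sorted(findings)


# Sample input constructed from the values on slide 69.
SLIDE_69_PROFILE = """\
rdisp/trace = 1337
rdisp/trace_resolution = 1337
rdisp/trace_logging = on
rdisp/trace_hide_sec_data = off
rdisp/trace_comps = 7
enque/trace = 7
alert/trace = 7
service/trace = 7
rdisp/configurable_wp_no = 0
rdisp/wp_max_no = 0
rdisp/wp_no_dia = 1
rdisp/wp_no_btc = 0
rdisp/wp_no_vb = 0
rdisp/wp_no_vb2 = 0
rdisp/wp_no_spo = 0
"""

# Slide 70: the same profile with every line commented out.
SLIDE_70_PROFILE = "\n".join("#" + l for l in SLIDE_69_PROFILE.splitlines())

if __name__ == "__main__":
    for finding in audit_profile(SLIDE_69_PROFILE):
        print("line %d: %s = %s (%s)" % finding)
```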
77 HOW TO CONVERT THIS BUG TO REMOTE RCE WITHOUT LOCAL PF MODIFICATION?
78 HOW ABOUT JSTART
80 HOW ABOUT JSTART. Plan A:
- Run authbypassosexec_poc.py (with magic key)
81 HOW ABOUT JSTART. Plan A:
- Run authbypassosexec_poc.py (with magic key)
- try to kill jstart
82 HOW ABOUT JSTART. Plan A:
- Run authbypassosexec_poc.py (with magic key)
- try to kill jstart (now only local)
83 HOW ABOUT JSTART. Plan A:
- Run authbypassosexec_poc.py (with magic key)
- try to kill jstart (now only local)
    $ killall -r jstart -9
84 AND
86 PLAN B: Ok, time for plan B
87 PLAN B
88 PLAN B: ICMAN
89 PLAN B
90 PLAN B: Q: How do you think it killed both jstart and icman at the same time?
91 PLAN B: A:
92 PLAN B
93 PLAN B: ICMAN
    $ authbypassosexec_poc.py
    $ killall -r icman -r jstart -9
94 DEMO 2
95 REMOTE RCE PLAN
- Run authbypassosexec_poc.py (with a magic key)
96 REMOTE RCE PLAN
- Run authbypassosexec_poc.py (with magic key)
- Find remote DoS for jstart
97 REMOTE RCE PLAN
- Run authbypassosexec_poc.py (with magic key)
- Find remote DoS for jstart
- Find remote DoS for icman
98 JSTART: Application server for Java
99 JSTART: DoS after 3 days
100 JSTART DoS
- DoS after 3 days
- Possible race condition
101 JSTART DoS
- DoS after 3 days
- Possible race condition
- Jstart restarts after a crash
102 JSTART DoS
- DoS after 3 days
- Possible race condition
- Jstart restarts after a crash
- EASY TARGET ^_^
103 JSTART DoS: Multiple requests: "\x00\x00\x00\x1cni_rterr\x00y\x04\x00\x00asd\x00\x00\x00\x04daaaaaaa
104 ICM
107 ICM: ICM in the SAP NetWeaver Application Server. The ICM is a component of the SAP NetWeaver Application Server. It is implemented as a separate process, which is started and monitored by the ABAP dispatcher. One of the core components of SAP
108 ICM
- Binary name: icman.exe
- Size: 5.7M
- IDA db: ~ 100M
- One of the core components of SAP => thoroughly audited
109 ICM: ICM (icman) cve details
110 ICM: ICM (icman) cve details
- Last DoS found in
111 ICM: ICM (icman) cve details
- Last DoS found in 2014 via unknown vectors
112 ICM DoS
- DoS after
- Not so easy
113 ICM DoS: After
114 ICM DoS: 35 days
115 ICM DoS: 35 days + some weekends
116 ICM DoS
- Multiple requests: 'get / HTTP/1.0\r\nhost:\r\ncookie: ;\x0c%s\r\n\r\n' % ("\x0c" * 0x1b58)
- icman restarts after a crash
117 PROBLEMS
- Race conditions
- If we kill jstart before icman => NO RCE
- Small gap for a magic key between jstart and icman start
118 Video 3 - RCE
119 Solutions
- ICM DoS: SAP note (Dmitry Yudin)
- Jstart DoS: SAP note (Dmitry Yudin)
- MC auth bypass: SAP note (Dmitry Chastuhin, Dmitry Yudin)
120 Conclusion
- Don't give up. If you can't exploit a vulnerability using one issue, try to find another way to trigger it
- Holistic approach + correlation (code, SOD, vulnerabilities)
- Probably a lot of vulnerabilities still exist at the binary level of different SAP services
- Have fun!
121 228 Hamilton Avenue, Fl. 3, Palo Alto, CA USA Luna ArenA 238 Herikerbergweg, 1101 CM Amsterdam EU HQ
More informationADM800 AS Java 7.3 Administration
AS Java 7.3 Administration SAP NetWeaver Course Version: 99 Course Duration: 5 Day(s) Publication Date: 07-05-2013 Publication Time: 1141 Copyright Copyright SAP AG. All rights reserved. No part of this
More informationSAP Trial Version for Special Use: Adding Dialog Instance to SAP Trial Version
SAP Trial Version for Special Use: Adding Dialog Instance to SAP Trial Version Applies to: SAP NetWeaver 7.0. For more information, visit the ABAP homepage. Summary This document describes how to use SAP
More informationHoly crap I need to pentest SAP from
Hoy crap I need to pentest SAP from Citrix @_Sn0rkY Joffrey.czarny@airbus.com Whoami Joffrey CZARNY Security researcher at Airbus Group Innovations aka @_Sn0rkY Pentester since 2001 Ambassador of Happiness
More informationCisco TEO Adapter Guide for SAP ABAP
Release 2.3 April 2012 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 Text Part
More informationALE Introduction and Administration
ALE Introduction and Administration HELP.BCMIDALEIO Release 4.6C SAP AG Copyright Copyright 2001 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or
More informationOpenDrive Wordpress Plugin Guide
OpenDrive Wordpress Plugin Guide Version 2.0.1 OpenDrive Online storage, backup and cloud content management Contents 1. Drive 3 1.1 Drive... 3 1.2 Working with files... 4 1.2.1 Work with a particular
More informationjk0-022 Exam Questions Demo CompTIA Exam Questions jk0-022
CompTIA Exam Questions jk0-022 CompTIA Academic/E2C Security+ Certification Exam Voucher Only Version:Demo 1.An attacker used an undocumented and unknown application exploit to gain access to a file server.
More informationUser and Installation Guide
The Logic IO RTCU Gateway Professional Version 1.28 User and Installation Guide Table of Contents Table of Contents... 2 Introduction... 3 Contents of package... 4 System requirements... 4 Time Service...
More informationHolistic Database Security
Holistic Database Security 1 Important Terms Exploit: Take advantage of a flaw or feature Attack Surface: Any node on the network that can be attacked. That can be the UI, People, anything that touches
More informationSecuring Apache Tomcat. AppSec DC November The OWASP Foundation
Securing Apache Tomcat AppSec DC November 2009 Mark Thomas Senior Software Engineer & Consultant SpringSource mark.thomas@springsource.com +44 (0) 2380 111500 Copyright The Foundation Permission is granted
More informationOne Click Ownage, Adventures of a lazy pen tester... Ferruh Mavituna Mavituna Security Ltd. AppSec DC The OWASP Foundation
One Click Ownage, Adventures of a lazy pen tester... Ferruh Mavituna Lead developer of netsparker AppSec DC Mavituna Security Ltd. ferruh@mavitunasecurity.com The Foundation http://www.owasp.org 2 Who
More informationDeploying Citrix Access Gateway VPX with Web Interface 5.4
Deploying Citrix Access Gateway VPX with Web Interface 5.4 Ben Piper President Ben Piper Consulting, LLC Copyright 2012 Ben Piper. All rights reserved. Page 1 Introduction Deploying Citrix Access Gateway
More informationSAP Portal: Hacking and forensics Dmitry Chastukhin Director of SAP pentest/research team Evgeny Neyolov Security analyst, (anti)forensics research
Invest in security to secure investments SAP Portal: Hacking and forensics Dmitry Chastukhin Director of SAP pentest/research team Evgeny Neyolov Security analyst, (anti)forensics research ERPScan Developing
More informationTable of Contents 1.1. Introduction. Overview of vsphere Integrated Containers 1.2
Table of Contents Introduction Overview of vsphere Integrated Containers 1.1 1.2 2 Overview of vsphere Integrated Containers This document provides an overview of VMware vsphere Integrated Containers.
More informationThe Application Layer HTTP and FTP
The Application Layer HTTP and FTP File Transfer Protocol (FTP) Allows a user to copy files to/from remote hosts Client program connects to FTP server provides a login id and password allows the user to
More informationBadlock. One Year In Security Hell. Stefan Metzmacher Samba Team / SerNet
Badlock One Year In Security Hell Stefan Metzmacher Samba Team / SerNet 2016-05-11 https://samba.org/~metze/presentations/2016/metze sambaxp2016 badlock-handout.pdf Stefan Metzmacher
More informationTo learn more about Stickley on Security visit You can contact Jim Stickley at
Thanks for attending this session on March 15th. To learn more about Stickley on Security visit www.stickleyonsecurity.com You can contact Jim Stickley at jim@stickleyonsecurity.com Have a great day! Fraud
More informationMASSIVE SCALE USB DEVICE DRIVER FUZZ WITHOUT DEVICE. HC Tencent s XuanwuLab
MASSIVE SCALE USB DEVICE DRIVER FUZZ WITHOUT DEVICE HC Ma @ Tencent s XuanwuLab whoami Security Researcher@ Used to doing Chemistry; Interested in: Console Hacking; Embedded Device Security; Firmware Reverse
More informationIntroduction into browser hacking. Andrey Kovalev
Introduction into browser hacking Andrey Kovalev (@L1kvID) Who am I Security Engineer at Yandex Browser security enthusiast Public speaker (every ZeroNights since 2015) Author of @br0wsec channel (https://t.me/br0wsec)!3
More informationIntercepting SNC-protected traffic
Intercepting SNC-protected traffic Martin Gallo Penetration Testing SME March 2017 Agenda Introduction Problem SAP Protocols SAP SNC (Secure Network Connections) Attack vectors Vulnerable scenarios Demo
More informationLab 1: Space Invaders. The Introduction
Lab 1: Space Invaders The Introduction Welcome to Lab! Feel free to get started until we start talking! The lab document is located on course website: https://users.wpi.edu/~sjarvis/ece2049_smj/ Be sure
More information