Exploiting SAP Internals – Security Analysis

SAP security is still a dark world. Very little information can be found on the net, and almost all questions relating to the security assessment of these applications remain unanswered. This paper intends to shed some light on that world by presenting the results of a security analysis performed on the implementation of the SAP RFC interface.

The SAP RFC interface is the heart of the communication between SAP systems, and between SAP and external software. Almost every system that needs to interact with SAP uses the RFC interface. As indicated by SAP: “The RFC Library is the most commonly used and installed in the existing SAP software”.

This document describes the vulnerabilities discovered in the RFC library and their security impact. In addition, advanced attacks, exploitation of insecure default configurations, and design flaws in the interface implementation are presented and explained. Finally, it provides solutions and recommended configurations to protect against the described attacks and vulnerabilities.
