SAP and backdoors?
SAP building backdoors for the NSA. Far fetched?
Yes, strongly denied by SAP and in my belief also
But what if there are backdoors SAP or customers
are not aware of…. A practical example…
In order to effectively secure an SAP platform, you need to understand and secure all of its
systems, components, infrastructure layers and related vulnerabilities and threats.
To break an SAP platform you only need one flaw/vulnerability!
If you are the good guy, you have to work harder!
But first… The challenge
A backdoor into SAP; you need one of these 3
So, to fully compromise an SAP system we need at least
one of the following:
• Gain SAP_ALL rights on application layer
• Get access to the Operating system as <sid>adm
• Get access to the Database, in particular the SAP schema
Getting access to one of the above means you have access to all
A backdoor into SAP…
In this scenario we will combine 3 vulnerabilities:
1. A Default user with default password for Diagnostics purposes
2. A Remote wrapper to execute local function modules remotely
without authorization check
3. A Local function module to execute native SQL without authorization check
Business risk: Leads to a full compromise
of your business critical data
Some details on the 3 vulnerabilities
1. Default user with default password for Diagnostics purposes
• User SMDAGENT_<SID> is used by the Wily host agent for gathering diagnostics
• It gets created via the Solution Manager “Managed System Configuration” in solman 7.0
• Exists not only in Solution Manager, but also in backend systems
2. Local function to execute native SQL without authorization check
• Function Module /SDF/RBE_NATSQL_SELECT can be used to execute native SQL
• Lacks authorization check
3. Remote wrapper without authorization check
• Function Module /SDF/GEN_PROXY can be used to execute local Function Modules remotely
• Lacks authorization check
Select password hashes from the database
Brute force privileged SAP accounts
Gain access to the SAP Solution Manager
• Use (trusted) RFCs to the world
• Use your imagination
• And take over the world
Try and take over the world!
How to protect?
Change password or delete user SMDAGENT_<SID>
Apply OSS note 1774432 (CVSS score 4.6)
Apply OSS note 1727914 (CVSS score 7.5)
Monitoring / logging
Also see the SAP Whitepaper
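For the monitoring / logging point, an added example (not part of the original slides or SAP's own tooling) that scans an export of remote function call records for the user and function modules named above. The CSV layout, the EXPECTED_AGENT_HOSTS allowlist and all sample users, hosts and timestamps are assumptions constructed for illustration.

```python
import csv
import io
import re

# Function modules the slides name as lacking an authorization check.
WATCHED_FMS = {"/SDF/GEN_PROXY", "/SDF/RBE_NATSQL_SELECT"}
# Diagnostics user from the slides; the suffix is the system ID.
SMDAGENT_RE = re.compile(r"SMDAGENT_[A-Z0-9]+")
# Assumption: hosts where the diagnostics agent is expected to run.
EXPECTED_AGENT_HOSTS = {"agenthost01"}

# Constructed records in an assumed CSV layout, not a real SAP log format.
SAMPLE_EXPORT = """\
timestamp,user,function_module,source_host
2024-05-02T08:14:03,BATCH_USER,RFC_SYSTEM_INFO,appsrv01
2024-05-02T08:15:41,SMDAGENT_PRD,/SDF/GEN_PROXY,ws-unknown-17
2024-05-02T09:02:10,JDOE,/sdf/rbe_natsql_select,appsrv02
2024-05-02T09:30:00,smdagent_prd,RFC_PING,agenthost01
2024-05-02T09:45:12,SMDAGENT_PRD,RFC_PING,ws-unknown-17
"""


def classify(record):
    """Return (severity, reason) for one call record, or None if unremarkable."""
    user = record["user"].strip().upper()
    fm = record["function_module"].strip().upper()
    host = record["source_host"].strip().lower()
    is_agent = SMDAGENT_RE.fullmatch(user) is not None
    if fm in WATCHED_FMS and is_agent:
        return ("critical", f"{user} called {fm}: matches the chain on the slides")
    if fm in WATCHED_FMS:
        return ("high", f"{fm} called by {user}: confirm the notes are applied")
    if is_agent and host not in EXPECTED_AGENT_HOSTS:
        return ("review", f"{user} used from unexpected host {host}")
    return None


def scan(export_text):
    """Classify every row of the export and return the findings in file order."""
    findings = []
    for record in csv.DictReader(io.StringIO(export_text)):
        verdict = classify(record)
        if verdict:
            findings.append((record["timestamp"], *verdict))
    return findings


if __name__ == "__main__":
    for timestamp, severity, reason in scan(SAMPLE_EXPORT):
        print(f"{timestamp} [{severity}] {reason}")
```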
Something about Hana Security…
SAP HANA Security notes
With great power comes great responsibility
SAP Security baseline
SAP Security baseline template
• Helps you when defining an SAP Security baseline
• Contains many settings to check
• Not only on SAP application level, but also includes Database, Operating System, network and
The baseline can be accessed
on the SAP Support site at
-> Media Library
-> Security Baseline Template.
What I hope you learned today:
• SAP Security can be sexy
• Defenders have to work harder
• Don’t forget the systems of the ‘techies’ as the SAP Solution Manager is a critical component when
it comes to security
• Patch, patch, patch
• Check the SAP TechEd Materials!
• Read and make use of the SAP Security Baseline document