infosec-news January 2011 archive
Main Archive Page > Month Archives  > infosec-news archives
infosec-news: [ISN] Exploits Target SAP Applications

[ISN] Exploits Target SAP Applications

From: InfoSec News <alerts_at_nospam>
Date: Wed Jan 12 2011 - 08:34:38 GMT

By Kelly Jackson Higgins
Jan 11, 2011

A researcher at next week's Black Hat DC will show how attackers can
target an enterprise's Web-enabled SAP applications by exploiting the
way enterprises have misconfigured them, as well as some inherent design
issues in the enterprise resource management (ERP) apps.

Mariano Nunez Di Croce, director of research and development for
Onapsis, will demonstrate bypassing authentication in SAP Enterprise
Portal, injecting a backdoor into a compromised SAP Enterprise Portal,
internal port-scanning via SAP Web services, and exploiting vulnerable
SAP Web services.

Because SAP apps are becoming more Internet-connected, they are also
becoming more of a target for cyberespionage, sabotage, and fraud
purposes, he says. SAP's Web-based apps include Enterprise Portal,
Internet Communication Manager (ICM), and Internet Transaction Server
(ITS), which come with security features. But Onapsis has found via
penetration tests that most of its own customers, which include Fortune
100 firms, have not properly locked down their SAP apps, which typically
run sensitive business processes, such as finance, sales, production,
expenditures, billing, and payroll.

"Most customers don't change the default [user and password] settings
[for SAP]," Nunez Di Croce says. "Ninety-five percent of them are
susceptible to being compromised and to possible espionage and fraud"
due to these default settings remaining unchanged, he says.


Tegatai Managed Colocation: Four Provider Blended
Tier-1 Bandwidth, Fortinet Universal Threat Management,
Natural Disaster Avoidance, Always-On Power Delivery
Network, Cisco Switches, SAS 70 Type II Datacenter.
Find peace of mind, Defend your Critical Infrastructure.