HitB2012AMS: Inception of the SAP Platform’s Brain: Hacking the SAP Solution Manager

Tribute To Guitarist Pat Martino - Scan/Edit 03 07 - a CC NC ND image by Mikey G
By Juan Pablo (Chief Technology Officer, Onapsis)

Onapsis focuses on the security of ERP systems and is constantly researchng the vulnerability of these systems. They also develop systems to secure SAP system.

The information in SAP systems is usually of high value it can be used for espionage, sabotage and fraud. It is therefore therefore surprising that over 95% of the SPA systems tested by Juan Pablo company is exposed to these attacks. Without the need for credentials to perform these attacks.

The SAP Solution manager

The SAP solution manager is required in every SAP implementation. It is the central point of administration for the SAP systems. The solution manager itself does not hold any business information, only technical information and in hosted scenario’s it often connects to multiple SAP solutions of different customers.

The solution manager is used to manager users, download and install patches, etc.

Step 1: Compromised a satellite system

If not compliant with BIZEC TEC/11 an anonymous attacker could easily compromise a satellite SPA system, because many vulnerabilities exist.

Juan Pablo demonstrates an attack abusing default account settings.

Step 2: Escalate from satellite to Solution manager

From the satellite system you can easily connect back to the solution manager by default.

Step 3: Compromise another satellite

The SPA Solution Manager is highly dependent on the Gateway. I fthe attacker kanws/guesses the TPNAME and the Gateway is not protected (by default) then all Gateway attacks are possible.

Some SAP systems use Central User Administration (CUA). The solution manager is the CUA mster. If it is compromised, any user can be created with any privileges.

Another often installed service is the CCSM monitoring services. It too can be used to compromised satellite systems.

This attack is demonstrated by Juan.

Alternative step 1 & 2: Solution Manager Diagnostics

By default SAP installation run SMD which has two vulnerabilities that allow you to make a connection to the SAP solution manager.

Again the attacks are demonstrated by Juan Pablo.


If an attack breaks into the SAP solution manager the game is over.

Trust relationships are needed in most SAP implementations, but are vulnerable

If possible don’t used the same solution manager for different SAP systems with different security requirements

All SAP systems must be secured, a single insecure SAP system can destroy the security of all connected systems.

Do not expose the Solution Manager

Restrict network access to the SAP systems.

Update your SAP system

Presentation materials available from http://conference.hitb.org/hitbsecconf2012ams/materials/


Juan Perez-Etchegoyen is the CTO of Onapsis, leading the Research and Development teams that keep the company in the cutting-edge of the ERP security field. Juan is fully involved in the design, research and development of all the innovative Onapsis software solutions. Responsible for managing the Onapsis Research Labs, Juan has also been actively involved in the coordination and research of critical security vulnerabilities in ERP applications and business-critical infrastructure, such as SAP, Oracle and JD Edwards.

He has extensive experience in the information security field, being involved in large research, penetration testing, vulnerability assessment and security implementations projects, among other kind. As a result of his research work and experience, Juan  has been invited to lecture and train in security conferences such as BlackHat, HITB Malaysia and Ekoparty, as well as to host private trainings on different aspects of information security for Global Fortune-100 organizations.


Not Published

0/1000 characters
Go Top