Our Blog

Systems Applications Proxy Pwnage

Reading time ~2 min

[2011/9/6 Edited to add Slideshare embed]

I am currently in London at the first ever 44con conference.  It’s been a fantastic experience so far – excellent talks & friendly people.

Yesterday, I presented a paper titled “Systems Applications Proxy Pwnage” .  The talk precis sums it up nicely:

It has been common knowledge for a number of years that SAP GUI communicates using an unencrypted and compressed protocol by default, and numerous papers have been published by security professionals and researchers dealing with decompressing this traffic.

Until now, most of these methods have been time consuming, convoluted and have focussed more on obtaining sensitive information (such as credentials) than a thorough understanding of the protocol used by SAP GUI.

During this presentation, the speaker will focus on the protocol used by SAP GUI. The speaker will demo and release a new tool-set to assist security professionals in parsing, decompressing and understanding this protocol, as well as demonstrate how this formerly sacrosanct protocol makes SAP applications potentially vulnerable to a wide-range of attacks which have plagued web applications for years.

The talk went very well.  All demos worked perfectly.  My newly authored toolset not only seems to have performed admirably during the presentation, but also seems to be in some demand…

As such, I’m pleased to announce the public release of two tools – SApCap and SAPProx.

SApCap is a Java-based packet sniffer, decompressor and protocol analysis tool for SAP GUI.  It makes use of a third-party JNI interface for pCap (get it here) and a custom-built JNI decompression interface for SAP.  You can download it here.

SAPProx is what I believe to be the world’s first ever SAP GUI proxy.  Think of it as WebScarab for SAP.  You can download it here.

The programs are GPL, and the sources are also available from the relevant pages.

The custom JNI library used for decompressing SAP traffic is also available from the previously mentioned download pages in both binary and source formats.  I have, however, only had the opportunity to build binary libraries for Mac OS/X, Linux (32-bit) and Windows (32-bit).  I will add more binary libraries as soon as I get back to ZA and have access to some different build environments again.

If you’re interested, a copy of my 44con presentation is available from here or below.