I am proud to announce the release of a White-paper and an open-source tool, both addressing security of SAP R/3 systems.
The
paper describes vulnerabilities discovered in the SAP RFC interface
implementation and library, as well as some attacks that can be
performed over
SAP systems.
The tool, sapyto (v0.93), is the
first public framework for carrying out Penetration Tests over SAP R/3
deployments. It is shipped with many plugins
to test for vulnerabilities discovered in our research and also launch different types of attacks.
You can find these resources at the following links:
. Paper:
http://www.cybsec.com/upload/CYBSEC-Whitepaper-Exploiting_SAP_Internals.pdf . sapyto:
http://www.cybsec.com/vuln/tools/sapyto.tgz