Related information

SAP RFC library multiple security vulnerabilities

CYBSEC Security Pre-Advisory: SAP RFC_SET_REG_SERVER_PR OPERTY RFC Function Denial Of Service

CYBSEC Security Pre-Advisory: SAP SYSTEM_CREATE_INSTANC E RFC Function Buffer Overflow

CYBSEC Security Pre-Advisory: SAP RFC_START_GUI RFC Function Buffer Overflow

CYBSEC Security Pre-Advisory: SAP RFC_START_PROGRAM RFC Function Multiple Vulnerabilities

From:	Mariano Nuсez Di Croce <mnunez_(at)_cybsec.com>
Date:	05.04.2007
Subject:	CYBSEC Release: SAP Security - Paper & Tool release

I am proud to announce the release of a White-paper and an open-source tool, both addressing security of SAP R/3 systems.
The paper describes vulnerabilities discovered in the SAP RFC interface implementation and library, as well as some attacks that can be performed over
SAP systems.
The tool, sapyto (v0.93), is the first public framework for carrying out Penetration Tests over SAP R/3 deployments. It is shipped with many plugins
to test for vulnerabilities discovered in our research and also launch different types of attacks.

You can find these resources at the following links:

       . Paper: http://www.cybsec.com/upload/CYBSEC-Whitepaper-Exploiting_SAP_Internals.pdf
       . sapyto: http://www.cybsec.com/vuln/tools/sapyto.tgz


Don't hesitate to send me any comments/suggestions!

Best Regards,

--
-----------------------------------------
Mariano Nunez Di Croce

CYBSEC S.A. Security Systems
Email: mnunez@cybsec.com
Tel/Fax: (54-11) 4371-4444
Web: http://www.cybsec.com
PGP: http://www.cybsec.com/pgp/mnunez.txt
-----------------------------------------