Page 87 - Cyber Defense eMagazine April 2023
SAP Debugger’s Power and Danger
By Christoph Nagy, CEO of SecurityBridge
It must have been a few years ago that I participated in a webinar in which an SAP representative explained a recently corrected vulnerability. The correction did not remove the problematic code but only introduced an additional check, which, in my opinion, is the normal procedure.
However, after the SAP speaker's explanation, a question was interposed from the audience: How does the fix protect against attackers who use the SAP Debugger to skip the check?
In response, the spokesperson vehemently emphasized that an SAP system in which users have debugging privileges, coupled with the ability to change program variables, cannot be protected from compromise.
The combination of the debugger authorization with the aforementioned ability to change program variables is called, in SAP lingo, Debug & Change. To substantiate the SAP expert's statement, let's look at two questions: What is the SAP Debugger, and what can it do to the system?
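Because an added check in code can be neutralized by anyone holding Debug & Change, the first thing a defender wants to know is who actually holds it. The following ABAP report is an added example, not code from the article or from SecurityBridge; its report name is hypothetical. It assumes the standard role tables AGR_1251 (authorization field values per role) and AGR_USERS (user-to-role assignments), and it looks for authorization object S_DEVELOP with OBJTYPE = DEBUG and ACTVT = 02, the combination that makes up Debug & Change. Both values must occur in the same authorization instance (the AUTH column) for the role to grant the combination, so the report intersects the two field hits before resolving users.

```abap
*&---------------------------------------------------------------------*
*& Report Z_LIST_DEBUG_CHANGE_USERS (hypothetical name, added example)
*& Lists users whose active role assignments grant S_DEVELOP with
*& OBJTYPE = DEBUG and ACTVT = 02 in the same authorization instance.
*&---------------------------------------------------------------------*
REPORT z_list_debug_change_users.

TYPES: BEGIN OF ty_hit,
         agr_name TYPE agr_1251-agr_name,
         auth     TYPE agr_1251-auth,
       END OF ty_hit,
       BEGIN OF ty_user,
         uname    TYPE agr_users-uname,
         agr_name TYPE agr_users-agr_name,
       END OF ty_user.

DATA: lt_debug  TYPE STANDARD TABLE OF ty_hit,
      lt_change TYPE STANDARD TABLE OF ty_hit,
      lt_roles  TYPE STANDARD TABLE OF ty_hit,
      lt_users  TYPE STANDARD TABLE OF ty_user.

" S_DEVELOP instances whose OBJTYPE covers DEBUG (explicitly or via '*')
SELECT agr_name auth FROM agr_1251
  INTO TABLE lt_debug
  WHERE object  = 'S_DEVELOP'
    AND field   = 'OBJTYPE'
    AND ( low = 'DEBUG' OR low = '*' )
    AND deleted = abap_false.

" S_DEVELOP instances whose ACTVT covers 02 = change (explicitly or via '*')
SELECT agr_name auth FROM agr_1251
  INTO TABLE lt_change
  WHERE object  = 'S_DEVELOP'
    AND field   = 'ACTVT'
    AND ( low = '02' OR low = '*' )
    AND deleted = abap_false.

" Keep only role/instance pairs that carry BOTH values: that is Debug & Change
LOOP AT lt_debug INTO DATA(ls_debug).
  READ TABLE lt_change WITH KEY agr_name = ls_debug-agr_name
                                auth     = ls_debug-auth
                       TRANSPORTING NO FIELDS.
  IF sy-subrc = 0.
    APPEND ls_debug TO lt_roles.
  ENDIF.
ENDLOOP.

SORT lt_roles BY agr_name.
DELETE ADJACENT DUPLICATES FROM lt_roles COMPARING agr_name.

IF lt_roles IS INITIAL.
  WRITE: / 'No role grants S_DEVELOP with OBJTYPE DEBUG and ACTVT 02.'.
  RETURN.
ENDIF.

" Resolve the roles to users whose assignment is valid today
SELECT uname agr_name FROM agr_users
  INTO TABLE lt_users
  FOR ALL ENTRIES IN lt_roles
  WHERE agr_name  = lt_roles-agr_name
    AND from_dat <= sy-datum
    AND to_dat   >= sy-datum.

SORT lt_users BY uname agr_name.

WRITE: / 'Users with Debug & Change via role assignment:'.
ULINE.
LOOP AT lt_users INTO DATA(ls_user).
  WRITE: / ls_user-uname, 20 ls_user-agr_name.
ENDLOOP.
```

The report only covers authorizations that come through PFCG-maintained roles: manually maintained profiles, wide-open profiles such as SAP_ALL, and interval values in the HIGH column of AGR_1251 are not evaluated, so treat an empty result as a starting point and cross-check it with the user information system (transaction SUIM) before concluding that nobody holds Debug & Change in production.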