SAP systems make use of custom archive file formats in several different places, such as for distributing software components and in the code transport mechanism. While the compression algorithms used by SAP have been known for a few years, they only recently became the target of security analysis. Additionally, the file formats are proprietary and there is not much information about how to properly interpret such files.
This talk will shed some light on the compression algorithms and the CAR and SAR file formats, while at the same time demonstrating some potential attack vectors involving this type of file. Moreover, we'll discuss how to dissect and examine these files for both offensive and defensive purposes, using an open source Python library.