Editorial Note: This article was a collaborative effort by the ERPScan Research Team.
We continue describing categories from the list we discussed in our Introduction to Secure ABAP Development Guide and pursue “Injections,” a type of vulnerabilities that occurs when an application provides no, or bad, user input validation. An attacker can inject malicious data, thus performing non-intended actions in a system. Such a vulnerability may result in major SAP risks (Espionage, Sabotage, and Fraud).
The subject of this post is OS Command Injection. While it is not as spread as SAP SQL Injections (the figure below shows only the number of the vulnerabilities only in software developed by the vendor and doesn't take into account custom applications), it is much more dangerous than other injections. For, when successfully exploited, it may give an attacker unfettered access to the OS of a victim.
Vulnerability types by SAP Platforms
As the name implies, an attacker can use an OS command injection vulnerability for an unauthorized command execution in the OS. In the case of a successful exploitation, the attacker can launch any command, get access to an SAP application with full privileges, and gain access to any file and directory in a file system. So, OS Command injection, in most cases, means a full system compromise. There are two ways to inject OS command in ABAP.
SAP OS Command Injection via the FILTER Statement
The FILTER statement allows you to run an external program that will start when a file is opened. External programs are usually used for file preprocessing.
PARAMETERS p_input TYPE string.
OPEN DATASET 'input.bin' FOR INPUT IN BINARY MODE FILTER p_input.
In this example, you can see that
p_input is controlled by a user and it is possible to inject any command into it. For example, the attacker can pass the following command to the parameter:
rm -f important.conf. As a result, the configuration file
important.conf will be deleted.
You should specify the names of the preprocessing programs (as in the example below) or filter the input to the variable before using it in
DATA: FOUT(200). FOUT = 'D:\OUT.TXT'. OPEN DATASET FOUT FOR INPUT FILTER 'D:\OUTFILTER.BAT' IN TEXT MODE ENCODING DEFAULT.
To filter the input, you can use whitelisting, which can be implemented via
CHECK_WHITELIST_STR and the
CHECK_WHITELIST_TAB methods of the
YPES whitelist TYPE HASHED TABLE OF string WITH UNIQUE KEY table_line. PARAMETERS p_input TYPE string. DATA(whitelist) = VALUE whitelist( ( `PATH1` ) ( `PATH2` ) ( `PATH3` ) ). TRY. p_input = cl_abap_dyn_prg=>check_whitelist_tab( val = to_upper( p_input ) whitelist = whitelist ). CATCH cx_abap_not_in_whitelist. cl_demo_output=>write( `Only the following paths are allowed:` ). cl_demo_output=>display( whitelist ). LEAVE PROGRAM. ENDTRY. OPEN DATASET 'input.bin' FOR INPUT IN BINARY MODE FILTER p_input.
The whitelist here contains the values
'PATH3' – this is the list of allowed paths.
SAP OS Command Injection via the CALL ‘SYSTEM’ ID ‘COMMAND’ FIELD Statement
'SYSTEM' kernel method allows you to execute OS commands, which are not specified in
SM49/SM69 transactions. These transactions contain a whitelist of permitted OS commands.
PARAMETERS command(255). DATA: BEGIN OF tabl OCCURS 0, line(255), END OF tabl. CALL 'SYSTEM' ID 'COMMAND' FIELD command ID 'TAB' FIELD tabl-line.
In this example, you can see that the parameter command is passing through the Input without any filtration executed by the
CALL 'SYSTEM' ID 'COMMAND' statement. For example, if a command variable is
‘ping google.com’, this command will be executed on the server.
In this case, it is strictly recommended to avoid user input data in the
CALL ‘SYSTEM’ expression. Besides, you can forbid command calls via
SYSTEM by setting the
rdisp/call_system parameter value to ‘0’. It can be done by means of the
Note: The call barring command is applied to the whole system, which can lead to unpredictable consequences, while SAP uses
CALL 'SYSTEM' for the execution of OS commands.
If for some reasons you still need the execution of dynamic generated OS command via
CALL ‘SYSTEM’, do not forget about whitelisting. An example of whitelisting will be similar to the example above but will have a list of allowed commands to execute.
That is all for today, and we hope the article clarified all the questions you had about SAP OS Command Injections. Stay tuned and we’ll consider the ABAP Code injections in the next post.