
SAP OS Command Injection


Learn how to prevent OS Command Injection attacks on your system, by following the advice laid out in this article by a team of security researchers.


Editorial Note: This article was a collaborative effort by the ERPScan Research Team.

We continue with the categories from the list in our Introduction to Secure ABAP Development Guide and turn to “Injections,” a class of vulnerabilities that occurs when an application performs no, or inadequate, validation of user input. An attacker can inject malicious data and thereby make the system perform unintended actions. Such a vulnerability may result in major SAP risks (espionage, sabotage, and fraud).

The subject of this post is OS Command Injection. While it is not as widespread as SAP SQL Injection (the figure below counts only vulnerabilities in software developed by the vendor and does not take custom applications into account), it is much more dangerous than other injections: when successfully exploited, it may give an attacker unfettered access to the OS of the victim system.

Figure: Vulnerability types by SAP platforms

As the name implies, an attacker can use an OS command injection vulnerability to execute unauthorized commands in the OS. After a successful exploitation, the attacker can launch any command, access the SAP application with full privileges, and read or modify any file and directory in the file system. So, in most cases, OS command injection means a full system compromise. There are two ways to inject an OS command in ABAP.

SAP OS Command Injection via the FILTER Statement

The FILTER addition of the OPEN DATASET statement allows you to run an external program that is started when the file is opened. Such external programs are usually used for file preprocessing.

Example:

PARAMETERS p_input TYPE string.

OPEN DATASET 'input.bin' FOR INPUT IN BINARY MODE FILTER p_input.


In this example, p_input is controlled by the user, so any command can be injected into it. For example, the attacker can pass the following command in the parameter: rm -f important.conf. As a result, the configuration file important.conf will be deleted.

Remediation

You should either hard-code the names of the preprocessing programs (as in the example below) or properly filter the input in the variable before using it in FILTER.

Example:

DATA: FOUT(200).
FOUT = 'D:\OUT.TXT'.

OPEN DATASET FOUT FOR INPUT
    FILTER 'D:\OUTFILTER.BAT'
    IN TEXT MODE ENCODING DEFAULT.


To filter the input, you can use whitelisting, which can be implemented via the CHECK_WHITELIST_STR and CHECK_WHITELIST_TAB methods of the CL_ABAP_DYN_PRG class.

TYPES whitelist TYPE HASHED TABLE OF string
  WITH UNIQUE KEY table_line.

PARAMETERS p_input TYPE string.

" The only values the user is allowed to pass to FILTER.
DATA(whitelist) = VALUE whitelist( ( `PATH1` ) ( `PATH2` ) ( `PATH3` ) ).

TRY.
    " check_whitelist_tab returns the value unchanged if it is contained
    " in the table and raises cx_abap_not_in_whitelist otherwise.
    p_input = cl_abap_dyn_prg=>check_whitelist_tab(
                val       = to_upper( p_input )
                whitelist = whitelist ).
  CATCH cx_abap_not_in_whitelist.
    cl_demo_output=>write(
      `Only the following paths are allowed:` ).
    cl_demo_output=>display( whitelist ).
    LEAVE PROGRAM.
ENDTRY.

OPEN DATASET 'input.bin' FOR INPUT IN BINARY MODE FILTER p_input.


The whitelist here contains the values 'PATH1', 'PATH2', and 'PATH3', which are the only allowed paths. Because the entire input is matched against the table entries, an attacker cannot append anything to an allowed value.

SAP OS Command Injection via the CALL ‘SYSTEM’ ID ‘COMMAND’ FIELD Statement

The 'SYSTEM' kernel call allows you to execute OS commands that are not maintained in the SM49/SM69 transactions. These transactions contain the whitelist of permitted external OS commands.

Example:

PARAMETERS command(255).

DATA:
      BEGIN OF tabl OCCURS 0,
        line(255),
      END OF tabl.

CALL 'SYSTEM' ID 'COMMAND' FIELD command
              ID 'TAB'     FIELD tabl-line.

In this example, the parameter command is taken from user input without any filtering and executed by the CALL 'SYSTEM' ID 'COMMAND' statement. For example, if the command variable contains ‘ping google.com’, this command will be executed on the server.

Remediation

In this case, it is strongly recommended to avoid user input in the CALL ‘SYSTEM’ expression altogether. You can also forbid command calls via SYSTEM by setting the rdisp/call_system profile parameter to ‘0’, which can be done in the RZ11 transaction.

Note: Barring the call applies to the whole system, which can lead to unpredictable consequences, since SAP itself uses CALL 'SYSTEM' for the execution of OS commands.

If for some reason you still need to execute dynamically generated OS commands via CALL ‘SYSTEM’, do not forget about whitelisting. The whitelisting code is similar to the example above, but the table contains the allowed commands instead of paths.
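The command whitelist described above, written out as an added example (this is not code from the ERPScan article; the report name, the two allowed commands and the use of cl_demo_output for display are assumptions for illustration):

```abap
* Added example: whitelist a dynamically chosen OS command before it
* reaches CALL 'SYSTEM'. Report name and allowed commands are assumed.
REPORT z_safe_call_system.

TYPES cmd_whitelist TYPE HASHED TABLE OF string
  WITH UNIQUE KEY table_line.

PARAMETERS p_cmd TYPE string.

DATA:
  BEGIN OF tabl OCCURS 0,
    line(255),
  END OF tabl.

" Only complete, fixed command lines are allowed. Matching the whole
" string (not just the program name) means a user cannot append shell
" metacharacters or extra arguments to an otherwise allowed entry.
DATA(whitelist) = VALUE cmd_whitelist( ( `uptime` ) ( `df -h` ) ).

TRY.
    p_cmd = cl_abap_dyn_prg=>check_whitelist_tab(
              val       = p_cmd
              whitelist = whitelist ).
  CATCH cx_abap_not_in_whitelist.
    " Anything not in the table is rejected before any kernel call.
    cl_demo_output=>write( `Only the following commands are allowed:` ).
    cl_demo_output=>display( whitelist ).
    LEAVE PROGRAM.
ENDTRY.

" The kernel call expects a character field rather than a string.
DATA command(255).
command = p_cmd.

CALL 'SYSTEM' ID 'COMMAND' FIELD command
              ID 'TAB'     FIELD tabl-line.

" Output lines of the command are returned in the table body.
cl_demo_output=>display( tabl[] ).
```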

That is all for today; we hope the article clarified the questions you had about SAP OS Command Injection. Stay tuned, and we will consider ABAP code injection in the next post.


Published at DZone with permission of alexander polyakov, DZone MVB. See the original article here.
