[ERPSCAN-16-023] Potential backdoor via hardcoded system ID
Application: SAP NetWeaver AS ABAP
Vendor URL: http://sap.com
Bugs: Hardcoded credentials
Vendor response: 02.02.2016
Date of Public Advisory: 10.05.2016
Reference: SAP Security Note 2292487
Author: Vahagn Vardanyan (ERPScan)
Class: Hardcoded credentials
Impact: Code that grants access only when the system has a particular system ID is either a backdoor left by developers or debug code that was shipped.
Remotely Exploitable: Yes
Locally Exploitable: No
CVSS Base Score v3: 3.1 / 10
CVSS Base Vector:
| AV : Attack Vector (Related exploit range) | Network (N) |
| AC : Attack Complexity (Required attack complexity) | High (H) |
| PR : Privileges Required (Level of privileges needed to exploit) | High (H) |
| UI : User Interaction (Required user participation) | Required (R) |
| S : Scope (Change in scope due to impact caused to components beyond the vulnerable component) | Unchanged (U) |
| C : Impact to Confidentiality | None (N) |
| I : Impact to Integrity | Low (L) |
| A : Impact to Availability | Low (L) |
An attacker can use the hardcoded data to gain unauthorized access and perform various actions in the system. In addition, such code can remain in the system as a backdoor.
Some functionality in the test environment of the code page conversion tool contains code with a hardcoded system ID.
SAP ABAP BASIS 7.4
Other versions are probably affected too, but they were not checked.
SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, install SAP Security Note 2292487.
Proof of Concept
" Excerpt from the test environment of the code page conversion tool:
" the upload check is tied to the two hardcoded system IDs UI3 and NI3.
if expdown = ' ' and
   disponly = ' ' and
   ( sy-sysid = 'UI3' or sy-sysid = 'NI3' ).
  " Scenarios whose name starts with 'ZZZ' skip the check entirely.
  if so_scen-low(3) <> 'ZZZ'.
    message 'Uploading prohibited in UI3 or NI3' type 'I' display like 'E'. "#EC NOTEXT
    " The "prohibition" is only a confirmation popup: answering 'J' (yes) continues.
    call function 'POPUP_TO_CONFIRM_STEP' "#EC *
      exporting
        defaultoption  = 'N'
        textline1      = 'Really want to upload an expected result?'
        titel          = 'Confirmation'
        cancel_display = ' '
      importing
        answer         = l_do_changes.
    if l_do_changes <> 'J'. exit. endif.
    " ... the upload continues here; the rest of the routine is not part of the advisory.
  endif.
endif.
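As an added detection example (not part of the advisory and not SAP's code), a small Python scanner that flags ABAP source comparing sy-sysid against a quoted literal, the pattern shown in the proof of concept; the sample source is constructed from the excerpt above, and comment stripping follows ABAP's '*' in column 1 and trailing '"' conventions.

```python
import re
from typing import List, Tuple

# sy-sysid compared with a quoted literal, either operand order, case-insensitive:
#   sy-sysid = 'UI3'     'PRD' NE sy-sysid     SY-SYSID <> 'NI3'
_SYSID_CMP = re.compile(
    r"sy-sysid\s*(?:=|<>|eq|ne)\s*'([^']*)'"
    r"|'([^']*)'\s*(?:=|<>|eq|ne)\s*sy-sysid",
    re.IGNORECASE,
)

def strip_abap_comment(line: str) -> str:
    """Remove ABAP comments: '*' in column 1 marks a full-line comment and a
    double quote outside a string literal starts a trailing comment."""
    if line.startswith("*"):
        return ""
    out, in_literal = [], False
    for ch in line:
        if ch == "'":
            in_literal = not in_literal   # an escaped '' toggles twice, net zero
        elif ch == '"' and not in_literal:
            break
        out.append(ch)
    return "".join(out)

def find_hardcoded_sysid(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, system_id) for every comparison of sy-sysid with
    a literal. Comments are ignored; a compare with a variable is not flagged."""
    findings = []
    for lineno, raw in enumerate(source.splitlines(), start=1):
        for m in _SYSID_CMP.finditer(strip_abap_comment(raw)):
            sid = m.group(1) if m.group(1) is not None else m.group(2)
            findings.append((lineno, sid.upper()))
    return findings

# Constructed sample modelled on the advisory's excerpt (not SAP's source).
SAMPLE_ABAP = """\
* constructed sample
if expdown = ' ' and
   disponly = ' ' and
   ( sy-sysid = 'UI3' or sy-sysid = 'NI3' ).
  message 'Uploading prohibited in UI3 or NI3' type 'I' display like 'E'. "#EC NOTEXT
  " if sy-sysid = 'XXX'. this is a comment, not code
  if sy-sysid <> lv_expected_sid.  " compared with a variable: not flagged
"""

if __name__ == "__main__":
    for lineno, sid in find_hardcoded_sysid(SAMPLE_ABAP):
        print(f"line {lineno}: sy-sysid compared with hardcoded system ID {sid!r}")
```

Run over a custom-code export, each finding is a candidate for the same review the note above prompted: a behaviour gated on a specific system ID rather than on authorization checks.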