Dynamic Code Execution

This short article continues the discussion of the second section of the Secure ABAP Development Guide, called ‘Critical Calls’. Dynamic code execution in ABAP is possible via the ASSIGN, PERFORM or CREATE OBJECT statements. When the names these statements operate on are taken from variable content, potentially harmful user input can reach them, leading to a full system compromise that is hard to investigate.

An example is provided below.

The ‘sname’ parameter is used in a PERFORM statement, which allows calling a subroutine (form) from any program. So an attacker can execute any subroutine of the ‘pname’ program. If ‘pname’ is also set as a parameter, then ANY subroutine from ANY program can be called.

Business Risks

As any program can be executed, the consequences of insecure usage of these statements can be extensive. Business risks of SAP systems (espionage, sabotage, fraud or their combination) depend on the functionality of a vulnerable program.

Remediation

To prevent the dynamic execution of malicious code, validate all user input data that is passed to the statements described above. Use the CHECK_WHITELIST_STR and CHECK_WHITELIST_TAB methods of the CL_ABAP_DYN_PRG class.

In the example provided above, the user-controlled variable ‘sname’ that contains the subroutine (form) name is checked against a whitelist containing the values ‘subroutine1’, ‘subroutine2’ and ‘subroutine3’. Thus the user is allowed to call only one of these three subroutines from the ‘pname’ program.
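The following report is an added illustration, not the article’s own example: the program name ZDYN_CALL_DEMO, the parameter p_sname and the three form names are constructed. It shows the unchecked PERFORM pattern next to the hardened one, where the form name is validated with CL_ABAP_DYN_PRG=>CHECK_WHITELIST_STR before it is used, and the program name is no longer taken from input at all.

```abap
REPORT zdyn_call_demo.

" Constructed example: the user supplies only the subroutine name.
PARAMETERS p_sname TYPE c LENGTH 30.

" The three subroutines that may legitimately be called dynamically.
FORM subroutine1. WRITE: / 'subroutine1 executed'. ENDFORM.
FORM subroutine2. WRITE: / 'subroutine2 executed'. ENDFORM.
FORM subroutine3. WRITE: / 'subroutine3 executed'. ENDFORM.

START-OF-SELECTION.
  " Insecure pattern (kept as a comment): the form name, and in the worst
  " case also the program name, come straight from user input, so any
  " subroutine of any program could be executed.
  "   PERFORM (p_sname) IN PROGRAM (p_pname) IF FOUND.

  " Hardened pattern: CHECK_WHITELIST_STR returns the value unchanged when
  " it matches one of the comma-separated whitelist entries and raises
  " CX_ABAP_NOT_IN_WHITELIST otherwise. The whitelist is a literal in the
  " code, never built from input. CHECK_WHITELIST_TAB does the same with
  " an internal table of allowed values.
  DATA lv_form TYPE string.
  TRY.
      lv_form = cl_abap_dyn_prg=>check_whitelist_str(
                  val       = p_sname
                  whitelist = 'SUBROUTINE1,SUBROUTINE2,SUBROUTINE3' ).
    CATCH cx_abap_not_in_whitelist.
      " Reject the request; do not fall through to the dynamic call.
      MESSAGE 'Subroutine name is not whitelisted' TYPE 'E'.
  ENDTRY.

  " Only the validated form name is dynamic; the program is fixed to the
  " current report, so no other program's subroutines are reachable.
  PERFORM (lv_form) IN PROGRAM (sy-repid) IF FOUND.
```

Input from a PARAMETERS field of type c is uppercased by the selection screen, which is why the whitelist entries are uppercase; the comparison is exact, so a name that differs in case or carries extra characters is rejected.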

That’s it for Dynamic Code Execution. The next entry of ‘Critical Calls’ section will cover Native SQL.

Keep in touch and follow us on Twitter, Facebook, and LinkedIn and get more information from our ERPScan Research team.
