SAP OS Command Injection

We continue with the categories from the list in our Introduction to Secure ABAP Development Guide and turn to "Injections", a class of vulnerabilities that appears when an application validates user input poorly or not at all. An attacker injects crafted data and makes the system perform actions it was never meant to perform. Such a vulnerability can lead to any of the three major SAP risks (Espionage, Sabotage, and Fraud).

The subject of this post is OS Command Injection. It is less common than SAP SQL Injection (the figure below counts only vulnerabilities in software developed by the vendor and does not take custom applications into account), but it is far more dangerous than the other injection types: a successful exploit gives the attacker unrestricted access to the operating system of the victim's application server.

Figure: Vulnerability types by SAP platforms

As the name implies, an OS Command Injection vulnerability lets an attacker execute arbitrary commands on the operating system. The commands run with the OS privileges of the user the SAP work process runs as (the <sid>adm user), so the attacker can start any program, read or modify any file or directory that user can reach, including profiles and other configuration files, and thereby take over the SAP application with full privileges. In most cases OS Command Injection therefore means a full system compromise. There are two ways to inject OS commands in ABAP.

SAP OS Command Injection via FILTER statement

The FILTER addition of the OPEN DATASET statement names an external program that is started when the file is opened; the file is passed through that program (for FOR INPUT, the program's output becomes the data the ABAP program reads). Such filters are usually used for file preprocessing, for example decompression. The filter string is handed to the OS shell of the application server, so any shell metacharacters in it are interpreted.

Example:

REPORT zfilter_injection.
PARAMETERS p_input TYPE string.
" p_input is user-controlled and goes straight into the shell command line
OPEN DATASET 'input.bin' FOR INPUT IN BINARY MODE FILTER p_input.
CLOSE DATASET 'input.bin'.

In this example, p_input is controlled by the user, so any command can be injected: the value is not a file name but a command line the shell executes. For example, the attacker can pass rm -f important.conf as the parameter; the "filter" then runs rm, and the configuration file important.conf is deleted. Because the string reaches a shell, separators such as ; or | also allow several commands to be chained in one parameter.

Remediation

Hard-code the name of the preprocessing program instead of building it from user data. If the user must be able to choose a preprocessing program, let them pick from a fixed set of names that your code maps to the actual commands. Any value that does come from outside must be validated before it is used in FILTER.

Example:

To validate the input, use whitelisting, which can be implemented with the CHECK_WHITELIST_STR and CHECK_WHITELIST_TAB methods of class CL_ABAP_DYN_PRG. Both methods return the checked value unchanged if it is contained in the whitelist and raise the exception CX_ABAP_NOT_IN_WHITELIST otherwise, so an unvalidated string never reaches the statement.

The whitelist in the example contains the values 'PATH1', 'PATH2', 'PATH3', the list of allowed paths.
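The following is an added example, not code from the original post: a version of the FILTER program above in which only a fixed set of preprocessing commands can ever reach OPEN DATASET. CL_ABAP_DYN_PRG and CX_ABAP_NOT_IN_WHITELIST are the standard SAP objects named in the text; the three filter commands in the list and the file name are assumptions chosen for illustration.

```abap
REPORT zfilter_whitelist.

" Added example (not from the original post). The user supplies the name of
" a preprocessing command, but only an exact match against a fixed list is
" ever passed to the OS shell via OPEN DATASET ... FILTER.
PARAMETERS p_input TYPE string LOWER CASE.

" Assumption: these are the only preprocessors the application needs.
" Adapt the list to your own programs; keep it free of user data.
DATA(lt_allowed) = VALUE string_table( ( `gzip -d` )
                                       ( `bzip2 -d` )
                                       ( `xz -d` ) ).
DATA lv_filter TYPE string.

START-OF-SELECTION.
  TRY.
      " Returns p_input unchanged only if it equals one whitelist entry.
      " Anything else, e.g. `gzip -d; rm -f important.conf`, raises
      " CX_ABAP_NOT_IN_WHITELIST and never reaches the shell.
      lv_filter = cl_abap_dyn_prg=>check_whitelist_tab(
                    val       = p_input
                    whitelist = lt_allowed ).
    CATCH cx_abap_not_in_whitelist.
      MESSAGE 'Filter command not allowed' TYPE 'E'.
  ENDTRY.

  " Only the validated string is used in the FILTER addition.
  OPEN DATASET 'input.bin' FOR INPUT IN BINARY MODE FILTER lv_filter.
  IF sy-subrc <> 0.
    MESSAGE 'Cannot open input.bin' TYPE 'E'.
  ENDIF.
  " ... READ DATASET 'input.bin' ... processing of the decompressed data ...
  CLOSE DATASET 'input.bin'.
```

CHECK_WHITELIST_STR works the same way with the allowed values supplied as a single comma-separated string instead of an internal table; use whichever form keeps the list easiest to review. An even stricter design lets the user pick only a short key (such as 'GZIP') and looks the command up in a constant table, so no part of the executed string originates from the screen at all.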

SAP OS Command Injection via CALL ‘SYSTEM’ ID ‘COMMAND’ FIELD statement

The 'SYSTEM' kernel call passes an arbitrary string to the OS shell of the application server. It does not consult the list of external commands maintained in transactions SM49/SM69 (the whitelist that the SXPG function modules honor) and performs no authorization check, so it executes commands that are not defined there at all.

Example

In the example this section refers to, the command variable is taken from user input and passed, without any filtering, to the CALL 'SYSTEM' ID 'COMMAND' FIELD statement. If command is 'ping google.com', exactly that command runs on the application server; because the string goes through a shell, a value such as 'ping google.com; id' runs a second, attacker-chosen command as well.

Remediation

Never let user-controlled data reach a CALL 'SYSTEM' expression. In addition, you can disable CALL 'SYSTEM' altogether by setting the profile parameter rdisp/call_system to '0', either dynamically in transaction RZ11 or permanently in the instance profile via RZ10.

Note: disabling the call affects the whole instance, and some SAP standard programs use CALL 'SYSTEM' themselves to run OS commands, so test the change in a non-production system before rolling it out.

If you still need to execute dynamically generated OS commands, do not forget whitelisting. The pattern is the same as the one shown above for FILTER, but with a list of allowed commands: the user-supplied value must match an allowed command exactly before it is executed. Better still, define the command as a logical command in SM69 and run it through the SXPG interface, so that only the command's arguments, not the command itself, come from the user.
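As an added example (not code from the original post, whose listing for this section did not survive here), the report below contains both the vulnerable form the text describes and a hardened form. The hardened form goes one step beyond the text: instead of whitelisting complete command lines, it executes a fixed logical command from SM69 through the standard function module SXPG_COMMAND_EXECUTE and lets the user supply only its argument. The logical command name ZPING and its SM69 definition ("ping -c 1" with "Additional parameters allowed") are assumptions; SXPG_COMMAND_EXECUTE, its exceptions, and the S_LOG_COM authorization check are SAP standard.

```abap
REPORT zos_command_hardened.

" Added example, not code from the original post. p_host stands in for the
" user-supplied "command" variable of the text.
PARAMETERS p_host TYPE string LOWER CASE.

" Vulnerable form described in the post: the whole command line is built
" from user data and handed to the OS shell, bypassing the SM49/SM69 list.
" A value like 'google.com; id' runs both commands as the <sid>adm user.
FORM run_vulnerable USING iv_host TYPE string.
  DATA: lv_cmd TYPE c LENGTH 255,
        BEGIN OF lt_out OCCURS 0,
          line(255) TYPE c,
        END OF lt_out.
  lv_cmd = |ping -c 1 { iv_host }|.
  CALL 'SYSTEM' ID 'COMMAND' FIELD lv_cmd
                ID 'TAB'     FIELD lt_out-*sys*.
  LOOP AT lt_out.
    WRITE: / lt_out-line.
  ENDLOOP.
ENDFORM.

" Hardened form (added here). Only the fixed logical command ZPING, which
" must be maintained in SM69 (assumption: OS command "ping -c 1" with
" "Additional parameters allowed"), is executed. User data enters only as
" the argument, through SXPG_COMMAND_EXECUTE, which checks the caller's
" S_LOG_COM authorization and rejects shell metacharacters in the
" parameters with the exception SECURITY_RISK.
FORM run_hardened USING iv_host TYPE string.
  DATA: lv_params TYPE sxpgcolist-parameters,
        lv_status TYPE extcmdexex-status,
        lv_exit   TYPE extcmdexex-exitcode,
        lt_proto  TYPE STANDARD TABLE OF btcxpm,
        ls_proto  TYPE btcxpm.

  " Defence in depth: accept only host-name characters ourselves rather
  " than relying on the SXPG character filter alone.
  IF iv_host IS INITIAL
     OR iv_host CN 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-'.
    MESSAGE 'Invalid host name' TYPE 'E'.
  ENDIF.
  lv_params = iv_host.

  CALL FUNCTION 'SXPG_COMMAND_EXECUTE'
    EXPORTING
      commandname           = 'ZPING'      " fixed; never from user input
      additional_parameters = lv_params    " validated argument only
    IMPORTING
      status                = lv_status
      exitcode              = lv_exit
    TABLES
      exec_protocol         = lt_proto
    EXCEPTIONS
      no_permission         = 1
      command_not_found     = 2
      parameters_too_long   = 3
      security_risk         = 4
      OTHERS                = 5.
  IF sy-subrc <> 0.
    " 1: caller lacks S_LOG_COM; 2: ZPING missing in SM69; 4: metacharacters
    MESSAGE 'Command rejected or failed' TYPE 'E'.
  ENDIF.

  LOOP AT lt_proto INTO ls_proto.
    WRITE: / ls_proto-message.
  ENDLOOP.
ENDFORM.

START-OF-SELECTION.
  PERFORM run_hardened USING p_host.
  " PERFORM run_vulnerable USING p_host.   " kept only to show the unsafe pattern
```

The hardened form still deserves the same scrutiny as any whitelist: the SM69 definition of ZPING must not itself contain user-influenced parts, and the "Additional parameters allowed" flag should be set only for commands whose arguments are validated as above. If a command does not need arguments, leave the flag off and pass no additional_parameters at all.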

That is all for today; we hope the article answered your questions about SAP OS Command Injection. Stay tuned: ABAP Code Injection is the subject of the next post.
