SAP Pentest Playbook

Accessing filesystem (read)

Description

There are several ways to access the filesystem from ABAP. Whenever the filesystem is accessed, the authorization object S_DATASET is checked and, depending on the entries maintained in table SPTH, optionally S_PATH as well. The access itself is performed by the ABAP kernel, so at the OS level it runs with the filesystem permissions of the user <SID>adm or, on Windows, SAPService<SID>.

Risk

Filesystem read access can expose sensitive files covering both business and security assets: business assets such as file shares holding exported business data, and security assets such as cryptographic and private keys, security configuration files and passwords. In certain cases this leads to a full compromise of the system.

Options

  • Transactions AL11 and AL11_old
  • Directory traversal read in ABAP third-party or custom code (OPEN DATASET ... FOR INPUT with a user-controlled path)
  • Function modules (local, via transaction SE37)
    • C13Z_FILE_DOWNLOAD_ASCII
    • C13Z_FILE_DOWNLOAD_BINARY
  • OS commands (transactions SM49/SM69, custom code, ABAP CALL SYSTEM, an RFC Gateway vulnerability, report RSBDCOS0, etc.) running commands such as cat, ls or Get-Content
  • ICM misconfiguration: the profile parameter icm/HTTP/file_access_<nr> creates an alias from which the entire filesystem can be browsed via a URL. Authentication for the alias can be set up via the profile parameter icm/HTTP/auth_<nr>.

Mitigation

  • Control S_DATASET
  • Control S_PATH
  • Control and maintain table SPTH
  • OS commands require a different mitigation approach: restrict the authorization objects S_LOG_COM and S_C_FUNCT
  • Follow SAP's best practices for OS user security
  • Set up authentication for the ICM if needed (icm/HTTP/auth_<nr>)
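
Added example, not taken from the playbook: a hypothetical report that places the unchecked OPEN DATASET pattern from the Options list next to a hardened variant that pins the base directory, rejects path separators and traversal tokens, and performs the S_DATASET read check explicitly. The report name, the form names and the base directory /usr/sap/trans/data/ are assumptions.

```abap
REPORT z_dataset_read_demo.   " hypothetical report name
" Selection screen input: a bare file name chosen by the user.
PARAMETERS p_file TYPE c LENGTH 128 LOWER CASE.

" --- Vulnerable pattern: the user-supplied value goes straight to the kernel.
" Only S_DATASET (and S_PATH, if SPTH is maintained) stands between the caller
" and every file readable by <sid>adm; a "../" in the input walks the tree.
FORM read_unchecked USING iv_file TYPE csequence.
  DATA lv_line TYPE string.
  OPEN DATASET iv_file FOR INPUT IN TEXT MODE ENCODING DEFAULT.
  IF sy-subrc = 0.
    READ DATASET iv_file INTO lv_line.
    CLOSE DATASET iv_file.
  ENDIF.
ENDFORM.

" --- Hardened pattern: pin the directory, reject separators and traversal
" tokens, and run the S_DATASET read check explicitly so a failure is
" visible in SU53 / STAUTHTRACE.
FORM read_checked USING iv_file TYPE csequence.
  " Assumed export directory; productive code should use a logical file
  " name (transaction FILE) rather than a hard-coded physical path.
  CONSTANTS lc_base TYPE string VALUE '/usr/sap/trans/data/'.
  DATA: lv_path TYPE string,
        lv_line TYPE string.
  IF iv_file IS INITIAL OR iv_file CS '/' OR iv_file CS '\' OR iv_file CS '..'.
    MESSAGE 'Illegal file name' TYPE 'E'.
  ENDIF.
  lv_path = lc_base && iv_file.

  " ACTVT 33 = read; FILENAME carries the resolved physical path.
  AUTHORITY-CHECK OBJECT 'S_DATASET'
    ID 'PROGRAM'  FIELD sy-repid
    ID 'ACTVT'    FIELD '33'
    ID 'FILENAME' FIELD lv_path.
  IF sy-subrc <> 0.
    MESSAGE 'No authorization to read this file' TYPE 'E'.
  ENDIF.

  OPEN DATASET lv_path FOR INPUT IN TEXT MODE ENCODING DEFAULT.
  IF sy-subrc <> 0.
    MESSAGE 'File cannot be opened' TYPE 'E'.
  ENDIF.
  READ DATASET lv_path INTO lv_line.
  CLOSE DATASET lv_path.
  WRITE / lv_line.
ENDFORM.

START-OF-SELECTION.
  PERFORM read_checked USING p_file.
```

The explicit AUTHORITY-CHECK duplicates the kernel's own S_DATASET check on purpose: it lets the report fail with a clear message before the file is touched and gives SU53 a traceable entry when a role is missing.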

References