SAP Pentest Playbook

Accessing filesystem (write)

Description

There are various ways to access the filesystem via ABAP. When the filesystem is accessed, the authorization object S_DATASET and, optionally, S_PATH are checked, depending on the settings in table SPTH. The access itself is performed by the ABAP kernel, which uses the OS-level filesystem permissions of the user <SID>adm or SAPService<SID> (Windows).

Risk

This process can lead to sensitive files being overwritten, covering both business and security assets. Examples of business assets are file shares with business data to be imported (file interface). Examples of security assets are cryptographic and private keys (e.g. authorized keys), security configuration files (reginfo/secinfo), kernel and application binaries, libraries, admin scripts, etc. In most cases this leads to a full compromise of the system if the attacker can control the entire content of the uploaded file. The risk is downgraded to a business process disruption / denial of service scenario if only the file destination, but not the file content, can be controlled.

Options

  • Transaction CG3Z or report RC1TCG3Z
  • Directory traversal write in ABAP third-party or custom code (e.g. OPEN DATASET ... FOR OUTPUT, TRANSFER)
  • Function Modules (local) (Transaction SE37)
    • C13Z_FILE_UPLOAD_BINARY
  • OS Commands (Transaction SM49/SM69, custom code, ABAP code CALL SYSTEM, RFC Gateway vulnerability, Report RSBDCOS0, etc.)

Mitigation

  • Control S_DATASET
  • Control S_PATH
  • Control and maintain SPTH
  • OS Commands: These require a different mitigation approach, through the authorization objects S_LOG_COM and S_C_FUNCT
  • Best practices for OS User Security from SAP
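
To review the "Control and maintain SPTH" item, the following added example (not part of the original playbook) models how an SPTH export decides what protects a write to a given file and lists sensitive paths that fall back to S_DATASET alone. It assumes the SPTH columns PATH, FS_NOREAD, FS_NOWRITE and FS_BRGRU with most-specific-prefix matching; the SID "ABC", the rows and the file paths are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SpthRow:
    path: str         # SPTH-PATH: generic prefix, "*" is the catch-all
    fs_noread: bool   # SPTH-FS_NOREAD: no read and no write from ABAP
    fs_nowrite: bool  # SPTH-FS_NOWRITE: no write from ABAP
    fs_brgru: str     # SPTH-FS_BRGRU: group checked through S_PATH

def _prefix(row):
    return row.path.rstrip("*")  # "*" becomes "", which matches everything

def best_match(rows, filename):
    """Most specific SPTH row whose generic prefix matches filename."""
    hits = [r for r in rows if filename.startswith(_prefix(r))]
    return max(hits, key=lambda r: len(_prefix(r)), default=None)

def write_verdict(rows, filename):
    """What stands between an ABAP program and a write to filename."""
    row = best_match(rows, filename)
    if row and (row.fs_noread or row.fs_nowrite):
        return "blocked"
    if row and row.fs_brgru:
        return "S_PATH:" + row.fs_brgru
    return "S_DATASET only"  # assumption: no matching row adds no check

def unprotected(rows, filenames):
    """Files whose only write protection is the S_DATASET check."""
    return [f for f in filenames if write_verdict(rows, f) == "S_DATASET only"]

# Constructed SPTH export for a hypothetical SID "ABC"
SPTH_ROWS = [
    SpthRow("*", False, False, ""),
    SpthRow("/usr/sap/ABC/SYS/exe/", False, True, ""),
    SpthRow("/interface/", False, False, "ZIF"),
]
# Constructed paths for the asset classes named under "Risk"
SENSITIVE = [
    "/usr/sap/ABC/SYS/exe/run/disp+work",
    "/home/abcadm/.ssh/authorized_keys",
    "/usr/sap/ABC/D00/data/reginfo",
    "/interface/in/orders.csv",
]

if __name__ == "__main__":
    for f in SENSITIVE:
        print(f"{write_verdict(SPTH_ROWS, f):15} {f}")
```

Paths reported as "S_DATASET only" are candidates for an FS_NOWRITE entry or an FS_BRGRU authorization group in SPTH.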
