SAP Pentest Playbook

Attack SAP GUI clients through an SAP server

Description

SAP GUI is a fat client that can be controlled, within certain restrictions, from the SAP server. Any developer on an SAP system can write ABAP code, and that code can send commands to the connected SAP GUI clients. Typical examples are file upload and download functionality, starting Excel, or driving the integrated browser control. Access is restricted through security rules that are configured within SAP GUI.

Risk

If an attacker has development authorizations in an SAP system, those can be used to attack all connected SAP GUI clients. Note: an attacker with development authorizations can already compromise the SAP system itself; this risk relates to attacking the connected client device. The impact depends on the attack option used and its capabilities. In certain cases user interaction is required, because a popup may appear (e.g. "Do you want to execute application $attackerapp"); whether it does is governed by the security rules configured in SAP GUI.

Expert attackers may also use HTML containers to inject malicious files into the Easy Access menu or into other places. The Easy Access menu is the start screen shown after a successful SAP logon through SAP GUI; the content of the UI control on its right-hand side can be configured through customizing. This can also be used to embed rich formats such as PDF documents, which open a separate class of client-side attack vectors and may compromise the client device if a vulnerable PDF viewer is installed.

Options

All options require S_DEVELOP create or change authorizations or the ability to import a transport.

  • Develop ABAP custom code using CALL METHOD cl_gui_frontend_services=>execute to execute OS commands on the client

  • Easy Access Menu

    • Upload media via transaction SMW0
    • Set START_IMAGE in table SSM_CUST
  • Transaction SE80

    • Upload media via transaction SMW0
    • Set WB_PICTURE in table SEWB_SETTINGS
  • Custom Code HTML Containers with images

    • Exchange media via transaction SMW0
  • Import of a malicious transport

Mitigation

  • Restrict S_DEVELOP create/change authorizations in any non-development system
  • Restrict transport import authorizations
  • Restrict access to transactions SMW0 and SM30, and restrict change authorizations for the tables SSM_CUST and SEWB_SETTINGS
  • Configure and use the antivirus interface to check any uploaded media
  • Use up-to-date endpoint protection
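
As an added example (not part of the playbook), a small Python review aid that scans custom ABAP source for the client-side calls discussed above, so that such code can be found during code review or transport checks. EXECUTE is the method named on this page; GUI_UPLOAD and GUI_DOWNLOAD are included as an assumption, since file transfer to the client is part of the same frontend-services interface.

```python
import re

# Methods of cl_gui_frontend_services to flag in a code review.
# EXECUTE is named on this page; GUI_UPLOAD/GUI_DOWNLOAD are an assumption
# (the page mentions file up-/download functionality on the client).
FLAGGED_METHODS = {"execute", "gui_download", "gui_upload"}

# Matches both static forms: "CALL METHOD cl_gui_frontend_services=>execute"
# and the functional form "cl_gui_frontend_services=>execute( ... )".
_CALL_RE = re.compile(r"\bcl_gui_frontend_services\s*=>\s*([a-z_]+)", re.IGNORECASE)


def strip_abap_comments(line: str) -> str:
    """Drop full-line comments (* in column 1) and trailing " comments."""
    if line.startswith("*"):
        return ""
    # ABAP string literals use single quotes, so a double quote starts a
    # comment; this is good enough for a review aid.
    return line.split('"', 1)[0]


def find_frontend_calls(source: str) -> list[tuple[int, str]]:
    """Return (line_no, method) for every flagged client-side call."""
    hits = []
    for no, raw in enumerate(source.splitlines(), start=1):
        for m in _CALL_RE.finditer(strip_abap_comments(raw)):
            method = m.group(1).lower()
            if method in FLAGGED_METHODS:
                hits.append((no, method))
    return hits


# Constructed sample of a custom report; not taken from any real system.
SAMPLE_ABAP = """REPORT zdemo_frontend.
* cl_gui_frontend_services=>execute in a comment must not be flagged
DATA lv_app TYPE string VALUE 'notepad.exe'.
CALL METHOD cl_gui_frontend_services=>execute
  EXPORTING application = lv_app.
cl_gui_frontend_services=>gui_download( EXPORTING filename = 'C:\\\\temp\\\\x.txt'
  CHANGING data_tab = lt_data ). " writes to the client file system
cl_gui_frontend_services=>directory_exist( EXPORTING directory = lv_dir RECEIVING result = lv_ok ).
"""

if __name__ == "__main__":
    for line_no, method in find_frontend_calls(SAMPLE_ABAP):
        print(f"line {line_no}: cl_gui_frontend_services=>{method}")
```

Run it over the ABAP sources exported from a transport to get a list of lines that act on the client; each hit is then reviewed against the SAP GUI security rules that would govern it.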

References