Lateral movement through SAP landscapes
In many cases, once access has been gained to one SAP system, you can move laterally through the SAP landscape, often gaining access to productive systems after starting on e.g. a Sandbox or Development system. This lateral movement (also called RFC Hopping) can be done, for example, through prefilled users and passwords with too extensive privileges in RFC Type 3 connections.
RFC Hopping can lead to fully breached SAP productive systems and their data.
- RFC Type 3 connections in SM59 with a DIALOG user with too extensive privileges: by pressing the “Remote Logon” button you can simply jump to the configured system.
- RFC Type 3 connections in SM59 with a NON-DIALOG user with too extensive privileges: by using remote-enabled function modules like RFC_READ_TABLE one can read the password hashes of the remote system and brute-force them offline, or by using BAPI_USER_CREATE one can create their own SAP user with SAP_ALL rights in the remote system.
- Do not create RFC connections from LOW security zones to HIGH security zones (like from Dev to Prd).
- Do not use SAP_ALL or other high privileges in RFC connections.
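The two rules above can be turned into a simple audit over the Type 3 destinations of a landscape. The following is an added example, not code from the original page: it takes a simplified, constructed record per SM59 destination (zone of the holding system, zone of the target, configured user, its user type, whether a password is stored, and the profiles that user holds in the target system; in practice you would collect these from SM59 and the target system's user master) and flags the combinations that enable RFC Hopping: a connection pointing from a lower to a higher security zone, a DIALOG user with a saved password (Remote Logon), and a user carrying SAP_ALL or similar. The zone names, destination names and profiles in the sample data are assumptions made up for this example.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Security zones ordered from least to most sensitive (assumed naming for this example).
ZONE_RANK = {"SANDBOX": 0, "DEV": 1, "QAS": 2, "PRD": 3}

# Profiles that grant (near) unrestricted rights in an SAP system.
HIGH_PRIV_PROFILES = frozenset({"SAP_ALL", "SAP_NEW"})


@dataclass(frozen=True)
class RfcDestination:
    """One SM59 Type 3 (ABAP-to-ABAP) destination, reduced to the fields the audit needs."""
    name: str
    source_zone: str          # zone of the system that holds the destination
    target_zone: str          # zone of the system the destination points to
    user: str                 # logon user configured in the destination
    user_type: str            # user type in the target: DIALOG, SYSTEM, COMMUNICATIONS, ...
    stored_password: bool     # password saved in SM59, so no prompt when the destination is used
    profiles: frozenset = field(default_factory=frozenset)  # profiles of that user in the target


def assess(dest: RfcDestination) -> list[str]:
    """Return the RFC-hopping risk indicators that apply to one destination."""
    findings: list[str] = []
    # Rule: no connections from a lower zone into a higher zone (e.g. Dev -> Prd).
    if ZONE_RANK[dest.target_zone] > ZONE_RANK[dest.source_zone]:
        findings.append("CROSS_ZONE_UPWARD")
    # A DIALOG user with a saved password lets anyone with SM59 access use Remote Logon.
    if dest.stored_password and dest.user_type == "DIALOG":
        findings.append("DIALOG_USER_STORED_PASSWORD")
    # Rule: no SAP_ALL or comparable privileges behind an RFC connection.
    if dest.profiles & HIGH_PRIV_PROFILES:
        findings.append("HIGH_PRIVILEGE_USER")
    return findings


def severity(findings: list[str]) -> str:
    """Rate a destination: cross-zone plus a usable high-privilege path is the worst case."""
    exploitable = "HIGH_PRIVILEGE_USER" in findings or "DIALOG_USER_STORED_PASSWORD" in findings
    if "CROSS_ZONE_UPWARD" in findings and exploitable:
        return "CRITICAL"
    if exploitable:
        return "HIGH"
    if findings:
        return "MEDIUM"
    return "OK"


def audit(destinations: list[RfcDestination]) -> dict[str, tuple[str, list[str]]]:
    """Map each destination name to (severity, findings)."""
    result = {}
    for dest in destinations:
        findings = assess(dest)
        result[dest.name] = (severity(findings), findings)
    return result


# Constructed sample landscape; names, users and profiles are made up for this example.
SAMPLE_DESTINATIONS = [
    RfcDestination("DEV_TO_PRD_ADMIN", "DEV", "PRD", "RFCADMIN", "DIALOG", True, frozenset({"SAP_ALL"})),
    RfcDestination("DEV_TO_PRD_BATCH", "DEV", "PRD", "RFC_BATCH", "SYSTEM", True, frozenset({"Z_RFC_READONLY"})),
    RfcDestination("PRD_TO_DEV_TRANSPORT", "PRD", "DEV", "RFC_TMS", "COMMUNICATIONS", True, frozenset({"Z_TRANSPORT"})),
    RfcDestination("QAS_TO_PRD_SYNC", "QAS", "PRD", "RFC_SYNC", "SYSTEM", False, frozenset({"SAP_ALL"})),
]


if __name__ == "__main__":
    for name, (sev, findings) in audit(SAMPLE_DESTINATIONS).items():
        print(f"{sev:8} {name:24} {', '.join(findings) or '-'}")
```

Running the sample reports DEV_TO_PRD_ADMIN and QAS_TO_PRD_SYNC as CRITICAL (upward into Prd with SAP_ALL behind the connection), DEV_TO_PRD_BATCH as MEDIUM (upward, but a restricted system user) and the downward transport connection as OK. The system user with a restricted profile is still listed: the direction of the connection is itself a finding under the first rule, even when the user behind it is limited.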
