SAP Pentest Playbook

OS Command execution

Description

There are various ways to execute OS commands from ABAP. Depending on the function used to execute the command, the authorization object S_LOG_COM or S_C_FUNCT is checked in some, but not all, of the cases listed below. The execution itself is performed by the ABAP kernel with the OS-level privileges of the user <SID>adm or SAPService<SID> (Windows).

Risk

If an attacker can execute arbitrary OS commands, this leads to a full compromise of the system, among other reasons because of the implicit trust relation between the OS user and the database: you can go from the OS user to the database without providing a password. On SAP HANA, for example, the hdbsql executable on the OS can be used with the -U DEFAULT flag to execute SQL queries (insert, update, select, etc.) directly in the SAP schema without providing any additional authentication details.

Examples:

  • Exfiltrate private SSH keys
  • Overwrite SAP kernel binaries or ACL files
  • Inject code into custom scripts
  • Extract the secure store
  • Via the DB trust relation extract password hashes, create SAP users with SAP_ALL directly in the DB
  • Delete log/trace files

In certain cases, user input filtering can be bypassed, and the attack then leads to a full compromise of the system. If execution is limited to a single command, the business impact depends on that command and on the user input allowed for it, e.g. its parameters.

Options

  • Transaction SM69 (add, change & execute)
  • Transaction SM49 (execute only)
  • ABAP Report RSBDCOS0
  • Function Modules (remote enabled)
    • SXPG_STEP_XPG_START
    • SXPG_STEP_COMMAND_START
    • SXPG_CALL_SYSTEM
    • SXPG_COMMAND_EXECUTE
  • Custom code / third-party code (ABAP CALL 'SYSTEM')
  • Vulnerable Components (e.g. SAP RFC Gateway)
  • Schedule Background Jobs as user DDIC
  • Instance profile (executed upon (re)starting SAP): Execute_XX = <your_command_to_execute_here> (XX = number like 01)
  • SAP Kernel call from ABAP coding: CALL 'ThWpInfo' ID 'OPCODE' FIELD (Linux only)

		REPORT ZTEST.
		DATA OPCODEXEC TYPE X VALUE 9.
		CALL 'ThWpInfo' ID 'OPCODE' FIELD OPCODEXEC
		                ID 'SERVER' FIELD ''
		                ID 'PROG'   FIELD 'mkdir '
		                ID 'ARGC'   FIELD 1
		                ID 'ARG1'   FIELD '/tmp/blablabla'.
		WAIT UP TO '0.9' SECONDS.

Mitigation

  • Each of the options above needs its own mitigation approach, based on the authorization objects S_LOG_COM and S_C_FUNCT
  • Disable CALL 'SYSTEM' using the profile parameter rdisp/call_system
  • Ensure gw/rem_start is set to DISABLED. It can be changed dynamically to this secure value; a rollback to an insecure value, however, requires a system restart. If another value is explicitly required, make sure a strong ACL is in place.
  • Strengthen/define the ACL in secinfo for SAP RFC Gateway security.
  • Continuously audit the use of calls to OS-level programs via transaction SM21
  • Review custom-maintained OS commands in transaction SM69
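As an added example (not part of the playbook), a small POSIX shell script that reviews an instance profile for the settings listed above: rdisp/call_system, gw/rem_start and any Execute_XX startup commands. The profile path and the profile contents are constructed sample data, not taken from a real system.

```sh
#!/bin/sh
# Added example (not from the playbook): audit an SAP instance profile for the
# OS-command related parameters named under Mitigation. The profile path and
# its contents below are constructed sample data, not a real system.
PROFILE="${TMPDIR:-/tmp}/sap_profile_sample.pfl"
cat > "$PROFILE" <<'EOF'
SAPSYSTEMNAME = ABC
INSTANCE_NAME = D00
# weak settings a reviewer should flag
rdisp/call_system = 1
gw/rem_start = REMOTE_SHELL
Execute_01 = /usr/sap/ABC/SYS/exe/run/somescript.sh
gw/sec_info = $(DIR_DATA)/secinfo
EOF

# Normalise the profile to one "name=value" per line (comments and blanks dropped).
profile_params() {
  sed -e 's/#.*$//' -e 's/[[:space:]]*=[[:space:]]*/=/' \
      -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" | grep '=' || true
}

# Value of parameter $2 in profile $1; the last definition wins, empty if absent.
profile_value() {
  profile_params "$1" | grep -i "^$2=" | tail -n 1 | cut -d= -f2-
}

# Print one OK/FAIL/WARN line per check; the return code is the number of findings.
audit_sap_profile() {
  fails=0
  cs=$(profile_value "$1" rdisp/call_system)
  if [ "$cs" = "0" ]; then echo "OK   rdisp/call_system=0 (CALL 'SYSTEM' disabled)"
  else echo "FAIL rdisp/call_system=${cs:-<default>} (set 0 to disable CALL 'SYSTEM')"; fails=$((fails+1)); fi
  rs=$(profile_value "$1" gw/rem_start)
  if [ "$rs" = "DISABLED" ]; then echo "OK   gw/rem_start=DISABLED"
  else echo "FAIL gw/rem_start=${rs:-<default>} (expected DISABLED, else strict secinfo ACL)"; fails=$((fails+1)); fi
  # Every Execute_XX entry is a command run at instance (re)start and must be reviewed.
  profile_params "$1" | grep -i '^Execute_[0-9][0-9]*=' | while IFS= read -r line; do
    echo "WARN startup command: $line"
  done
  n=$(profile_params "$1" | grep -ic '^Execute_[0-9][0-9]*=' || true)
  fails=$((fails+n))
  return "$fails"
}

rc=0; audit_sap_profile "$PROFILE" || rc=$?
echo "findings: $rc"
```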

References