Hi Julius,

I´m not sure whether the next hack could be consider "exceptional, spectacular and funny " since is quite old but when I read it the first time I used those adjectives to describe it.

As I said, is something that I found in the web (...) and the article describes how to gain shell access to your SAP ABAP system when SAP lives in a Unix server. The procedure used is via injection code.

The article is short and very clear so the best for a person that doesn´t know it is read it but roughly the idea is to find a FM that has a weak security and where you can insert code. The candidate is TH_GREP that launchs the unix command grep.

Hack:

Try to see if your user can execute the FM TH_GREP via SE37 or SM51. If so, open x windows and get fun with your sidadm session

Solution:

I think that I SAP created a Support Package in order to solve the problem (the SP restricted the permission needed to execute TH_GREP)

Note: The method is so simple that I tried in my lab systems but I didn´t succeed. Since the method is injection code I tried to insert a `touch file` command but it didn´t work. Hoping is not consider cross-posting I would like to know if someone else managed to make it work.

Best regards,

Félix

Edited by: Frank Koehntopp on Apr 11, 2011 4:01 PM

Hi Martin,

I tried with "" || HOSTNAME || "" (and some variations of it) but didn´t manage neither. Since I have also access to OS with sidadm I tried the command grep directly executed by sidadm and the nearest thing that worked was:

#grep `|hostname|` file

OS is HP-UX 11.23 and SHELL of sidadm is /usr/bin/csh. For sure I´m missing something but don´t what.

Best regards,

Félix

 Solution:
I think that I SAP created a Support Package in order to solve the problem (the SP restricted the permission needed to execute TH_GREP)

What you are looking for is [SAP Note 1433101 - Misuse of the search function in transaction SM51|https://service.sap.com/sap/support/notes/1433101] which "normalizes" the input for systems on UNIX.

Cheers,

Julius

BTW you can also bypass the S_ADMI_FCD check, but then this happens:

if use_sxpg = th_true.
      call function 'SXPG_COMMAND_EXECUTE'
        exporting COMMANDNAME = 'SAPGREP'
                  additional_parameters = grep_params
                  operatingsystem = opsys
        importing status = status
                  exitcode = exitcode
        tables exec_protocol = findlist
        exceptions others = 1.

    else.
      perform call_system tables result
                          using grep_params opsys.
    endif.

The "call 'system'" form does not prior check whether this c-call is infact allowed, but the kernel function itself does!

So if you take a closer look at RZ11 param rdisp/call_system then you will see that you can turn it off, and divert well written code to the SXPG application function module (which makes all the S_LOG_COM and S_RZLADM checks beyond the boundary of the function module's interface...).

By default installation value, rdisp/call_system is not disabled and is a dynamic parameter.

If you disable it and set your secinfo gateway controls to "local" or "identical" hosts, then you force the caller to pass via well written application code (such as the SXPG functions) and have a documentable concept to work with.

Cheers,

Julius

PS: Note that before diabling call 'system' you must check your custom Z* and Y* programs for use of this technique. It is quite popular and tempting in some "cowboy coding"...

Have you tried setting your breakpoint just ahead of the the RFC call and then switch to "/HS" and F5 the function. You should be able to step into it.

I suspect the variable is (re)set by one of the c-calls in forms executed before the "call 'system'", such as for example when sy-index = 0 in the local "wpinfo".

Via secure config, up-to-date patch levels and correct (and well built) authorizations it can however be contained IMO.

Cheers,

Julius

I found out why I wasn´t able to inject code. I knew that my system was patched with 1433101 but i didn´t care so much because my user had SAP_ALL and the patch just added extra control with role "S_ADMI_FCD".

What I didn´t realise is that they changed also TH_GREP itself so everything you write in the text box will go between '' so now is sure that just will go text and not possible (as far as I know) to execute commands. I tried in a system not patched and worked perfectly

• if this is UNIX

*

• Avoid bad termination of the search pattern. This could lead to uncontrolled execution

• of any OS command! We enclose the given search pattern with a single quote (').

• - Therefore the shell will not expand this string. As a consequence we don't need a special

• handling for backward quotes >`<.

• - to allow (') as a part of the search pattern and to avoid bad termination of the

• search pattern we expand it to '"'"'. This means we

• - terminate the previous part of the search pattern

• - concatenate this with search pattern "'".

• - open a following part of the search pattern.

replace all occurrences of '''' in local_string with '''"''"'''.

concatenate '''' local_string '''' filename into grep_params

So per above, Julius, what you mention, would it work? I tried to understand it but my background is technical and ABAP skills are between zero and none

Martin: This code won´t affect to Windows and I think is the only piece of code they changed so I guess that if you have permissions or you do what Julius says then you will be able to inject code.

BTW: my next step is to try it thru ICM but that will be after vacations

Best regards,

Félix

Actually the note mentions S_ADMI_FCD as a "role" although it is an "authorization object".

The note did not add new checks. It is the ALV program behind SM51 which makes a check on this object before calling the TH_GREP command function. Other programs might not. The note mentions that the risk is mitigated as only admins should have roles which contain this object S_ADMI_FCD....

What was done is that the input was "normalized" such that the command passed to the SXPG or the c-function 'SYSTEM' could not include additional (random...) commands in the string.

Actually the code should never reach this c-function call, unless it is performed by another external calling program using the extention IN PROGRAM or variants of it.

There is also a blog about it. Search for "('(".

but that will be after vacations 

You can read about these variants using [ABAP programming security|http://www.sap-press.de/2037]. Make sure you are wearing lots of sun-cream, socks, sandals and a hat with propeller on the top when reading this book on the beach....

Cheers,

Julius

Well, back from holidays. Julius, unfortunately the weather in my region wasn´t warm enough and didn´t have a chance to use sun-lotion. Luckly I had your link for enjoying the mornings (just joking, no so crazy)

As I told you, I´ve continued with ICM approach. Using a web service client (soapUI) , a non-patch SAP system and a user with SAP_ALL rights is easy to get also a unix session of sidadm.

The last step would be to try to use user EARLYWATCH (with standard roles and profiles) in 066. I read somewhere that it should work too. I checked that with sapgui EARLYWATCH can execute TH_GREP thru SM51 but can´t do it thru SE37. But when I try using the web service client I get error 401 unauthorized.

So the question is: do you think it should work?

I think you should check your own authorizations and trace them...

One of my favorite was the SUPRN function that allowed SAP_ALL to be assigned without a trace.

It did create change documents. Now it also makes authority checks... but as the function is not remote enabled this means you have strong enough auths to do anything anyway in SE37.

This is a backdoor to SE80-functionality. 

There are many such navigation paths. Since a few years now there is an SE80 tcode check in them (except fror the debugger - also in display mode...).

And guess how mad the end user was when he understood we have stopped his backdoor to SAP_ALL.

End user with authorizations to execute arbitrary function modules?

This is however also a symptom of other problems at times, most notably bad programming... --> It is not only insubordination of the security concept, but sometimes a reaction to it when security admins allow themselves SAP_ALL type of access but the application roles are insufficiently built and attempts are made to restrict developers and basis folks at tcode "type of" level in development systems.

You will crack your scull trying to do this!

If you restrict developers and basis folks in DEV but your roles are crap in PROD (for them to use the available control mechanisms of!), then what other option do they have than hard-coding?

Sure, developers are often the "guilty ones" but I also sympathise with them very often when I see the options they are given to use the implemented authorization concept.

Cheers,

Julius

Here is another one to watch out for...

Consultants create SoD compliant roles at the object level and all hell breaks loose in GRC when the assignments are made.

So... they create variant and parameter transactions per org. level which call the standard transactions.

I have seen them trying to maintain the org. levels in Su24 as well.....

Personally I would recommend that customers take legal action against such consulting "workarounds" ...

Cheers,

Julius

If you use the report RSUSUR008_009_NEW with your own rule set, due to the usage of the "OR" operand in the authorization ID, there would be quite a few 'false positives" shown. (this is nothing different from the few tools tested in the market)

to avoid false positive, create different variants for execution (1) for Critical transactions (2) For Critical authorizations.

download both and use VLOOKUP in Excel. This gives a terrific result

Is this a workaround?....Well, I think so

The "hack" is to use the "Group" field within the Authorization IDs...

Julius - I've never heard of a variant or parameter transaction before. Is there a way to scan for this "workaround" to see if it has been implemented in our systems? What are these?

Very good question. I will add it to the list of tricky interview questions (other sticky thread about "some fun to tickle your brain").

Cheers,

Julius

Edited by: Julius Bussche on Sep 30, 2011 11:45 PM

Ok - I learned about these transactions - basically they are custom tcodes that call a standard tcode using a screen or parameter variant. But what is the connection to Org.fields and SU24?

You cannot maintain org. fields in SU24, but you can pass them as parameters to transactions.

If you do not maintain SU24 for the parameter transaction, it pulls the proposals for the core transaction which the parameters are passed to.

That is one of the reasons why S_TABU_DIS always pesters you - (until recently).

Cheers,

Julius