Insight on SAP security, development stuff and all the rest
Mar 14
Lock your backdoor: Detecting hardcoded usernames in ABAP
Hello everybody!
A few months have passed since my last post, so it's about time for a new one!
Username as a code condition
The system field SY-UNAME contains the name of the currently logged-on user and is quite frequently used by developers to facilitate tests by adding special conditions to their code. The block of code that is executed depending on the current user's name is usually only intended for the developer him/herself.
Although developer guidelines almost always include the obligation to make use of AUTHORITY-CHECKs, these checks might interfere with functional tests and people might want to circumvent them (just for the tests, of course). No matter what the intention was, this approach leads to programs that do authorization checks for all users except for the developer of the code... bad thing!
The following code snippet is probably one of the most prominent examples:
IF sy-uname <> 'DEVELOPER'.
  AUTHORITY-CHECK ...
ENDIF.
Right after the successful test phase, the code is transported to production and the conditional code might never be made universal...
If we consider malicious behavior, such code is called a backdoor and/or hidden function, and this means that there is a need for action (at least to protect your developer colleagues)!
How to detect it
To find affected code, the SAP standard report RS_ABAP_SOURCE_SCAN is of great help: you can use it to search for plain strings or expressions in reports, classes, etc.
Since we're interested in IF conditions that check the value of SY-UNAME, I'd suggest searching using "IF.*sy-uname" as the expression and ticking the checkbox "String is standard expression".
In the sample below, I limited the code to search into programs with name Z*, but you might probably want to adjust this according to your needs (e.g. your registered namespaces).
The result shows two different conditions that use SY-UNAME in a possibly evil way:
Detection gaps
The search expression above is rather straightforward...
Unfortunately, it can be tricked easily by a developer who knows it:
DATA: foobar TYPE syuname.
foobar = sy-uname.
* Obfuscated condition
IF foobar <> 'MYSELF'.
  AUTHORITY-CHECK ...
ENDIF.
So when you establish controls to prevent the usage of user-based conditions, this is something to keep in mind.
Humans are usually better at detecting fuzzy patterns than computers are...
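As an added example (not code from this post or from SAP), here is a small Python scanner over ABAP source that goes beyond the plain "IF.*sy-uname" search: it flags the direct comparison, follows a variable assigned from sy-uname (the alias trick shown above), and also catches the dynamic ASSIGN of the literal 'SY-UNAME' that comes up in the comments below. The ABAP fragments are constructed, and the alias tracking is a deliberately simple single-pass approximation (no scoping, no flow analysis).

```python
import re

# Constructed ABAP fragments: direct comparison, alias variable, dynamic ASSIGN, clean control.
DIRECT = """IF sy-uname <> 'DEVELOPER'.
  AUTHORITY-CHECK OBJECT 'S_TCODE' ID 'TCD' FIELD 'SE38'.
ENDIF."""
ALIASED = """DATA: foobar TYPE syuname.
foobar = sy-uname.
* Obfuscated condition
IF foobar <> 'MYSELF'.
  AUTHORITY-CHECK OBJECT 'S_TCODE' ID 'TCD' FIELD 'SE38'.
ENDIF."""
DYNAMIC = """DATA: field TYPE string.
FIELD-SYMBOLS: <fs> TYPE any.
field = 'SY-UNAME'.
ASSIGN (field) TO <fs>.
IF <fs> = 'DEVELOPER'.
  AUTHORITY-CHECK OBJECT 'S_TCODE' ID 'TCD' FIELD 'SE38'.
ENDIF."""
CLEAN = """IF sy-subrc <> 0.
  MESSAGE e001(00).
ENDIF."""

# "target = value." or "target = 'literal'." (group 2 remembers the quote, if any)
ASSIGN_RE = re.compile(r"^([\w<>/-]+)\s*=\s*('?)([\w<>/-]+)\2\s*\.$")
DYN_RE = re.compile(r"^assign\s*\(\s*([\w/-]+)\s*\)\s+to\s+(<[\w/-]+>)\s*\.$")  # ASSIGN (name) TO <fs>.
BRANCHING = ("if", "elseif", "case", "check", "when")

def find_user_conditions(source):
    """Return (line number, variable) for each IF/CASE/CHECK whose condition
    reads SY-UNAME directly or via a variable that statically carries it."""
    findings, aliases, holders = [], {"sy-uname"}, set()
    for no, raw in enumerate(source.splitlines(), start=1):
        line = raw.strip().lower()
        if not line or line[0] in "*\"":          # blank line or ABAP comment
            continue
        if m := ASSIGN_RE.match(line):
            target, quoted, value = m.groups()
            if quoted and value == "sy-uname":     # field = 'SY-UNAME'.
                holders.add(target)
            elif not quoted and value in aliases:  # foobar = sy-uname.
                aliases.add(target)
        elif (m := DYN_RE.match(line)) and m.group(1) in holders:
            aliases.add(m.group(2))                # ASSIGN (field) TO <fs>.
        tokens = line.rstrip(".").split()
        if tokens and tokens[0] in BRANCHING:
            for tok in tokens[1:]:
                if tok in aliases:                 # condition reads the user name
                    findings.append((no, tok))
                    break
    return findings
```

Operators written without surrounding spaces (e.g. sy-uname<>'X') are not tokenised here; a real scanner would use a proper ABAP tokeniser, which is exactly what the Code Inspector's token search gives you.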
Countermeasures
Code that is bypassed based on the value of SY-UNAME should never be used!
All instances of hardcoded usernames in customer code used on productive systems should be corrected.
Controls should be established to prevent such code from being transported.
You might want to integrate the use of the SAP Code Inspector into your transport process.
See ya!
René van Mil
March 17th, 2014 15:53
Hi Daniel, nice post!
This unfortunately is something I see way too often when working with ABAP code, and it tends to end up in production regularly.
It's easy to spot though if you use the Code Inspector as part of your development process (I always run the inspector before releasing something for transport).
You can detect the usage of sy-uname by creating a Code Inspector check variant (transaction SCI) and selecting the option Search Functions > Search of ABAP Tokens and entering *SY-UNAME* as one of the values. Make sure to check both the Comments and Literals options.
It should even detect it inside obfuscated code like this:
DATA: FIELD TYPE STRING.
FIELD-SYMBOLS: <fs> TYPE ANY.
FIELD = 'SY-UNAME'.
ASSIGN (FIELD) TO <fs>.
IF <fs> = 'DEVELOPER'.
  AUTHORITY-CHECK ...
ENDIF.
Daniel Berlin
March 17th, 2014 19:52
Thanks René, that's very valuable and helpful information!
Copyright 2016 Daniel Berlin