
Daniel Berlin on Security

Insight on SAP security, development stuff and all the rest

Mar 14

Lock your backdoor: Detecting hardcoded usernames in ABAP

Hello everybody!
A few months have passed since my last post, so it's about time for a new one!

Username as a code condition

The system field SY-UNAME contains the name of the currently logged-on user and is quite frequently used by developers to facilitate tests by adding special conditions to their code. The block of code that is executed depending on the current user's name is usually only intended for the developer him/herself.

Although developer guidelines almost always include the obligation to make use of AUTHORITY-CHECKs, these checks might interfere with functional tests and people might want to circumvent them (just for the tests, of course). No matter what the intention was, this approach leads to programs that do authorization checks for all users except for the developer of the code... bad thing!

The following code snippet is probably one of the most prominent examples:

    " The authorization check is skipped entirely while DEVELOPER is logged on
    IF sy-uname <> 'DEVELOPER'.
      AUTHORITY-CHECK ...
    ENDIF.

Right after the successful test phase, the code is transported to production, and the conditional code might never be made universal...

If we consider malicious behavior, such code is called a backdoor and/or a hidden function, and this means that there is a need for action (at least to protect your developer colleagues)!

How to detect it

To find affected code, the SAP standard report RS_ABAP_SOURCE_SCAN is of great help: you can use it to search for plain strings or expressions in reports, classes, etc.

Since we're interested in IF conditions that check the value of SY-UNAME, I'd suggest searching with "IF.*sy-uname" as the expression and ticking the checkbox "String is standard expression".

In the sample below, I limited the search to programs with name Z*, but you will probably want to adjust this according to your needs (e.g. your registered namespaces).

The result shows two different conditions that use SY-UNAME in a possibly evil way:


Detection gaps

The search expression above is rather straightforward...
Unfortunately, it can be tricked easily by a developer who knows it:

    " The user name is copied into a local variable first, so the
    " IF statement itself never mentions sy-uname
    DATA: foobar TYPE syuname.
    foobar = sy-uname.

    * Obfuscated condition
    IF foobar <> 'MYSELF'.
      AUTHORITY-CHECK ...
    ENDIF.

So when you establish controls to prevent the usage of user-based conditions, this is something to keep in mind.
Humans are usually better at detecting fuzzy patterns than computers are...

Countermeasures

Code that is bypassed based on the value of SY-UNAME should never be used!
All instances of hardcoded usernames in customer code used on productive systems should be corrected.
Controls should be established to prevent such code from being transported.
You might want to integrate the use of the SAP Code Inspector into your transport process.

See ya!

Comments (2)

René van Mil
March 17th, 2014 15:53

Hi Daniel, nice post!
This unfortunately is something I see way too often when working with ABAP code, and it tends to end up in production regularly.
It's easy to spot though if you use the Code Inspector as part of your development process (I always run the inspector before releasing something for transport).
You can detect the usage of sy-uname by creating a code inspector check variant (transaction SCI) and selecting the option Search functions > Search of ABAP tokens and enter *SY-UNAME* as one of the values. Make sure to check both Comments and Literals options.
It should even detect it inside obfuscated code like this:

    DATA: FIELD TYPE STRING.
    FIELD-SYMBOLS: <fs> TYPE ANY.
    " The field name only appears as a literal; the token search with
    " the Literals option still finds it
    FIELD = 'SY-UNAME'.
    ASSIGN (FIELD) TO <fs>.
    IF <fs> = 'DEVELOPER'.
      AUTHORITY-CHECK ...
    ENDIF.

Daniel Berlin
March 17th, 2014 19:52

Thanks René, that's very valuable and helpful information!
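As an added example (not code from the post, the comment or SAP), a small Python scanner that runs the post's "IF.*sy-uname" expression, a Code Inspector style token search as described in the comment above, and a two-pass scan that follows the user name into aliases and field symbols, over constructed ABAP sources modelled on the three snippets on this page; program names and the authority object are made up for the example.

```python
import re

# Constructed ABAP sources modelled on the post's and the comment's snippets.
SOURCES = {
    "Z_PLAIN": ["IF sy-uname <> 'DEVELOPER'.",
                "  AUTHORITY-CHECK OBJECT 'S_TCODE' ID 'TCD' FIELD 'SE38'.",
                "ENDIF."],
    "Z_ALIAS": ["DATA: foobar TYPE syuname.",
                "foobar = sy-uname.",
                "* Obfuscated condition",
                "IF foobar <> 'MYSELF'.",
                "  AUTHORITY-CHECK OBJECT 'S_TCODE' ID 'TCD' FIELD 'SE38'.",
                "ENDIF."],
    "Z_DYNAMIC": ["DATA: field TYPE string.",
                  "FIELD-SYMBOLS: <fs> TYPE any.",
                  "field = 'SY-UNAME'.",
                  "ASSIGN (field) TO <fs>.",
                  "IF <fs> = 'DEVELOPER'.",
                  "  AUTHORITY-CHECK OBJECT 'S_TCODE' ID 'TCD' FIELD 'SE38'.",
                  "ENDIF."],
}

POST_PATTERN = re.compile(r"IF.*sy-uname", re.I)   # expression from the post
TOKEN = re.compile(r"sy-uname", re.I)              # token search incl. literals/comments
COND = re.compile(r"^\s*(IF|ELSEIF|CHECK|WHILE|CASE)\b", re.I)
COPY = re.compile(r"^\s*(?:MOVE\s+sy-uname\s+TO\s+(\S+)|(\S+)\s*=\s*sy-uname)\s*\.", re.I)
NAME_LIT = re.compile(r"^\s*(\S+)\s*=\s*'SY-UNAME'\s*\.", re.I)
DYN_ASSIGN = re.compile(r"^\s*ASSIGN\s*\((\S+)\)\s+TO\s+(<\w+>)\s*\.", re.I)

def regex_scan(lines):
    """1-based line numbers matching the post's RS_ABAP_SOURCE_SCAN expression."""
    return [n for n, l in enumerate(lines, 1) if POST_PATTERN.search(l)]

def token_scan(lines):
    """Lines mentioning sy-uname anywhere, comments and literals included."""
    return [n for n, l in enumerate(lines, 1) if TOKEN.search(l)]

def taint_scan(lines):
    """Pass 1 collects every name carrying the user name (copy, MOVE, or a field
    symbol ASSIGNed via the literal 'SY-UNAME'); pass 2 flags conditions using them."""
    carriers, holds_name = {"sy-uname"}, set()
    for l in lines:
        if m := COPY.match(l):
            carriers.add((m.group(1) or m.group(2)).lower())
        elif m := NAME_LIT.match(l):
            holds_name.add(m.group(1).lower())
        elif (m := DYN_ASSIGN.match(l)) and m.group(1).lower() in holds_name:
            carriers.add(m.group(2).lower())
    return [n for n, l in enumerate(lines, 1)
            if COND.match(l) and set(re.findall(r"<?[\w-]+>?", l.lower())) & carriers]
```

The regex from the post only flags Z_PLAIN, the token search flags every program but points at the copy or literal rather than the condition, and the alias-following scan reports the IF line in all three cases.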


Copyright 2016 Daniel Berlin
