Job management in SAP® offers a large attack surface for external manipulation. The possibilities range from abusing vulnerabilities in certain SAP standard jobs, through changing critical job attributes, to defining and including complete jobs via transport request.
Every SAP Basis administrator knows the job SAP_COLLECTOR_FOR_PERFMONITOR. It collects statistical data from files and inserts it into tables, which can be read and processed by transactions such as ST03 and ST03N. To do this, the job runs several reports, whose names it reads from the table TCOLL. When this table is maintained manually, added reports are checked against the fixed values of the domain COLL_RNAME, which impedes abuse. Via transport, however, arbitrary reports can be added: when the job is executed, the reports listed in TCOLL are not checked against the domain's fixed values. Furthermore, SAP_COLLECTOR_FOR_PERFMONITOR runs in the context of the user DDIC or an equivalent user, so attackers will rarely encounter authorization issues. Although the job runs in client 000, this is no real limitation for an attack.
In general, as long as an attacker knows the internal job number, any job can be used as a Trojan horse for attacks. Examples of this are:
- Adding/editing/deleting job steps
- Changing the executing user of a job step
- Changing the status of a job
If the job number is unknown, an attacker can nevertheless define a complete job and include it in a productive system via transport. The three tables TBTCO, TBTCP and TBTCS are sufficient for this.
The following can be concluded for the transport request check:
- R3TR TABU TCOLL
  - Possible attack attempt
  - If the report is not defined as a fixed value of the domain COLL_RNAME, an attack attempt is highly probable!
  - Transports to the content of the table TCOLL should be prohibited in general.
- R3TR TABU TBTC*
  - Certain attack attempt! Someone is trying to circumvent the job management system from the outside in order to manipulate existing jobs or to define and include new jobs.
In order to further mask an attack, entries of the tables mentioned above can be concealed within a superordinate object. These include:
- View Cluster (R3TR CDAT <random object name>)
- Maintenance View (R3TR VDAT <random object name>)
- Customizing Data (R3TR TDAT <random object name>)
In these cases, too, an entry has to be considered a definitive attack attempt! Only checking all transport requests, as mentioned in our previous blog posts, helps against such an attack.
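The request check described above can be automated over an exported transport object list. The following Python code is an added example, not code from the original post or from Virtual Forge; the input dictionary format, the request IDs and the object and report names are constructed assumptions, and the allowlist stands in for the COLL_RNAME fixed values read from your own system.

```python
from fnmatch import fnmatchcase

POSSIBLE, PROBABLE, CERTAIN = "possible", "highly probable", "certain"
WATCHED = ("TCOLL", "TBTC*")            # tables named in the article
CONTAINERS = {"CDAT", "VDAT", "TDAT"}   # objects that can conceal table entries

def _watched(table):
    return any(fnmatchcase(table.upper(), p) for p in WATCHED)

def classify(entry, allowed):
    """Return (severity, reason) for one object-list entry, or None."""
    if entry["pgmid"] != "R3TR":
        return None
    obj, name = entry["object"], entry["name"].upper()
    if obj in CONTAINERS:
        hidden = sorted(t.upper() for t in entry.get("tables", ()) if _watched(t))
        return (CERTAIN, f"{obj} {name} conceals {', '.join(hidden)}") if hidden else None
    if obj != "TABU" or not _watched(name):
        return None
    if name != "TCOLL":
        return CERTAIN, f"direct transport of job table {name}"
    unknown = sorted(r.upper() for r in entry.get("reports", ()) if r.upper() not in allowed)
    if unknown:
        return PROBABLE, f"TCOLL reports outside COLL_RNAME: {', '.join(unknown)}"
    return POSSIBLE, "TCOLL content transported"

def scan(entries, allowed_reports):
    """Classify every entry; returns [(request, severity, reason), ...]."""
    allowed = {r.upper() for r in allowed_reports}
    hits = ((e["request"], classify(e, allowed)) for e in entries)
    return [(req, *res) for req, res in hits if res]

# Assumed (hypothetical) export format: 'tables' = tables inside a container
# object, 'reports' = report names in transported TCOLL rows. Constructed data.
ALLOWED = ["ALLOWED_PLACEHOLDER"]  # stands in for your system's COLL_RNAME values
SAMPLE = [
    {"request": "REQ0001", "pgmid": "R3TR", "object": "TABU", "name": "TCOLL",
     "reports": ["ZPLACEHOLDER_REPORT"]},
    {"request": "REQ0002", "pgmid": "R3TR", "object": "TABU", "name": "TBTCP"},
    {"request": "REQ0003", "pgmid": "R3TR", "object": "VDAT", "name": "ZSOME_VIEW",
     "tables": ["TBTCO", "TBTCS"]},
    {"request": "REQ0004", "pgmid": "R3TR", "object": "PROG", "name": "ZHARMLESS"},
    {"request": "REQ0005", "pgmid": "R3TR", "object": "TABU", "name": "TCOLL",
     "reports": ["ALLOWED_PLACEHOLDER"]},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE, ALLOWED):
        print(*finding, sep=" | ")
```

A container object is only flagged when the tables it carries are inspected, so the export has to include the contained table names and not just the object header.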
Virtual Forge TransportProfiler conducts this test and over 100 others automatically for internal as well as external transport objects. Take the first step on your path to an actually secure SAP transport management and schedule an appointment today for a non-binding vulnerability assessment and presentation.
The next entry will deal with the automated execution of reports and function modules after an import.
Read the blog series:
- Dangers in SAP Transport Management Part 1: Circumventing AUTHORITY CHECKS
- Dangers in SAP Transport Management Part 2: Circumventing AUTHORITY CHECKS transaction-specifically
- Dangers in SAP Transport Management Part 4: Automated Code Execution while Importing
- Dangers in SAP Transport Management Part 5: Logical File Names and Operating System Commands