
Dangers in SAP® Transport Management Part 5: Logical File Names and Operating System Commands

January 8, 2018 | By Thomas Fritsch, Virtual Forge GmbH

So that developers do not have to deal with the specifics of the underlying operating system when accessing files or executing OS commands, SAP® uses the concept of logical file names and logical OS commands. A logical file name (and file path) is stored for each physical file name (file path) in question. Analogously, platform-specific physical commands are assigned to a common logical command.

For logical file names, the mapping usually only resolves the platforms' differing path syntax (for example, different separators). For logical OS commands, by contrast, a completely different physical command can be stored for each platform.

From a security perspective, the significant fact is that the physical information behind the logical entities can easily be overwritten or replaced via transport. For logical files, this means that sensitive data can be redirected into a file the attacker has access to, or that data can be read from a file with compromising content. Replacing physical commands is even more dangerous, because the authorization check when the command is called is performed only against the logical command name (authorization object S_LOG_COM) and not against the command that is actually executed. Logical commands can be further protected by assigning a test module, but even this assignment can easily be deactivated via transport.

For the check of transport requests, the following can be concluded:

  • R3TR CDAT FILENAME
    • Possible attack attempt with low probability
    • Changed logical path and file definitions can be recorded in a transport request from the transaction FILE. For this, SAP always uses the view cluster FILENAME.
    • The logical file name or path must be checked thoroughly to confirm its purpose. If an existing definition is updated, special care is required.
  • R3TR TABU PATH, R3TR TABU FILENAMECI
    • Possible attack attempt with higher probability
    • The logical definition has been recorded through manual maintenance of the transport object list.
    • The logical file name or path must be checked thoroughly to confirm its purpose. If an existing definition is updated, special care is required.

  • R3TR TABU SXPGCOSTAB
    • Possible attack attempt with low probability
    • This is a custom command.
    • The logical command must be checked thoroughly to confirm its purpose. If an existing definition is updated, special care is required.
  • R3TR TABU SXPGCOTABE
    • Possible attack attempt with higher probability
    • This is an SAP command.
    • SAP's command definitions must not be changed and therefore do not have to be transported.
    • The table has been added to the transport object list manually, as SAP commands cannot be added to a transport request with the transaction SM69.

In order to further mask an attack, entries of the tables PATH, FILENAMECI, SXPGCOSTAB and SXPGCOTABE can be concealed within a superordinate object. These include:

  • View Cluster (R3TR CDAT <arbitrary object name other than "FILENAME">)
  • Maintenance View (R3TR VDAT <arbitrary object name>)
  • Customizing Data (R3TR TDAT <arbitrary object name>)

In these cases, an entry must be considered a definite attack attempt! Only checking all transport requests as described above helps against such an attack.
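The ratings above can be applied mechanically to an exported transport object list. The following Python code is an added example, not code from Virtual Forge or TransportProfiler; the row layout (request, PGMID, object type, object name, table whose keys the row carries), the request numbers and the object name ZV_SETTINGS are constructed assumptions.

```python
from collections import defaultdict

# Tables named on this page whose entries redirect logical files or OS commands.
SENSITIVE = {"PATH", "FILENAMECI", "SXPGCOSTAB", "SXPGCOTABE"}
# Direct table transports (R3TR TABU <table>) and the rating the page gives them.
TABU_RATING = {"PATH": "higher", "FILENAMECI": "higher",
               "SXPGCOSTAB": "low", "SXPGCOTABE": "higher"}
CONTAINERS = {"CDAT", "VDAT", "TDAT"}  # superordinate objects that can carry table keys
ORDER = ["none", "low", "higher", "definite"]  # ascending severity


def rate_entry(pgmid, obj_type, obj_name, table):
    """Rate one object-list row; `table` is the table whose keys the row carries."""
    pgmid, obj_type = pgmid.upper(), obj_type.upper()
    obj_name, table = obj_name.strip().upper(), table.strip().upper()
    if pgmid != "R3TR":
        return "none"
    if obj_type == "TABU":
        return TABU_RATING.get(obj_name, "none")
    if obj_type == "CDAT" and obj_name == "FILENAME":
        return "low"  # the view cluster that transaction FILE records
    if obj_type in CONTAINERS and table in SENSITIVE:
        return "definite"  # sensitive table concealed inside another object
    return "none"


def rate_requests(rows):
    """Return {request: (worst rating, [rated rows])} for requests with findings."""
    findings = defaultdict(list)
    for request, pgmid, obj_type, obj_name, table in rows:
        rating = rate_entry(pgmid, obj_type, obj_name, table)
        if rating != "none":
            findings[request].append((rating, obj_type, obj_name, table))
    return {req: (max((f[0] for f in hits), key=ORDER.index), hits)
            for req, hits in findings.items()}


# Constructed sample rows: (request, PGMID, object type, object name, table).
SAMPLE = [
    ("DEVK900001", "R3TR", "CDAT", "FILENAME", "PATH"),
    ("DEVK900002", "R3TR", "TABU", "SXPGCOTABE", "SXPGCOTABE"),
    ("DEVK900003", "R3TR", "VDAT", "ZV_SETTINGS", "SXPGCOSTAB"),
    ("DEVK900003", "R3TR", "TABU", "SXPGCOSTAB", "SXPGCOSTAB"),
    ("DEVK900004", "R3TR", "PROG", "ZREPORT", ""),
]

if __name__ == "__main__":
    for request, (worst, hits) in sorted(rate_requests(SAMPLE).items()):
        print(request, worst, hits)
```

A rating of "low" or "higher" still requires the manual review of the definition described in the list above; the script only decides which requests a reviewer has to open.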

Virtual Forge TransportProfiler conducts this test and over 100 others automatically for internal as well as external transport objects. Take the first step on your path to an actually secure SAP transport management and schedule an appointment today for a non-binding vulnerability assessment and presentation.

The next entry will deal with tables whose contents SAP prohibits from being exported (for different reasons) and how attackers can export them unnoticed anyway.

Read the blog series
Dangers in SAP Transport Management Part 1: Circumventing AUTHORITY CHECKS
Dangers in SAP Transport Management Part 2: Circumventing AUTHORITY CHECKS transaction-specifically
Dangers in SAP Transport Management Part 3: Manipulation of Job Management
Dangers in SAP Transport Management Part 4: Automated Code Execution while Importing 


