
Dangers in SAP Transport Management Part 6: Transport of prohibited table contents

February 13, 2018 | From Thomas Fritsch, Virtual Forge GmbH

There are well over 100 tables in SAP® whose contents must not be transported. Each transport request is checked for such tables when it is saved and again before export. The relevant tables are hard-wired in the function module SYSTAB_CHECK. They are almost exclusively system tables that hold only part of the information belonging to a larger Workbench object, and transporting them on their own can lead to serious inconsistencies in the target system.

However, the list also contains security-relevant tables, such as:

  • T000: Client table
    An attacker could use transport to open a production client for changes.

  • E070, E071, E071K: Metadata for transport requests
    An attacker can cover their tracks by transporting these tables, for example by removing an object from a request's object list after the request has been imported.

  • OBJM: Information on maintenance objects
    This table contains information about after-import methods (see also the article "Automatic code execution while importing"). By storing and transporting such a method, an attacker can execute code unnoticed when the relevant Customizing data is imported.

It is worth noting that the check for all "prohibited" tables can easily be bypassed: it is sufficient to hide the table in question inside a maintenance view or a view cluster, for example.

Some tables are also checked by the SAP transport program R3trans. This check, however, can be deactivated during both export and import of transport requests with the option "Ignore Invalid Table Class". While this option can even be selected in the user interface during import, the export has to be executed programmatically in order to use it. This is not a real obstacle for an attacker.

To sum up, for the verification of transport requests the following rules apply:

  • R3TR TABU <any table from the function module SYSTAB_CHECK>
    • Definitive attack attempt
    • The check was bypassed in the debugger or programmatically
  • R3TR VDAT, CDAT, TDAT *
    • One of the prohibited tables could be hidden in any of these objects. Where this turns out to be the case, the following applies:
      • Definitive attack attempt
      • The check was bypassed by hiding the table in a parent object
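As an added illustration of the two rules above (this is example code, not part of the original article and not Virtual Forge's TransportProfiler), the following Python script classifies the object list of a transport request. Assumptions: the object list is available as a tab-separated dump of PGMID / OBJECT / OBJ_NAME rows (a constructed sample is embedded), the prohibited-table set is only the five tables named in this article rather than the full SYSTAB_CHECK list, and the mapping from a view, view cluster or table object to the tables it covers is supplied by the caller (in a real system it would be resolved from the data dictionary).

```python
"""Classify a transport request's object list against the two rules above.

Example code added to the article; not the original author's or product's code.
The prohibited-table list below is the subset named in the article and is
deliberately incomplete (the real SYSTAB_CHECK list has well over 100 entries).
"""
from dataclasses import dataclass
from typing import List, Mapping, Optional, Set

# Subset of the hard-wired SYSTAB_CHECK tables named in the article.
PROHIBITED_TABLES = frozenset({"T000", "E070", "E071", "E071K", "OBJM"})

# Customizing object types whose contents are a set of tables (view, view
# cluster, table object): a prohibited table can be hidden in any of them.
CONTAINER_OBJECTS = frozenset({"VDAT", "CDAT", "TDAT"})


@dataclass(frozen=True)
class TransportObject:
    """One row of a transport request's object list (PGMID / OBJECT / OBJ_NAME)."""
    pgmid: str
    object: str
    obj_name: str


@dataclass(frozen=True)
class Finding:
    severity: str            # "attack" (definitive) or "suspect" (needs resolution)
    entry: TransportObject
    reason: str


def parse_object_list(text: str) -> List[TransportObject]:
    """Parse a tab-separated object-list dump; blank lines and '#' comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip().upper() for f in line.split("\t")]
        if len(fields) < 3:
            raise ValueError(f"malformed object-list row: {raw!r}")
        entries.append(TransportObject(*fields[:3]))
    return entries


def check_object_list(entries: List[TransportObject],
                      container_tables: Optional[Mapping[str, Set[str]]] = None) -> List[Finding]:
    """Apply the article's two rules to every R3TR entry of the object list.

    container_tables maps a VDAT/CDAT/TDAT object name to the database tables it
    covers (hypothetical caller-supplied input). A container that resolves to a
    prohibited table is a definitive attack; an unresolved container stays 'suspect'.
    """
    container_tables = container_tables or {}
    findings: List[Finding] = []
    for e in entries:
        if e.pgmid != "R3TR":
            continue
        if e.object == "TABU" and e.obj_name in PROHIBITED_TABLES:
            findings.append(Finding("attack", e,
                "content of a SYSTAB_CHECK table transported directly; "
                "the save/export check was bypassed"))
        elif e.object in CONTAINER_OBJECTS:
            hidden = PROHIBITED_TABLES & set(container_tables.get(e.obj_name, set()))
            if hidden:
                findings.append(Finding("attack", e,
                    f"container hides prohibited table(s) {sorted(hidden)}"))
            else:
                findings.append(Finding("suspect", e,
                    "container object; resolve the tables it covers before import"))
    return findings


# Constructed sample object list (not a real transport request).
SAMPLE_OBJECT_LIST = """\
# PGMID\tOBJECT\tOBJ_NAME
R3TR\tTABU\tT000
R3TR\tTABU\tZT_OWN
R3TR\tVDAT\tZV_CUSTOM
R3TR\tCDAT\tZVC_HIDDEN
R3TR\tPROG\tZREPORT
"""

# Hypothetical resolution of container objects to the tables they cover.
SAMPLE_CONTAINER_TABLES = {
    "ZVC_HIDDEN": {"T000", "ZT_OWN"},
}


if __name__ == "__main__":
    for f in check_object_list(parse_object_list(SAMPLE_OBJECT_LIST), SAMPLE_CONTAINER_TABLES):
        print(f"{f.severity:7} {f.entry.pgmid} {f.entry.object} {f.entry.obj_name}: {f.reason}")
```

Run against the sample, the script reports T000 as a definitive attack, ZV_CUSTOM as suspect (no table resolution available) and ZVC_HIDDEN as a definitive attack because its resolved tables include T000; ZT_OWN and the program are not flagged. In practice the `container_tables` mapping is the part that matters: without resolving VDAT, CDAT and TDAT objects to their underlying tables, every such entry has to be treated as suspect.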

Both the sheer number of critical tables and the fact that they can be hidden inside other objects mean that checks based on classic critical-object lists fail.

The VirtualForge TransportProfiler automatically performs this and over 100 other tests on internal and external transport requests. Take the first step towards a truly secure SAP transport management and make an appointment today for a non-binding risk assessment and presentation.

In part 7 of this series we will look at security gaps around RFC communication.

Read the blog series
Dangers in SAP Transport Management Part 1: Circumventing AUTHORITY CHECKS
Dangers in SAP Transport Management Part 2: Circumventing AUTHORITY CHECKS transaction-specifically
Dangers in SAP Transport Management Part 3: Manipulation of Job Management
Dangers in SAP Transport Management Part 4: Automated Code Execution while Importing
Dangers in SAP Transport Management Part 5: Logical File Names and OS Commands