
Dynamic Code Execution

This short article continues the discussion of the second section of the Secure ABAP Development Guide, ‘Critical Calls’. Dynamic code execution in ABAP is possible via statements such as ASSIGN, PERFORM or CREATE OBJECT, which take the name of a field, subroutine, program or class from a variable. If that variable is filled from user input without validation, an attacker can pass in a potentially harmful value, leading to full system compromise that can be hard to investigate.

An example is provided below.

PARAMETERS sname TYPE c LENGTH 30.           " subroutine (form) name, taken from the user
DATA pname TYPE c LENGTH 40 VALUE 'ZREPORT'. " target program; placeholder name

START-OF-SELECTION.
  " Dynamic PERFORM: the form name comes straight from user input
  PERFORM (sname) IN PROGRAM (pname).

The ‘sname’ parameter is passed to a PERFORM statement, which allows calling a subroutine (form) of another program. Because the form name is taken from user input without validation, an attacker can execute any subroutine of the ‘pname’ program. If ‘pname’ is also taken from a parameter, ANY subroutine of ANY program can be called.

Business Risks

Because an attacker can trigger execution of arbitrary existing code, the consequences of insecure use of these statements can be extensive. Which of the classic SAP business risks (espionage, sabotage, fraud or a combination of them) applies depends on the functionality of the program being exploited.

Remediation

To prevent dynamic execution of malicious code, validate all user input that flows into the statements described above against a whitelist of allowed values. The CHECK_WHITELIST_STR and CHECK_WHITELIST_TAB methods of class CL_ABAP_DYN_PRG do exactly this: both return the value if it is contained in the whitelist and raise the exception CX_ABAP_NOT_IN_WHITELIST otherwise.

TYPES whitelist TYPE HASHED TABLE OF string
  WITH UNIQUE KEY table_line.

PARAMETERS sname TYPE c LENGTH 30.                " subroutine (form) name, taken from the user
DATA: pname     TYPE c LENGTH 40 VALUE 'ZREPORT', " target program; placeholder name
      form_name TYPE string.                      " validated form name

START-OF-SELECTION.
  " Entries are uppercase because the input is uppercased before the comparison
  DATA(whitelist) = VALUE whitelist( ( `SUBROUTINE1` ) ( `SUBROUTINE2` ) ( `SUBROUTINE3` ) ).

  TRY.
      form_name = cl_abap_dyn_prg=>check_whitelist_tab(
        val       = to_upper( sname )
        whitelist = whitelist ).
    CATCH cx_abap_not_in_whitelist.
      cl_demo_output=>write(
        `Only the following subroutines are allowed:` ).
      cl_demo_output=>display( whitelist ).
      LEAVE PROGRAM.
  ENDTRY.

  " Only the validated name reaches the dynamic call
  PERFORM (form_name) IN PROGRAM (pname).

In the example above, the user-controlled variable ‘sname’ that holds the subroutine (form) name is checked against a whitelist of three allowed subroutine names. The user can therefore call only one of these three subroutines of the ‘pname’ program; any other value ends the program before the PERFORM is reached. Note that the comparison is exact: since the input is uppercased with to_upper before the check, the whitelist entries must be uppercase as well.
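The following report extends the remediation to the case mentioned earlier in which both the program name and the subroutine name come from user input. It is an added example, not code from the original ERPScan post: the report, program and form names (ZDYN_PERFORM_WHITELIST, ZREPORT_A, ZREPORT_B, EXPORT_DATA, PRINT_SUMMARY) are placeholders, and it shows CHECK_WHITELIST_STR (comma-separated whitelist string) next to CHECK_WHITELIST_TAB (whitelist internal table).

```abap
REPORT zdyn_perform_whitelist.

" Added example (hypothetical report). Both the program name and the form
" name are user input, so both are validated before the dynamic PERFORM.
" All program/form names below are placeholders.

TYPES whitelist TYPE HASHED TABLE OF string
  WITH UNIQUE KEY table_line.

PARAMETERS: p_prog TYPE c LENGTH 40,   " program that contains the form
            p_form TYPE c LENGTH 30.   " subroutine (form) to call

DATA: prog_name TYPE string,           " validated program name
      form_name TYPE string.           " validated form name

START-OF-SELECTION.
  TRY.
      " Program name: short fixed list, checked with CHECK_WHITELIST_STR,
      " whose whitelist is a comma-separated string. Entries are uppercase
      " because the input is uppercased before the comparison.
      prog_name = cl_abap_dyn_prg=>check_whitelist_str(
        val       = to_upper( p_prog )
        whitelist = `ZREPORT_A,ZREPORT_B` ).

      " Form name: list kept in an internal table, checked with
      " CHECK_WHITELIST_TAB (same method as in the remediation above).
      DATA(allowed_forms) = VALUE whitelist( ( `EXPORT_DATA` )
                                             ( `PRINT_SUMMARY` ) ).
      form_name = cl_abap_dyn_prg=>check_whitelist_tab(
        val       = to_upper( p_form )
        whitelist = allowed_forms ).

    CATCH cx_abap_not_in_whitelist INTO DATA(lx_whitelist).
      " Reject the request and stop; never fall through to the PERFORM
      " with the raw input. The exception text names the rejected value,
      " which is worth logging for detection purposes.
      cl_demo_output=>display( lx_whitelist->get_text( ) ).
      LEAVE PROGRAM.
  ENDTRY.

  " Only validated names reach the dynamic call. IF FOUND avoids a runtime
  " error when the form does not exist in the target program.
  PERFORM (form_name) IN PROGRAM (prog_name) IF FOUND.
```

Keeping the validated names in separate variables (prog_name, form_name) rather than reusing the parameters makes it obvious in a code review that nothing unchecked can reach the PERFORM statement.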

That’s it for Dynamic Code Execution. The next entry of ‘Critical Calls’ section will cover Native SQL.


The post Dynamic Code Execution appeared first on ERPScan.