SAP Program To Execute OS Commands
Editorial Note: This article was a collaborative effort by the ERPScan Research Team. We continue describing categories from the list we discussed in our and pursue “Injections,” a type of vulnerability that occurs when an application performs no, or inadequate, validation of user input. An attacker can inject malicious data and thereby perform unintended actions in the system. Such a vulnerability may result in major (,, and ). The subject of this post is OS Command Injection. While it is not as widespread as (the figure below shows only the number of vulnerabilities in software developed by the vendor and does not take custom applications into account), it is much more dangerous than other injections, because when successfully exploited it may give an attacker unfettered access to the OS of the victim.
[Figure: Vulnerability types by SAP platforms]

As the name implies, an attacker can use an OS command injection vulnerability to execute unauthorized commands in the OS. In the case of successful exploitation, the attacker can launch any command, get access to the SAP application with full privileges, and gain access to any file and directory in the file system. So OS command injection, in most cases, means a full system compromise.
If you cannot reach the operating system on which your SAP system runs, you can use the following way to execute operating system commands from SAPgui without any OS connection.
There are two ways to inject OS commands in ABAP.

SAP OS Command Injection via the FILTER Statement

The FILTER addition of OPEN DATASET allows you to run an external program that is started when the file is opened. Such external programs are usually used for file preprocessing. Example:

PARAMETERS p_input TYPE string.
OPEN DATASET 'input.bin' FOR INPUT IN BINARY MODE FILTER p_input.
In this example, p_input is controlled by the user, so it is possible to inject an arbitrary command into it. For example, the attacker can pass the following value to the parameter: rm -f important.conf. As a result, the configuration file important.conf will be deleted.

Remediation

You should specify the names of the preprocessing programs explicitly (as in the example below), or properly filter the input to the variable before using it in FILTER.
Example:

DATA: FOUT(200).
FOUT = 'D:\OUT.TXT'.
OPEN DATASET FOUT FOR INPUT FILTER 'D:\OUTFILTER.BAT' IN TEXT MODE ENCODING DEFAULT.

To filter the input, you can use whitelisting, which can be implemented via the CHECK_WHITELIST_STR and CHECK_WHITELIST_TAB methods of the CL_ABAP_DYN_PRG class:

TYPES whitelist TYPE HASHED TABLE OF string WITH UNIQUE KEY table_line.
PARAMETERS p_input TYPE string.
DATA(whitelist) = VALUE whitelist( ( `PATH1` ) ( `PATH2` ) ( `PATH3` ) ).
TRY.
    " CHECK_WHITELIST_TAB returns the value if it is in the whitelist, otherwise it raises CX_ABAP_NOT_IN_WHITELIST
    p_input = cl_abap_dyn_prg=>check_whitelist_tab( val = to_upper( p_input ) whitelist = whitelist ).
  CATCH cx_abap_not_in_whitelist.
    cl_demo_output=>write( `Only the following paths are allowed:` ).
    cl_demo_output=>display( whitelist ).
    LEAVE PROGRAM.
ENDTRY.
OPEN DATASET 'input.bin' FOR INPUT IN BINARY MODE FILTER p_input.

The whitelist here contains the values 'PATH1', 'PATH2', and 'PATH3' – this is the list of allowed paths.

SAP OS Command Injection via the CALL 'SYSTEM' ID 'COMMAND' FIELD Statement

The 'SYSTEM' kernel call allows you to execute OS commands that are not registered in transactions SM49/SM69. These transactions hold the whitelist of permitted external OS commands.
Example:

PARAMETERS command(255).
DATA: BEGIN OF tabl OCCURS 0,
        line(255),
      END OF tabl.
CALL 'SYSTEM' ID 'COMMAND' FIELD command ID 'TAB' FIELD tabl-line.

In this example, the parameter command passes from the user input to the CALL 'SYSTEM' ID 'COMMAND' statement and is executed without any filtering.
For example, if the command variable holds ‘ping google.com’, this command will be executed on the server.

Remediation

In this case, it is strictly recommended not to use user input data in the CALL ‘SYSTEM’ expression. In addition, you can forbid command calls via SYSTEM by setting the profile parameter rdisp/call_system to ‘0’. This can be done by means of transaction RZ11.

Note: this barring of the call applies to the whole system and can lead to unpredictable consequences, because SAP itself uses CALL 'SYSTEM' to execute OS commands. If for some reason you still need to execute dynamically generated OS commands via CALL ‘SYSTEM’, do not forget about whitelisting. The whitelisting example will be similar to the one above, but with a list of allowed commands instead of paths.

That is all for today, and we hope the article clarified all the questions you had about SAP OS Command Injections. Stay tuned and we’ll consider ABAP Code Injections in the next post.
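To close, an added example (not part of ERPScan's post and not SAP code): a small Python checker that applies the two rules discussed above to ABAP source. It flags OPEN DATASET ... FILTER when the operand is a variable that was not first passed through CL_ABAP_DYN_PRG=>CHECK_WHITELIST_TAB/STR, and flags every CALL 'SYSTEM'. The ABAP snippets it scans are constructed from the statements shown on this page; ABAP comment handling is a stated simplification.

```python
import re

# Constructed ABAP samples built from the statement patterns shown on this page.
VULNERABLE_FILTER = """
OPEN DATASET 'input.bin' FOR INPUT IN BINARY MODE FILTER p_input.
"""
SAFE_FILTER = """
OPEN DATASET fout FOR INPUT FILTER 'D:\\OUTFILTER.BAT' IN TEXT MODE ENCODING DEFAULT.
"""
WHITELISTED_FILTER = """
p_input = cl_abap_dyn_prg=>check_whitelist_tab( val = to_upper( p_input ) whitelist = whitelist ).
OPEN DATASET 'input.bin' FOR INPUT IN BINARY MODE FILTER p_input.
"""
CALL_SYSTEM = """
CALL 'SYSTEM' ID 'COMMAND' FIELD command ID 'TAB' FIELD tabl-line.
"""

def split_statements(src):
    """Split ABAP source on the statement-ending period, skipping periods inside '...'/`...` literals. Simplification: ABAP comment lines (* in column 1, " inline) are not handled."""
    stmts, buf, quote = [], [], None
    for ch in src:
        if quote:
            if ch == quote:
                quote = None
        elif ch in ("'", "`"):
            quote = ch
        elif ch == ".":
            stmts.append(" ".join("".join(buf).split()))  # normalise whitespace
            buf = []
            continue
        buf.append(ch)
    return [s for s in stmts if s]

FILTER_RE = re.compile(r"^OPEN\s+DATASET\b.*?\bFILTER\s+(\S+)", re.I)
SYSTEM_RE = re.compile(r"^CALL\s+'SYSTEM'", re.I)
GUARD_RE = re.compile(r"^(\w+)\s*=\s*cl_abap_dyn_prg=>check_whitelist_(?:tab|str)\(", re.I)

def scan(src):
    """Return (statement, finding) pairs for the two OS-command sinks discussed on this page."""
    findings, guarded = [], set()
    for st in split_statements(src):
        g = GUARD_RE.match(st)
        if g:  # variable re-assigned from CHECK_WHITELIST_*: treated as validated from here on
            guarded.add(g.group(1).lower())
        elif (m := FILTER_RE.match(st)):
            operand = m.group(1)
            if operand[0] in "'`" or operand.lower() in guarded:
                continue  # literal program name, or variable validated against a whitelist
            findings.append((st, "FILTER operand is a variable without a whitelist check"))
        elif SYSTEM_RE.match(st):
            findings.append((st, "CALL 'SYSTEM' runs commands outside the SM49/SM69 whitelist"))
    return findings
```

Running scan() over a whole ABAP program yields one finding per risky statement, which is enough to feed a code review or a custom ATC check.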