Summary of "Hacking SAP - Common Exploits and How to Protect Against Them"


Overview

This webinar focuses on common exploits within the SAP application layer, emphasizing risks that can be exploited by end users without needing database, OS, or external network access. The session is aimed primarily at SAP security professionals (SNA), internal audit/compliance teams, project managers, and anyone responsible for protecting sensitive data (e.g., GDPR, HR, Finance). The goal is to raise awareness of these loopholes, demonstrate their impact, and empower decision-makers to mitigate risks effectively.


Key Technological Concepts and Exploits Covered

  1. End User Exploits in SAP Application Layer
     These exploits do not require database or OS access, which makes them harder for traditional security teams to detect and mitigate. The focus is on roles, authorizations, and transaction/program access within SAP.

  2. SAP Best Practice Methodology for Security and Authorizations
     Following the SAP best practice methodology for roles and authorizations is crucial to closing these loopholes. Where best practice is not implemented, the risk of exploitation rises significantly.

  3. User Password and Access Checks (RSUSR003 Report)

    • This report lists the standard users and their passwords (often still the default, which is publicly known).
    • Default passwords on privileged users such as SAP* or DDIC pose a significant risk.
    • Failed login attempts can lock users, producing a denial-of-service (DoS) effect on batch jobs and RFC connections that run under those users.
    • Failed login attempts should be monitored, and access to sensitive reports such as this one locked down.
  4. Reference User Exploit
     SAP allows a “reference user” to be assigned to a user, who then inherits the reference user's authorizations. A loophole exists where a user that is not of the reference type (e.g., DDIC) can be assigned as a reference user, effectively granting elevated privileges (e.g., SAP_ALL) without triggering the typical alerts. Mitigation: set the REF_USER_CHECK parameter in table PRGN_CUST so that invalid reference user assignments produce an error. Auditors and security teams should also monitor change documents for reference user assignments.

  5. Direct Program Execution (SE38/SA38) vs. Transaction Codes
     Users can bypass transaction code restrictions by executing the underlying ABAP programs directly via SE38 or SA38. This skips the transaction-level security check, leaving only the authorization checks coded within the program itself.

    • SE38 requires the powerful S_DEVELOP authorization, making SA38 a safer alternative.
    • Best practice: restrict direct program execution by limiting authorized programs or program groups.
    • Prefer creating custom transaction codes for specific programs rather than granting broad SE38/SA38 access.
    • Use audited firefighter users for temporary elevated access.
  6. Function Module Execution (SE37)
     Function modules are the building blocks of SAP applications and can be executed directly. Some function modules (e.g., OPER_USER_CHANGE) replicate SU01 functionality, allowing user changes without access to transaction SU01. Removing SE37 access from end users is critical; developers who need it should use heavily audited firefighter accounts.

  7. RFC Connection Misuse
     Stored RFC connections that log on with privileged users such as DDIC, or with DDIC-type users (e.g., the DDIC user in client 000), pose a risk. Such connections allow privilege escalation and cross-client access. Best practices:

    • Minimize end user access to SM59 (RFC connection maintenance).
    • Use dedicated technical users with minimal privileges for RFC connections.
    • Prefer “same user” connections where the calling user must have corresponding rights on the called system.
    • Regularly audit RFC connections and stored users.
  8. Security Monitoring and Auditing

    • Regularly run and monitor reports like RSUSR003 for password weaknesses and failed logins.
    • Audit change documents for suspicious user changes, especially reference user assignments.
    • Use SAP best practice methodologies to structure roles and authorizations.
    • Employ firefighter users for temporary elevated access with audit trails.
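The reference user check from item 4 and the change-document monitoring from item 8 can be turned into a small audit script. The following is an added example written for this summary, not code shown in the webinar. It assumes the standard SAP user types (A dialog, B system, C communication, S service, L reference), that the change document field for the reference user is named REFUSER (an assumption), and that a naive type check is enough to spot the loophole; the user master and change documents are constructed samples.

```python
# Added example: audit reference-user assignments recorded in change documents.
# Only users of type L (reference) are meant to serve as reference users; the
# loophole described in item 4 is assigning a non-L user such as DDIC, whose
# profiles (e.g. SAP_ALL) are then inherited by the target user.

REFERENCE_USER_TYPE = "L"
HIGH_PRIV_PROFILES = {"SAP_ALL", "SAP_NEW"}

# Constructed user master (USR02-USTYP style user types, directly assigned profiles)
USER_MASTER = {
    "DDIC":        {"type": "A", "profiles": ["SAP_ALL", "SAP_NEW"]},
    "REF_FI_DISP": {"type": "L", "profiles": ["Z_FI_DISPLAY"]},
    "JDOE":        {"type": "A", "profiles": []},
    "ASMITH":      {"type": "A", "profiles": []},
}

# Constructed change documents; the field name REFUSER is an assumption
CHANGE_DOCS = [
    {"changed_by": "ADMIN1", "user": "ASMITH", "field": "REFUSER",
     "old": "", "new": "REF_FI_DISP", "ts": "2024-05-02T09:14:00"},
    {"changed_by": "ADMIN2", "user": "JDOE", "field": "REFUSER",
     "old": "", "new": "DDIC", "ts": "2024-05-03T17:41:00"},
    {"changed_by": "ADMIN2", "user": "JDOE", "field": "REFUSER",
     "old": "DDIC", "new": "", "ts": "2024-05-03T18:05:00"},
]


def audit_reference_assignments(change_docs, user_master):
    """Return one finding per change document that assigns an improper reference user."""
    findings = []
    for doc in change_docs:
        if doc["field"] != "REFUSER" or not doc["new"]:
            continue  # not a reference-user assignment, or the reference was removed
        ref = user_master.get(doc["new"])
        if ref is None:
            findings.append({"user": doc["user"], "reference": doc["new"],
                             "changed_by": doc["changed_by"], "ts": doc["ts"],
                             "severity": "MEDIUM", "inherited": [],
                             "reason": "reference user not found in user master"})
            continue
        if ref["type"] != REFERENCE_USER_TYPE:
            inherited = sorted(ref["profiles"])
            # Inheriting SAP_ALL/SAP_NEW is the worst case, so rate it HIGH
            severity = "HIGH" if HIGH_PRIV_PROFILES & set(inherited) else "MEDIUM"
            findings.append({"user": doc["user"], "reference": doc["new"],
                             "changed_by": doc["changed_by"], "ts": doc["ts"],
                             "severity": severity, "inherited": inherited,
                             "reason": f"reference user {doc['new']} is type "
                                       f"{ref['type']}, not {REFERENCE_USER_TYPE}"})
    return findings


if __name__ == "__main__":
    for f in audit_reference_assignments(CHANGE_DOCS, USER_MASTER):
        print(f"{f['severity']}: {f['user']} -> {f['reference']} by {f['changed_by']} "
              f"at {f['ts']} ({f['reason']}; inherits {', '.join(f['inherited']) or 'nothing'})")
```

The script deliberately reports the assignment even though it was reverted 24 minutes later: the change documents show that JDOE held SAP_ALL through DDIC during that window, which is exactly what an auditor reviewing reference user assignments needs to see. Setting REF_USER_CHECK in PRGN_CUST to an error prevents the assignment in the first place; this check is the detective control that confirms the preventive one is working.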
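Items 5 and 6 recommend keeping SE38, SA38 and SE37 away from end users and restricting direct program execution to named program groups. The role review below is an added example, not part of the webinar: it runs over constructed authorization rows (the real data would come from the role/authorization tables or a GRC export), uses the real authorization objects S_TCODE (field TCD), S_PROGRAM (fields P_ACTION, P_GROUP) and S_DEVELOP, and assumes a hypothetical naming convention where audited firefighter IDs start with FF_.

```python
# Added example: flag users who can run programs or function modules directly.
# Firefighter IDs are expected to hold these rights, so they are skipped here;
# their use is reviewed through the firefighter audit trail instead.

DIRECT_EXEC_TCODES = {"SE38", "SA38", "SE37"}
FIREFIGHTER_PREFIX = "FF_"  # assumed naming convention for firefighter users

# Constructed sample: one row per authorization field value a user holds via a role
SAMPLE_AUTHS = [
    {"user": "JDOE", "role": "Z_FINANCE_CLERK", "object": "S_TCODE", "field": "TCD", "value": "FB01"},
    {"user": "JDOE", "role": "Z_FINANCE_CLERK", "object": "S_TCODE", "field": "TCD", "value": "SA38"},
    {"user": "JDOE", "role": "Z_FINANCE_CLERK", "object": "S_PROGRAM", "field": "P_ACTION", "value": "SUBMIT"},
    {"user": "JDOE", "role": "Z_FINANCE_CLERK", "object": "S_PROGRAM", "field": "P_GROUP", "value": "*"},
    {"user": "ASMITH", "role": "Z_HR_ANALYST", "object": "S_TCODE", "field": "TCD", "value": "SE37"},
    {"user": "ASMITH", "role": "Z_HR_ANALYST", "object": "S_TCODE", "field": "TCD", "value": "SA38"},
    {"user": "ASMITH", "role": "Z_HR_ANALYST", "object": "S_PROGRAM", "field": "P_GROUP", "value": "ZHR_REPORTS"},
    {"user": "FF_DEV1", "role": "Z_FIREFIGHTER_DEV", "object": "S_TCODE", "field": "TCD", "value": "SE38"},
    {"user": "FF_DEV1", "role": "Z_FIREFIGHTER_DEV", "object": "S_DEVELOP", "field": "ACTVT", "value": "*"},
]


def review_direct_execution(auths, firefighter_prefix=FIREFIGHTER_PREFIX):
    """Return (user, item, reason) tuples for direct-execution rights held by non-firefighters."""
    by_user = {}
    for row in auths:
        by_user.setdefault(row["user"], []).append(row)

    findings = []
    for user in sorted(by_user):
        if user.startswith(firefighter_prefix):
            continue
        rows = by_user[user]
        tcodes = {r["value"] for r in rows if r["object"] == "S_TCODE" and r["field"] == "TCD"}
        groups = {r["value"] for r in rows if r["object"] == "S_PROGRAM" and r["field"] == "P_GROUP"}

        # Any of SE38/SA38/SE37 in S_TCODE lets the user bypass transaction-level checks
        for tcd in sorted(tcodes & DIRECT_EXEC_TCODES):
            roles = sorted({r["role"] for r in rows if r["object"] == "S_TCODE" and r["value"] == tcd})
            findings.append((user, tcd, "direct execution transaction granted via " + ", ".join(roles)))

        # SA38/SE38 combined with S_PROGRAM P_GROUP '*' means no program restriction at all;
        # best practice is to limit P_GROUP to named program groups
        if tcodes & {"SE38", "SA38"} and "*" in groups:
            findings.append((user, "S_PROGRAM", "program group '*' allows any program to be run directly"))
    return findings


if __name__ == "__main__":
    for user, item, reason in review_direct_execution(SAMPLE_AUTHS):
        print(f"{user}: {item} - {reason}")
```

ASMITH is reported for SA38 and SE37 but not for S_PROGRAM, because the program group is limited to ZHR_REPORTS; JDOE is reported twice, once for SA38 and once because P_GROUP '*' removes the only remaining restriction. The usual remediation for both is a custom transaction code for the specific program, as the summary recommends.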
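For the RFC best practices in item 7, the following added example (again not from the webinar) reviews a constructed list of RFC destinations. It assumes a simplified record layout with a logon field that is either "stored" (user and password saved in the destination) or "current_user" (the "same user" connection the summary prefers); the severity rules encode the summary's own points: stored privileged users such as DDIC or SAP*, and stored users pointing into client 000, are the worst cases, and any stored user is worse than a current-user destination.

```python
# Added example: rate RFC destinations by the logon they store.
# Real destination data would be exported from SM59 / the RFC destination
# tables; the records below are constructed for illustration.

PRIVILEGED_USERS = {"DDIC", "SAP*"}

SAMPLE_DESTINATIONS = [
    {"name": "PRD_CLNT000_DDIC", "target_system": "PRD", "target_client": "000",
     "logon": "stored", "user": "DDIC"},
    {"name": "BW_LOAD", "target_system": "BWP", "target_client": "100",
     "logon": "stored", "user": "RFC_BW_LOAD"},
    {"name": "PRD_TRUSTED", "target_system": "PRD", "target_client": "100",
     "logon": "current_user", "user": None},
    {"name": "QAS_COPY", "target_system": "QAS", "target_client": "200",
     "logon": "stored", "user": "SAP*"},
]


def review_rfc_destinations(dests, source_client="100"):
    """Map destination name -> {'severity', 'reasons'} for destinations with a stored user."""
    findings = {}
    for dest in dests:
        if dest["logon"] == "current_user":
            continue  # caller needs matching rights on the target system: preferred setup
        user = (dest["user"] or "").upper()
        reasons = []
        severity = "MEDIUM"
        if user in PRIVILEGED_USERS:
            severity = "HIGH"
            reasons.append(f"stored privileged user {user}")
        else:
            reasons.append(f"stored technical user {user}; prefer a current-user destination")
        if dest["target_client"] != source_client:
            reasons.append(f"cross-client access from {source_client} to {dest['target_client']}")
            if dest["target_client"] == "000":
                severity = "HIGH"  # client 000 holds the DDIC-type administrative users
        findings[dest["name"]] = {"severity": severity, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for name, f in review_rfc_destinations(SAMPLE_DESTINATIONS).items():
        print(f"{f['severity']}: {name}: " + "; ".join(f["reasons"]))
```

Running the script on the sample marks PRD_CLNT000_DDIC and QAS_COPY as HIGH, BW_LOAD as MEDIUM (a dedicated technical user, acceptable if its privileges are minimal), and reports nothing for PRD_TRUSTED. Combined with restricting SM59 to administrators, a periodic run of this review covers the last two bullets of item 7.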

Summary: This webinar provides an in-depth exploration of common SAP application layer exploits, focusing on user and authorization loopholes that can lead to privilege escalation and data exposure. It highlights the importance of SAP best practice methodologies, continuous monitoring, and strict access controls on sensitive transactions, programs, and RFC connections. Practical demonstrations and real-world examples emphasize how these vulnerabilities manifest and how to close them effectively.
