A classic OS command injection vulnerability
Posted by Joris van de Vis, SAP Security researcher and co-founder at Protect4S
In the SAP patch round of May 2021, an OS command injection vulnerability was patched. This vulnerability was discovered by the Protect4S research team and has a CVSS score of 8.2. The vulnerability discussed in this article is:
| CVE | SAP Note | CVSS | Title |
| --- | --- | --- | --- |
| CVE-2021-27611 | 3046610 | 8.2 | Code Injection vulnerability in SAP NetWeaver AS ABAP |
The above finding might lead to a full compromise of your SAP ABAP systems and their data, but only in combination with valid credentials and the required authorisations.
Our research on SAP systems has in the past focused largely on traditional SAP ABAP-based systems, and as part of that research we typically looked for OS command injections, SQL injections, ABAP code injections, etc. We do this by indexing the ABAP code and searching through it for specific statements. One ABAP statement we are typically interested in is the “CALL SYSTEM” statement, as it executes operating system commands via the SAP kernel. Bugs there often lead to critical vulnerabilities.
When looking at some specific SAP versions and system types, in this case SAP IDES (a demo system that SAP ships preloaded with sample data), we found a vulnerability in the ABAP report RDDPUTJR: the user controls data that is used as input for the CALL SYSTEM statement in this report, which effectively allows arbitrary OS command execution. The OS command injection vulnerability is fixed by note 3046610 – [CVE-2021-27611] Code Injection vulnerability in SAP NetWeaver AS ABAP.
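As an added illustration of the code-search approach described above (example code written for this article, not Protect4S tooling and not the RDDPUTJR source): a small Python scanner that splits ABAP source into statements, marks selection-screen parameters as user controlled, follows them through simple assignments and CONCATENATE, and flags every CALL 'SYSTEM' whose command operand carries such input. The ABAP snippet it runs on is constructed for the demonstration, and the kernel-call form CALL 'SYSTEM' ID 'COMMAND' FIELD <operand> is assumed to be the one the scanner must recognise.

```python
import re
# Constructed ABAP report (an assumption, not the real RDDPUTJR source) showing the
# pattern from the article: a selection-screen parameter flows into CALL 'SYSTEM'.
SAMPLE_ABAP = """\
REPORT zcmd_demo.
PARAMETERS: pv_logd TYPE string.
DATA: lv_cmd TYPE string, lv_fixed TYPE string VALUE 'df -h', lt_out TYPE TABLE OF string.
CONCATENATE 'cat ' pv_logd INTO lv_cmd.
CALL 'SYSTEM' ID 'COMMAND' FIELD lv_cmd ID 'TAB' FIELD lt_out.
CALL 'SYSTEM' ID 'COMMAND' FIELD lv_fixed ID 'TAB' FIELD lt_out.
"""

# Kernel call ABAP uses to run an OS command: CALL 'SYSTEM' ID 'COMMAND' FIELD <operand>
CALL_SYSTEM_RE = re.compile(r"CALL\s+'SYSTEM'\s+ID\s+'COMMAND'\s+FIELD\s+(\S+)", re.I)
ASSIGN_RE = re.compile(r"^([A-Za-z_][\w-]*)\s*=\s*(.+)$", re.S)
CONCAT_RE = re.compile(r"^CONCATENATE\s+(.+?)\s+INTO\s+([A-Za-z_][\w-]*)", re.I | re.S)

def _statements(source: str):
    """Yield (first_line_no, text) per period-terminated statement; comment lines skipped."""
    buf, start = [], None
    for no, line in enumerate(source.splitlines(), 1):
        text = line.strip()
        if not text or text[0] in '*"':
            continue
        start = start or no
        buf.append(text)
        if text.endswith("."):
            yield start, " ".join(buf)[:-1].strip()
            buf, start = [], None

def _idents(text: str) -> set[str]:
    """Identifiers used in an expression, with string literals stripped first."""
    return {w.lower() for w in re.findall(r"[A-Za-z_][\w-]*", re.sub(r"'[^']*'", "", text))}

def find_call_system_findings(source: str) -> list[dict]:
    """Report every CALL 'SYSTEM' and whether its command operand carries user input."""
    tainted, findings = set(), []  # tainted: variables fed (transitively) from the selection screen
    for line_no, stmt in _statements(source):
        if stmt.upper().startswith(("PARAMETERS", "SELECT-OPTIONS")):
            body = stmt.split(":", 1)[1] if ":" in stmt else stmt.split(None, 1)[1]
            tainted.update(part.split()[0].lower() for part in body.split(","))
        elif (m := CALL_SYSTEM_RE.search(stmt)):
            findings.append({"line": line_no, "operand": m.group(1),
                             "user_controlled": m.group(1).lower() in tainted})
        elif (m := CONCAT_RE.match(stmt)) and _idents(m.group(1)) & tainted:
            tainted.add(m.group(2).lower())
        elif (m := ASSIGN_RE.match(stmt)) and _idents(m.group(2)) & tainted:
            tainted.add(m.group(1).lower())
    return findings
```

Running it on the sample flags the call on line 5 as user controlled and the call on line 6 (a fixed literal) as not; a real audit would feed it the sources exported from the system and review every flagged call by hand.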
Risk / exploitation
The report RDDPUTJR was not supposed to be shipped to customers' systems and was therefore deleted from NetWeaver systems as of NetWeaver 7.40. SAP systems based on NetWeaver 7.00 to 7.31, however, still included this report and were therefore vulnerable. To exploit the vulnerability, an OS command is injected into the input parameter field PV_LOGD. Executing the ABAP report with the following selection will execute the command ipconfig on an SAP system running on Windows:
A valid user with the proper authorizations to execute the report is needed, but once that is in place any OS command can be executed on the server in the context of the SAPService<SID> / <SID>adm user. This gives full access to all data in the database and to the operating system of the SAP system.
To fix this vulnerability, apply SAP Security Note 3046610, which deletes the report from your SAP system.
Want to know more about SAP Security? Please get in touch for more information or request an SAP security assessment here and find out how vulnerable your SAP systems are.