Skip to main content

Practical exploitation of SAP vulnerability CVE-2021-44231

By 13 September 2022No Comments

Operating System Command injection in SAP NetWeaver ABAP


In SAP’s patch round of December 2021 an SAP Security patch was released with a CVSS score of 9.9/10 named “Code Injection vulnerability in SAP ABAP Server & ABAP Platform (Translation Tools)”. This particular type of vulnerability is quite common in SAP systems (we have till date reported more than 30 similar vulnerabilities to SAP) and can easily lead to a full system compromise. Our Protect4S SAP Security research led to finding this vulnerability and in close cooperation and via responsible disclosure, the SAP Security response team resolved it.

As stated in the SAP note, the vulnerability we discovered is introduced in SAP systems by accidently releasing internal programs to customers. Also, many SAP systems are vulnerable as the bug is part of the SAP_BASIS software component, a key component in every SAP ABAP system. But what does “vulnerable” mean in this case and how could attackers take advantage of this vulnerability? As stated by SAP, the vulnerability can lead to controlling the behavior of the application and all its data:

image - Practical exploitation of SAP vulnerability CVE-2021-44231

Therefore, these vulnerabilities are powerful in the hands of malicious parties. The only good thing here, is that this vulnerability requires some level of authentication and authorisation. Yet, any user with the rights to execute ABAP report RS_LXE_EXTRACT_WORK_LIST2CSV can abuse it to escalate privileges and go for the jackpot. The specific issue is in the CALL ‘SYSTEM’ command that does OS command execution and can be altered by input from the selection screen:

image - Practical exploitation of SAP vulnerability CVE-2021-44231

Practical exploitation

In order to exploit this vulnerability, one only has to execute report RS_LXE_EXTRACT_WORK_LIST2CSV via e.g. transaction SE38 in the background and specify any file (which does not have to exist) followed by a “;” sign followed by ANY FREE TO CHOOSE OS COMMAND like in below case the “mkdir” command to create a directory.

image - Practical exploitation of SAP vulnerability CVE-2021-44231

This in turn will write some data to the chosen file, but additionally execute that OS command on the SAP system as can be seen here (the directory W00T has been created which means the freely chosen command was executed successfully):

image - Practical exploitation of SAP vulnerability CVE-2021-44231

Why is this a bad thing?

If you are allowed to execute any OS command, you could do things on the operating system you are not supposed to do, like stopping a SAP system for example. Which is a bad thing for the availability of the system. But it does not stop there since the OS user (typically named <sid>adm for non-windows systems) has an implicit trust relation with the database. What this means is that via OS commands you can directly speak to the database and read all data or alter it. What makes things worse is that this is NOT being logged from the SAP application layer. If you would for example execute an OS command like below, you could retrieve password hashes for all users and try to bruteforce these offline to gain access to other SAP accounts. See a previous blog on this topic here.

/tmp/a ; hdbsql -U DEFAULT “select PWDSALTEDHASH from USR02”

How to fix this?

Just import the SAP Security note 3119365 via transaction SNOTE. This will introduce proper validation on the input from the selection screen and provide an error message when you try to exploit the vulnerability:

image - Practical exploitation of SAP vulnerability CVE-2021-44231

The above vulnerability can be easily patched, having a proper Vulnerability Management process in place helps there. It cannot be stated enough that a Vulnerability Management process should be in place to address and fix these vulnerabilities in a timely, efficient and effective manner for SAP customers to prevent abuse. 

For more SAP security-related news, articles, and whitepapers, please follow us on LinkedIn and our YouTube channel!