Sap solution tools plugin st-pi
This blog post outlines previously unreleased technical details of CVE and showcases its potential impact on mission-critical business systems. The user can utilize these tables to supply import and export parameter names and types, as well as values for the import parameters themselves (see Figure 1 and Figure 2).

Because of this, certain restrictions apply to the choice of the RFM. In this way, the source code of the subroutine pool is changed in the indicated lines. Following the successful initialization of the subroutine pool, the generated code segment is executed. Within the program logic, this in turn leads to the specified RFM being invoked.

Acting as a proxy module, it allows the restricted execution of other RFMs. As a result, an attacker can break out of the intended syntactic instructions.

Injecting ABAP code in the VALUE field allows the attacker to manipulate the source code of the generated subroutine pool and thereby the execution logic of the entire module. Since the attacker can freely choose the characters used in this field, arbitrary ABAP code can be injected.

Afterwards, an attacker can simply specify any semantically valid ABAP code, which is then executed by the application server (see Figure 5 and Figure 6). To keep the number of authorizations required for successful exploitation as low as possible, suitable RFMs were sought as input parameters that meet the requirements mentioned above and do not need further authorizations. Additional authorization checks within the selected RFM are irrelevant, since the injected payload is executed before the application logic of the RFM is reached.

System or service users in particular will usually be equipped with full authorizations for this object as a preventive measure, to avoid potential complications in the productive use of remote and background services. To assess the impact of this vulnerability, several payloads have been tested. The following examples illustrate how an authenticated attacker can compromise all three security goals (Integrity, Availability, and Confidentiality) using different payloads and bypassing existing restrictions.

Please note that the provided screenshots demonstrate the exploitation throughout the transaction SE. Nevertheless, Figure 12 is intended to show that the exploitation can be scripted and performed via RFC over the network.

The following proof-of-concept demonstrates how an attacker can assign himself the reference user DDIC by injecting an OpenSQL query, thus gaining unlimited authorizations on the affected SAP system (see Figure 8). The following proof-of-concept demonstrates how an attacker can disrupt the functionality of an SAP system by deleting essential system tables, e.

The following proof-of-concept demonstrates how an attacker can exfiltrate data, e. However, for extensive exfiltration of data, it is necessary to combine payload substrings throughout different importing parameters (see also Figure 10 and Figure ).

You would find a lot of useful information there.

It's a really detailed doc. As I know - maybe wrongly - there is a way to upgrade from centrally to spread to all systems.

There you can check all your child systems and distribute the Service Tools Plugins. It is also one by one, but it is faster, and it works with a transport request that is moved automatically.

Brindavan Mookaiah, November 5.

Manas Behra.

Brindavan Mookaiah (Blog Post Author).
