Category: Security

security

STUSERTRACE: User trace for authorization checks

ST01 and STAUTHTRACE transactions can be used for short term in-depth authorization traces. The problem is that these traces are very detailed and generate a lot of data.

For some use cases, you need to know what authorizations are needed for a user for longer period of time. Example: you have some background users with too many authorizations and your are tasked to reduce this. Then you want to enable a long term trace that records which authorizations are used by this user ID. You are not interested in how many times and when, but just need a complete list over a very long time (for example 2 months). Another example is when you are tasked to S_TABU_NAM full * authorization with actual table names. How to find out which tables are actually needed?

This is the goal of the STUSERTRACE: long term recording of authorization checks called including detailed table level.

STUSERTRACE enabling settings

The activation is described in OSS note 2220030 – STUSERTRACE: User trace for authorization checks. The first step is to switch parameter to value F. There is an option to set to Y for full, but don’t do this. F is the value where filtering happens.

As explained in OSS note 2220030 there is a minor performance impact. To limit the impact, use filtering.

Now start transaction STUSERTRACE to set the filters:

Choose the Change Filter button to add filters:

In this case we add the standard SAP workflow user to trace.

STUSERTRACE results

After you let the trace run, you can use the STUSERTRACE transaction to see which authorization checks were executed for this user ID:

STUSERTRACE will also capture detailed table access down to actual table level:

This means this transaction STUSERTRACE can also be used help replace * values in S_TABU_NAM with the actual tables.

Reorganization of data

Reorganization of data to clean up can be done using menu function Goto/Reorganize:

Relevant OSS notes

SUIM_CHDOC_USER: new transaction to show user changes

In SUIM there is a function to show changes for users, but this transaction can be performing very poor with higher data volumes.

SAP has developed successor transaction SUIM_CHDOC_USER that is giving the same data, but faster.

How to get transaction SUIM_CHDOC_USER?

It is import to know transaction SUIM_CHDOC_USER only works on HANA database. If you are not running on HANA, don’t continue.

Implementation steps:

  1. Apply OSS note 3399100 – SUIM | change history calculation for user/profile assignment
  2. Apply OSS note 3418682 – SUIM_CHDOC_USER | Implementation prerequisite for SAP Note 3405921. Run the generation program.
  3. Apply OSS note 3405921 – SUIM | Read Change Documents for User. Important here: do execute the manual steps here first. These final steps are NOT covered in the previous note.

Transaction SUIM_CHDOC_USER

Now you can start transaction SUIM_CHDOC_USER:

Input is the same as you were used to. Output as well. The new transaction is simply faster.

PFCGMASSDELETE: mass deletion of roles

To get the function for mass role deletion, you first need to apply OSS note 3360981 – PFCGMASSDELETE: Mass deletion of roles.

Mass deletion of roles

After the note is applied transaction code PFCGMASSDELETE can be started:

The I information button provides the description of the functions of the program:

The SCC4 functions are described in OSS note 1723881 – Application of client-specific customizing settings to role maintenance.

New way of activating super user SAP*

In SAP note 3303172 – Activating a Super-User SAP* SAP is describing a new alternative to activate user SAP*.

The SAP* activation is required in some cases. Systems that are protected well have the parameter login/no_automatic_user_sapstar set to 1 which will forbid the logon with SAP* (see also blog on SAP standard users). To use SAP* this parameter has to be set to 0, followed by system restart to activate it (the parameter is not dynamic). Often after using SAP* it is forgotten to undo the SAP* activation or to set the parameter login/no_automatic_user_sapstar to the secure 1 status again.

The new way described is available as of kernel release 790 and a separate tool with a short lived password only.

SAP Focused Run security notes validation

In the blog on security and configuration validation overview, we have explained to run a validation of ABAP security notes against your systems using Focused Run configuration and security validation.

Questions that will be answered in this blog are:

  • How can I quickly run an entire year of security OSS notes versus my systems?

SAP github with security policy source files

SAP publishes files for the ABAP security notes each month on the SAP Focused Run Best Practices GitHub:

Here the policy files for the ABAP security notes are stored per year and per month.

Not all security notes for ABAP stack are in these files: only the ABAP notes which can be applied via SNOTE. Security notes for ABAP stacks which require parameter changes or patches are not part of this check!

For convenience I have collected the files per year.

2020-security-OSS-notesDownload
2021-security-OSS-notesDownload
2022-security-OSS-notesDownload
2023-security-OSS-notesDownload
These files are for convenience only. It can be I made a mistake in assembling them.

Uploading the files

Goto the Configuration validation policy maintenance Fiori tile:

Create new policy and copy paste the text from the file:

Do this by choosing Edit and copy and paste the text in the editing section:

Now Save the policy. Check the XML. Generate the policy and check it by pressing Test Policy. Note that these are large files with many checks, so the testing can take some time. Run can be done via the Validate button or by following the instructions below.

Running the Security notes checks against the connected systems

To run the checks, goto the Configuration and Security Analytics Fiori tile:

Select the policy file to run:

Now be patient until the results are ready.

Make sure you expand the amount of columns.

If an ABAP notes is not applied it does not mean your system is not safe. You have define for which CVSS score and which systems you want to apply the security OSS notes, within which timeframe.

More on CVSS score see OSS note 2463332 – Security Note CVSS vector computation – SAP Solution Manager 7.1 and 7.2 and this SAP blog explaining the CVSS scoring in general.

<< This blog was originally posted on SAP Focused Run Guru by Frank Umans. Repost done with permission. >>

SAP password hash hacking Part VI: extended wordlists

As explained in the previous blogs many people use a word followed by a rule like add special and digit. Or use a word and replace character with digit or special character.

In the first blog the 10.000 word list was used.

This blog will make you aware of the existence of far more word lists and how to counter these.

Wordlists

Wordlists available:

  • Dictionaries for each language, like Webster for English. Each language has their own preferred dictionary
  • Keyboard walk list: contains fragments like QWER, UIOP, ASDF etc. These fragments are used in so-called combination attacks by using multiple fragments like: Qwer1234!@#$ (which is 3 keyboard walks)
  • Wikipedia list; this list is huge and simply contains a list of ALL words ever used on Wikipedia
  • Public site or intranet site keywords; comparable to Wikipedia, but targeted towards a single organization. Many people use the company name, department name, project name or another internal name as part of their password
  • All placenames (cities, provinces, states, countries, rivers, etc) in the world
  • All movies, actors, actrices, characters
  • Sport names and sports players
  • Lists from previous password hacks: like the LinkedIn list, RockYou list, etc.

The creator of John The Ripper offers them for money on their site (for cracking, still use hascat…).

Counter measures for attacks done by word lists

Counter measures:

  • User education to use not a single word, but two or more words in the password
  • Use single sign on in stead of passwords
  • Use generated passwords in secure storage

Call transaction security

An ABAP developer can call a different transaction from a custom build program or transaction. This can be very helpful for certain user requirements and can save an end user time when the system is helping him with jumping from one transaction to the next logical transaction.

Example

For authorization this can be a bit messy.
What for example will happen with this coding:

CALL TRANSACTION 'SU01'.

Will the SU01 transaction now be called successfully or not?

SE97 TCDCOUPLES

Suppose the user does not have rights to call SU01. The coding is still trying to go to this transaction.

Depending on the value of system parameter auth/check/calltransaction a couple of things can happen:

  • No check
  • Always check
  • Lookup if check is needed in table TCDCOUPLES

Table TCDCOUPLES links the calling transaction to the jumped to transaction and determines if the transaction authorization for the new transaction is required or not.

But what in case there is no entry or the entry in TCDCOUPLES is vague? Then it again determines on the value of parameter auth/check/calltransaction to be strict or not strict.

Entries in table TCDCOUPLES are maintained via transaction SE97:

Standard SAP example output:

Formal OSS note of SE97: 358122 – Description of functions of transaction SE97.

Updating TCDCOUPLES is a lot of work and no longer SAP best practice. See this SAP blog.

Correct way of coding

The correct way of coding is more simple: always indicate that the authority check is mandatory:

CALL TRANSACTION 'SU01' WITH AUTHORITY-CHECK.

In this way the coding forces the check independent of the system parameter and entries in TCDCOUPLES.

Finding incorrectly coded CALL TRANSACTIONS

The fastest way of finding incorrectly coded call transactions is by running the SAP CVA (code vulnerability analysis) tool. This tool scans for CALL TRANSACTIONS with missing authority checks. It also scans for other variations like dynamic use of CALL TRANSCATION.

Alternatively you can use CODE_SCANNER (see blog on usage) with this special input:

Basically you tell the program to look for any program with CALL TRANSACTION and not having WITH AUTHORITY-CHECK in it. Do realize it can potentially miss programs in case there are 2 calls (1 correct and 1 incorrect). The CVA tool will not miss this case.

LEAVE TO TRANSACTION

You might wonder: what is the situation for the LEAVE TO TRANSACTION statement? That is more simple. LEAVE TO TRANSACTION will always check the user rights for object S_TCODE for the transaction.

SE16N_BATCH program

SE16N_BATCH is a very powerful and dangerous program. You can use it to run SE16 queries for large datasets in batch mode and later pick up the results from the spool.

But it can also be misused to fetch data that you are not authorized to see, but a batch user can see.

Good use

For example you need a lot of records from BSEG:

This might fail online. If you run it in batch mode, you can simply pick up the spool later with the needed data:

Misuse

The program can be used for hacking purposes as well. Suppose you want to get all user password hashes. SE16N for USR02 is blocked. Now run the program in batch (not with your own user, but with a batch job user with rights to read USR02 data). Now all data is available in the spool for the hacker….

OSS notes

3443282 – “submit se16n_batch exporting list to memory” doesn’t work in background run

Information disclosure

Information disclosure is a potential security risk. Most IT software has a way to show the exact software version. This detailed information can be useful for an end user submitting an incident. Or for an administrator to know if certain patching is needed for an IT system.

But the detailed version information can also be used by a hacker to know if the system is vulnerable for some known attacks (and the system is not yet patches with the fix).

Hence for IT systems one should be careful and conscious about showing detailed version information: this is called information disclosure.

Known information disclosure items

ABAP System / Status

In ABAP stack, you can reduce the information in System/Status via authorizations. See OSS note 2658772 – System -> Status: Restriction of the available information.

Web administration interface

The web administration interface is a very known one. How to solve, read this blog.

Information disclosure security notes

Every month SAP release security notes (see blog). For the SAP systems that are internet facing (like portals, Netweaver Gateways, PI systems), check and apply the information disclosure notes as soon as possible. For the other systems, apply them at your normal security cycle speed.

List all user documenation

On the SU01 user maintenance screen there is a nice tab to capture documentation for that user. But how to list all documentation for all users?

List of all user documentation

To get the user documentation listing program, apply OSS note 3113345 – SUIM | Reporting for User Documentation. This will deliver program SUIM_SHOW_USDOCU:

Run the program for your selection to get the result list:

Click on a documentation line to see all the history.