
Monday, 21 May 2018 11:50

Native Structured Query Language


One of the ways to interact with a database in SAP systems is Native Structured Query Language (SQL). It lets developers use database-specific statements in their ABAP programs, bypassing the checks and the automatic client handling that Open SQL provides. In this section, we discuss a few critical statements that relate to Native SQL.

Potential Backdoor using CLIENT SPECIFIED statement

The CLIENT SPECIFIED addition of the SELECT statement switches off automatic client handling: the client column is no longer restricted to the logon client, and the program can read the data of any other client it names in the WHERE clause.

Example

A statement like the following compares the client column against a variable instead of relying on the automatic client condition. Because sy-mandt, like any other sy field, can be overwritten by the program, or the variable can simply be replaced by a value taken from user input, the caller can obtain the data of any client:

    SELECT SINGLE ...
      FROM dbtab CLIENT SPECIFIED
      WHERE mandt = @sy-mandt AND
            ...
      INTO ...

A programmer can also leave similar code in place intentionally to collect data from another client without being detected:

    " Reads HR organizational assignments (infotype 0001) of client 007,
    " regardless of the client the user is logged on to.
    SELECT * FROM pa0001
      CLIENT SPECIFIED
      INTO TABLE hr_contents
      WHERE mandt = '007'.

Business Risk

The CLIENT SPECIFIED addition allows a malicious person to implement a backdoor that reads a production client from any other client of the same system (for example a test or training client with weaker controls). Attackers can collect data about the other clients and use it in further attacks, or they can get direct access to business-related information.

Remediation

The safest way to avoid the danger related to the CLIENT SPECIFIED addition is not to use it at all, since SAP separates client data automatically. Where cross-client access is genuinely required (for example in administrative tools), the statement should be limited to that purpose, protected by an explicit authorization check, and flagged for code review.

Use of ABAP Managed Database Procedures (AMDP)

ABAP Managed Database Procedures (AMDP) allow Native SQL code (SQLScript on HANA) to be written inside methods of an ABAP class; these methods are then called like any other method from ABAP programs. When an AMDP method is invoked for the first time, the corresponding stored procedure is created on the database server. Currently, AMDP only supports the HANA database.

Example

    CLASS cl_dyn_amdp IMPLEMENTATION.
      METHOD increase_seatsocc BY DATABASE PROCEDURE FOR HDB LANGUAGE SQLSCRIPT
                               USING sflight.
        -- the parameter seats is concatenated into the statement text and
        -- executed dynamically, so whatever the caller passes becomes SQL
        EXEC 'UPDATE sflight SET seatsocc = seatsocc + '||:seats;
      ENDMETHOD.
    ENDCLASS.

Business Risk

Dynamic SQLScript in an AMDP body (EXEC or EXECUTE IMMEDIATE with a string built from method parameters) is a potential security hole. A parameter that is controlled by the user and reaches the statement text, as seats does above, changes the statement itself and leads to SQL injection.

Remediation

SAP recommends using AMDP solely in cases specific to the HANA database, or when too much data would otherwise have to be transferred from the DBMS to the application server. Use Open SQL in the remaining cases. Where AMDP is justified, avoid dynamic SQL (EXEC, EXECUTE IMMEDIATE) and reference parameters directly as :name in the SQLScript statement, so that their values are bound rather than concatenated into the statement text.
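The same seat update written without dynamic SQL, as an added example that is not from the original post or from SAP's documentation. The class name zcl_flight_amdp, the key parameters and the use of table SFLIGHT are assumptions; what it demonstrates is that :iv_seats and the keys are bound by SQLScript rather than spliced into a string, so the structure of the UPDATE is fixed when the procedure is created:

```abap
" Added example (not ERPScan's code). Class, method and parameter
" names are assumptions; SFLIGHT is the standard flight demo table.
CLASS zcl_flight_amdp DEFINITION
  PUBLIC FINAL CREATE PUBLIC.
  PUBLIC SECTION.
    " Tag interface required for every class that contains AMDP methods
    INTERFACES if_amdp_marker_hdb.
    " AMDP parameters must be passed by value; cx_amdp_error is the
    " exception class the AMDP framework raises on procedure errors
    METHODS increase_seatsocc
      IMPORTING VALUE(iv_carrid) TYPE sflight-carrid
                VALUE(iv_connid) TYPE sflight-connid
                VALUE(iv_fldate) TYPE sflight-fldate
                VALUE(iv_seats)  TYPE sflight-seatsocc
      RAISING   cx_amdp_error.
ENDCLASS.

CLASS zcl_flight_amdp IMPLEMENTATION.
  METHOD increase_seatsocc BY DATABASE PROCEDURE FOR HDB LANGUAGE SQLSCRIPT
                           USING sflight.
    -- Every value is a bound SQLScript parameter (:name); none of them is
    -- part of the statement text, so the caller cannot alter the UPDATE.
    -- SQLScript does not add the client condition for us, hence the
    -- explicit comparison against the session client.
    UPDATE sflight
      SET seatsocc = seatsocc + :iv_seats
      WHERE mandt  = SESSION_CONTEXT('CLIENT')
        AND carrid = :iv_carrid
        AND connid = :iv_connid
        AND fldate = :iv_fldate;
  ENDMETHOD.
ENDCLASS.
```

Two framework rules are visible here and worth checking in review: the class implements the tag interface if_amdp_marker_hdb, and every database object the procedure touches is listed in USING. A body that contains EXEC or EXECUTE IMMEDIATE with a || concatenation is the pattern to reject.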

Use of critical ADBC call

According to SAP documentation, ADBC (ABAP Database Connectivity) is an API for the Native SQL interface of the AS ABAP that is based on ABAP Objects. The ADBC methods pass Native SQL statements to the database interface as plain character strings. They make it possible to:

  • send database-specific SQL commands to a database system and process the result;
  • establish and administer database connections.

In ADBC, statements are executed using the instance methods of the CL_SQL_STATEMENT class:

  • execute_query
  • execute_update
  • execute_ddl
  • execute_procedure

Business Risk

Every function or method that executes a SQL statement built at runtime is a potential source of security risks, in particular when the statement string contains user input. Since ADBC performs no client handling and no authorization checks of its own, an injected statement can do anything the database user is allowed to do, from reading data of other clients (espionage) to modifying or dropping tables (sabotage).

Remediation

If you use these methods in your application, make sure that no user-controlled value becomes part of the SQL statement text. Pass values through placeholders (?) bound with set_param instead of concatenating them, and where the statement really must be assembled dynamically, restrict the user-controlled parts to a whitelist of expected values.
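The difference between a concatenated and a parameterized ADBC query, as an added example that is not from the original post. The report name, the attacker-controlled input value and the use of table SFLIGHT are constructed for illustration; in a real program the input would arrive from a screen field or an RFC parameter:

```abap
" Added example (not ERPScan's code). Report name, input value and
" the choice of SFLIGHT are assumptions made for illustration.
REPORT zadbc_injection_demo.

DATA: lv_sql    TYPE string,
      lt_result TYPE STANDARD TABLE OF sflight,
      lo_stmt   TYPE REF TO cl_sql_statement,
      lo_result TYPE REF TO cl_sql_result_set.

" Constructed attacker input: the quote closes the literal and the rest
" becomes SQL when the value is concatenated into the statement.
DATA(lv_input) = `LH' OR '1'='1`.
DATA(lv_mandt) = sy-mandt.

TRY.
    lo_stmt = cl_sql_connection=>get_connection( )->create_statement( ).

    " UNSAFE: user input spliced into the statement text.
    " Resulting text: ... AND carrid = 'LH' OR '1'='1'  -> every row
    lv_sql = |SELECT * FROM sflight WHERE mandt = '{ lv_mandt }'| &&
             | AND carrid = '{ lv_input }'|.
    lo_result = lo_stmt->execute_query( lv_sql ).
    lo_result->set_param_table( REF #( lt_result ) ).
    lo_result->next_package( ).
    lo_result->close( ).
    WRITE: / 'concatenated query returned', lines( lt_result ), 'rows'.

    " SAFE: placeholders in the statement, values bound with set_param.
    " The driver sends the values separately from the statement text, so
    " the same input is compared as the literal carrier ID and matches
    " nothing. ADBC adds no client condition itself, so mandt is bound too.
    CLEAR lt_result.
    lo_stmt->set_param( REF #( lv_mandt ) ).
    lo_stmt->set_param( REF #( lv_input ) ).
    lo_result = lo_stmt->execute_query(
                  `SELECT * FROM sflight WHERE mandt = ? AND carrid = ?` ).
    lo_result->set_param_table( REF #( lt_result ) ).
    lo_result->next_package( ).
    lo_result->close( ).
    WRITE: / 'parameterized query returned', lines( lt_result ), 'rows'.

  CATCH cx_sql_exception INTO DATA(lx_sql).
    " Handle the error; never echo the statement text back to the user.
    MESSAGE lx_sql TYPE 'E'.
ENDTRY.
```

The same rule applies to execute_update, execute_ddl and execute_procedure: the only argument that may contain user data is the one passed through set_param, never the statement string itself.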

That’s it for Native SQL. The next ‘Critical Calls’ entry of Secure ABAP Development Guide section will cover SAP Technology Development Statements. Keep in touch and follow us on Twitter, Facebook, and LinkedIn and get more information from our ERPScan Research team.
