ABAP exploit/vulnerability exposed
Firstly, let me just make this disclaimer that I don’t know what the difference between an exploit and a vulnerability is. I don’t know the proper definitions of each, either. I’m pretty sure what I’m about to reveal is not a security flaw though. However, using the information contained herein, a malicious user can wreak a fair bit of havoc on an ABAP system.
Secondly, an even bigger disclaimer: Don’t try this on your system! This article is for informative purposes only, not for you to wreak havoc! OK, here goes:
A colleague of mine has been struggling with a problem that when he tried to syntax-check or activate (which does an implicit syntax check) an ABAP program he was working on, it caused the whole system to stop responding. At first we wouldn’t believe him. Yet his claims proved to be true. Whenever the syntax check was invoked, the process would start consuming system resources to the point that dialog processes all became used up, the system response would suffer tremendously, and the process itself would carry on running until it terminated at OS-level with a ROLL_IN_ERROR visible in the process trace. How is this possible?
I decided to take the code he was working on and paste it into a local program to see if it caused the same problem, and it did. After incrementally adding the lines from the rogue source to find the problem, the bad code turned out to be a recursive data definition; a structure referring to itself. It seems as if this code made the ABAP syntax checker perform an endless, recursive check. The code looks as follows (note the line where the included structure in fact refers to itself):
DATA: BEGIN OF gt_stat OCCURS 0. INCLUDE STRUCTURE vicarsdate. DATA: lv_stat LIKE LINE OF gt_stat. "<-- Problem is here DATA: transf TYPE xfeld. DATA: END OF gt_stat
Because the syntax checker is executed as an ABAP command (SYNTAX-CHECK), I assume that the checker is not written in ABAP, but in a C routine. As such, it was not possible to debug the process to see where the problem was.
Using this, a malicious user with rights to SE37 and access to function group S38E can perform a syntax check with function module EDITOR_SYNTAX_CHECK on such code on a production system, bringing performance to a near standstill and making the system unresponsive for quite a while. While this may not be a big problem, because it is possible to tell who the user is from the process overview, it's nonetheless a real risk, as some companies issue credentials for generic users for administrative tasks to some employees.
We found this problem on a 640 system, and to test whether the problem had perhaps been fixed in later versions, I sent the code to an unsuspecting person (who is hopefully still my friend) to ask if he could see whether the ABAP syntax checker has a problem with this recursive definition on his development system, which I think is 710 or above. He mailed me back to tell me that it had been running for 350 seconds, which was all I needed to know.
So, there you have it. We have reported this problem to SAP, but I'm pretty sure that this must be a known problem. Let's hope they provide a patch for it real soon.