Five SAP design decisions that make ABAP Malware so powerful (Part 4)

April 18, 2025

In the past, SAP made some decisions in the architecture of its solutions that may be important for reliably running them, but that have severe adverse impact on security. In this episode we focus on control.

As already explained in episode 3, SAP ships all ABAP code as source code to its customers. The source code is only compiled on the customer's system, since the actual byte code depends on the operating system in use at the customer side. We also explained that the ABAP development environment itself is written in ABAP. To make this possible, SAP decided to integrate the necessary commands to read, create, modify, store, compile, delete and execute ABAP code into the ABAP language itself.
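An added example, not from the original article: a Python inventory of the source-handling statements described above, run over ABAP source that has been exported to a machine outside the ABAP stack. The statement names are standard ABAP keywords that the article does not list; the export step, the capability labels and the sample source are assumptions of this example.

```python
import re
# Real ABAP statements acting on program source; the verb mapping is assumed.
DYNAMIC_CODE = {
    "READ REPORT": "read", "DELETE REPORT": "delete",
    "INSERT REPORT": "create/modify/store",
    "GENERATE SUBROUTINE POOL": "compile", "SUBMIT": "execute",
}
_PATTERN = re.compile(
    r"^\s*(" + "|".join(k.replace(" ", r"\s+") for k in DYNAMIC_CODE)
    + r")(?=[\s:])", re.IGNORECASE)
# Constructed sample, not taken from any real system.
SAMPLE = """\
* INSERT REPORT in a full-line comment is ignored.
WRITE 'SUBMIT zfoo.'.  " literal, not a statement
read report 'ZTARGET'
  INTO src.
INSERT REPORT 'ZTARGET' FROM src.
SUBMIT ztarget AND RETURN.
"""

def strip_noise(line):
    """Drop ABAP comments and literal contents so they cannot match."""
    if line.startswith("*"):      # '*' in column 1: full-line comment
        return ""
    out, quote = [], None
    for ch in line:
        if quote:                 # inside '...', `...` or |...|
            quote = None if ch == quote else quote
        elif ch == '"':           # inline comment runs to end of line
            break
        elif ch in "'`|":
            quote = ch
        else:
            out.append(ch)
    return "".join(out)

def find_dynamic_code(source):
    """Return (line_no, keyword, capability) per matching statement."""
    cleaned = "\n".join(strip_noise(l) for l in source.splitlines())
    hits, line_no = [], 1
    for stmt in cleaned.split("."):   # ABAP statements end with '.'
        lead = len(stmt) - len(stmt.lstrip())
        m = _PATTERN.match(stmt)
        if m:
            kw = " ".join(m.group(1).upper().split())
            hits.append((line_no + stmt[:lead].count("\n"), kw, DYNAMIC_CODE[kw]))
        line_no += stmt.count("\n")
    return hits
```

Hits are candidates for manual review, not verdicts: a data object named `report` (for example `INSERT report INTO TABLE ...`) also matches.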

What does that mean from an ABAP Malware perspective?

Not only is all ABAP code, including administrative tools, accessible as source code; the capability to modify this code is also practically handed to an ABAP Malware on a silver platter. As a consequence, ABAP Malware can easily rewrite arbitrary programs on the SAP server. It could, for example, rewrite the ABAP development environment and hide/block all access to its source code in order to prevent discovery/analysis. It could also rewrite the code of SAP security tools, especially code scanners (see the blog post "ABAP Code Scanners are useless against ABAP Malware" for details).

Programming languages with such powerful capabilities usually run in a sandbox where specific dangerous features can be disabled. However, ABAP does not run in a sandbox. This means that an ABAP Malware can rewrite all critical programs on an SAP server within seconds and take total control over the server. And there is no way to prevent such a hostile takeover once a Malware reaches an ABAP server.

And once the ABAP Malware is in control, it is next to impossible to remove it, especially considering the Malware's persistence in the database, as explained in episode 3.

To be continued...

This is the sixth article in our malware series that provides you with insights into ABAP malware research, ABAP malware capabilities and ABAP malware defensive strategies.

If you'd like to know more about ABAP malware risks, please contact us.