SAP logon user exit hack


In SAP there is a user exit that runs immediately after a user logs on. It has legitimate uses, but it is also a convenient place for anyone with development access to plant code that runs in the context of every user who logs on.

Questions that will be answered in this blog are:

  • How to switch on the user exit after logon?
  • What is good use of the user exit after logon?
  • How to use the user exit for hacking?

Activation of the user exit

In transaction SMOD you can call up user exit SUSR0001:

This exit has only one component, function module EXIT_SAPLSUSF_001:

Double click on the exit to go to the Z code include:

To activate the exit, create a project in CMOD and assign this enhancement to it. Then double click on the include ZXUSRU01 to create it, write your code there, activate the include and activate the project. Until the project is active, the code in the exit is not executed.

Good use of the user exit

The user exit itself is described in OSS note 37724 – Customer exits in SAP logon. An example of good use is to restrict multiple logons in case you cannot switch on the profile parameter login/disable_multi_gui_login. See OSS note 142724 – Prevention of multiple SAPGUI logons.

The exit is also used a lot by GRC and firefighter-type tools.

For the ITS WebGUI, the call of the logon user exit can be skipped with a URL parameter. See OSS note 1465767 – Logon user exit SUSR0001 not called. Do not rely on this exit as the only enforcement point for a control: a logon path that does not call it bypasses whatever you implemented here.
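As an added example of the multiple-logon restriction mentioned above (this is not the code from OSS note 142724 and not code from the original post), this is what include ZXUSRU01 could contain. It assumes that TH_USER_LIST returns the logons of the current application server and that the logon that is running the exit is already in that list; the emergency user name ZSECADM and the use of LEAVE PROGRAM to end the rejected session are this example's own choices, not something the note prescribes.

```abap
*----------------------------------------------------------------------*
*   INCLUDE ZXUSRU01
*   Added example: reject a second logon of the same user on this
*   application server. Not the code of OSS note 142724.
*   Assumptions: TH_USER_LIST lists the logons of this server only, the
*   current logon is already in the list, LEAVE PROGRAM ends the session.
*   ZSECADM is a hypothetical emergency user that is never blocked.
*----------------------------------------------------------------------*
CONSTANTS lc_bypass LIKE sy-uname VALUE 'ZSECADM'.   " hypothetical name

DATA: lt_users TYPE STANDARD TABLE OF uinfo,
      lv_count TYPE i.

" A syntax error in this include blocks every logon, so keep the code
" minimal and always leave one exempt user to get back in.
CHECK sy-uname <> lc_bypass.

" TH_USER_LIST returns every user logged on to this server. On a large
" system that is a long list at every logon, so keep the loop cheap.
CALL FUNCTION 'TH_USER_LIST'
  TABLES
    list = lt_users.

LOOP AT lt_users TRANSPORTING NO FIELDS
     WHERE mandt = sy-mandt AND bname = sy-uname.
  lv_count = lv_count + 1.
ENDLOOP.

" The logon that is running this exit is already counted once, so a
" count above one means another logon of the same user exists.
IF lv_count > 1.
  MESSAGE 'Multiple logons are not allowed.' TYPE 'I'.
  LEAVE PROGRAM.
ENDIF.
```

Two caveats apply. The list contains all logon types of the user on this server, so an RFC logon of the same account would also count; if that is not wanted, filter the list further. And, as the comment thread on this page points out, TH_USER_LIST cannot be restricted to one user, so on a busy system this adds a full session scan to every logon; activate it in a sandbox first and measure before moving it to production.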

The user exit logon hack

In the user exit code you can put in any ABAP you like, and it runs for every user at the moment of logon.

As a hacking example: copy function module PASSWORDCHECK together with the screen that belongs to it to your own function module ZPASSWORDCHECK.

Modify the screen logic a bit. This is the original code:

Now change the code: the password is always reported back as OK, and whatever the user typed into the password field is yours: you can mail it or store it somewhere to pick it up later.

Put a call to the altered copy in the user exit with logic like this (pseudocode in ABAP syntax; the parameter that hands back the entered password depends on your copy):

" Include ZXUSRU01: prompt one target user once and keep what was typed
IF sy-uname = 'TARGETUSER' AND lv_captured = abap_false.
  CALL FUNCTION 'ZPASSWORDCHECK'.   " altered copy: dialog shown, "OK" always returned
  " store the captured clear-text input (Z table, mail, ...)
  lv_captured = abap_true.          " flag must be persisted, or the prompt repeats at every logon
ENDIF.

This looks as follows at runtime:

Many end users (and even auditors) will enter their password without thinking twice.

Alternatively you can use function module POPUP_GET_USER_PASSWORD as the basis for your copy; this one also handles the password in clear text:

The content of the password field can be stored in the same way.

This has the following look and feel:

Detection and protection

It is wise to shield off this user exit from improper use and to check at least yearly what is inside it. In practice that means: limit who holds development authorization (S_DEVELOP) for the include ZXUSRU01 and the CMOD project in production, make sure changes to it only arrive through the transport system where they can be reviewed, look at the version history of the include (SE38, Utilities > Versions) for changes you cannot explain, and read the code for password dialogs, screens, mail calls or writes to Z tables that have no business in a logon exit. A copy of PASSWORDCHECK or POPUP_GET_USER_PASSWORD under a Z name is a red flag on its own.
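The yearly check can be partly automated. The report below is an added example (not from the original post and not an SAP-delivered tool): it reads the source of include ZXUSRU01, flags lines that contain constructs typical of the attack described above, and compares a SHA-256 of the source with the hash recorded at the previous review. The baseline table ZSEC_EXIT_BASELINE (fields PROGNAME and HASH) is assumed to have been created by the security team and is hypothetical; everything else uses standard ABAP statements and classes.

```abap
*&---------------------------------------------------------------------*
*& Report ZSEC_CHECK_LOGON_EXIT
*& Added example: review the logon user exit include ZXUSRU01.
*& Assumption: Z table ZSEC_EXIT_BASELINE (PROGNAME, HASH) exists and
*& holds the hash stored at the last review (hypothetical table).
*&---------------------------------------------------------------------*
REPORT zsec_check_logon_exit.

CONSTANTS gc_include TYPE progname VALUE 'ZXUSRU01'.

TYPES: BEGIN OF ty_hit,
         line    TYPE i,
         pattern TYPE string,
         source  TYPE string,
       END OF ty_hit.

DATA: lt_source   TYPE STANDARD TABLE OF string,
      lt_patterns TYPE STANDARD TABLE OF string,
      lt_hits     TYPE STANDARD TABLE OF ty_hit,
      ls_hit      TYPE ty_hit,
      lv_line     TYPE string,
      lv_upper    TYPE string,
      lv_pattern  TYPE string,
      lv_all      TYPE string,
      lv_hash     TYPE string,
      lv_baseline TYPE string,
      lv_tabix    TYPE i.

START-OF-SELECTION.

" Strings that have no business in a logon exit: the two modules the
" attack copies, dialog screens, and the usual ways to get data out.
APPEND 'PASSWORDCHECK'           TO lt_patterns.
APPEND 'POPUP_GET_USER_PASSWORD' TO lt_patterns.
APPEND 'CALL SCREEN'             TO lt_patterns.
APPEND 'SO_NEW_DOCUMENT'         TO lt_patterns.   " SAPoffice mail
APPEND 'CL_BCS'                  TO lt_patterns.   " BCS mail
APPEND 'OPEN DATASET'            TO lt_patterns.   " server file system
APPEND 'HTTP_CLIENT'             TO lt_patterns.   " outbound HTTP

" 1. Read the include. No include means the exit has no code at all.
READ REPORT gc_include INTO lt_source.
IF sy-subrc <> 0.
  WRITE: / gc_include, ': include does not exist, exit not implemented.'.
  RETURN.
ENDIF.

" 2. Scan every non-comment line, case-insensitively, for the patterns.
LOOP AT lt_source INTO lv_line.
  lv_tabix = sy-tabix.
  lv_upper = lv_line.
  TRANSLATE lv_upper TO UPPER CASE.
  IF lv_upper IS INITIAL.
    CONTINUE.
  ENDIF.
  IF lv_upper(1) = '*'.            " full-line comment, cannot execute
    CONTINUE.
  ENDIF.
  LOOP AT lt_patterns INTO lv_pattern.
    IF lv_upper CS lv_pattern.
      ls_hit-line    = lv_tabix.
      ls_hit-pattern = lv_pattern.
      ls_hit-source  = lv_line.
      APPEND ls_hit TO lt_hits.
    ENDIF.
  ENDLOOP.
ENDLOOP.

" 3. Hash the complete source and compare with the stored baseline, so
"    any change since the last review is visible even without a pattern hit.
CONCATENATE LINES OF lt_source INTO lv_all
  SEPARATED BY cl_abap_char_utilities=>newline.
TRY.
    cl_abap_message_digest=>calculate_hash_for_char(
      EXPORTING if_algorithm  = 'SHA256'
                if_data       = lv_all
      IMPORTING ef_hashstring = lv_hash ).
  CATCH cx_abap_message_digest.
    lv_hash = 'HASH-ERROR'.
ENDTRY.

SELECT SINGLE hash FROM zsec_exit_baseline INTO lv_baseline
  WHERE progname = gc_include.                      " hypothetical table

WRITE: / 'Include', gc_include, 'SHA-256:', lv_hash.
IF lv_baseline IS INITIAL.
  WRITE: / 'No baseline recorded: review the code and store this hash.'.
ELSEIF lv_baseline <> lv_hash.
  WRITE: / 'ALERT: source changed since the last review.'.
ELSE.
  WRITE: / 'Source unchanged since the last review.'.
ENDIF.

IF lt_hits IS INITIAL.
  WRITE: / 'No suspicious constructs found.'.
ELSE.
  WRITE: / 'Suspicious constructs:'.
  LOOP AT lt_hits INTO ls_hit.
    WRITE: / ls_hit-line, ls_hit-pattern, ls_hit-source.
  ENDLOOP.
ENDIF.
```

Run it after every transport that touches the CMOD project and once a year regardless, and store the new hash only after someone has read the code. The pattern list is deliberately short; extend it with whatever the exit legitimately should never contain in your system, and treat a hash change without a matching transport or version entry as an incident, not as noise.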

4 thoughts on “SAP logon user exit hack”

  1. Hi,

    This user exit is a perfect place to log the SAPGUI version that this user has,
    and is valuable info in an upgrade SAPGUI project.

    BUT! Be very careful that you don't get a syntax error in this exit,
    otherwise it will no longer be possible to log on to this system.

    KR, Dirk

    1. Hi Dirk,

      To get the SAP GUI version, you need to call function module TH_USER_LIST to get the list of sessions. The GUI version is in the field GUIVERSION of output table USRLIST. But the problem is with very large systems: at every logon you get a huge list, since you cannot target one single user with TH_USER_LIST. So your method is usable on small systems only. If executed on big ones, it will slow the system down. To still capture the GUI data on a large system, the alternative is to write a program that captures the versions of logged-on users and puts them into a Z table. Then run this program every hour in batch.

        1. You are right indeed. CL_GUI_FRONTEND_SERVICES=>GET_GUI_VERSION does give the installed GUI version, patch level, hotfix and build number. Thanks for this tip!
