Daniel Berlin on Security Insight on SAP security, development stuff… and all the rest

16Mar 14

Lock your backdoor: Detecting hard-coded user names in ABAP

Hello everybody!Lock your backdoor
A few months passed since my last post – so it's about time for new one! 💡

User name as a code condition

The system field SY-UNAME contains the name of the currently logged-on user and is quite frequently used by developers to facilitate tests by adding special conditions to their code. The block of code that is executed depending on the current user's name is usually only intended for the developer him-/herself.
Although developer guidelines almost always include the obligation to make use of AUTHORITY-CHECKs, these checks might interfere with functional tests – and people might want to circumvent them (just for the tests, of course). No matter what the intention was, this approach leads to programs that do authorization checks for all users – except for the developer of the code... bad thing!
The following code snippet is probably one of the most prominent examples:

IF sy-uname <> 'DEVELOPER'.
    AUTHORITY-CHECK ...
ENDIF.

Right after the successful test phase, the code is transported to production and the conditional code might never be made universal...
If we consider malicious behavior, such code is called a backdoor and/or hidden function and this means that there is a need for action (at least to protect your developer colleagues)!

How to detect it

To find affected code, the SAP standard report RS_ABAP_SOURCE_SCAN is of great help — you can use it to search for plain strings or expressions in reports, classes, etc.
Since we're interested in IF conditions that check the value of SY-UNAME, I'd suggest to search using "IF .*sy-uname" as the expression and tick the checkbox "String is standard expression".
In the sample below, I limited the code to search in to programs with name Z*, but you might probably want to adjust this according to your needs (e.g. your registered namespaces).
Search for hard-coded user names in ABAP
The result shows two different conditions that use SY-UNAME in a possibly evil way:
Sample result showing hard-coded user name checks

Detection gaps

The search expression above is rather straight forward...
Unfortunately, it can be tricked easily by a developer, who knows it:

DATA: foobar TYPE syuname.
foobar = sy-uname.
 
* Obfuscated condition
IF foobar <> 'MYSELF'.
    AUTHORITY-CHECK ...
ENDIF.

So – when you establish controls to prevent the usage of user-based conditions, this is something to keep in mind.
Humans are usually better at detecting fuzzy patterns that computers are... 😎

Countermeasures

Code that is bypassed based on the value of SY-UNAME should never be used!

➡ All instances of hard-coded user names in customer code used on productive systems should be corrected.
➡ Controls should be established to prevent such code from being transported.
You might want to integrate the use of the SAP code inspector into your transport process.

See ya!