Dear readers,
a long time has passed since my last post, and even more has changed in my life.
My “blue team” perspective has changed to the viewpoint of an internal auditor – and upcoming posts will probably reflect this… life remains exciting. 😎
In the following, we’ll take a look at customer name ranges in SAP and how to use them to move things like malicious code out of the sight of security people and… well… auditors.
First of all:
Customer-created objects in SAP do not always start with Y* and Z*.
There are many more possibilities.
Let’s start with some obvious things: Workbench objects in SAP (custom reports, tables, transaction codes, function modules, and many more) may not be named arbitrarily. They are bound to name ranges, which SAP designated for customer developments.
SAP Note 16466 – “Customer name range for SAP objects” gives a list of allowed name ranges per object type (yes: different types have different allowed name ranges).
In this post, we’ll focus on some of the types that are interesting to an attacker because they allow data manipulation, implementing backdoors, etc.: ABAP reports (obvious!), tables (just because), and transaction codes (e.g. to bypass S_PROGRAM checks).
Let’s see what the above-mentioned SAP note 16466 says about the allowed customer name ranges for these objects:

SAP adds in a strict but benevolent tone:
“It is essential that you always adhere to the SAP naming conventions. Serious problems may otherwise result during the next upgrade (the upgrade overwrites customer objects).”
We’ll come back to that later.
It’s time to dive deeper: when you try to create – for example – a new report in the ABAP workbench, a function module is called in the background that checks the specified name for its compliance with the allowed name ranges.
The relevant FM is TRINT_GET_NAMESPACE and it differentiates between 3 types of object names:
- Customer,
- Partner, and
- SAP-reserved
For objects in the partner and SAP-reserved name ranges, you need an object key to create them – we won’t discuss them here.
The allowed names can be found in the FM’s source code (which is long spaghetti code that has grown over many years).
I’ll quickly summarize it for our 3 examples (reports, tables, and transaction codes) here:
Reports (ABAP programs):

Name starts with... | Name range | Remarks by SAP |
---|---|---|
Y, Z | Customer | Old customer namespace |
MP9 | Customer | Infotype dialog module |
SAPDY, SAPDZ, DY, DZ | Customer | Dialog module pools |
SAPFY, SAPFZ, FY, FZ | Customer | Subroutine pools |
SAPMY, SAPMZ, MY, MZ | Customer | Module pools |
SAPUY, SAPUZ, UY, UZ | Customer | Update tasks |
MENUY, MENUZ, MENU+ | Customer | Menus |
MSTY, MSTZ, MSTP9, MSTT9, MSTHRI9, MSTHRP9, MSTHRT9, MSTPA9, MSTPB9, MSTPS9, MSTPT9 | Customer | Tables; 3.0E |
MC_Y, MC_Z, MC_....0 to MC_....9 | Customer | Modifiable MC programs; customer MCOBs; customer MCIDs |
%H_Y, %H_Z | Customer | Modifiable help view program |
J_, MJ, DJ, FJ, UJ | Partner | Old partner namespace |
SAPMJ, SAPDJ, SAPFJ, SAPUJ, MSTJ_, MSTTJ, MENUJ | Partner | Old partner namespace |
(all others) | SAP-reserved | |

Tables:

Name starts with... | Name range | Remarks by SAP |
---|---|---|
YY, ZZ, CI_, H_Y, H_Z, HRI9, HRP9, HRT9, PA9, PB9, PS9, PT9, P9 | Customer | Old customer namespace; 3.0E |
Y, Z, T9 | Customer (with exceptions) | Table names in this range are checked against the exception table TDKZ. If no entry is found, the name belongs to the customer name range. Table TDKZ usually contains the entries listed in the second-to-last row of this table. |
J_, TJ | Partner | Old partner namespace; TJ tables only for 2.2 compatibility |
T9COM, T9DEV, T9PRO, ZCXCB, ZCXCM, ZHLB1, ZHLG1, ZHLG2, ZIS_FORM | SAP-reserved | These table names are SAP-reserved as per the exception table TDKZ. |
(all others) | SAP-reserved | |

Transaction codes:

Name starts with... | Name range | Remarks by SAP |
---|---|---|
Y, Z, + | Customer | Old customer namespace |
J | Partner | Old partner namespace |
(all others) | SAP-reserved | |
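As an added example (my own script, not code from the post or from SAP), the following Python encodes the prefix lists from the three tables above into a classifier that an auditor can run over an exported object list (e.g. from TADIR) to flag customer-range objects a simple Y*/Z* filter would miss. It assumes that prefixes match literally (so "+" and "%" are ordinary characters), that the longest matching prefix wins, and that TDKZ contains exactly the SAP-reserved prefixes listed above; the sample inventory is constructed.

```python
"""Added example: classify SAP object names by the Note 16466 name ranges
tabulated above and flag customer-range objects that do not start with Y/Z."""
from typing import Dict, Iterable, List, Tuple

_CUSTOMER_PROGRAMS = ("Y Z MP9 SAPDY SAPDZ DY DZ SAPFY SAPFZ FY FZ SAPMY SAPMZ MY MZ "
                      "SAPUY SAPUZ UY UZ MENUY MENUZ MENU+ MSTY MSTZ MSTP9 MSTT9 "
                      "MSTHRI9 MSTHRP9 MSTHRT9 MSTPA9 MSTPB9 MSTPS9 MSTPT9 MC_Y MC_Z "
                      "%H_Y %H_Z").split()
_PARTNER_PROGRAMS = "J_ MJ DJ FJ UJ SAPMJ SAPDJ SAPFJ SAPUJ MSTJ_ MSTTJ MENUJ".split()
PROGRAM_RANGES: Dict[str, str] = {**{p: "Customer" for p in _CUSTOMER_PROGRAMS},
                                  **{p: "Partner" for p in _PARTNER_PROGRAMS}}
# Tables: "Customer*" prefixes are customer only if no TDKZ exception matches.
TABLE_RANGES: Dict[str, str] = {
    **{p: "Customer" for p in "YY ZZ CI_ H_Y H_Z HRI9 HRP9 HRT9 PA9 PB9 PS9 PT9 P9".split()},
    **{p: "Customer*" for p in "Y Z T9".split()},
    **{p: "Partner" for p in "J_ TJ".split()}}
# Assumed TDKZ content: the SAP-reserved prefixes from the tables table above.
TDKZ_EXCEPTIONS = tuple("T9COM T9DEV T9PRO ZCXCB ZCXCM ZHLB1 ZHLG1 ZHLG2 ZIS_FORM".split())
TCODE_RANGES: Dict[str, str] = {"Y": "Customer", "Z": "Customer", "+": "Customer", "J": "Partner"}
RANGES = {"PROG": PROGRAM_RANGES, "TABL": TABLE_RANGES, "TRAN": TCODE_RANGES}


def classify(kind: str, name: str) -> str:
    """Return 'Customer', 'Partner' or 'SAP-reserved' for an object of the given kind."""
    name = name.upper()
    # MC_....0 to MC_....9 programs: four arbitrary characters after MC_, then a digit.
    if kind == "PROG" and name.startswith("MC_") and len(name) >= 8 and name[7].isdigit():
        return "Customer"
    ranges = RANGES[kind]
    hit = max((p for p in ranges if name.startswith(p)), key=len, default=None)
    if hit is None:
        return "SAP-reserved"
    if ranges[hit] == "Customer*":  # Y/Z/T9 tables: consult the exception table TDKZ
        return "SAP-reserved" if name.startswith(TDKZ_EXCEPTIONS) else "Customer"
    return ranges[hit]


def hidden_customer_objects(objects: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (kind, name) pairs in the customer range that a Y*/Z* filter would miss."""
    return [(k, n) for k, n in objects
            if classify(k, n) == "Customer" and not n.upper().startswith(("Y", "Z"))]


# Constructed sample inventory (kind, name), as it might be exported from TADIR.
SAMPLE = [("PROG", "ZREPORT1"), ("PROG", "MSTHRP9INT"), ("PROG", "RSUSR002"),
          ("PROG", "SAPMJ_PARTNER"), ("TABL", "ZCXCB"), ("TABL", "CI_EKKODB"),
          ("TABL", "T9DEV_X"), ("TRAN", "+CUST01"), ("TRAN", "SE38")]
if __name__ == "__main__":
    for kind, name in hidden_customer_objects(SAMPLE):
        print(f"{kind} {name}: customer name range outside Y*/Z*")
```

Run against the sample, the script reports MSTHRP9INT, CI_EKKODB and +CUST01 as customer objects outside Y*/Z*, while ZCXCB and T9DEV_X correctly land in the SAP-reserved range via TDKZ.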
So, we have a whopping 47 name ranges to choose from for the next malicious report! … and hardly any auditor will ever identify a program called MSTHRP9INT as a customer-developed one.
To be even more sure, you could also fake the report’s “creator” easily (more on this in one of the next posts).
Now back to SAP’s stern statement on what happens when you’re not nice and use name ranges not listed in Note 16466:
First, I doubt it – but didn’t check it myself. Since the FM TRINT_GET_NAMESPACE is used by every workbench-related functionality in the ABAP stack, I would assume that all ABAP code that is called during an update also uses the same logic. The command-line tools (tp, R3trans …) are usually kept in sync with their ABAP counterparts, so they’ll probably perform very similar checks as well.
And secondly, it doesn’t matter. Most attackers would probably do what they intended to do once they have compromised an SAP system to that extent. There’s no need to wait a long time and then come back… and persistence inside a victim’s network can be achieved in more reliable ways and with fewer traces to cover.
Happy hunting and see you! 😀
PS: Just to prevent confusion – this post is about “name ranges”, not “namespaces” like /SNAKEOIL.