IMHO the fact that they were even able to find the virus shows that it either was 
indeed just a proof of concept or the author wasn't aware of all the hidden R/3 
features, e.g. hiding ABAP source code entirely through special character 
sequences.
There are a lot of programs (e.g. SAPMSYST, the logon programs) delivered by SAP 
that have been hidden from the customers this way. It's very easy to, e.g., write some 
code that will modify this program and log, e.g., all users/passwords that will be typed 
in on the logon screen. No customer will even have the chance to see that this program 
has been modified this way.

All you need to modify just about everything in the system is the right to debug 
ABAP programs with the right to change values in the debugger. Given these rights 
(most regular developers should have them) you can modify any table in the system and 
circumvent any further authorization checks so practically you have full control, not 
only over the R/3 system itself but you have also direct access to the operating 
system where you can execute programs through the SAP kernel.

To gain these rights you can, e.g., access the R/3 system database directly.
Customers hardly tend to change the default passwords for the database user the R/3 
system uses to log on to the database (sapr3/sap). That way you can modify any table 
in the system and gain access to everything you want...just like above.
You can modify the user table and assign whatever authorization or profile you need to 
your user.

There are ways to write ABAP programs that call C kernel functions for comparing 
passwords (taken from SAPMSYST) to brute force crack passwords, which is VERY easy 
since passwords can have a maximum of 8 characters and are case-insensitive.
Even the warning message when using this function in a custom program introduced with 
4.6B can be avoided.

You can use the built-in transport mechanisms on one infected machine to transport 
virus code or table entries automatically to other SAP systems in the transport 
environment without having to have a logon to these machines, and you can even have 
your code remove all traces and logs of this transport.

After several years of SAP R/2 and R/3 developing and administration experience I came 
to the conclusion that the SAP system security is weak. You can theoretically protect 
systems to a high degree with some effort, but on most customer systems I have worked 
on this is just not the case. And there were huge companies among them. Just no one 
tried to write harmful and/or spy programs so far, so no one is sensible to the matter.

However you will hardly find a network with enough SAP R/3 systems to make it worth 
writing a virus that spreads itself.
With the exception of SAP Walldorf itself maybe.
In my opinion however, there are a lot of ways to write harmful or spy code through 
undocumented features no customer will even know of.

The article says:

"ABAP also requires a skill set that goes beyond that of most hackers,"

That's simply wrong. There is no way ABAP requires a skill set that goes beyond writing 
some c/c++/assembler and sql code.
All it requires is a book about ABAP and some SQL/Database knowledge. Hackers don't 
need the "skill" to write business applications.


----- Original Message ----- 
From: "Thomas Fuhrmann" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; 
<[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; 
<[EMAIL PROTECTED]>
Sent: Wednesday, April 29, 2020 8:22 AM
Subject: WG: Newsbytes Story: Another Computing Platform Gets Its First Virus


> Hi,
> is someone capable to say whether that is dangerous or not?
> From my point of view, the person who can do this must get rights to the
> R/3 system as a developer and and and.
> 
> Regards
> Thomas
> 
> 
> The entire article may be viewed at
> http://www.newsbytes.com/news/02/175855.html
> 
> Another Computing Platform Gets Its First Virus
> 
> By Brian McWilliams,  Newsbytes
> BARCELONA, SPAIN,
> 12 Apr 2002, 1:11 PM CST
> 
> SAPvir, the first virus to infect programs and reports
> used by the high-end SAP R/3 business information system, was posted
> to an online virus library this week.
> 
> Experts said the proof-of-concept code, which does not appear to
> be present in the wild, is the latest effort by virus writers to target
> "exotic" computing platforms.
> 
> The 24-line program, written in SAP's Advanced Business Application
> Programming (ABAP) language, is designed to spread to other programs
> on the local SAP system but does not appear to be destructive or
> network-aware, according to a preliminary analysis of the code by
> Jochen Hein, an independent SAP consultant based in Germany.
> 
> SAP R/3 is an integrated system used by many large corporations for
> functions such as supply-chain management, business intelligence,
> and financials, according to its developer, Germany-based SAP AG.
> 
> Bill Wall, a spokesman for SAP in the U.S., said the company does
> not believe any customers have been infected by the code.
> 
> "What protects our customers is very deep security and very limited
> access to these mission-critical systems. ABAP also requires a skill
> set that goes beyond that of most hackers," said Wall.
> 
> According to its Web site, SAP is the third-largest software company
> in the world.
> 
> The program was posted to VX Heavens, a large online library of
> viruses, on Tuesday. According to the virus site's operator, he
> received an email this week with a link to a Web page containing the
> source code to SAPvir.
> 
> The page, which appears to be operated by Alex Bergonzini of
> Barcelona, Spain, was last modified in October 2001, according to the
> page's header. Bergonzini did not respond to interview requests.
> 
> A copyright notice in the code does not identify its author but
> suggests SAPvir may have been written in 2000.
> 
> While SAPvir may contain bugs that prevent it from working on all
> SAP platforms, according to Hein, the source code could easily be
> modified by programmers who know ABAP to perform more malicious acts.
> 
> "An ABAP program can do anything in the SAP system, including
> modifying data and leaving no trace," said Hein, who noted that a
> line of programming comments in SAPvir states in Spanish, "Here the
> code of destruction or effects of the virus goes."
> 
> While most computer viruses are written for Microsoft's Windows and
> Word applications, in recent months, virus writers have created
> programs that target Microsoft's new .NET platform, Macromedia's
> Flash format, and Adobe's Acrobat software.
> 
> According to Patrick Hinojosa, chief technology officer for
> anti-virus firm Panda Software, SAPvir is "academic" since an
> attacker would need special authorization to plant the code on an
> SAP system.
> 
> "It looks like it would have to be an inside job," said Hinojosa,
> who added that a person with such rights would already have the
> ability to modify or destroy data without the need for a virus.
> 
> SAPvir is on the Web at
> http://www.geocities.com/cbergalex/sap/sapvir.htm .
> 
> SAP AG is at http://www.sap.com .
> 
> Reported by Newsbytes, http://www.newsbytes.com .
> 
> 13:11  CST
> Reposted 14:50  CST
> 
> (20020412/WIRES ONLINE, LEGAL, PC, BUSINESS/VIRUS/PHOTO)
> 
> © 2001 Post Newsweek Tech Media Group
> _______________________________________________
> sapdb.general mailing list
> [EMAIL PROTECTED]
> http://listserv.sap.com/mailman/listinfo/sapdb.general
> 
