Channel: Onapsis » SAP Threats

Profile parameters… the never ending story


The world of profile parameters in SAP is vast and complicated, as an administrator can change the entire behavior of an SAP system by modifying a handful of these parameters.

But just when we thought that we knew everything about profile parameters, we recently discovered something very interesting.

SAP Security Note 1979454 addresses a vulnerability in transaction SHDB (the batch input recorder, a very sensitive transaction since it records and stores the screens and field values entered while recording a transaction) and introduces a new profile parameter, "bdc/shdb/auth_check".

The problem with SHDB was that it checked no authorization object other than S_TCODE, so a user with nothing more than access to the transaction could view any recording made by any user. If the recording was of a user creation, the password typed into it was visible in plain text. To mitigate this risk, an authority check on the object S_BDC_MONI was added inside the SHDB programs. This check is only active, however, when the profile parameter bdc/shdb/auth_check is set to TRUE.

While going through the correction instructions for this note, we noticed that there was no update to the SAP Kernel. We had expected one, since every profile parameter we had dealt with until then was defined by the kernel, so we decided to test the correction instructions to see how this parameter actually worked.

The first step was to download and implement the SAP note through transaction SNOTE. Once the implementation was complete, we executed transaction RZ10 and added the parameter bdc/shdb/auth_check with the value TRUE to the DEFAULT profile.

We added the parameter anyway, even though RZ10 displayed the warning "Unknown parameter": the SAP kernel did not recognize it.


Before executing SHDB to see whether the correction was working, we switched on the ST01 system trace for authorization checks, so that we would have evidence of which checks were actually performed.

Once we executed SHDB, we checked the trace and validated that the authorization check was being performed.

After some further checks we found that the profile file accepts any name/value pair at all, and that such a value can then be read by ABAP code in exactly the same way as a kernel-defined parameter.

In conclusion, the kernel does not need to recognize a profile parameter for it to take effect: the profile file is stored as name/value pairs, and ABAP programs can read any of them. Two things follow for anyone maintaining SAP profile files. First, the "Unknown parameter" warning is not evidence that a line is ignored; an unrecognized name can still drive a security-relevant decision in ABAP, so review unknown entries instead of dismissing them. Second, the same leniency hides mistakes: a misspelt bdc/shdb/auth_check produces the same warning as the correct name and silently leaves the SHDB authority check switched off, so after applying a note of this kind, verify the effect (as we did with the ST01 trace) rather than trusting the profile edit.
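As an added illustration (this is not code from the post, nor from SAP), the following Python script reads a constructed DEFAULT profile the way the post describes the system treating it: every name = value line is stored, $(...) references are resolved, and a parameter the kernel does not know about is still looked up and acted on. It also models the gate from Note 1979454 as the post explains it, so you can see how a misspelt parameter name ends up in the same "unknown" bucket as the real one while leaving the SHDB check off. The profile contents, the short list standing in for "parameters the kernel knows", and the exact-match rule on the value TRUE are assumptions made for this example.

```python
import re

# Constructed sample of an SAP DEFAULT profile (DEFAULT.PFL) for this example.
# The parameter names are real profile parameters; the values are made up.
SAMPLE_PROFILE = """\
# constructed example profile, not taken from a real system
SAPSYSTEMNAME = NPL
SAPGLOBALHOST = nplhost
DIR_TRANS = /usr/sap/trans
DIR_EXE_ROOT = /usr/sap/NPL/SYS/exe
OS_UNICODE = uc
DIR_CT_RUN = $(DIR_EXE_ROOT)/$(OS_UNICODE)/linuxx86_64
login/no_automatic_user_sapstar = 1
login/min_password_lng = 8
# parameter introduced by the SHDB correction: the kernel does not define it,
# but the ABAP programs read it from here regardless
bdc/shdb/auth_check = TRUE
"""

# Constructed, deliberately incomplete stand-in for the set of parameters the
# kernel defines (the list RZ10 consults before warning "Unknown parameter").
KERNEL_KNOWN = {
    "SAPSYSTEMNAME", "SAPGLOBALHOST", "DIR_TRANS", "DIR_EXE_ROOT",
    "OS_UNICODE", "DIR_CT_RUN",
    "login/no_automatic_user_sapstar", "login/min_password_lng",
}

_REF = re.compile(r"\$\(([^)]+)\)")  # matches $(OTHER_PARAMETER)


def parse_profile(text):
    """Store every 'name = value' line as a pair; blanks and '#' comments are skipped.

    Nothing here asks whether the name is known, which is the point of the post.
    """
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed profile line: {raw!r}")
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def resolve(params, name, _depth=0):
    """Return the value of `name` with $(...) references substituted.

    Returns None if the parameter is absent; references to absent parameters
    are left as written. The depth guard stops self-referential loops.
    """
    if name not in params:
        return None
    if _depth > 10:
        raise ValueError(f"reference loop while resolving {name}")

    def substitute(match):
        inner = resolve(params, match.group(1), _depth + 1)
        return match.group(0) if inner is None else inner

    return _REF.sub(substitute, params[name])


def unknown_parameters(params, known=KERNEL_KNOWN):
    """Names RZ10 would warn about. They are stored and readable all the same."""
    return sorted(n for n in params if n not in known)


def shdb_auth_check_enabled(params):
    """Model of the gate described for Note 1979454: the S_BDC_MONI check in SHDB
    runs only when bdc/shdb/auth_check is set to TRUE. Exact, case-sensitive
    matching is an assumption of this example; anything else (absent, misspelt
    name, 'true', '1') is treated as leaving the check switched off.
    """
    return resolve(params, "bdc/shdb/auth_check") == "TRUE"


def audit(text):
    """Summarize what an auditor would want to know about a profile file."""
    params = parse_profile(text)
    return {
        "unknown": unknown_parameters(params),
        "shdb_check": shdb_auth_check_enabled(params),
        "dir_ct_run": resolve(params, "DIR_CT_RUN"),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_PROFILE).items():
        print(f"{key}: {value}")
    # A typo yields the same 'unknown' status as the real name, but no check.
    typo = parse_profile("bdc/shdb/authcheck = TRUE\n")
    print("typo unknown:", unknown_parameters(typo),
          "check enabled:", shdb_auth_check_enabled(typo))
```

Run the script against a copy of your own DEFAULT.PFL to list the entries the kernel would flag and to confirm the SHDB gate is really set; the typo case at the end is the failure mode worth remembering, since the "Unknown parameter" warning looks identical for the correct name and for a misspelling.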

Also, if you aren’t already doing so be sure to follow @Onapsis on twitter to stay up to date on the latest research, events, and information.

