SAP Debugger, powerful yet dangerous! 


It must have been a few years ago that I participated in a webinar organized by the German-speaking SAP user group (DSAG). In that webinar, the SAP representative explained a recently corrected vulnerability. The correction did not remove the problematic code but only introduced an additional check, which, in my opinion, is the normal procedure. However, after the explanation by the SAP speaker, a question came from the audience: How does the fix protect against attackers who use SAP Debugger to skip the check? In response, the spokesperson vehemently emphasized that an SAP system in which users have debugging privileges (coupled with changes to program variables) cannot be protected from compromise.

The combination of the debugger authorization with the ability to change program variables is called, in SAP lingo, Debug & Change. To support the statement of the SAP expert, let’s look at two questions: What is the SAP Debugger, and what can it do to the system?

What is the SAP Debugger?

The SAP Debugger, also known as the ABAP Debugger, is one of the most important development tools offered by SAP. An ABAP developer or a technical SAP consultant uses it to analyze problems or to simulate program flows. Usually, the debugger is simply used to understand a certain behavior in SAP ERP and to identify or understand customizing options. Provided that a user has the appropriate authorizations, the debugger can be called from all ABAP screen-based transactions using function code /h. The SAP ABAP Debugger can also be used in OData, WebDynpro for ABAP, etc.   

What can I do in the SAP Debugger?

In addition to the generally known functions such as the step-by-step processing of source code and the analysis of values of program variables, there are still some hidden features not known by everyone. 

Did you know that you can start a remote debug session with the SAP Debugger, where you can analyze – or influence – a user’s SAP session? The feature is not new, by the way, as evidenced by this blog from 2013: Remote ABAP Debugging.

Alternatively, you can let the cursor jump from line 1 to n without executing the source code in-between. 

So-called breakpoints can also be set dynamically. Breakpoints stop the debugger, or to be more precise, the cursor at a certain point in the program flow. 

In addition to the ability to view the values of a program variable, there is also the option to change them. SAP offers the possibility to authorize this function granularly. More about this in the section: How can you protect yourself?

What risks arise from the SAP Debugger?

It was rightly pointed out by the speaker of the SAP webinar mentioned at the beginning of this article that the debugger can be used to compromise the system, provided that the attacker holds or acquires the authorization to do so. 

Some examples spotted in the wild: 

  • Bypassing authorization checks by resetting the return code (SY-SUBRC) or setting the cursor.
  • Changing values in program variables to infiltrate or manipulate the database.
  • Modifying the program flow to obtain an abort or a change of the end result.

You should know that an attacker who obtains the coveted Debug & Change permission typically does not base the attack on the debugger only but uses it in the Reconnaissance phase or in the Gaining Access phase. The SAP Debugger can also be a helpful tool in wiping the evidence of the SAP attack, since everyone knows the SE16 trick: How to edit SAP tables in Debug Mode using SE16.

This, of course, makes it more important to recognize an anomaly in usage behavior, as described in the recently published article: The easy way to spot anomalies in SAP. It is even better if so-called indicators of compromise are detected at an early stage in order to be able to identify attacks. 

How can you protect yourself?

Although these functions of the SAP Debugger can be restricted via authorizations, you will quickly notice that developers cannot work without extensive authorizations. Of course, the work of the SAP developer is mainly done in the development system. Therefore, there is no need to allow SAP Debug authorization, especially in combination with change permission for program variables, in a system with productive data. So, you should ensure that this critical authorization combination is not, and never will be, assigned in a productive SAP environment.

Use the authorization object “S_DEVELOP” and prevent object type “DEBUG” in combination with the following activities:

  • ‘02’ – Changing values of fields and (as of Release 6.10) the function “Goto statement”, and
  • ‘90’ – Debugging of sessions of other users.
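
One way to check role definitions for this combination, added here as an illustration and not taken from SAP or the author's tooling: the script below reads a CSV export of the role authorization table AGR_1251 and reports roles that grant S_DEVELOP with OBJTYPE DEBUG together with activity 02 or 90, including grants hidden behind `*` patterns or value intervals. The CSV column layout and the role names are assumptions; the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict
from fnmatch import fnmatchcase

CRITICAL_ACTVT = ("02", "90")  # activities the article says to keep out of production
# Constructed sample in an assumed CSV layout of role table AGR_1251.
SAMPLE_EXPORT = """AGR_NAME,OBJECT,AUTH,FIELD,LOW,HIGH
Z_BASIS_ALL,S_DEVELOP,T_2,OBJTYPE,*,
Z_BASIS_ALL,S_DEVELOP,T_2,ACTVT,*,
Z_SUPPORT,S_DEVELOP,T_3,OBJTYPE,DEB*,
Z_SUPPORT,S_DEVELOP,T_3,ACTVT,01,03
Z_SPLIT,S_DEVELOP,T_4,OBJTYPE,DEBUG,
Z_SPLIT,S_DEVELOP,T_4,ACTVT,03,
Z_SPLIT,S_DEVELOP,T_5,OBJTYPE,PROG,
Z_SPLIT,S_DEVELOP,T_5,ACTVT,02,
"""

def covers(low, high, value):
    """True if one LOW/HIGH entry covers value (single value, '*' pattern or interval)."""
    low, high = (low or "").strip(), (high or "").strip()
    if high:
        return low <= value <= high
    return fnmatchcase(value, low)

def find_debug_change(rows):
    """Return sorted (role, activity) pairs granting S_DEVELOP/DEBUG with 02 or 90."""
    # Field values only combine inside one authorization instance (role + AUTH).
    inst = defaultdict(lambda: defaultdict(list))
    for r in rows:
        if r["OBJECT"] == "S_DEVELOP" and r.get("DELETED", "") != "X":
            inst[(r["AGR_NAME"], r["AUTH"])][r["FIELD"]].append((r["LOW"], r["HIGH"]))
    hits = set()
    for (role, _auth), fields in inst.items():
        if not any(covers(lo, hi, "DEBUG") for lo, hi in fields["OBJTYPE"]):
            continue
        for actvt in CRITICAL_ACTVT:
            if any(covers(lo, hi, actvt) for lo, hi in fields["ACTVT"]):
                hits.add((role, actvt))
    return sorted(hits)

def audit(csv_text):
    """Parse the CSV export text and return the findings."""
    return find_debug_change(csv.DictReader(io.StringIO(csv_text)))

if __name__ == "__main__":
    for role, actvt in audit(SAMPLE_EXPORT):
        print(f"{role}: S_DEVELOP OBJTYPE=DEBUG ACTVT={actvt}")
```

The check covers role data only; authorizations that reach users through directly assigned profiles are not visible in such an export and need a separate review.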

You can achieve additional protection by regularly and promptly analyzing the activities in the associated SAP logs, in this case the SAP Security Audit Log (SAL). 

However, this can be very time-consuming. In particular, the reliable detection of anomalies or an indicator of compromise for the SAP system requires additional analyses. If you do not have time to do this manually, I recommend trying SecurityBridge Threat Detection. 

Posted by

Ivan Mans