CVE-2023-36922 - SAP NetWeaver ABAP (IS-OIL) Command Injection – Exploit Details, Risks, and Defense

*Published: June 2024 | by InfosecPost*

Overview

CVE-2023-36922 is a dangerous command injection vulnerability discovered in SAP NetWeaver ABAP – particularly the IS-OIL industry solution component – which affects a wide range of versions: 600, 602, 603, 604, 605, 606, 617, 618, 800, 802, 803, 804, 805, 806, 807. If an attacker has authentication to an impacted SAP system, they can abuse this flaw to run operating system commands with the permissions of the ABAP system user. This can lead to manipulation, theft, or deletion of data and, in worst cases, complete system shutdown.

Below, we break down the vulnerability, show how it can be exploited (with sample code snippets), suggest remediations, and provide essential resources. This post is written in simple terms, without jargon that might confuse people new to SAP security.

What Is the Vulnerability?

SAP NetWeaver ABAP is a foundational platform used by thousands of enterprise systems worldwide. IS-OIL is a standard industry extension for the oil & gas sector. In the affected versions, a coding error in a report or function module accidentally exposes a parameter that is passed directly into an OS execution command, without input sanitization.

Why is this dangerous?

Attackers with a basic SAP user account (they need to be authenticated) can submit manipulated inputs, causing NetWeaver to run OS commands of their choice.

- Read/modify system data: Attackers can extract sensitive config files, change data, or even plant backdoors.
- Shut down the system: By injecting commands like shutdown, attackers can knock out critical ERP operations.

Root Cause

The flaw comes from passing user-controlled input directly to the ABAP Statement CALL 'SYSTEM' or similar OS command without proper checks. Here’s a simplified example:

PARAMETERS: p_cmd TYPE string.

START-OF-SELECTION.
  CALL 'SYSTEM' ID 'COMMAND' FIELD p_cmd.

Above: If this parameter is exposed through a wide-usage report or function (like in IS-OIL extensions shipped by SAP), any authenticated user can insert shell commands.

Real-World Example

Let's say a legit parameter is supposed to accept a file path for a backup script, but the function doesn't sanitize input:

PARAMETERS: p_file TYPE string.

START-OF-SELECTION.
  COMMAND = 'cp ' && p_file && ' /tmp/'
  CALL 'SYSTEM' ID 'COMMAND' FIELD COMMAND.

If you submit as p_file the value:  
/etc/passwd; rm -rf /
… it would execute cp /etc/passwd; rm -rf / /tmp/
Dangerous!

Exploit Scenario

Requirements:

Log in to SAP GUI or browser (e.g., SAP Fiori)

2. Launch the vulnerable report/module (for example, via transaction SA38, run the specific IS-OIL ABAP report)

Submit the task – the backend ABAP code runs the OS command with SYSTEM privileges.

Result:

Here is a simulated code PoC (do NOT use this on production systems!)

PARAMETERS: p_cmd TYPE string.

START-OF-SELECTION.
  DATA: result TYPE abap_bool.

  CALL 'SYSTEM' ID 'COMMAND' FIELD p_cmd ID 'RESULT' FIELD result.

  WRITE: / 'Command executed:', p_cmd.

If the user sets p_cmd to id; whoami; cat /etc/passwd, SAP passes the entire value to the Linux shell.

Patch Immediately:

SAP has released a security note (SAP Note 3350297) that patches all affected versions. Install it urgently.

Input Validation:

Always validate and sanitize input parameters before using them in OS commands. Never pass raw user input.

ELSE.

WRITE: / 'Invalid command parameter.'.

Restrict Access:

Limit user access to sensitive reports/function modules to trusted users only.

Monitor Logs:

Watch transaction logs for POST requests or input patterns like ;, &&, or suspicious shell commands.

Links & References

- SAP Security Note 3350297 (login required)
- SAP NetWeaver ABAP Platform
- SAP Product Security Response
- Common Vulnerability Scoring System (CVSS)

Final Thoughts

CVE-2023-36922 is a textbook example of why input validation is so important, even for “internal only” SAP modules. Attackers *love* lateral movement, so an internal SAP account means little protection if reports are not coded safely. If you’re an SAP admin, patch immediately and review your custom ABAP reports for similar mistakes.

Keep your NetWeaver landscape secure – always validate, sanitize, and PATCH!

Questions? Comments?  
Feel free to reach out or comment below!


*This article is exclusive to InfosecPost. Do not reproduce without credit.*

Timeline

Published on: 07/11/2023 03:15:00 UTC
Last modified on: 07/18/2023 18:28:00 UTC