In the classic RFC SDK 7.20 the example programs (for instance startrfc and rfcexec) are no longer included. As of SAP Kernel Release 720, the program "rfcexec" from the classic Remote Function Call (RFC) Software Development Kit (SDK) is no longer delivered together with the kernel.
Cause
The example programs of the classic RFC SDK (such as "startrfc" and "rfcexec") were classified as a serious security risk (see SAP doc 1140031) and are therefore no longer delivered with the kernel or with the classic RFC SDK.
As of SAP Kernel Release 7.41, the programs "startrfc" and "rfcexec" are delivered with the SAP NetWeaver RFC SDK for the IDoc scenario and are installed in the kernel directory. The security-relevant changes are listed under "Option 1" in the "Symptom" section of SAP doc 1140031.
Solution
Install the NetWeaver RFC SDK on the affected host. For details on downloading the NetWeaver RFC SDK and its system prerequisites, refer to SAP doc 1025361. On the IBM i platform, make sure that the Unicode variant NWRFC_U_x-xx.SAR is installed in accordance with SAP doc 1097997.
The programs "startrfc" and "rfcexec" are located in the bin directory of the SDK. Both are to be regarded as reference implementations: they support only the SAP IDoc scenario and are released only for that scenario. Any other scenario requires a source code modification. The source code of both programs is located in the demo directory of the SDK so that you can adapt the programs to your specific requirements.
Functions of the NetWeaver rfcexec:
To increase security, the functions of the new "rfcexec" differ slightly from those of the "rfcexec" in the classic RFC SDK. The differences are described below.
rfcexec as a registered server
You start rfcexec as a registered RFC server as follows:
rfcexec -g <gateway host> -a <program ID> -x <gateway service> -f <file name> -s <system ID> -t
- -g, -a and -x are mandatory and address the ABAP system or the gateway at which rfcexec registers.
- -f is optional and specifies the path and name of the security file; the format and meaning of this file are explained in the section "Format and meaning of the security file (rfcexec.sec)" of this note. If -f is omitted, the server runs in a restricted mode in which only commands from the ALE/IDOC interface SAPLEDI7 of the SAP system are executed.
- -s is optional and lets you specify a system ID. The server then executes only commands that come from this SAP system. If -s is omitted, the server executes commands from every system that uses this gateway. This option is intended only as additional protection in the ALE case (that is, without a specific -f).
- -t is optional and switches on an additional trace output. Note that this trace is completely independent of the standard RFC trace; it is written to a file named rfcexec_<pid>.trc in the current working directory.
rfcexec as a started server
If rfcexec is started by the gateway, it first searches the current working directory for a file named "rfcexec.sec". If the file exists, it is used as the security file; its format and meaning are described in the section "Format and meaning of the security file (rfcexec.sec)" of this note.
Otherwise, the program executes only commands that come from the ALE interface SAPLEDI7 of the SAP system (as described for the registered server).
If the trace is activated in the corresponding RFC destination in transaction SM59, the program also writes its own trace in addition to the RFC trace. The output goes to a file named rfcexec_<pid>.trc in the current working directory.
The current working directory is determined by the gateway and varies with the installation of the SAP system and the instance (application server) in question. Values that occur in practice include:
/usr/sap/<sid>/SYS/exe/run
/usr/sap/<sid>/DVEBMGS00/exe
/usr/sap/<sid>/DVEBMGS00/work
/usr/sap/<sid>/D00/work
/home/sidadm (where "sidadm" is the operating system user under which the SAP system is running)
Format and meaning of the security file (rfcexec.sec)
If rfcexec finds a security file (either the file specified with -f in the registered case, or "rfcexec.sec" in the current working directory in the started case), it expects a list of the permitted commands, one per line, in the following format:
USER=<user ID>,SYSID=<system ID>,CLIENT=<client>,PATH=<command to be executed>
Observe the following rules:
- Up to and including Patch Level 35, wildcards are not supported at all.
- As of Patch Level 36, wildcards are permitted with restrictions, namely only at the end of PATH. A frequent scenario is the processing of files whose names change dynamically from call to call; the file name is then passed dynamically as a command line parameter to the executed program. For this, the syntax
PATH=/my/program *
can be used. It allows /my/program to be started with any command line parameters. If you want to allow both arbitrary parameters and no parameters at all, the syntax is
PATH=/my/program*
- Note, however, that the use of * is potentially unsafe if an attacker succeeds in smuggling additional commands into the command line parameters. (Depending on the operating system on which rfcexec runs, the possible attacks vary and cannot be covered exhaustively in a sample program.) If you have additional security requirements, develop your own version of rfcexec and implement specific checks that accept command line parameters only in the correct, expected format so that they cannot be misused to execute attacks. (The source code of rfcexec is included in the NW RFC SDK and can be modified to meet your requirements.)
- Entries are case-sensitive.
- The file extension must be specified in PATH if the command sent by the ABAP system includes the file extension.
- The file may contain any number of lines of this type.
- The maximum line length is 1024 characters.
- Each line permits the execution of one command (PATH) by exactly one SAP system user (USER) from one client (CLIENT) of one SAP system (SYSID).
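As an added example (this is not SAP's code and not the rfcexec source shipped in the NW RFC SDK), the following Python re-implements the rfcexec.sec allow-list semantics described above: exact, case-sensitive matching of USER, SYSID, CLIENT and PATH; the 1024-character line limit; a "*" accepted only at the end of PATH (Patch Level 36 behaviour, with a switch for the literal Patch Level 35 behaviour); and the two wildcard forms "/my/program *" (parameters required) and "/my/program*" (parameters optional). On top of that it adds the kind of parameter check the note asks you to write yourself, so that a parameter string such as "/tmp/x; rm -rf /" is refused even though it matches the wildcard. The sample rfcexec.sec content, the function names and the token policy of the extra check are assumptions; as a further hardening, the "/my/program*" form is required to separate the program name from its parameters with a space, so that "/my/program2" is not accepted.

```python
"""Model of the rfcexec.sec allow-list check (added example, not SAP code)."""
import re
from dataclasses import dataclass

# One entry per line, fixed key order as documented:
#   USER=<user ID>,SYSID=<system ID>,CLIENT=<client>,PATH=<command>
LINE_RE = re.compile(r"^USER=([^,]*),SYSID=([^,]*),CLIENT=([^,]*),PATH=(.*)$")
MAX_LINE_LEN = 1024

# Assumed policy for the extra parameter check: every parameter must be a
# plain path-like token. Shell metacharacters, quotes, tabs and newlines
# are refused, as is any ".." path component.
SAFE_TOKEN_RE = re.compile(r"^[A-Za-z0-9._/-]+$")


@dataclass(frozen=True)
class SecEntry:
    user: str
    sysid: str
    client: str
    path: str


def parse_sec_file(text: str, allow_wildcards: bool = True) -> list[SecEntry]:
    """Parse rfcexec.sec content into entries.

    Raises ValueError on a malformed line, a line longer than 1024
    characters, or (with wildcards enabled) a '*' that is not the last
    character of PATH. With allow_wildcards=False ('PL <= 35' mode) a '*'
    is an ordinary character and the whole PATH must match literally.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue  # blank lines are ignored (assumption)
        if len(raw) > MAX_LINE_LEN:
            raise ValueError(f"line {lineno}: longer than {MAX_LINE_LEN} characters")
        m = LINE_RE.match(raw.strip())
        if not m:
            raise ValueError(f"line {lineno}: expected USER=,SYSID=,CLIENT=,PATH=")
        user, sysid, client, path = m.groups()
        if allow_wildcards and "*" in path[:-1]:
            raise ValueError(f"line {lineno}: '*' is only permitted at the end of PATH")
        entries.append(SecEntry(user, sysid, client, path))
    return entries


def _path_matches(path: str, command: str, allow_wildcards: bool) -> tuple[bool, str]:
    """Return (matched, parameter string). Comparison is case-sensitive."""
    if not allow_wildcards or not path.endswith("*"):
        return command == path, ""  # exact match only
    prefix = path[:-1]  # "/my/program " or "/my/program"
    if not command.startswith(prefix):
        return False, ""
    params = command[len(prefix):]
    if prefix.endswith(" "):
        # "/my/program *": at least one parameter is required.
        return bool(params), params
    # "/my/program*": bare command or command followed by parameters.
    # Requiring the separating space (a hardening added here) stops a
    # plain prefix match from also accepting "/my/program2".
    if params and not params.startswith(" "):
        return False, ""
    return True, params


def _parameters_are_safe(params: str) -> bool:
    """Reject anything that could smuggle a second command onto the line."""
    tokens = [t for t in params.split(" ") if t]  # split on spaces only
    for tok in tokens:
        if not SAFE_TOKEN_RE.match(tok) or ".." in tok.split("/"):
            return False
    return True


def is_allowed(entries: list[SecEntry], user: str, sysid: str, client: str,
               command: str, allow_wildcards: bool = True,
               strict_params: bool = True) -> bool:
    """True if some entry permits this caller to run exactly this command."""
    for e in entries:
        if (e.user, e.sysid, e.client) != (user, sysid, client):
            continue
        ok, params = _path_matches(e.path, command, allow_wildcards)
        if ok and (not strict_params or _parameters_are_safe(params)):
            return True
    return False


# Constructed sample security file; users, system and paths are invented.
SAMPLE_SEC = """\
USER=ALEREMOTE,SYSID=PRD,CLIENT=100,PATH=/usr/sap/PRD/edi/bin/process_idoc.sh *
USER=ALEREMOTE,SYSID=PRD,CLIENT=100,PATH=/usr/sap/PRD/edi/bin/cleanup*
USER=BATCHUSR,SYSID=PRD,CLIENT=100,PATH=/bin/date
"""

if __name__ == "__main__":
    entries = parse_sec_file(SAMPLE_SEC)
    caller = ("ALEREMOTE", "PRD", "100")
    for cmd in ("/usr/sap/PRD/edi/bin/process_idoc.sh /usr/sap/PRD/edi/out/idoc_4711.dat",
                "/usr/sap/PRD/edi/bin/process_idoc.sh /tmp/x; rm -rf /",
                "/usr/sap/PRD/edi/bin/cleanup",
                "/usr/sap/PRD/edi/bin/cleanup2"):
        print(f"{is_allowed(entries, *caller, cmd)!s:5} {cmd}")
```

The injection case is the point of the note's warning: with strict_params=False the wildcard entry accepts "/tmp/x; rm -rf /" as "any parameters", exactly as a plain prefix match would; the extra token check is what turns the wildcard into something you can leave in production.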