SAP & Onapsis Webinar: How to Secure Your SAP Applications Against Modern Ransomware

The Onapsis Blog

The world of business-critical application security is dynamic, with new developments happening on a continuous basis. Check out our blog for recommendations, insights and observations on the latest news for securing your SAP®, Oracle® and Salesforce applications.

Dangers in SAP® Transport Management Part 5

Dangers in SAP® Transport Management Part 5

Welcome to the final installment of our series on the Dangers in SAP Transport Management. Throughout this series, we’ve covered various security gaps that can be exploited by hackers and other threat actors to gain unauthorized access to a system. From authority checks, to job management, to code execution on import, there are multiple areas of concern which highlight the need for better SAP Transport Management security. In our final part, we’ll focus on how an attacker could leverage logical file names and logical OS commands within SAP transports to access, modify and exfiltrate data. 

Logical File Names and Operating System Commands

In order for developers to not have to worry about the specifics of the underlying operating system when accessing files or executing OS commands, SAP® uses the concept of logical file names and logical OS commands. For this, a logical file name (and file path) is stored for each physical file name (file path) coming into question. In other words, platform-specific physical commands are mapped to a collective logical command.

While the different syntax of the platforms regarding path specifications are usually dissolved when it comes to logical file names (different separators), completely different physical commands can be stored for logical OS commands for each platform.

From a security perspective, it is a significant fact that the logical entities of the underlying physical information can be easily overwritten or replaced via transport. For logical files, this means that sensitive data in a file can be rerouted or that the data from a file with compromising content can be read. The replacing of physical commands is even more dangerous as the authorization check when accessing the command only occurs with the logical command name (authorization object S_LOG_COM) and not on the basis of the actually executed command. Logical commands can be further protected by allocating a check module. But even this allocation can be easily deactivated via transport.


For the request check, the following can be concluded:

  • R3TR CDAT FILENAME
    • Possibly attack attempt with low probability
    • Changed logical path and file definitions can be recorded in a transport request from the transaction FILE. For this, SAP always uses the view cluster FILENAME
    • The logical file name or path must be checked thoroughly to ensure the purpose and if an existing definition is updated, special care is required 
  • R3TR TABU PATH, R3TR TABU FILENAMECI
    • Possible attack attempt with higher probability
    • The logical definition has been recorded due to manual maintenance of the transport object list
    • The logical file name or path must be checked thoroughly to ensure the purpose and if an existing definition is updated, special care is required
  • R3TR TABU SXPGCOSTAB
    • Possibly attack attempt with low probability
    • This is a custom command
    • The logical command must be checked thoroughly to ensure its purpose and if an existing definition is updated, special care is required
  • R3TR TABU SXPGCOTABE
    • Possible attack attempt with higher probability
    • This is an SAP command
    • SAP's command definitions must not be changed and therefore do not have to be transported
    • The table has been added to the transport object list following manual maintenance, as SAP commands cannot be added to a transport request with the transaction SM69

In order to further mask an attack, entries of the tables PATH, FILENAMECI, SXPGCOSTAB and SXPGCOTABE can be concealed within a superordinate object. These include:

  • View Cluster (R3TR CDAT <random object name <> "FILENAME" >)
  • Maintenance View (R3TR VDAT <random object name>)
  • Customizing Data (R3TR TDAT <random object name>)

In these cases, an entry has to be considered to be a definitive attack attempt! Only checking all transport requests like mentioned above helps against such an attack.


*This check, and over 100 others, are conducted automatically in The Onapsis Platform for both internal and external transport objects. Read the SAP Transport Inspection Application note (PDF) for additional details on how the technology works and how it can be integrated into your business process with The Onapsis Platform.

Secure your 
business-critical SAP,
Oracle, Salesforce
and SaaS apps

Get a firsthand look at the visibility, reporting and automation capabilities provided by The Onapsis Platform by scheduling a personalized demo with our application security experts.

Request a demo