Local privilege escalation in SAP® Sybase sybctrl
Title
Local privilege escalation
Product
SAP® Sybase sybctrl
Vulnerable Version
see section "Vulnerable / tested versions"
Fixed Version
see SAP® security note 3155571
CVE Number
CVE-2022-31594
Impact
low
Homepage
https://www.sap.com/about.html
Found
18.02.2022
By
Mingshuo Li (Office Munich) | SEC Consult Vulnerability Lab

Vendor description
"Sybase solutions strategic for data management Combining the strength of in-memory technology with Sybase solutions, SAP® offers the most robust data platform to achieve business agility."
Source: https://www.sap.com/germany/acquired-brands/what-is-sybase.html
Business recommendation
SEC Consult recommends implementing security note 3155571, in which the documented issue is fixed according to the vendor. We advise installing the corrections as a matter of priority to keep business-critical data secure.
Vulnerability overview/description
1) Local privilege escalation (CVE-2022-31594)
The SUID-root program sybctrl by SAP® Sybase writes its error log (dev_sybctrl) without checking whether that path is a symbolic link, so error messages are appended to whatever file the link points to with root privileges. A member of the group sapsys, which may execute the binary, can therefore redirect the log into a security-critical file and escalate his/her privileges to root on a local Unix system.
Proof of Concept
1) Local privilege escalation (CVE-2022-31594)
Shown below are the owner, group and permission bits of sybctrl in a standard installation.
A user in the sapsys group first creates a symbolic link named dev_sybctrl that points to the passwd file.
Then the following Python script is run. It invokes sybctrl so that the error messages are written to the target of the dev_sybctrl symlink. The command line passed to sybctrl contains one passwd-format line of user account information, surrounded by newlines, whose password hash has been pre-calculated with openssl.
As a result, the error messages are appended to /etc/passwd. The second-to-last of them contains the injected line and yields a valid account with root privileges; the remaining lines are not well-formed passwd entries and are ignored for the purpose of the exploit.
Logging in with the credentials sapmatt/sappass then completes the escalation.
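The following script is an added illustration of the attack shape described above and of the fix a privileged logger needs; it is not SEC Consult's proof-of-concept script and does not touch sybctrl or /etc/passwd. It uses a scratch directory with a constructed passwd file, a placeholder hash in place of the openssl-generated one, an assumed error-message format for the "unrecognized argument" case, and the account name sapmatt from the advisory. The naive writer opens the log by path and so follows the symlink into the passwd stand-in; the hardened writer opens with O_NOFOLLOW and checks the opened file before writing.

```python
import os
import stat
import tempfile


def passwd_line(user, hashed, uid=0, gid=0, home="/root", shell="/bin/bash"):
    """Build one /etc/passwd entry; uid/gid 0 makes the account root-equivalent.
    The hash is supplied by the caller (the advisory pre-calculates it with openssl)."""
    return f"{user}:{hashed}:{uid}:{gid}::{home}:{shell}"


def log_error_naive(log_path, message):
    """Vulnerable pattern: open the log by path. open(..., 'a') follows a
    symbolic link, so whoever controls log_path chooses the file that a
    privileged writer appends to."""
    with open(log_path, "a") as fh:
        fh.write(message + "\n")


def log_error_hardened(log_path, message):
    """Hardened pattern: O_NOFOLLOW makes open() fail with ELOOP on a symlink,
    and the post-open fstat() rejects anything that is not a regular file with
    exactly one link. Returns the number of bytes written."""
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW | os.O_CLOEXEC
    fd = os.open(log_path, flags, 0o600)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
            raise PermissionError(f"refusing to log to {log_path}: not a plain regular file")
        return os.write(fd, (message + "\n").encode())
    finally:
        os.close(fd)


def uid_zero_accounts(passwd_path):
    """Return the user names of every well-formed passwd entry with uid 0.
    Lines without the seven passwd fields (the rest of the error message)
    are skipped, approximating how the injected garbage is ignored."""
    names = []
    with open(passwd_path) as fh:
        for line in fh:
            fields = line.rstrip("\n").split(":")
            if len(fields) == 7 and fields[2].isdigit() and int(fields[2]) == 0:
                names.append(fields[0])
    return names


def run_demo():
    """Reproduce the attack shape in a scratch directory, then show the hardened
    writer refusing it. Returns (injected_ok, hardened_blocked, uid0_accounts)."""
    with tempfile.TemporaryDirectory() as workdir:
        passwd = os.path.join(workdir, "passwd")          # stand-in for /etc/passwd
        with open(passwd, "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/bash\n")  # constructed sample content

        link = os.path.join(workdir, "dev_sybctrl")       # the log name the advisory names
        os.symlink(passwd, link)                          # step 1: symlink log -> passwd

        # step 2: the "argument" carries a passwd line surrounded by newlines.
        # The hash is a constructed placeholder, not a real digest.
        injected = passwd_line("sapmatt", "$6$constructedsalt$constructedhash")
        bad_arg = "\n" + injected + "\n"
        # assumed error-message format; the real wording of sybctrl is not on the page
        log_error_naive(link, f"sybctrl: unrecognized argument '{bad_arg}'")

        with open(passwd) as fh:
            injected_ok = injected in fh.read().split("\n")

        # step 3: the same write through the hardened opener is refused (ELOOP).
        try:
            log_error_hardened(link, "should never be written")
            hardened_blocked = False
        except OSError:
            hardened_blocked = True

        return injected_ok, hardened_blocked, uid_zero_accounts(passwd)


if __name__ == "__main__":
    print(run_demo())  # expect (True, True, ['root', 'sapmatt'])
```

The parser in uid_zero_accounts is deliberately strict about the field count so that the surrounding pieces of the error message are discarded, which is the same reason the advisory's extra lines are harmless to the exploit; a real libc parser may behave slightly differently on malformed lines, but the injected line itself is well-formed and is accepted either way.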
Vulnerable / tested versions
The following version of the binary was found to be vulnerable during our tests:
- version 021 (753 03/23/2018 14:04:00)
According to the vendor the following products are affected by the discovered vulnerability:
SAP® Adaptive Server Enterprise (ASE), Versions:
- KERNEL 7.22, 7.49, 7.53
- KRNL64NUC 7.22, 7.22EXT, 7.49
- KRNL64UC 7.22, 7.22EXT, 7.49, 7.53
Please refer to the vendor patch day post: https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10
Vendor contact timeline
2022-02-22 | Contacting vendor through vulnerability submission web form.
2022-02-24 | Vendor confirms receipt and assigns SAP® security incident number #2280077785.
2022-03-30 | Vendor requires an elaboration on the CVSS vector.
2022-04-07 | Requesting the original CVSS vector.
2022-04-22 | Vendor responds to the request.
2022-04-29 | Explaining the rationale behind the CVSS rating.
2022-06-14 | Vendor releases patches with SAP® security note 3155571.
2022-06-15 | Requesting confirmation that the security note covers the issue.
2022-08-11 | Vendor sends the link to the Acknowledgements to Security Researchers.
2022-09-02 | Requesting confirmation of the fix.
2022-09-03 | Vendor confirms the issue has been fixed on the June Patch Day.
2022-09-16 | Public release of security advisory.
Solution
The following security note needs to be implemented: https://launchpad.support.sap.com/#/notes/3155571
Workaround
As a temporary mitigation, the SUID bit can be removed from sybctrl so that a symlinked log is written with the invoking user's privileges only. Note that this also disables any sybctrl functionality that requires root, so the security note should still be applied.
Advisory URL
https://sec-consult.com/vulnerability-lab/
EOF Mingshuo Li / @2022