By Tao Sauvage

SAP setuid

It's not every day you get a chance to one-up your CTO and co-founder of the company you work for. In 2020, Vincent Berg published a blog post describing a vulnerability he found affecting an SAP setuid binary while preparing for a client project. Combined with an insecure NFS configuration, he was able to compromise a dozen UNIX machines during that client engagement.

Last year, I was assigned to a new SAP-related project for the same client. I made it a personal goal to find two 0-day vulnerabilities (one more than Vincent) in the SAP software used by the client. It was a success, with CVE-2024-47595 assigned by SAP for both issues! Along the way, I learned about SAP internals, SAR archives, and even wrote a utility tool that I'm releasing today: SAPCARve.

The vulnerabilities I found were also local privilege escalations affecting setuid binaries, from the sapsys group to root: the binaries are owned by root and executable only by members of sapsys (see the listing below), so an attacker must already hold that privileged SAP group before they can reach the vulnerable code. For that reason the impact was rightfully rated as Medium by SAP (CVSS v3.1 score of 6.3).

Let's go through this step by step, from initial recon to root shell, and see how the vulnerabilities unfolded.

Reconnaissance

Following Vincent's trodden path, I enumerated all setuid binaries that my user could access on the client's server. A setuid binary on Linux runs with the effective privileges of its file owner (in this case, root) rather than those of the user who launches it, which makes such binaries attractive targets for privilege escalation. The enumeration revealed four potential targets (after removing the duplicates):

-rwsr-x---. 1 root sapsys 4.0M May 9 04:52 /usr/sap/hostctrl/exe/hostexecstart
-rwsr-x---. 1 root sapsys 3.7M May 9 04:52 /usr/sap/hostctrl/exe/sapuxuserchk
-rwsr-x--- 1 root sapsys 2.4M May 7 2023 /usr/sap/ABC/D00/exe/sapuxuserchk
-rwsr-x--- 1 root sapsys 3.1M Jun 21 13:16 /usr/sap/ABC/D00/exe/icmbnd
-rwsr-x--- 1 root sapsys 2.7M Jun 11 2020 /usr/sap/DEF/SYS/exe/uc/linuxx86_64/icmbnd
-r-sr-x--- 1 root sapsys 63M Dec 18 2023 /usr/sap/ABC/D00/exe/mdc/hdbm...
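The enumeration step above, as an added example that is not part of the original post or of any SAP tooling: a small POSIX shell script that finds setuid files under the given directories, keeps only those the current user can actually execute (the root-owned, group-sapsys mode 4750 binaries above are invisible to a user outside that group), and collapses identical copies shipped under several SAP instance directories into one entry per file name. The function and variable names, the default search roots and the sample directory layout are my own choices, not SAP's.

```shell
#!/bin/sh
# setuid_recon.sh - enumerate setuid binaries reachable by the current user.
#
# find_setuid_targets DIR...  : every regular file with the setuid bit (04000)
#                                under DIR... that the caller may execute
# dedup_by_name               : keep the first path seen for each basename
# count_setuid_targets DIR... : number of distinct setuid binary names
# describe_setuid_targets DIR...: ls -l style listing, one line per distinct name

find_setuid_targets() {
    # -xdev stays on the starting filesystem so NFS/bind mounts are not
    # searched twice; -perm -4000 matches the setuid bit regardless of the
    # other mode bits (covers both -rwsr-x--- and -r-sr-x--- above).
    find "$@" -xdev -type f -perm -4000 2>/dev/null |
    while IFS= read -r path; do
        # [ -x ] is evaluated as the calling user, so group-restricted
        # binaries only show up when we are a member of that group.
        if [ -x "$path" ]; then
            printf '%s\n' "$path"
        fi
    done
}

dedup_by_name() {
    # Split on '/', use the last field (the basename) as the dedup key.
    awk -F/ '!seen[$NF]++'
}

count_setuid_targets() {
    find_setuid_targets "$@" | dedup_by_name | wc -l | tr -d ' '
}

describe_setuid_targets() {
    find_setuid_targets "$@" | dedup_by_name |
    while IFS= read -r path; do
        ls -ld "$path"
    done
}

# Stand-alone use: ./setuid_recon.sh /usr/sap /opt /usr
# (search roots are an assumption; adjust to the target host).
if [ "$#" -gt 0 ]; then
    describe_setuid_targets "$@"
fi
```

Two caveats before trusting the output. `find` reads mode bits only, so also check that the filesystem is not mounted `nosuid` (for example `findmnt -T /usr/sap -o TARGET,OPTIONS`), because on such a mount the kernel ignores the bit and the binary is not a privilege escalation candidate. And since the executability test runs as the invoking user, run the script from the account you actually have on the target (here, a member of sapsys) rather than as root, or every setuid file on the box will pass the check.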