Advisory SAP GUI for Windows 7.40 Local Privilege Escalation (Unquoted Service Path)
A local attacker can use this configuration error to gain local system privileges. However, this requires write permissions in specific folders, which makes exploiting the vulnerability more difficult.
This configuration error was fixed in version 7.40 9.0.85.0.
Detailed security advisory:
Advisory ID: TO-2019-004
Product: SAP GUI for Windows 7.40
Vendor: SAP SE
Tested Versions: 9.0.70.0
Vulnerability Type: Local privilege escalation
CVSS Risk: 7.5 High
CVSSv3: AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Solution Status: Fixed
Fixed Version: 9.0.85.0
CVE Reference: No CVE assigned by SAP CNA
CWE Reference: CWE-428
Authors of Advisory: Tobias Gyoerfi and Dimitri Lesy, Thinking Objects GmbH

========================================================================

Overview:

SAP GUI for Windows 7.40 version 9.0.70.0 is susceptible to local privilege escalation because of an unquoted service path.

========================================================================

Vulnerability Details:

The NWSAPAutoWorkstationUpdateSvc service, which is part of the SAPSetup Automatic Workstation Update Service component contains an unquoted service path. In order to successfully exploit this vulnerability, a local attacker must be able to create arbitrary executables in the parent path directory that contains whitespaces or other separators. Furthermore, a machine reboot is required for the service to restart as regular user accounts are not allowed to start and stop this service and the service start type is set to automatic.

========================================================================

Proof of Concept for default installation path:

    C:\Users\User>sc qc NWSAPAutoWorkstationUpdateSvc

    SERVICE_NAME: NWSAPAutoWorkstationUpdateSvc
            TYPE               : 10  WIN32_OWN_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : C:\Program Files (x86)\SAP\SAPsetup\Setup\Updater\NwSapAutoWorkstationUpdateService.exe
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : SAPSetup Automatic Workstation Update Service
            DEPENDENCIES       : RPCSS
            SERVICE_START_NAME : LocalSystem

Place arbitrary executable e.g. C:\Program.exe. Accessibility of this directory is beyond the attacker's control. Since the service is started as SYSTEM, so will Program.exe.
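For auditing hosts, the check behind the proof of concept above can be automated. The following Python script is an added example, not part of the original advisory: it parses `sc qc` output, flags an unquoted BINARY_PATH_NAME containing spaces, and reports the directories whose write permissions matter together with the quoted form of the path. The function names are assumptions of this example, and the sample input is the advisory's output, abridged and embedded as a string.

```python
import re
from pathlib import PureWindowsPath

# Sample input: the advisory's `sc qc` output (abridged), embedded as a string.
SC_QC_OUTPUT = r"""
SERVICE_NAME: NWSAPAutoWorkstationUpdateSvc
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files (x86)\SAP\SAPsetup\Setup\Updater\NwSapAutoWorkstationUpdateService.exe
        DISPLAY_NAME       : SAPSetup Automatic Workstation Update Service
        SERVICE_START_NAME : LocalSystem
"""

def parse_sc_qc(text):
    """Turn `sc qc` output into a {FIELD: value} dict (split on the first colon)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields

def split_command(binary_path):
    """Split an unquoted command line into (executable, arguments)."""
    m = re.match(r"(?i)(.*?\.exe)(?=\s|$)", binary_path)
    exe = m.group(1) if m else binary_path
    return exe, binary_path[len(exe):]

def ambiguous_paths(binary_path):
    """Paths Windows resolves before the intended binary if the path is unquoted."""
    exe, _ = split_command(binary_path)
    quoted = binary_path.startswith('"')
    return [] if quoted else [exe[:i] + ".exe" for i, c in enumerate(exe) if c == " "]

def audit(sc_output):
    f = parse_sc_qc(sc_output)
    path = f.get("BINARY_PATH_NAME", "")
    exe, args = split_command(path)
    candidates = ambiguous_paths(path)
    return {
        "service": f.get("SERVICE_NAME"),
        "unquoted_with_spaces": bool(candidates),
        "runs_as_system": f.get("SERVICE_START_NAME", "").lower() == "localsystem",
        "auto_start": "AUTO_START" in f.get("START_TYPE", ""),
        # Directories whose write ACLs decide whether CWE-428 is reachable.
        "dirs_to_check": sorted({str(PureWindowsPath(c).parent) for c in candidates}),
        "quoted_form": path if path.startswith('"') else f'"{exe}"{args}',
    }

if __name__ == "__main__":
    print(audit(SC_QC_OUTPUT))
```

A service whose path is already quoted, or whose unquoted path contains no spaces, yields an empty `dirs_to_check` list.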
========================================================================

Solution:

The vulnerability is no longer present in version 9.0.85.0, other versions have not been tested. Updating to the latest version of SAP GUI is recommended.

========================================================================

Disclosure Timeline:

2019-07-12: Vulnerability discovered
2019-07-25: Vulnerability reported to vendor
2019-08-14: Vulnerability rejected by vendor due to application EOL
2019-10-29: Vulnerability disclosed

========================================================================

References:

* Product website: https://www.sap.com/community/topics/gui.html
* Security advisory: https://blog.to.com/advisory-sap-gui-windows-7

========================================================================

Disclaimer:

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on to.com.

========================================================================

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en