Advisory SAP GUI for Windows 7.40 Local Privilege Escalation (Unquoted Service Path)

SAP GUI for Windows 7.40 version 9.0.70.0 installs a Windows service without correctly quoting the application path.

A local attacker can use this misconfiguration to gain local SYSTEM privileges. However, this requires write permissions in specific folders, which makes the vulnerability harder to exploit.

This misconfiguration was fixed in version 7.40 9.0.85.0.

Detailed security advisory:
Advisory ID: TO-2019-004
Product: SAP GUI for Windows 7.40
Vendor: SAP SE
Tested Versions: 9.0.70.0
Vulnerability Type: Local privilege escalation
CVSS Risk: 7.5 High
CVSSv3: AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Solution Status: Fixed
Fixed Version: 9.0.85.0
CVE Reference: No CVE assigned by SAP CNA
CWE Reference: CWE-428
Authors of Advisory: Tobias Gyoerfi and Dimitri Lesy, Thinking Objects GmbH

========================================================================

Overview:

SAP GUI for Windows 7.40 version 9.0.70.0 is susceptible to local
privilege escalation because of an unquoted service path. 

========================================================================

Vulnerability Details:

The NWSAPAutoWorkstationUpdateSvc service, which is part of the
SAPSetup Automatic Workstation Update Service component, contains an
unquoted service path.
In order to successfully exploit this vulnerability, a local attacker
must be able to create arbitrary executables in the parent directory of
a path component that contains whitespace or other separators.
Furthermore, a machine reboot is required for the service to restart, as
regular user accounts are not allowed to start and stop this service and
the service start type is set to automatic.

========================================================================

Proof of Concept for default installation path:

C:\Users\User>sc qc NWSAPAutoWorkstationUpdateSvc
SERVICE_NAME: NWSAPAutoWorkstationUpdateSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\SAP\SAPsetup\Setup\Updater\NwSapAutoWorkstationUpdateService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : SAPSetup Automatic Workstation Update Service
        DEPENDENCIES       : RPCSS
        SERVICE_START_NAME : LocalSystem

Place an arbitrary executable at, e.g., C:\Program.exe. Whether this
directory is writable is beyond the attacker's control. Since the service
is started as SYSTEM, Program.exe will be started as SYSTEM as well.
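
An audit check for the condition shown above, added here as an example (not part of the original advisory or of SAP's software): it parses `sc qc` output, flags an unquoted BINARY_PATH_NAME containing spaces, lists the locations to review for unexpected files and write permissions, and produces the quoted value. The function names and the ".exe followed by whitespace" split heuristic are assumptions of this example.

```python
import re

# Relevant fields of the `sc qc` output shown in the advisory.
SC_QC_OUTPUT = r"""SERVICE_NAME: NWSAPAutoWorkstationUpdateSvc
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files (x86)\SAP\SAPsetup\Setup\Updater\NwSapAutoWorkstationUpdateService.exe
        SERVICE_START_NAME : LocalSystem
"""

def binary_path(sc_output):
    """Extract the BINARY_PATH_NAME value from `sc qc` output."""
    m = re.search(r"^\s*BINARY_PATH_NAME\s*:\s*(.+?)\s*$", sc_output, re.M)
    return m.group(1) if m else None

def split_exe(path):
    """Split an unquoted command line into (executable, arguments).
    Heuristic (assumption): the executable ends at the first '.exe'
    that is followed by whitespace or end of string."""
    m = re.match(r"(.+?\.exe)(?=\s|$)(.*)", path, re.I | re.S)
    return (m.group(1), m.group(2)) if m else (path, "")

def is_unquoted_with_space(path):
    """True if the executable part is unquoted and contains a space (CWE-428)."""
    if path.lstrip().startswith('"'):
        return False
    exe, _ = split_exe(path)
    return " " in exe

def candidate_paths(path):
    """Locations Windows tries before the intended binary: the prefix up to
    each space with '.exe' appended. Review these for unexpected files and
    for write access by non-administrative users."""
    exe, _ = split_exe(path)
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]

def quoted(path):
    """Return the command line with the executable part quoted."""
    exe, args = split_exe(path)
    return f'"{exe}"{args}'

if __name__ == "__main__":
    p = binary_path(SC_QC_OUTPUT)
    if p and is_unquoted_with_space(p):
        print("Unquoted service path:", p)
        for c in candidate_paths(p):
            print("  review:", c)
        print("Quoted form:", quoted(p))
```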

========================================================================

Solution:

The vulnerability is no longer present in version 9.0.85.0; other
versions have not been tested. Updating to the latest version of SAP GUI
is recommended.

========================================================================

Disclosure Timeline:

2019-07-12: Vulnerability discovered
2019-07-25: Vulnerability reported to vendor
2019-08-14: Vulnerability rejected by vendor due to application EOL
2019-10-29: Vulnerability disclosed

========================================================================

References:

* Product website: https://www.sap.com/community/topics/gui.html 
* Security advisory: https://blog.to.com/advisory-sap-gui-windows-7

========================================================================

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on to.com. 

========================================================================

Copyright:

Creative Commons - Attribution (by) - Version 3.0 
URL: http://creativecommons.org/licenses/by/3.0/deed.en
