
Vulnerability title: SetUID/SetGID Program Allows Privilege Escalation Via Tainted PATH In SAP ECC

CVE: CVE-2015-3621
Vendor: SAP
Product: ECC
Affected version: 6.x
Fixed version: Latest
Reported by: Tim Brown

Details:

It has been identified that binaries that are executed with elevated privileges (SetGID and SetUID programs) have been compiled in a manner that means they search for executables in insecure locations. As the gdb session below shows, a command line is passed to popen() containing an unqualified program name (expand) that the shell resolves through the inherited PATH.

$ ls -la /sapmnt/SI4/exeU/saposcol 
-rws--x---. 1 root sapsys 562715 Aug 18  2004 /sapmnt/SI4/exeU/saposcol

$ GNU gdb (GDB) Red Hat Enterprise Linux (7.2-60.el6_4.1)
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying" 
and "show warranty" for details.
This GDB was configured as "i686-redhat-linux-gnu".
For bug reporting instructions, please see:
...
Reading symbols from /sapmnt/SI4/exeU/saposcol...done.
(gdb) b popen
Breakpoint 1 at 0x8049ef8
(gdb) run -f
Starting program: /sapmnt/SI4/exeU/saposcol -f
[Thread debugging using libthread_db enabled]
10:47:41 12.06.2014   LOG: Effective User Id is root
Collector (PID 5814) already running: Force start...

Breakpoint 1, 0x08049ef8 in popen@plt ()
(gdb) x/1s $ebx
0xbfcdc200:     "/sbin/sysctl -a 2>/dev/null | expand -t 4" 

Impact:

An attacker could place a malicious executable in a location that is referenced in their PATH which would then be executed when the affected program is run, leading to privilege escalation in instances where the program runs with privileges that the attacker does not have. For example, if the program is SetUID root, the attacker would obtain root privileges upon exploiting this vulnerability.
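As an added example (not from the advisory or from SAP's code), this is the pattern a privileged program can use instead of popen() so that a pipeline such as the sysctl | expand one above is resolved against a fixed PATH rather than whatever the invoking user supplies; SAFE_PATH, run_with_fixed_env() and the tainted PATH value in the self-check are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed search path and the only environment a child ever receives.
 * Nothing inherited from the invoking user (PATH, IFS, ENV, ...) is passed on. */
#define SAFE_PATH "/usr/sbin:/usr/bin:/sbin:/bin"
static char *const SAFE_ENV[] = { "PATH=" SAFE_PATH, NULL };

/* popen() replacement: run `/bin/sh -c cmd` with SAFE_ENV via execve(),
 * capture stdout into buf, and return the child's exit status (-1 on error). */
int run_with_fixed_env(const char *cmd, char *buf, size_t buflen) {
    int fds[2];
    if (pipe(fds) == -1) return -1;
    pid_t pid = fork();
    if (pid == -1) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                      /* child */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        char *const argv[] = { "/bin/sh", "-c", (char *)cmd, NULL };
        execve("/bin/sh", argv, SAFE_ENV);  /* not execvp: no PATH lookup for the shell itself */
        _exit(127);
    }
    close(fds[1]);                       /* parent */
    size_t n = 0;
    ssize_t r;
    while (n < buflen - 1 && (r = read(fds[0], buf + n, buflen - 1 - n)) > 0) n += (size_t)r;
    buf[n] = '\0';
    char sink[256];                      /* drain any overflow so the child can exit */
    while (read(fds[0], sink, sizeof sink) > 0) ;
    close(fds[0]);
    int status;
    if (waitpid(pid, &status, 0) == -1) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Self-check: taint PATH in this process (constructed value), then confirm
 * the shell started by run_with_fixed_env() still sees only SAFE_PATH. */
int demo_child_ignores_tainted_path(void) {
    char out[256];
    setenv("PATH", "/tmp/untrusted:/usr/bin", 1);
    if (run_with_fixed_env("echo \"$PATH\"", out, sizeof out) != 0) return 0;
    return strcmp(out, SAFE_PATH "\n") == 0;
}
```

Using absolute paths for every program in the command string (sysctl and expand alike) is still required; the fixed environment only removes the caller's influence over how unqualified names would be resolved.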

Exploit:

A proof of concept exploit is available.

Remediation:

The vendor has released a patch.


Vendor status:

12/06/2014 Advisory created
16/06/2014 Vendor contacted
11/11/2014 Fix released
20/01/2015 CVE applied for
01/05/2015 CVE obtained
25/06/2015 Published

Copyright:

Copyright © Portcullis Computer Security Limited 2015, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.

Disclaimer:

The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user’s risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.