Sick Codes - Security Research, Hardware & Software Hacking, Consulting, Linux, IoT, Cloud, Embedded, Arch, Tweaks & Tips!

CVE-2021-27614 – SAP Business One Hana (Chef Cookbook) – Incorrect Permission Assignment for Critical Resources – Root Privilege Escalation Vulnerability

by Sick Codes
June 8, 2021 - Updated on June 12, 2021
in Security
SAP Business One Hana Chef Cookbook Vulnerability

Title: SAP Business One Hana (Chef Cookbook) – Incorrect Permission Assignment for Critical Resources – Root Privilege Escalation Vulnerability

CVE ID: CVE-2021-27614

CVSS Score: 7.3 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H)

Internal ID: SICK-2021-028

Vendor: SAP

Product: SAP Business One Hana Chef Cookbooks

Product Versions: 0.1.9 and below

Software Component Versions: 8.82, 9.0, 9.1, 9.2, 9.3, 10.0

Vulnerability Details

A vulnerability in the server setup Ruby recipe (recipes/server.rb) of SAP Business One Hana Chef Cookbook versions 0.1.9 and below recursively sets over-permissive modes on the installation folder, leaving it and everything beneath it world-readable and world-writable. A local authenticated attacker can therefore read or modify any of the SAP Business One core installation files, all of which are owned by root. The directory resource first creates the folder with mode 0777 (no sticky bit), and a subsequent shell command then recursively re-permissions every installation file to 777, giving a local authenticated attacker full access to the SAP Business One HANA installation system.

Vendor: SAP Business One Hana Chef Cookbook, versions – 8.82, 9.0, 9.1, 9.2, 9.3, 10.0, used to install SAP Business One on SAP HANA, allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behaviour of the application thereby highly impacting the integrity and availability of the application.

Vendor Response

Vendor has fixed the vulnerability, published a patch, and deprecated the repository.

Proof of Concept

In the Ruby installation setup recipe, recipes/server.rb:

An installation directory is created:

# Creates the installer folder as root with mode 0777: world-writable, no sticky bit
directory "#{v_installerlocalfolder}" do
  owner "root"
  group "root"
  mode 0777
  recursive true
  not_if { ::File.exist?("#{v_installerlocalfolder}") }
end

The folder and its contents are subsequently re-permissioned to 777, i.e. readable, writable and executable by every user on the system:

# Runs as root. cwd is the parent of the installer folder, so `chmod -R 777 .`
# re-permissions that parent directory and everything beneath it.
bash 'set permissions of copied folder' do
  cwd ::File.dirname("#{v_installerlocalfolder}")
  code <<-EOH
    chmod -R 777 .
    EOH
  only_if { ::File.exists?("#{v_installerlocalfolder}") }
end

And again:

# Runs as root again; `chmod -R 777 *` covers every entry in the parent directory.
bash 'set permissions for extracted files' do
  cwd ::File.dirname("#{v_installerlocalfolder}")
  code <<-EOH
    chmod -R 777 *
    EOH
  only_if { ::File.exists?("#{v_installerlocalfolder}") }
end

One such file is:

./getServerDbVersion.sh

This file is small:

templates/default/getServerDbVersion.sh.erb

# package name as reported by rpm
s_serverversion="$(rpm -qa | grep B1ServerToolsSLD)"
# seven characters starting at offset 17 of that string, with the dot removed
s_dbversion=${s_serverversion:17:7}
s_dbversion=${s_dbversion/./}
# writes, in the current directory, the marker file the execute resource's not_if guard checks for
echo "${s_dbversion}" >> SERVER_INSTALLED_"${s_dbversion}"

The script is written by root as a world-writable (mode 0777) file, and later executed by root:

# Written by root, but mode 0777 leaves the script writable by every user
template "#{v_installerlocalfolder}/getServerDbVersion.sh" do
  source "getServerDbVersion.sh.erb"
  mode 0777
end

Because the directory is world-writable, an attacker can also create SERVER_INSTALLED_#{v_dbversion} marker files inside it. The recipe's guards key on the presence of those files, so a planted marker can steer which of the root-privileged steps run.

Because the folder is world-writable and root later runs the script by relative path (`sh ./getServerDbVersion.sh`), there is also a race condition: a lower-privileged user can create ./getServerDbVersion.sh before the template resource does, and root then executes it. Since the template itself is written with mode 0777, the file can equally be overwritten after root creates it. The execute resource:

# Runs as root via a relative path inside the world-writable folder; skipped only if the
# SERVER_INSTALLED_<version> marker file already exists
execute "Validate B1 Server Install" do
  cwd "#{v_installerlocalfolder}"
  command "sh ./getServerDbVersion.sh"
  not_if { ::File.exists?("#{v_installerlocalfolder}/SERVER_INSTALLED_#{v_dbversion}")}
end
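As an added check, not part of the cookbook or of this advisory, the plain-Ruby script below audits a directory tree for the condition the recipe leaves behind (world-writable entries, and world-writable directories without the sticky bit, which is what allows ./getServerDbVersion.sh to be planted or replaced) and then hardens it. It builds a constructed fixture that reuses the file names shown above with placeholder contents; the hardened modes 0755/0644 are a sane default chosen here, not SAP's published fix.

```ruby
#!/usr/bin/env ruby
# Added example (not cookbook code): audit a tree for the condition the
# recipe creates (mode 0777 directory, chmod -R 777 contents) and harden it.
require 'find'
require 'fileutils'
require 'tmpdir'

# Relative paths of every non-symlink entry under root that is world-writable
# (the o+w bit, 0o002). That bit is what `mode 0777` and `chmod -R 777` leave
# behind and what lets an unprivileged user rewrite root-owned files.
def world_writable_entries(root)
  findings = []
  Find.find(root) do |path|
    st = File.lstat(path)
    next if st.symlink?
    rel = path == root ? '.' : path.delete_prefix("#{root}/")
    findings << rel if (st.mode & 0o002) != 0
  end
  findings.sort
end

# World-writable directories that lack the sticky bit (0o1000): in such a
# directory any user can delete or rename files they do not own, which is the
# prerequisite for planting ./getServerDbVersion.sh ahead of root.
def unsticky_world_writable_dirs(root)
  world_writable_entries(root).select do |rel|
    st = File.lstat(File.join(root, rel))
    st.directory? && (st.mode & 0o1000) == 0
  end
end

# Harden in place: directories and anything executable become 0755, plain
# files 0644. With root ownership (as in the real deployment) only root can
# then modify them. Returns the number of entries whose mode was changed.
def harden!(root)
  changed = 0
  Find.find(root) do |path|
    st = File.lstat(path)
    next if st.symlink?
    want = (st.directory? || (st.mode & 0o111) != 0) ? 0o755 : 0o644
    next if (st.mode & 0o7777) == want
    File.chmod(want, path)
    changed += 1
  end
  changed
end

# Constructed fixture mirroring the layout the recipe produces: the file
# names come from the advisory, the contents are placeholders.
def build_vulnerable_fixture(dir)
  File.write(File.join(dir, 'getServerDbVersion.sh'),
             "s_serverversion=\"$(rpm -qa | grep B1ServerToolsSLD)\"\n")
  FileUtils.mkdir_p(File.join(dir, 'packages'))
  File.write(File.join(dir, 'packages', 'install.sh'), "#!/bin/sh\n")
  Find.find(dir) { |p| File.chmod(0o777, p) } # same effect as `chmod -R 777 .`
  dir
end

# Run the audit before and after hardening; returns both finding lists.
def demo
  Dir.mktmpdir('b1-installer-') do |dir|
    build_vulnerable_fixture(dir)
    before = world_writable_entries(dir)
    harden!(dir)
    { before: before, after: world_writable_entries(dir) }
  end
end

if __FILE__ == $0
  r = demo
  puts "world-writable before hardening: #{r[:before].inspect}"
  puts "world-writable after hardening:  #{r[:after].inspect}"
end
```

Run it as `ruby audit_b1_perms.rb` (file name assumed); to audit a real installer folder call `world_writable_entries('/path/to/folder')` and `unsticky_world_writable_dirs('/path/to/folder')` directly, both of which need no privileges beyond read access. In the recipe itself the equivalent fix is to drop the two `chmod -R 777` bash resources and give the directory and template resources a restrictive mode such as 0755; the exact modes used in the vendor's patch are not reproduced here.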

Disclosure Timeline

  • 2021-04-12 – Researcher discovers vulnerabilities
  • 2021-04-15 – Vendor deprecates repository
  • 2021-05-10 – Vendor assigns CVE-2021-27614
  • 2021-05-11 – Vendor publishes advisory
  • 2021-06-08 – Researcher publishes advisory

Links

https://launchpad.support.sap.com/#/notes/3049661

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=576094655

https://github.com/SAP/business-one-hana-chef-cookbook

https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-028.md

https://sick.codes/sick-2021-028

Researchers

Sick Codes: https://github.com/sickcodes || https://twitter.com/sickcodes

Miklos Zoltan: https://twitter.com/mzb4455 || https://www.privacyaffairs.com/authors/miklos/

CVE Links

https://sick.codes/sick-2021-028

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27614

https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27614
