Title
SAP Business One Hana (Chef Cookbook) – Incorrect Permission Assignment for Critical Resources – Root Privilege Escalation Vulnerability
CVE ID
CVE-2021-27614
CVSS Score
7.3
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
Internal ID
SICK-2021-028
Vendor
SAP
Product
SAP Business One Hana Chef Cookbooks
Product Versions
0.1.9 and below
Software Component Versions
8.82, 9.0, 9.1, 9.2, 9.3, 10.0
Vulnerability Details
A vulnernability in the server setup ruby script for SAP Business One Hana Chef Cookbook versions 0.1.9 and below recursively assigns overpermissive folders for the installation folder as globally read/write. A local authenticated attacker, can read or write to any of the SAP Business One core installation files which are all owned by root. While an earlier command sets the sticky-bit to 0, a subsequent shell command recursively re-permissions all installation files as globally read/write, allowing a local authenticated attacker full access to the SAP Business One HANA installation system.
Vendor: SAP Business One Hana Chef Cookbook, versions – 8.82, 9.0, 9.1, 9.2, 9.3, 10.0, used to install SAP Business One on SAP HANA, allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behaviour of the application thereby highly impacting the integrity and availability of the application.
Vendor Response
Vendor has fixed the vulnerability, published a patch, and deprecated the repository.
Proof of Concept
In the ruby installation setup script recipes/server.rb
An installation directory is created:
directory "#{v_installerlocalfolder}" do
owner "root"
group "root"
mode 0777
recursive true
not_if { ::File.exist?("#{v_installerlocalfolder}") }
endThe folder and files are subsequently re-permissioned with global read/write privileges.
bash 'set permissions of copied folder' do
cwd ::File.dirname("#{v_installerlocalfolder}")
code <<-EOH
chmod -R 777 .
EOH
only_if { ::File.exists?("#{v_installerlocalfolder}") }
endAnd again:
bash 'set permissions for extracted files' do
cwd ::File.dirname("#{v_installerlocalfolder}")
code <<-EOH
chmod -R 777 *
EOH
only_if { ::File.exists?("#{v_installerlocalfolder}") }
endOne such file is:
./getServerDbVersion.sh
This file is small:
templates/default/getServerDbVersion.sh.erb
s_serverversion="$(rpm -qa | grep B1ServerToolsSLD)"
s_dbversion=${s_serverversion:17:7}
s_dbversion=${s_dbversion/./}
echo "${s_dbversion}" >> SERVER_INSTALLED_"${s_dbversion}"However, the script is owned by root, and executed by root.
template "#{v_installerlocalfolder}/getServerDbVersion.sh" do
source "getServerDbVersion.sh.erb"
mode 0777
endAlthough the stick-bit is readable, an attacker can create /SERVER_INSTALLED_#{v_dbversion}" files inside the public directory, which may force the execution of a series of root privileged scripts.
Since this shell file is owned by root, there exists both a race condition whereby a lower privileged user can create ./getServerDbVersion.sh before root which would subsequently be executed by root.
execute "Validate B1 Server Install" do
cwd "#{v_installerlocalfolder}"
command "sh ./getServerDbVersion.sh"
not_if { ::File.exists?("#{v_installerlocalfolder}/SERVER_INSTALLED_#{v_dbversion}")}
endDisclosure Timeline
- 2021-04-12 – Researcher discover vulnerabilities
- 2021-04-15 – Vendor deprecates repository
- 2021-05-10 – Vendor assigns CVE-2021-27614
- 2021-05-11 – Vendor publishes advisory
- 2021-06-08 – Researcher publishes advisory
Links
https://launchpad.support.sap.com/#/notes/3049661
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=576094655
https://github.com/SAP/business-one-hana-chef-cookbook
https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-028.md
https://sick.codes/sick-2021-028
Researchers
Sick Codes: https://github.com/sickcodes || https://twitter.com/sickcodes
Miklos Zoltan: https://twitter.com/mzb4455 || https://www.privacyaffairs.com/authors/miklos/
CVE Links
https://sick.codes/sick-2021-028
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27614
