• Home
  • Releases
  • Submit Vuln
  • Press
  • About
  • PGP
  • Contact
    • Contact
    • Submit Vuln
    • VDP
  • Tutorials
    • All Posts
    • Photoshop on Linux
    • macOS on Linux
  • Supporters
  • Projects
  • Training
Sick Codes - Security Research, Hardware & Software Hacking, Consulting, Linux, IoT, Cloud, Embedded, Arch, Tweaks & Tips!
  • Home
  • Releases
  • Submit Vuln
  • Press
  • About
  • PGP
  • Contact
    • Contact
    • Submit Vuln
    • VDP
  • Tutorials
    • All Posts
    • Photoshop on Linux
    • macOS on Linux
  • Supporters
  • Projects
  • Training
No Result
View All Result
Sick Codes - Security Research, Hardware & Software Hacking, Consulting, Linux, IoT, Cloud, Embedded, Arch, Tweaks & Tips!
  • Home
  • Releases
  • Submit Vuln
  • Press
  • About
  • PGP
  • Contact
    • Contact
    • Submit Vuln
    • VDP
  • Tutorials
    • All Posts
    • Photoshop on Linux
    • macOS on Linux
  • Supporters
  • Projects
  • Training
No Result
View All Result
Sick Codes - Security Research, Hardware & Software Hacking, Consulting, Linux, IoT, Cloud, Embedded, Arch, Tweaks & Tips!
No Result
View All Result
Home Security

CVE-2021-33669 – SAP Mobile SDK Certificate Provider – Insecure Temporary File Storage – Potential Symlink Attack & Denial of Service

by Sick Codes
October 4, 2021
in Security
0
CVE-2021-33669_SAP Mobile SDK Certificate Provider - Insecure Temporary File Storage - Potential Symlink Attack & Denial of Service

CVE-2021-33669_SAP Mobile SDK Certificate Provider - Insecure Temporary File Storage - Potential Symlink Attack & Denial of Service

Title

CVE-2021-33669 – SAP Mobile SDK Certificate Provider – Insecure Temporary File Storage – Potential Symlink Attack & Denial of Service

CVE ID

CVE-2021-33669

CVSS Score

7.8

Internal ID

SICK-2021-032

Vendor

SAP

Product

SAP Mobile SDK Certificate Provider

Product Versions

3.0.7 and below

Vulnerability Details

A vulnernability in the SAP Mobile SDK Certificate Provider version 3.0.7 and below causes a race condition in the execSync() function through the use of single-threaded file creation within the global read/write temporary folders for Windows, RiscOS, Linux. A local unprivileged attacker can read and potentially write to files created in almost every known insecure temporary directory: C:\TEMP, C:\TMP, \TEMP, \TMP, /tmp, /var/tmp, /usr/tmp. An attacker can abuse the execSync function by read/writing to either the stdoutFile or codeFile, as well as execute arbitrary code if any scriptFile is created, and used as well as potential Denial of Service via the sleepFile lockfile.

Vendor Response

SAP Internal ID: SR-21-00474

Fixed in: https://github.com/SAP/mobilesdk-certificateprovider/commit/88af36beb7c8081f3713a6ad53d6396f6ec825ee

Proof of Concept

./iOS/X509KapselSample/platforms/ios/cordova/node_modules/shelljs/shell.js

Note this may also affect “KapselSDK”

Insecure filename generation (readable by all, potentially writable)

// e.g. 'shelljs_a5f185d0443ca...'
function randomFileName() {
  function randomHash(count) {
    if (count === 1)
      return parseInt(16*Math.random(), 10).toString(16);
    else {
      var hash = '';
      for (var i=0; i<count; i++)
        hash += randomHash(1);
      return hash;
    }
  }

  return 'shelljs_'+randomHash(20);
}

Exploit is exactly explained below in the commented code below:

// Hack to run child_process.exec() synchronously (sync avoids callback hell)
// Uses a custom wait loop that checks for a flag file, created when the child process is done.
// (Can't do a wait loop that checks for internal Node variables/messages as
// Node is single-threaded; callbacks and other internal state changes are done in the
// event loop).
function execSync(cmd, opts) {
  var stdoutFile = path.resolve(tempDir()+'/'+randomFileName()),
      codeFile = path.resolve(tempDir()+'/'+randomFileName()),
      scriptFile = path.resolve(tempDir()+'/'+randomFileName()),
      sleepFile = path.resolve(tempDir()+'/'+randomFileName());

  var options = extend({
    silent: config.silent
  }, opts);

Known exploitable directories:

// Cross-platform method for getting an available temporary directory.
// Follows the algorithm of Python's tempfile.tempdir
// http://docs.python.org/library/tempfile.html#tempfile.tempdir
function tempDir() {
  if (state.tempDir)
    return state.tempDir; // from cache

  state.tempDir = writeableDir(process.env['TMPDIR']) ||
                  writeableDir(process.env['TEMP']) ||
                  writeableDir(process.env['TMP']) ||
                  writeableDir(process.env['Wimp$ScrapDir']) || // RiscOS
                  writeableDir('C:\\TEMP') || // Windows
                  writeableDir('C:\\TMP') || // Windows
                  writeableDir('\\TEMP') || // Windows
                  writeableDir('\\TMP') || // Windows
                  writeableDir('/tmp') ||
                  writeableDir('/var/tmp') ||
                  writeableDir('/usr/tmp') ||
                  writeableDir('.'); // last resort

  return state.tempDir;
}

Disclosure Timeline

  • 2021-04-13 – Researcher discover vulnerabilities
  • 2021-06-08 – Vendor assigns CVE-2021-33669 & publishes advisory
  • 2021-10-04 – Researcher publishes their advisory 3 months later, according to SAP rules

Links

https://github.com/SAP/mobilesdk-certificateprovider/security/advisories/GHSA-r2j9-h6q9-cq8g

https://github.com/SAP/mobilesdk-certificateprovider

https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-032.md

https://sick.codes/sick-2021-032

Researchers

Sick Codes: https://github.com/sickcodes || https://twitter.com/sickcodes

CVE Links

https://sick.codes/sick-2021-032

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33669

https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-33669

Next Post
“Accidentally Deleted” udev rules.d: Restore udev Rules in /etc/udev/rules.d/ or /lib/udev/hwdb.d/

"Accidentally Deleted" udev rules.d: Restore udev Rules in /etc/udev/rules.d/ or /lib/udev/hwdb.d/

How to downgrade linux-lts back to 5.10 on Arch Linux/Manjaro from 5.15, and keep it there!

How to downgrade linux-lts back to 5.10 on Arch Linux/Manjaro from 5.15, and keep it there!

Fix DIVD-2022-00002 - Grafana Upgrade Mitigation

Fix DIVD-2022-00002: Grafana versions 8.0.0-beta1 through 8.3.0 installed via dpkg/deb package. Mitigation:

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

No Result
View All Result
  • Home
  • Releases
  • Submit Vuln
  • Press
  • About
  • PGP
  • Contact
    • Contact
    • Submit Vuln
    • VDP
  • Tutorials
    • All Posts
    • Photoshop on Linux
    • macOS on Linux
  • Supporters
  • Projects
  • Training

© 2017-2021 Sick.Codes

@sickcodes

@sickcodes

@sickcodes

Discord Server

sickcodes.slack.com

t.me/sickcodeschat

./contact_form