One Bug Wasn't Enough: Escalating Twice Through SAP's Setuid Landscape

Published on: 2025-04-27 19:56:31

By Tao Sauvage

SAP setuid

It's not every day you get a chance to one-up your CTO and co-founder of the company you work for. In 2020, Vincent Berg published a blog post describing a vulnerability he found affecting an SAP setuid binary while preparing for a client project. Combined with an insecure NFS configuration, he was able to compromise a dozen UNIX machines during that client engagement.

Last year, I was assigned to a new SAP-related project for the same client. I made it a personal goal to find two 0-day vulnerabilities (one more than Vincent) in the SAP software used by the client. It was a success, with CVE-2024-47595 assigned by SAP for both issues! Along the way, I learned about SAP internals, SAR archives, and even wrote a utility tool that I'm releasing today: SAPCARve.

The vulnerabilities I found were also local privilege escalations from sapsys to root affecting setuid binaries. Considering that sapsys is already a privileged SAP user, the impact was rightfully rate ...