From Unknown Parameter to Root: A Story of Unexpected Intrusion Testing Results

Date: August 25, 2023

Time: 16:30

Track: Track 2

Over the past thirteen years, SAP has continued to patch an endless stream of vulnerabilities. Some of them are never disclosed publicly, yet they remain hidden threats that could lead to disasters.

This time we would like to tell a story. It begins with a classical pentest against an SAP system running in SAP's brand new cloud environment, "RISE with SAP". We will explain how we found critical vulnerabilities in the SAP Start Service that were initially exploitable only locally, but, because of a "hidden" parameter, turned out to be exploitable remotely as well. We will walk through the environment setup, the analysis of the binaries saposcol.exe and sldreg.exe, and the network communication between all components, ending with the discovery of a memory corruption with a libc leak and an OS command injection, both leading to RCE as root or NT/SYSTEM.

We plan to show a recorded demonstration of the exploitation of these vulnerabilities. We will provide all recommendations and the *new* documentation about the "not hidden anymore" parameter, as well as all related SAP OSS Note numbers and the CVEs covered in this talk.

Senior Security Researcher

Onapsis

Yvan Genuer is a Sr. Security Researcher at Onapsis. He has over 18 years of SAP experience. He has delivered consultancy services around SAP security and researched vulnerabilities in SAP products, receiving official acknowledgements from SAP AG for the 100+ vulnerabilities he originally reported. He has also given both trainings and talks on this topic at conferences.