August 25, 2023




Track 2

From Unknown Parameter to Root: A Story of Unexpected Intrusion Testing Results

Over the past thirteen years, SAP has patched an endless stream of vulnerabilities. Some of them are not known to the world, yet they are hidden threats that could lead to disasters.

This time we would like to tell a story, one where everything starts from a classical pentest against an SAP system running in the brand new SAP Cloud environment: “RISE with SAP”. We will explain how we found critical vulnerabilities in the SAP Start Service that were initially exploitable only locally but, because of the “hidden” parameter, are also exploitable remotely. We will cover everything from the environment setup to the analysis of the saposcol.exe and sldreg.exe binaries, as well as the network communication between all components, ultimately ending with the discovery of a memory corruption with libc leak and an OS command injection, both leading to RCE as root or NT/SYSTEM.

We plan to show a recorded demonstration of the exploitation of these vulnerabilities. We will provide all recommendations and the *new* documentation about the “not hidden anymore” parameter, as well as all related SAP OSS Note numbers and CVEs covered in this talk.