Researchers have discovered a number of vulnerabilities in SAP’s CAR retail platform which can lead to attacks including privilege escalation and information tampering.
The platform is designed to give vendors access to customer, sales, and inventory information on one platform for branding, marketing, promotions and pricing purposes, among others.
The first vulnerability, CVE-2016-5845, is a locally exploitable bug discovered in the custom file format SAP uses to distribute software through the SAP CAR archive platform. If a specially crafted file were extracted with the program, the researchers say this could lead to a local denial of service or to privilege escalation.
The problem is caused by the program failing to check the return value of file operations when extracting files, and it can be exploited by using invalid file names to cause a crash.
The second security flaw, CVE-2016-5847, was also discovered in SAP CAR’s file extraction process. According to the team, this is a race condition caused by the way the SAP CAR platform changes the permissions of extracted files. A malicious user with local access to the directory in which another user is extracting files could leverage the flaw to change the permissions of arbitrary files.
“There’s a time gap between the creating of the file and the change of the permissions,” Gallo said. “During this time frame, a malicious local user can replace the extracted file with a hard link to a file belonging to another user, resulting in the SAPCAR program changing the permissions on the hard-linked file to be the same as that of the compressed file.”
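Both defects described above, the unchecked return values and the gap between creating a file and changing its permissions, sit in the extractor's file-writing path. The C below is an added example and is not SAP's or Core Security's code; it shows how an archive extractor can avoid that window by passing the archive's mode to open(2) at creation time, refusing to reuse an existing path (O_EXCL), applying the mode with fchmod(2) on the descriptor rather than chmod(2) on the path (so a hard link swapped into the directory is never touched), and checking every file operation's result. The function name extract_entry, the status codes, and the sample payload are assumptions for this example; it assumes a POSIX system with openat, fchmod and mkdtemp.

```c
/* Added example, not SAP or Core Security code. Assumes POSIX 2008. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum extract_status {
    EXTRACT_OK = 0,
    EXTRACT_BAD_NAME = 1,   /* empty, contains '/', or is "." / ".." */
    EXTRACT_EXISTS = 2,     /* path already present: possibly a planted link */
    EXTRACT_IO_ERROR = 3    /* open/fchmod/write/close reported failure */
};

/* Reject entry names that would escape the target directory or trip a
 * naive extractor: empty names, path separators, and "." / "..". */
static int valid_entry_name(const char *name)
{
    if (name == NULL || name[0] == '\0') return 0;
    if (strchr(name, '/') != NULL) return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    return 1;
}

/* Write one archive entry into the directory open at dirfd. The mode is
 * handed to openat(), so the file is born with its final permissions and
 * there is no create-then-chmod gap for a local user to race. O_EXCL
 * refuses a pre-existing name, O_NOFOLLOW refuses a symlink, and fchmod()
 * acts on the inode we created, not on whatever name now sits in the
 * directory. Every call's return value is checked. */
int extract_entry(int dirfd, const char *name, const unsigned char *data,
                  size_t len, mode_t mode)
{
    if (!valid_entry_name(name))
        return EXTRACT_BAD_NAME;

    mode &= 07777;
    int fd = openat(dirfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, mode);
    if (fd < 0)
        return errno == EEXIST ? EXTRACT_EXISTS : EXTRACT_IO_ERROR;

    /* openat() applied the umask; set the exact archive mode on our inode. */
    if (fchmod(fd, mode) != 0) { close(fd); return EXTRACT_IO_ERROR; }

    size_t done = 0;
    while (done < len) {
        ssize_t n = write(fd, data + done, len - done);
        if (n < 0) {
            if (errno == EINTR) continue;
            close(fd);
            return EXTRACT_IO_ERROR;
        }
        done += (size_t)n;
    }
    /* close() can surface deferred write errors; it is not ignored either. */
    if (close(fd) != 0)
        return EXTRACT_IO_ERROR;
    return EXTRACT_OK;
}

/* Self-check: extract a constructed entry into a scratch directory, verify
 * mode and size, and confirm a second extraction of the same name is
 * refused. Returns 0 on success, a small positive code on failure. */
int demo_extract_and_check(void)
{
    char tmpl[] = "/tmp/extract-demo-XXXXXX";
    if (mkdtemp(tmpl) == NULL) return 10;
    int dirfd = open(tmpl, O_RDONLY | O_DIRECTORY);
    if (dirfd < 0) { rmdir(tmpl); return 11; }

    const unsigned char payload[] = "constructed sample content\n"; /* 27 bytes */
    size_t len = sizeof payload - 1;
    int result = 0;
    struct stat st;

    if (extract_entry(dirfd, "note.txt", payload, len, 0640) != EXTRACT_OK)
        result = 1;
    else if (fstatat(dirfd, "note.txt", &st, 0) != 0)
        result = 2;
    else if ((st.st_mode & 07777) != 0640 || st.st_size != (off_t)len)
        result = 3;
    else if (extract_entry(dirfd, "note.txt", payload, len, 0640) != EXTRACT_EXISTS)
        result = 4;

    /* best-effort cleanup of the scratch directory */
    unlinkat(dirfd, "note.txt", 0);
    close(dirfd);
    rmdir(tmpl);
    return result;
}

int main(void)
{
    printf("self-check: %d\n", demo_extract_and_check());
    return 0;
}
```

The check a reviewer would apply to any extractor is the one the example encodes: permissions must be decided before the file exists or applied through the descriptor, never via a path lookup after the fact, and no file-system call's return value may be dropped on the floor.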
Core Security says other SAP software and versions may be affected, but were not tested.
The team provided proof-of-concept (PoC) code demonstrating the vulnerabilities.
Core Security reported its findings to SAP in early April. By the end of the month SAP had confirmed the validity of the flaws but, citing testing issues, said it would not be able to include fixes in the July patch update and would do so in August instead. Core Security then published its security notes on 10 August.
Earlier this week, SAP patched 13 security flaws in products which led to severe issues including cross-site scripting and denial of service.