Researchers expose multiple security flaws in SAP CAR platform tool

The vulnerabilities can lead to privilege escalation or denial of service attacks.

Researchers have discovered multiple vulnerabilities in a file-extraction tool used with SAP's CAR retail platform which can be exploited for privilege escalation, denial of service and tampering with the permissions of other users' files.


The flaws were discovered by Martin Gallo of Core Security, and the cybersecurity firm issued a security advisory documenting them. They affect SAPCAR, the extraction tool for the archive format SAP uses to distribute software, including for SAP CAR, a retail data repository system powered by SAP HANA.

The platform is designed to give vendors access to customer, sales, and inventory information on one platform for branding, marketing, promotions and pricing purposes, among others.

The first vulnerability, CVE-2016-5845, is a locally exploitable bug in how SAPCAR handles the custom archive format SAP uses to distribute software. If a specially crafted archive is extracted, the researchers say this can lead to a local denial of service or to privilege escalation.

The problem is caused by the program failing to check the return value of file operations while extracting, and it can be triggered with invalid file names inside the archive to crash the program.

The second security flaw, CVE-2016-5847, was also found in SAPCAR's file-extraction process. According to the team, it is a race condition arising from how the program changes the permissions of extracted files. A malicious user with local access to the directory in which another user is extracting files could exploit it to change the permissions of arbitrary files.

"There's a time gap between the creation of the file and the change of the permissions," Gallo said. "During this time frame, a malicious local user can replace the extracted file with a hard link to a file belonging to another user, resulting in the SAPCAR program changing the permissions on the hard-linked file to be the same as that of the compressed file."
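The race Gallo describes, as an added example that is not part of the original article and is not SAPCAR's own code: a Python model of the create-then-chmod sequence, with a hook standing in for the attacker's window, next to a hardened variant that applies the mode to the open descriptor instead of the path. The file names, the 0o644 "archive" mode and the victim file are constructed for the demonstration; the functions and their names are assumptions made here.

```python
"""Model of a create-then-chmod race in an archive extractor and a hardened variant.

Illustrative code written for this article, not SAPCAR's own code. It replays the
sequence the advisory describes: the extractor creates a file, then changes its
permissions by path. An attacker who swaps the path for a hard link in between
gets the archive's permissions applied to the linked file.
"""
import os
import stat
import tempfile


def extract_vulnerable(dest, data, mode, attacker_window=None):
    """Create, write, then chmod by path (the pattern the advisory describes).

    `attacker_window` is a hook standing in for the time gap between creation
    and the permission change; a real attacker would race it.
    """
    with open(dest, "wb") as f:
        f.write(data)
    if attacker_window is not None:
        attacker_window()
    # Path-based chmod follows whatever `dest` names now. If it has been
    # replaced by a hard link to another user's file, that file is changed.
    os.chmod(dest, mode)


def extract_hardened(dest, data, mode, attacker_window=None):
    """Create the file with its final mode and never touch the path again.

    O_EXCL refuses to reuse a pre-existing path, O_NOFOLLOW refuses symlinks,
    and fchmod() applies the mode to the inode we opened, not to whatever the
    path points at later. A failed open() (for example an invalid name) raises
    instead of being silently ignored.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(dest, flags, mode)
    try:
        if attacker_window is not None:
            attacker_window()
        os.fchmod(fd, mode)  # re-apply: open() masks `mode` with the umask
        os.write(fd, data)
    finally:
        os.close(fd)


def run_demo():
    """Stage a victim file and an attacker swap against both extractors.

    Returns a dict of observations so the outcome can be checked programmatically.
    """
    results = {}
    for name, extractor in (("vulnerable", extract_vulnerable),
                            ("hardened", extract_hardened)):
        with tempfile.TemporaryDirectory() as workdir:
            # Constructed sample: a private file standing in for another user's data.
            victim = os.path.join(workdir, "victim_secret")
            with open(victim, "wb") as f:
                f.write(b"other user's data\n")
            os.chmod(victim, 0o600)

            target = os.path.join(workdir, "extracted.txt")

            def attacker():
                # Wins the race: swap the freshly created file for a hard link
                # to the victim, so a chmod(target) now hits the victim's inode.
                os.unlink(target)
                os.link(victim, target)

            # 0o644 stands for the world-readable mode stored in the archive.
            extractor(target, b"archive payload\n", 0o644, attacker_window=attacker)

            victim_mode = stat.S_IMODE(os.stat(victim).st_mode)
            with open(victim, "rb") as f:
                victim_data = f.read()
            results[name] = {
                "victim_mode": victim_mode,
                "leaked": victim_mode != 0o600,
                "victim_intact": victim_data == b"other user's data\n",
            }
    return results


if __name__ == "__main__":
    for name, r in run_demo().items():
        print(f"{name:10s} victim mode {r['victim_mode']:04o} leaked={r['leaked']}")
```

Running the script shows the victim file ending up mode 0644 after the vulnerable extractor and staying 0600 after the hardened one. The hardened variant also fails closed: if the attacker has already planted a file or link at the target path, O_EXCL makes open() fail and the extraction aborts rather than writing through the planted path.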

Core Security says other SAP software and versions may also be affected but were not tested.

The team provided proof-of-concept (PoC) code demonstrating the vulnerabilities.

Core Security reported its findings to SAP in early April. By the end of the month SAP had confirmed the flaws but said that, due to testing issues, fixes could not be included in the July patch release and would ship in August instead. Core Security published its advisory on August 10.

SAP said in a statement:

"SAP Product Security Response Team collaborates frequently with research companies like Core Security to ensure a responsible disclosure of vulnerabilities. Security patches are available for download on the SAP Service Marketplace.

We strongly advise our customers to secure their SAP landscape by applying the available security patches from the SAP Service Marketplace immediately."

Earlier this week, SAP patched 13 security flaws in its products, including severe issues such as cross-site scripting and denial of service.