SAPStartSrv – Pre-auth OS Command injection as root or system
Impact On Business
- If parameter service/localconnection = compat :
Remotely, an unauthenticated attacker could use it to execute arbitrary commands on the OS side as system administrator (root or SYSTEM)
- If parameter service/localconnection is not set :
Locally, an authenticated attacker with low privileges could use it to execute arbitrary commands on the OS side as administrator leading to leverage privileges.
- Both scenarios lead to fully compromising all different SAP Systems running on the SAP target system.
Vulnerability Details
The SAP Start Service, listening on port 1128 (http) and 1129 (https) allow unauthenticated users to access several SOAP methods under namespace SAPOsCol or SAPHostControl. One of them, ConfigureOutsideDiscovery doesn’t correctly handle the parameter name where the value is used under an OS command “move” to transfer the configuration file from temporary directory to the final directory. It is possible to inject arbitrary OS commands in this parameter value. The command is executed as an OS administrator user (root or SYSTEM).
Solution
SAP has released SAP Note 3285757 which provides patched versions of the affected components.
The patches can be downloaded from https://me.sap.com/notes/3285757.
Onapsis strongly recommends SAP customers to download the related security fixes and apply them to the affected components in order to reduce business risks.
Report Timeline
- 11/21/2022: Onapsis sends details to SAP
- 12/14/2022: SAP disagree the CVSS score
- 12/15/2022: Onapsis provide more explanation
- 02/14/2023: SAP releases SAP Note fixing the issue
References
- Onapsis blogpost: https://onapsis.com/blog/sap-patch-day-february-2023/
- CVE Mitre: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24523
- Vendor Patch: https://me.sap.com/notes/3285757
- Hack In The Box, Phuket, 2023 A Story Of Unexpected Intrusion Testing Results https://www.youtube.com/watch?v=jkSaP_KH-yY
Advisory Information
- Public Release Date: 07/23/25
- Security Advisory ID: ONAPSIS-2024-0016
- Researcher(s): Yvan Genuer
Vulnerability Information
- Vendor: SAP
- Affected Components: SAP Host Agent
- SAPHOSTAGENT 7.21
- SAPHOSTAGENT 7.22 SP058 and lower
(Check SAP Note 3285757 for detailed information on affected releases)
- Vulnerability Class: CWE-78 CWE-306
- CVSS v3 score: 9.0 AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
- Risk Level: Critical
- Assigned CVE: CVE-2023-24523
- Vendor patch Information: SAP Security NOTE 3285757
About our Research Labs
Onapsis Research Labs provides the industry analysis of key security issues that impact mission-critical systems and applications.
Delivering frequent and timely security and compliance advisories with associated risk levels, Onapsis Research Labs combine in-depth knowledge and experience to deliver technical and business-context with sound security judgment to the broader information security community.
Find all reported vulnerabilities at:
https://github.com/Onapsis/vulnerability_advisories
This advisory is licensed under a Creative Commons 4.0 BY-ND International License