Techly NewsGet the app

Get the latest tech news

One Bug Wasn't Enough: Escalating Twice Through SAP's Setuid Landscape


Principal Security Engineer Tao Sauvage discovered two SAP flaws on a client project, resulting in a CVE and a custom tool.

In 2020, Vincent Berg published a blog post describing a vulnerability he found affecting an SAP setuid binary while preparing for a client project. I downloaded the SAP HANA Express VM and configured a local environment where I could more easily analyze and debug the binaries, without risking damage to the client's infrastructure. This kind of work (digging deep, getting lost in rabbit holes, solving puzzles, and building tools) is my favorite part of being a security engineer.

Get the Android app

Or read this on Hacker News

Read more on:

Photo of bug

bug

Photo of SAP

SAP

Photo of setuid landscape

setuid landscape

Related news:

News photo

New AirPods Max Firmware Unavailable Due to iOS 18.4 Bug, Apple Says Update 'Coming Soon'

News photo

iOS 18.4 Bug Seemingly Resurrects Previously Deleted iPhone Apps

News photo

InZoi developer resolves to strengthen internal review processes following bug which allowed players to run over and kill children

« Phasmophobia turns to its community to make this Easter event the most terrifying yet
Apple was getting bid up like crazy yesterday, don't tell me this wasn't leaked »