KF
01/04/03, 09:35
This data will be available at http://www.secnetops.biz/research/ shortly.
-KF
Secure Network Operations, Inc. http://www.secnetops.com
Strategic Reconnaissance Team research@secnetops.com
Team Lead Contact kf@secnetops.com
Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion
Detection Systems (IDS), Software Security Validation, and
Corporate/Private Network Security. Our mission is to facilitate a
secure and reliable Internet and inter-enterprise communications
infrastructure through the products and services we offer.
Quick Summary:
************************************************************************
Advisory Number : SRT2003-03-31-1219
Product : SAP DB
Version : Version 7.x (RPM Install)
Vendor : sapdb.org
Class : local
Criticality : Medium
Operating System(s) : Linux (other unix based?)
High Level Explanation
************************************************************************
High Level Description : File permissions of 777 on server executables
What to do : chmod 755 on vulnerable binaries
Technical Details
************************************************************************
Proof Of Concept Status : No PoC needed for this issue.
Low Level Description : RPM install leaves world-writable lserver and dbmsrv
Leaving world-writable files around has obvious repercussions.
Download the latest SAP rpm packages from:
http://www.sapdb.org/7.4/rpm_linux.htm
Log in as root and install the rpms:
vegeta SAP # rpm -ivh *rpm --nodeps
Preparing... ########################################### [100%]
1:sapdb-ind ########################################### [14%]
2:sapdb-srv74 ########################################### [28%]
3:sapdb-callif ########################################### [42%]
4:sapdb-precompiler ########################################### [57%]
5:sapdb-scriptif ########################################### [71%]
6:sapdb-testdb74 ########################################### [85%]
7:sapdb-web ########################################### [100%]
Log in as a normal user and locate world-writable binaries:
nobody@vegeta / $ id
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
nobody@vegeta / $ find /opt/sapdb/ -perm -0777
/opt/sapdb/depend74/pgm/dbmsrv
/opt/sapdb/depend74/pgm/lserver
Verify sanity:
nobody@vegeta / $ cd /opt/sapdb/depend74/pgm/
nobody@vegeta pgm $ ls -al
total 36912
drwxrwxr-x 2 root sapdb 4096 Mar 23 12:59 .
drwxrwxr-x 10 root sapdb 4096 Mar 23 12:59 ..
-rwxrwxr-x 1 root sapdb 297555 Feb 28 15:42 console
-rwxrwxrwx 1 root sapdb 2088040 Feb 28 15:48 dbmsrv
-rwxrwxr-x 1 root sapdb 1806053 Feb 28 15:47 diagnose
-rwxrwxr-x 1 root sapdb 448402 Feb 28 15:48 dumpcomreg
-rwxrwxr-x 1 root sapdb 8475382 Feb 28 18:11 kernel
-rwxrwxrwx 1 root sapdb 4722216 Feb 28 18:17 lserver
-rwxrwxr-x 1 root sapdb 1032409 Feb 28 18:17 pu
-rwxrwxr-x 1 root sapdb 1453842 Feb 28 15:30 python
-rwxrwxr-x 1 root sapdb 46471 Feb 28 15:28 regcomp
-rwxrwxr-x 1 root sapdb 16389708 Feb 28 18:05 slowknl
-rwxrwxr-x 1 root sapdb 845869 Feb 28 18:16 sqlfilter
-rwxrwxr-x 1 root sapdb 20939 Feb 28 15:43 sysrc
-rwxrwxr-x 1 root sapdb 55138 Feb 28 15:56 tracesort
nobody@vegeta pgm $ echo oops > kernel
sh: kernel: Permission denied
nobody@vegeta pgm $ echo oops > lserver
nobody@vegeta pgm $ echo oops I did it again > dbmsrv
nobody@vegeta pgm $ cat lserver
oops
nobody@vegeta pgm $ cat dbmsrv
oops I did it again
This appears to be caused by the RPM installation when it sets permissions:
D: fini 100777 1 ( 0, 410) 2088040 /opt/sapdb/depend74/pgm/dbmsrv;3e7df5e7
D: fini 100777 1 ( 0, 410) 4722216 /opt/sapdb/depend74/pgm/lserver;3e7df5e7
Older rpm packages have the same issue. sapdb-ind-7.3.0.32-1.i386.rpm and
sapdb-srv-7.3.0.32-1.i386.rpm leave:
vegeta OLD # find /opt/sapdb/ -perm -0777
/opt/sapdb/depend/pgm/dbmsrv
/opt/sapdb/depend/pgm/lserver
If instead you installed from sapdb-all-linux-32bit-i386-7_4_3_14.tgz and
sapdb-webtools-linux-32bit-i386-7_4_3_10.tgz:
vegeta sapdb-all-linux-32bit-i386-7_4_3_14 # ./SDBINST
Installation of SAP DB Software
********************************
....
vegeta sapdb-all-linux-32bit-i386-7_4_3_14 # find /opt/sapdb -perm -0777 -print
/opt/sapdb/indep_data/wrk
You will note there are no world-writable server binaries after a .tgz install.
Patch or Workaround : chmod 755 /opt/sapdb/depend*/pgm/dbmsrv and /opt/sapdb/depend*/pgm/lserver
SAP made it clear that normal users should not have local access to the SAP server when I
pointed out the last security issue. The same logic applies here; however, this does not lessen
the result of this problem.
Vendor Status : received only an email autoresponder
Bugtraq URL : to be assigned
------------------------------------------------------------------------
This advisory was released by Secure Network Operations, Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories. Contact research@secnetops.com for information on how
to obtain exploit information.
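
Added example, not part of the original advisory: the find -perm -0777 check used above matches only files with every permission bit set, so this audit tests the other-write bit alone and also reports world-writable directories that lack the sticky bit (such as the indep_data/wrk directory left by the .tgz install). Function names and the demo tree are hypothetical and constructed; on a real host, point the functions at /opt/sapdb.

```shell
#!/bin/sh
# Added example: audit an install tree for world-writable files.
# Function names and the demo tree are hypothetical, built to mirror
# the directory layout shown in the advisory.

# Regular files any local user can overwrite. -perm -0002 tests only the
# other-write bit, so modes such as 0666 or 0757 are caught as well as 0777.
world_writable_files() {
    find "$1" -type f -perm -0002 -print | sort
}

# World-writable directories without the sticky bit: any local user can
# delete or replace the entries inside them.
unsafe_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print | sort
}

# Clear other-write on regular files only; directories and symlinks are
# left alone. (The advisory's chmod 755 additionally drops group write.)
clear_other_write() {
    find "$1" -type f -perm -0002 -exec chmod o-w {} +
}

# Constructed sample tree (not a real SAP DB install).
make_demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/depend74/pgm" "$root/indep_data/wrk"
    for f in kernel dbmsrv lserver console; do
        : > "$root/depend74/pgm/$f"
    done
    chmod 755 "$root/depend74" "$root/indep_data"
    chmod 775 "$root/depend74/pgm" "$root/depend74/pgm/kernel"
    chmod 777 "$root/depend74/pgm/dbmsrv" "$root/indep_data/wrk"
    chmod 757 "$root/depend74/pgm/lserver"   # missed by -perm -0777
    chmod 666 "$root/depend74/pgm/console"   # missed by -perm -0777
    echo "$root"
}

demo=$(make_demo_tree)
echo "world-writable files:"; world_writable_files "$demo"
echo "unsafe directories:";   unsafe_dirs "$demo"
clear_other_write "$demo"
echo "world-writable files after fix: $(world_writable_files "$demo" | wc -l)"
rm -rf "$demo"
```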