Full Disclosure mailing list archives
SRT2003-03-31-1219 - SAP world writable server binaries
From: KF <dotslash () snosoft com>
Date: Mon, 31 Mar 2003 07:33:48 -0500
This data will be available at http://www.secnetops.biz/research/ shortly. -KF
Secure Network Operations, Inc. http://www.secnetops.com Strategic Reconnaissance Team research () secnetops com Team Lead Contact kf () secnetops com Our Mission: ************************************************************************ Secure Network Operations offers expertise in Networking, Intrusion Detection Systems (IDS), Software Security Validation, and Corporate/Private Network Security. Our mission is to facilitate a secure and reliable Internet and inter-enterprise communications infrastructure through the products and services we offer. Quick Summary: ************************************************************************ Advisory Number : SRT2003-03-31-1219 Product : SAP DB Version : Version 7.x (RPM Install) Vendor : sapdb.org Class : local Criticality : Medium Operating System(s) : Linux (other unix based?) High Level Explination ************************************************************************ High Level Description : File permissions of 777 on server executables What to do : chmod 755 on vulnerable binaries Technical Details ************************************************************************ Proof Of Concept Status : No PoC needed for this issue. Low Level Description : RPM install leaves world writable lserver and dbmsrv Leaving world writable files around has obvious reprecussions. Download the latest SAP rpm packages from: http://www.sapdb.org/7.4/rpm_linux.htm Login as root and install the rpms vegeta SAP # rpm -ivh *rpm --nodeps Preparing... ########################################### [100%] 1:sapdb-ind ########################################### [14%] 2:sapdb-srv74 ########################################### [28%] 3:sapdb-callif ########################################### [42%] 4:sapdb-precompiler ########################################### [57%] 5:sapdb-scriptif ########################################### [71%] 6:sapdb-testdb74 ########################################### [85%] 7:sapdb-web ########################################### [100%] Login as normal user and locate world writable binaries nobody@vegeta / $ id uid=65534(nobody) gid=65534(nobody) groups=65534(nobody) nobody@vegeta / $ find /opt/sapdb/ -perm -0777 /opt/sapdb/depend74/pgm/dbmsrv /opt/sapdb/depend74/pgm/lserver Verify sanity nobody@vegeta / $ cd /opt/sapdb/depend74/pgm/ nobody@vegeta pgm $ ls -al total 36912 drwxrwxr-x 2 root sapdb 4096 Mar 23 12:59 . drwxrwxr-x 10 root sapdb 4096 Mar 23 12:59 .. -rwxrwxr-x 1 root sapdb 297555 Feb 28 15:42 console -rwxrwxrwx 1 root sapdb 2088040 Feb 28 15:48 dbmsrv -rwxrwxr-x 1 root sapdb 1806053 Feb 28 15:47 diagnose -rwxrwxr-x 1 root sapdb 448402 Feb 28 15:48 dumpcomreg -rwxrwxr-x 1 root sapdb 8475382 Feb 28 18:11 kernel -rwxrwxrwx 1 root sapdb 4722216 Feb 28 18:17 lserver -rwxrwxr-x 1 root sapdb 1032409 Feb 28 18:17 pu -rwxrwxr-x 1 root sapdb 1453842 Feb 28 15:30 python -rwxrwxr-x 1 root sapdb 46471 Feb 28 15:28 regcomp -rwxrwxr-x 1 root sapdb 16389708 Feb 28 18:05 slowknl -rwxrwxr-x 1 root sapdb 845869 Feb 28 18:16 sqlfilter -rwxrwxr-x 1 root sapdb 20939 Feb 28 15:43 sysrc -rwxrwxr-x 1 root sapdb 55138 Feb 28 15:56 tracesort nobody@vegeta pgm $ echo oops > kernel sh: kernel: Permission denied nobody@vegeta pgm $ echo oops > lserver nobody@vegeta pgm $ echo oops I did it again > dbmsrv nobody@vegeta pgm $ cat lserver oops nobody@vegeta pgm $ cat dbmsrv oops I did it again This appears to be caused by the RPM installation when it sets permissions D: fini 100777 1 ( 0, 410) 2088040 /opt/sapdb/depend74/pgm/dbmsrv;3e7df5e7 D: fini 100777 1 ( 0, 410) 4722216 /opt/sapdb/depend74/pgm/lserver;3e7df5e7 Older rpm packages have the same issue sapdb-ind-7.3.0.32-1.i386.rpm and sapdb-srv-7.3.0.32-1.i386.rpm leave: vegeta OLD # find /opt/sapdb/ -perm -0777 /opt/sapdb/depend/pgm/dbmsrv /opt/sapdb/depend/pgm/lserver If instead you installed from sapdb-all-linux-32bit-i386-7_4_3_14.tgz and sapdb-webtools-linux-32bit-i386-7_4_3_10.tgz: vegeta sapdb-all-linux-32bit-i386-7_4_3_14 # ./SDBINST Installation of SAP DB Software ******************************** ... vegeta sapdb-all-linux-32bit-i386-7_4_3_14 # find /opt/sapdb -perm -0777 -print /opt/sapdb/indep_data/wrk you will note there are no world writable server binaries after a .tgz install. Patch or Workaround : chmod 755 /opt/sapdb/depend*/pgm/dbmsrv and /opt/sapdb/depend*/pgm/lserver SAP made it clear that normal users should not have local access to the SAP server when I pointed out the last security issue. The same logic applys here however this does not lessen the result of this problem. Vendor Status : recieved only an email autoresponder Bugtraq URL : to be assigned ------------------------------------------------------------------------ This advisory was released by Secure Network Operations,Inc. as a matter of notification to help administrators protect their networks against the described vulnerability. Exploit source code is no longer released in our advisories. Contact research () secnetops com for information on how to obtain exploit information.
Current thread:
- SRT2003-03-31-1219 - SAP world writable server binaries KF (Apr 01)