Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

SRT2003-03-31-1219 - SAP world writable server binaries
From: KF <dotslash () snosoft com>
Date: Mon, 31 Mar 2003 07:33:48 -0500
This data will be available at http://www.secnetops.biz/research/ shortly.

-KF


Secure Network Operations, Inc.           http://www.secnetops.com
Strategic Reconnaissance Team               research () secnetops com
Team Lead Contact                                 kf () secnetops com


Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion 
Detection Systems (IDS), Software Security Validation, and 
Corporate/Private Network Security. Our mission is to facilitate a 
secure and reliable Internet and inter-enterprise communications 
infrastructure through the products and services we offer. 


Quick Summary:
************************************************************************
Advisory Number         : SRT2003-03-31-1219
Product                 : SAP DB
Version                 : Version 7.x (RPM Install)
Vendor                  : sapdb.org
Class                   : local
Criticality             : Medium 
Operating System(s)     : Linux (other unix based?)


High Level Explination
************************************************************************
High Level Description  : File permissions of 777 on server executables
What to do              : chmod 755 on vulnerable binaries 


Technical Details
************************************************************************
Proof Of Concept Status : No PoC needed for this issue. 
Low Level Description   : RPM install leaves world writable lserver and dbmsrv

Leaving world writable files around has obvious reprecussions.

Download the latest SAP rpm packages from:
http://www.sapdb.org/7.4/rpm_linux.htm

Login as root and install the rpms

vegeta SAP # rpm -ivh *rpm --nodeps
Preparing...                ########################################### [100%]
   1:sapdb-ind              ########################################### [14%]
   2:sapdb-srv74            ########################################### [28%]
   3:sapdb-callif           ########################################### [42%]
   4:sapdb-precompiler      ########################################### [57%]
   5:sapdb-scriptif         ########################################### [71%]
   6:sapdb-testdb74         ########################################### [85%]
   7:sapdb-web              ########################################### [100%]

Login as normal user and locate world writable binaries

nobody () vegeta / $ id
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)

nobody () vegeta / $ find /opt/sapdb/ -perm -0777
/opt/sapdb/depend74/pgm/dbmsrv
/opt/sapdb/depend74/pgm/lserver

Verify sanity

nobody () vegeta / $ cd /opt/sapdb/depend74/pgm/
nobody () vegeta pgm $ ls -al
total 36912
drwxrwxr-x    2 root     sapdb        4096 Mar 23 12:59 .
drwxrwxr-x   10 root     sapdb        4096 Mar 23 12:59 ..
-rwxrwxr-x    1 root     sapdb      297555 Feb 28 15:42 console
-rwxrwxrwx    1 root     sapdb     2088040 Feb 28 15:48 dbmsrv
-rwxrwxr-x    1 root     sapdb     1806053 Feb 28 15:47 diagnose
-rwxrwxr-x    1 root     sapdb      448402 Feb 28 15:48 dumpcomreg
-rwxrwxr-x    1 root     sapdb     8475382 Feb 28 18:11 kernel
-rwxrwxrwx    1 root     sapdb     4722216 Feb 28 18:17 lserver
-rwxrwxr-x    1 root     sapdb     1032409 Feb 28 18:17 pu
-rwxrwxr-x    1 root     sapdb     1453842 Feb 28 15:30 python
-rwxrwxr-x    1 root     sapdb       46471 Feb 28 15:28 regcomp
-rwxrwxr-x    1 root     sapdb    16389708 Feb 28 18:05 slowknl
-rwxrwxr-x    1 root     sapdb      845869 Feb 28 18:16 sqlfilter
-rwxrwxr-x    1 root     sapdb       20939 Feb 28 15:43 sysrc
-rwxrwxr-x    1 root     sapdb       55138 Feb 28 15:56 tracesort

nobody () vegeta pgm $ echo oops > kernel
sh: kernel: Permission denied
nobody () vegeta pgm $ echo oops > lserver
nobody () vegeta pgm $ echo oops I did it again > dbmsrv
nobody () vegeta pgm $ cat lserver
oops
nobody () vegeta pgm $ cat dbmsrv
oops I did it again

This appears to be caused by the RPM installation when it sets permissions

D: fini      100777  1 (   0, 410)   2088040 /opt/sapdb/depend74/pgm/dbmsrv;3e7df5e7
D: fini      100777  1 (   0, 410)   4722216 /opt/sapdb/depend74/pgm/lserver;3e7df5e7

Older rpm packages have the same issue sapdb-ind-7.3.0.32-1.i386.rpm and
sapdb-srv-7.3.0.32-1.i386.rpm leave:

vegeta OLD # find /opt/sapdb/ -perm -0777
/opt/sapdb/depend/pgm/dbmsrv
/opt/sapdb/depend/pgm/lserver

If instead you installed from sapdb-all-linux-32bit-i386-7_4_3_14.tgz and
sapdb-webtools-linux-32bit-i386-7_4_3_10.tgz:

vegeta sapdb-all-linux-32bit-i386-7_4_3_14 # ./SDBINST
        Installation of SAP DB Software
        ********************************
...

vegeta sapdb-all-linux-32bit-i386-7_4_3_14 # find /opt/sapdb -perm -0777 -print 
/opt/sapdb/indep_data/wrk

you will note there are no world writable server binaries after a .tgz install. 

Patch or Workaround     : chmod 755 /opt/sapdb/depend*/pgm/dbmsrv and /opt/sapdb/depend*/pgm/lserver

SAP made it clear that normal users should not have local access to the SAP server when I
pointed out the last security issue. The same logic applys here however this does not lessen 
the result of this problem.

Vendor Status           : recieved only an email autoresponder
Bugtraq URL             : to be assigned

------------------------------------------------------------------------
This advisory was released by Secure Network Operations,Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories. Contact research () secnetops com for information on how
to obtain exploit information.

  By Date           By Thread  

Current thread:
  • SRT2003-03-31-1219 - SAP world writable server binaries KF (Mar 31)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]