
List:       bugtraq
Subject:    SRT2003-03-31-1219 - SAP world writable server binaries
From:       KF <dotslash () snosoft ! com>
Date:       2003-03-31 12:33:48

This data will be available at http://www.secnetops.biz/research/ shortly.

-KF


["SRT2003-03-31-1219.txt" (text/plain)]

Secure Network Operations, Inc.           http://www.secnetops.com
Strategic Reconnaissance Team	            research@secnetops.com
Team Lead Contact		                  kf@secnetops.com


Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion 
Detection Systems (IDS), Software Security Validation, and 
Corporate/Private Network Security. Our mission is to facilitate a 
secure and reliable Internet and inter-enterprise communications 
infrastructure through the products and services we offer. 


Quick Summary:
************************************************************************
Advisory Number		: SRT2003-03-31-1219
Product			: SAP DB
Version			: Version 7.x (RPM Install)
Vendor			: sapdb.org
Class			: local
Criticality             : Medium 
Operating System(s)	: Linux (other unix based?)


High Level Explanation
************************************************************************
High Level Description	: File permissions of 777 on server executables
What to do		: chmod 755 on vulnerable binaries 


Technical Details
************************************************************************
Proof Of Concept Status : No PoC needed for this issue. 
Low Level Description	: RPM install leaves world writable lserver and dbmsrv

Leaving world writable files around has obvious repercussions.

Download the latest SAP rpm packages from:
http://www.sapdb.org/7.4/rpm_linux.htm

Login as root and install the rpms

vegeta SAP # rpm -ivh *rpm --nodeps
Preparing...                ########################################### [100%]
   1:sapdb-ind              ########################################### [14%]
   2:sapdb-srv74            ########################################### [28%]
   3:sapdb-callif           ########################################### [42%]
   4:sapdb-precompiler      ########################################### [57%]
   5:sapdb-scriptif         ########################################### [71%]
   6:sapdb-testdb74         ########################################### [85%]
   7:sapdb-web              ########################################### [100%]

Login as normal user and locate world writable binaries

nobody@vegeta / $ id
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)

nobody@vegeta / $ find /opt/sapdb/ -perm -0777
/opt/sapdb/depend74/pgm/dbmsrv
/opt/sapdb/depend74/pgm/lserver

Verify sanity

nobody@vegeta / $ cd /opt/sapdb/depend74/pgm/
nobody@vegeta pgm $ ls -al
total 36912
drwxrwxr-x    2 root     sapdb        4096 Mar 23 12:59 .
drwxrwxr-x   10 root     sapdb        4096 Mar 23 12:59 ..
-rwxrwxr-x    1 root     sapdb      297555 Feb 28 15:42 console
-rwxrwxrwx    1 root     sapdb     2088040 Feb 28 15:48 dbmsrv
-rwxrwxr-x    1 root     sapdb     1806053 Feb 28 15:47 diagnose
-rwxrwxr-x    1 root     sapdb      448402 Feb 28 15:48 dumpcomreg
-rwxrwxr-x    1 root     sapdb     8475382 Feb 28 18:11 kernel
-rwxrwxrwx    1 root     sapdb     4722216 Feb 28 18:17 lserver
-rwxrwxr-x    1 root     sapdb     1032409 Feb 28 18:17 pu
-rwxrwxr-x    1 root     sapdb     1453842 Feb 28 15:30 python
-rwxrwxr-x    1 root     sapdb       46471 Feb 28 15:28 regcomp
-rwxrwxr-x    1 root     sapdb    16389708 Feb 28 18:05 slowknl
-rwxrwxr-x    1 root     sapdb      845869 Feb 28 18:16 sqlfilter
-rwxrwxr-x    1 root     sapdb       20939 Feb 28 15:43 sysrc
-rwxrwxr-x    1 root     sapdb       55138 Feb 28 15:56 tracesort

nobody@vegeta pgm $ echo oops > kernel
sh: kernel: Permission denied
nobody@vegeta pgm $ echo oops > lserver
nobody@vegeta pgm $ echo oops I did it again > dbmsrv
nobody@vegeta pgm $ cat lserver
oops
nobody@vegeta pgm $ cat dbmsrv
oops I did it again

This appears to be caused by the RPM installation when it sets permissions

D: fini      100777  1 (   0, 410)   2088040 /opt/sapdb/depend74/pgm/dbmsrv;3e7df5e7
D: fini      100777  1 (   0, 410)   4722216 /opt/sapdb/depend74/pgm/lserver;3e7df5e7

Older rpm packages have the same issue sapdb-ind-7.3.0.32-1.i386.rpm and
sapdb-srv-7.3.0.32-1.i386.rpm leave:

vegeta OLD # find /opt/sapdb/ -perm -0777
/opt/sapdb/depend/pgm/dbmsrv
/opt/sapdb/depend/pgm/lserver

If instead you installed from sapdb-all-linux-32bit-i386-7_4_3_14.tgz and
sapdb-webtools-linux-32bit-i386-7_4_3_10.tgz:

vegeta sapdb-all-linux-32bit-i386-7_4_3_14 # ./SDBINST
        Installation of SAP DB Software
        ********************************
...

vegeta sapdb-all-linux-32bit-i386-7_4_3_14 # find /opt/sapdb -perm -0777 -print 
/opt/sapdb/indep_data/wrk

you will note there are no world writable server binaries after a .tgz install. 

Patch or Workaround	: chmod 755 /opt/sapdb/depend*/pgm/dbmsrv and /opt/sapdb/depend*/pgm/lserver

SAP made it clear that normal users should not have local access to the SAP server when I
pointed out the last security issue. The same logic applies here; however, this does not lessen 
the result of this problem.

Vendor Status		: received only an email autoresponder
Bugtraq URL		: to be assigned

------------------------------------------------------------------------
This advisory was released by Secure Network Operations,Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories. Contact research@secnetops.com for information on how
to obtain exploit information.
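
Added example, not part of the original advisory and not SAP DB tooling: a small audit-and-repair script for the condition described above. It goes slightly beyond the advisory's `find -perm -0777` by matching on the world-write bit alone (`-perm -0002`), which also catches modes such as 0666 or 0757, and it restricts itself to regular files. The SAPDB_ROOT variable and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit an install tree for world-writable files and repair them.
# SAPDB_ROOT is a name chosen for this example; /opt/sapdb is the path shown
# in the advisory.
SAPDB_ROOT="${SAPDB_ROOT:-/opt/sapdb}"

# Print every regular file under $1 whose "other" write bit is set.
# -perm -0002 matches 0777 and also 0666, 0757, ... which -perm -0777 misses.
# -type f keeps directories out of the result.
list_world_writable() {
    find "$1" -type f -perm -0002 -print 2>/dev/null
}

# Repair step:
#   executables (owner x bit set) get the advisory's workaround, chmod 755
#   other files only lose the world-write bit, chmod o-w
# Returns 0 only if a second scan finds nothing left to fix.
fix_world_writable() {
    find "$1" -type f -perm -0002 -perm -0100 -exec chmod 755 {} + &&
    find "$1" -type f -perm -0002 ! -perm -0100 -exec chmod o-w {} + &&
    [ -z "$(list_world_writable "$1")" ]
}

# Command-line entry points; with no argument the script only defines functions.
case "${1:-}" in
    --audit) list_world_writable "$SAPDB_ROOT" ;;
    --fix)   fix_world_writable "$SAPDB_ROOT" ;;
esac
```

Run with --audit as an unprivileged user to confirm the finding, then with --fix as root; rerun --audit after any later RPM upgrade, since the package sets the mode again at install time.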


