Secure Network Operations, Inc.           http://www.secnetops.com
Strategic Reconnaissance Team               research@secnetops.com
Team Lead Contact                                 kf@secnetops.com

Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion
Detection Systems (IDS), Software Security Validation, and
Corporate/Private Network Security. Our mission is to facilitate a
secure and reliable Internet and inter-enterprise communications
infrastructure through the products and services we offer.

Quick Summary:
************************************************************************
Advisory Number         : SRT2003-03-31-1219
Product                 : SAP DB
Version                 : Version 7.x (RPM Install)
Vendor                  : sapdb.org
Class                   : local
Criticality             : Medium
Operating System(s)     : Linux (other unix based?)

High Level Explanation
************************************************************************
High Level Description  : File permissions of 777 on server executables
What to do              : chmod 755 on vulnerable binaries

Technical Details
************************************************************************
Proof Of Concept Status : No PoC needed for this issue.
Low Level Description   : RPM install leaves world writable lserver and dbmsrv

Leaving world writable files around has obvious repercussions.

Download the latest SAP rpm packages from:
http://www.sapdb.org/7.4/rpm_linux.htm

Login as root and install the rpms

vegeta SAP # rpm -ivh *rpm --nodeps
Preparing...           ########################################### [100%]
   1:sapdb-ind         ########################################### [14%]
   2:sapdb-srv74       ########################################### [28%]
   3:sapdb-callif      ########################################### [42%]
   4:sapdb-precompiler ########################################### [57%]
   5:sapdb-scriptif    ########################################### [71%]
   6:sapdb-testdb74    ########################################### [85%]
   7:sapdb-web         ########################################### [100%]

Login as normal user and locate world writable binaries

nobody@vegeta / $ id
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
nobody@vegeta / $ find /opt/sapdb/ -perm -0777
/opt/sapdb/depend74/pgm/dbmsrv
/opt/sapdb/depend74/pgm/lserver

Verify sanity

nobody@vegeta / $ cd /opt/sapdb/depend74/pgm/
nobody@vegeta pgm $ ls -al
total 36912
drwxrwxr-x    2 root     sapdb        4096 Mar 23 12:59 .
drwxrwxr-x   10 root     sapdb        4096 Mar 23 12:59 ..
-rwxrwxr-x    1 root     sapdb      297555 Feb 28 15:42 console
-rwxrwxrwx    1 root     sapdb     2088040 Feb 28 15:48 dbmsrv
-rwxrwxr-x    1 root     sapdb     1806053 Feb 28 15:47 diagnose
-rwxrwxr-x    1 root     sapdb      448402 Feb 28 15:48 dumpcomreg
-rwxrwxr-x    1 root     sapdb     8475382 Feb 28 18:11 kernel
-rwxrwxrwx    1 root     sapdb     4722216 Feb 28 18:17 lserver
-rwxrwxr-x    1 root     sapdb     1032409 Feb 28 18:17 pu
-rwxrwxr-x    1 root     sapdb     1453842 Feb 28 15:30 python
-rwxrwxr-x    1 root     sapdb       46471 Feb 28 15:28 regcomp
-rwxrwxr-x    1 root     sapdb    16389708 Feb 28 18:05 slowknl
-rwxrwxr-x    1 root     sapdb      845869 Feb 28 18:16 sqlfilter
-rwxrwxr-x    1 root     sapdb       20939 Feb 28 15:43 sysrc
-rwxrwxr-x    1 root     sapdb       55138 Feb 28 15:56 tracesort

nobody@vegeta pgm $ echo oops > kernel
sh: kernel: Permission denied
nobody@vegeta pgm $ echo oops > lserver
nobody@vegeta pgm $ echo oops I did it again > dbmsrv
nobody@vegeta pgm $ cat lserver
oops
nobody@vegeta pgm $ cat dbmsrv
oops I did it again

This appears to be caused by the RPM installation when it sets permissions

D: fini 100777 1 ( 0, 410) 2088040 /opt/sapdb/depend74/pgm/dbmsrv;3e7df5e7
D: fini 100777 1 ( 0, 410) 4722216 /opt/sapdb/depend74/pgm/lserver;3e7df5e7

Older rpm packages have the same issue.
sapdb-ind-7.3.0.32-1.i386.rpm and sapdb-srv-7.3.0.32-1.i386.rpm leave:

vegeta OLD # find /opt/sapdb/ -perm -0777
/opt/sapdb/depend/pgm/dbmsrv
/opt/sapdb/depend/pgm/lserver

If instead you installed from sapdb-all-linux-32bit-i386-7_4_3_14.tgz and
sapdb-webtools-linux-32bit-i386-7_4_3_10.tgz:

vegeta sapdb-all-linux-32bit-i386-7_4_3_14 # ./SDBINST

        Installation of SAP DB Software
        ********************************
...
vegeta sapdb-all-linux-32bit-i386-7_4_3_14 # find /opt/sapdb -perm -0777 -print
/opt/sapdb/indep_data/wrk

you will note there are no world writable server binaries after a .tgz
install.

Patch or Workaround     : chmod 755 /opt/sapdb/depend*/pgm/dbmsrv and
                          /opt/sapdb/depend*/pgm/lserver

SAP made it clear that normal users should not have local access to the
SAP server when I pointed out the last security issue. The same logic
applies here; however, this does not lessen the result of this problem.

Vendor Status           : received only an email autoresponder
Bugtraq URL             : to be assigned

------------------------------------------------------------------------
This advisory was released by Secure Network Operations, Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories. Contact research@secnetops.com for information on how
to obtain exploit information.
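
The find check and the chmod 755 workaround from the advisory above, written as a repeatable audit. This is an added example, not part of the original advisory or of SAP DB; the function names are hypothetical, and it goes slightly beyond the advisory by matching any mode with the other-write bit set rather than exactly 777.

```sh
#!/bin/sh
# Added example, not from the advisory. Function names are hypothetical;
# /opt/sapdb is the install prefix shown in the advisory.

# Print regular files under $1 that "other" may write and that carry any
# execute bit. -perm -0002 tests only the other-write bit, so it also
# reports modes such as 0757 that "find -perm -0777" skips.
find_ww_exec() {
    find "$1" -type f -perm -0002 \
        \( -perm -0100 -o -perm -0010 -o -perm -0001 \) -print | sort
}

# While a binary was world-writable any local user could have replaced it,
# so check content before trusting it. With rpm present, compare each file
# given as an argument with the package database; a "5" in the third column
# of "rpm -V" output means the file digest no longer matches.
verify_with_rpm() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found" >&2; return 2; }
    for f in "$@"; do
        rpm -Vf "$f" | grep -F -- "$f" || true
    done
}

# Apply the advisory's workaround (chmod 755) to every file the audit
# reports, then audit again. Returns 0 only when nothing is left.
fix_ww_exec() {
    find_ww_exec "$1" | while IFS= read -r f; do
        chmod 755 "$f" && printf 'fixed %s\n' "$f"
    done
    [ -z "$(find_ww_exec "$1")" ]
}

# Typical order on an affected host (run as root):
#   find_ww_exec /opt/sapdb
#   verify_with_rpm /opt/sapdb/depend74/pgm/dbmsrv /opt/sapdb/depend74/pgm/lserver
#   fix_ww_exec /opt/sapdb
```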