Local Privilege Escalation in SAP sapdba Command

2006.05.25
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-Other


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

(The following advisory is also available in PDF format for download at:
http://www.cybsec.com/vuln/CYBSEC_Security_Pre-Advisory_Local_Privilege_Escalation_in_SAP_sapdba_Command.pdf )

CYBSEC S.A.
www.cybsec.com

Pre-Advisory Name: Local Privilege Escalation in SAP sapdba Command

Vulnerability Class: Insecure Environment Variable Handling

Release Date: 05/18/2006

Affected Applications:
* sapdba command for Informix version prior to 700
* sapdba command for Informix version 700 up to patch number 100

Unaffected Applications:
* sapdba command for Oracle Databases

Affected Platforms:
* SAP with Informix on HP-UX, Solaris, AIX, TRUE64 or Linux

Local / Remote: Local

Severity: Medium

Author: Leandro Meiners.

Vendor Status:
* Confirmed, patch released

Reference to Vulnerability Disclosure Policy:
http://www.cybsec.com/vulnerability_policy.pdf

Product Overview:
=================

The sapdba command is a utility provided by SAP for database administration. Two different versions are available, one for Informix and another for Oracle databases.

Vulnerability Description:
==========================

The sapdba command for Informix Databases was found to allow any UNIX user to run arbitrary commands with informix rights at the shell level, due to improper handling of environment variables.

Technical Details:
==================

Technical details will be released three months after publication of this pre-advisory. This was agreed upon with SAP to allow their clients to upgrade affected software prior to the technical knowledge being publicly available.

Impact:
=======

Any user with login access to the SAP database server having a vulnerable version of the sapdba command can escalate privileges to execute arbitrary commands with the rights of the informix user.

Solutions:
==========

SAP released a patch regarding this issue. Details can be found in SAP note 944585.

Vendor Response:
================

* 04/20/2006: Initial Vendor Contact and technical details for the vulnerabilities sent to vendor.
* 04/26/2006: Solution provided by vendor.
* 05/18/2006: Coordinate release of pre-advisory without technical details.
* 08/18/2006: Coordinate release of advisory with technical details.

Contact Information:
====================

For more information regarding the vulnerability feel free to contact the author at lmeiners<at>cybsec.com. Please bear in mind that technical details will be disclosed three months after the release of this pre-advisory, so such questions won't be answered until then.

For more information regarding CYBSEC: www.cybsec.com

----------------------------
Leandro Meiners
CYBSEC S.A. Security Systems
E-mail: lmeiners at cybsec.com
Tel/Fax: [54-11] 4382-1600
Web: http://www.cybsec.com
PGP-Key: http://pgp.mit.edu:11371/pks/lookup?search=lmeiners&op=index

