[The problem in this message is only if you're installing SAP DB from RPM. Please fix permissions, or use a newer RPM -- Raju]
This is an RFC 1153 digest. (1 message)
----------------------------------------------------------------------

Message-ID: <[EMAIL PROTECTED]>
From: KF <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: SRT2003-03-31-1219 - SAP world writable server binaries
Date: Mon, 31 Mar 2003 07:33:48 -0500

This data will be available at http://www.secnetops.biz/research/ shortly.
-KF

Secure Network Operations, Inc. http://www.secnetops.com
Strategic Reconnaissance Team [EMAIL PROTECTED]
Team Lead Contact [EMAIL PROTECTED]

Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion
Detection Systems (IDS), Software Security Validation, and
Corporate/Private Network Security. Our mission is to facilitate a
secure and reliable Internet and inter-enterprise communications
infrastructure through the products and services we offer.

Quick Summary:
************************************************************************
Advisory Number : SRT2003-03-31-1219
Product : SAP DB
Version : Version 7.x (RPM Install)
Vendor : sapdb.org
Class : local
Criticality : Medium
Operating System(s) : Linux (other unix based?)

High Level Explanation
************************************************************************
High Level Description : File permissions of 777 on server executables
What to do : chmod 755 on vulnerable binaries

Technical Details
************************************************************************
Proof Of Concept Status : No PoC needed for this issue.
Low Level Description : RPM install leaves world writable lserver and dbmsrv

Leaving world writable files around has obvious repercussions.

Download the latest SAP rpm packages from:
http://www.sapdb.org/7.4/rpm_linux.htm

Login as root and install the rpms

vegeta SAP # rpm -ivh *rpm --nodeps
Preparing... ########################################### [100%]
1:sapdb-ind ########################################### [14%]
2:sapdb-srv74 ########################################### [28%]
3:sapdb-callif ########################################### [42%]
4:sapdb-precompiler ########################################### [57%]
5:sapdb-scriptif ########################################### [71%]
6:sapdb-testdb74 ########################################### [85%]
7:sapdb-web ########################################### [100%]

Login as normal user and locate world writable binaries

[EMAIL PROTECTED] / $ id
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
[EMAIL PROTECTED] / $ find /opt/sapdb/ -perm -0777
/opt/sapdb/depend74/pgm/dbmsrv
/opt/sapdb/depend74/pgm/lserver

Verify sanity

[EMAIL PROTECTED] / $ cd /opt/sapdb/depend74/pgm/
[EMAIL PROTECTED] pgm $ ls -al
total 36912
drwxrwxr-x 2 root sapdb 4096 Mar 23 12:59 .
drwxrwxr-x 10 root sapdb 4096 Mar 23 12:59 ..
-rwxrwxr-x 1 root sapdb 297555 Feb 28 15:42 console
-rwxrwxrwx 1 root sapdb 2088040 Feb 28 15:48 dbmsrv
-rwxrwxr-x 1 root sapdb 1806053 Feb 28 15:47 diagnose
-rwxrwxr-x 1 root sapdb 448402 Feb 28 15:48 dumpcomreg
-rwxrwxr-x 1 root sapdb 8475382 Feb 28 18:11 kernel
-rwxrwxrwx 1 root sapdb 4722216 Feb 28 18:17 lserver
-rwxrwxr-x 1 root sapdb 1032409 Feb 28 18:17 pu
-rwxrwxr-x 1 root sapdb 1453842 Feb 28 15:30 python
-rwxrwxr-x 1 root sapdb 46471 Feb 28 15:28 regcomp
-rwxrwxr-x 1 root sapdb 16389708 Feb 28 18:05 slowknl
-rwxrwxr-x 1 root sapdb 845869 Feb 28 18:16 sqlfilter
-rwxrwxr-x 1 root sapdb 20939 Feb 28 15:43 sysrc
-rwxrwxr-x 1 root sapdb 55138 Feb 28 15:56 tracesort
[EMAIL PROTECTED] pgm $ echo oops > kernel
sh: kernel: Permission denied
[EMAIL PROTECTED] pgm $ echo oops > lserver
[EMAIL PROTECTED] pgm $ echo oops I did it again > dbmsrv
[EMAIL PROTECTED] pgm $ cat lserver
oops
[EMAIL PROTECTED] pgm $ cat dbmsrv
oops I did it again

This appears to be caused by the RPM installation when it sets permissions

D: fini 100777 1 ( 0, 410) 2088040 /opt/sapdb/depend74/pgm/dbmsrv;3e7df5e7
D: fini 100777 1 ( 0, 410) 4722216 /opt/sapdb/depend74/pgm/lserver;3e7df5e7

Older rpm packages have the same issue. sapdb-ind-7.3.0.32-1.i386.rpm and
sapdb-srv-7.3.0.32-1.i386.rpm leave:

vegeta OLD # find /opt/sapdb/ -perm -0777
/opt/sapdb/depend/pgm/dbmsrv
/opt/sapdb/depend/pgm/lserver

If instead you installed from sapdb-all-linux-32bit-i386-7_4_3_14.tgz and
sapdb-webtools-linux-32bit-i386-7_4_3_10.tgz:

vegeta sapdb-all-linux-32bit-i386-7_4_3_14 # ./SDBINST
Installation of SAP DB Software
********************************
...
vegeta sapdb-all-linux-32bit-i386-7_4_3_14 # find /opt/sapdb -perm -0777 -print
/opt/sapdb/indep_data/wrk

you will note there are no world writable server binaries after a .tgz
install.

Patch or Workaround : chmod 755 /opt/sapdb/depend*/pgm/dbmsrv and
/opt/sapdb/depend*/pgm/lserver

SAP made it clear that normal users should not have local access to the
SAP server when I pointed out the last security issue. The same logic
applies here; however, this does not lessen the result of this problem.

Vendor Status : received only an email autoresponder
Bugtraq URL : to be assigned

------------------------------------------------------------------------
This advisory was released by Secure Network Operations, Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories. Contact [EMAIL PROTECTED] for information on how to
obtain exploit information.

------------------------------

End of this Digest
******************

--
Raj Mathur [EMAIL PROTECTED] http://kandalaya.org/
It is the mind that moves
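
A post-install check for the condition the advisory describes, added here as an example (it is not part of the original advisory or of SAP DB): it lists world-writable regular files under the install root and applies the advisory's chmod 755 to dbmsrv and lserver. The function names, the --audit switch and the sample tree are constructed for illustration; /opt/sapdb is the path shown in the advisory.

```shell
#!/bin/sh
# Added example: audit and repair world-writable SAP DB server binaries.

# List regular files under $1 that any local user can write to.
# -perm -0002 matches every mode with the other-write bit set, so it also
# reports modes such as 0776 that the advisory's -perm -0777 would not.
list_world_writable() {
    find "$1" -type f -perm -0002 -print | sort
}

# Apply the advisory's workaround (chmod 755) to dbmsrv and lserver in every
# depend*/pgm directory under $1. Prints each path whose mode was changed.
fix_server_binaries() {
    root=$1
    for f in "$root"/depend*/pgm/dbmsrv "$root"/depend*/pgm/lserver; do
        # Skip unmatched globs and symlinks (chmod would follow a symlink).
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        if [ -n "$(find "$f" -perm -0002 -print)" ]; then
            chmod 755 "$f" && printf '%s\n' "$f"
        fi
    done
}

# Return 0 when no world-writable regular file remains under $1.
verify_clean() {
    [ -z "$(list_world_writable "$1")" ]
}

# Build a constructed tree that mimics the RPM layout, so the functions can
# be tried without a SAP DB install. Prints the temporary root directory.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/depend74/pgm" "$root/indep_data/wrk"
    for name in dbmsrv lserver kernel; do
        printf 'stub\n' > "$root/depend74/pgm/$name"
    done
    chmod 777 "$root/depend74/pgm/dbmsrv" "$root/depend74/pgm/lserver"
    chmod 775 "$root/depend74/pgm/kernel"
    chmod 777 "$root/indep_data/wrk"   # a directory, as after the .tgz install
    printf '%s\n' "$root"
}

# Stand-alone use: sh thisfile --audit [install root]
if [ "${1:-}" = "--audit" ]; then
    list_world_writable "${2:-/opt/sapdb}"
fi
```

Correcting the mode does not undo a modification made while the file was writable, so follow the fix with `rpm -V` on the owning package to compare the installed files against the package database.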
