[Full-Disclosure] SRT2003-03-31-1219 - SAP world writable server binaries

From: KF (dotslash@snosoft.com)
Date: 03/31/03

    From: KF <dotslash@snosoft.com>
    To: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com
    Date: Mon, 31 Mar 2003 07:33:48 -0500
    

    This data will be available at http://www.secnetops.biz/research/ shortly.

    -KF

    
    

    Secure Network Operations, Inc. http://www.secnetops.com
    Strategic Reconnaissance Team research@secnetops.com
    Team Lead Contact kf@secnetops.com

    Our Mission:
    ************************************************************************
    Secure Network Operations offers expertise in Networking, Intrusion
    Detection Systems (IDS), Software Security Validation, and
    Corporate/Private Network Security. Our mission is to facilitate a
    secure and reliable Internet and inter-enterprise communications
    infrastructure through the products and services we offer.

    Quick Summary:
    ************************************************************************
    Advisory Number : SRT2003-03-31-1219
    Product : SAP DB
    Version : Version 7.x (RPM Install)
    Vendor : sapdb.org
    Class : local
    Criticality : Medium
    Operating System(s) : Linux (other unix based?)

    High Level Explanation
    ************************************************************************
    High Level Description : File permissions of 777 on server executables
    What to do : chmod 755 on vulnerable binaries

    Technical Details
    ************************************************************************
    Proof Of Concept Status : No PoC needed for this issue.
    Low Level Description : RPM install leaves world writable lserver and dbmsrv

    Leaving world writable files around has obvious repercussions.

    Download the latest SAP rpm packages from:
    http://www.sapdb.org/7.4/rpm_linux.htm

    Log in as root and install the rpms

    vegeta SAP # rpm -ivh *rpm --nodeps
    Preparing... ########################################### [100%]
       1:sapdb-ind ########################################### [14%]
       2:sapdb-srv74 ########################################### [28%]
       3:sapdb-callif ########################################### [42%]
       4:sapdb-precompiler ########################################### [57%]
       5:sapdb-scriptif ########################################### [71%]
       6:sapdb-testdb74 ########################################### [85%]
       7:sapdb-web ########################################### [100%]

    Log in as a normal user and locate world writable binaries

    nobody@vegeta / $ id
    uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)

    nobody@vegeta / $ find /opt/sapdb/ -perm -0777
    /opt/sapdb/depend74/pgm/dbmsrv
    /opt/sapdb/depend74/pgm/lserver

    Verify sanity

    nobody@vegeta / $ cd /opt/sapdb/depend74/pgm/
    nobody@vegeta pgm $ ls -al
    total 36912
    drwxrwxr-x 2 root sapdb 4096 Mar 23 12:59 .
    drwxrwxr-x 10 root sapdb 4096 Mar 23 12:59 ..
    -rwxrwxr-x 1 root sapdb 297555 Feb 28 15:42 console
    -rwxrwxrwx 1 root sapdb 2088040 Feb 28 15:48 dbmsrv
    -rwxrwxr-x 1 root sapdb 1806053 Feb 28 15:47 diagnose
    -rwxrwxr-x 1 root sapdb 448402 Feb 28 15:48 dumpcomreg
    -rwxrwxr-x 1 root sapdb 8475382 Feb 28 18:11 kernel
    -rwxrwxrwx 1 root sapdb 4722216 Feb 28 18:17 lserver
    -rwxrwxr-x 1 root sapdb 1032409 Feb 28 18:17 pu
    -rwxrwxr-x 1 root sapdb 1453842 Feb 28 15:30 python
    -rwxrwxr-x 1 root sapdb 46471 Feb 28 15:28 regcomp
    -rwxrwxr-x 1 root sapdb 16389708 Feb 28 18:05 slowknl
    -rwxrwxr-x 1 root sapdb 845869 Feb 28 18:16 sqlfilter
    -rwxrwxr-x 1 root sapdb 20939 Feb 28 15:43 sysrc
    -rwxrwxr-x 1 root sapdb 55138 Feb 28 15:56 tracesort

    nobody@vegeta pgm $ echo oops > kernel
    sh: kernel: Permission denied
    nobody@vegeta pgm $ echo oops > lserver
    nobody@vegeta pgm $ echo oops I did it again > dbmsrv
    nobody@vegeta pgm $ cat lserver
    oops
    nobody@vegeta pgm $ cat dbmsrv
    oops I did it again

    This appears to be caused by the RPM installation when it sets permissions

    D: fini 100777 1 ( 0, 410) 2088040 /opt/sapdb/depend74/pgm/dbmsrv;3e7df5e7
    D: fini 100777 1 ( 0, 410) 4722216 /opt/sapdb/depend74/pgm/lserver;3e7df5e7

    Older rpm packages have the same issue sapdb-ind-7.3.0.32-1.i386.rpm and
    sapdb-srv-7.3.0.32-1.i386.rpm leave:

    vegeta OLD # find /opt/sapdb/ -perm -0777
    /opt/sapdb/depend/pgm/dbmsrv
    /opt/sapdb/depend/pgm/lserver

    If instead you installed from sapdb-all-linux-32bit-i386-7_4_3_14.tgz and
    sapdb-webtools-linux-32bit-i386-7_4_3_10.tgz:

    vegeta sapdb-all-linux-32bit-i386-7_4_3_14 # ./SDBINST
            Installation of SAP DB Software
            ********************************
    ...

    vegeta sapdb-all-linux-32bit-i386-7_4_3_14 # find /opt/sapdb -perm -0777 -print
    /opt/sapdb/indep_data/wrk

    you will note there are no world writable server binaries after a .tgz install.

    Patch or Workaround : chmod 755 /opt/sapdb/depend*/pgm/dbmsrv and /opt/sapdb/depend*/pgm/lserver

    SAP made it clear that normal users should not have local access to the SAP server when I
    pointed out the last security issue. The same logic applies here; however, this does not lessen
    the result of this problem.

    Vendor Status : received only an email autoresponder
    Bugtraq URL : to be assigned

    ------------------------------------------------------------------------
    This advisory was released by Secure Network Operations, Inc. as a matter
    of notification to help administrators protect their networks against
    the described vulnerability. Exploit source code is no longer released
    in our advisories. Contact research@secnetops.com for information on how
    to obtain exploit information.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
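
Added example (not part of the original advisory and not SAP DB tooling): a shell audit that generalizes the advisory's `find -perm -0777` check to any regular file with the other-write bit set, and removes only that bit rather than applying the advisory's chmod 755. The sample tree, the `helper` file and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit and fix world-writable files under an install tree.

# Print every regular file under $1 that "other" may write to.
# -perm -0002 matches any mode with the other-write bit set (0777, 0757,
# 0666, ...); -perm -0777 as used in the advisory matches only modes with
# all nine permission bits set, so it would miss a 0757 binary.
audit_world_writable() {
    find "$1" -xdev -type f -perm -0002 -print | sort
}

# Remove only the other-write bit from each flagged regular file.
# Owner/group bits stay as installed, so a 0777 binary becomes 0775,
# matching its siblings in the advisory's ls listing. Directories such as
# indep_data/wrk are left alone and need a separate decision.
fix_world_writable() {
    find "$1" -xdev -type f -perm -0002 -exec chmod o-w {} +
}

# Constructed sample tree loosely mirroring the advisory's pgm directory.
# "helper" (0757) is a made-up file that shows what -perm -0777 would miss.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/pgm" "$d/wrk"
    for f in kernel dbmsrv lserver helper; do : > "$d/pgm/$f"; done
    chmod 775 "$d/pgm/kernel"
    chmod 777 "$d/pgm/dbmsrv" "$d/pgm/lserver"
    chmod 757 "$d/pgm/helper"
    chmod 777 "$d/wrk"
    printf '%s\n' "$d"
}

# Demo run against the constructed tree only.
tree=$(make_sample_tree)
echo "world-writable files before fix:"
audit_world_writable "$tree"
fix_world_writable "$tree"
echo "world-writable files after fix:"
audit_world_writable "$tree"
rm -rf "$tree"
```

On an installed system, call `audit_world_writable /opt/sapdb`. A binary that was world writable may already have been overwritten, so compare it against the package contents (for example with `rpm -V`) before trusting it.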

