[NEWS] SAP DB Privilege Escalation/Remote Code Execution
From: SecuriTeam (support_at_securiteam.com)
Date: 11/17/03
To: list@securiteam.com Date: 17 Nov 2003 18:07:34 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
SAP DB Privilege Escalation/Remote Code Execution
------------------------------------------------------------------------
SUMMARY
SAP DB (http://www.sapdb.org) is SAP's open source database server, a project
sponsored by SAP AG. The database server allows for a fast, flexible, high
performance and easily administered deployment of an enterprise level
database solution.
There exist a number of vulnerabilities in the core SAP DB code that allow a
local attacker on Windows machines to elevate privileges, or allow a remote,
unauthenticated attacker to compromise the SAP DB server on Windows and other
supported platforms.
The vulnerabilities outlined below in the advisory are good examples of
why functionality should be evaluated in terms of new vulnerabilities and
risks they may introduce before being deployed in a production
environment.
DETAILS
Vulnerable systems:
* SAP DB versions prior to 7.4.03.30
Immune systems:
* SAP DB version 7.4.03.30
Local Windows privilege escalation
This is a common Windows (http://www.microsoft.com/windows/) programming error
in the SAP DB core code. Located within
'/V74_03_27/SAPDB_ORG/sys/src/os/vos24u.c' are the following lines of code:
line 62: #define NET_API_DLL "NETAPI32.DLL"
Then the following line allows exploitation
line 143: hinst = LoadLibrary( NET_API_DLL );
LoadLibrary is called with a bare file name, so Windows searches the process's
current working directory before the system directory. If an attacker has
write access to the current working directory of the SAP DB process (which is
the default, as SAP does not lock down the file permissions on Windows NT) and
can place a fake 'NETAPI32.DLL' there, SAP DB will find and load the fake
'NETAPI32.DLL' first, and the attacker's code runs with the privileges of the
SAP DB process (LocalSystem).
This vulnerability can be triggered via the 'SQLAT' stored procedure on
SAP DB.
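The remediation for this class of bug is to never let the loader search the working directory for a system DLL: resolve the module to a fully qualified path under the system directory and load that. The following C example is added here to illustrate that fix; it is not code from the SAP DB project or the @stake advisory. The function names (is_bare_module_name, build_system_module_path, load_system_dll) and the sample system directory string are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Vulnerable pattern from the advisory (for comparison only, not called here):
 *     hinst = LoadLibrary( "NETAPI32.DLL" );
 * A bare name lets the loader consult the current working directory. */

/* Returns 1 if name is a bare module file name with no path components,
 * so it cannot redirect the load outside the directory we prepend. */
int is_bare_module_name(const char *name)
{
    if (name == NULL || *name == '\0') return 0;
    if (strchr(name, '\\') || strchr(name, '/') || strchr(name, ':')) return 0;
    if (strstr(name, "..")) return 0;
    return 1;
}

/* Builds "<sysdir>\<name>" into out with bounds checking.
 * sysdir is the system directory the caller obtained from the OS
 * (GetSystemDirectory on Windows). Returns 1 on success, 0 on failure. */
int build_system_module_path(char *out, size_t out_size,
                             const char *sysdir, const char *name)
{
    size_t sl, nl;
    if (!is_bare_module_name(name) || sysdir == NULL || *sysdir == '\0')
        return 0;
    sl = strlen(sysdir);
    nl = strlen(name);
    /* sysdir + optional '\' + name + terminating NUL must fit */
    if (sl + 1 + nl + 1 > out_size) return 0;
    memcpy(out, sysdir, sl);
    if (sysdir[sl - 1] != '\\') out[sl++] = '\\';
    memcpy(out + sl, name, nl + 1);
    return 1;
}

#ifdef _WIN32
/* Loads a DLL by fully qualified path from the system directory, so the
 * process working directory is never part of the search. */
HMODULE load_system_dll(const char *name)
{
    char sysdir[MAX_PATH], path[MAX_PATH];
    UINT n = GetSystemDirectoryA(sysdir, sizeof sysdir);
    if (n == 0 || n >= sizeof sysdir) return NULL;
    if (!build_system_module_path(path, sizeof path, sysdir, name)) return NULL;
    return LoadLibraryExA(path, NULL, 0);
}
#endif

int main(void)
{
    char path[260];
    /* constructed sample system directory; on Windows use GetSystemDirectory */
    const char *sample_sysdir = "C:\\Windows\\System32";
    if (build_system_module_path(path, sizeof path, sample_sysdir, "NETAPI32.DLL"))
        printf("would load: %s\n", path);
    if (!build_system_module_path(path, sizeof path, sample_sysdir, "..\\NETAPI32.DLL"))
        printf("rejected module name containing a path component\n");
#ifdef _WIN32
    printf("load_system_dll: %s\n", load_system_dll("NETAPI32.DLL") ? "ok" : "failed");
#endif
    return 0;
}
```

On current Windows versions the same effect can also be obtained with LoadLibraryEx and the LOAD_LIBRARY_SEARCH_SYSTEM32 flag; the fully qualified path shown above works on the older systems the advisory targets as well. The path-building logic is portable and is what the accompanying checks exercise; the actual load only compiles on Windows.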
Remote unauthenticated buffer overflow in 'niserver' interface
In the default installation of SAP DB, the 'niserver' (on UNIX) or
'serv.exe' (on Windows) process is listening on TCP port 7629 (sapdbni72)
running as root or LocalSystem. This interface is used by the SAP support
team to connect to customer SAP installations.
There is a buffer overflow in the code to extract strings from the
variable-sized segment of the connect packet.
The vulnerable code is in the function eo420_GetStringFromVarPart in
/V74_03_27/SAPDB_ORG/sys/src/eo/veo420.c (all comments are @stake's):
[Code segment from: eo/veo420.c]
    ulLength = pConnectPacket->ConnectLength -
               ( sizeof (*pConnectPacket) - sizeof (pConnectPacket->VarPart) );
    ulLength = MIN_EO420 ( ulLength, sizeof (pConnectPacket->VarPart) );

    // @stake comment:
    // Items in the variable-sized segment are stored as:
    //   [1-byte length] [1-byte type] [ data ... ]
    //
    for ( ulPos = 0;
          ulPos < ulLength;
          ulPos += pConnectPacket->VarPart[ulPos] & 0xff )
    {
        ...
        if ( pConnectPacket->VarPart[ulPos + 1] == StringID )
        {
            ...
            break;
        }
    }
    ...
    // @stake comment:
    // Error-checking code (removed for brevity) checked that the declared
    // data length was >= 2 and < MaxStringLen and that ulPos < ulLength.
    //
    // The string data from the packet is copied without regard to the
    // destination string length, leading to a buffer overflow.
    //
    strcpy (szString, (const char*)(pConnectPacket->VarPart + ulPos + 2));
The variable-sized segment is limited to 256 bytes in length and the
destination string buffer is a 256-byte char array. However, if a string in
the variable-sized segment is of the maximum length and not NULL-terminated,
strcpy has no terminator to stop at and keeps copying memory that follows the
end of the received packet, overrunning the bounds of the destination buffer
and leading to potential remote code execution.
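The vendor's fix, as described in the release notes quoted below, is to verify that the string inside the item is terminated by a zero byte and to reject the connect packet otherwise. The following C example is added here to show a hardened version of that extraction routine together with a constructed packet builder; it is not code from SAP DB or from @stake. The struct layout (a ConnectLength header followed by a 256-byte VarPart), the item format [length][type][data...] and the status codes are reconstructed from the advisory's description, and the function names and item type values are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VARPART_MAX    256   /* segment limit stated in the advisory */
#define MAX_STRING_LEN 256   /* destination buffer size stated in the advisory */

/* Constructed mock of the connect packet: header field + variable segment. */
typedef struct {
    uint32_t ConnectLength;          /* total packet length as declared by peer */
    uint8_t  VarPart[VARPART_MAX];   /* [1-byte len][1-byte type][data...] items */
} ConnectPacket;

typedef enum {
    VP_OK = 0,
    VP_NOT_FOUND,
    VP_BAD_ITEM,      /* declared length < 2, or item runs past the segment */
    VP_UNTERMINATED,  /* no zero byte inside the item's data: reject packet */
    VP_TOO_LONG       /* string would not fit the destination buffer */
} VpStatus;

/* Hardened extraction: every bound derives from what was actually received,
 * and the copy happens only when a terminator exists inside the item. */
VpStatus get_string_from_varpart(const ConnectPacket *pkt, size_t received_len,
                                 uint8_t string_id, char *dst, size_t dst_size)
{
    size_t ulLength, ulPos;

    /* Never trust ConnectLength beyond the bytes the socket delivered. */
    if (received_len < offsetof(ConnectPacket, VarPart) ||
        pkt->ConnectLength > received_len ||
        pkt->ConnectLength < offsetof(ConnectPacket, VarPart))
        return VP_BAD_ITEM;
    ulLength = pkt->ConnectLength - offsetof(ConnectPacket, VarPart);
    if (ulLength > VARPART_MAX) ulLength = VARPART_MAX;

    for (ulPos = 0; ulPos + 2 <= ulLength; ) {
        size_t item_len = pkt->VarPart[ulPos];
        if (item_len < 2 || ulPos + item_len > ulLength)
            return VP_BAD_ITEM;   /* also stops a zero length from looping forever */
        if (pkt->VarPart[ulPos + 1] == string_id) {
            const uint8_t *data = pkt->VarPart + ulPos + 2;
            size_t data_len = item_len - 2;
            const void *nul = memchr(data, 0, data_len);
            size_t slen;
            if (nul == NULL)
                return VP_UNTERMINATED;        /* the vendor's check */
            slen = (size_t)((const uint8_t *)nul - data);
            if (slen >= dst_size || slen >= MAX_STRING_LEN)
                return VP_TOO_LONG;
            memcpy(dst, data, slen + 1);       /* bounded copy incl. NUL */
            return VP_OK;
        }
        ulPos += item_len;
    }
    return VP_NOT_FOUND;
}

/* Builds a constructed packet holding one item; returns bytes "received". */
size_t make_packet(ConnectPacket *pkt, uint8_t type, const char *payload,
                   size_t payload_len, int add_nul)
{
    size_t data_len = payload_len + (add_nul ? 1 : 0);
    if (data_len + 2 > 255) return 0;          /* item length is one byte */
    memset(pkt, 0, sizeof *pkt);
    pkt->VarPart[0] = (uint8_t)(data_len + 2);
    pkt->VarPart[1] = type;
    memcpy(pkt->VarPart + 2, payload, payload_len);
    pkt->ConnectLength = (uint32_t)(offsetof(ConnectPacket, VarPart) + data_len + 2);
    return pkt->ConnectLength;
}

int main(void)
{
    ConnectPacket p;
    char out[MAX_STRING_LEN];
    char big[253];
    size_t n;

    n = make_packet(&p, 0x11, "dbuser", 6, 1);
    printf("terminated item -> %d (%s)\n",
           get_string_from_varpart(&p, n, 0x11, out, sizeof out), out);

    memset(big, 'A', sizeof big);              /* maximum-length, no NUL */
    n = make_packet(&p, 0x11, big, sizeof big, 0);
    printf("unterminated max-length item -> %d (packet rejected)\n",
           get_string_from_varpart(&p, n, 0x11, out, sizeof out));
    return 0;
}
```

The important property is that the copy length comes from memchr over the item's own bytes rather than from strcpy's search for a terminator, so a maximum-length item without a zero byte yields VP_UNTERMINATED instead of a read past the packet and a write past szString.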
Vendor Response:
@stake has contacted the vendor multiple times during September 2003.
Below is the time line of the communication:
03-Sep-2003: @stake informs vendor
07-Nov-2003: SAP releases version 7.4.03.30 which fixes all of the
@stake reported vulnerabilities.
17-Nov-2003: Release
The vendor has patches and a new version available.
From the vendor release notes (http://www.sapdb.org/7.4/new_relinfo.txt):
PTS: 1124004 since: 7.4.03.30
Bug fixed:
SECURITY
1) Preconditions and circumstances
This is a security fix. It protects against potential buffer overflow
using a specialized 'intrusion' program that could execute code on behalf
of the owner of 'niserver' or 'x_server'. The possible attack position is
inside commonly used code shared between all platforms.
2) Probability that the error occurs
Low (no such program was ever known of, but the code would allow writing
it...). If such a program was written: 100%
3) Solution to the problem
The copy routines are modified to check the string for being correctly
terminated by a zero byte. If not the connection packet is rejected.
4) Visibility
It depends on the action taken by the intruder's coding...
5) Workaround
none
Recommendation:
If you are running on the Windows platform make sure that the permissions
for the SAP DB working directory are set so that only administrators have
write access. This is not the default.
On all platforms port 7269 should be filtered by a network- or host-based
firewall so that only those machines that need to connect to the niserver
service are allowed to connect.
Enterprises should look to upgrade to the latest version of SAP DB, version
7.4.03.30, which fixes these vulnerabilities. It is available at:
http://www.sapdb.org/7.4/sap_db_software.htm
ADDITIONAL INFORMATION
The original advisory can be downloaded from:
http://www.atstake.com/research/advisories/2003/a111703-1.txt
The information has been provided by Ollie Whitehouse and Dino Dai Zovi of
@Stake.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.