[UNIX] SAP MaxDB sdbstarter Privilege Escalation Vulnerability

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



SAP MaxDB sdbstarter Privilege Escalation Vulnerability
------------------------------------------------------------------------


SUMMARY

SAP's <https://www.sdn.sap.com/irj/sdn/maxdb> MaxDB is "a database
software product. MaxDB was released as open source from version 7.5 up to
version 7.6.00. Later versions are no longer open source but are available
for download from the SAP SDN website (sdn.sap.com) as a community edition
with free community support for public use beyond the scope of SAP
applications. The "sdbstarter" program is set-uid root and installed by
default". Local exploitation of a design error in the "sdbstarter"
program, as distributed with SAP AG's MaxDB, could allow attackers to
elevate privileges to root.

DETAILS

Vulnerable Systems:
* SAP AG's MaxDB version 7.6.0.37

This vulnerability exists due to a design error in the handling of certain
environment variables. These variables are used to specify the
configuration settings to be used by various MaxDB components. Since the
"sdbstarter" program honors these settings, an attacker can execute
arbitrary code with root privileges.

Analysis:
Exploitation allows an attacker to execute arbitrary code with root
privileges. To exploit this vulnerability, an attacker must be able to
execute the "sdbstarter" program. In a default installation, this requires
that the attacker be a member of the "sdba" group.

It is important to note that this vulnerability is not architecture
dependent. This vulnerability is trivially exploitable on any
Unix-based SAP MaxDB installation.

Vendor response:
SAP AG has addressed this vulnerability by releasing a new version of
MaxDB. For more information, consult SAP note 1140135.

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0306>
CVE-2008-0306

Disclosure timeline:
12/05/2007 - Initial vendor notification
12/06/2007 - Initial vendor response
03/10/2008 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDefense Labs.
The original article can be found at:
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=670>
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=670



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages