RE: [VulnWatch] SAP DB priv. escalation/remote code execution

From: Rohit Dhamankar (rohitd_at_tippingpoint.com)
Date: 11/20/03

  • Next message: advisory_at_rapid7.com: "[VulnWatch] R7-0016: Sybase ASE 12.5 Remote Password Array Denial of Service"
    To: "'@stake Advisories '" <advisories@atstake.com>, "'vulnwatch@vulnwatch.org '" <vulnwatch@vulnwatch.org>
    Date: Wed, 19 Nov 2003 20:41:25 -0600
    
    

     
    There is a fat fingering error in the advisory regarding the port number
    the sapdbni72 process listens on. In the main advisory it is listed as TCP
    7629 whereas in the workarounds it is listed as 7269.
    The correct number according to SAP documentation seems to be tcp 7269.

    Rohit

    -----Original Message-----
    From: @stake Advisories
    To: vulnwatch@vulnwatch.org
    Sent: 11/17/2003 8:32 AM
    Subject: [VulnWatch] SAP DB priv. escalation/remote code execution

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

                                  @stake, Inc.
                                www.atstake.com

                               Security Advisory

    Advisory Name: SAP DB priv. escalation/remote code execution
     Release Date: 11/17/2003
      Application: SAP DB 7.4.03.27 (23-June-2003) and before
         Platform: Microsoft Windows NT4/2000/XP [1 and 2]
                   Linux (IA32) [2]
                   SUN Solaris [2]
                   HPUX [2]
                   Compaq True64 [2]
         Severity: local priv escalation to SYSTEM on Windows
                   potential remote code execution
          Authors: Ollie Whitehouse [ollie@atstake.com]
                   Dino Dai Zovi [ddaizovi@atstake.com]
    Vendor Status: Vendor has patches available
    CVE Candidate: CAN-2003-0938 - privilege gain via fake "NETAPI32.DLL"
                   CAN-2003-0939 - buffer overflow in niserver interface
        Reference: www.atstake.com/research/advisories/2003/a111703-1.txt

    Overview:

         SAP's (http://www.sapdb.org) open source database server
    is a project which is sponsored by SAP AG. The database server
    allows for a fast, flexible, high performance and easily administered
    deployment of an enterprise level database solution.

    There exists a number of vulnerabilities in the core SAPDB code that
    allow a local attacker on Windows machines to elevate privileges or
    remotely compromise the SAPDB server unauthenticated on Windows and
    other supported platforms.

    The vulnerabilities outlined below in the advisory are good examples
    of why functionality should be evaluated in terms of new
    vulnerabilities and risks they may introduce before being deployed in
    a production environment.

    Details:

    [1] Local Windows privilege escalation
    Credit: Ollie Whitehouse

    This is a common Windows (http://www.microsoft.com/windows/)
    programming error in the SAP DB core code. Located within
    '/V74_03_27/SAPDB_ORG/sys/src/os/vos24u.c' are the following lines
    of code:

         line 62: #define NET_API_DLL "NETAPI32.DLL"

         Then the following line allows exploitation

         line 143: hinst = LoadLibrary( NET_API_DLL );

    If an attacker has write access to the current working directory of
    the SAP DB (which is the default as SAP does not lock down the file
    permissions on WindowsNT) and can place a fake 'NETAPI32.DLL' SAPDB
    will search working directory first and thus load the fake
    'NETAPI32.DLL' and obtain system access.

    This vulnerability can be exploited via the 'SQLAT' stored procedure
    on SAP DB.

    [2] Remote unauthenticated buffer overflow in 'niserver' interface
    Credit: Dino Dai Zovi

    In the default installation of SAP DB, the 'niserver' (on Unix) or
    'serv.exe' (on Windows) process is listening on TCP port 7629
    (sapdbni72) running as root or LocalSystem. This interface is used
    by the SAP support team to connect to customer SAP installations.
    There is a buffer overflow in the code to extract strings from the
    variable-sized segment of the connect packet.

    The vulnerable code is in the function eo420_GetStringFromVarPart in
    /V74_03_27/SAPDB_ORG/sys/src/eo/veo420.c (all comments are @stake's):

      [Code segment from: eo/veo420.c]

      ulLength = pConnectPacket->ConnectLength -
                 ( sizeof (*pConnectPacket) -
                   sizeof (pConnectPacket->VarPart) );

      ulLength = MIN_EO420 ( ulLength, sizeof (pConnectPacket->VarPart)
                            );

      // @stake comment:
      // Items in variable-sized segment are stored:
      // [1-byte length] [1-byte type] [ data ... ]
      //
     
      for ( ulPos = 0;
            ulPos < ulLength;
            ulPos += pConnectPacket->VarPart[ulPos] & 0xff )
        {
        ...
        if ( pConnectPacket->VarPart[ulPos + 1] == StringID )
          {
          ...
          break;
          }
        }
      ...
      // @stake comment:
      // error checking code removed for brevity checked that declared
      // data length >= 2 and < MaxStringLen and that ulPos < ulLength.
      //
      // The string data from the packet is copied without regard to
      // destination string length leading to a buffer overflow.
      //
      strcpy (szString, (const char*)(pConnectPacket->VarPart + ulPos +
                         2));

    The variable-sized segment is limited to 256 bytes in length and the
    destination string buffer is a 256-byte char array. However, if a
    string in the variable-sized segment is the maximum length and not
    NULL-terminated, the strcpy will copy memory following the end of
    the received packet, overrunning the bounds of the destination
    buffer leading to potential remote code execution.

    Vendor Response:

         @stake have contacted the vendor multiple times during
    September 2003. Below is the time line of the communication:

         03-Sep-2003: @stake informs vendor
         07-Nov-2003: SAP releases version 7.4.03.30 which fixes
                         all of the @stake reported vulnerabilities.
         17-Nov-2003: Release

    The vendor has patches and a new version available.

    - From the vendor release notes:
    http://www.sapdb.org/7.4/new_relinfo.txt

    PTS: 1124004 since: 7.4.03.30

        Bug fixed:
            SECURITY
            1) Preconditions and circumstances
            This is a security fix. It protects against potential
            buffer overflow using a specialized 'intrusion' program,
            that could
            execute code an behalf of the owner of 'niserver' or
            'x_server'.
            The possible attack position is inside common used code
            shared between all platforms.
            2) Probability that the error occurs
            low (no such program was ever known off, but the code would
            allow to write it...). If such a program was written: 100%
            3) Solution to the problem
            The copy routines is modified to check the string for being
            correctly terminated by a zero byte. If not the connection
            packet is rejected.
            4) Visibility
            it depends on the action taken by the intruders coding...
            5) Workaround
            none

    Recommendation:

            If you are running on the Windows platform make sure that the
    permissions for the SAP DB working directory are set so that only
    administrators have write access. This is not the default.

            On all platforms port 7269 should be filtered by a network
    or host based firewall to only allow those machines that need to
    connect to the niserver service to connect.

            Enterprises should look to upgrade to the lastest version
    of SAP DB which fixes these vulnerabilities, version 7.4.03.30. It is
    avaliable at:

    http://www.sapdb.org/7.4/sap_db_software.htm

    Common Vulnerabilities and Exposures (CVE) Information:

    The Common Vulnerabilities and Exposures (CVE) project has assigned
    the following names to these issues. These are candidates for
    inclusion in the CVE list (http://cve.mitre.org), which standardizes
    names for security problems.

      CAN-2003-0938 - privilege gain via fake "NETAPI32.DLL"
      CAN-2003-0939 - buffer overflow in niserver interface

    @stake Vulnerability Reporting Policy:
    http://www.atstake.com/research/policy/

    @stake Advisory Archive:
    http://www.atstake.com/research/advisories/

    PGP Key:
    http://www.atstake.com/research/pgp_key.asc

    @stake is currently seeking application security experts to fill
    several consulting positions. Applicants should have strong
    application development skills and be able to perform application
    security design reviews, code reviews, and application penetration
    testing. Please send resumes to jobs@atstake.com.

    Copyright 2003 @stake, Inc. All rights reserved.

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.0

    iQA/AwUBP7jbkke9kNIfAm4yEQIvXgCfczpv41Jf32t2U+1Vlbtpgz4U/F4AoMEx
    Wi/q4hKhWsk6U1vk9bQXZyqP
    =fJ8L
    -----END PGP SIGNATURE-----


  • Next message: advisory_at_rapid7.com: "[VulnWatch] R7-0016: Sybase ASE 12.5 Remote Password Array Denial of Service"