97270 2003-04-01  01:14  /5 lines/ KF <dotslash@snosoft.com>
Imported: 2003-04-01  01:14  by Brevbäraren
External recipient: bugtraq@securityfocus.com
External recipient: full-disclosure@lists.netsys.com
Recipient: Bugtraq (import) <4261>
Subject: SRT2003-03-31-1219 - SAP world writable server binaries
------------------------------------------------------------
This data will be available at http://www.secnetops.biz/research/
shortly.
-KF
(97270) /KF <dotslash@snosoft.com>/-------(Reformatted)
Attachment (text/plain) in text 97271
97271 2003-04-01  01:14  /134 lines/ KF <dotslash@snosoft.com>
Attachment filename: "SRT2003-03-31-1219.txt"
Imported: 2003-04-01  01:14  by Brevbäraren
External recipient: bugtraq@securityfocus.com
External recipient: full-disclosure@lists.netsys.com
Recipient: Bugtraq (import) <4262>
Attachment (text/plain) to text 97270
Subject: Attachment (SRT2003-03-31-1219.txt) to: SRT2003-03-31-1219 - SAP world writable server binaries
------------------------------------------------------------
Secure Network Operations, Inc.           http://www.secnetops.com
Strategic Reconnaissance Team	            research@secnetops.com
Team Lead Contact		                  kf@secnetops.com
Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion
Detection Systems (IDS), Software Security Validation, and
Corporate/Private Network Security. Our mission is to facilitate a
secure and reliable Internet and inter-enterprise communications
infrastructure through the products and services we offer.
Quick Summary:
************************************************************************
Advisory Number		: SRT2003-03-31-1219
Product			: SAP DB
Version			: Version 7.x (RPM Install)
Vendor			: sapdb.org
Class			: local
Criticality             : Medium 
Operating System(s)	: Linux (other unix based?)
High Level Explanation
************************************************************************
High Level Description	: File permissions of 777 on server executables
What to do		: chmod 755 on vulnerable binaries 
Technical Details
************************************************************************
Proof Of Concept Status : No PoC needed for this issue.
Low Level Description	: RPM install leaves world writable lserver and dbmsrv
Leaving world writable files around has obvious repercussions.
Download the latest SAP rpm packages from:
http://www.sapdb.org/7.4/rpm_linux.htm
Login as root and install the rpms
vegeta SAP # rpm -ivh *rpm --nodeps
Preparing...                ########################################### [100%]
   1:sapdb-ind              ########################################### [14%]
   2:sapdb-srv74            ########################################### [28%]
   3:sapdb-callif           ########################################### [42%]
   4:sapdb-precompiler      ########################################### [57%]
   5:sapdb-scriptif         ########################################### [71%]
   6:sapdb-testdb74         ########################################### [85%]
   7:sapdb-web              ########################################### [100%]
Login as normal user and locate world writable binaries
nobody@vegeta / $ id
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
nobody@vegeta / $ find /opt/sapdb/ -perm -0777
/opt/sapdb/depend74/pgm/dbmsrv
/opt/sapdb/depend74/pgm/lserver
Verify sanity
nobody@vegeta / $ cd /opt/sapdb/depend74/pgm/
nobody@vegeta pgm $ ls -al
total 36912
drwxrwxr-x    2 root     sapdb        4096 Mar 23 12:59 .
drwxrwxr-x   10 root     sapdb        4096 Mar 23 12:59 ..
-rwxrwxr-x    1 root     sapdb      297555 Feb 28 15:42 console
-rwxrwxrwx    1 root     sapdb     2088040 Feb 28 15:48 dbmsrv
-rwxrwxr-x    1 root     sapdb     1806053 Feb 28 15:47 diagnose
-rwxrwxr-x    1 root     sapdb      448402 Feb 28 15:48 dumpcomreg
-rwxrwxr-x    1 root     sapdb     8475382 Feb 28 18:11 kernel
-rwxrwxrwx    1 root     sapdb     4722216 Feb 28 18:17 lserver
-rwxrwxr-x    1 root     sapdb     1032409 Feb 28 18:17 pu
-rwxrwxr-x    1 root     sapdb     1453842 Feb 28 15:30 python
-rwxrwxr-x    1 root     sapdb       46471 Feb 28 15:28 regcomp
-rwxrwxr-x    1 root     sapdb    16389708 Feb 28 18:05 slowknl
-rwxrwxr-x    1 root     sapdb      845869 Feb 28 18:16 sqlfilter
-rwxrwxr-x    1 root     sapdb       20939 Feb 28 15:43 sysrc
-rwxrwxr-x    1 root     sapdb       55138 Feb 28 15:56 tracesort
nobody@vegeta pgm $ echo oops > kernel
sh: kernel: Permission denied
nobody@vegeta pgm $ echo oops > lserver
nobody@vegeta pgm $ echo oops I did it again > dbmsrv
nobody@vegeta pgm $ cat lserver
oops
nobody@vegeta pgm $ cat dbmsrv
oops I did it again
This appears to be caused by the RPM installation when it sets
permissions:
D: fini      100777  1 (   0, 410)   2088040 /opt/sapdb/depend74/pgm/dbmsrv;3e7df5e7
D: fini      100777  1 (   0, 410)   4722216 /opt/sapdb/depend74/pgm/lserver;3e7df5e7
Older rpm packages have the same issue: sapdb-ind-7.3.0.32-1.i386.rpm
and sapdb-srv-7.3.0.32-1.i386.rpm leave:
vegeta OLD # find /opt/sapdb/ -perm -0777
/opt/sapdb/depend/pgm/dbmsrv
/opt/sapdb/depend/pgm/lserver
If instead you installed from sapdb-all-linux-32bit-i386-7_4_3_14.tgz
and sapdb-webtools-linux-32bit-i386-7_4_3_10.tgz:
vegeta sapdb-all-linux-32bit-i386-7_4_3_14 # ./SDBINST
        Installation of SAP DB Software
        ********************************
...
vegeta sapdb-all-linux-32bit-i386-7_4_3_14 # find /opt/sapdb -perm -0777 -print
/opt/sapdb/indep_data/wrk
you will note there are no world writable server binaries after a
.tgz install.
Patch or Workaround	: chmod 755 /opt/sapdb/depend*/pgm/dbmsrv and /opt/sapdb/depend*/pgm/lserver
SAP made it clear that normal users should not have local access to
the SAP server when I pointed out the last security issue. The same
logic applies here; however, this does not lessen the result of this
problem.
Vendor Status		: received only an email autoresponder
Bugtraq URL		: to be assigned
------------------------------------------------------------------------
This advisory was released by Secure Network Operations, Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories. Contact research@secnetops.com for information on how
to obtain exploit information.
(97271) /KF <dotslash@snosoft.com>/-------(Reformatted)
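
An added example, not part of the original advisory or of SAP DB's own tooling: a shell audit for the permission problem described above. It goes beyond the advisory's find -perm -0777 by matching on the "other write" bit alone (-perm -0002), so files that are world writable without being mode 0777 are also reported, and it applies the advisory's chmod 755 workaround. The function names, the temporary sample tree and the sample766 file are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): audit an install tree for
# world-writable regular files and apply the advisory's chmod 755 workaround.

# Print every regular file under $1 whose "other write" bit is set.
# -perm -0002 also catches modes such as 0766 that -perm -0777 misses.
list_world_writable() {
    find "$1" -xdev -type f -perm -0002 -print | sort
}

# Apply mode $2 (default 755, the advisory's workaround) to each hit under $1.
fix_world_writable() {
    list_world_writable "$1" | while IFS= read -r f; do
        chmod "${2:-755}" "$f" && printf 'chmod %s %s\n' "${2:-755}" "$f"
    done
}

# Build a constructed sample tree that mirrors the layout in the advisory.
# The files are empty placeholders, not SAP DB binaries.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/depend74/pgm"
    for name in kernel dbmsrv lserver sample766; do
        : > "$root/depend74/pgm/$name"
    done
    chmod 775 "$root/depend74/pgm/kernel"
    chmod 777 "$root/depend74/pgm/dbmsrv" "$root/depend74/pgm/lserver"
    chmod 766 "$root/depend74/pgm/sample766"   # constructed: writable, not 0777
    printf '%s\n' "$root"
}

# Stand-alone run against the constructed tree.
tree=$(make_sample_tree)
echo "world-writable before fix:"
list_world_writable "$tree"
fix_world_writable "$tree"
echo "world-writable after fix: $(list_world_writable "$tree" | wc -l)"
rm -rf "$tree"
```

On a real host, point list_world_writable at /opt/sapdb and review the list before running fix_world_writable.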