|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
[sec-adv] SAP DB Development Tools Installation Vulnerability
From: Secunia Security Advisories (sec-adv
secunia.com)
Date: Fri Apr 25 2003 - 14:38:09 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
TITLE:
SAP DB Development Tools Installation Vulnerability
READ ONLINE:
http://www.secunia.com/advisories/8665/
CRITICAL:
Less critical
IMPACT:
Privilege escalation
WHERE:
Local system
SOFTWARE:
SAP Development Tools
DESCRIPTION:
A vulnerability has been identified in SAP Development Tools, which
can be exploited by malicious, local users to escalate their
privileges on a vulnerable system.
After installation of the SAP Development Tools, two insecure suid
binaries ("/usr/DevTool/bin/instdbmsrv" and
"/usr/DevTool/bin/instlserver") are left on the system. The problem
is that both binaries chmod and chown a file as "root", where some of
the path to the file is specified in an environment variable
("$INSTROOT").
A malicious person can exploit this to escalate privileges to "root"
by creating a special file with a certain file name ("pgm/dbmsrv" or
"pgm/lserver"), place it in an arbitrary directory, and input the
path to the file in the environment variable used by the two
binaries. Afterwards one of the binaries can be executed, which will
change ownership of the speciel file to "root" and set the suid-bit.
Execution of the malicious user's file will now be with "root"
privileges.
SOLUTION:
The following fix has been suggested by the vendor:
http://listserv.sap.com/pipermail/sapdb.sources/2003-April/000142.html
REPORTED BY / CREDITS:
KF
ORIGINAL ADVISORY:
http://www.secnetops.com/research/advisories/SRT2003-04-22-1336.txt
----------------------------------------------------------------------
Secunia recommends that you verify all advisories you receive, by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
Contact details:
Web : http://www.secunia.com/
E-mail : support@secunia.com
Tel : +44 (0) 20 7016 2693
Fax : +44 (0) 20 7637 0419
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
----------------------------------------------------------------------
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]