[SA10251] SAP DB Multiple Vulnerabilities
From: Secunia Security Advisories (sec-adv@secunia.com)
Date: Tue Nov 18 2003 - 09:40:33 CST
TITLE:
SAP DB Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA10251
VERIFY ADVISORY:
http://www.secunia.com/advisories/10251/
CRITICAL:
Moderately critical
IMPACT:
Hijacking, Security Bypass, Exposure of system information, Exposure
of sensitive information, Privilege escalation
WHERE:
From remote
SOFTWARE:
SAP DB 7.x
DESCRIPTION:
Multiple vulnerabilities have been reported in SAP DB, which can be
exploited by malicious users to perform a variety of attacks.
1) The file "NETAPI32.DLL" is loaded insecurely with "LoadLibrary()".
This can be exploited by a malicious, local user to execute arbitrary
code with escalated privileges by placing a malicious "NETAPI32.DLL"
file in the current working directory.
Successful exploitation requires that the user has write access on
the current working directory.
This vulnerability affects Windows systems only.
2) A boundary error in the "niserver" interface when extracting
strings from connect packets can be exploited to cause a buffer
overflow. This can be exploited by sending a specially crafted
packet, which potentially may allow execution of arbitrary code.
3) An input validation error in the web-tools component can be
exploited to conduct directory traversal attacks, which allows
retrieval of arbitrary files.
4) Any user with access to web-tools can access Web Agent
Administration pages directly without prior authentication. This can
be exploited to configure a wide range of options.
5) A boundary error in the Web Agent Administration service can be
exploited to cause a buffer overflow by supplying an overly long
string to a parameter. Successful exploitation may allow execution of
arbitrary code.
6) Errors in various services within Web Agent can be exploited to
cause buffer overflows and connect to databases not publicly
accessible.
7) The Web Database Manager generates predictable session IDs and
includes them in URLs.
SOLUTION:
Update to version 7.4.03.30.
http://www.sapdb.org/7.4/sap_db_software.htm
REPORTED BY / CREDITS:
Ollie Whitehouse and Dino Dai Zovi, @stake.
ORIGINAL ADVISORY:
SAP DB Privilege Escalation/Remote Code Execution
http://www.atstake.com/research/advisories/2003/a111703-1.txt
Multiple Issues with SAP DB Web-tools
http://www.atstake.com/research/advisories/2003/a111703-2.txt
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://www.secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://www.secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
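A defender-side check for issue 1, added here as an example that is not part of the Secunia advisory or of SAP DB: it walks a directory tree and reports copies of "NETAPI32.DLL" found outside the system directory, noting whether the containing directory is writable. The tree built in `demo()` is constructed, and `sapdb/work` is a hypothetical working directory.

```python
import os
import tempfile

# DLL names that should only ever resolve from the Windows system directory.
# NETAPI32.DLL is the one named in the advisory; extend the set as needed.
PROTECTED_DLLS = {"netapi32.dll"}


def find_shadow_dlls(roots, system_dir, protected=PROTECTED_DLLS):
    """Return (path, dir_writable) for protected DLL names found outside system_dir."""
    system_dir = os.path.normcase(os.path.realpath(system_dir))
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            here = os.path.normcase(os.path.realpath(dirpath))
            if here == system_dir:
                continue  # the legitimate copy lives here
            for name in files:
                if name.lower() in protected:  # Windows file names are case-insensitive
                    findings.append((os.path.join(dirpath, name),
                                     os.access(dirpath, os.W_OK)))
    return sorted(findings)


def demo():
    """Build a constructed directory tree and scan it."""
    with tempfile.TemporaryDirectory() as base:
        system32 = os.path.join(base, "system32")      # stand-in for the system directory
        workdir = os.path.join(base, "sapdb", "work")  # hypothetical service working dir
        cleandir = os.path.join(base, "sapdb", "bin")
        for d in (system32, workdir, cleandir):
            os.makedirs(d)
        for path in (os.path.join(system32, "netapi32.dll"),
                     os.path.join(workdir, "NETAPI32.DLL"),  # copy outside the system dir
                     os.path.join(cleandir, "other.dll")):
            with open(path, "wb") as fh:
                fh.write(b"constructed sample, not a real DLL")
        hits = find_shadow_dlls([base], system32)
        return [(os.path.relpath(p, base), w) for p, w in hits]


if __name__ == "__main__":
    for rel, writable in demo():
        print(f"shadow copy: {rel} (directory writable: {writable})")
```

A hit in a directory that non-administrative users can write to matches the precondition the advisory gives for issue 1.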