SAP SAPDBA Command Local Privilege Escalation Vulnerability

Vulnerability ID 1194891 Vulnerability type
Published 2006-05-23 Updated 2006-05-24
CVE ID CVE-2006-2547 CNNVD-ID CNNVD-200605-442
Platform N/A CVSS score 10.0
|Vulnerability source
https://cxsecurity.com/issue/WLB-2006050135
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200605-442
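|Vulnerability details
SAP's sapdba command is a tool for database administration. Because environment variables are not handled correctly, the sapdba command for Informix databases may allow any UNIX user to run arbitrary commands at the shell level with informix privileges.
|Vulnerability EXP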
(The following advisory is also available in PDF format for download at:
http://www.cybsec.com/vuln/CYBSEC_Security_Pre-Advisory_Local_Privilege_Escalation_in_SAP_sapdba_Command.pdf )

CYBSEC S.A.
www.cybsec.com

Pre-Advisory Name: Local Privilege Escalation in SAP sapdba Command

Vulnerability Class: Insecure Environment Variable Handling

Release Date: 05/18/2006

Affected Applications:  
* sapdba command for Informix version prior to 700
* sapdba command for Informix version 700 up to patch number 100

Unaffected Applications: 
* sapdba command for Oracle Databases

Affected Platforms: 
* SAP with Informix on HP-UX, Solaris, AIX, Tru64 or Linux

Local / Remote: Local

Severity: Medium

Author:  Leandro Meiners.

Vendor Status:  
* Confirmed, patch released

Reference to Vulnerability Disclosure Policy: 
http://www.cybsec.com/vulnerability_policy.pdf

Product Overview:
=================

The sapdba command is a utility provided by SAP for database
administration. Two different versions are available, one for Informix
and another for Oracle databases.

Vulnerability Description:
==========================

The sapdba command for Informix Databases was found to allow any UNIX
user to run arbitrary commands with informix rights at the shell level,
due to improper handling of environment variables.

Technical Details:
==================

Technical details will be released three months after publication of
this pre-advisory. This was agreed upon with SAP to allow their clients
to upgrade affected software prior to the technical knowledge being
publicly available. 

Impact:
=======

Any user with login access to the SAP database server having a
vulnerable version of the sapdba command can escalate privileges to
execute arbitrary commands with the rights of the informix user.  

Solutions:
==========

SAP released a patch regarding this issue. Details can be found in SAP
note 944585.

Vendor Response:
================
* 04/20/2006: Initial Vendor Contact and technical details for the
vulnerabilities sent to vendor.
* 04/26/2006: Solution provided by vendor.
* 05/18/2006: Coordinate release of pre-advisory without technical
details.
* 08/18/2006: Coordinate release of advisory with technical details.

Contact Information:
====================

For more information regarding the vulnerability feel free to contact
the author at lmeiners<at>cybsec.com. Please bear in mind that technical
details will be disclosed three months after the release of this
pre-advisory, so such questions won't be answered until then. 

For more information regarding CYBSEC: www.cybsec.com

----------------------------
Leandro Meiners
CYBSEC S.A. Security Systems
E-mail: lmeiners at cybsec.com
Tel/Fax: [54-11] 4382-1600
Web: http://www.cybsec.com
PGP-Key: http://pgp.mit.edu:11371/pks/lookup?search=lmeiners&op=index

|References

Source: XF
Name: sap-sapdba-privilege-escalation(26526)
Link: http://xforce.iss.net/xforce/xfdb/26526
Source: MISC
Link: http://www.cybsec.com/vuln/CYBSEC_Security_Pre-Advisory_Local_Privilege_Escalation_in_SAP_sapdba_Command.pdf
Source: FULLDISC
Name: 20060518 CYBSEC - Security Pre-Advisory: Local Privilege Escalation in SAP sapdba Command
Link: http://lists.grok.org.uk/pipermail/full-disclosure/2006-May/046130.html
Source: BID
Name: 18028
Link: http://www.securityfocus.com/bid/18028
Source: VUPEN
Name: ADV-2006-1861
Link: http://www.frsirt.com/english/advisories/2006/1861
Source: SECTRACK
Name: 1016122
Link: http://securitytracker.com/id?1016122
Source: SECUNIA
Name: 20180
Link: http://secunia.com/advisories/20180
Source: BUGTRAQ
Name: 20060519 CYBSEC - Security Pre-Advisory: Local Privilege Escalation in SAP sapdba Command
Link: http://www.securityfocus.com/archive/1/archive/1/434534/30/4890/threaded
Source: SREASON
Name: 941
Link: http://securityreason.com/securityalert/941