Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2003.0794 -- @stake, Inc Security Advisory SAP DB priv. escalation/remote code execution 18 November 2003 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: SAP DB Publisher: @stake, Inc. Operating System: Linux Solaris Windows XP Windows 2000 Windows NT HP Tru64 UNIX Impact: Execute Arbitrary Code/Commands Increased Privileges Access Required: Existing Account CVE Names: CAN-2003-0938 CAN-2003-0939 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 @stake, Inc. www.atstake.com Security Advisory Advisory Name: SAP DB priv. escalation/remote code execution Release Date: 11/17/2003 Application: SAP DB 7.4.03.27 (23-June-2003) and before Platform: Microsoft Windows NT4/2000/XP [1 and 2] Linux (IA32) [2] SUN Solaris [2] HPUX [2] Compaq True64 [2] Severity: local priv escalation to SYSTEM on Windows potential remote code execution Authors: Ollie Whitehouse [ollie@atstake.com] Dino Dai Zovi [ddaizovi@atstake.com] Vendor Status: Vendor has patches available CVE Candidate: CAN-2003-0938 - privilege gain via fake "NETAPI32.DLL" CAN-2003-0939 - buffer overflow in niserver interface Reference: www.atstake.com/research/advisories/2003/a111703-1.txt Overview: SAP's (http://www.sapdb.org) open source database server is a project which is sponsored by SAP AG. The database server allows for a fast, flexible, high performance and easily administered deployment of an enterprise level database solution. There exists a number of vulnerabilities in the core SAPDB code that allow a local attacker on Windows machines to elevate privileges or remotely compromise the SAPDB server unauthenticated on Windows and other supported platforms. The vulnerabilities outlined below in the advisory are good examples of why functionality should be evaluated in terms of new vulnerabilities and risks they may introduce before being deployed in a production environment. Details: [1] Local Windows privilege escalation Credit: Ollie Whitehouse This is a common Windows (http://www.microsoft.com/windows/) programming error in the SAP DB core code. Located within '/V74_03_27/SAPDB_ORG/sys/src/os/vos24u.c' are the following lines of code: line 62: #define NET_API_DLL "NETAPI32.DLL" Then the following line allows exploitation line 143: hinst = LoadLibrary( NET_API_DLL ); If an attacker has write access to the current working directory of the SAP DB (which is the default as SAP does not lock down the file permissions on WindowsNT) and can place a fake 'NETAPI32.DLL' SAPDB will search working directory first and thus load the fake 'NETAPI32.DLL' and obtain system access. This vulnerability can be exploited via the 'SQLAT' stored procedure on SAP DB. [2] Remote unauthenticated buffer overflow in 'niserver' interface Credit: Dino Dai Zovi In the default installation of SAP DB, the 'niserver' (on Unix) or 'serv.exe' (on Windows) process is listening on TCP port 7629 (sapdbni72) running as root or LocalSystem. This interface is used by the SAP support team to connect to customer SAP installations. There is a buffer overflow in the code to extract strings from the variable-sized segment of the connect packet. The vulnerable code is in the function eo420_GetStringFromVarPart in /V74_03_27/SAPDB_ORG/sys/src/eo/veo420.c (all comments are @stake's): [Code segment from: eo/veo420.c] ulLength = pConnectPacket->ConnectLength - ( sizeof (*pConnectPacket) - sizeof (pConnectPacket->VarPart) ); ulLength = MIN_EO420 ( ulLength, sizeof (pConnectPacket->VarPart) ); // @stake comment: // Items in variable-sized segment are stored: // [1-byte length] [1-byte type] [ data ... ] // for ( ulPos = 0; ulPos < ulLength; ulPos += pConnectPacket->VarPart[ulPos] & 0xff ) { ... if ( pConnectPacket->VarPart[ulPos + 1] == StringID ) { ... break; } } ... // @stake comment: // error checking code removed for brevity checked that declared // data length >= 2 and < MaxStringLen and that ulPos < ulLength. // // The string data from the packet is copied without regard to // destination string length leading to a buffer overflow. // strcpy (szString, (const char*)(pConnectPacket->VarPart + ulPos + 2)); The variable-sized segment is limited to 256 bytes in length and the destination string buffer is a 256-byte char array. However, if a string in the variable-sized segment is the maximum length and not NULL-terminated, the strcpy will copy memory following the end of the received packet, overrunning the bounds of the destination buffer leading to potential remote code execution. Vendor Response: @stake have contacted the vendor multiple times during September 2003. Below is the time line of the communication: 03-Sep-2003: @stake informs vendor 07-Nov-2003: SAP releases version 7.4.03.30 which fixes all of the @stake reported vulnerabilities. 17-Nov-2003: Release The vendor has patches and a new version available. - - From the vendor release notes: http://www.sapdb.org/7.4/new_relinfo.txt PTS: 1124004 since: 7.4.03.30 Bug fixed: SECURITY 1) Preconditions and circumstances This is a security fix. It protects against potential buffer overflow using a specialized 'intrusion' program, that could execute code an behalf of the owner of 'niserver' or 'x_server'. The possible attack position is inside common used code shared between all platforms. 2) Probability that the error occurs low (no such program was ever known off, but the code would allow to write it...). If such a program was written: 100% 3) Solution to the problem The copy routines is modified to check the string for being correctly terminated by a zero byte. If not the connection packet is rejected. 4) Visibility it depends on the action taken by the intruders coding... 5) Workaround none Recommendation: If you are running on the Windows platform make sure that the permissions for the SAP DB working directory are set so that only administrators have write access. This is not the default. On all platforms port 7269 should be filtered by a network or host based firewall to only allow those machines that need to connect to the niserver service to connect. Enterprises should look to upgrade to the lastest version of SAP DB which fixes these vulnerabilities, version 7.4.03.30. It is avaliable at: http://www.sapdb.org/7.4/sap_db_software.htm Common Vulnerabilities and Exposures (CVE) Information: The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. CAN-2003-0938 - privilege gain via fake "NETAPI32.DLL" CAN-2003-0939 - buffer overflow in niserver interface @stake Vulnerability Reporting Policy: http://www.atstake.com/research/policy/ @stake Advisory Archive: http://www.atstake.com/research/advisories/ PGP Key: http://www.atstake.com/research/pgp_key.asc @stake is currently seeking application security experts to fill several consulting positions. Applicants should have strong application development skills and be able to perform application security design reviews, code reviews, and application penetration testing. Please send resumes to jobs@atstake.com. Copyright 2003 @stake, Inc. All rights reserved. - -----BEGIN PGP SIGNATURE----- Version: PGP 8.0 iQA/AwUBP7jbkke9kNIfAm4yEQIvXgCfczpv41Jf32t2U+1Vlbtpgz4U/F4AoMEx Wi/q4hKhWsk6U1vk9bQXZyqP =fJ8L - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBP7lgFCh9+71yA2DNAQGdNwQAmZ+74djXBRCLX4MAUtlIjuXrERZuf2lF gzj7knynCnY+1gz5gaSg9ji8GpYrmDnJbZe5GseSjd9bSECalV26BgB7m/wBqD4s YjH5pYoINdgHBKjbAa8p0dtLfG3BqBNyS93bmgFR+a6VugvdU/tdzROuyWgBGfDX XoRHAGLReoM= =QSQe -----END PGP SIGNATURE-----