(The following advisory is also available in PDF format for download at:
http://www.cybsec.com/vuln/CYBSEC_Security_Pre-Advisory_Local_Privilege_Escalation_in_SAP_sapdba_Command.pdf)
CYBSEC S.A.
www.cybsec.com
Pre-Advisory Name: Local Privilege Escalation in SAP sapdba Command
Vulnerability Class: Insecure Environment Variable Handling
Release Date: 05/18/2006
Affected Applications:
Unaffected Applications:
Affected Platforms:
Local / Remote: Local
Severity: Medium
Author: Leandro Meiners.
Vendor Status:
Reference to Vulnerability Disclosure Policy:
http://www.cybsec.com/vulnerability_policy.pdf
The sapdba command is a utility provided by SAP for database
administration. Two different versions are available, one for Informix
and another for Oracle databases.

The sapdba command for Informix databases was found to allow any UNIX
user to run arbitrary commands with informix rights at the shell level,
due to improper handling of environment variables.

Technical details will be released three months after publication of
this pre-advisory. This was agreed upon with SAP to allow their clients
to upgrade affected software prior to the technical knowledge being
publicly available.

Any user with login access to the SAP database server having a
vulnerable version of the sapdba command can escalate privileges to
execute arbitrary commands with the rights of the informix user.

SAP released a patch regarding this issue. Details can be found in SAP
note 944585.

For more information regarding the vulnerability, feel free to contact
the author at lmeiners<at>cybsec.com. Please bear in mind that technical
details will be disclosed three months after the release of this
pre-advisory, so such questions won't be answered until then.

For more information regarding CYBSEC: www.cybsec.com
Leandro Meiners
CYBSEC S.A. Security Systems
E-mail: [email protected]
Tel/Fax: [54-11] 4382-1600
Web: http://www.cybsec.com
PGP-Key: http://pgp.mit.edu:11371/pks/lookup?search=lmeiners&op=index