Credit:
The information has been provided by iDefense Labs.
The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=669
Vulnerable Systems:
* SAP AG's MaxDB version 7.6.0.37 (on Linux)
After accepting a connection, the "vserver" process forks and reads parameters from the client into various structures. When doing so, it trusts values sent from the client to be valid. By sending a specially crafted request, an attacker can cause heap corruption. This leads to a potentially exploitable memory corruption condition.
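The class of flaw described above (client-supplied values used unchecked while filling server-side structures) and the checks that prevent it, as an added example that is not code from iDefense or SAP. The wire format, `parse_params`, `struct conn_params` and the sample requests are hypothetical and constructed for illustration; they do not represent the MaxDB protocol.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical format (assumption, not MaxDB's): byte 0 = field count, then
 * per field: 1-byte id, 2-byte big-endian length, value bytes. */
#define MAX_FIELDS 4
#define FIELD_CAP  64

struct conn_params {              /* per-connection structure filled from the client */
    uint8_t count;
    uint8_t id[MAX_FIELDS];
    char    value[MAX_FIELDS][FIELD_CAP];
};

/* Returns 0 on success, -1 as soon as any client-supplied value is out of range.
 * On failure *out holds count == 0 and must not be used. */
int parse_params(const uint8_t *buf, size_t len, struct conn_params *out)
{
    size_t off = 1;
    memset(out, 0, sizeof *out);
    if (len < 1 || buf[0] > MAX_FIELDS)        /* count later indexes id[]/value[] */
        return -1;
    for (uint8_t i = 0; i < buf[0]; i++) {
        if (len - off < 3)                     /* field header must really be there */
            return -1;
        size_t flen = ((size_t)buf[off + 1] << 8) | buf[off + 2];
        if (flen >= FIELD_CAP)                 /* would overflow value[i] (plus NUL) */
            return -1;
        if (flen > len - off - 3)              /* would read past the received bytes */
            return -1;
        out->id[i] = buf[off];
        memcpy(out->value[i], buf + off + 3, flen);
        out->value[i][flen] = '\0';
        off += 3 + flen;
    }
    if (off != len)                            /* reject trailing, unparsed bytes */
        return -1;
    out->count = buf[0];
    return 0;
}

/* Constructed sample requests. */
static const uint8_t ok_req[]    = {1, 0x01, 0x00, 0x04, 'D', 'E', 'M', 'O'};
static const uint8_t big_req[]   = {1, 0x01, 0xFF, 0xFF, 'D', 'E', 'M', 'O'};
static const uint8_t short_req[] = {1, 0x01, 0x00, 0x20, 'D'};

int main(void) {
    struct conn_params p;
    printf("%d\n", parse_params(ok_req, sizeof ok_req, &p));
    return 0;
}
```

Without the two length checks, the `memcpy` would write past `value[i]` or read past the received buffer using a length the client chose, which is the kind of corruption the advisory describes.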
Analysis:
Exploitation allows an attacker to execute arbitrary code in the context of the running service. In order to exploit this vulnerability, an attacker must be able to establish a TCP session on port 7210 with the target host. Additionally, the attacker must know the name of an active database on the server.
Since this service uses the fork() system call once a connection has been accepted, an attacker can repeatedly attempt to exploit this vulnerability. Some exploitation attempts may result in the database process ceasing to run, in which case further exploitation attempts will not be possible.
Vendor response:
SAP AG has addressed this vulnerability by releasing a new version of MaxDB. For more information, consult SAP note 1140135.
CVE Information:
CVE-2008-0307
Disclosure timeline:
12/06/2007 - Initial vendor notification
12/10/2007 - Initial vendor response
03/10/2008 - Coordinated public disclosure