SAP's MaxDB is "a database software product". MaxDB was released as open source from version 7.5 up to version 7.6.00. Later versions are no longer open source but are available for download from the SAP SDN website (sdn.sap.com) as a community edition with free community support for public use beyond the scope of SAP applications. The "dbmsrv" program is set-uid "sdb", set-gid "sdba", and installed by default. Local exploitation of an untrusted path vulnerability in the "dbmsrv" program, as distributed with SAP AG's MaxDB, allows attackers to elevate privileges to those of the "sdb" user.
Credit:
The information has been provided by iDefense Labs.
The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=729
Vulnerable Systems:
* SAP MaxDB version 7.6.03.15 on Linux
When a local user runs the "dbmcli" program, MaxDB executes a "dbmsrv" process on the user's behalf. The "dbmsrv" process, which is responsible for executing user commands, runs as the user "sdb" with group "sdba".
This vulnerability exists due to improper sanitization of the "PATH" environment variable. By prefixing the "PATH" environment variable with a directory under the attacker's control, one is able to execute arbitrary code with "sdb:sdba" privileges.
Analysis:
Exploitation allows an attacker to execute arbitrary code with privileges of the database owner, usually "sdb". To exploit this vulnerability, an attacker must have the ability to create executables on the system.
Vendor response:
SAP AG has addressed this vulnerability by releasing a new version of MaxDB. For more information, consult SAP note 1178438.
CVE Information:
CVE-2008-1810
Disclosure timeline:
03/27/2008 - Initial vendor notification
04/01/2008 - Initial vendor response
07/30/2008 - Coordinated public disclosure