CVE-2003-0938
CVSS 7.2
Published: 2003-12-15 00:00:00
Revised: 2008-09-05 16:35:36

[Original] vos24u.c in SAP database server (SAP DB) 7.4.03.27 and earlier allows local users to gain SYSTEM privileges via a malicious "NETAPI32.DLL" in the current working directory, which is found and loaded by SAP DB before the real DLL, as demonstrated using the SQLAT stored procedure.


[CNNVD] SAP DB Privilege Escalation and Buffer Overflow Vulnerability (CNNVD-200312-035)

        SAP is an open-source database server. The database server is fast, efficient and easy to administer.
        SAP's core SAP DB 7.4.03.27 and earlier versions contain multiple vulnerabilities; an attacker can exploit them to elevate privileges or to remotely compromise the SAP DB server and gain unauthorized access.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may result in a complete system outage]
Access complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0938
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0938
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200312-035
(Official data source) CNNVD

- Other links and resources

http://www.atstake.com/research/advisories/2003/a111703-1.txt
(VENDOR_ADVISORY)  ATSTAKE  A111703-1
http://xforce.iss.net/xforce/xfdb/13765
(VENDOR_ADVISORY)  XF  sapdb-NETAPI32-gain-privileges(13765)

- Vulnerability information

SAP DB Privilege Escalation and Buffer Overflow Vulnerability
High severity
2003-12-15 00:00:00 2012-12-07 00:00:00
Local

- Advisories and patches

        Vendor patches:
        SAP
        ---
        The vendor has released an upgrade that fixes this security issue. Please download SAP DB version 7.4.03.30 from the vendor's homepage:

        http://www.sapdb.org/

- Vulnerability information (F32205)

Atstake Security Advisory 03-11-17.1 (PacketStormID:F32205)
2003-11-17 00:00:00
Atstake,Ollie Whitehouse,Dino Dai Zovi  atstake.com
advisory,remote,overflow,local,tcp
CVE-2003-0938,CVE-2003-0939

Atstake Security Advisory A111703-1 - Using the SQLAT stored procedure, a local attacker can obtain system access by swapping the NETAPI32.DLL in the current working directory. There is also a remote buffer overflow in the niserver interface on TCP port 7629.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                              @stake, Inc.
                            www.atstake.com

                           Security Advisory

Advisory Name: SAP DB priv. escalation/remote code execution
 Release Date: 11/17/2003
  Application: SAP DB 7.4.03.27 (23-June-2003) and before
     Platform: Microsoft Windows NT4/2000/XP [1 and 2]
               Linux (IA32)                  [2]
               SUN Solaris                   [2]
               HPUX                          [2]
               Compaq Tru64                  [2]
     Severity: local priv escalation to SYSTEM on Windows
               potential remote code execution
      Authors: Ollie Whitehouse [ollie@atstake.com]
               Dino Dai Zovi    [ddaizovi@atstake.com]
Vendor Status: Vendor has patches available
CVE Candidate: CAN-2003-0938 - privilege gain via fake "NETAPI32.DLL"
               CAN-2003-0939 - buffer overflow in niserver interface
    Reference: www.atstake.com/research/advisories/2003/a111703-1.txt


Overview:

     SAP's (http://www.sapdb.org) open source database server
is a project which is sponsored by SAP AG. The database server
allows for a fast, flexible, high performance and easily administered
deployment of an enterprise level database solution.

There exist a number of vulnerabilities in the core SAP DB code that
allow a local attacker on Windows machines to elevate privileges, or an
unauthenticated remote attacker to compromise the SAP DB server on
Windows and the other supported platforms.

The vulnerabilities outlined below in this advisory are good examples
of why functionality should be evaluated in terms of the new
vulnerabilities and risks it may introduce before being deployed in
a production environment.


Details:

[1] Local Windows privilege escalation
Credit: Ollie Whitehouse

This is a common Windows (http://www.microsoft.com/windows/)
programming error in the SAP DB core code. Located within
'/V74_03_27/SAPDB_ORG/sys/src/os/vos24u.c' are the following lines
of code:

     line 62: #define NET_API_DLL       "NETAPI32.DLL"

     Then the following line allows exploitation

     line 143:   hinst = LoadLibrary( NET_API_DLL );

If an attacker has write access to the current working directory of
SAP DB (which is the default, as SAP does not lock down the file
permissions on Windows NT) and can place a fake 'NETAPI32.DLL' there,
SAP DB will search the working directory first and thus load the fake
'NETAPI32.DLL', giving the attacker SYSTEM access.

This vulnerability can be exploited via the 'SQLAT' stored procedure
on SAP DB.
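The defect above is a bare-name LoadLibrary call, which lets the Windows loader consult the current working directory before the system directory. The fix a reviewer would ask for is to resolve the system directory first and load by absolute path. The following is an added example written for this page, not SAP DB's code or @stake's; the names dll_name_is_bare, build_system_dll_path and load_system_dll are ours. The path-building and name-validation logic is portable; only load_system_dll uses the Win32 API and is compiled on Windows.

```c
/* Added example (not SAP DB code): load a system DLL by absolute path from the
 * system directory instead of by bare name, so the loader never consults the
 * current working directory. dll_name_is_bare() and build_system_dll_path()
 * are ours and run anywhere; load_system_dll() wraps the Win32 call and only
 * compiles on Windows. */
#include <stddef.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* A library name is acceptable only if it is a bare file name: no path
 * separators, no drive letter, no "." / ".." components. */
int dll_name_is_bare(const char *name)
{
    if (name == NULL || *name == '\0') return 0;
    if (strchr(name, '\\') || strchr(name, '/') || strchr(name, ':')) return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    return 1;
}

/* Join "<sysdir>\<name>" into out. Returns 0 on success, -1 if the name is
 * not bare or the result would not fit (no silent truncation). */
int build_system_dll_path(const char *sysdir, const char *name,
                          char *out, size_t out_len)
{
    if (!dll_name_is_bare(name) || sysdir == NULL || *sysdir == '\0') return -1;
    size_t dlen = strlen(sysdir);
    size_t nlen = strlen(name);
    int need_sep = sysdir[dlen - 1] != '\\';
    size_t total = dlen + (need_sep ? 1 : 0) + nlen;
    if (total + 1 > out_len) return -1;
    memcpy(out, sysdir, dlen);
    size_t p = dlen;
    if (need_sep) out[p++] = '\\';
    memcpy(out + p, name, nlen + 1);   /* copies the terminating NUL */
    return 0;
}

#ifdef _WIN32
/* Hardened replacement for LoadLibrary(NET_API_DLL): resolve the system
 * directory first and pass a full path, which LoadLibrary opens directly
 * instead of walking the search order that starts in the working directory. */
HMODULE load_system_dll(const char *name)
{
    char sysdir[MAX_PATH], full[MAX_PATH];
    UINT n = GetSystemDirectoryA(sysdir, sizeof sysdir);
    if (n == 0 || n >= sizeof sysdir) return NULL;
    if (build_system_dll_path(sysdir, name, full, sizeof full) != 0) return NULL;
    return LoadLibraryA(full);
}
#endif

/* Demo on constructed input: the join succeeds for a bare name, refuses a
 * name that tries to escape the system directory, and refuses to truncate. */
int demo_system_dll_path(void)
{
    char full[64];
    int ok = build_system_dll_path("C:\\WINDOWS\\system32", "NETAPI32.DLL",
                                   full, sizeof full) == 0
          && strcmp(full, "C:\\WINDOWS\\system32\\NETAPI32.DLL") == 0;
    int rejected = build_system_dll_path("C:\\WINDOWS\\system32",
                                         "..\\NETAPI32.DLL", full, sizeof full) == -1;
    int too_small = build_system_dll_path("C:\\WINDOWS\\system32",
                                          "NETAPI32.DLL", full, 8) == -1;
    return ok && rejected && too_small;
}
```

The name check matters because a caller that concatenates an attacker-influenced string onto the system directory would otherwise reintroduce the same problem through ".." components.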


[2] Remote unauthenticated buffer overflow in 'niserver' interface
Credit: Dino Dai Zovi

In the default installation of SAP DB, the 'niserver' (on Unix) or
'serv.exe' (on Windows) process is listening on TCP port 7629
(sapdbni72) running as root or LocalSystem.  This interface is used
by the SAP support team to connect to customer SAP installations.
There is a buffer overflow in the code to extract strings from the
variable-sized segment of the connect packet.

The vulnerable code is in the function eo420_GetStringFromVarPart in
/V74_03_27/SAPDB_ORG/sys/src/eo/veo420.c (all comments are @stake's):

  [Code segment from: eo/veo420.c]

  ulLength = pConnectPacket->ConnectLength  -
             ( sizeof (*pConnectPacket) -
               sizeof (pConnectPacket->VarPart) );

  ulLength = MIN_EO420 ( ulLength, sizeof (pConnectPacket->VarPart)
                        );

  // @stake comment:
  // Items in variable-sized segment are stored:
  // [1-byte length] [1-byte type] [ data ... ]
  //
 
  for ( ulPos =  0;
        ulPos <  ulLength;
        ulPos += pConnectPacket->VarPart[ulPos] & 0xff )
    {
    ...
    if ( pConnectPacket->VarPart[ulPos + 1] == StringID )
      {
      ...
      break;
      }
    }
  ...
  // @stake comment:
  // error checking code removed for brevity checked that declared
  // data length >= 2 and < MaxStringLen and that ulPos < ulLength.
  //
  // The string data from the packet is copied without regard to
  // destination string length leading to a buffer overflow.
  //
  strcpy (szString, (const char*)(pConnectPacket->VarPart + ulPos +
                     2));

The variable-sized segment is limited to 256 bytes in length and the
destination string buffer is a 256-byte char array.  However, if a
string in the variable-sized segment is the maximum length and not
NULL-terminated, the strcpy will copy memory following the end of
the received packet, overrunning the bounds of the destination
buffer leading to potential remote code execution.
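The advisory describes the variable part as a sequence of [1-byte length][1-byte type][data...] items inside a 256-byte segment, copied with strcpy into a 256-byte buffer. The vendor's fix (quoted below in the release notes) is to reject a connect packet whose string is not zero-terminated. The following is an added example written for this page, not SAP DB's eo420_GetStringFromVarPart and not @stake's code; the names varpart_get_string, varpart_add_item, VARPART_SIZE and the VP_* result codes are ours, and the packet contents are constructed. It implements the lookup with the bounds and termination checks the vendor's fix describes.

```c
/* Added example (not SAP DB code): parse the connect-packet variable part the
 * advisory describes, with the missing-zero-byte check that the vendor's fix
 * adds. Layout assumed from the advisory:
 *   VarPart is 256 bytes; items are [1-byte total length][1-byte type][data...]
 * Names below are ours, not SAP DB's. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define VARPART_SIZE   256   /* advisory: variable-sized segment is 256 bytes */
#define MAX_STRING_LEN 256   /* advisory: destination is a 256-byte char array */

enum { VP_OK = 0, VP_NOT_FOUND = 1, VP_MALFORMED = 2, VP_UNTERMINATED = 3 };

/* Hardened lookup: find the item whose type byte equals string_id and copy its
 * data into out. A string is accepted only if a zero byte occurs inside the
 * item's own declared data, so the copy can never read past the packet. */
int varpart_get_string(const uint8_t *varpart, size_t varpart_len,
                       uint8_t string_id, char *out, size_t out_len)
{
    size_t pos = 0;
    if (varpart_len > VARPART_SIZE) return VP_MALFORMED;
    while (pos < varpart_len) {
        size_t item_len = varpart[pos];
        /* declared length must cover the 2-byte header and stay in the segment
         * (also stops the zero-length item from looping forever) */
        if (item_len < 2 || pos + item_len > varpart_len) return VP_MALFORMED;
        if (varpart[pos + 1] == string_id) {
            const uint8_t *data = varpart + pos + 2;
            size_t data_len = item_len - 2;
            const uint8_t *nul = memchr(data, 0, data_len);   /* the fix */
            if (nul == NULL) return VP_UNTERMINATED;
            size_t slen = (size_t)(nul - data);
            if (slen >= out_len || slen >= MAX_STRING_LEN) return VP_MALFORMED;
            memcpy(out, data, slen + 1);   /* includes the zero byte */
            return VP_OK;
        }
        pos += item_len;
    }
    return VP_NOT_FOUND;
}

/* Constructed input helper: append one item. Returns the new segment length,
 * or 0 if the item would not fit in a 1-byte length or in the segment. */
size_t varpart_add_item(uint8_t *varpart, size_t len, uint8_t type,
                        const void *data, size_t data_len)
{
    if (data_len + 2 > 255 || len + data_len + 2 > VARPART_SIZE) return 0;
    varpart[len] = (uint8_t)(data_len + 2);
    varpart[len + 1] = type;
    memcpy(varpart + len + 2, data, data_len);
    return len + data_len + 2;
}

/* Well-formed, zero-terminated strings are found and copied. */
int demo_accepts_terminated(void)
{
    uint8_t vp[VARPART_SIZE];
    char out[MAX_STRING_LEN];
    size_t n = varpart_add_item(vp, 0, 0x01, "dbuser", 7);   /* 7 = with NUL */
    n = varpart_add_item(vp, n, 0x02, "db", 3);
    return n != 0
        && varpart_get_string(vp, n, 0x02, out, sizeof out) == VP_OK
        && strcmp(out, "db") == 0
        && varpart_get_string(vp, n, 0x09, out, sizeof out) == VP_NOT_FOUND;
}

/* The overflow case from the advisory: a maximum-length item whose data has
 * no zero byte is rejected instead of being copied. */
int demo_rejects_unterminated(void)
{
    uint8_t vp[VARPART_SIZE];
    char out[MAX_STRING_LEN];
    uint8_t filler[253];
    memset(filler, 'A', sizeof filler);          /* 253 data bytes, no zero */
    size_t n = varpart_add_item(vp, 0, 0x01, filler, sizeof filler);
    return n == 255
        && varpart_get_string(vp, n, 0x01, out, sizeof out) == VP_UNTERMINATED;
}

/* An item whose declared length runs past the received segment is rejected. */
int demo_rejects_truncated(void)
{
    uint8_t vp[VARPART_SIZE];
    char out[MAX_STRING_LEN];
    varpart_add_item(vp, 0, 0x01, "dbuser", 7);   /* declared item length 9 */
    return varpart_get_string(vp, 5, 0x01, out, sizeof out) == VP_MALFORMED;
}
```

Checking for the zero byte with memchr over the item's declared data, rather than relying on strcpy to stop, is the whole difference: the original code trusted that a terminator existed somewhere after the packet, while the hardened version only ever reads bytes the packet actually declared.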

Vendor Response:

     @stake contacted the vendor multiple times during
September 2003. Below is the timeline of the communication:


     03-Sep-2003:    @stake informs vendor
     07-Nov-2003:    SAP releases version 7.4.03.30 which fixes
                     all of the @stake reported vulnerabilities.
     17-Nov-2003:    Release


The vendor has patches and a new version available.

From the vendor release notes:
http://www.sapdb.org/7.4/new_relinfo.txt

PTS: 1124004    since: 7.4.03.30

    Bug fixed:
        SECURITY
        1) Preconditions and circumstances
        This is a security fix. It protects against potential
        buffer overflow using a specialized 'intrusion' program,
        that could
        execute code on behalf of the owner of 'niserver' or
        'x_server'.
        The possible attack position is inside commonly used code
        shared between all platforms.
        2) Probability that the error occurs
        low (no such program was ever known of, but the code would
        allow one to write it...). If such a program was written: 100%
        3) Solution to the problem
        The copy routine is modified to check the string for being
        correctly terminated by a zero byte. If not, the connection
        packet is rejected.
        4) Visibility
        it depends on the action taken by the intruder's coding...
        5) Workaround
        none


Recommendation:

        If you are running on the Windows platform make sure that the
permissions for the SAP DB working directory are set so that only
administrators have write access.  This is not the default.

        On all platforms port 7269 should be filtered by a network
or host based firewall to only allow those machines that need to
connect to the niserver service to connect.

        Enterprises should look to upgrade to the latest version
of SAP DB which fixes these vulnerabilities, version 7.4.03.30. It is
available at:

http://www.sapdb.org/7.4/sap_db_software.htm


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues.  These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

  CAN-2003-0938 - privilege gain via fake "NETAPI32.DLL"
  CAN-2003-0939 - buffer overflow in niserver interface


@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/

@stake Advisory Archive:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc

@stake is currently seeking application security experts to fill
several consulting positions.  Applicants should have strong
application development skills and be able to perform application
security design reviews, code reviews, and application penetration
testing.  Please send resumes to jobs@atstake.com.

Copyright 2003 @stake, Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBP7jbkke9kNIfAm4yEQIvXgCfczpv41Jf32t2U+1Vlbtpgz4U/F4AoMEx
Wi/q4hKhWsk6U1vk9bQXZyqP
=fJ8L
-----END PGP SIGNATURE-----


- Vulnerability information

3081
SAP DB NETAPI32.DLL Elevated Privileges

- Description

SAP DB version 7.4.03.27 contains a flaw that may allow a malicious user to gain unauthorized privileges. A local attacker with write privileges to SAP DB's current working directory could load a fake NETAPI32.DLL file to gain elevated privileges on the system via the 'SQLAT' stored procedure.

- Timeline

2003-11-17 2003-11-17
Unknown Unknown

- Solution

Upgrade to version 7.4.03.30 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

Unknown or Incomplete