CVE-2003-0943
CVSS 7.5
Published: 2003-12-15 00:00:00
Revised: 2008-09-05 16:35:37

[Original] web-tools in SAP DB before 7.4.03.30 installs several services that are enabled by default, which could allow remote attackers to obtain potentially sensitive information or redirect attacks against internal databases via (1) waecho, (2) Web SQL Interface (websql), or (3) Web Database Manager (webdbm).


[CNNVD] SAP DB web-tools multiple security vulnerabilities (CNNVD-200312-043)

        SAP is an open-source database server. The database server is fast, efficient and easy to manage.
        The web-tools solution included with the web service of SAP versions prior to 7.4.03.30 contains multiple vulnerabilities; remote attackers can exploit them to carry out directory traversal, buffer overflow and other attacks.
        

- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may lead to modification of system files]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0943
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0943
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200312-043
(Official data source) CNNVD

- Other links and resources

http://www.atstake.com/research/advisories/2003/a111703-2.txt
(VENDOR_ADVISORY)  ATSTAKE  A111703-2

- Vulnerability information

SAP DB web-tools multiple security vulnerabilities
High
2003-12-15 00:00:00 2012-12-07 00:00:00
Remote

- Advisories and patches

        Vendor patch:
        SAP
        ---
        The vendor has released an upgrade patch to fix this security issue; please download and use SAP version 7.4.03.30 from the vendor's homepage:

        http://www.sapdb.org/

- Vulnerability information (F32206)

Atstake Security Advisory 03-11-17.2 (PacketStormID:F32206)
2003-11-17 00:00:00
Atstake,Ollie Whitehouse  atstake.com
advisory,remote,web,overflow
CVE-2003-0940,CVE-2003-0941,CVE-2003-0942,CVE-2003-0943,CVE-2003-0944,CVE-2003-0945

Atstake Security Advisory A111703-2 - A directory traversal vulnerability lies in the web-tools component of the SAP database server that enables any remote attacker to gain access to any file on the host due to the server running as SYSTEM. The Web Agent Administration service pages are also open by default, allowing any remote attacker to reconfigure the server as they see fit and the service also has at least one buffer overflow vulnerability. Default services within the Web Agent, such as waecho, contain buffer overflows that can be exploited remotely. The session identification generated is also considered to be unsafe since they are stored in the URL and not kept in a cookie either.


                              @stake, Inc.
                            www.atstake.com

                           Security Advisory

Advisory Name: SAP DB web-tools multiple issues
 Release Date: 11/17/2003
  Application: SAP DB < 7.4.03.30
     Platform: Linux (IA32)
               Microsoft Windows NT4/2000/XP
               SUN Solaris
               HPUX
               Compaq True64
     Severity: Remote file retrieval, administrative
               authentication bypass, authentication
               bypass,remote code execution
       Author: Ollie Whitehouse [ollie@atstake.com]
Vendor Status: Vendor has patches
CVE Candidate: CAN-2003-0940 - web-tools directory traversal
               CAN-2003-0941 - Web Agent Administration available
               CAN-2003-0942 - overflow in Web Agent Administration
               CAN-2003-0943 - default services available in Web
                               Agent
               CAN-2003-0944 - buffer overflow in waecho
               CAN-2003-0945 - Web Database Manager predictable
                               session IDs
    Reference: www.atstake.com/research/advisories/2003/a111703-2.txt


Overview:

      SAP's (http://www.sapdb.org) open source database server
is a project which is sponsored by SAP AG. The database server
allows for a fast, flexible, high performance and easily administered
deployment of an enterprise level database solution. In addition
to the base package, the SAP DB project also ships a 'web-tools'
solution that can either be integrated in to existing web server
solutions (i.e. IIS or iPlanet) or alternatively run its own native
web server.

There exist a number of vulnerabilities in the native web server
solution that @stake discovered, outlined below, which could enable
an attacker to perform a number of operations that could be used to
mount an attack against the host in question and/or other database
servers with which the web server can communicate.

The vulnerabilities outlined below in the advisory are good examples
of why default functionality should be evaluated in terms of new
vulnerabilities and risks they may introduce before being deployed in
a production environment.


Details:

[1] Directory Traversal

Within the web-tools component there exists a directory traversal
vulnerability that enables an attacker to retrieve any file from
the host drive on which the web-tools component resides. It should
also be noted that by default the SAP web server runs as Local SYSTEM
on Windows NT/2000/XP platforms, so all files are retrievable.

During a request no URL decoding occurs; simply put, the request
is passed to the 'sqlfopenc' function, which checks that the file
requested does indeed exist. If it does, the entire URI is simply
supplied to the 'FileFound' function, which in turn returns the file
to the user. Contained below is the code which is at fault:

     -----[Start: sqlfopenc Function]
     /* 'path' is the raw request URI: no decoding or canonicalisation
        has been applied before the open call. */
     sqlfopenc (path, SP5VF_BINARY, SP5VF_READ, SP5BK_BUFFERED,
                &fin, &err);
     if (err.sp5fe_result != vf_ok)
         rtc = FileNotFound(req->uri, host, port, as, rep);
     else
     {
         /* Any file that exists on disk is returned, including ones
            reached through '..' segments above the document root. */
         rtc = FileFound(path, as, req, rep, fin);
         sqlfclosec (fin, SP5VF_CLOSE_NORMAL, &err);
     }
     -----[End: sqlfopenc Function]

To successfully exploit this vulnerability an attacker simply needs
to perform a tried and tested double-dot attack to retrieve the file
of choice (i.e. 'http://127.0.0.1:85/../../../../../../boot.ini').
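As an added example (not SAP DB's or @stake's code), the lexical containment check a defender would put in front of the open call described above: it percent-decodes the request path first, since the advisory notes the web agent did no URL decoding, then rejects any path whose '..' segments climb above the document root. The function names are assumptions, not names from the SAP DB source tree.

```c
#include <ctype.h>
#include <string.h>

/* Hex digit value, or -1 if c is not a hex digit. */
static int hexval(int c) {
    if (isdigit(c)) return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode %XX escapes in place. Returns -1 on a malformed escape or on
 * %00, which would silently truncate the path at the open() call. */
static int url_decode(char *s) {
    char *w = s;
    for (; *s != '\0'; s++, w++) {
        if (*s == '%') {
            int hi = hexval((unsigned char)s[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)s[2]);
            if (lo < 0 || (hi * 16 + lo) == 0) return -1;
            *w = (char)(hi * 16 + lo);
            s += 2;
        } else {
            *w = *s;
        }
    }
    *w = '\0';
    return 0;
}

/* Returns 1 if the request URI, after decoding, still resolves inside
 * the document root, and 0 if it climbs above it or is malformed.
 * Purely lexical: it never touches the filesystem, so it can run before
 * the open call. Both '/' and '\\' count as separators (Windows builds). */
int uri_within_docroot(const char *uri) {
    char buf[4096];
    int depth = 0;
    if (strlen(uri) >= sizeof buf) return 0;
    strcpy(buf, uri);
    if (url_decode(buf) < 0) return 0;
    for (char *seg = strtok(buf, "/\\"); seg != NULL; seg = strtok(NULL, "/\\")) {
        if (strcmp(seg, ".") == 0) continue;
        if (strcmp(seg, "..") == 0) {
            if (--depth < 0) return 0;   /* escaped the document root */
            continue;
        }
        depth++;
    }
    return 1;
}
```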


[2] Web Agent Administration open by default

By default any user who has access to the SAP DB web-tools can access
the Web Agent Administration pages without prior authentication by
simply requesting a URL similar to 'http://127.0.0.1:85/waadmin.wa'.

From within the WAA an attacker can configure a large range of
options such as but not limited to:

     - Global Settings
     Configure such items as the SAP DB WWW document root.
    
     - Services
     Configure a URL which will call a certain function out of a
     library of choice (i.e. from DLL such as Kernel32 on Windows)

     - COM Services
     Configure a service that can call any class ID which is
     installed on the local machine.


[3] Web Agent Administration service contains buffer overflow

In addition the Web Agent Administration pages contain at least one
buffer overflow as well as the vulnerabilities mentioned above. By
entering an overly long URL such as:

   http://127.0.0.1:85/waadmin.wa?Service=Service&Name=AAAAAA....

an attacker can cause a buffer overflow to occur within it; from
@stake's testing we were able to overwrite EIP (IA32) with EBX
pointing to our malicious buffer. If successfully exploited an
attacker can obtain 'SYSTEM' level access on Windows.


[4] Default services within Web Agent / WAECHO buffer overflow

Within the default installation of the SAP DB web-tools there are
a number of default services. These services can be used by an
attacker to launch a myriad of attacks against either the host
upon which they are installed or other database servers with
which the SAP DB web-agent host has connectivity.

     - waecho
     Within the SAP DB WWW (SAP Native, IIS or NES) there is a
     default service called waecho which is requested via a URL
     similar to:

     http://127.0.0.1:85/waecho

     In response it simply prints out a number of variables, the
     first of which is requestURI; an example is contained below:

     requestURI = /waecho/

     By passing an overly long string on the URL such as:

     http://127.0.0.1:85/waecho/AAAAAAA....

     will cause a buffer overflow to occur: EIP is overwritten
     (IA32) and EDI points to about 120 bytes before our buffer.
     If successfully exploited an attacker can execute code as
     'SYSTEM' on Windows platforms. The offending library
     (waecho.dll on Windows or vwd83echo.c within the source tree)
     contains the following offending code:

     -----[Start: wd83ShowVal function from vwd83echo.c]
     void wd83ShowVal( sapdbwa_HttpReplyP rep, const char *name,
                       const char *val )
     {
         char textBuffer[1024];   /* fixed-size stack buffer */
         /* 'name' is used as the format string and the request-derived
            'val' is expanded into textBuffer with no length limit, so a
            value longer than the buffer overwrites the stack. */
         if (val != NULL) {
             sprintf( textBuffer, name, val );
         } else {
             sprintf( textBuffer, name, "NULL" );
         } /* else */
         strcat( textBuffer, "\n" );
         sapdbwa_SendBody( rep, textBuffer, strlen( textBuffer ) );
     } /* wd83ShowVal */
     -----[End: wd83ShowVal function from vwd83echo.c]

     - websql / webdbm
     Another two default services are the 'websql' and 'webdbm'
     functions; these allow a remote user to either connect to and
     execute queries or manage a database if the database name,
     username and password are known. The issue here is that this
     can potentially be utilized by someone outside of the
     enterprise to connect to other databases which are not meant
     to be publicly accessible via web applications.

     Web SQL Interface: http://127.0.0.1:85/websql
     Web Database Manager: http://127.0.0.1:85/webdbm
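As an added example (not SAP DB's or @stake's code), a bounded counterpart of the wd83ShowVal routine quoted above under waecho: the format string is fixed, the output is written with snprintf against the real buffer size, and an over-long request-derived value is refused instead of spilling onto the stack. sapdbwa_HttpReply and sapdbwa_SendBody here are stand-ins for the web-agent reply API and are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Stand-ins for the web-agent reply API (assumption: the real
 * sapdbwa_HttpReplyP is opaque; here it is a simple byte buffer). */
typedef struct { char out[2048]; size_t len; } sapdbwa_HttpReply;
typedef sapdbwa_HttpReply *sapdbwa_HttpReplyP;

static void sapdbwa_SendBody(sapdbwa_HttpReplyP rep, const char *buf, size_t n) {
    size_t room = sizeof rep->out - 1 - rep->len;
    if (n > room) n = room;
    memcpy(rep->out + rep->len, buf, n);
    rep->len += n;
    rep->out[rep->len] = '\0';
}

/* Hardened counterpart of wd83ShowVal. The quoted original used the
 * caller-supplied 'name' as the format string and sprintf/strcat with
 * no bound; here the format is fixed, 'name' is a plain label, and
 * snprintf is given the buffer size. Returns the number of bytes sent,
 * or -1 if the value would not fit (the caller can log and refuse
 * rather than echo a truncated line). */
int wd83ShowValSafe(sapdbwa_HttpReplyP rep, const char *name, const char *val) {
    char textBuffer[1024];
    int n = snprintf(textBuffer, sizeof textBuffer, "%s = %s\n",
                     name, val != NULL ? val : "NULL");
    if (n < 0 || (size_t)n >= sizeof textBuffer) return -1;
    sapdbwa_SendBody(rep, textBuffer, (size_t)n);
    return n;
}

/* Self-checks: a normal echo and an over-long request-derived value. */
int demo_echo_normal(void) {
    sapdbwa_HttpReply rep = {{0}, 0};
    int n = wd83ShowValSafe(&rep, "requestURI", "/waecho/");
    return (n == 22 && strcmp(rep.out, "requestURI = /waecho/\n") == 0) ? n : -99;
}

int demo_echo_overlong(void) {
    static char big[1500];                /* longer than textBuffer */
    sapdbwa_HttpReply rep = {{0}, 0};
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return wd83ShowValSafe(&rep, "requestURI", big);   /* -1: refused */
}
```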


[5] Web Database Manager session ID generation

Within the Web Database Manager there is the possibility of
performing a number of actions. To keep track of the session an
ID is generated, but it is not kept in a cookie as per the norm.
Instead these session IDs are stored in the URL. The manner in which
these session IDs are generated can be considered unsafe; below is a
sample which @stake took:

     http://127.0.0.1:85/webdbm/014000000000
     http://127.0.0.1:85/webdbm/015000000000
     http://127.0.0.1:85/webdbm/016000000000
     http://127.0.0.1:85/webdbm/017000000000
     http://127.0.0.1:85/webdbm/018000000000
     http://127.0.0.1:85/webdbm/019000000000
     http://127.0.0.1:85/webdbm/020000000000
 
As you can see these session IDs simply increment by 1000000000 each
time.


Vendor Response:

     @stake has contacted the vendor multiple times from August
2002 until May 2003. Below is the time line of the communication:


29-Aug-2002:    @stake confirms e-mail contact details for
                security issues
29-Aug-2002:    @stake confirms SAP doesn't support encrypted
                e-mail
29-Aug-2002:    SAP confirms they have received it and passed
                it on to the developer who wrote the code.
03-Dec-2002:    @stake gets e-mail from SAP concerning another
                security issue they have resolved and a link
                to a URL.
Dec-2002:       @stake asks for status update from SAP.
Jan-2003:       @stake asks for status update from SAP.
24-Jan-2003:    Send e-mail to SAP asking if they received
                @stake's communications.
24-Jan-2003:    @stake gets confirmation e-mail back stating
                they are still trying to get a timeline
                together.
Mar-2003:       @stake asks for time line on when these issues
                will be fixed.
31-Mar-2003:    Get e-mail saying the priority for removing
                these flaws has been shifted down again.
18-Apr-2003:    @stake sends e-mail to SAP informing them of
                our advisory policy and it has been nearly 8
                months since initial communication on the
                vulnerabilities. @stake informs SAP of four
                (4) weeks notice until we release unless
                advised of an update schedule and that @stake is
                happy to delay release until a fix is available
                if they can supply a solid date/time frame
                by which the issues will be resolved.
21-Apr-2003:    Receive confirmation e-mail that my message
                has been passed on to the people developing
                the project plan. In addition @stake is
                informed they have been notified of all of
                @stake's past e-mails.
18-May-2003:    @stake e-mails contact saying no response has
                been heard.
??-May-2003:    Inform vendor we are releasing advisory and
                supply final @stake draft with time line in.
??-Jun-2003:    SAP re-establishes contact
29-Aug-2003:    1 year since vendor notified
07-Nov-2003:    SAP releases version 7.4.03.30 which fixes all
                of the @stake reported vulnerabilities.
17-Nov-2003:    Release



Recommendation:

     If the SAP DB WWW service is not required then it should be removed
or disabled on the host in question. In addition, as part of the build
procedures, enterprises should look to remove all default services that
are not required in production systems, or adequately protect those that
are required.

In addition enterprises should look to deploy vendor patches for the above
vulnerabilities. Version 7.4.03.30 contains fixes for all vulnerabilities.


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues.  These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

  CAN-2003-0940 - web-tools directory traversal
  CAN-2003-0941 - Web Agent Administration available
  CAN-2003-0942 - overflow in Web Agent Administration
  CAN-2003-0943 - default services available in Web Agent
  CAN-2003-0944 - buffer overflow in waecho
  CAN-2003-0945 - Web Database Manager predictable session IDs

@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/

@stake Advisory Archive:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc

@stake is currently seeking application security experts to fill
several consulting positions.  Applicants should have strong
application development skills and be able to perform application
security design reviews, code reviews, and application penetration
testing.  Please send resumes to jobs@atstake.com.

Copyright 2003 @stake, Inc. All rights reserved.



    

- Vulnerability information

11654
SAP DB web-tools Default Services Information Disclosure
Information Disclosure
Loss of Confidentiality

- Vulnerability description

Unknown or Incomplete

- Timeline

2003-11-17 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete
 

 
