Error 1152820: DBMServer


Message Data

Reported: 76.03.15
Settlement: Delivered
Delivered: 76.03.15
Created: 2008-01-17
Processed: 2008-01-17
Completed: 2008-01-17
Affected OS: All

Message Texts


Description

remote exploit

The DBMServer passes unchecked arguments to the C runtime call system(), which uses the operating system shell. Using shell control characters as arguments for an affected DBMServer command makes it possible to execute something on the server node with the privileges of the DBMServer process. See also http://www.milw0rm.com/exploits/4877

Affected DBMServer commands:
  exec_sdbinfo (without DBM authentication)
  show
  db_cons
  exec_xpu
  trace_prot
  exec_lcinit
  load_lcapps
  load_tutorial
  load_systab

Solution

Implement a positive check for the arguments given by the user:
  exec_sdbinfo - check for {"-all", "-help", "-v"}; reject others
  trace_prot - check for {A...Z, a...z}; reject others
  exec_xpu - check for {A...Z, a...z, 0...9, <space>, -}; reject others
  show - check for {A...Z, a...z, 0...9, _, <space>}; reject others
  db_cons - check for {A...Z, a...z, 0...9, _, <space>}; reject others
  load_lcapps - check SAP user (stored in UPC or given by arguments) and SYSDBA (stored in UPC) for "simple identifier" (defined by SQL syntax)
  exec_lcinit - check for {"init", "restart", "register", "slow", "stop", "shutdown", "debug", "-e", "ascii", "unicode", "-uDBM", "-uDBA", "-uSQL", "-ud"} and ignore others (do not reject!); check users (stored in UPC or given by arguments) for "simple identifier" (defined by SQL syntax)
  load_tutorial - check SYSDBA (stored in UPC) for "simple identifier" (defined by SQL syntax)
  load_systab - check SYSDBA (stored in UPC) for "simple identifier" (defined by SQL syntax)

The user check for the several users may be disabled by adding a line manually to the dbm.cfg in the RUNDIRECTORY of a database. Please add exactly (with 3 spaces) the line SECURITY_NOUSRCHK =1
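The allowlist checks listed in the solution, written out in C as an added example. This is illustrative code, not SAP's DBMServer source: the function names, the only_allowed helper, the filter interface for exec_lcinit, the constructed sample inputs and the exact "simple identifier" rule used here (a leading letter followed by up to 31 letters, digits or underscores) are all assumptions, since the page only refers to the SQL syntax without spelling it out.

```c
/* Added example: positive (allowlist) argument checks of the kind the solution
 * above describes, applied before an argument may reach system().
 * Not SAP's DBMServer code; names and the identifier rule are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Explicit ASCII ranges, independent of the C locale. */
static bool is_letter(char c) { return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z'); }
static bool is_digit(char c)  { return c >= '0' && c <= '9'; }

/* Every character must be a letter, a digit (if allowed) or one of `extra`.
 * Empty arguments are rejected; anything outside the allowlist, including
 * shell control characters such as '&', '|', ';', '`' and '$', fails. */
static bool only_allowed(const char *s, bool digits, const char *extra) {
    if (s == NULL || *s == '\0') return false;
    for (; *s != '\0'; s++) {
        if (is_letter(*s)) continue;
        if (digits && is_digit(*s)) continue;
        if (extra != NULL && strchr(extra, *s) != NULL) continue;
        return false;
    }
    return true;
}

/* exec_sdbinfo: only the three literal options are accepted, reject others. */
bool check_exec_sdbinfo(const char *arg) {
    static const char *const allowed[] = { "-all", "-help", "-v" };
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (strcmp(arg, allowed[i]) == 0) return true;
    return false;
}

/* trace_prot: letters only. */
bool check_trace_prot(const char *arg) { return only_allowed(arg, false, ""); }

/* exec_xpu: letters, digits, space and '-'. */
bool check_exec_xpu(const char *arg) { return only_allowed(arg, true, " -"); }

/* show and db_cons share the same rule: letters, digits, '_' and space. */
bool check_show_or_db_cons(const char *arg) { return only_allowed(arg, true, "_ "); }

/* "Simple identifier" as assumed here: a letter followed by up to 31 letters,
 * digits or underscores (assumption; the page only cites the SQL syntax). */
bool is_simple_identifier(const char *s) {
    if (s == NULL || !is_letter(s[0])) return false;
    size_t n = strlen(s);
    if (n > 32) return false;
    for (size_t i = 1; i < n; i++)
        if (!is_letter(s[i]) && !is_digit(s[i]) && s[i] != '_') return false;
    return true;
}

/* exec_lcinit: keep known options and silently drop everything else, because
 * the solution says to ignore unknown options rather than reject the command.
 * Pointers to the surviving options are stored in `kept`; returns their count. */
size_t filter_exec_lcinit(const char *const *args, size_t nargs,
                          const char **kept, size_t cap) {
    static const char *const known[] = { "init", "restart", "register", "slow",
        "stop", "shutdown", "debug", "-e", "ascii", "unicode", "-uDBM", "-uDBA",
        "-uSQL", "-ud" };
    size_t n = 0;
    for (size_t i = 0; i < nargs && n < cap; i++)
        for (size_t k = 0; k < sizeof known / sizeof known[0]; k++)
            if (strcmp(args[i], known[k]) == 0) { kept[n++] = args[i]; break; }
    return n;
}

/* Constructed sample for exec_lcinit: three valid options and one token that
 * carries shell control characters. Only the three valid ones survive. */
size_t demo_exec_lcinit_kept(void) {
    static const char *const sample[] = { "init", "-uDBM", "slow && echo x", "ascii" };
    const char *kept[4];
    return filter_exec_lcinit(sample, 4, kept, 4);
}
```

The design point is that every check is positive: the code enumerates what is acceptable and rejects (or, for exec_lcinit, drops) everything else, rather than trying to blacklist individual shell metacharacters, which is the pattern that fails across shells and platforms.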
 

Patch Information

Appearance: The DBMServer gives an attacker the possibility to execute OS commands via a DBMServer command on the database server. There are also some additional checks which check the names of users and their passwords that are given to an external call. This check rejects users whose names or passwords contain shell control characters. You may disable this check by adding a line manually to the dbm.cfg file in the rundirectory of the database. Please add exactly (with 3 spaces) this line: SECURITY_NOUSRCHK =1

Preconditions and circumstances: The attacker uses an exploit like "exec_sdbinfo && echo dir c:\ | cmd.exe". See also http://www.milw0rm.com/exploits/4877.

Workaround: Use a firewall to give only trusted nodes network access to your database server on the MaxDB port (7210). You can also change the MaxDB port, but this does not block an attacker who scans the open ports beforehand.

Links

Id: 1152814
Type: Error
Description: remote exploit The DBMServer gives unchecked arguments to the C runtime call...
Settlement: 76.05.03
Planned Delivery: 4