VAR-200404-0022
Vulnerability from variot - Updated: 2023-12-18 12:14The (1) instdbmsrv and (2) instlserver programs in SAP DB Development Tools 7.x trust the user-provided INSTROOT environment variable as a path when assigning setuid permissions to the lserver program, which allows local users to gain root privileges via a modified INSTROOT that points to a malicious dbmsrv or lserver program. SAP is an integrated enterprise resource planning system based on client/server architecture and open systems, including database open tools when installed. The SAP database program instlserver has problems handling environment variables. Local attackers can exploit this vulnerability for privilege escalation attacks and gain root user privileges. The instlserver program uses the user-supplied data and still runs with ROOT privileges when chmod and chown some files. When running the 'DevTool/bin/instlserver' program, according to the environment variable 'INSTROOT', the specified file will be chowned and chmoded. The attacker builds a malicious file and stores it in the location specified by the environment variable, and gets a suid root. Properties of the program, thereby increasing permissions
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-200404-0022",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "db",
"scope": "eq",
"trust": 2.2,
"vendor": "sap",
"version": "7.4"
},
{
"model": "db",
"scope": "eq",
"trust": 2.2,
"vendor": "sap",
"version": "7.3.00"
},
{
"model": "db",
"scope": "eq",
"trust": 0.8,
"vendor": "sap",
"version": "7.4.03.27"
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "sap",
"version": "*"
}
],
"sources": [
{
"db": "IVD",
"id": "53d9620e-204b-11e6-abef-000c29c66e3d"
},
{
"db": "CNVD",
"id": "CNVD-2003-1115"
},
{
"db": "BID",
"id": "7407"
},
{
"db": "BID",
"id": "7408"
},
{
"db": "NVD",
"id": "CVE-2003-1033"
},
{
"db": "CNNVD",
"id": "CNNVD-200404-057"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:sap:sap_db:7.3.00:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:sap:sap_db:7.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2003-1033"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Discovery credited to Secure Network Operations, Inc.",
"sources": [
{
"db": "BID",
"id": "7407"
},
{
"db": "BID",
"id": "7408"
}
],
"trust": 0.6
},
"cve": "CVE-2003-1033",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 3.9,
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"obtainAllPrivilege": true,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "SINGLE",
"author": "CNVD",
"availabilityImpact": "PARTIAL",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 3.1,
"id": "CNVD-2003-1115",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "SINGLE",
"author": "IVD",
"availabilityImpact": "PARTIAL",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 3.1,
"id": "53d9620e-204b-11e6-abef-000c29c66e3d",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.2,
"vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.9 [IVD]"
}
],
"cvssV3": [],
"severity": [
{
"author": "NVD",
"id": "CVE-2003-1033",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "CNVD",
"id": "CNVD-2003-1115",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-200404-057",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "IVD",
"id": "53d9620e-204b-11e6-abef-000c29c66e3d",
"trust": 0.2,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "IVD",
"id": "53d9620e-204b-11e6-abef-000c29c66e3d"
},
{
"db": "CNVD",
"id": "CNVD-2003-1115"
},
{
"db": "NVD",
"id": "CVE-2003-1033"
},
{
"db": "CNNVD",
"id": "CNNVD-200404-057"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The (1) instdbmsrv and (2) instlserver programs in SAP DB Development Tools 7.x trust the user-provided INSTROOT environment variable as a path when assigning setuid permissions to the lserver program, which allows local users to gain root privileges via a modified INSTROOT that points to a malicious dbmsrv or lserver program. SAP is an integrated enterprise resource planning system based on client/server architecture and open systems, including database open tools when installed. The SAP database program instlserver has problems handling environment variables. Local attackers can exploit this vulnerability for privilege escalation attacks and gain root user privileges. The instlserver program uses the user-supplied data and still runs with ROOT privileges when chmod and chown some files. When running the \u0027DevTool/bin/instlserver\u0027 program, according to the environment variable \u0027INSTROOT\u0027, the specified file will be chowned and chmoded. The attacker builds a malicious file and stores it in the location specified by the environment variable, and gets a suid root. Properties of the program, thereby increasing permissions",
"sources": [
{
"db": "NVD",
"id": "CVE-2003-1033"
},
{
"db": "CNVD",
"id": "CNVD-2003-1115"
},
{
"db": "BID",
"id": "7407"
},
{
"db": "BID",
"id": "7408"
},
{
"db": "IVD",
"id": "53d9620e-204b-11e6-abef-000c29c66e3d"
}
],
"trust": 2.16
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "BID",
"id": "7408",
"trust": 2.5
},
{
"db": "NVD",
"id": "CVE-2003-1033",
"trust": 2.4
},
{
"db": "BID",
"id": "7407",
"trust": 1.9
},
{
"db": "CNVD",
"id": "CNVD-2003-1115",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-200404-057",
"trust": 0.8
},
{
"db": "MLIST",
"id": "[SAP DB DEV] 20030422 SECURITY ALERT: DEVELOPMENT TOOLS",
"trust": 0.6
},
{
"db": "BUGTRAQ",
"id": "20030422 SRT2003-04-22-1336 - SAP DB DEVELOPMENT TOOLS INSTALL FLAW",
"trust": 0.6
},
{
"db": "XF",
"id": "11842",
"trust": 0.6
},
{
"db": "IVD",
"id": "53D9620E-204B-11E6-ABEF-000C29C66E3D",
"trust": 0.2
}
],
"sources": [
{
"db": "IVD",
"id": "53d9620e-204b-11e6-abef-000c29c66e3d"
},
{
"db": "CNVD",
"id": "CNVD-2003-1115"
},
{
"db": "BID",
"id": "7407"
},
{
"db": "BID",
"id": "7408"
},
{
"db": "NVD",
"id": "CVE-2003-1033"
},
{
"db": "CNNVD",
"id": "CNNVD-200404-057"
}
]
},
"id": "VAR-200404-0022",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "IVD",
"id": "53d9620e-204b-11e6-abef-000c29c66e3d"
},
{
"db": "CNVD",
"id": "CNVD-2003-1115"
}
],
"trust": 0.08
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"ICS"
],
"sub_category": null,
"trust": 0.8
}
],
"sources": [
{
"db": "IVD",
"id": "53d9620e-204b-11e6-abef-000c29c66e3d"
},
{
"db": "CNVD",
"id": "CNVD-2003-1115"
}
]
},
"last_update_date": "2023-12-18T12:14:16.312000Z",
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "NVD-CWE-Other",
"trust": 1.0
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2003-1033"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.6,
"url": "http://listserv.sap.com/pipermail/sapdb.sources/2003-april/000143.html"
},
{
"trust": 1.6,
"url": "http://www.securityfocus.com/bid/7407"
},
{
"trust": 1.6,
"url": "http://www.securityfocus.com/bid/7408"
},
{
"trust": 1.2,
"url": "http://marc.theaimsgroup.com/?l=bugtraq\u0026m=105103613727471\u0026w=2"
},
{
"trust": 1.0,
"url": "http://marc.info/?l=bugtraq\u0026m=105103613727471\u0026w=2"
},
{
"trust": 1.0,
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/11842"
},
{
"trust": 0.6,
"url": "http://listserv.sap.com/pipermail/sapdb.sources/2003-april/000142.html"
},
{
"trust": 0.6,
"url": "/archive/1/319409"
},
{
"trust": 0.6,
"url": "http://xforce.iss.net/xforce/xfdb/11842"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2003-1115"
},
{
"db": "BID",
"id": "7407"
},
{
"db": "BID",
"id": "7408"
},
{
"db": "NVD",
"id": "CVE-2003-1033"
},
{
"db": "CNNVD",
"id": "CNNVD-200404-057"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "IVD",
"id": "53d9620e-204b-11e6-abef-000c29c66e3d"
},
{
"db": "CNVD",
"id": "CNVD-2003-1115"
},
{
"db": "BID",
"id": "7407"
},
{
"db": "BID",
"id": "7408"
},
{
"db": "NVD",
"id": "CVE-2003-1033"
},
{
"db": "CNNVD",
"id": "CNNVD-200404-057"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2003-04-22T00:00:00",
"db": "IVD",
"id": "53d9620e-204b-11e6-abef-000c29c66e3d"
},
{
"date": "2003-04-22T00:00:00",
"db": "CNVD",
"id": "CNVD-2003-1115"
},
{
"date": "2003-04-22T00:00:00",
"db": "BID",
"id": "7407"
},
{
"date": "2003-04-22T00:00:00",
"db": "BID",
"id": "7408"
},
{
"date": "2004-04-15T04:00:00",
"db": "NVD",
"id": "CVE-2003-1033"
},
{
"date": "2003-04-22T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200404-057"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2003-04-22T00:00:00",
"db": "CNVD",
"id": "CNVD-2003-1115"
},
{
"date": "2009-07-11T21:07:00",
"db": "BID",
"id": "7407"
},
{
"date": "2009-07-11T21:07:00",
"db": "BID",
"id": "7408"
},
{
"date": "2017-07-11T01:29:40.777000",
"db": "NVD",
"id": "CVE-2003-1033"
},
{
"date": "2005-10-20T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200404-057"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "local",
"sources": [
{
"db": "BID",
"id": "7407"
},
{
"db": "BID",
"id": "7408"
},
{
"db": "CNNVD",
"id": "CNNVD-200404-057"
}
],
"trust": 1.2
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "SAP database development tool INSTLSERVER INSTROOT environment variable vulnerability",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2003-1115"
}
],
"trust": 0.6
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Input validation",
"sources": [
{
"db": "IVD",
"id": "53d9620e-204b-11e6-abef-000c29c66e3d"
},
{
"db": "CNNVD",
"id": "CNNVD-200404-057"
}
],
"trust": 0.8
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…