12/10/2007

Focus on: SAP MaxDB remote code execution

A very interesting vulnerability appeared a while ago on our marketplace and it's now time to give it the visibility it deserves.

Today we are in fact going to focus on a remote command execution vulnerability in SAP MaxDB (you can bid on it here).

The vulnerability has been reproduced on Linux machines running SAP MaxDB version 7.6.00.37 (the latest release at the time of writing) and 7.4.3.32, and on Windows machines running SAP MaxDB 7.6.00.37. Other versions may also be affected.

This vulnerability is also pretty easy to exploit: send a specially crafted request containing an arbitrary command to the listening port of the vulnerable MaxDB service, and that command is executed with the privileges of the user account running the MaxDB process (usually 'sdb' on Linux). No authentication to the database is required beyond network reachability of the service.

Granted, a database service is rarely exposed to the Internet, but inside a LAN it is not so rare to find one reachable from ordinary workstations, which makes this vulnerability perfect for a variety of corporate pentesting scenarios.
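The practical check that follows from this is whether the MaxDB listener is bound to an address other than loopback on the hosts you administer. The script below is an added example and not part of the original post: it parses the output of `ss -ltnp` on Linux and reports listening sockets of the given processes that are reachable from the network. The sample `ss` output, the port numbers in it and the process names `x_server` and `dbmsrv` (assumed here to be the MaxDB communication server and database manager server) are constructed for the example; adjust the process set to what actually runs on your hosts.

```python
import re
import subprocess
from collections import namedtuple

Listener = namedtuple("Listener", "addr port proc pid")

# One LISTEN row of `ss -ltnp` output. Columns are whitespace separated;
# the local address may be IPv4, bracketed IPv6 ([::]) or a bare '*'.
_ROW = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+?):(?P<port>\d+)\s+\S+"
    r'\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)

# Addresses that are only reachable from the host itself.
LOOPBACK_PREFIXES = ("127.", "[::1]")

# Constructed sample output, not captured from a real MaxDB host.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:7210      0.0.0.0:*         users:(("x_server",pid=1234,fd=5))
LISTEN 0      128    0.0.0.0:7200        0.0.0.0:*         users:(("x_server",pid=1234,fd=6))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=800,fd=3))
LISTEN 0      64     192.168.1.20:7210   0.0.0.0:*         users:(("dbmsrv",pid=1300,fd=4))
"""

# Assumed MaxDB process names; verify against `ps -u sdb` on your host.
MAXDB_PROCESSES = {"x_server", "dbmsrv"}


def parse_ss(output):
    """Return every LISTEN row of `ss -ltnp` output as a Listener."""
    listeners = []
    for line in output.splitlines():
        m = _ROW.match(line.strip())
        if m:
            listeners.append(
                Listener(m["addr"], int(m["port"]), m["proc"], int(m["pid"]))
            )
    return listeners


def exposed_listeners(output, process_names):
    """Listeners of the given processes bound to a non-loopback address.

    0.0.0.0, [::], '*' and any concrete interface address all count as
    exposed; only 127.x and [::1] are treated as local-only.
    """
    return [
        l for l in parse_ss(output)
        if l.proc in process_names and not l.addr.startswith(LOOPBACK_PREFIXES)
    ]


def main():
    # Use the live socket table when available, else the constructed sample.
    try:
        output = subprocess.check_output(["ss", "-ltnp"], text=True)
    except (OSError, subprocess.CalledProcessError):
        output = SAMPLE_SS_OUTPUT
    for l in exposed_listeners(output, MAXDB_PROCESSES):
        print(f"EXPOSED {l.proc}[{l.pid}] listening on {l.addr}:{l.port}")


if __name__ == "__main__":
    main()
```

Run as the database owner or root so that `ss` can resolve process names; a MaxDB listener bound to 0.0.0.0 or to an interface address is the condition under which the attack described in this post is reachable from the LAN.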

As you know, SAP AG products run on the intranets of many of the largest companies around the globe, and SAP's product line is centred on Enterprise Resource Planning (ERP).

MaxDB is one of the database platforms SAP applications can be deployed on, so every SAP installation that uses MaxDB as its database service is a candidate target.

The situation becomes really alarming when you add up the factors described above: ease of exploitation, remote reachability, the spread of the product and the confidentiality of the data held in the database. The result can be scary.

Once you can execute commands on a machine running MaxDB with the privileges of the MaxDB user, dumping the content of the whole database is trivial, since that user owns the database files.

The vulnerability is sold together with a fully working and reliable proof of concept.

Hopefully this post will help both the companies running this vulnerable SAP product, by raising their awareness, and the security companies looking for better tools.