var-200404-0022
Vulnerability from variot
The (1) instdbmsrv and (2) instlserver programs in SAP DB Development Tools 7.x trust the user-provided INSTROOT environment variable as a path when assigning setuid permissions to the lserver program, which allows local users to gain root privileges via a modified INSTROOT that points to a malicious dbmsrv or lserver program. SAP is an integrated enterprise resource planning system based on a client/server architecture and open systems; an installation includes open database tools. The SAP database program instlserver has problems handling environment variables. Local attackers can exploit this vulnerability for privilege escalation attacks and gain root user privileges. The instlserver program uses user-supplied data while still running with root privileges when it runs chmod and chown on some files. When the 'DevTool/bin/instlserver' program runs, it applies chown and chmod to the file located via the 'INSTROOT' environment variable. An attacker who builds a malicious file and stores it in the location specified by the environment variable causes that file to receive the setuid-root properties of the program, thereby escalating privileges.
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-200404-0022", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "db", "scope": "eq", "trust": 2.2, "vendor": "sap", "version": "7.4" }, { "model": "db", "scope": "eq", "trust": 2.2, "vendor": "sap", "version": "7.3.00" }, { "model": "db", "scope": "eq", "trust": 0.8, "vendor": "sap", "version": "7.4.03.27" }, { "model": 
null, "scope": "eq", "trust": 0.2, "vendor": "sap", "version": "*" } ], "sources": [ { "db": "IVD", "id": "53d9620e-204b-11e6-abef-000c29c66e3d" }, { "db": "CNVD", "id": "CNVD-2003-1115" }, { "db": "BID", "id": "7407" }, { "db": "BID", "id": "7408" }, { "db": "CNNVD", "id": "CNNVD-200404-057" }, { "db": "NVD", "id": "CVE-2003-1033" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Discovery credited to Secure Network Operations, Inc.", "sources": [ { "db": "BID", "id": "7407" }, { "db": "BID", "id": "7408" } ], "trust": 0.6 }, "cve": "CVE-2003-1033", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "author": "nvd@nist.gov", "availabilityImpact": "COMPLETE", "baseScore": 7.2, "confidentialityImpact": "COMPLETE", "exploitabilityScore": 3.9, "id": "CVE-2003-1033", "impactScore": 10.0, "integrityImpact": "COMPLETE", "severity": "HIGH", "trust": 1.0, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0" }, { "accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "SINGLE", "author": "CNVD", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 
3.1, "id": "CNVD-2003-1115", "impactScore": 6.4, "integrityImpact": "PARTIAL", "severity": "MEDIUM", "trust": 0.6, "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, { "accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "SINGLE", "author": "IVD", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 3.1, "id": "53d9620e-204b-11e6-abef-000c29c66e3d", "impactScore": 6.4, "integrityImpact": "PARTIAL", "severity": "MEDIUM", "trust": 0.2, "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P", "version": "2.9 [IVD]" } ], "cvssV3": [], "severity": [ { "author": "nvd@nist.gov", "id": "CVE-2003-1033", "trust": 1.0, "value": "HIGH" }, { "author": "CNVD", "id": "CNVD-2003-1115", "trust": 0.6, "value": "MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-200404-057", "trust": 0.6, "value": "HIGH" }, { "author": "IVD", "id": "53d9620e-204b-11e6-abef-000c29c66e3d", "trust": 0.2, "value": "HIGH" } ] } ], "sources": [ { "db": "IVD", "id": "53d9620e-204b-11e6-abef-000c29c66e3d" }, { "db": "CNVD", "id": "CNVD-2003-1115" }, { "db": "CNNVD", "id": "CNNVD-200404-057" }, { "db": "NVD", "id": "CVE-2003-1033" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "The (1) instdbmsrv and (2) instlserver programs in SAP DB Development Tools 7.x trust the user-provided INSTROOT environment variable as a path when assigning setuid permissions to the lserver program, which allows local users to gain root privileges via a modified INSTROOT that points to a malicious dbmsrv or lserver program. SAP is an integrated enterprise resource planning system based on client/server architecture and open systems, including database open tools when installed. The SAP database program instlserver has problems handling environment variables. 
Local attackers can exploit this vulnerability for privilege escalation attacks and gain root user privileges. The instlserver program uses the user-supplied data and still runs with ROOT privileges when chmod and chown some files. When running the \u0027DevTool/bin/instlserver\u0027 program, according to the environment variable \u0027INSTROOT\u0027, the specified file will be chowned and chmoded. The attacker builds a malicious file and stores it in the location specified by the environment variable, and gets a suid root. Properties of the program, thereby increasing permissions", "sources": [ { "db": "NVD", "id": "CVE-2003-1033" }, { "db": "CNVD", "id": "CNVD-2003-1115" }, { "db": "BID", "id": "7407" }, { "db": "BID", "id": "7408" }, { "db": "IVD", "id": "53d9620e-204b-11e6-abef-000c29c66e3d" } ], "trust": 2.16 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "BID", "id": "7408", "trust": 2.5 }, { "db": "NVD", "id": "CVE-2003-1033", "trust": 2.4 }, { "db": "BID", "id": "7407", "trust": 1.9 }, { "db": "CNVD", "id": "CNVD-2003-1115", "trust": 0.8 }, { "db": "CNNVD", "id": "CNNVD-200404-057", "trust": 0.8 }, { "db": "MLIST", "id": "[SAP DB DEV] 20030422 SECURITY ALERT: DEVELOPMENT TOOLS", "trust": 0.6 }, { "db": "BUGTRAQ", "id": "20030422 SRT2003-04-22-1336 - SAP DB DEVELOPMENT TOOLS INSTALL FLAW", "trust": 0.6 }, { "db": "XF", "id": "11842", "trust": 0.6 }, { "db": "IVD", "id": "53D9620E-204B-11E6-ABEF-000C29C66E3D", "trust": 0.2 } ], "sources": [ { "db": "IVD", "id": "53d9620e-204b-11e6-abef-000c29c66e3d" }, { "db": "CNVD", "id": "CNVD-2003-1115" }, { "db": "BID", "id": "7407" }, { "db": "BID", "id": "7408" }, { "db": "CNNVD", "id": "CNNVD-200404-057" }, { "db": "NVD", "id": "CVE-2003-1033" } ] }, "id": "VAR-200404-0022", "iot": { "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "IVD", "id": "53d9620e-204b-11e6-abef-000c29c66e3d" }, { "db": "CNVD", "id": "CNVD-2003-1115" } ], "trust": 0.08 }, "iot_taxonomy": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "category": [ "ICS" ], "sub_category": null, "trust": 0.8 } ], "sources": [ { "db": "IVD", "id": "53d9620e-204b-11e6-abef-000c29c66e3d" }, { "db": "CNVD", "id": "CNVD-2003-1115" } ] }, "last_update_date": "2024-08-14T15:04:48.119000Z", "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "NVD-CWE-Other", "trust": 1.0 } ], "sources": [ { "db": "NVD", "id": "CVE-2003-1033" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 1.6, "url": "http://www.securityfocus.com/bid/7407" }, { "trust": 1.6, "url": "http://www.securityfocus.com/bid/7408" }, { "trust": 1.6, "url": "http://listserv.sap.com/pipermail/sapdb.sources/2003-april/000143.html" }, { "trust": 1.2, "url": "http://marc.theaimsgroup.com/?l=bugtraq\u0026m=105103613727471\u0026w=2" }, { "trust": 1.0, "url": "http://marc.info/?l=bugtraq\u0026m=105103613727471\u0026w=2" }, { "trust": 1.0, "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/11842" }, { "trust": 0.6, "url": "http://listserv.sap.com/pipermail/sapdb.sources/2003-april/000142.html" }, { "trust": 0.6, "url": "/archive/1/319409" }, { "trust": 0.6, 
"url": "http://xforce.iss.net/xforce/xfdb/11842" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2003-1115" }, { "db": "BID", "id": "7407" }, { "db": "BID", "id": "7408" }, { "db": "CNNVD", "id": "CNNVD-200404-057" }, { "db": "NVD", "id": "CVE-2003-1033" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "IVD", "id": "53d9620e-204b-11e6-abef-000c29c66e3d" }, { "db": "CNVD", "id": "CNVD-2003-1115" }, { "db": "BID", "id": "7407" }, { "db": "BID", "id": "7408" }, { "db": "CNNVD", "id": "CNNVD-200404-057" }, { "db": "NVD", "id": "CVE-2003-1033" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2003-04-22T00:00:00", "db": "IVD", "id": "53d9620e-204b-11e6-abef-000c29c66e3d" }, { "date": "2003-04-22T00:00:00", "db": "CNVD", "id": "CNVD-2003-1115" }, { "date": "2003-04-22T00:00:00", "db": "BID", "id": "7407" }, { "date": "2003-04-22T00:00:00", "db": "BID", "id": "7408" }, { "date": "2003-04-22T00:00:00", "db": "CNNVD", "id": "CNNVD-200404-057" }, { "date": "2004-04-15T04:00:00", "db": "NVD", "id": "CVE-2003-1033" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2003-04-22T00:00:00", "db": "CNVD", "id": "CNVD-2003-1115" }, { "date": "2009-07-11T21:07:00", "db": "BID", "id": "7407" }, { "date": "2009-07-11T21:07:00", "db": "BID", "id": "7408" }, { "date": "2005-10-20T00:00:00", "db": "CNNVD", "id": "CNNVD-200404-057" }, { "date": "2017-07-11T01:29:40.777000", "db": "NVD", "id": "CVE-2003-1033" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "local", "sources": [ { "db": "BID", "id": "7407" }, { "db": 
"BID", "id": "7408" }, { "db": "CNNVD", "id": "CNNVD-200404-057" } ], "trust": 1.2 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "SAP database development tool INSTLSERVER INSTROOT environment variable vulnerability", "sources": [ { "db": "CNVD", "id": "CNVD-2003-1115" } ], "trust": 0.6 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Input validation", "sources": [ { "db": "IVD", "id": "53d9620e-204b-11e6-abef-000c29c66e3d" }, { "db": "CNNVD", "id": "CNNVD-200404-057" } ], "trust": 0.8 } }