SAP sapdba Command for Informix Environment Variable Bug Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID: 1016122|
SecurityTracker URL: http://securitytracker.com/id/1016122
(Links to External Site)
Updated: Sep 1 2009|
Original Entry Date: May 18 2006
Execution of arbitrary code via local system, User access via local system|
Fix Available: Yes Vendor Confirmed: Yes |
Version(s): sapdba command for Informix version 700 up to patch number 100; and prior versions|
Leandro Meiners of CYBSEC reported a vulnerability in SAP in the sapdba command. A local user can gain elevated privileges.|
The sapdba command for Informix does not properly process environment variables. A local user to execute arbitrary commands with 'informix' user privileges.
The vendor was notified on April 20, 2006.
The original advisory is available at:
A local user can gain 'informix' user privileges.|
The vendor has issued a patch. Information is available in SAP note 944585.|
Vendor URL: www.sap.com/ (Links to External Site)
Input validation error|
|Underlying OS: Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64)|
Source Message Contents
Subject: CYBSEC - Security Pre-Advisory: Local Privilege Escalation in SAP|
(The following advisory is also available in PDF format for download at:
Pre-Advisory Name: Local Privilege Escalation in SAP sapdba Command
Vulnerability Class: Insecure Environment Variable Handling
Release Date: 05/18/2006
* sapdba command for Informix version prior to 700
* sapdba command for Informix version 700 up to patch number 100
* sapdba command for Oracle Databases
* SAP with Informix on HP-UX, Solaris, AIX, TRUE64 or Linux
Local / Remote: Local
Author: Leandro Meiners.
* Confirmed, patch released
Reference to Vulnerability Disclosure Policy:
The sapdba command is a utility provided by SAP for database
administration. Two different versions are available, one for Informix
and another for Oracle databases.
The sapdba command for Informix Databases was found to allow any UNIX
user to run arbitrary commands with informix rights at the shell level,
due to improper handling of environment variables.
Technical details will be released three months after publication of
this pre-advisory. This was agreed upon with SAP to allow their clients
to upgrade affected software prior to the technical knowledge been
Any user with login access to the SAP database server having a
vulnerable version of the sapdba command can escalate privileges to
execute arbitrary commands with the rights of the informix user.
SAP released a patch regarding this issue. Details can be found in SAP
* 04/20/2006: Initial Vendor Contact and technical details for the
vulnerabilities sent to vendor.
* 04/26/2006: Solution provided by vendor.
* 05/18/2006: Coordinate release of pre-advisory without technical
* 08/18/2006: Coordinate release of advisory with technical details.
For more information regarding the vulnerability feel free to contact
the author at lmeiners<at>cybsec.com. Please bear in mind that technical
details will be disclosed three months after the release of this
pre-advisory, so such questions won't be answered until then.
For more information regarding CYBSEC: www.cybsec.com
CYBSEC S.A. Security Systems
Tel/Fax: [54-11] 4382-1600