
Atstake Security Advisory 03-11-17.1

Atstake Security Advisory 03-11-17.1
Posted Nov 17, 2003
Authored by Atstake, Ollie Whitehouse, Dino Dai Zovi | Site atstake.com

Atstake Security Advisory A111703-1 - Using the SQLAT stored procedure, a local attacker can obtain system access by swapping the NETAPI32.DLL in the current working directory. There is also a remote buffer overflow in the niserver interface on TCP port 7629.

tags | advisory, remote, overflow, local, tcp
advisories | CVE-2003-0938, CVE-2003-0939
SHA-256 | 3fbb71973327006d5917535cafb01158647356e443df45dc5dcdececc29c125b


@stake, Inc.

Security Advisory

Advisory Name: SAP DB priv. escalation/remote code execution
Release Date: 11/17/2003
Application: SAP DB (23-June-2003) and before
Platform: Microsoft Windows NT4/2000/XP [1 and 2]
Linux (IA32) [2]
SUN Solaris [2]
HPUX [2]
Compaq True64 [2]
Severity: local priv escalation to SYSTEM on Windows
potential remote code execution
Authors: Ollie Whitehouse [ollie@atstake.com]
Dino Dai Zovi [ddaizovi@atstake.com]
Vendor Status: Vendor has patches available
CVE Candidate: CAN-2003-0938 - privilege gain via fake "NETAPI32.DLL"
CAN-2003-0939 - buffer overflow in niserver interface
Reference: www.atstake.com/research/advisories/2003/a111703-1.txt


SAP's (http://www.sapdb.org) open source database server
is a project which is sponsored by SAP AG. The database server
allows for a fast, flexible, high performance and easily administered
deployment of an enterprise level database solution.

A number of vulnerabilities exist in the core SAP DB code that allow
a local attacker on Windows machines to elevate privileges, or a
remote, unauthenticated attacker to compromise the SAP DB server on
Windows and the other supported platforms.

The vulnerabilities outlined in this advisory are good examples of
why new functionality should be evaluated for the vulnerabilities and
risks it may introduce before being deployed in a production
environment.


[1] Local Windows privilege escalation
Credit: Ollie Whitehouse

This is a common Windows (http://www.microsoft.com/windows/)
programming error in the SAP DB core code. Located within
'/V74_03_27/SAPDB_ORG/sys/src/os/vos24u.c' are the following lines
of code:

line 62: #define NET_API_DLL "NETAPI32.DLL"

The following line then allows exploitation:

line 143: hinst = LoadLibrary( NET_API_DLL );

If an attacker has write access to the current working directory of
SAP DB (which is the default, as SAP does not lock down the file
permissions on Windows NT) and can place a fake 'NETAPI32.DLL' there,
SAP DB will search the working directory first and thus load the fake
'NETAPI32.DLL', and the attacker obtains system access.

This vulnerability can be exploited via the 'SQLAT' stored procedure
on SAP DB.
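The standard mitigation for this pattern is to load the library by a fully qualified path from the system directory, so that the working-directory search at line 143 never happens. The following is an added example written for this advisory, not code from SAP DB or @stake; the helper name join_system_path and the error-handling shape are this example's own.

```c
/* Added example (not SAP DB's code): load NETAPI32.DLL from the system
 * directory by absolute path instead of the bare name used at line 143,
 * so a writable working directory cannot substitute the DLL. */
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

#define NET_API_DLL "NETAPI32.DLL"

/* Join the system directory and a DLL name into out, inserting a
 * backslash only when sysdir does not already end in one.  Returns the
 * resulting length, or -1 if out is too small (then refuse to load). */
int join_system_path(const char *sysdir, const char *dll,
                     char *out, size_t outlen)
{
    size_t dlen = strlen(sysdir);
    size_t nlen = strlen(dll);
    int need_sep = (dlen == 0 || sysdir[dlen - 1] != '\\');
    size_t total = dlen + (need_sep ? 1 : 0) + nlen;

    if (total + 1 > outlen)               /* room for the terminator too */
        return -1;
    memcpy(out, sysdir, dlen);
    if (need_sep)
        out[dlen++] = '\\';
    memcpy(out + dlen, dll, nlen + 1);    /* copies the NUL as well */
    return (int)total;
}

#ifdef _WIN32
/* Hardened replacement for 'hinst = LoadLibrary( NET_API_DLL );' at
 * line 143 of vos24u.c: an absolute path skips the working-directory
 * search entirely, so a planted NETAPI32.DLL is never considered. */
HMODULE load_net_api_dll(void)
{
    char sysdir[MAX_PATH], full[MAX_PATH];
    UINT n = GetSystemDirectoryA(sysdir, sizeof sysdir);

    if (n == 0 || n >= sizeof sysdir)     /* API failed or path truncated */
        return NULL;
    if (join_system_path(sysdir, NET_API_DLL, full, sizeof full) < 0)
        return NULL;
    return LoadLibraryA(full);
}
#endif
```

The path helper is portable and is what the checks below exercise; the Windows-only loader is compiled only under _WIN32.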

[2] Remote unauthenticated buffer overflow in 'niserver' interface
Credit: Dino Dai Zovi

In the default installation of SAP DB, the 'niserver' (on Unix) or
'serv.exe' (on Windows) process is listening on TCP port 7629
(sapdbni72) running as root or LocalSystem. This interface is used
by the SAP support team to connect to customer SAP installations.
There is a buffer overflow in the code to extract strings from the
variable-sized segment of the connect packet.

The vulnerable code is in the function eo420_GetStringFromVarPart in
/V74_03_27/SAPDB_ORG/sys/src/eo/veo420.c (all comments are @stake's):

[Code segment from: eo/veo420.c]

    ulLength = pConnectPacket->ConnectLength -
               ( sizeof (*pConnectPacket) -
                 sizeof (pConnectPacket->VarPart) );

    ulLength = MIN_EO420 ( ulLength, sizeof (pConnectPacket->VarPart)

    // @stake comment:
    // Items in the variable-sized segment are stored as:
    // [1-byte length] [1-byte type] [ data ... ]

    for ( ulPos = 0;
          ulPos < ulLength;
          ulPos += pConnectPacket->VarPart[ulPos] & 0xff )
        if ( pConnectPacket->VarPart[ulPos + 1] == StringID )
            // @stake comment:
            // Error-checking code removed for brevity; it checked that the
            // declared data length was >= 2 and < MaxStringLen and that
            // ulPos < ulLength. The string data from the packet is copied
            // without regard to the destination string length, leading to
            // a buffer overflow.
            strcpy (szString, (const char*)(pConnectPacket->VarPart + ulPos +

The variable-sized segment is limited to 256 bytes in length and the
destination string buffer is a 256-byte char array. However, if a
string in the variable-sized segment is of the maximum length and not
NULL-terminated, the strcpy will keep copying memory that follows the
end of the received packet, overrunning the bounds of the destination
buffer and leading to potential remote code execution.
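The vendor's fix, as described in the release notes further down, is to reject a connect packet whose string is not terminated by a zero byte inside its own item. The following bounds-checked extraction routine is an added example written for this advisory, not SAP DB's or @stake's code; the function name, the constants, and the sample segments are this example's own assumptions, and the VarPart item layout follows the comment above.

```c
/* Added example (not SAP DB's code): a bounds-checked version of the
 * string extraction from the connect packet's variable-sized segment.
 * Item layout as described above: [1-byte length][1-byte type][data...] */
#include <stddef.h>
#include <string.h>

#define VARPART_SIZE   256   /* variable-sized segment of the connect packet */
#define MAX_STRING_LEN 256   /* size of the destination char array */

/* Find the item of type StringID in a variable-sized segment of ulLength
 * bytes and copy its string into szString (MAX_STRING_LEN bytes).
 * Returns 1 on success, 0 if no such item exists, and -1 if the segment
 * is malformed, in which case the connect packet must be rejected. */
int get_string_from_varpart(const unsigned char *varpart, size_t ulLength,
                            unsigned char StringID, char *szString)
{
    size_t ulPos = 0;

    if (ulLength > VARPART_SIZE)          /* same clamp as MIN_EO420 */
        ulLength = VARPART_SIZE;

    while (ulPos + 2 <= ulLength) {       /* a full [length][type] header */
        size_t itemLen = varpart[ulPos];  /* declared length, header incl. */

        /* Length 0 or 1 would never advance (or overlap the header); a
         * length past the segment end would read beyond the packet. */
        if (itemLen < 2 || ulPos + itemLen > ulLength)
            return -1;

        if (varpart[ulPos + 1] == StringID) {
            const unsigned char *data = varpart + ulPos + 2;
            size_t dataLen = itemLen - 2;

            /* The vendor's fix: the string must end with a zero byte inside
             * its own item, so the copy can never run past the packet. */
            if (dataLen == 0 || memchr(data, '\0', dataLen) == NULL)
                return -1;
            if (dataLen > MAX_STRING_LEN) /* cannot exceed the destination */
                return -1;
            memcpy(szString, data, dataLen);  /* terminator is included */
            return 1;
        }
        ulPos += itemLen;
    }
    /* A dangling single byte at the end is also a malformed segment. */
    return (ulPos == ulLength) ? 0 : -1;
}
```

A maximum-length item without a terminating zero byte, the case the advisory describes, is rejected with -1 before any copy takes place.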

Vendor Response:

@stake contacted the vendor multiple times during September 2003.
Below is the timeline of the communication:

03-Sep-2003: @stake informs vendor
07-Nov-2003: SAP releases version which fixes
all of the @stake reported vulnerabilities.
17-Nov-2003: Release

The vendor has patches and a new version available.

From the vendor release notes:

PTS: 1124004 since:

Bug fixed:
1) Preconditions and circumstances
This is a security fix. It protects against potential
buffer overflow using a specialized 'intrusion' program,
that could
execute code on behalf of the owner of 'niserver' or
The possible attack position is inside common used code
shared between all platforms.
2) Probability that the error occurs
low (no such program was ever known of, but the code would
allow to write it...). If such a program was written: 100%
3) Solution to the problem
The copy routine is modified to check the string for being
correctly terminated by a zero byte. If not, the connection
packet is rejected.
4) Visibility
it depends on the action taken by the intruder's coding...
5) Workaround


If you are running on the Windows platform, make sure that the
permissions on the SAP DB working directory are set so that only
administrators have write access. This is not the default.

On all platforms, TCP port 7629 (the niserver service) should be
filtered by a network or host based firewall so that only those
machines that need to connect to the niserver service can do so.

Enterprises should upgrade to the latest version of SAP DB, which
fixes these vulnerabilities. It is available at:


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

CAN-2003-0938 - privilege gain via fake "NETAPI32.DLL"
CAN-2003-0939 - buffer overflow in niserver interface

@stake Vulnerability Reporting Policy:

@stake Advisory Archive:

PGP Key:

@stake is currently seeking application security experts to fill
several consulting positions. Applicants should have strong
application development skills and be able to perform application
security design reviews, code reviews, and application penetration
testing. Please send resumes to jobs@atstake.com.

Copyright 2003 @stake, Inc. All rights reserved.
