iDefense Security Advisory 07.30.08 - Local exploitation of an untrusted path vulnerability in the "dbmsrv" program, as distributed with SAP AG's MaxDB, allow attackers to elevate privileges to that of the "sdb" user. When a local user runs the "dbmcli" program, the MaxDB executes a "dbmsrv" process on the user's behalf. The "dbmsrv" process, which is responsible for executing user commands, runs as the user "sdb" with group "sdba". This vulnerability exists due to improper sanitization of the "PATH" environment variable. By prefixing the "PATH" environment variable with a path under the attacker control, one is able to execute arbitrary code iDefense has confirmed the existence of this vulnerability in SAP MaxDB version 7.6.03.15 on Linux. Other versions may also be vulnerable. with "sdb:sdba" privileges.
158672240f8706b9c88752b0eb9e203b6dfa95613bb249e05f3a62e8c726652e