Secunia

Multiple vulnerabilities have been reported in SAP DB, which can be exploited by malicious users to perform a variety of attacks.

1) The file "NETAPI32.DLL" is loaded insecurely with "LoadLibrary()". This can be exploited by a malicious, local user to execute arbitrary code with escalated privileges by placing a malicious "NETAPI32.DLL" file in the current working directory.

Successful exploitation requires that the user has write access on the current working directory.

This vulnerability affects Windows systems only.

2) A boundary error in the "niserver" interface when extracting strings from connect packets can be exploited to cause a buffer overflow. This can be exploited by sending a specially crafted packet, which potentially may allow execution of arbitrary code.

3) An input validation error in the web-tools component can be exploited to conduct directory traversal attacks, which allows retrieval of arbitrary files.

4) Any user with access to web-tools can access Web Agent Administration pages directly without prior authentication. This can be exploited to configure a wide range of options.

5) A boundary error in the Web Agent Administration service can be exploited to cause a buffer overflow by supplying an overly long string to a parameter. Successful exploitation may allow execution of arbitrary code.

6) Errors in various services within Web Agent can be exploited to cause buffer overflows and connect to databases not publicly accessible.

7) The Web Database Manager generates predictable session IDs and includes them in URLs.

Solution
Update to version 7.4.03.30.
Further details available in Customer Area

Provided and/or discovered by
Ollie Whitehouse and Dino Dai Zovi, @stake.

Original Advisory
SAP DB Privilege Escalation/Remote Code Execution
http://www.atstake.com/research/advisories/2003/a111703-1.txt

Multiple Issues with SAP DB Web-tools
http://www.atstake.com/research/advisories/2003/a111703-2.txt

Deep Links
Links available in Customer Area