Vulnerability in the MaxDB database system
A serious vulnerability has been discovered in the relational database management system MaxDB developed by SAP. According to security expert Luigi Auriemma, who discovered the problem, attackers can remotely issue system commands without prior authentication, allowing them to take control of servers. The flaw affects all versions up to and including 7.6.03 build 007.
According to Auriemma, MaxDB executes certain database commands by passing them to the cons.exe console utility through the system() function call in an unsafe fashion – two examples are the show and exec_sdbinfo queries. Because the request text reaches the shell unfiltered, attackers can append arbitrary commands, which are then executed on the system. Auriemma gives the following command as an example: exec_sdbinfo && echo dir c:\ | cmd.exe which does not require authenticated database access.
Auriemma also provides further proof-of-concept exploit code on his website, which puts unsecured MaxDB installations at severe risk of attack. An updated version of the database has not yet been released by vendor SAP. MaxDB admins should limit network access to the database server to trusted computers until a fix is available.
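To illustrate the bug class behind this report, here is an added example (not MaxDB or SAP code) contrasting the unsafe pattern, a request string spliced into a system() command line, with a hardened dispatcher that checks the subcommand against an allowlist and spawns the console tool without a shell. It is written for POSIX so that it runs here; the allowlist names are assumed and modelled on the show and exec_sdbinfo commands mentioned above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Assumed allowlist of console subcommands the server will forward. */
static const char *const ALLOWED[] = { "show", "exec_sdbinfo", NULL };

/* Unsafe pattern: the request text becomes part of one shell command line.
 * A request such as "exec_sdbinfo && ..." reaches the shell verbatim, and the
 * shell treats "&&" as a command separator. Shown for contrast only. */
void vulnerable_dispatch(const char *request) {
    char cmdline[512];
    snprintf(cmdline, sizeof cmdline, "cons.exe %s", request);
    system(cmdline);   /* shell parses metacharacters inside request */
}

/* Hardened check: accept only an exact allowlisted subcommand.
 * Returns 1 if the request is allowed, 0 otherwise. */
int request_is_allowed(const char *request) {
    if (request == NULL) return 0;
    for (size_t i = 0; ALLOWED[i] != NULL; i++) {
        if (strcmp(request, ALLOWED[i]) == 0) return 1;
    }
    return 0;
}

/* Hardened dispatch: no shell involved. The subcommand is passed to the
 * console tool as a discrete argv element via fork/execvp, so "&&", "|",
 * ";" and similar can never act as operators. Returns the child's exit
 * status, or -1 if the request was rejected or the spawn failed. */
int safe_dispatch(const char *console_path, const char *request) {
    if (!request_is_allowed(request)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)console_path, (char *)request, NULL };
        execvp(console_path, argv);
        _exit(127);            /* only reached if exec fails */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The test below uses /bin/true as a stand-in for the console tool; a real deployment would point console_path at the actual utility.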