Wabisabilabi selling remote exploit for SAP
A vulnerability that affects SAP's MaxDB hasn't garnered
any bids yet on a controversial auction site for computer vulnerabilities.
If exploited, the problem would let an attacker access the entire contents
of the database, according to Wabisabilabi, which is offering proof-of-concept
code and details on its vulnerability auction site. Bidding starts at €3,000
(US$4,407).
"The result can be scary," said Wabisabilabi on its blog.
Wabisabilabi, based in Switzerland, started its vulnerability auction site
in July on the premise that security researchers aren't adequately compensated
for their work and could sell zero-day vulnerabilities on the black market.
Wabisabilabi's site lets security researchers submit vulnerabilities for auction.
Wabisabilabi said it will only sell vulnerabilities to qualified researchers
who aren't going to do anything malicious. Nonetheless, the security community
has questioned whether Wabisabilabi's business premise is ethical.
According to Wabisabilabi's blog, the MaxDB vulnerability is easy to exploit.
It affects Linux machines running the latest version of MaxDB, 7.6.00.37, and
Windows machines running version 7.6.00.37. The problem could also affect other
versions of the database.
An attacker could send a specially crafted request to the listening port of
the vulnerable MaxDB service. The command would be executed with the credentials
of the user running the process. Then, an attacker could "dump the content
of the whole database," Wabisabilabi wrote.
Wabisabilabi said it's rare to find a database running open on the Internet,
but more common within corporate intranets.
An SAP official contacted in Germany did not have an immediate comment.
IDG News Service
Symantec Backup Exec 12 and Backup Exec System Recovery 8 deliver industry leading Windows data protection and system recovery. Download this whitepaper to find out the top reasons to upgrade and how to get continuous data protection and complete system recovery.
Data and system loss — from a hard drive failure, malicious attack, natural disaster, or simple human error — can happen anytime. Don’t leave your business vulnerable. Make sure you have a secure recovery strategy in place. Symantec's latest backup and system recovery technology can efficiently restore critical applications, individual emails and documents and even restore your entire system in minutes in the event of a loss.
Businesses face a growing challenge to ensure that the IT environment is properly protected. Backup Exec 12 integrates with other applications in the Symantec family of products, to complement your current data protection strategy, keep your data securely backed up and make it recoverable when you need it most.
Crimeware: Understanding New Attacks and Defenses
By Markus Jakobsson, Zulfikar Ramzan
Published Apr 6, 2008 by Addison-Wesley Professional. Part of the Symantec Press series.
Enter now! | Official rules | Sample chapter
Securing VoIP Networks: Threats, Vulnerabilities, and Countermeasures
By Peter Thermos, Ari Takanen
Published Aug 1, 2007 by Addison-Wesley Professional.
Enter now! | Official rules | Sample chapter
