PT-2004-1211 · Sap · Sap Db Development Tools

Published: 2004-03-16 · Updated: 2017-07-11 · CVE-2003-1033

CVSS v2.0: 7.2 (High)
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

SAP DB Development Tools versions 7.x

Description

The issue concerns the instdbmsrv and instlserver programs in SAP DB Development Tools, which trust the user-provided INSTROOT environment variable as a path when assigning setuid permissions to the lserver program. This allows local users to gain root privileges via a modified INSTROOT that points to a malicious dbmsrv or lserver program.

Recommendations

For SAP DB Development Tools versions 7.x, consider restricting access to the INSTROOT environment variable to prevent malicious modifications. As a temporary workaround, restrict the execution of the lserver program to trusted users only until a patch is available.
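
The general mitigation for this class of bug, as an added C example that is not SAP DB code: a privileged helper ignores INSTROOT when its real and effective uids differ, and accepts an install root only if every path component is root-owned and not group- or world-writable. The function names and the DEFAULT_INSTROOT path are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Hypothetical compiled-in install root (constructed placeholder path). */
#define DEFAULT_INSTROOT "/opt/example-db"

/* Trusted means: owned by root, not writable by group or others. */
int stat_is_trusted(const struct stat *st)
{
    return st->st_uid == 0 && (st->st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Check "/" and every component of an absolute path. A symlink, a ".."
   segment, or any untrusted component fails the whole path, because a
   non-root user could otherwise swap the target binary underneath. */
int path_is_trusted(const char *path)
{
    char buf[4096];
    struct stat st;
    size_t len = strlen(path);

    if (path[0] != '/' || len >= sizeof buf || strstr(path, "..") != NULL)
        return 0;
    if (lstat("/", &st) != 0 || !stat_is_trusted(&st))
        return 0;
    for (size_t i = 1; i <= len; i++) {
        if (path[i] != '/' && path[i] != '\0')
            continue;
        memcpy(buf, path, i);
        buf[i] = '\0';
        /* lstat does not follow a final symlink, so links are rejected */
        if (lstat(buf, &st) != 0 || S_ISLNK(st.st_mode) || !stat_is_trusted(&st))
            return 0;
    }
    return 1;
}

/* A setuid helper runs with euid != ruid; its environment belongs to the
   caller, so INSTROOT is ignored and the compiled-in root is used. The
   caller passes the result to path_is_trusted() before any chown/chmod. */
const char *select_instroot(const char *env_value, uid_t ruid, uid_t euid)
{
    if (ruid != euid || env_value == NULL)
        return DEFAULT_INSTROOT;
    return env_value;
}
```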


Related identifiers

CVE-2003-1033

Affected products

Sap Db Development Tools