A controversial auction site is trying to sell a vulnerability that affects SAP's MaxDB.


If exploited, the problem would let an attacker access the entire contents of the database, according to Wabisabilabi, which is offering proof-of-concept code and details on its vulnerability auction site. Bidding starts at €3,000 (US$4,407).

"The result can be scary," said Wabisabilabi on its blog.
http://wabisabilabi.blogspot.com/2007/12/focus-on-sap-maxdb-remote-code.html

Wabisabilabi, based in Switzerland, started its vulnerability auction site in July on the premise that security researchers aren't adequately compensated for their work and could sell zero-day vulnerabilities on the black market.

Wabisabilabi's site lets security researchers submit vulnerabilities for auction. Wabisabilabi said it will only sell vulnerabilities to qualified researchers who aren't going to do anything malicious. Nonetheless, the security community has questioned whether Wabisabilabi's business premise is ethical.

According to Wabisabilabi's blog, the MaxDB vulnerability is easy to exploit. It affects Linux machines running the latest version of MaxDB, 7.6.00.37, and Windows machines running version 7.6.00.37. The problem could also affect other versions of the database.

An attacker could send a specially crafted request to the listening port of the vulnerable MaxDB service. The command would be executed with the credentials of the user running the process. Then, an attacker could "dump the content of the whole database," Wabisabilabi wrote.

Wabisabilabi said it's rare to find a database running open on the Internet, but more common within corporate intranets.

The vulnerability appears not to have attracted any bids so far. An SAP official contacted in Germany did not have an immediate comment.