SAPのMaxDBに脆弱性が存在して万度が実行できるみたい。

Local exploitation of an untrusted path vulnerability in the "dbmsrv" program, as distributed with SAP AG's MaxDB, allow attackers to elevate privileges to that of the "sdb" user.

When a local user runs the "dbmcli" program, the MaxDB executes a "dbmsrv" process on the user's behalf. The "dbmsrv" process, which is responsible for executing user commands, runs as the user "sdb" with group "sdba".

This vulnerability exists due to improper sanitization of the "PATH" environment variable. By prefixing the "PATH" environment variable with a path under the attacker control, one is able to execute arbitrary code with "sdb:sdba" privileges.

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=729