About CVE-2015-8518: SAP Adaptive Server Enterprise Extended Stored Procedure Unauthorized Invocation

SAP released an update for SAP ASE 16.0 and 15.7 that addresses a serious security flaw discovered by Martin Rakhmanov, lead security researcher at Trustwave, that has been around for a long time. Suppose there is a user joe in Adaptive Server Enterprise that can access his database Customers and can create stored procedures within that database. In that case joe can exploit a vulnerability that will create a 'copy' of system extended stored procedure in Customers database and then invoke them. Essentially this means joe can redefine xp_cmdshell system extended stored procedure in Customers for instance and then invoke it. On invocation Adaptive Server Enterprise will trigger execution of real ESP code. Here is a proof-of-concept:

  1. Connect to Adaptive Server Enterprise as joe and switch database context to Customers database

  2. Execute this T-SQL code:

    Create_procedure

  3. Now execute xp_cmdshell with some arguments. Note that even though it might fail due to system configuration setting 'xp_cmdshell context', this is still a vulnerability because the setting might be non-default on some systems. Additionally, joe can redefine any other ESP as well.

What did SAP do in the patch to address this issue? Now if we retry the POC against 16.0 SP02 PL01 HF1 there will be an error message given back for the attempt to create ESP in user database:

Msg 2851, Level 16, State 2:
Server '...', Procedure 'xp_cmdshell', Line 1:
Cannot create or replace system extended stored procedure
'xp_cmdshell' in database 'Customers'. Dynamic linked library
'sybsyesp' may only be referenced in 'xp_cmdshell' and 'xp_freedll'
system extended stored procedures created by the database owner of
'sybsystemprocs'.

Adaptive Server Enterprise versions having a fix for this issue: 15.7 SP136 and 16.0 SP02 PL01 HF1. Note that there will be no fix for unsupported versions (12.5, 15.0, 15.5).

SAP security note: https://websmp230.sap-ag.de/sap/support/notes/2240755

Trustwave security advisory: https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-023/?fid=7348

As usual, Trustwave database security products protect your databases against this and many other threats: please update to the latest version of AppDetectivePro/DbProtect knowledgebase to get latest detection logic.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.