System Takeover Through New SAP ASE Vulnerabilities
For the last several years there have been relatively few security patches for SAP Adaptive Server Enterprise (ASE). New security research conducted by Trustwave revealed a bunch of vulnerabilities in the current version of SAP’s flagship relational database product. Historically, SAP ASE is widely used by the financial sector in the US and other countries. SAP claimed once that SAP Sybase ASE powers mission-critical applications for 24 of the world’s top 25 banks. As discussed further, the vulnerabilities allow unprivileged users to gain complete control of the database and even underlying operating system in some cases.
Trustwave did look for vulnerabilities in SAP ASE in the past and has multiple advisories published on that:
- Improper Input Validation Vulnerability in SAP Adaptive Server Enterprise
- SQL Injection Vulnerability in SAP Adaptive Server Enterprise
- Unrestricted File Creation vulnerability in SAP Adaptive Server Enterprise
- Information Disclosure vulnerability in SAP ASE Installer
- SQL injection vulnerability in SAP ASE
- Missing authorization check in SAP Adaptive Server Enterprise
- Multiple Vulnerabilities in SAP Adaptive Server Enterprise
- "probe" login access vulnerability in SAP ASE
- Privilege Escalation Vulnerability and Potential Remote Code Execution in SAP Adaptive Server Enterprise
Recently we decided to look into new functions of the product and performed another round of security testing. Detailed research of the product running on Windows and Linux systems discovered several issues, some unique to each operating system as well as some applicable to any underlying platform. We've focused on the latest version which was ASE 16 SP03 PL08 but it should be noted that older versions are also vulnerable to many of the flaws mentioned below: for details see respective SAP Security Notes. Overall the latest update published by SAP includes fixes for seven security vulnerabilities in Adaptive Server Enterprise, six of which were discovered by us and will be discussed in detail in this post. The most critical one has a CVSS score of 9.1.
Let's go over the issues found.
Arbitrary code execution via Backup Server flaws by database owners
CVE-2020-6248 : CVSS 9.1
During database backup operations, there are no security checks for overwriting critical configuration files. That means anyone who can run the DUMP command (e.g. database owners) can perform very dangerous tasks. One specific example is corrupting the Backup Server configuration file with a simple command (Windows variant, replace the path for Linux/UNIX):
dump database mydb to 'C:\SAP\ASESERVER_BS.cfg' with init
What does this allow us to do? On the next Backup Server restart, the corruption of configuration file will be detected by the server and it will replace the configuration with the default one. And the default configuration allows anyone to connect to the Backup Server using the
sa login and an empty password! The next step would be to change the
sybmultbuf_binary Backup Server setting to point to an executable of the attacker’s choice with:
C:\SAP\OCS-16_0\bin\isql.exe -S ASESERVER_BS -U sa
SET sybmultbuf_binary C:\WINDOWS\notepad.exe
Subsequent DUMP commands will now trigger the execution of the attacker’s executable. If SAP ASE is running on Windows, the code will run as LocalSystem by default. Here’s the attack in action:
Default installation of SAP ASE 16 with Cockpit on Windows leaves critical SQL Anywhere configuration file world-readable
CVE-2020-6252 : CVSS 9.0
This one is very simple, yet it only affects Windows installations of the SAP ASE 16. In short, there is a small helper database (SQL Anywhere) used by the Cockpit component of SAP ASE installation and that helper runs as LocalSystem by default. The problem is that the password to login into the helper database is in a configuration file that is readable by Everyone on Windows:
NT AUTHORITY\Authenticated Users:(I)(M)
This means any valid Windows user can grab the file and recover the password to login to the helper SQL Anywhere database as the special user
utility_db and then issue commands like
CREATE ENCRYPTED FILE to overwrite operating system files (remember, the helper database runs as LocalSystem by default!) and possibly cause code execution with LocalSystem privileges.
CVE-2020-6241 : CVSS 8.8
Global temporary tables were introduced in an update to ASE 16 and unfortunately have a flaw in handling DDL statements around it. This means any valid database user (i.e. anyone who can connect to the server, regardless of the privileges granted to that user, even a user with no special privileges) can quickly gain database administrator access as shown below (example assumes the attacker uses login
CREATE GLOBAL TEMPORARY TABLE [g add m int null grant role sa_role to james--] (id int)
INSERT INTO [g add m int null grant role sa_role to james--] VALUES (1337)
ALTER TABLE [g add m int null grant role sa_role to james--] SET TRANSFER TABLE ON
-- Observe the sa_role granted
Arbitrary code execution as LocalSystem via XP Server flaw
CVE-2020-6243 : CVSS 8.0
Playing with different commands to launch the XP Server from within an unprivileged database connection, the following was discovered:
No matter what privileges are granted to the database user executing the above statement and the fact that there is no extended stored procedure named
dummy_esp registered, the XP Server will try to load and execute the file
C:\SAP\.DLL in case of default installation on Windows! We also would like to point out that this location is writable by default to authenticated users:
NT AUTHORITY\Authenticated Users:(I)(M)
NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
In the end, this flaw allows authenticated Windows users to gain arbitrary code execution as LocalSystem if they can connect to the SAP ASE.
Privilege escalation via SQL injection in DROP SERVICE handling code
CVE-2020-6253 : CVSS 7.2
Another internal SQL injection, this time in the WebServices handling code. This can only be leveraged by database owners since the flaw involves loading a database dump, but in the end, we get database administrator access. The attack is two-stage: first on an attacker-controlled ASE, a dump is created so that it contains malicious system table entry. Next, the dump is loaded on ASE being attacked so that the internal SQL injection happens during the processing of the malformed entry from the dump. For detailed POC please see Trustwave’s advisory since it’s quite long.
Adaptive Server Enterprise server build logs contain cleartext passwords
CVE-2020-6250 : CVSS 6.8
The last one is cleartext passwords found in the installation logs believe it or not! It only affects Linux/UNIX installations:
[sap@HOST ~]$ ls -l $SYBASE/$SYBASE_ASE/init/logs/srvbuild0325.*
-rw-------. 1 sap sap 10587 Mar 25 12:22 /opt/sap/ASE-16_0/init/logs/srvbuild0325.005
Wed Mar 25 12:22:05 2020: (SQL command) exec sp_addexternlogin loopback, sa, sa, 'TopSecretPassword'
do_configure_baldr = yes
baldr_management_password = TopSecretPassword
saptoolsdb_device_physical_name = /opt/sap/data/saptoolsdata.dat
The logs are only readable to the SAP account, but will completely compromise the SAP ASE when joined with some other issue that allows filesystem access.
Organizations often store their most critical data in databases, which, in turn, are often necessarily exposed in untrusted or publicly exposed environments. This makes vulnerabilities like these essential to address and test quickly since they not only threaten the data in the database but potentially the full host that it is running on.
Trustwave responsibly disclosed the findings to the vendor and SAP released patches for both ASE 15.7 and 16.0 at the end of April 2020. There is no question those patches should be applied immediately if you haven't already.
Trustwave database security products will receive updates to look for the SAP patches shortly.
Trustwave Advisory TWSL2020-002: https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=27168