How to exploit SAP ASE security vulnerability to invade database server
A series of new serious vulnerabilities exist in SAP's Sybase database software. Attackers without permissions can use these vulnerabilities to completely control the target database and, in some scenarios, even completely control the underlying operating system.
The six security vulnerabilities, discovered by cybersecurity firm Trustwave, exist in Sybase Adaptive Server Enterprise (ASE), relational database management software for transaction-based applications.
The cybersecurity company said the vulnerabilities specifically affect the operating system and the entire platform and were discovered during a security test of the product.
CVE-2020-6248 is the most serious vulnerability among them, with a CVSS score of 9.1. An attacker can use this vulnerability to execute malicious commands during database backup.
Trustwave researchers noted in the report that "there are no security checks for overwriting critical configuration files during database backup operations, meaning that anyone who can run the DUMP command (such as the database owner) can perform very dangerous tasks."
The second vulnerability (CVE-2020-6252) affects ASE Cockpit, a web-based management console used to monitor the status and availability of ASE servers. This vulnerability only affects the ASE 16 Windows version. Local attackers can use this vulnerability to obtain user account credentials, overwrite operating system files, and even execute malicious code with LocalSystem permissions.
Two other vulnerabilities (CVE-2020-6241 and CVE-2020-6253) allow an authenticated attacker to escalate privileges via SQL injection by executing specially crafted database query statements. A user who does not have special privileges can use this to gain database administrator access.
In the exploitation scenario of CVE-2020-6253, an attacker can first control an ASE database dump file and modify the file with malicious data before loading the file into the target ASE server.
The fifth vulnerability (CVE-2020-6243) occurs when the server fails to perform necessary checks for an authenticated user when executing a stored procedure ("dummy_esp"). This vulnerability allows Windows users to execute their own code and delete data on the ASE server.
Finally, CVE-2020-6250 is an information disclosure vulnerability affecting the ASE Linux/UNIX version. An authenticated attacker can use this vulnerability to read the system administrator password from the installation log.
Researchers pointed out that "these logs are only readable by SAP accounts, but combined with other vulnerabilities, attackers can gain access to the file system and completely invade SAP ASE."
After Trustwave responsibly disclosed its findings on Sybase, SAP pushed out a patch last month that fixed the security vulnerabilities.
Trustwave said, "Organizations often store their most critical data in databases, and in turn, databases are often exposed to untrusted environments or publicly exposed."
"So it is critical to quickly fix and test these vulnerabilities because they not only threaten the data in the database, but may threaten the entire host on which the database is running."
The latest version of ASE has fixed these security vulnerabilities, and users are advised to upgrade to this version as soon as possible.