lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 18 Sep 2013 17:06:53 +0200
Subject: Security Vulnerability in German ERP system "Sage
	Office Line"

	Security Vulnerability in German ERP system "Sage office Line"

	Recently, I discovered a Securtiy Security Vulnerability in the
German ERP system "Sage office Line", created by German branch of the
UK-based Sage Group. The Software is sold in Germany, Austria and
Switzerland. According to their website, Sage Germany has more than
250.000 customers.
Affected products:

	- Sage Office Line Evolution 2012 (with newest patches installed)
- Sage Office Line Evolution 2013 (with newest patches installed)
- most likely previous versions (untested)

	- Code execution
- privilege escalation
- Data loss

	The software is based on a Microsoft Access Frontend Client
(available as ADE and ADP) and some server-based tools. Microsoft SQL
Server is used to store all data. A typical client installation on the
computer of each office worker contains the MS Access frontend and
also many .Net assemblies called via COM-interop by the Access client.

	Main entry point for the Vulnerability is the so-called
"mandator-object" which is initiated when a user logs in to the
software. This object holds all information regarding the accessed
database and also about the priviliges of the user. 

	If a user has valid credentials to start the software, even if he has
minimal permissions, he can use local VBScript and COM automation to
gain full access to the mandator object. This object holds, among
other interesting things, an ADO.NET connection object, which was
instantiated with an SQL user with full rights on the affected
database.Using the ADO.NET connection object, the user can give
himself full permissions or even delete all data in the database. 
According to Sage Software, there is a feature called "Erweiterte
Codesicherheit" ("Extended Code Security") which should secure the
system by blocking non-signed code from accessing the System. The
Feature has no effect on the vulnerability described in this post.
Proof of Concept:

	The following code has to be saved local in a VBS file. Maybe it is
necessary to adjust the path to the MS Access ADE file. It grants full
access to the current user and then tries to shutdown the SQL server

	 Set objAccess = GetObject("C:Program Files (x86)SageOffice
 Set goMandant = objAccess.Run("goMandant")
 goMandant.oData.Execute "UPDATE USysSecurityClients SET Rights = 3
WHERE UserName='" &  goMandant.oBenutzer.sName & "'"
 goMandant.oGlobalData.Execute "SHUTDOWN WITH NOWAIT"

Content of type "text/html" skipped

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -

Powered by blists - more mailing lists