5.3.1 Remove operating system related ESPs

Information

Sybase ASE installs a number of powerful ESPs that allow interaction with the operating
system. A common target for an attacker is the xp_cmdshell ESP, which executes a native
operating system command on the host system running Sybase ASE.

The operating system user context under which the command executes is controlled by the
xp_cmdshell context configuration parameter. By default this parameter only permits
execution by users who hold System Administration privileges at the operating system
level, but that restriction is insufficient on its own: an attacker who has compromised an
account holding the sa_role can reconfigure the parameter so that xp_cmdshell executes
commands under the user context that the database server itself is running as.

By default, execution of the xp_cmdshell ESP is restricted to users with the sa_role. It is
recommended that it is removed, along with the other operating system related ESPs:
xp_freedll, xp_logevent (Windows only) and xp_enumgroups (Windows only).

Furthermore the library that houses each of these ESPs, sybsyesp.dll (Windows) or
sybsyesp.so (Unix), should be deleted from the file system to prevent them from being
recreated by an attacker.

Rationale:

The xp_cmdshell ESP provides a clear path for privilege escalation from the database to the
operating system. An attacker could use this functionality in conjunction with a SQL
injection attack to gain a foothold on the database host and use it as a launch pad to
compromise other systems. If this ESP is not used, it is therefore prudent to remove it.

Solution

1. Connect to the ASE server with a user that has the sa_role and execute the
following statements:

exec sp_dropextendedproc 'xp_cmdshell'

exec sp_dropextendedproc 'xp_freedll'

In addition, the following statements should be executed on Windows systems:

exec sp_dropextendedproc 'xp_logevent'

exec sp_dropextendedproc 'xp_enumgroups'

If the above statements return Access is denied, stop the ASE server and repeat the
command.

2. On Windows systems, execute the following command from a command prompt to
delete sybsyesp.dll. It is prudent to keep a copy of the file offline in case the
xp_cmdshell functionality needs to be restored.

del %SYBASE%\%SYBASE_ASE%\dll\sybsyesp.dll

On Unix systems, execute the following command from a command shell (assuming
the SYBASE environment variables have been set). Note that Unix paths use forward
slashes:

rm $SYBASE/$SYBASE_ASE/lib/sybsyesp.so

On Unix systems it may be necessary to stop and restart the ASE server for the
changes to take effect.
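The following audit helper is an added example, not part of this benchmark text, for verifying that the remediation above has taken effect. It assumes the ESP names have been saved to a file, one per line, from a query such as "select name from sybsystemprocs..sysobjects where type = 'XP'" run through isql; the sample listing and the fallback library directory in the script are constructed placeholders.

```shell
#!/bin/sh
# Added audit helper (not from the CIS benchmark): checks whether the
# operating-system related ESPs are still registered and whether the ESP
# library is still on disk after the removal steps in this section.

# ESPs this section recommends removing (xp_logevent and xp_enumgroups are
# Windows only, so they simply will not match on a Unix server).
OS_ESPS="xp_cmdshell xp_freedll xp_logevent xp_enumgroups"

# remaining_esps FILE: FILE holds one ESP name per line (saved isql output of
# the sysobjects query named in the lead-in). Prints each OS-related ESP that
# is still registered. Returns 0 when none remain, 1 when at least one does.
remaining_esps() {
    rc=0
    for esp in $OS_ESPS; do
        # isql pads names with blanks; strip them before the whole-line match.
        if sed 's/^[[:space:]]*//;s/[[:space:]]*$//' "$1" | grep -qx "$esp"; then
            echo "$esp"
            rc=1
        fi
    done
    return $rc
}

# esp_library_present DIR: returns 0 if sybsyesp.so or sybsyesp.dll is still in DIR.
esp_library_present() {
    [ -f "$1/sybsyesp.so" ] || [ -f "$1/sybsyesp.dll" ]
}

# --- constructed sample listing (not real server output) ---
SAMPLE=$(mktemp)
printf ' xp_cmdshell \n xp_sendmail \n xp_enumgroups \n' > "$SAMPLE"

if remaining_esps "$SAMPLE" > /dev/null; then
    echo "OS-related ESPs: none registered"
else
    echo "OS-related ESPs still registered:"
    remaining_esps "$SAMPLE" || true
fi
rm -f "$SAMPLE"

# Library check uses the real install only when the SYBASE variables are set.
if [ -n "$SYBASE" ] && [ -n "$SYBASE_ASE" ]; then
    LIBDIR="$SYBASE/$SYBASE_ASE/lib"
    if esp_library_present "$LIBDIR"; then
        echo "ESP library still present in $LIBDIR"
    else
        echo "ESP library absent from $LIBDIR"
    fi
fi
```

On a live server, pass the saved query output to remaining_esps and run the library check with the SYBASE variables exported; a compliant host reports no ESPs and no library.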

See Also

https://workbench.cisecurity.org/files/1612