Sybase Vulnerability Assessment

To carry out a penetration test on a Sybase server a good starting place would be to utilise hydra to try and password crack the main sa account. If, however, the Sybase server is set to Integrated Authentication mode, you could be in trouble as you may have to go after a valid OS user account instead.  The following is not everything you can do interactively with a Sybase server, but its a good start.  Further information is available from the Sybase site, or try our old favourite Google.

Note: You require ‘sso_role’ and ‘sa_role’ roles to carry out the following on the targeted Sybase Application Server.  All the commands have been tested on Sybase ASE 15.  I have divided the check down into 5 specific areas:

•   General  Security Settings

•   Database Configuration

•   User Based Security Settings

•   Sybase Auditing Settings

•   Network Security Settings

General  Security Settings:

Databases present on target server:

exec sp_helpdb

Another good starting point is to list what other servers the tested Sybase server is able to execute Remote Procedure Calls on:

exec sp_helpserver

Points to note from this are;

    No net password encryption - i.e. passwords sent across the network in clear text as opposed to the more secure encrypted format.

    RPC Security Model A    i.e. No security mechanisms (RPC Security Model B provides a plethora of Security Mechanisms for added security.)

What mode of Authentication is being used:

• Standard - Default, Sybase internal authentication ONLY utilised.

• Integrated - Reliant on host OS for authentication.

• Mixed - OS Authentication tried, if not successful will revert back to Sybase internal mode.

To evaluate what version and some patching information about the targeted server:

You will notice from the above the Emergency Bug Fix (EBF) 12783 has been applied and you are dealing with a Windows 2000 install of Sybase ASE15.  You may also see Electronic Software Delivery (ESD), Interim Release (IR) noted in this information.

Database Configuration Settings:

Sybase ASE Server configuration details can be found by:

exec sp_configure

User Based Security Settings:

Enumerating groups on a Server

use DB_Name

exec sp_helpgroup

Further enumerating who is a member of which group

use DB_Name

exec sp_helpgroup Group_Name

Enumerating if password roles have "Null" passwords assigned to them.

select name from syssrvroles where password = NULL

Enumerating roles present on the server

select name, password, pwdate, status from syssrvroles

Obtaining more detailed information about the roles of a particular user

exec sp_displayroles User_Name, expand_down

Enumerating user accounts from a database

exec sp_helpuser

Obtaining password hashes for user accounts

select name, password from syslogins

Enumerating login information relating to a particular account

sp_displaylogin sa

You should be able to determine the following details:

• Account Lockout status

• Auto login script

• Default Login Name

• Default Database

• Failed Login attempts

• Maximum Failed login parameter

• Password change status

• Password expiry details

• Password length

• Roles assigned

Password settings can be obtained by:

exec sp_configure "password expiration interval"

exec sp_configure "check password for digit"     Enforce a single digit in password (Complexity rules)

exec sp_configure "minimum password length"

You should also ensure default system Sybase passwords are not present on the system.  Account details I have found to date may be found here.

Sybase Auditing Settings:

Check to see if auditing has been set on the system

exec sp_configure auditing

Check to see if failed login attempts are logged by the system

exec sp_configure "log audit logon failure"

As the value set in this example is 0 (default) failed attempts are not recorded.  It should be set to 1.

Check to see if successful login attempts are logged by the system.

exec sp_configure "log audit logon success"

As the value set in this example is 0 (default) successful attempts are not recorded.  It should be set to 1.

Check to see if auditing ceases if the logs become full

exec sp_configure "suspend audit when device full"

Network Security Settings:

You should also really check if Remote Server Access is allowed by Sybase

use master

exec sp_configure "allow remote access"

By default this is set to 1 and allowed.  If this is the case you may want to check all credentials that remote users utilise, to make sure appropriate rules are applied to them.