5.3.2 Remove mail related ESPs

Information

On Windows systems, Sybase ASE installs a number of powerful ESPs that allow access to
email via the Adaptive Server inbox. These are xp_sendmail, xp_readmail, xp_deletemail,
xp_findnextmsg, xp_startmail and xp_stopmail.

By default, execution of these ESPs is restricted to users with the sa_role. It is
recommended that they be removed as a defense-in-depth measure if they are not in use.
Furthermore, the DLL that houses each of these ESPs, sybmail.dll, should be deleted from
the file system to prevent the ESPs from being recreated by an attacker.

Rationale:

The email ESPs give an attacker who has suitable privileges an additional means of
communicating with other systems on the network and exfiltrating data. Given that ESPs
have previously had a number of associated security flaws, it is prudent to remove those
that are not in use.

Solution

1. Connect to the ASE server with a user that has the sa_role and execute the
following statements:

exec sp_dropextendedproc 'xp_sendmail'

exec sp_dropextendedproc 'xp_readmail'

exec sp_dropextendedproc 'xp_deletemail'

exec sp_dropextendedproc 'xp_findnextmsg'

exec sp_dropextendedproc 'xp_startmail'

exec sp_dropextendedproc 'xp_stopmail'

2. From a command prompt execute the following command to delete sybmail.dll:

del %SYBASE%\%SYBASE_ASE%\dll\sybmail.dll

3. If the above command returns "Access is denied", stop the ASE server and repeat the
command.
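
To confirm the result of step 1, the following check lists any of the six mail ESPs that are still registered. It is an added example, not part of the benchmark text; it assumes the ESPs are registered as type 'XP' rows in sysobjects of either master or sybsystemprocs, so both databases are queried.

```sql
-- Added verification example (not from the benchmark).
-- Assumption: ESPs appear in sysobjects with type = 'XP', in master
-- and/or sybsystemprocs. An empty result set means none of the mail
-- ESPs remain registered.
select 'master' as dbname, name, crdate
from master..sysobjects
where type = 'XP'
  and name in ('xp_sendmail', 'xp_readmail', 'xp_deletemail',
               'xp_findnextmsg', 'xp_startmail', 'xp_stopmail')
union all
select 'sybsystemprocs' as dbname, name, crdate
from sybsystemprocs..sysobjects
where type = 'XP'
  and name in ('xp_sendmail', 'xp_readmail', 'xp_deletemail',
               'xp_findnextmsg', 'xp_startmail', 'xp_stopmail')
order by 1, 2
go
```

Any row returned names an ESP that still needs to be dropped with sp_dropextendedproc; the presence of sybmail.dll on disk has to be checked separately on the host.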

See Also

https://workbench.cisecurity.org/files/1612