Oracle GoldenGate critical vulnerability analysis - vulnerability warning - the black bar safety net

ID MYHACK58:62201787699
Type myhack58
Reporter Anonymous
Modified 2017-07-08T00:00:00


In this article we will once again show that over-reliance on automated tools leads people to overlook a great deal of real risk. Along the way we discuss the technical details of some important weaknesses in Oracle GoldenGate, and present yet another case of an information security product whose quality falls short.

Background

Not long ago, during an internal vulnerability assessment, we noticed that Nmap reported an unrecognized service response similar to the one in the figure below.

[figure: Nmap output with the unrecognized service response]

An experienced eye recognizes this as the answer to one of Nmap's standard service probes: the service does not understand the probe and replies with the error message "MGR Did Not Recognize the Command". A quick web search turns up forum threads in which people complain about exactly this message appearing in Oracle GoldenGate's error log. Further digging showed that TCP/7809 is Oracle GoldenGate's default port, which is consistent with the earlier finding and gave us confidence in the identification. The vendor's website describes the product as a package for real-time data integration and replication across heterogeneous IT environments. In other words, users can define how data in one schema is transformed into data in another schema, and GoldenGate will then transfer that data safely and accurately even across HA failovers and in other complex environments. It is also worth noting that a Nessus vulnerability scan of the same host did not recognize GoldenGate at all.
So we went back to Google and dug deeper, and found some alarming ZDI advisories: ZDI-16-022 and ZDI-16-023. Their CVSS (Common Vulnerability Scoring System) score of 10.0 indicates that the weaknesses can be exploited easily over the network without authentication, and the affected port named in the advisories matched the one we had found. Normally we would now build a test system with the same or a similar version and attack it to confirm whether the weakness really exists. This time, however, although the system under test processed important data, we ran out of time and had no spare capacity to set up even a basic test system. All we could do was describe the issue in our report and hope that somebody would fix it within a short time, or at least put some passive monitoring in place. As far as we know this vulnerability has not been widely exploited, but we did start building a test system of our own, because the issue kept nagging at us.

The vulnerabilities and their properties

This is one of the rare cases where obtaining and installing the product took longer than finding the first vulnerability, partly because the Linux version of the software ships with full debugging information compiled into its binaries. We will therefore not spend much time on that part, nor focus on one specific issue, but rather on the general problems. The Manager process emulates an HTTP server and also implements a custom protocol. Although it performs some access control, which we will come back to below, it does not require any authentication.
The HTTP server interface leaks a large amount of information about the server build, including the version number, which helps to determine whether a target has been patched. Of course we wanted to know much more than that. Talking to the custom protocol turned out to be very simple. The most important details can be gleaned by scrutinizing a packet dump taken while the test host was first set up:

[figure: packet dump of the Manager protocol]

Each message is prefixed with two bytes encoding its length and consists of TAB-separated fields (note the two-byte offset at the start of each message in the capture); the replies use the same format. This sample was enough to quickly locate the message parser inside the binary, the check_messages() function. Having established that the process-creation logic can reach execv() after certain commands are received, we turned our attention to the OBEY command. Apart from its catchy name, the official documentation reveals that GoldenGate can be scripted, and the script files are usually called "OBEY files". These files may contain SHELL commands, which the OS command interpreter executes with the given arguments, making them a perfect target.

[figure: documentation of the SHELL command in OBEY files]

Now the only remaining question is how to place a suitable OBEY file on the target's file system. A very old trick solves this: the Manager process writes every invalid command it receives into the ggserr.log file in its directory.
Since we can send commands containing embedded line breaks to the management port, and the script parser does not stop when it hits an invalid line, we can append a line beginning with SHELL to the log file and then make the Manager interpret its own log file as an OBEY file, which gives us command execution. Claudio has also published some details of the other vulnerability, ZDI-16-022 (CVE-2016-0451), which allows files to be uploaded freely and makes exploitation even easier. (Our approach has a limitation that makes the script slow: we have to spend a lot of time searching for the injected command. If you want to know more, see our published exploit.) Single-shot exploitation on Windows is left as an exercise for the reader.

Mitigation

GoldenGate calls MGRSEC_check_client_access() during message parsing to check access rights. This function evaluates a series of predefined rules to decide whether the connected client is allowed to send the message, and it is present in the vulnerable versions as well. In Oracle's patch, default rules were added so that only messages from the loopback addresses (::1 and its IPv4 equivalent) are accepted.
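To make the chain concrete, here is a small Python model of the Manager behaviour described in this article, from the message framing through the log injection to the access rules of the patch. It is an added example, not code from the article or from Oracle GoldenGate. Everything about the real product beyond what the article states is an assumption: the byte order of the length prefix, that the first TAB-separated field is the command name, the format of the log line, the command set, and the shape of the access rules; the OBEY reader is a minimal stand-in that collects SHELL lines instead of executing them.

```python
"""Model of the GoldenGate Manager weaknesses described above.

Added example, not GoldenGate code.  Assumptions (not from the article): the
two-byte length prefix is big-endian, the first TAB-separated field is the
command name, the log line format, the command set, and the rule layout.
SHELL lines found by the OBEY reader are collected, never executed.
"""
import ipaddress
import struct


def frame(fields):
    """Encode a Manager message: two-byte length prefix + TAB-separated fields."""
    body = b"\t".join(f.encode() for f in fields)
    return struct.pack(">H", len(body)) + body


def parse_frame(data):
    """Decode one message, refusing frames whose prefix and payload disagree."""
    if len(data) < 2:
        raise ValueError("short frame")
    (length,) = struct.unpack(">H", data[:2])
    if len(data) != 2 + length:
        raise ValueError("length prefix does not match payload")
    return data[2:].decode().split("\t")


def client_allowed(rules, client_ip):
    """Stand-in for MGRSEC_check_client_access(): first matching rule wins.

    rules is an ordered list of (network, allow).  With no matching rule the
    client is allowed, so an empty rule set (the pre-patch default in this
    model) lets everyone in.
    """
    ip = ipaddress.ip_address(client_ip)
    for net, allow in rules:
        if ip in ipaddress.ip_network(net):
            return allow
    return True


# Default rules modelled on the patch: loopback only, everything else denied.
PATCHED_RULES = [
    ("127.0.0.1/32", True),
    ("::1/128", True),
    ("0.0.0.0/0", False),
    ("::/0", False),
]


class ManagerModel:
    KNOWN = {"OBEY", "START", "STOP"}  # hypothetical command set

    def __init__(self, rules=()):
        self.rules = list(rules)
        self.files = {"ggserr.log": ""}  # the error log lives next to the Manager
        self.executed = []               # SHELL lines that *would* have run

    def handle(self, client_ip, raw):
        """Process one framed message from client_ip and return the reply text."""
        if not client_allowed(self.rules, client_ip):
            return "access denied"
        fields = parse_frame(raw)
        cmd = fields[0].upper()
        if cmd == "OBEY" and len(fields) > 1:
            return self.obey(fields[1])
        if cmd not in self.KNOWN:
            # The offending command is copied into the log verbatim, so an
            # embedded newline becomes a fresh line in ggserr.log.
            self.files["ggserr.log"] += (
                "ERROR: MGR Did Not Recognize the Command: " + " ".join(fields) + "\n"
            )
            return "MGR Did Not Recognize the Command"
        return "OK"

    def obey(self, path):
        """OBEY reader that skips lines it does not understand instead of aborting."""
        if path not in self.files:
            return "no such file"
        for line in self.files[path].splitlines():
            words = line.split(None, 1)
            if words and words[0].upper() == "SHELL":
                self.executed.append(words[1] if len(words) > 1 else "")
        return "OK"


def injection_demo(rules=(), client_ip="203.0.113.5"):
    """Send the two messages of the attack and report what the model would run."""
    mgr = ManagerModel(rules)
    # Constructed payload: a bogus command with a SHELL line hidden after a newline.
    mgr.handle(client_ip, frame(["BOGUS\nSHELL id > /tmp/pwned"]))
    mgr.handle(client_ip, frame(["OBEY", "ggserr.log"]))
    return mgr.executed


if __name__ == "__main__":
    print("unpatched, remote client:", injection_demo())
    print("patched, remote client:  ", injection_demo(PATCHED_RULES))
    print("patched, loopback client:", injection_demo(PATCHED_RULES, "127.0.0.1"))
```

Run it and the unpatched model reports the injected SHELL line as the command that would have run, while the loopback-only rule set rejects the same two messages from a non-local address. In this model a client on the loopback address can still inject, because the rules restrict who may talk to the Manager rather than what the log file may contain; whether the real patch changes anything beyond the access rules is not something the article says.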
