ID GOLDEN_GATE_ERR_LOG_EXECUTION.NASL Type nessus Reporter This script is Copyright (C) 2017-2018 Tenable Network Security, Inc. Modified 2021-01-02T00:00:00
Description
According to its self-reported version number, the Oracle GoldenGate
Manager application running on the remote host is prior to 12.2.0.1.1.
It is, therefore, affected by a remote code execution vulnerability
due to improper handling of 'OBEY' commands and the ggserr.log file.
An unauthenticated, remote attacker can exploit this to execute
arbitrary code by entering a 'SHELL' command into the error log and
then executing the error log via the 'OBEY' command.
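Note that newer versions of Oracle GoldenGate Manager do not fix the
underlying issue; instead, they introduce access controls that disallow
the use of 'OBEY' by default, so an upgraded host is protected only
while those access controls remain in place.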
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
# Plugin registration block: when `description` is set, the script only
# declares its metadata (ID, name, texts, scoring, dependencies) and then
# exits via exit(0) without running the check code that follows this block.
if (description)
{
# Plugin identity and revision bookkeeping.
script_id(100620);
script_version("1.5");
script_cvs_date("Date: 2018/08/08 12:52:14");
# The only cross-reference registered here is an Exploit-DB entry;
# no CVE identifier is declared in this block.
script_xref(name:"EDB-ID", value:"41978");
script_name(english:"Oracle GoldenGate Manager < 12.2.0.1.1 OBEY Command ggserr.log File Handling RCE");
script_summary(english:"Checks the version of the Oracle GoldenGate Manager.");
# Human-readable texts shown in scan results. The description states that the
# finding is based on the self-reported version number, and that later versions
# rely on access controls around 'OBEY' rather than a fix of the issue itself.
script_set_attribute(attribute:"synopsis", value:
"The Oracle GoldenGate Manager application running on the remote host
is affected by a remote code execution vulnerability.");
script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the Oracle GoldenGate
Manager application running on the remote host is prior to 12.2.0.1.1.
It is, therefore, affected by a remote code execution vulnerability
due to improper handling of 'OBEY' commands and the ggserr.log file.
An unauthenticated, remote attacker can exploit this to execute
arbitrary code by entering a 'SHELL' command into the error log and
then executing the error log via the 'OBEY' command.
Note that newer versions of Oracle GoldenGate Manager do not fix this
issue but instead introduce access controls that disallow use of
'OBEY' by default.");
script_set_attribute(attribute:"see_also", value:"https://blog.silentsignal.eu/2017/05/08/fools-of-golden-gate/");
# Remediation has two parts: the upgrade and the 'OBEY' access controls.
script_set_attribute(attribute:"solution", value:
"Upgrade to Oracle GoldenGate Manager version 12.2.0.1.1 and use
appropriate access controls to disallow the use of the 'OBEY' command.");
# CVSS v2 base: network vector, low complexity, no authentication,
# complete confidentiality/integrity/availability impact.
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
# CVSS v2 temporal: proof-of-concept exploit, official fix, confirmed report.
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
# CVSS v3.0 base: network vector, low complexity, no privileges, no user
# interaction, unchanged scope, high impact on all three properties.
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
# CVSS v3.0 temporal: proof-of-concept exploit, official fix, confirmed report.
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2017/05/08");
script_set_attribute(attribute:"plugin_publication_date", value:"2017/06/05");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:goldengate");
# Closes the run of script_set_attribute() calls above.
script_end_attributes();
# Declared as an information-gathering check; the check code after this block
# only reads knowledge-base items and compares version strings.
script_category(ACT_GATHER_INFO);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.");
# Prerequisites: the GoldenGate Manager detection plugin, the gg_manager service
# (or port 7809), and the 'gg_manager/present' knowledge-base key.
# NOTE(review): the 'gg_manager/...' keys are presumably written by
# golden_gate_manager_detect.nbin; that plugin is not visible here, so confirm.
script_dependencies("golden_gate_manager_detect.nbin");
script_require_ports("Services/gg_manager", 7809);
script_require_keys("gg_manager/present");
# Registration done; leave without executing the check.
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
# Version-only check for Oracle GoldenGate Manager: reads the version recorded
# in the knowledge base for the detected Manager port and compares it with the
# fixed release. Nothing is sent to the service by this code.

# Paranoia gate: the check continues only when report_paranoia is 2 or higher.
# NOTE(review): presumably gated because the result rests on the self-reported
# version alone and does not test whether 'OBEY' is actually permitted on the
# target; confirm.
if (report_paranoia < 2) audit(AUDIT_PARANOID);

# Stop unless a GoldenGate Manager was recorded as present.
get_kb_item_or_exit('gg_manager/present');

product = 'Oracle GoldenGate Manager';
fixed = "12.2.0.1.1";

# Resolve the Manager port (default 7809), then the version stored for it.
gg_port = get_service(svc:'gg_manager', default:7809, exit_on_fail:TRUE);
installed = get_kb_item_or_exit('gg_manager/' + gg_port + '/version');

# Anything other than "older than the fixed release" is audited as not
# vulnerable; audit() ends the script here, as it does for the gate above.
if (ver_compare(ver:installed, fix:fixed, strict:FALSE) != -1)
  audit(AUDIT_LISTEN_NOT_VULN, product, gg_port, installed);

# Older than the fixed release: report the installed and fixed versions.
summary = '\n Installed version : ' + installed;
summary = summary + '\n Fixed version : ' + fixed;
summary = summary + '\n';
security_report_v4(port:gg_port, severity:SECURITY_HOLE, extra:summary);
{"id": "GOLDEN_GATE_ERR_LOG_EXECUTION.NASL", "bulletinFamily": "scanner", "title": "Oracle GoldenGate Manager < 12.2.0.1.1 OBEY Command ggserr.log File Handling RCE", "description": "According to its self-reported version number, the Oracle GoldenGate\nManager application running on the remote host is prior to 12.2.0.1.1.\nIt is, therefore, affected by a remote code execution vulnerability\ndue to improper handling of 'OBEY' commands and the ggserr.log file.\nAn unauthenticated, remote attacker can exploit this to execute\narbitrary code by entering a 'SHELL' command into the error log and\nthen executing the error log via the 'OBEY' command.\n\nNote that newer versions of Oracle GoldenGate Manager do not fix this\nissue but instead introduce access controls that disallow use of\n'OBEY' by default.", "published": "2017-06-05T00:00:00", "modified": "2021-01-02T00:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://www.tenable.com/plugins/nessus/100620", "reporter": "This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.", "references": ["https://blog.silentsignal.eu/2017/05/08/fools-of-golden-gate/"], "cvelist": [], "type": "nessus", "lastseen": "2021-01-01T03:03:35", "edition": 25, "viewCount": 14, "enchantments": {"dependencies": {"references": [], "modified": "2021-01-01T03:03:35", "rev": 2}, "score": {"value": 0.6, "vector": "NONE", "modified": "2021-01-01T03:03:35", "rev": 2}, "vulnersScore": 0.6}, "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(100620);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2018/08/08 12:52:14\");\n\n script_xref(name:\"EDB-ID\", value:\"41978\");\n\n script_name(english:\"Oracle GoldenGate Manager < 12.2.0.1.1 OBEY Command ggserr.log File Handling RCE\");\n script_summary(english:\"Checks the version of the Oracle GoldenGate Manager.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The 
Oracle GoldenGate Manager application running on the remote host\nis affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the Oracle GoldenGate\nManager application running on the remote host is prior to 12.2.0.1.1.\nIt is, therefore, affected by a remote code execution vulnerability\ndue to improper handling of 'OBEY' commands and the ggserr.log file.\nAn unauthenticated, remote attacker can exploit this to execute\narbitrary code by entering a 'SHELL' command into the error log and\nthen executing the error log via the 'OBEY' command.\n\nNote that newer versions of Oracle GoldenGate Manager do not fix this\nissue but instead introduce access controls that disallow use of\n'OBEY' by default.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://blog.silentsignal.eu/2017/05/08/fools-of-golden-gate/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Oracle GoldenGate Manager version 12.2.0.1.1 and use\nappropriate access controls to disallow the use of the 'OBEY' command.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/06/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:goldengate\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"golden_gate_manager_detect.nbin\");\n script_require_ports(\"Services/gg_manager\", 7809);\n script_require_keys(\"gg_manager/present\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\nget_kb_item_or_exit('gg_manager/present');\n\nappname = 'Oracle GoldenGate Manager';\nport = get_service(svc:'gg_manager', default:7809, exit_on_fail:TRUE);\nversion = get_kb_item_or_exit('gg_manager/' + port + '/version');\n\nfix = \"12.2.0.1.1\";\nif (ver_compare(ver:version, fix:fix, strict:FALSE) == -1)\n{\n report =\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);\n}\nelse audit(AUDIT_LISTEN_NOT_VULN, appname, port, version);\n", "naslFamily": "Misc.", "pluginID": "100620", "cpe": ["cpe:/a:oracle:goldengate"], "scheme": null, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}