Oracle Secure Backup Buffer Overflow (Jan 22, 2010)
Oracle Secure Backup is a centralized tape backup management suite. It comprises of a server that allows an administrator to centrally manage data on network-attached storage devices and distributed multi-platform hosts. The transfer of data to and from its host systems is SSL encrypted in order to prevent unauthorized hosts from participating in the procedure.
Oracle Secure Backup uses the NDMP protocol to administer and perform backup tasks for all clients. The NDMP server, implemented by the binary executable observiced.exe, listens on TCP port 10000 by default. Upon a client connection, the NDMP server performs a reverse DNS lookup of the client host’s IP. After the client’s domain name is determined, communication with the client over the NDMP connection ensues.
The reverse DNS lookup is implemented through standard networking libraries which result in a regular UDP DNS message exchange over port 53. The DNS message consists of a 12 byte header and multiple Resource Records (RR), which are in turn classified as Question RR, Answer RR, Authority RR, and Additional RR.
A vulnerability exists in some versions of Oracle Secure Backup. It is due to insufficient string length checks of the domain name fields in reverse DNS lookup responses. Exploitation of the flaw manifests itself as a stack buffer overflow. Internally, the affected code copies the client supplied domain name string to a fixed size buffer without verifying its length beforehand.
An overly long DNS domain name string could overrun the destination buffer corrupting critical data on the stack. Consequently, this may lead to the diversion of the process flow of the vulnerable server. Remote unauthenticated attackers could exploit this vulnerability by initiating a connection to the NDMP server and supplying a malicious DNS response. This type of attack is trivial to execute, however, numerous timing conditions must be met for successful exploitation. The attacker must be able to spoof a DNS response that is accepted by the target server.
Successful exploitation allows for the injection and execution of arbitrary code on the target server. An unsuccessful attack could terminate the affected service.
SonicWALL has released an IPS signature that addresses this issue. The following signature has been released:
- 1054 – Malicious DNS Response Traffic
Mitre has assigned this vulnerability the ID CVE-2010-0072