Oracle TimesTen Format String Flaw

January 16, 2009

The TimesTen In-Memory Database product from Oracle is used for real-time data management in performance-critical environments. Amongst other applications, it can be used as a high performance cache for an Oracle Database.

The product includes various services that provide different functionalities and user access points. One of the services is a scaled down HTTP server ran on port 17000/TCP. A typical request that would be sent to the server is shown:

GET evtdump?msg=thisisatest HTTP/1.0rn
The TimesTen Database generates transaction logs of the HTTP connections. The log generation is enabled in the product in default installations. All transactions that fail as well as requests that are in any form invalid are logged by the service.

A format string vulnerability exists in the Oracle TimesTen Database product. The flaw is contained in the transaction logging function. The method that generates the logs does not sufficiently sanitize user input before internally passing it as arguments to printf-like functions. As a request comes in to the HTTP server, the URI is inspected for illegal character sequences such as format specifiers like "%n". If any format specifiers are found in the URI then the request is considered invalid and as such, must be logged. Subsequently, it is passed onto the logging function without being sanitized. The logging function calls the snprintf function, passing the user supplied URI as the string parameter. Since the URI includes format sting specifiers, they get interpreted as such by the snprintf function. This results in memory corruption which may lead to either process flow diversion or a termination of the vulnerable service.

Remote unauthenticated users could exploit this flaw by sending a malicious request to the affected service. Successful exploitation may allow a malicious user to execute arbitrary code on the target host. SonicWALL has released an IPS signature to detect and block limited exploit attempts targeting this vulnerability. The following IPS signature has been released to address this vulnerability:

  • 1318 - Oracle TimesTen In-Memory Database evtdump Format String Attempt