[Full-Disclosure] Heap Overflow in Oracle 9iAS / 10g Application Server Web Cache

From: Ioannis Migadakis (jmig_at_mail.gr)
Date: 04/08/04

    To: full-disclosure@lists.netsys.com
    Date: Thu, 08 Apr 2004 14:50:42 EET

                            InAccess Networks
                         www.inaccessnetworks.com

                            Security Advisory

    Advisory Name: Heap Overflow in Oracle 9iAS / 10g Application Server
                   Web Cache
     Release Date: 8 April 2004
      Application: Oracle Web Cache - all versions except 9.0.4.0.0 for
                   Windows, AIX & Tru64 which already contain fixes
         Platform: All Oracle supported platforms -
                   Sun Solaris
                   HP/UX
                   HP Tru64
                   IBM AIX
                   Linux
                   Windows
         Severity: Critical - Remote Code Execution
         Category: Heap Overflow
     Exploitation: Remote
           Author: Ioannis Migadakis [jmig@inaccessnetworks.com]
                                     [jmig@mail.gr]
    Vendor Status: Oracle has released Security Alert #66 and
                   patches are available for supported products.
                   See http://otn.oracle.com/deploy/security/alerts.htm

    CVE Candidate: CAN-2004-0385
        Reference: www.inaccessnetworks.com/ian/services/secadv01.txt

    About Web Cache
    ---------------

    From Oracle's Web Site

    "Oracle Web Cache is the software industry's leading application
    acceleration solution. Designed for enterprise grid computing, OracleAS
    Web Cache leverages state-of-the-art caching and compression
    technologies to optimize application performance and more efficiently
    utilize low-cost, existing hardware resources."

    From Oracle's 9iAS Web Cache - Technical FAQ

    "An integrated component of Oracle's application server infrastructure,
    Oracle9iAS Web Cache is an innovative content delivery solution
    designed to accelerate dynamic Web-based applications and reduce
    hardware costs."

    From Oracle's Security Alert #66 Rev.1

    "...a typical Core or Mid-Tier default installation of Oracle
    Application Server includes Web Cache."

    Vulnerability Summary
    ---------------------

    A heap overflow vulnerability exists in Oracle Web Cache on all
    platforms. The vulnerability can be exploited remotely and the attacker
    can execute arbitrary code. Some firewalls may not protect against
    this vulnerability. Patches are available from Oracle's Web Site and
    should be applied immediately. The risk of exposure is high.

    Vulnerability Details
    ---------------------

    Web Cache application processes HTTP/HTTPS requests from clients and
    passes them to Oracle HTTP Server(s).

                HTTP/HTTPS      +-----------+         +-------------+
     client ----------------->  | Web Cache |  ---->  | HTTP Server |
                 request        +-----------+         +-------------+

    By default Web Cache listens for incoming connections on port 7777 for
    HTTP and 4443 for HTTPS. The ports are configurable by the system
    administrator, and in real-world installations they are usually changed
    to the well-known ports 80 and 443, which are open through the
    firewall to everyone.

    A heap overflow condition exists in the "webcached" process when an
    invalid HTTP/HTTPS request is received. The overflow is triggered by
    sending an overly long token in the Request Method position of the
    request line (the first field of the request, before the URI and the
    HTTP version; it is not a header). RFC 2616 defines the Request
    Methods OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE and CONNECT,
    none of them longer than seven characters.
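    The bug class described above is a copy of the request-method token
    into a fixed-size buffer with no bound on the token's length. The fix
    is to bound the token before anything is copied and to reject tokens
    that are not defined methods. The following C is an added example for
    this page, not code from Oracle, from Web Cache or from this advisory.
    It assumes a 16-byte method limit (a value chosen for the example;
    the longest RFC 2616 method is 7 bytes), parses a request line the
    bounded way, and includes a helper that builds a request with a
    method token of any length, as a constructed test input for checking
    a parser of one's own. All names and structures are the example's own.

```c
#include <stdio.h>
#include <string.h>

/* Assumed limit for this example. The longest method RFC 2616 defines is
 * 7 bytes (OPTIONS, CONNECT); 16 leaves room for extension methods while
 * keeping the copy into the fixed-size field bounded. */
#define MAX_METHOD_LEN 16

enum parse_status {
    PARSE_OK = 0,
    PARSE_MALFORMED,         /* no "METHOD SP URI SP version" structure   */
    PARSE_METHOD_TOO_LONG,   /* the condition an overly long method hits */
    PARSE_UNKNOWN_METHOD     /* well-formed but not an RFC 2616 method   */
};

struct request_line {
    char method[MAX_METHOD_LEN + 1];
    size_t method_len;
    const char *uri;        /* points into the caller's buffer, not copied */
    size_t uri_len;
};

/* The methods RFC 2616 section 5.1.1 defines. */
static const char *const rfc2616_methods[] = {
    "OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT", NULL
};

static int is_rfc2616_method(const char *m, size_t n)
{
    for (const char *const *p = rfc2616_methods; *p; p++)
        if (strlen(*p) == n && memcmp(*p, m, n) == 0)
            return 1;
    return 0;
}

/* Parse "METHOD SP URI SP HTTP/x.y". The length check comes BEFORE the copy:
 * a parser that copies the method token into a fixed-size heap buffer and
 * checks its length afterwards (or never) is the bug class described above. */
enum parse_status parse_request_line(const char *buf, size_t len,
                                     struct request_line *out)
{
    const char *sp1 = memchr(buf, ' ', len);
    if (sp1 == NULL || sp1 == buf)
        return PARSE_MALFORMED;
    size_t mlen = (size_t)(sp1 - buf);
    if (mlen > MAX_METHOD_LEN)
        return PARSE_METHOD_TOO_LONG;      /* rejected; nothing was written */

    memcpy(out->method, buf, mlen);
    out->method[mlen] = '\0';
    out->method_len = mlen;
    if (!is_rfc2616_method(out->method, mlen))
        return PARSE_UNKNOWN_METHOD;

    const char *ustart = sp1 + 1;
    const char *sp2 = memchr(ustart, ' ', len - (mlen + 1));
    if (sp2 == NULL || sp2 == ustart)
        return PARSE_MALFORMED;
    out->uri = ustart;
    out->uri_len = (size_t)(sp2 - ustart);
    return PARSE_OK;
}

/* Build a request whose method token is method_len bytes of 'A' (constructed
 * filler) followed by a minimal URI and version. Returns the request length,
 * or 0 if `out` cannot hold it. */
size_t build_long_method_request(char *out, size_t cap, size_t method_len)
{
    static const char tail[] = " / HTTP/1.0\r\n\r\n";
    size_t need = method_len + sizeof(tail) - 1;
    if (need + 1 > cap)
        return 0;
    memset(out, 'A', method_len);
    memcpy(out + method_len, tail, sizeof(tail));   /* includes the NUL */
    return need;
}

int main(void)
{
    char req[1024];
    struct request_line rl;
    size_t n = build_long_method_request(req, sizeof req, 432);
    printf("432-byte method  -> status %d\n", parse_request_line(req, n, &rl));
    const char good[] = "GET /index.html HTTP/1.1\r\n";
    printf("GET /index.html  -> status %d\n",
           parse_request_line(good, sizeof good - 1, &rl));
    return 0;
}
```

    The same request built by build_long_method_request can be written to
    a socket to check whether a cache or proxy in front of an application
    drops an over-long method or forwards it; only do that against systems
    you are authorised to test.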

    Sending a request whose Request Method is 432 bytes long to a Windows
    based Web Cache installation causes the following exception inside
    ntdll.RtlAllocateHeap:

    77FCBF00 MOV DWORD PTR DS:[ESI], ECX
    77FCBF02 MOV DWORD PTR DS:[ECX+4], ESI

    These two stores are the allocator removing a chunk from a doubly
    linked free list (Blink->Flink = Flink; Flink->Blink = Blink). ECX and
    ESI hold the Flink and Blink pointers respectively, read from a chunk
    header that the overflow has overwritten with attacker supplied values.
    By controlling ECX and ESI it is therefore possible to write an
    arbitrary dword to an arbitrary address: the write-what-where
    primitive described in many security related documents. The attacker
    also has plenty of room, since Oracle9iAS Web Cache uses a 4 KB buffer
    for the HTTP headers by default. Variations of the malformed request
    make it possible to control different CPU registers at the time of
    the fault.
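    What the two faulting instructions do, as an added example in C (not
    code from the advisory or from Oracle): `struct list_entry` mirrors the
    Windows LIST_ENTRY layout (Flink then Blink), `heap_unlink` performs the
    free-list removal that those two stores implement, and
    `demo_write_what_where` shows what happens when the overflow has filled
    the chunk's Flink and Blink with attacker-chosen values. The slot that
    gets written and the payload buffer are stand-ins constructed for the
    demonstration; the writes are pointer-sized here and dword-sized on the
    32-bit target in the advisory.

```c
#include <stdio.h>

/* Mirrors the Windows LIST_ENTRY layout used by the heap's free lists:
 * Flink at offset 0, Blink at offset 4 on 32-bit (pointer-sized here). */
struct list_entry {
    struct list_entry *flink;
    struct list_entry *blink;
};

/* The operation behind the two faulting instructions, with ESI = Blink and
 * ECX = Flink of the chunk being taken off the free list:
 *   MOV DWORD PTR DS:[ESI], ECX     ; Blink->Flink = Flink
 *   MOV DWORD PTR DS:[ECX+4], ESI   ; Flink->Blink = Blink
 * The allocator trusts both pointers, and both live in the chunk header
 * that the overflow has just overwritten. */
static void heap_unlink(struct list_entry *e)
{
    struct list_entry *flink = e->flink;
    struct list_entry *blink = e->blink;
    blink->flink = flink;   /* MOV [ESI], ECX   */
    flink->blink = blink;   /* MOV [ECX+4], ESI */
}

/* Normal case: circular list head -> a -> b; unlinking a leaves head -> b.
 * Returns 1 if the list is intact afterwards. */
int demo_benign_unlink(void)
{
    struct list_entry head, a, b;
    head.flink = &a;  head.blink = &b;
    a.flink = &b;     a.blink = &head;
    b.flink = &head;  b.blink = &a;
    heap_unlink(&a);
    return head.flink == &b && b.blink == &head;
}

/* Corrupted case: the attacker chose Flink and Blink of the chunk header.
 *   Blink = WHERE  (address of the word to overwrite, e.g. a function pointer)
 *   Flink = WHAT   (value to store there, typically the address of the payload)
 * The first store writes WHAT into WHERE. The second store writes WHERE into
 * the word at WHAT+sizeof(void*), so WHAT must be a writable address and the
 * payload placed there loses its second word (which is why such payloads
 * start with a short jump over it). where_slot and payload are stand-ins
 * constructed for this demonstration. Returns 1 if both effects occurred. */
int demo_write_what_where(struct list_entry *where_slot, struct list_entry *payload)
{
    struct list_entry corrupt;       /* free-chunk header as left by the overflow */
    corrupt.flink = payload;         /* WHAT  */
    corrupt.blink = where_slot;      /* WHERE */
    heap_unlink(&corrupt);
    return where_slot->flink == payload && payload->blink == where_slot;
}

int main(void)
{
    struct list_entry where_slot = {0, 0};   /* stand-in: a function-pointer slot   */
    struct list_entry payload    = {0, 0};   /* stand-in: first two payload words  */
    printf("benign unlink intact:      %d\n", demo_benign_unlink());
    printf("write-what-where observed: %d\n",
           demo_write_what_where(&where_slot, &payload));
    printf("  *WHERE (%p) now holds %p (WHAT)\n",
           (void *)&where_slot, (void *)where_slot.flink);
    printf("  payload word 2 clobbered with %p (WHERE)\n", (void *)payload.blink);
    return 0;
}
```

    Two practical notes. The second store is the constraint that makes
    WHAT have to be a writable address, which in a real exploit is
    satisfied by pointing it at the attacker's own buffer. Windows heaps
    from XP SP2 onward check that Flink->Blink and Blink->Flink both point
    back at the entry before performing the unlink ("safe unlinking"),
    which defeats this particular primitive; the targets current when this
    advisory was written did not have that check.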

    The vulnerability exists on all Oracle supported platforms. On Windows,
    Web Cache runs in the security context of the Local SYSTEM account, so
    successful exploitation gives a full remote compromise of the system.
    On Unix and Linux the Web Cache process normally runs as the oracle
    user, so successful exploitation may give a complete compromise of the
    data that account can reach.

    CERT has assigned VU#643985 for this vulnerability.

    HTTP/HTTPS Method Heap Overflow & Firewalls
    -------------------------------------------

    Exploitation of this vulnerability passes through a large number of
    firewalls, so a firewall cannot be considered a protective measure
    against it.

    If the firewall uses stateful packet inspection / packet filtering and
    operates at layers 3 and 4 (that is, it can tell port 80 from port 21
    but not an HTTP GET from an HTTP POST), it offers no protection against
    this vulnerability: the attack is one TCP connection to the permitted
    port carrying a request the firewall never parses.

    If the firewall has proxy features operating at the so-called
    "application" layer (7) (that is, it can tell an HTTP GET from an HTTP
    POST), it does offer protection, provided it rejects requests whose
    method is unknown or overly long instead of forwarding them unchanged.

    The above holds for HTTP, where a large number of HTTP proxies and
    firewalls exist. Unfortunately, for HTTPS the majority of firewalls
    offer no protection against this vulnerability, since HTTPS is nothing
    more to them than TCP port 443: the request line travels inside the
    encrypted stream and cannot be inspected without terminating TLS.

    After all, Oracle in Security Alert #66 correctly says: "Firewalls
    deployed within a corporate Intranet or between a corporate Intranet
    and the Internet do not protect against these vulnerabilities."

    Credit
    ------

    Discovery: Ioannis Migadakis a.k.a. JMIG

    Vulnerability History
    ---------------------

    DATE          INFO
    ------------- ------------------------------------------------------
    17 April 2003 Vulnerability Discovered
    22 April 2003 Contacted CERT
    23 April 2003 Contacted Oracle
    23 April 2003 CERT Replied - Assign VU#643985
    12 March 2004 Oracle Security Alert #66 Rev.1 Released
     2 April 2004 Oracle Security Alert #66 Rev.2 Released with Credits
     8 April 2004 Public Advisory Released to
                     bugtraq@securityfocus.com
                     vulnwatch@vulnwatch.org
                     full-disclosure@lists.netsys.com

    About inAccess Networks
    -----------------------
    inAccess Networks designs broadband access systems for the converging
    telecommunication market and operates an OEM Design and a Network
    Design team.
    Network Design team works with Service Providers and Enterprise
    customers for large scale network design, network optimization,
    security and quality assurance.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html