Re: [Full-Disclosure] Heap Overflow in Oracle 9iAS / 10g Application Server Web Cache

From: Cesar (cesarc56_at_yahoo.com)
Date: 04/08/04

  • Next message: jamie: "Re: [Full-Disclosure] FAT32 input > output = null?"

    To: full-disclosure@lists.netsys.com
    Date: Thu, 8 Apr 2004 10:36:08 -0700 (PDT)


    Here you can see how Oracle is very serious about
    security and that Oracle really cares about their
    customers, ONE YEAR TO FIX A REMOTE
    VULNERABILITY!!!!!!

    ORACLE=UNBREAKABLE?
    FBI and CIA still running Oracle?
    ;)

    Cesar.

    --- Ioannis Migadakis <jmig@mail.gr> wrote:
    >
    > InAccess Networks
    > www.inaccessnetworks.com
    >
    > Security Advisory
    >
    > Advisory Name:  Heap Overflow in Oracle 9iAS / 10g Application Server Web Cache
    > Release Date:   8 April 2004
    > Application:    Oracle Web Cache - all versions except 9.0.4.0.0 for Windows,
    >                 AIX & Tru64, which already contain fixes
    > Platform:       All Oracle supported platforms -
    >                 Sun Solaris
    >                 HP/UX
    >                 HP Tru64
    >                 IBM AIX
    >                 Linux
    >                 Windows
    > Severity:       Critical - Remote Code Execution
    > Category:       Heap Overflow
    > Exploitation:   Remote
    > Author:         Ioannis Migadakis [jmig@inaccessnetworks.com] [jmig@mail.gr]
    > Vendor Status:  Oracle has released Security Alert #66 and patches are
    >                 available for supported products.
    >                 See http://otn.oracle.com/deploy/security/alerts.htm
    > CVE Candidate:  CAN-2004-0385
    > Reference:      www.inaccessnetworks.com/ian/services/secadv01.txt
    >
    > About Web Cache
    > ---------------
    >
    > From Oracle's Web Site
    >
    > "Oracle Web Cache is the software industry's leading application acceleration
    > solution. Designed for enterprise grid computing, OracleAS Web Cache leverages
    > state-of-the-art caching and compression technologies to optimize application
    > performance and more efficiently utilize low-cost, existing hardware resources."
    >
    > From Oracle's 9iAS Web Cache - Technical FAQ
    >
    > "An integrated component of Oracle's application server infrastructure,
    > Oracle9iAS Web Cache is an innovative content delivery solution designed to
    > accelerate dynamic Web-based applications and reduce hardware costs."
    >
    > From Oracle's Security Alert #66 Rev.1
    >
    > "...a typical Core or Mid-Tier default installation of Oracle Application
    > Server includes Web Cache."
    >
    > Vulnerability Summary
    > ---------------------
    >
    > A heap overflow vulnerability exists in Oracle Web Cache - all platforms. The
    > vulnerability can be exploited remotely and the attacker can execute code of
    > his choice. Some firewalls may not protect against this vulnerability. Patches
    > are available from Oracle's Web Site and should be applied immediately. The
    > risk of exposure is high.
    >
    > Vulnerability Details
    > ---------------------
    >
    > The Web Cache application processes HTTP/HTTPS requests from clients and
    > passes them to Oracle HTTP Server(s).
    >
    >
    >   HTTP/HTTPS               -------------            -------------
    >   client    ---------->    - Web Cache -   ----->   -HTTP Server-
    >   Request                  -------------            -------------
    >
    >
    > By default Web Cache listens for incoming connections on port 7777 for HTTP
    > and 4443 for HTTPS. These ports are configured by the administrator of the
    > system, and in real-world installations they become the well-known ports 80
    > and 443, available through the firewall to all.
    >
    > A heap overflow condition exists in the "webcached" process when an invalid
    > HTTP/HTTPS request is made. The overflow can be triggered by sending an overly
    > long header as the HTTP Request Method. From RFC 2616, valid values for the
    > HTTP Request Method are GET, HEAD, POST, PUT, DELETE, TRACE, CONNECT.
    >
    > By supplying an HTTP Request Method header 432 bytes long against a Windows
    > based Web Cache installation, the following exception is caused within
    > ntdll.RtlAllocateHeap:
    >
    >   77FCBF00   MOV DWORD PTR DS:[ESI], ECX
    >   77FCBF02   MOV DWORD PTR DS:[ECX+4], ESI
    >
    > ECX and ESI are overwritten with the attacker-supplied values. By controlling
    > the values of the registers ECX and ESI, it is possible to write an arbitrary
    > dword to any address. It all comes down to the WHERE-WHAT situation described
    > in many security-related documents. Also, the buffer is quite large - Oracle9iAS
    > Web Cache uses 4 KB for the HTTP headers as the default buffer size. Using
    > different variations of the exploit technique it is possible to overwrite
    > different CPU registers.
    >
    > The vulnerability exists on all Oracle supported platforms. On Windows, Web
    > Cache runs under the security context of the Local SYSTEM account, and on
    > successful exploitation of the vulnerability a full remote system compromise
    > is possible. On Unix & Linux the Web Cache process normally runs as user
    > ORACLE, and on successful exploitation of the vulnerability a complete
    > compromise of the data may be possible.
    >
    > CERT has assigned VU#643985 for this vulnerability.
    >
    > HTTP/HTTPS Method Heap Overflow & Firewalls
    > -------------------------------------------
    >
    > This vulnerability can bypass a large number of firewalls, so a firewall
    > cannot be considered a measure of protection against this vulnerability.
    >
    === message truncated ===

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

