Open Source and information security mailing list archives
 
From: cesarc56 at yahoo.com (Cesar)
Subject: Heap Overflow in Oracle 9iAS / 10g Application Server Web Cache

Here you can see how Oracle is very serious about security and that Oracle
really cares about their customers, ONE YEAR TO FIX A REMOTE VULNERABILITY!!!!!!

ORACLE=UNBREAKABLE?
FBI and CIA still running Oracle?
;)

Cesar.

--- Ioannis Migadakis <jmig@...l.gr> wrote:
> 
>                         InAccess Networks
>                      www.inaccessnetworks.com
> 
>                         Security Advisory
> 
> Advisory Name: Heap Overflow in Oracle 9iAS / 10g Application Server
>                Web Cache
>  Release Date: 8 April 2004
>   Application: Oracle Web Cache - all versions except 9.0.4.0.0 for
>                Windows, AIX & Tru64 which already contain fixes
>      Platform: All Oracle supported platforms -
>                Sun Solaris
>                HP/UX
>                HP Tru64
>                IBM AIX
>                Linux
>                Windows
>      Severity: Critical - Remote Code Execution
>      Category: Heap Overflow
>  Exploitation: Remote
>        Author: Ioannis Migadakis [jmig@...ccessnetworks.com]
>                                  [jmig@...l.gr]
> Vendor Status: Oracle has released Security Alert #66 and patches are
>                available for supported products.
>                See http://otn.oracle.com/deploy/security/alerts.htm
> 
> CVE Candidate: CAN-2004-0385
>     Reference: www.inaccessnetworks.com/ian/services/secadv01.txt
> 
> About Web Cache
> ---------------
> 
> From Oracle's Web Site
> 
> "Oracle Web Cache is the software industry's leading application
> acceleration solution. Designed for enterprise grid computing, OracleAS
> Web Cache leverages state-of-the-art caching and compression
> technologies to optimize application performance and more efficiently
> utilize low-cost, existing hardware resources."
> 
> From Oracle's 9iAS Web Cache - Technical FAQ
> 
> "An integrated component of Oracle's application server infrastructure,
> Oracle9iAS Web Cache is an innovative content delivery solution
> designed to accelerate dynamic Web-based applications and reduce
> hardware costs."
> 
> From Oracle's Security Alert #66 Rev.1
> 
> "...a typical Core or Mid-Tier default installation of Oracle
> Application Server includes Web Cache."
> 
> Vulnerability Summary
> ---------------------
> 
> A heap overflow vulnerability exists in Oracle Web Cache - all
> platforms. The vulnerability can be exploited remotely and the attacker
> can execute code of his choice. Some firewalls may not protect against
> this vulnerability. Patches are available from Oracle's Web Site and
> should be applied immediately. The risk to exposure is high.
> 
> Vulnerability Details
> ---------------------
> 
> Web Cache application processes HTTP/HTTPS requests from clients and
> passes them to Oracle HTTP Server(s).
> 
>         HTTP/HTTPS     -------------         -------------
>  client ---------->    - Web Cache -  ----->  -HTTP Server-
>          Request       -------------         -------------
> 
> By default Web Cache listens for incoming connections on port 7777 for
> HTTP and 4443 for HTTPS. These ports are configured by the
> administrator of the system and in real world installations they become
> the well known ports 80 and 443 and they are available through the
> firewall to all.
> 
> A heap overflow condition exists in "webcached" process when an invalid
> HTTP/HTTPS request is made. The overflow can be triggered by sending an
> overly long header as the HTTP Request Method. From RFC 2616 valid
> values for the HTTP Request Method are GET, HEAD, POST, PUT, DELETE,
> TRACE, CONNECT.
> 
> By supplying an HTTP Request Method header of 432 bytes long against
> a Windows based Web Cache installation the following exception is
> caused within ntdll.RtlAllocateHeap.
> 
> 77FCBF00   MOV DWORD PTR DS:[ESI], ECX
> 77FCBF02   MOV DWORD PTR DS:[ECX+4], ESI
> 
> 
> ECX and ESI are overwritten with the attacker supplied values. By
> controlling the values of the registers ECX and ESI, it is possible to
> write an arbitrary dword to any address. It all comes to the WHERE -
> WHAT situation described in many security related documents. Also the
> buffer is quite large - Oracle9iAS Web Cache uses 4 KB for the HTTP
> headers as default buffer size. Using different variations of the
> exploit technique it is possible to overwrite different CPU registers.
> 
> The vulnerability exists in all Oracle supported platforms. On Windows
> the Web Cache is running under the Security Context of Local SYSTEM
> account and in a successful exploitation of the vulnerability, a full
> remote system compromise is possible. On Unix & Linux the Web Cache
> process normally is running as user ORACLE and in a successful
> exploitation of the vulnerability a complete compromise of the data
> may be possible.
> 
> CERT has assigned VU#643985 for this vulnerability.
> 
> HTTP/HTTPS Method Heap Overflow & Firewalls
> -------------------------------------------
> 
> This vulnerability can bypass a large number of firewalls, so a
> firewall cannot be considered as a measure for protection against this
> vulnerability.
> 
=== message truncated ===
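
As an added example (not part of Cesar's post, the InAccess Networks advisory, or Oracle's code), a request-line check that a reverse proxy or IDS hook in front of Web Cache could apply: it rejects methods outside the RFC 2616 set the advisory lists, methods longer than a small limit (the advisory's crash trigger was a 432-byte method), and methods containing non-token characters. The hook interface, the `MAX_METHOD_LEN` value and the sample request lines are assumptions constructed for the example.

```python
import re

# Added example, not Oracle's or InAccess Networks' code. Assumption: a proxy
# or IDS hook hands us the raw first line of each HTTP request as a string.

# Methods defined by RFC 2616, as listed in the advisory.
RFC2616_METHODS = frozenset({"GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT"})
# Limit chosen here (not an Oracle value); the advisory's crash trigger was a
# 432-byte method, far beyond any real method token.
MAX_METHOD_LEN = 32
# RFC 2616 "token": printable ASCII without CTLs or separators.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

def parse_request_line(line):
    """Split 'Method SP Request-URI SP HTTP-Version'; None if not three parts."""
    parts = line.rstrip("\r\n").split(" ")
    return tuple(parts) if len(parts) == 3 else None

def classify_request_line(line):
    """Return 'ok' or a short reason the request line should be rejected
    before it reaches webcached's 4 KB header buffer."""
    parsed = parse_request_line(line)
    if parsed is None:
        return "malformed-request-line"
    method, _uri, version = parsed
    if len(method) > MAX_METHOD_LEN:          # catches the 432-byte case
        return "method-too-long"
    if not _TOKEN_RE.match(method):
        return "method-not-a-token"
    if method not in RFC2616_METHODS:
        return "method-unknown"
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return "version-unknown"
    return "ok"

def audit(lines):
    """Map each request line to (truncated line, verdict) for logging/alerting."""
    return [(ln[:40], classify_request_line(ln)) for ln in lines]

# Constructed sample request lines (not captured traffic).
SAMPLE_LINES = [
    "GET /index.html HTTP/1.1",
    "A" * 432 + " / HTTP/1.0",       # method length the advisory reports crashing webcached
    "GET\x00GET / HTTP/1.1",         # control character inside the method token
    "FOO / HTTP/1.1",                # syntactically a token, but not an RFC 2616 method
]

if __name__ == "__main__":
    for prefix, verdict in audit(SAMPLE_LINES):
        print(f"{verdict:24} {prefix!r}")
```

Rejecting at the proxy only reduces exposure of an unpatched Web Cache; the vendor patches referenced in the advisory remain the fix.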



