Message-ID: <20040408173608.3142.qmail@web40003.mail.yahoo.com>
From: cesarc56 at yahoo.com (Cesar)
Subject: Heap Overflow in Oracle 9iAS / 10g Application Server Web Cache
Here you can see how Oracle is very serious about
security and that Oracle really cares about their
customers, ONE YEAR TO FIX A REMOTE
VULNERABILITY!!!!!!
ORACLE=UNBREAKABLE?
FBI and CIA still running Oracle?
;)
Cesar.
--- Ioannis Migadakis <jmig@...l.gr> wrote:
> InAccess Networks
> www.inaccessnetworks.com
>
> Security Advisory
>
> Advisory Name: Heap Overflow in Oracle 9iAS / 10g Application Server
>                Web Cache
> Release Date:  8 April 2004
> Application:   Oracle Web Cache - all versions except 9.0.4.0.0 for
>                Windows, AIX & Tru64 which already contain fixes
> Platform:      All Oracle supported platforms -
>                Sun Solaris
>                HP/UX
>                HP Tru64
>                IBM AIX
>                Linux
>                Windows
> Severity:      Critical - Remote Code Execution
> Category:      Heap Overflow
> Exploitation:  Remote
> Author:        Ioannis Migadakis
>                [jmig@...ccessnetworks.com]
>                [jmig@...l.gr]
> Vendor Status: Oracle has released Security Alert #66 and
>                patches are available for supported products.
>                See http://otn.oracle.com/deploy/security/alerts.htm
>
> CVE Candidate: CAN-2004-0385
> Reference:     www.inaccessnetworks.com/ian/services/secadv01.txt
>
> About Web Cache
> ---------------
>
> From Oracle's Web Site
>
> "Oracle Web Cache is the software industry's leading application
> acceleration solution. Designed for enterprise grid computing, OracleAS
> Web Cache leverages state-of-the-art caching and compression
> technologies to optimize application performance and more efficiently
> utilize low-cost, existing hardware resources."
>
> From Oracle's 9iAS Web Cache - Technical FAQ
>
> "An integrated component of Oracle's application server infrastructure,
> Oracle9iAS Web Cache is an innovative content delivery solution
> designed to accelerate dynamic Web-based applications and reduce
> hardware costs."
>
> From Oracle's Security Alert #66 Rev.1
>
> "...a typical Core or Mid-Tier default installation of Oracle
> Application Server includes Web Cache."
>
> Vulnerability Summary
> ---------------------
>
> A heap overflow vulnerability exists in Oracle Web Cache - all
> platforms. The vulnerability can be exploited remotely and the attacker
> can execute code of his choice. Some firewalls may not protect against
> this vulnerability. Patches are available from Oracle's Web Site and
> should be applied immediately. The risk to exposure is high.
>
> Vulnerability Details
> ---------------------
>
> Web Cache application processes HTTP/HTTPS requests from clients and
> passes them to Oracle HTTP Server(s).
>
>   HTTP/HTTPS        -------------         -------------
> client ---------->  - Web Cache -  -----> -HTTP Server-
>   Request           -------------         -------------
>
> By default Web Cache listens for incoming connections on port 7777 for
> HTTP and 4443 for HTTPS. These ports are configured by the
> administrator of the system and in real world installations they become
> the well known ports 80 and 443 and they are available through the
> firewall to all.
>
> A heap overflow condition exists in "webcached" process when an invalid
> HTTP/HTTPS request is made. The overflow can be triggered by sending an
> overly long header as the HTTP Request Method. From RFC 2616 valid
> values for the HTTP Request Method are GET, HEAD, POST, PUT, DELETE,
> TRACE, CONNECT.
>
> By supplying an HTTP Request Method header of 432 bytes long against
> a Windows based Web Cache installation the following exception is
> caused within ntdll.RtlAllocateHeap.
>
> 77FCBF00 MOV DWORD PTR DS:[ESI], ECX
> 77FCBF02 MOV DWORD PTR DS:[ECX+4], ESI
>
> ECX and ESI are overwritten with the attacker supplied values. By
> controlling the values of the registers ECX and ESI, it is possible to
> write an arbitrary dword to any address. It all comes to the WHERE -
> WHAT situation described in many security related documents. Also the
> buffer is quite large - Oracle9iAS Web Cache uses 4 KB for the HTTP
> headers as default buffer size. Using different variations of the exploit
> technique it is possible to overwrite different CPU registers.
>
> The vulnerability exists in all Oracle supported platforms. On Windows
> the Web Cache is running under the Security Context of Local SYSTEM
> account and in a successful exploitation of the vulnerability, a full
> remote system compromise is possible. On Unix & Linux the Web Cache
> process normally is running as user ORACLE and in a successful
> exploitation of the vulnerability a complete compromise of the data
> may be possible.
>
> CERT has assigned VU#643985 for this vulnerability.
>
> HTTP/HTTPS Method Heap Overflow & Firewalls
> -------------------------------------------
>
> This vulnerability can bypass a large number of firewalls, so a
> firewall can not be considered as a measure for protection against this
> vulnerability.
>
=== message truncated ===
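
A defender-side check for the condition the quoted advisory describes, an overly long or invalid HTTP request method, written as an added example that is not part of the original message, the advisory, or Oracle's code. The `MAX_METHOD_LEN` cap, the function names and the sample requests are assumptions constructed for illustration; the check would sit in a reverse proxy, IDS rule or log review in front of Web Cache.

```python
import re

# Methods defined in RFC 2616 section 5.1.1 (the advisory's list plus OPTIONS).
RFC2616_METHODS = {b"OPTIONS", b"GET", b"HEAD", b"POST", b"PUT",
                   b"DELETE", b"TRACE", b"CONNECT"}
# RFC 2616 "token" characters: visible ASCII without separators or controls.
TOKEN_RE = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
MAX_METHOD_LEN = 32  # assumed local policy cap, not a value from the advisory


def classify_request_line(raw: bytes) -> tuple:
    """Return (verdict, method_length) for the first line of an HTTP request."""
    line = raw.split(b"\r\n", 1)[0].split(b"\n", 1)[0]
    # The method is everything before the first space. With no space at all
    # the whole line counts as the method, so an oversized method followed
    # by nothing is still measured in full.
    method = line.split(b" ", 1)[0]
    n = len(method)
    if n == 0:
        return ("malformed", 0)
    if n > MAX_METHOD_LEN:
        return ("oversized-method", n)
    if not TOKEN_RE.fullmatch(method):
        return ("malformed", n)
    if method not in RFC2616_METHODS:
        # Legal extension method (for example WebDAV); report, do not block.
        return ("unknown-method", n)
    return ("ok", n)


def scan(requests):
    """Return [(index, verdict, length)] for every request that is not 'ok'."""
    hits = []
    for i, raw in enumerate(requests):
        verdict, n = classify_request_line(raw)
        if verdict != "ok":
            hits.append((i, verdict, n))
    return hits


# Constructed sample input: filler bytes only, no payload content.
SAMPLES = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"PROPFIND /dav/ HTTP/1.1\r\n",
    b"A" * 432 + b" / HTTP/1.0\r\n",   # method length quoted in the advisory
    b"GE\x00T / HTTP/1.1\r\n",         # control byte inside the method
    b"\r\n",                           # empty request line
]

if __name__ == "__main__":
    for hit in scan(SAMPLES):
        print(hit)
```
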