Message-ID: <20040408194019.GA29241@symantec.bugtraq.org>
From: jdyson at bugtraq.org (Jay D. Dyson)
Subject: Re: [VulnWatch] Heap Overflow in Oracle 9iAS / 10g Application Server Web Cache

Quick question - from your advisory . . .

On Thu, Apr 08, 2004 at 02:48:43PM +0200, Ioannis Migadakis wrote:
>      Platform: All Oracle supported platforms - 
>                Sun Solaris
>                HP/UX
>                HP Tru64
>                IBM AIX
>                Linux
>                Windows
>      Severity: Critical - Remote Code Execution
>      Category: Heap Overflow 
>  Exploitation: Remote
> 
bracket dot dot dot bracket
> 77FCBF00   MOV DWORD PTR DS:[ESI], ECX
> 77FCBF02   MOV DWORD PTR DS:[ECX+4], ESI
> 
> 
> ECX and ESI are overwritten with the attacker supplied values. By 
> controlling the values of the registers ECX and ESI, it is possible to 
> write an arbitrary dword to any address. It all comes to the WHERE - 
> WHAT situation described in many security related documents. Also the
> buffer is quite large - Oracle9iAS Web Cache uses 4 KB for the HTTP 
> headers as default buffer size. Using different variations of the exploit 
> technique it is possible to overwrite different CPU registers.
> 

Have you attempted to verify exploitability on anything other than Windows?

. . . or, are the other architectures just listed as vulnerable to hype up
your ego?

-- 
- -Jay

   (    (                                                        _______
   ))   ))   .-"There's always time for a good cup of coffee"-.   >====<--.
 C|~~|C|~~| (>------ Jay D. Dyson -- jdyson@...traq.org ------<) |    = |-'
  `--' `--'  `-------- Si latinam satis simiis doces, --------'  `------'
              `--- quandoque unus aliquid profundum dicet ---'
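
Added example, not part of the original post or the quoted advisory: the two quoted stores have the shape of a doubly-linked list unlink, and the sketch below shows that unlink next to a version that checks link consistency before writing. It assumes the stores come from a free-list unlink; the struct, function names and the test scenario are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical free-list entry: forward link first, backward link second
 * (offsets 0 and 4 on 32-bit x86, matching [ESI] and [ECX+4]). */
struct entry { struct entry *flink, *blink; };

/* Unchecked unlink, for comparison: both links are trusted, so an entry
 * whose links were overwritten redirects the two stores. */
void unlink_unchecked(struct entry *e)
{
    struct entry *f = e->flink;   /* ECX in the quoted listing */
    struct entry *b = e->blink;   /* ESI in the quoted listing */
    b->flink = f;                 /* MOV [ESI], ECX */
    f->blink = b;                 /* MOV [ECX+4], ESI */
}

/* Checked unlink: both neighbours must point back at e before any store.
 * Returns 0 on success, -1 if the links are inconsistent. */
int unlink_checked(struct entry *e)
{
    struct entry *f = e->flink, *b = e->blink;
    if (f == NULL || b == NULL || f->blink != e || b->flink != e)
        return -1;                /* corrupted entry: write nothing */
    b->flink = f;
    f->blink = b;
    return 0;
}

/* Constructed scenario: circular list head <-> a <-> b. With corrupt != 0,
 * a's links are replaced by two decoy addresses, standing in for an overflow. */
int demo(int corrupt, int *decoys_intact)
{
    struct entry head, a, b, d1 = {NULL, NULL}, d2 = {NULL, NULL};
    head.flink = &a; a.flink = &b; b.flink = &head;
    head.blink = &b; b.blink = &a; a.blink = &head;
    if (corrupt) { a.flink = &d1; a.blink = &d2; }
    int rc = unlink_checked(&a);
    *decoys_intact = !d1.flink && !d1.blink && !d2.flink && !d2.blink;
    if (rc == 0 && (head.flink != &b || b.blink != &head))
        return -2;                /* reported success but list is wrong */
    return rc;
}

int main(void)
{
    int ok, rc = demo(1, &ok);
    printf("corrupted entry: rc=%d decoys_intact=%d\n", rc, ok);
    return 0;
}
```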
	  

