
secadv01.txt
Posted Apr 9, 2004
Authored by Ioannis Migadakis | Site inaccessnetworks.com

InAccess Networks Security Advisory - A heap overflow vulnerability exists in Oracle 9iAS / 10g Application Server Web Cache that allows for arbitrary code execution.

tags | advisory, web, overflow, arbitrary, code execution
advisories | CVE-2004-0385
SHA-256 | 4e378c70e2ef00bc393079279435003c09bf5895c7e3812c496bd01f0d2d04f9




InAccess Networks
www.inaccessnetworks.com

Security Advisory





Advisory Name: Heap Overflow in Oracle 9iAS / 10g Application Server Web Cache
Release Date:  8 April 2004
Application:   Oracle Web Cache - all versions except 9.0.4.0.0 for Windows, AIX & Tru64, which already contain fixes
Platform:      All Oracle supported platforms -
                 Sun Solaris
                 HP/UX
                 HP Tru64
                 IBM AIX
                 Linux
                 Windows
Severity:      Critical - Remote Code Execution
Category:      Heap Overflow
Exploitation:  Remote
Author:        Ioannis Migadakis [jmig@inaccessnetworks.com] [jmig@mail.gr]
Vendor Status: Oracle has released Security Alert #66 and patches are available for supported products.
               See http://otn.oracle.com/deploy/security/alerts.htm

CVE Candidate: CAN-2004-0385
Reference:     www.inaccessnetworks.com/ian/services/secadv01.txt




About Web Cache
---------------

From Oracle's Web Site

"Oracle Web Cache is the software industry's leading application
acceleration solution. Designed for enterprise grid computing, OracleAS
Web Cache leverages state-of-the-art caching and compression
technologies to optimize application performance and more efficiently
utilize low-cost, existing hardware resources."



From Oracle's 9iAS Web Cache - Technical FAQ

"An integrated component of Oracle's application server infrastructure,
Oracle9iAS Web Cache is an innovative content delivery solution
designed to accelerate dynamic Web-based applications and reduce
hardware costs."


From Oracle's Security Alert #66 Rev.1

"...a typical Core or Mid-Tier default installation of Oracle
Application Server includes Web Cache."






Vulnerability Summary
---------------------

A heap overflow vulnerability exists in Oracle Web Cache on all
platforms. The vulnerability can be exploited remotely and the attacker
can execute code of his choice. Some firewalls may not protect against
this vulnerability. Patches are available from Oracle's Web Site and
should be applied immediately. The risk of exposure is high.






Vulnerability Details
---------------------

The Web Cache application processes HTTP/HTTPS requests from clients and
passes them to the Oracle HTTP Server(s).


HTTP/HTTPS         -------------        -------------
client ----------> - Web Cache - -----> -HTTP Server-
Request            -------------        -------------


By default Web Cache listens for incoming connections on port 7777 for
HTTP and 4443 for HTTPS. These ports are configured by the
administrator of the system, and in real-world installations they become
the well-known ports 80 and 443, which are open through the firewall to
everyone.


A heap overflow condition exists in the "webcached" process when an
invalid HTTP/HTTPS request is made. The overflow can be triggered by
sending an overly long token as the HTTP Request Method. Per RFC 2616,
the valid values for the HTTP Request Method are GET, HEAD, POST, PUT,
DELETE, TRACE and CONNECT.


Supplying an HTTP Request Method 432 bytes long against a Windows-based
Web Cache installation causes the following exception within
ntdll.RtlAllocateHeap:


77FCBF00 MOV DWORD PTR DS:[ESI], ECX
77FCBF02 MOV DWORD PTR DS:[ECX+4], ESI


ECX and ESI are overwritten with attacker-supplied values. By
controlling the values of the registers ECX and ESI, it is possible to
write an arbitrary dword to any address: the classic write-what-where
condition described in many security-related documents. The buffer is
also quite large: Oracle9iAS Web Cache uses 4 KB as the default buffer
size for the HTTP headers. Using different variations of the technique
it is possible to overwrite different CPU registers.
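
The unlink sequence behind the two instructions quoted above, modelled as an added C example (not code from the advisory, Oracle or Microsoft): an unchecked unlink of a free-list entry whose links have been overwritten turns into an arbitrary write, whereas the safe-unlinking check later added to the Windows heap detects the inconsistency and refuses to write. The list layout, the function names and the stand-in target variables are assumptions for illustration.

```c
#include <stddef.h>

/* Assumed layout of a doubly-linked free-list entry walked by the heap. */
typedef struct list_entry {
    struct list_entry *Flink;
    struct list_entry *Blink;
} LIST_ENTRY;

/* Unchecked unlink: the two stores quoted from RtlAllocateHeap. With Flink
 * (ECX) and Blink (ESI) overwritten, each store lands where the overflow says. */
static void unlink_unchecked(LIST_ENTRY *e) {
    LIST_ENTRY *next = e->Flink;   /* ECX */
    LIST_ENTRY *prev = e->Blink;   /* ESI */
    prev->Flink = next;            /* MOV DWORD PTR [ESI], ECX   */
    next->Blink = prev;            /* MOV DWORD PTR [ECX+4], ESI */
}

/* Safe unlink: proceed only if both neighbours still point back at e.
 * Returns 1 when unlinked, 0 when rejected as corrupt (nothing written). */
static int unlink_safe(LIST_ENTRY *e) {
    LIST_ENTRY *next = e->Flink;
    LIST_ENTRY *prev = e->Blink;
    if (next->Blink != e || prev->Flink != e)
        return 0;
    prev->Flink = next;
    next->Blink = prev;
    return 1;
}

/* Intact list head <-> a: the checked unlink behaves normally. Returns 1. */
int demo_valid_unlink(void) {
    LIST_ENTRY head, a;
    head.Flink = head.Blink = &a;
    a.Flink = a.Blink = &head;
    return unlink_safe(&a) == 1 && head.Flink == &head && head.Blink == &head;
}

/* Entry a with both links redirected to unrelated memory (constructed stand-in
 * for overflowed values). The checked unlink rejects it and leaves both targets
 * untouched; the unchecked unlink writes into them. Returns 1 if both hold. */
int demo_corrupted_unlink(void) {
    LIST_ENTRY head, a, target_x = {0}, target_y = {0};
    head.Flink = head.Blink = &a;
    a.Flink = a.Blink = &head;
    a.Flink = &target_x;           /* value that would reach ECX */
    a.Blink = &target_y;           /* value that would reach ESI */
    if (unlink_safe(&a) != 0 || target_x.Blink != NULL || target_y.Flink != NULL)
        return 0;
    unlink_unchecked(&a);
    return target_y.Flink == &target_x && target_x.Blink == &target_y;
}
```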


The vulnerability exists on all Oracle supported platforms. On Windows,
Web Cache runs under the security context of the Local SYSTEM account,
so successful exploitation of the vulnerability allows a full remote
system compromise. On Unix and Linux the Web Cache process normally runs
as user ORACLE, so successful exploitation of the vulnerability may
allow a complete compromise of the data.


CERT has assigned VU#643985 for this vulnerability.






HTTP/HTTPS Method Heap Overflow & Firewalls
-------------------------------------------

This vulnerability can bypass a large number of firewalls, so a
firewall cannot be considered a protective measure against it.


If the firewall uses stateful packet inspection / packet filtering and
operates at layers 3 and 4 (e.g. it can tell the difference between
port 80 and port 21 but not between HTTP GET and HTTP POST), then this
firewall does not offer any protection against this vulnerability.


If the firewall has proxy features operating at the so-called
"application" layer (7) (e.g. it can tell the difference between
HTTP GET and HTTP POST), then this firewall does offer protection
against this vulnerability.


The above holds for HTTP, where a large number of HTTP proxies and
firewalls exist. Unfortunately, for HTTPS the majority of firewalls do
not offer protection against this vulnerability, since to them HTTPS is
nothing more than TCP port 443.


After all, Oracle in Security Alert #66 correctly says "Firewalls
deployed within a corporate Intranet or between a corporate Intranet
and the Internet do not protect against these vulnerabilities."
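
As an added example (not code from the advisory or from Oracle), the request-line check that an application-layer proxy can apply and a layer 3/4 packet filter cannot: the method token must be one of the RFC 2616 methods and is length-capped, so a request whose method runs to hundreds of bytes, like the 432-byte one described above, is rejected before it reaches Web Cache. The 32-byte cap, the function names and the constructed test request are assumptions.

```c
#include <string.h>

#define MAX_METHOD_LEN 32   /* assumed cap; real methods are at most 7 bytes */

/* Request methods defined by RFC 2616, section 5.1.1. */
static const char *const RFC2616_METHODS[] = {
    "OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT"
};

/* Classify an HTTP request line.
 *  1 = method is a known RFC 2616 method, pass the request on
 *  0 = well-formed but unknown method, reject
 * -1 = malformed request line or method token over the cap, reject */
int check_request_line(const char *line) {
    size_t n = strcspn(line, " ");             /* method ends at first SP */
    if (line[n] != ' ')
        return -1;                             /* no SP at all: malformed */
    if (n == 0 || n > MAX_METHOD_LEN)
        return -1;                             /* empty or oversized token */
    size_t count = sizeof RFC2616_METHODS / sizeof RFC2616_METHODS[0];
    for (size_t i = 0; i < count; i++) {
        if (strlen(RFC2616_METHODS[i]) == n &&
            memcmp(line, RFC2616_METHODS[i], n) == 0)
            return 1;
    }
    return 0;
}

/* Constructed test input: a request line whose method is n bytes of 'A',
 * the shape of the invalid request the advisory describes. Returns the
 * classification, or -1 if n does not fit the local buffer. */
int check_long_method(size_t n) {
    char buf[1024];
    if (n + 16 > sizeof buf)
        return -1;
    memset(buf, 'A', n);
    strcpy(buf + n, " / HTTP/1.0\r\n");
    return check_request_line(buf);
}
```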






Credit
------

Discovery: Ioannis Migadakis a.k.a. JMIG






Vulnerability History
---------------------


DATE           INFO
-------------  ------------------------------------------------------
17 April 2003  Vulnerability Discovered
22 April 2003  Contacted CERT
23 April 2003  Contacted Oracle
23 April 2003  CERT Replied - Assigned VU#643985
12 March 2004  Oracle Security Alert #66 Rev.1 Released
 2 April 2004  Oracle Security Alert #66 Rev.2 Released with Credits
 8 April 2004  Public Advisory Released to
               bugtraq@securityfocus.com
               vulnwatch@vulnwatch.org
               full-disclosure@lists.netsys.com






About inAccess Networks
-----------------------
inAccess Networks designs broadband access systems for the converging
telecommunication market and operates an OEM Design team and a Network
Design team. The Network Design team works with Service Providers and
Enterprise customers on large-scale network design, network
optimization, security and quality assurance.
