Re: Heap Overflow in Oracle 9iAS / 10g Application Server Web Cache

[Cesar <cesarc56 () yahoo com>]

Here you can see how Oracle is very serious about
security and that Oracle really cares about their
customers, ONE YEAR TO FIX A REMOTE
VULNERABILITY!!!!!!

ORACLE=UNBREAKABLE?
FBI and CIA still running Oracle?
;)

Cesar.

--- Ioannis Migadakis <jmig () mail gr> wrote:
>                         InAccess Networks
>                      www.inaccessnetworks.com
>
>                         Security Advisory
>
>
>
>
>
> Advisory Name: Heap Overflow in Oracle 9iAS / 10g
> Application Server 
>                Web Cache 
>  Release Date: 8 April 2004
>   Application: Oracle Web Cache - all versions
> except 9.0.4.0.0 for 
>                Windows, AIX & Tru64 which already
> contain fixes
>      Platform: All Oracle supported platforms - 
>                Sun Solaris
>                HP/UX
>                HP Tru64
>                IBM AIX
>                Linux
>                Windows
>      Severity: Critical - Remote Code Execution
>      Category: Heap Overflow 
>  Exploitation: Remote
>        Author: Ioannis Migadakis
> [jmig () inaccessnetworks com]
>                                  [jmig () mail gr]
> Vendor Status: Oracle has released Security Alert
> #66 and 
>                patches are available for supported
> products. 
>                See
> http://otn.oracle.com/deploy/security/alerts.htm
>
> CVE Candidate: CAN-2004-0385                  
>     Reference:
> www.inaccessnetworks.com/ian/services/secadv01.txt 
>
>
>
>
> About Web Cache
> ---------------
>
> From Oracle's Web Site 
>
> "Oracle Web Cache is the software industry's leading
> application 
> acceleration solution. Designed for enterprise grid
> computing, OracleAS 
> Web Cache leverages state-of-the-art caching and
> compression 
> technologies  to optimize application performance
> and more efficiently 
> utilize low-cost, existing hardware resources."
>
>
>
> From Oracle's 9iAS Web Cache - Technical FAQ 
>
> "An integrated component of Oracle's application
> server infrastructure, 
> Oracle9iAS Web Cache is an innovative content
> delivery solution 
> designed  to accelerate dynamic Web-based
> applications and reduce 
> hardware costs."
>
>
> From Oracle's Security Alert #66 Rev.1
>
> "...a typical Core or Mid-Tier default installation
> of Oracle 
> Application  Server includes Web Cache."
>
>
>
>
>
>
> Vulnerability Summary
> ---------------------
>
> A heap overflow vulnerability exists in Oracle Web
> Cache - all 
> platforms. The vulnerability can be exploited
> remotely and the attacker
> can execute code of his choice. Some firewalls may
> not protect against 
> this vulnerability. Patches are available from
> Oracle's Web Site and 
> should be applied immediately. The risk to exposure
> is high.
>
>
>
>
>
>
> Vulnerability Details
> ---------------------
>
> Web Cache application processes HTTP/HTTPS requests
> from clients and 
> passes them to Oracle HTTP Server(s).  
>
>
>         HTTP/HTTPS     -------------         
> ------------- 
>  client ---------->    - Web Cache -  ----->  -HTTP
> Server-    
>          Request       -------------         
> -------------
>        
>
> By default Web Cache listens for incoming
> connections on port 7777 for 
> HTTP and 4443 for HTTPS. These ports are configured
> by the 
> administrator of the system and in real world
> installations they become
> the well known ports 80 and 443 and they are
> available through the 
> firewall to all. 
>
>
> A heap overflow condition exists in "webcached"
> process when an invalid
> HTTP/HTTPS request is made. The overflow can be
> triggered by sending an
> overly long header as the HTTP Request Method. From
> RFC 2616 valid 
> values for the HTTP Request Method are GET, HEAD,
> POST, PUT, DELETE, 
> TRACE, CONNECT.   
>
>
> By supplying an HTTP Request Method header of 432
> bytes long against 
> a Windows based Web Cache installation the following
> exception is 
> caused within ntdll.RtlAllocateHeap. 
>
>
> 77FCBF00   MOV DWORD PTR DS:[ESI], ECX
> 77FCBF02   MOV DWORD PTR DS:[ECX+4], ESI
>
>
> ECX and ESI are overwritten with the attacker
> supplied values. By 
> controlling the values of the registers ECX and ESI,
> it is possible to 
> write an arbitrary dword to any address. It all
> comes to the WHERE - 
> WHAT situation described in many security related
> documents. Also the
> buffer is quite large - Oracle9iAS Web Cache uses 4
> KB for the HTTP 
> headers as default buffer size. Using different
> variations of the exploit 
> technique it is possible to overwrite different CPU
> registers.
>
>
> The vulnerability exists in all Oracle supported
> platforms. On Windows
> the Web Cache is running under the Security Context
> of Local SYSTEM 
> account and in a successful exploitation of the
> vulnerability, a full 
> remote system compromise is possible. On Unix &
> Linux the Web Cache 
> process normally is running as user ORACLE and in a
> successful 
> exploitation of the vulnerability a complete
> compromise of the data 
> may be possible.  
>
>
> CERT has assigned VU#643985 for this vulnerability. 
>
>
>
>
>
>
> HTTP/HTTPS Method Heap Overflow & Firewalls 
> -------------------------------------------
>
> This vulnerability can bypass a large number of
> firewalls, so a 
> firewall can not be considered as a measure for
> protection against this
> vulnerability.
=== message truncated ===


__________________________________
Do you Yahoo!?
Yahoo! Small Business $15K Web Design Giveaway 
http://promotions.yahoo.com/design_giveaway/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html