[NEWS] Heap Overflow in Oracle 9iAS / 10g Application Server Web Cache


Date: 13 Apr 2004 12:11:05 +0200
From: SecuriTeam <[email protected]>
To: [email protected]
Subject: [NEWS] Heap Overflow in Oracle 9iAS / 10g Application Server Web Cache

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



  Heap Overflow in Oracle 9iAS / 10g Application Server Web Cache
------------------------------------------------------------------------


SUMMARY

Oracle Web Cache is "the software industry's leading application 
acceleration solution. Designed for enterprise grid computing, OracleAS 
Web Cache leverages state-of-the-art caching and compression technologies 
to optimize application performance and more efficiently utilize low-cost, 
existing hardware resources". A heap overflow vulnerability exists in 
Oracle Web Cache on all platforms. The vulnerability can be exploited 
remotely, and a successful attacker can execute code of their choice. 
Some firewalls may not protect against this vulnerability. Patches are 
available from Oracle's Web Site and should be applied immediately.

DETAILS

Vulnerable Systems:
 * Oracle Web Cache - all versions except 9.0.4.0.0 for Windows, AIX & 
Tru64 which already contain fixes

The Web Cache application processes HTTP/HTTPS requests from clients and 
passes them on to one or more Oracle HTTP Servers.

        HTTP/HTTPS     -------------          ------------- 
 client ---------->    - Web Cache -  ----->  -HTTP Server-    
         Request       -------------          -------------

By default Web Cache listens for incoming connections on port 7777 for 
HTTP and 4443 for HTTPS. These ports are configured by the system 
administrator; in real-world installations they are changed to the 
well-known ports 80 and 443, which are reachable through the firewall by 
everyone.

A heap overflow condition exists in the "webcached" process when an 
invalid HTTP/HTTPS request is made. Sending an overly long value as the 
HTTP Request Method can trigger the overflow. According to RFC 2616, the 
valid values for the HTTP Request Method are GET, HEAD, POST, PUT, DELETE, 
TRACE and CONNECT.

Supplying an HTTP Request Method 432 bytes long to a Windows-based Web 
Cache installation causes the following exception within 
ntdll.RtlAllocateHeap:

77FCBF00 MOV DWORD PTR DS:[ESI], ECX
77FCBF02 MOV DWORD PTR DS:[ECX+4], ESI

ECX and ESI are overwritten with attacker-supplied values. By controlling 
the values of the registers ECX and ESI, it is possible to write an 
arbitrary DWORD to any address: the classic write-what-where situation 
described in many security-related documents. The buffer is also quite 
large, since Oracle9iAS Web Cache uses 4 KB as the default buffer size for 
the HTTP headers. Different variations of the technique make it possible 
to overwrite different CPU registers.
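The defect described above is a copy of the request method into a heap buffer without a prior length check. The following C function is an added illustration, not Oracle's code and not part of the advisory, of the check that prevents this bug class: it bounds and validates the method token according to RFC 2616 before any copy takes place, and classifies a few constructed request lines, including one whose method is 432 bytes of 'A' like the request the advisory describes. The MAX_METHOD_LEN value and the status names are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Upper bound on the request method we are willing to accept. RFC 2616
 * methods are at most 7 characters (CONNECT); 16 leaves room for extension
 * methods. The value is an assumption for this example, not an Oracle
 * setting. */
#define MAX_METHOD_LEN 16

enum method_status {
    METHOD_OK = 0,        /* one of the RFC 2616 methods */
    METHOD_TOO_LONG = 1,  /* rejected before any copy */
    METHOD_BAD_TOKEN = 2, /* contains CTL or separator characters */
    METHOD_UNKNOWN = 3,   /* well-formed token, but not an RFC 2616 method */
    METHOD_MALFORMED = 4  /* no method / no space in the request line */
};

static const char *const known_methods[] = {
    "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT", NULL
};

/* RFC 2616 token characters: any CHAR except CTLs or separators. */
static int is_token_char(unsigned char c)
{
    if (c <= 31 || c >= 127) return 0;
    return strchr("()<>@,;:\\\"/[]?={} \t", c) == NULL;
}

/* Parse the method from an HTTP request line into a caller-provided
 * buffer of size out_len. The length check runs before the copy; its
 * absence is exactly what turns an over-long method into a heap overflow. */
enum method_status parse_request_method(const char *request_line,
                                        char *out, size_t out_len)
{
    const char *sp = strchr(request_line, ' ');
    size_t len;
    if (sp == NULL) return METHOD_MALFORMED;
    len = (size_t)(sp - request_line);
    if (len == 0) return METHOD_MALFORMED;
    if (len > MAX_METHOD_LEN || len >= out_len) return METHOD_TOO_LONG;
    for (size_t i = 0; i < len; i++)
        if (!is_token_char((unsigned char)request_line[i]))
            return METHOD_BAD_TOKEN;
    memcpy(out, request_line, len);
    out[len] = '\0';
    for (const char *const *m = known_methods; *m != NULL; m++)
        if (strcmp(out, *m) == 0) return METHOD_OK;
    return METHOD_UNKNOWN;
}

/* Classify a request line without the caller managing a buffer. */
enum method_status classify_request_line(const char *request_line)
{
    char method[MAX_METHOD_LEN + 1];
    return parse_request_method(request_line, method, sizeof method);
}

/* Constructed input: a request line whose method is n bytes of 'A',
 * mirroring the 432-byte method the advisory describes. Returns 1 if the
 * parser rejects it as too long, 0 otherwise. */
int long_method_rejected(size_t n)
{
    const char *tail = " / HTTP/1.0\r\n";
    char *buf = malloc(n + strlen(tail) + 1);
    int rejected;
    if (buf == NULL) return 0;
    memset(buf, 'A', n);
    strcpy(buf + n, tail);
    rejected = classify_request_line(buf) == METHOD_TOO_LONG;
    free(buf);
    return rejected;
}

int main(void)
{
    /* Constructed sample request lines. */
    const char *samples[] = { "GET / HTTP/1.0\r\n", "PATCH / HTTP/1.1\r\n",
                              "G{T / HTTP/1.0\r\n", "GET\r\n" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20.20s -> status %d\n", samples[i],
               classify_request_line(samples[i]));
    printf("432-byte method rejected: %d\n", long_method_rejected(432));
    return 0;
}
```

The same length-and-token check is useful on the detection side: a reverse proxy or IDS in front of an unpatched Web Cache can flag any request whose method exceeds a few dozen bytes, since no legitimate client sends one.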

The vulnerability exists on all platforms supported by Oracle. On Windows, 
Web Cache runs under the security context of the Local SYSTEM account, so 
successful exploitation of the vulnerability allows a full remote system 
compromise. On UNIX and Linux, the Web Cache process normally runs as the 
user ORACLE, so successful exploitation of the vulnerability may allow a 
complete compromise of the data.

CERT has assigned VU#643985 for this vulnerability.

Disclosure Timeline:
17 April 2003 Vulnerability Discovered
22 April 2003 Contacted CERT
23 April 2003 Contacted Oracle 
23 April 2003 CERT Replied - Assign VU#643985
12 March 2004 Oracle Security Alert #66 Rev.1 Released 
 2 April 2004 Oracle Security Alert #66 Rev.2 Released with Credits
 8 April 2004 Public Advisory Released


ADDITIONAL INFORMATION

The information has been provided by Ioannis Migadakis a.k.a. JMIG 
(<mailto:[email protected]>).

The original article can be found at:
http://www.inaccessnetworks.com/ian/services/secadv01.txt



