$Id: safer0016_oas_advisory.txt,v 1.3 2001/03/27 10:27:16 vanja Exp $
__________________________________________________________

           S.A.F.E.R. Security Bulletin 0016
__________________________________________________________


TITLE    : Oracle Application Server shared library buffer overflow
DATE     : April 10, 2001
NATURE   : Remote execution of code, Denial of Service
AFFECTED : Oracle Application Server 4.0.8.2 with iWS 4.0/4.1 web server, running
on SPARC/Solaris 2.7

NOTE:

We have been able to reproduce this on 2 different machines with a very similar
setup. Oracle has been contacted, but they haven't been able to reproduce this
problem. We would appreciate it if people using OAS/iWS could test this against
their servers and let both us and Oracle know the results, as other versions of
the software might be vulnerable as well.

The Oracle Security Team would appreciate having the results sent to:
[EMAIL PROTECTED]


PROBLEM:

An exploitable buffer overflow has been identified in a shared library that
ships with Oracle Application Server 4.0.8.2 and is used by iPlanet Web
Server when it is configured as an external web listener.


DETAILS:

iWS has to be configured as an external `web listener' for Oracle Application
Server, so that iWS loads a shared library ($ORAHOME/ows/4.0/lib/ndwfn4.so)
to handle requests for OAS. The overflow happens when a long string is requested
under a prefix that has been `linked' to OAS (by default /jsp/); the request is
then passed to the library routines to be processed. The buffer size is around
2050-2060 bytes.

Checking if you are vulnerable:

A request similar to:

GET /jsp/<A x 2050> HTTP/1.0

(perl -e 'print "GET /jsp/","A"x2050," HTTP/1.0\n\n"' | nc victim 80)

will trigger the overflow (the iWS web server should core-dump and be restarted
by the watchdog; externally this will be seen as a dropped connection).

It is also possible that other versions of OAS/iWS/Solaris are vulnerable.
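
Until a fix is available, the practical defence is to notice probes of this
shape before they reach the library. The following Python script is an added
example, not part of the original advisory or of Oracle's code: it scans HTTP
request lines (as found in a proxy or web-server log) and flags requests whose
target falls under an OAS-linked prefix and is far longer than any legitimate
JSP path. The prefix list (only the advisory's default /jsp/), the 1024-byte
alert threshold (chosen to sit well below the ~2050-byte buffer) and the sample
lines are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Prefixes that iWS forwards to OAS through ndwfn4.so. The advisory names /jsp/
# as the default; any site-specific linked prefixes would be added here
# (assumption: only the default is configured).
LINKED_PREFIXES = ("/jsp/",)

# The advisory puts the overflowing buffer at roughly 2050-2060 bytes. Alerting
# well below that catches probing attempts early. The 1024-byte threshold is an
# assumption chosen for this example, not a value from the advisory.
MAX_SAFE_TARGET_LEN = 1024

# HTTP/1.x request line: METHOD SP request-target SP HTTP-version
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) (?P<version>HTTP/\d\.\d)$")


@dataclass
class Finding:
    line_no: int      # 1-based index of the offending request line
    target_len: int   # length of the request-target in bytes
    prefix: str       # the linked prefix that routed the request to OAS


def check_request_line(line: str) -> Optional[Tuple[str, int]]:
    """Return (prefix, target_length) when the request targets a linked prefix
    with an over-long target, else None. Malformed lines are ignored rather
    than flagged, so the scanner reports only what the library would process."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return None
    target = m.group("target")
    for prefix in LINKED_PREFIXES:
        if target.startswith(prefix) and len(target) > MAX_SAFE_TARGET_LEN:
            return prefix, len(target)
    return None


def scan_request_lines(lines: List[str]) -> List[Finding]:
    """Scan a sequence of request lines and collect every suspicious one."""
    findings = []
    for n, line in enumerate(lines, 1):
        hit = check_request_line(line)
        if hit is not None:
            findings.append(Finding(line_no=n, target_len=hit[1], prefix=hit[0]))
    return findings


# Constructed sample input: a benign JSP request, the advisory's probe shape,
# an equally long request outside the linked prefix (never reaches ndwfn4.so,
# so it is not flagged), and a malformed line.
SAMPLE_LINES = [
    "GET /jsp/index.jsp HTTP/1.0",
    "GET /jsp/" + "A" * 2050 + " HTTP/1.0",
    "GET /static/" + "A" * 2050 + " HTTP/1.0",
    "garbage",
]

if __name__ == "__main__":
    for f in scan_request_lines(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.target_len}-byte request target under {f.prefix}")
```

The same length check, applied at a front-end proxy as a hard limit on the
request-target size for the linked prefixes, turns this detection into a
mitigation: a request that cannot reach ndwfn4.so cannot overflow it.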


EXPLOIT:

We have developed a working exploit for this problem which will be publicly
released.


FIXES:

No fixes are available at the time of this writing.


CREDITS:

Fyodor Yarochkin <[EMAIL PROTECTED]>


This advisory will also be made available at
http://www.safermag.com/advisories/

__________________________________________________________

   S.A.F.E.R. - Security Alert For Enterprise Resources
          Copyright (c) 2001 The Relay Group
  http://www.safermag.com  ----  [EMAIL PROTECTED]
__________________________________________________________
