$Id: safer0016_oas_advisory.txt,v 1.3 2001/03/27 10:27:16 vanja Exp $

__________________________________________________________

S.A.F.E.R. Security Bulletin 0016

__________________________________________________________

TITLE    : Oracle Application Server shared library buffer overflow
DATE     : April 10, 2001
NATURE   : Remote execution of code, Denial of Service
AFFECTED : Oracle Application Server 4.0.8.2 + iWS 4.0/4.1 web server,
           running on Sparc/Solaris 2.7

NOTE:

We have been able to reproduce this on 2 different machines with very
similar setups. Oracle has been contacted, but they have not been able to
reproduce this problem. We would appreciate it if people using OAS/iWS
could test this against their servers and let both us and Oracle know the
results, as other versions of the software might be vulnerable as well.
The Oracle Security Team would appreciate the results being sent to:
[EMAIL PROTECTED]

PROBLEM:

An exploitable buffer overflow has been identified in a shared library
that ships with Oracle Application Server 4.0.8.2 and is used by iPlanet
Web Server when it is configured as an external web listener.

DETAILS:

iWS has to be configured as an external `web listener' for Oracle
Application Server, so that iWS loads a shared library
($ORAHOME/ows/4.0/lib/ndwfn4.so) to handle requests for OAS.

The overflow happens when a long string is requested under a prefix that
has been `linked' to OAS (by default /jsp/), which is then passed to the
library routines to be processed. The buffer size is around 2050-60 bytes.

Checking if you are vulnerable:

A request similar to:

    GET /jsp/<A x 2050> HTTP/1.0

    (perl -e 'print "GET /jsp/","A"x2050," HTTP/1.0\n\n"' | nc victim 80)

will trigger the overflow (the iWS web server should core-dump and be
restarted by the watchdog; externally this is seen as a dropped
connection).

It is also possible that other versions of OAS/iWS/Solaris are vulnerable.

EXPLOIT:

We have developed a working exploit for this problem, which will be
publicly released.

FIXES:

No fixes are available at the time of this writing.

CREDITS:

Fyodor Yarochkin <[EMAIL PROTECTED]>

This advisory will also be made available at
http://www.safermag.com/advisories/

__________________________________________________________

S.A.F.E.R. - Security Alert For Enterprise Resources
Copyright (c) 2001 The Relay Group
http://www.safermag.com ---- [EMAIL PROTECTED]

__________________________________________________________
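Since no fix is available, a defender's next best step is to spot requests of the shape described above (a linked prefix such as /jsp/ followed by an unusually long path) in request logs before the listener falls over. The script below is an added example and is not part of the advisory or of Oracle's or S.A.F.E.R.'s material; the 1024-byte alert threshold, the Common Log Format parsing and the sample log lines are assumptions constructed for illustration.

```python
import re
from typing import List, Tuple

# Request-path prefixes that the web listener forwards to OAS. The advisory
# names only the default, /jsp/; add any other linked prefixes from your setup.
LINKED_PREFIXES = ("/jsp/",)

# The advisory puts the overflowed buffer at roughly 2050-60 bytes. Alert well
# below that so the event is visible before a crash; 1024 is an assumed value,
# not one taken from the advisory.
PATH_LENGTH_THRESHOLD = 1024

# Matches the request part of a Common Log Format line: "METHOD PATH PROTO"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)"')


def check_request_path(path: str) -> bool:
    """True if the path sits under a linked prefix and is long enough to be suspicious."""
    under_linked_prefix = any(path.startswith(p) for p in LINKED_PREFIXES)
    return under_linked_prefix and len(path) > PATH_LENGTH_THRESHOLD


def scan_log_lines(lines: List[str]) -> List[Tuple[int, str, int]]:
    """Return (line number, truncated request, path length) for each suspicious request."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        m = REQUEST_RE.search(line)
        if m is None:
            continue  # not a request line we understand; skip rather than guess
        path = m.group("path")
        if check_request_path(path):
            hits.append((lineno, f"{m.group('method')} {path[:40]}...", len(path)))
    return hits


# Constructed sample log lines (not from the advisory): a normal request, a long
# request under the linked /jsp/ prefix, and a long request outside any prefix.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Apr/2001:12:00:01 +0000] "GET /jsp/index.jsp HTTP/1.0" 200 512',
    '10.0.0.9 - - [10/Apr/2001:12:00:02 +0000] "GET /jsp/' + "A" * 2050 + ' HTTP/1.0" 500 0',
    '10.0.0.9 - - [10/Apr/2001:12:00:03 +0000] "GET /static/' + "B" * 2050 + ' HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    for lineno, head, length in scan_log_lines(SAMPLE_LOG):
        print(f"line {lineno}: {head} (path length {length})")
```

A request that crashes the listener may never be written to its own access log, so feed this from an upstream proxy, load balancer or packet-capture log rather than relying on the iWS log alone.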