Full Disclosure mailing list archives
Re: [VulnWatch] Heap Overflow in Oracle 9iAS / 10g Application Server Web Cache
From: "Jay D. Dyson" <jdyson () bugtraq org>
Date: Thu, 8 Apr 2004 15:40:19 -0400
Quick question - from your advisory . . .

On Thu, Apr 08, 2004 at 02:48:43PM +0200, Ioannis Migadakis wrote:

> Platform: All Oracle supported platforms - Sun Solaris, HP/UX, HP Tru64, IBM AIX, Linux, Windows
> Severity: Critical - Remote Code Execution
> Category: Heap Overflow
> Exploitation: Remote
>
> [...]
>
> 77FCBF00 MOV DWORD PTR DS:[ESI], ECX
> 77FCBF02 MOV DWORD PTR DS:[ECX+4], ESI
>
> ECX and ESI are overwritten with the attacker supplied values. By controlling the values of the registers ECX and ESI, it is possible to write an arbitrary dword to any address. It all comes to the WHERE - WHAT situation described in many security related documents. Also the buffer is quite large - Oracle9iAS Web Cache uses 4 KB for the HTTP headers as default buffer size. Using different variations of the exploit technique it is possible to overwrite different CPU registers.

Have you attempted to verify exploitability on anything other than Windows? . . . or, are the other architectures just listed as vulnerable to hype up your ego?

-- 
- -Jay
( ( _______ )) )) .-"There's always time for a good cup of coffee"-. >====<--. C|~~|C|~~| (>------ Jay D. Dyson -- jdyson () bugtraq org ------<) | = |-' `--' `--' `-------- Si latinam satis simiis doces, --------' `------' `--- quandoque unus aliquid profundum dicet ---'

_______________________________________________
Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
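The two MOV instructions quoted from the advisory are the second half of a textbook doubly-linked-list unlink: the allocator writes each neighbour's address into the other neighbour, so if a heap overflow has overwritten the chunk's forward and backward pointers, both writes land at attacker-chosen addresses. The C below is an added illustration, not code from the advisory or from Oracle Web Cache, and it assumes nothing about the product beyond what the quoted text states. It models the unlink on a minimal free-list node, then shows the mitigation most allocators later adopted: refusing the unlink unless each neighbour still points back at the chunk being removed, which is the check that turns a silent write-what-where into a detectable corruption. The link values used to simulate the overflow are constructed for the demo.

```c
#include <stdbool.h>
#include <stddef.h>

/* Minimal doubly-linked free-list node, as used by many allocators.
 * (Constructed for this example; not the Web Cache allocator's layout.) */
typedef struct chunk {
    struct chunk *fd;   /* forward link */
    struct chunk *bk;   /* backward link */
    int           tag;  /* payload, only used to identify nodes here */
} chunk_t;

/* Classic unlink with no validation. The two stores correspond to the
 * "MOV [ESI], ECX" / "MOV [ECX+4], ESI" pair quoted above: if fd and bk
 * were overwritten by an overflow, the stores go wherever they point. */
static void unlink_unchecked(chunk_t *p) {
    chunk_t *fd = p->fd;
    chunk_t *bk = p->bk;
    fd->bk = bk;
    bk->fd = fd;
}

/* Hardened unlink: only proceed if both neighbours still point back at p.
 * Overwritten links almost never satisfy both conditions, so the
 * corruption is caught before any write happens. */
static bool unlink_checked(chunk_t *p) {
    chunk_t *fd = p->fd;
    chunk_t *bk = p->bk;
    if (fd == NULL || bk == NULL || fd->bk != p || bk->fd != p)
        return false;           /* corrupted list: refuse and report */
    fd->bk = bk;
    bk->fd = fd;
    return true;
}

/* Build the healthy list a <-> b <-> c. */
static void build_list(chunk_t *a, chunk_t *b, chunk_t *c) {
    a->fd = b;    a->bk = NULL; a->tag = 1;
    b->fd = c;    b->bk = a;    b->tag = 2;
    c->fd = NULL; c->bk = b;    c->tag = 3;
}

/* Intact links: both unlink variants remove b and join a to c.
 * Returns 1 when both behave as expected. */
int demo_valid_unlink(void) {
    chunk_t a, b, c;

    build_list(&a, &b, &c);
    unlink_unchecked(&b);
    if (!(a.fd == &c && c.bk == &a))
        return 0;

    build_list(&a, &b, &c);
    if (!unlink_checked(&b))
        return 0;
    return (a.fd == &c && c.bk == &a) ? 1 : 0;
}

/* Simulated overflow: b's links now hold bogus values (constructed decoys
 * standing in for attacker-supplied pointers). The checked unlink must
 * refuse and leave every node untouched. Returns 1 on success. */
int demo_corrupted_links_rejected(void) {
    chunk_t a, b, c, decoy1, decoy2;

    build_list(&a, &b, &c);
    decoy1.fd = decoy1.bk = NULL; decoy1.tag = 0;
    decoy2.fd = decoy2.bk = NULL; decoy2.tag = 0;

    b.fd = &decoy1;   /* corrupted: no longer a real neighbour */
    b.bk = &decoy2;

    if (unlink_checked(&b))
        return 0;     /* should have been rejected */

    /* Nothing was written: original neighbours and decoys are unchanged. */
    return (a.fd == &b && c.bk == &b &&
            decoy1.bk == NULL && decoy2.fd == NULL) ? 1 : 0;
}
```

The check is cheap (two loads and two compares per unlink) and is the same idea as the "safe unlinking" later shipped in mainstream heap implementations; it does not fix the overflow itself, which still needs bounds checking on the header buffer, but it removes the unlink as a reliable write primitive and gives the process a point at which to abort and log.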