Full Disclosure mailing list archives

Re: [VulnWatch] Heap Overflow in Oracle 9iAS / 10g Application Server Web Cache


From: "Jay D. Dyson" <jdyson () bugtraq org>
Date: Thu, 8 Apr 2004 15:40:19 -0400

Quick question - from your advisory . . .

On Thu, Apr 08, 2004 at 02:48:43PM +0200, Ioannis Migadakis wrote:
>      Platform: All Oracle supported platforms - 
>                Sun Solaris
>                HP/UX
>                HP Tru64
>                IBM AIX
>                Linux
>                Windows
>      Severity: Critical - Remote Code Execution
>      Category: Heap Overflow 
>  Exploitation: Remote
> 
> bracket dot dot dot bracket
> 77FCBF00   MOV DWORD PTR DS:[ESI], ECX
> 77FCBF02   MOV DWORD PTR DS:[ECX+4], ESI
> 
> 
> ECX and ESI are overwritten with the attacker supplied values. By 
> controlling the values of the registers ECX and ESI, it is possible to 
> write an arbitrary dword to any address. It all comes to the WHERE - 
> WHAT situation described in many security related documents. Also the
> buffer is quite large - Oracle9iAS Web Cache uses 4 KB for the HTTP 
> headers as default buffer size. Using different variations of the exploit 
> technique it is possible to overwrite different CPU registers.


Have you attempted to verify exploitability on anything other than windows?

. . . or, are the other architectures just listed as vulnerable to hype up
your ego?

-- 
- -Jay

   (    (                                                        _______
   ))   ))   .-"There's always time for a good cup of coffee"-.   >====<--.
 C|~~|C|~~| (>------ Jay D. Dyson -- jdyson () bugtraq org ------<) |    = |-'
  `--' `--'  `-------- Si latinam satis simiis doces, --------'  `------'
              `--- quandoque unus aliquid profundum dicet ---'
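The two quoted MOVs are the classic doubly-linked-list unlink, and the quoted advisory's "WHERE - WHAT" remark refers to what happens when the list pointers come out of an overflowed buffer. The C program below is an added illustration, not code from the advisory or from Oracle: it models a Windows-style list entry (Flink at offset 0, Blink at the next pointer slot, an assumed layout; the quoted disassembly is 32-bit, hence the "+4"), reads the MOVs as ESI = Blink and ECX = Flink (also an assumption), performs the unlink once without any check and once with the "safe unlink" back-pointer check that later heap implementations adopted, and shows in a constructed scenario that the check refuses the write while still unlinking a well-formed entry.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Windows-style doubly linked list entry: Flink at offset 0, Blink at the
 * next pointer slot. The layout is an assumption made for this illustration;
 * the quoted disassembly is 32-bit, which is where the "+4" comes from. */
typedef struct list_entry {
    struct list_entry *Flink;
    struct list_entry *Blink;
} list_entry;

/* Classic unlink. Reading the quoted MOVs as ESI = e->Blink, ECX = e->Flink:
 *   MOV [ESI], ECX    ->  Blink->Flink = Flink
 *   MOV [ECX+4], ESI  ->  Flink->Blink = Blink
 * Nothing verifies that Flink and Blink still point at list entries, so an
 * entry whose pointers were overwritten stores a chosen value (WHAT) at a
 * chosen address (WHERE). */
static void unlink_unchecked(list_entry *e) {
    list_entry *flink = e->Flink;
    list_entry *blink = e->Blink;
    blink->Flink = flink;
    flink->Blink = blink;
}

/* "Safe unlink": both neighbours of a genuine entry point back at it. A
 * corrupted entry fails this, so the stores are refused rather than done. */
static bool unlink_checked(list_entry *e) {
    list_entry *flink = e->Flink;
    list_entry *blink = e->Blink;
    if (flink->Blink != e || blink->Flink != e)
        return false;
    blink->Flink = flink;
    flink->Blink = blink;
    return true;
}

/* Constructed demo: `victim` stands in for the WHERE (a pointer slot the
 * program later uses) and `payload` for the WHAT. Returns true when the
 * unchecked unlink overwrote victim.Flink with the payload address. */
static bool demo_unchecked_overwrites_target(void) {
    static list_entry victim  = {0};
    static list_entry payload = {0};
    list_entry corrupted = { .Flink = &payload, .Blink = &victim };
    unlink_unchecked(&corrupted);
    return victim.Flink == &payload;
}

/* Same corrupted entry through the checked unlink: no write may happen. */
static bool demo_checked_rejects_corruption(void) {
    static list_entry victim  = {0};
    static list_entry payload = {0};
    list_entry corrupted = { .Flink = &payload, .Blink = &victim };
    bool unlinked = unlink_checked(&corrupted);
    return !unlinked && victim.Flink == NULL;
}

/* Well-formed circular list head <-> a <-> b: the checked unlink of `a`
 * must succeed and leave head <-> b, i.e. the check does not break
 * legitimate frees. */
static bool demo_checked_allows_legitimate_unlink(void) {
    list_entry head, a, b;
    head.Flink = &a;    head.Blink = &b;
    a.Flink    = &b;    a.Blink    = &head;
    b.Flink    = &head; b.Blink    = &a;
    bool unlinked = unlink_checked(&a);
    return unlinked && head.Flink == &b && b.Blink == &head;
}

int main(void) {
    printf("unchecked unlink overwrote target:  %s\n",
           demo_unchecked_overwrites_target() ? "yes" : "no");
    printf("checked unlink rejected corruption: %s\n",
           demo_checked_rejects_corruption() ? "yes" : "no");
    printf("checked unlink of a valid entry:    %s\n",
           demo_checked_allows_legitimate_unlink() ? "ok" : "FAILED");
    return 0;
}
```

The point for a defender is that the write primitive exists only because the allocator trusted pointers it read from a corruptible chunk; the back-pointer check is cheap and turns the corrupted unlink into a detectable failure instead of a silent store.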
          

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

