CVE-2004-0385
CVSS 10.0
Published: 2004-06-01 00:00:00
Revised: 2016-10-17 22:44:52

[Original] Heap-based buffer overflow in Oracle 9i Application Server Web Cache 9.0.4.0.0, 9.0.3.1.0, 9.0.2.3.0, and 9.0.0.4.0 allows remote attackers to execute arbitrary code via a long HTTP request method header to the Web Cache listener. NOTE: due to the vagueness of the Oracle advisory, it is not clear whether there are additional issues besides this overflow, although the advisory alludes to multiple "vulnerabilities."


[CNNVD] Oracle 9iAS/10g Application Server Web Cache Remote Heap Overflow Vulnerability (CNNVD-200406-035)

        
        Oracle Web Cache is part of the Oracle Application Server suite; it is designed to sit in front of Oracle web servers as a caching reverse proxy.
        Oracle Web Cache on all platforms has a heap overflow that a remote attacker can exploit to execute arbitrary instructions on the system with the privileges of the service process.
        The Web Cache process receives HTTP/HTTPS requests from clients and passes them on to the Oracle HTTP Server. The "webcached" process has a heap overflow when handling malformed HTTP/HTTPS requests; it is triggered by sending an overly long token as the HTTP request method. RFC 2616 defines the request methods GET, HEAD, POST, PUT, DELETE, TRACE and CONNECT (and OPTIONS), all of them short tokens.
        Against a Windows-based Web Cache installation, submitting a request whose method is 432 bytes long causes the following exception inside ntdll.RtlAllocateHeap:
        77FCBF00 MOV DWORD PTR DS:[ESI], ECX
        77FCBF02 MOV DWORD PTR DS:[ECX+4], ESI
        Carefully crafted request data may allow arbitrary instructions to be executed with the privileges of the process.
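The request-method handling described above, shown as an added example in C. This is not Oracle's or the advisory author's code: the internals of webcached are not public, so the unbounded copy is only an illustration of the bug class, placed beside a hardened parser that bounds the method token, enforces RFC 2616 token characters and whitelists the methods RFC 2616 section 5.1.1 defines. The 4 KB header buffer is the advisory's figure; the function names, METHOD_MAX, and the 432-byte test request are constructed here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed sizes: the advisory says Web Cache uses a 4 KB default buffer for
   HTTP headers. METHOD_MAX is our own choice (the longest RFC 2616 method,
   CONNECT, is 7 bytes). */
#define HDR_BUF_SIZE 4096
#define METHOD_MAX   16

/* Vulnerable pattern: copy the method token up to the first SP with no
   bound on the destination. A method longer than the buffer runs into
   whatever follows it on the heap. Contrast only; never call it on
   untrusted input. */
size_t copy_method_unbounded(const char *req, char *dst) {
    size_t i = 0;
    while (req[i] != '\0' && req[i] != ' ') { dst[i] = req[i]; i++; }
    dst[i] = '\0';
    return i;
}

typedef enum { REQ_OK, REQ_EMPTY_METHOD, REQ_METHOD_TOO_LONG,
               REQ_BAD_CHAR, REQ_UNKNOWN_METHOD } req_status;

/* RFC 2616 token: any CHAR except CTLs and separators. */
static bool is_tchar(unsigned char c) {
    if (c <= 0x20 || c >= 0x7f) return false;
    return strchr("()<>@,;:\\\"/[]?={}", c) == NULL;
}

/* Hardened parser: bounded copy, token characters only, then a whitelist of
   the methods RFC 2616 section 5.1.1 defines (the advisory's list plus
   OPTIONS). Anything else is rejected before it touches further state. */
req_status parse_method(const char *req, char *dst, size_t dst_size) {
    static const char *const known[] = { "OPTIONS", "GET", "HEAD", "POST",
                                         "PUT", "DELETE", "TRACE", "CONNECT" };
    size_t i = 0;
    for (; req[i] != '\0' && req[i] != ' '; i++) {
        if (!is_tchar((unsigned char)req[i])) return REQ_BAD_CHAR;
        if (i + 1 >= dst_size) return REQ_METHOD_TOO_LONG;  /* room for NUL */
        dst[i] = req[i];
    }
    if (i == 0) return REQ_EMPTY_METHOD;
    dst[i] = '\0';
    for (size_t k = 0; k < sizeof known / sizeof known[0]; k++)
        if (strcmp(dst, known[k]) == 0) return REQ_OK;
    return REQ_UNKNOWN_METHOD;
}

/* Builds the request the advisory describes: a method of method_len bytes
   followed by an ordinary request line. Constructed input, not a capture. */
size_t build_long_method_request(char *out, size_t out_size, size_t method_len) {
    const char *tail = " / HTTP/1.0\r\n\r\n";
    if (method_len + strlen(tail) + 1 > out_size) return 0;
    memset(out, 'A', method_len);
    strcpy(out + method_len, tail);
    return method_len + strlen(tail);
}

/* Wrappers using a METHOD_MAX buffer, for the demo below and for tests. */
req_status check_request(const char *req) {
    char method[METHOD_MAX];
    return parse_method(req, method, sizeof method);
}

req_status check_long_method(size_t method_len) {
    char req[HDR_BUF_SIZE];
    if (build_long_method_request(req, sizeof req, method_len) == 0)
        return REQ_METHOD_TOO_LONG;
    return check_request(req);
}

int main(void) {
    printf("432-byte method -> status %d (2 = too long)\n", (int)check_long_method(432));
    printf("GET / HTTP/1.1 -> status %d (0 = ok)\n", (int)check_request("GET / HTTP/1.1\r\n"));
    return 0;
}
```

The whitelist is the reverse-proxy stance: a cache that only ever forwards a handful of methods has no reason to accept an extension method, and rejecting early means a long or malformed token never reaches the code that allocates for it.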
        

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:oracle:application_server_web_cache:9.0.4.0.0    Oracle Oracle9iAS Web Cache 9.0.4.0.0
cpe:/a:oracle:application_server_web_cache:9.0.2.3.0    Oracle Oracle9iAS Web Cache 9.0.2.3.0
cpe:/a:oracle:application_server_web_cache:9.0.3.1.0    Oracle Oracle9iAS Web Cache 9.0.3.1.0
cpe:/a:oracle:e-business_suite:11i    Oracle E-Business Suite 11i
cpe:/a:oracle:application_server_web_cache:9.0.0.4.0    Oracle Oracle9iAS Web Cache 9.0.0.4.0

- OVAL (technical details for detection)

No matching OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0385
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0385
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200406-035
(official data source) CNNVD

- Other links and resources

http://archives.neohapsis.com/archives/vulnwatch/2004-q1/0078.html
(UNKNOWN)  VULNWATCH  20040408 Heap Overflow in Oracle 9iAS / 10g Application Server Web Cache
http://marc.info/?l=bugtraq&m=107945649127635&w=2
(UNKNOWN)  BUGTRAQ  20040316 new security alert #66 issued in Oracle web cache
http://marc.info/?l=bugtraq&m=108144419001770&w=2
(UNKNOWN)  BUGTRAQ  20040408 Heap Overflow in Oracle 9iAS / 10g Application Server Web Cache
http://otn.oracle.com/deploy/security/pdf/2004alert66.pdf
(VENDOR_ADVISORY)  CONFIRM  http://otn.oracle.com/deploy/security/pdf/2004alert66.pdf
http://www.inaccessnetworks.com/ian/services/secadv01.txt
(VENDOR_ADVISORY)  MISC  http://www.inaccessnetworks.com/ian/services/secadv01.txt
http://www.kb.cert.org/vuls/id/413006
(VENDOR_ADVISORY)  CERT-VN  VU#413006
http://www.securityfocus.com/bid/9868
(UNKNOWN)  BID  9868
http://xforce.iss.net/xforce/xfdb/15463
(UNKNOWN)  XF  oracle-web-cache-vulnerabilities(15463)

- Vulnerability information

Oracle 9iAS/10g Application Server Web Cache Remote Heap Overflow Vulnerability
Critical    Boundary condition error
2004-06-01 00:00:00    2005-10-20 00:00:00
Remote

- Advisories and patches

        Vendor patches:
        Oracle
        ------
        Oracle has released a security alert (Oracle Security Alert #66) together with the corresponding patches:
        Oracle Security Alert #66: Vulnerabilities in Oracle Application Server Web Cache
        Link:
        http://otn.oracle.com/deploy/security/pdf/2004alert66.pdf

        See MetaLink Document ID 265310.1 to download the patches:

        http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=265310.1

- Vulnerability information (F33042)

secadv01.txt (PacketStormID: F33042)
2004-04-09 00:00:00
Ioannis Migadakis  inaccessnetworks.com
advisory,web,overflow,arbitrary,code execution
CVE-2004-0385

InAccess Networks Security Advisory - A heap overflow vulnerability exists in Oracle 9iAS / 10g Application Server Web Cache that allows for arbitrary code execution.

InAccess Networks
                     www.inaccessnetworks.com

                        Security Advisory





Advisory Name: Heap Overflow in Oracle 9iAS / 10g Application Server 
               Web Cache 
 Release Date: 8 April 2004
  Application: Oracle Web Cache - all versions except 9.0.4.0.0 for 
               Windows, AIX & Tru64 which already contain fixes
     Platform: All Oracle supported platforms - 
               Sun Solaris
               HP/UX
               HP Tru64
               IBM AIX
               Linux
               Windows
     Severity: Critical - Remote Code Execution
     Category: Heap Overflow 
 Exploitation: Remote
       Author: Ioannis Migadakis [jmig@inaccessnetworks.com]
                                 [jmig@mail.gr]
Vendor Status: Oracle has released Security Alert #66 and 
               patches are available for supported products. 
               See http://otn.oracle.com/deploy/security/alerts.htm

CVE Candidate: CAN-2004-0385                  
    Reference: www.inaccessnetworks.com/ian/services/secadv01.txt 




About Web Cache
---------------

From Oracle's Web Site

"Oracle Web Cache is the software industry's leading application 
acceleration solution. Designed for enterprise grid computing, OracleAS 
Web Cache leverages state-of-the-art caching and compression 
technologies  to optimize application performance and more efficiently 
utilize low-cost, existing hardware resources."



From Oracle's 9iAS Web Cache - Technical FAQ

"An integrated component of Oracle's application server infrastructure, 
Oracle9iAS Web Cache is an innovative content delivery solution 
designed  to accelerate dynamic Web-based applications and reduce 
hardware costs."


From Oracle's Security Alert #66 Rev.1

"...a typical Core or Mid-Tier default installation of Oracle 
Application  Server includes Web Cache."






Vulnerability Summary
---------------------

A heap overflow vulnerability exists in Oracle Web Cache - all 
platforms. The vulnerability can be exploited remotely and the attacker
can execute code of his choice. Some firewalls may not protect against 
this vulnerability. Patches are available from Oracle's Web Site and 
should be applied immediately. The risk of exposure is high.






Vulnerability Details
---------------------

Web Cache application processes HTTP/HTTPS requests from clients and 
passes them to Oracle HTTP Server(s).  


        HTTP/HTTPS     -------------          ------------- 
 client ---------->    - Web Cache -  ----->  -HTTP Server-    
         Request       -------------          -------------
       

By default Web Cache listens for incoming connections on port 7777 for 
HTTP and 4443 for HTTPS. These ports are configured by the 
administrator of the system and in real world installations they become
the well known ports 80 and 443 and they are available through the 
firewall to all. 


A heap overflow condition exists in "webcached" process when an invalid
HTTP/HTTPS request is made. The overflow can be triggered by sending an
overly long header as the HTTP Request Method. From RFC 2616 valid 
values for the HTTP Request Method are GET, HEAD, POST, PUT, DELETE, 
TRACE, CONNECT.   


By supplying an HTTP Request Method header of 432 bytes long against 
a Windows based Web Cache installation the following exception is 
caused within ntdll.RtlAllocateHeap. 


77FCBF00   MOV DWORD PTR DS:[ESI], ECX
77FCBF02   MOV DWORD PTR DS:[ECX+4], ESI


ECX and ESI are overwritten with the attacker supplied values. By 
controlling the values of the registers ECX and ESI, it is possible to 
write an arbitrary dword to any address. It all comes down to the WHERE -
WHAT situation described in many security related documents. Also the
buffer is quite large - Oracle9iAS Web Cache uses 4 KB for the HTTP 
headers as default buffer size. Using different variations of the exploit 
technique it is possible to overwrite different CPU registers.


The vulnerability exists in all Oracle supported platforms. On Windows
the Web Cache is running under the Security Context of Local SYSTEM 
account and in a successful exploitation of the vulnerability, a full 
remote system compromise is possible. On Unix & Linux the Web Cache 
process normally is running as user ORACLE and in a successful 
exploitation of the vulnerability a complete compromise of the data 
may be possible.  


CERT has assigned VU#643985 for this vulnerability. 






HTTP/HTTPS Method Heap Overflow & Firewalls 
-------------------------------------------

This vulnerability can bypass a large number of firewalls, so a 
firewall can not be considered as a measure for protection against this
vulnerability.


If the firewall uses Stateful Packet Inspection / Packet filtering and
operates in layers 3 & 4 (e.g. it can understand the difference between
port 80 and 21 but not between HTTP GET and HTTP POST) then this 
firewall does not offer any protection against this vulnerability. 


If the firewall uses some proxy features operating in the -so called- 
"application" layer (7) (e.g. it can understand the difference between 
HTTP GET and HTTP POST)  then this firewall does offer protection 
against this vulnerability. 


The above are true for HTTP where a large number of HTTP proxies / 
firewalls exists. Unfortunately for HTTPS the majority of the firewalls
do not offer protection against this vulnerability since HTTPS is 
nothing more to them than TCP port 443. 


After all, Oracle in Security Alert #66 correctly says "Firewalls 
deployed  within a corporate Intranet or between a corporate Intranet 
and the Internet do not protect against these vulnerabilities." 






Credit
------

Discovery: Ioannis Migadakis a.k.a. JMIG






Vulnerability History
---------------------


    DATE                                INFO
-------------    ------------------------------------------------------
17 April 2003    Vulnerability Discovered
22 April 2003    Contacted CERT
23 April 2003    Contacted Oracle                 
23 April 2003    CERT Replied - Assign VU#643985
12 March 2004    Oracle Security Alert #66 Rev.1 Released                
 2 April 2004    Oracle Security Alert #66 Rev.2 Released with Credits
 8 April 2004    Public Advisory Released to 
                 bugtraq@securityfocus.com 
                 vulnwatch@vulnwatch.org
                 full-disclosure@lists.netsys.com






About inAccess Networks
-----------------------
inAccess Networks designs broadband access systems for the converging
telecommunication market and operates an OEM Design and a Network
Design team. 
Network Design team works with Service Providers and Enterprise
customers for large scale network design, network optimization,
security and quality assurance.

- Vulnerability information

15438
Oracle Web Cache HTTP Request Method Header Overflow
Input Manipulation
Loss of Integrity
Vendor Verified

- Vulnerability description

- Timeline

2004-04-09 Unknown
Unknown Unknown

- Solution

Products

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Oracle Application Server Web Cache HTTP Request Method Heap Overrun Vulnerability
Class: Boundary Condition Error    BID: 9868
Remote: Yes    Local: No
Published: 2004-03-12 12:00:00    Updated: 2009-07-12 03:06:00
These issues were discovered by Ioannis Migadakis.

- Affected program versions

Oracle Oracle9i Application Server Web Cache 9.0.3.1
Oracle Oracle9i Application Server Web Cache 9.0.2.3
Oracle Oracle9i Application Server Web Cache 9.0.2.2
+ Oracle iStore 11i 11i.IBE.O
Oracle Oracle9i Application Server Web Cache 2.0.0.4
+ Oracle Oracle9i Application Server 1.0.2.2
Oracle Application Server Web Cache 10g 9.0.4.0
+ Oracle Oracle10g Application Server 9.0.4.0

- Vulnerability discussion

Oracle Application Server Web Cache is prone to a remotely exploitable heap overrun when handling excessive data specified in HTTP Requests.

This issue could be triggered through the HTTP or HTTPS ports of the service, which are user-configurable (by default HTTP is 7777/TCP and 4443/TCP is for HTTPS). It has been reported that these ports are normally reconfigured to 80/TCP and 443/TCP for HTTP and HTTPS respectively when making the service remotely accessible.

The vulnerability affects all platforms that the software runs on and may be exploited to execute arbitrary code in the context of the server process.
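The write-what-where primitive that the InAccess advisory derives from the two faulting instructions (ECX and ESI under attacker control at MOV [ESI],ECX / MOV [ECX+4],ESI), shown as an added in-process simulation in C. This is not Web Cache's or Oracle's heap code, and no real heap is corrupted: it models a free-list entry with forward and backward links, overflows from an adjacent request buffer into that entry, then performs the unchecked unlink the advisory crashed in beside the safe-unlink check that later heap allocators adopted. The memory layout and every name here are constructed for the demonstration; the build is 64-bit, so the second link sits at +8 rather than the advisory's +4.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Free-list entry as the advisory's two instructions see it:
   MOV [ESI],ECX ; MOV [ECX+4],ESI  ==  flink->blink = blink ; blink->flink = flink
   (+4 is the 32-bit offset of blink; it is +8 in this 64-bit build). */
typedef struct entry { struct entry *flink; struct entry *blink; } entry_t;

/* Unchecked unlink: the two stores the advisory shows, nothing else. */
void unlink_unchecked(entry_t *e) {
    entry_t *f = e->flink, *b = e->blink;
    f->blink = b;   /* WHAT = b written to WHERE = &f->blink; attacker picks both */
    b->flink = f;   /* side effect: the first pointer-size bytes at b are clobbered */
}

/* Safe unlink: refuse to remove an entry whose neighbours do not point
   back at it. This is the check that turns the primitive into a crash. */
bool unlink_checked(entry_t *e) {
    if (e->flink->blink != e || e->blink->flink != e) return false;
    unlink_unchecked(e);
    return true;
}

/* Constructed victim layout: the request buffer is immediately followed by
   the management data of the next chunk, so a copy that runs past
   `request` overwrites that chunk's flink/blink. */
typedef struct { char request[32]; entry_t next_chunk; } victim_t;

static entry_t  g_list_head;   /* legitimate list: head <-> next_chunk */
static victim_t g_victim;
/* g_dispatch.blink stands in for a pointer slot the process later trusts
   (a function pointer, say); it is the WHERE the attacker aims at. */
static entry_t  g_dispatch;
/* Attacker-writable bytes (the "shellcode" area). A union so the second
   unlink store may legally land on it. */
static union { unsigned char bytes[64]; entry_t hdr; } g_payload;

static void reset_heap(void) {
    memset(&g_victim, 0, sizeof g_victim);
    g_list_head.flink = g_list_head.blink = &g_victim.next_chunk;
    g_victim.next_chunk.flink = g_victim.next_chunk.blink = &g_list_head;
    g_dispatch.flink = g_dispatch.blink = NULL;
    memset(&g_payload, 0x90, sizeof g_payload);   /* NOP-sled stand-in */
}

entry_t *payload_address(void) { return &g_payload.hdr; }
bool payload_first_bytes_clobbered(void) { return g_payload.hdr.flink == &g_dispatch; }

/* Simulates the overflow followed by the unlink. Returns what the trusted
   slot g_dispatch.blink holds afterwards (NULL if no write happened). */
entry_t *demo_write_what_where(bool safe_unlink) {
    reset_heap();

    /* Attacker's over-long method: 32 filler bytes fill `request`, the next
       two pointer-size fields land on next_chunk.flink and .blink. */
    unsigned char attack[sizeof(victim_t)];
    memset(attack, 'A', sizeof attack);
    entry_t *where = &g_dispatch;        /* flink: WHERE minus offsetof(blink) */
    entry_t *what  = &g_payload.hdr;     /* blink: the value to be written */
    memcpy(attack + offsetof(victim_t, next_chunk) + offsetof(entry_t, flink), &where, sizeof where);
    memcpy(attack + offsetof(victim_t, next_chunk) + offsetof(entry_t, blink), &what,  sizeof what);

    /* The unbounded copy the parser performed. */
    memcpy(&g_victim, attack, sizeof attack);

    /* Later the chunk is taken off the free list. */
    if (safe_unlink) {
        if (!unlink_checked(&g_victim.next_chunk)) return NULL;
    } else {
        unlink_unchecked(&g_victim.next_chunk);
    }
    return g_dispatch.blink;
}

int main(void) {
    entry_t *hit = demo_write_what_where(false);
    printf("unchecked unlink: trusted slot now %p, payload at %p\n",
           (void *)hit, (void *)payload_address());
    printf("checked unlink blocked the write: %s\n",
           demo_write_what_where(true) == NULL ? "yes" : "no");
    return 0;
}
```

Two practical points the simulation makes visible: the second store clobbers the first pointer-size bytes of the WHAT address, which is why real exploits of this primitive start the payload with a short jump over those bytes, and a safe-unlink check stops the write entirely because the forged links cannot point back at the chunk being removed.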

- Exploits

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Solution

Oracle Application Server Web Cache 10g (9.0.4.0) includes fixes for Windows, Tru64 and AIX (release pending). Other platforms for this release are still vulnerable. Users should upgrade to this release if they are using one of the platforms that includes fixes. Other fixes for this release are pending.

Oracle has released a Patch Availability Matrix which details available and pending fixes for various platforms and releases. Further details may be found in the attached advisory.

Oracle has released an update to their original advisory clarifying the E-Business statement and adding the appropriate credits. Please see the referenced advisory for more information.

- References

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese open community devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE, CWE and OVAL are registered trademarks of the MITRE Corporation; their official data sources are kept on MITRE's websites.