[Full-Disclosure] Re: [VulnWatch] Heap Overflow in Oracle 9iAS / 10g Application Server Web Cache
From: Jay D. Dyson (jdysonbugtraq.org)
Date: Thu Apr 08 2004 - 14:40:19 CDT
Quick question - from your advisory . . .
On Thu, Apr 08, 2004 at 02:48:43PM +0200, Ioannis Migadakis wrote:
> Platform: All Oracle supported platforms -
> Sun Solaris
> HP Tru64
> IBM AIX
> Severity: Critical - Remote Code Execution
> Category: Heap Overflow
> Exploitation: Remote
[...]
> 77FCBF00 MOV DWORD PTR DS:[ESI], ECX
> 77FCBF02 MOV DWORD PTR DS:[ECX+4], ESI
> ECX and ESI are overwritten with the attacker supplied values. By
> controlling the values of the registers ECX and ESI, it is possible to
> write an arbitrary dword to any address. It all comes to the WHERE -
> WHAT situation described in many security related documents. Also the
> buffer is quite large - Oracle9iAS Web Cache uses 4 KB for the HTTP
> headers as default buffer size. Using different variations of the exploit
> technique it is possible to overwrite different CPU registers.
Have you attempted to verify exploitability on anything other than Windows?
. . . or, are the other architectures just listed as vulnerable to hype up
( ( _______
)) )) .-"There's always time for a good cup of coffee"-. >====<--.
C|~~|C|~~| (>------ Jay D. Dyson -- jdysonbugtraq.org ------<) | = |-'
`--' `--' `-------- Si latinam satis simiis doces, --------' `------'
`--- quandoque unus aliquid profundum dicet ---'
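
Added example, not part of the original message or the quoted advisory: the two quoted stores written as a C linked-list unlink, next to a variant that checks the links before writing. Reading ECX as the forward link and ESI as the backward link is an assumption of this example, and all names and the in-process "corruption" are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Free-list node; on 32-bit x86 flink sits at +0 and blink at +4. */
struct list_entry { struct list_entry *flink, *blink; };
enum outcome { REFUSED, RELINKED, STRAY_WRITE };

/* Unchecked unlink: the two stores from the quoted disassembly, assuming
 * ECX = e->flink and ESI = e->blink. Both pointers are trusted blindly. */
static void unlink_unchecked(struct list_entry *e)
{
    struct list_entry *f = e->flink, *b = e->blink;
    b->flink = f;               /* MOV [ESI], ECX   */
    f->blink = b;               /* MOV [ECX+4], ESI */
}

/* Checked unlink: write only if both neighbours still point back at e. */
static bool unlink_checked(struct list_entry *e)
{
    struct list_entry *f = e->flink, *b = e->blink;
    if (!f || !b || f->blink != e || b->flink != e)
        return false;           /* inconsistent metadata: refuse to write */
    b->flink = f;
    f->blink = b;
    return true;
}

/* Constructed scenario: a three-node ring whose middle node may have its
 * links replaced with pointers to two unrelated objects (a, b), standing in
 * for metadata damaged by an overflow. Reports what the unlink did. */
static enum outcome run_unlink(bool corrupt, bool checked)
{
    struct list_entry head, mid, tail, a = {NULL, NULL}, b = {NULL, NULL};
    head.flink = &mid;  mid.flink = &tail; tail.flink = &head;
    head.blink = &tail; mid.blink = &head; tail.blink = &mid;
    if (corrupt) { mid.flink = &a; mid.blink = &b; }  /* constructed corruption */
    if (checked) unlink_checked(&mid); else unlink_unchecked(&mid);
    if (a.blink || b.flink) return STRAY_WRITE;       /* wrote outside the ring */
    return (head.flink == &tail && tail.blink == &head) ? RELINKED : REFUSED;
}

int main(void)
{
    printf("intact: unchecked=%d checked=%d\n",
           run_unlink(false, false), run_unlink(false, true));
    printf("corrupt: unchecked=%d checked=%d\n",
           run_unlink(true, false), run_unlink(true, true));
    return 0;
}
```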