
Oracle Application Server shared library buffer overflow

By ServerWatch Staff
Posted Apr 10, 2001


Date:         Tue, 10 Apr 2001 21:40:26 +0700
From: Security Research Team <security@RELAYGROUP.COM>
Subject:      Oracle Application Server shared library buffer overflow

$Id: safer0016_oas_advisory.txt,v 1.3 2001/03/27 10:27:16 vanja Exp $


S.A.F.E.R. Security Bulletin 0016


TITLE : Oracle Application Server shared library buffer overflow
DATE : April 10, 2001
NATURE : Remote execution of code, Denial of Service
AFFECTED : Oracle Application Server 4.0.8.2 with iWS 4.0/4.1 web server, running on SPARC/Solaris 2.7

NOTE:

We have been able to reproduce this on two different machines with very similar setups. Oracle has been contacted but has not been able to reproduce the problem. We would appreciate it if people running OAS/iWS could test this against their servers and let both us and Oracle know the results, as other versions of the software might be vulnerable as well.

Oracle Security Team would appreciate the results to be sent to: secalert_us@oracle.com

PROBLEM:

An exploitable buffer overflow has been identified in a shared library which is being shipped with Oracle Application Server 4.0.8.2, and used by iPlanet Web Server if it is configured as external web-listener.

DETAILS:

iWS has to be configured as an external 'web listener' for Oracle Application Server, so that iWS loads a shared library (/ows/4.0/lib/ndwfn4.so) to handle requests for OAS. The overflow happens when a long path is requested under a prefix that has been 'linked' to OAS (by default /jsp/): the path is passed to the library routines to be processed, and the buffer they copy it into is around 2050-2060 bytes.

Checking if you are vulnerable:

A request similar to:

GET /jsp/<A x 2050> HTTP/1.0

(perl -e 'print "GET /jsp/","A"x2050," HTTP/1.0\r\n\r\n"' | nc victim 80)

will trigger the overflow (the iWS web server should core-dump and be restarted by its watchdog; externally this is seen as a dropped connection).

It is also possible that other versions of OAS/iWS/Solaris are vulnerable.

EXPLOIT:

We have developed a working exploit for this problem which will be publicly released.

FIXES:

No fixes are available at the time of this writing.

CREDITS:

Fyodor Yarochkin <fyodor@relaygroup.com>

This advisory will also be made available at http://www.safermag.com/advisories/


S.A.F.E.R. - Security Alert For Enterprise Resources

Copyright (c) 2001 The Relay Group http://www.safermag.com ---- security@relaygroup.com



