Oracle Application Server shared library buffer overflow
Date: Tue, 10 Apr 2001 21:40:26 +0700
From: Security Research Team <security@RELAYGROUP.COM>
Subject: Oracle Application Server shared library buffer overflow

An exploitable buffer overflow has been identified in a shared library which is being shipped with Oracle Application Server 126.96.36.199, and used by iPlanet Web Server if it is configured as external web-listener.

$Id: safer0016_oas_advisory.txt,v 1.3 2001/03/27 10:27:16 vanja Exp $
S.A.F.E.R. Security Bulletin 0016
TITLE : Oracle Application Server shared library buffer overflow
DATE : April 10, 2001
NATURE : Remote execution of code, Denial of Service
AFFECTED : Oracle Application Server 188.8.131.52 + iWS 4.0/4.1 webserver, running on Sparc/Solaris 2.7
We have been able to reproduce this on 2 different machines with very similar setups. Oracle has been contacted, but they haven't been able to reproduce this problem. We would appreciate it if people using OAS/iWS could test this against their servers and let both us and Oracle know the results, as other versions of the software might be vulnerable as well.
Oracle Security Team would appreciate the results to be sent to: email@example.com
An exploitable buffer overflow has been identified in a shared library which is being shipped with Oracle Application Server 184.108.40.206, and used by iPlanet Web Server if it is configured as external web-listener.
iWS has to be configured as an external 'web listener' for Oracle Application Server, so that iWS will load a shared library (/ows/4.0/lib/ndwfn4.so) to handle requests for OAS. The overflow happens when a long string is requested with a prefix that has been 'linked' to OAS (by default it is /jsp/); the string is then passed to the library routines to be processed. Buffer size is around 2050-60 bytes.
Checking if you are vulnerable:
A request similar to:
GET /jsp/<A x 2050> HTTP/1.0
(perl -e 'print "GET /jsp/","A"x2050," HTTP/1.0\n\n"' | nc victim 80)
will trigger the overflow (iWS webserver should core-dump and be restarted by watchdog; externally it will be seen as a dropped connection).
It is also possible that other versions of OAS/iWS/Solaris are vulnerable.
We have developed a working exploit for this problem which will be publicly released.
No fixes are available at the time of this writing.
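A defensive counterpart to the request described under "Checking if you are vulnerable", as an added example that is not part of the original advisory: it scans web access logs for oversized requests under the OAS-linked prefix. The Common Log Format input, the 1900-byte alert threshold and the names OAS_PREFIXES, ALERT_LEN and oversized_oas_requests are assumptions, and the sample log lines are constructed.

```python
import re
from urllib.parse import unquote_to_bytes

# Assumptions (not from the advisory): logs are in Common Log Format, and the
# alert threshold sits below the ~2050-byte buffer size the advisory reports.
OAS_PREFIXES = ("/jsp/",)   # advisory: default prefix 'linked' to OAS
ALERT_LEN = 1900            # hypothetical margin, in bytes of request target

CLF = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                 r'"(?P<req>.*)" (?:\d{3}|-) (?:\d+|-)\s*$')

def oversized_oas_requests(lines, prefixes=OAS_PREFIXES, limit=ALERT_LEN):
    """Return (host, timestamp, target_length) for over-long OAS-bound requests."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue                      # not a CLF line; skip rather than guess
        parts = m.group("req").split(" ")
        if len(parts) < 2:
            continue                      # malformed request line
        target = parts[1]
        # Match the prefix on the percent-decoded path so that an encoded
        # prefix such as /%6Asp/ is still recognised.
        decoded = unquote_to_bytes(target.split("?", 1)[0])
        if not any(decoded.startswith(p.encode()) for p in prefixes):
            continue
        # Measure the raw target: it is the upper bound on what the library
        # receives, whether or not the server decodes it first.
        if len(target) >= limit:
            hits.append((m.group("host"), m.group("ts"), len(target)))
    return hits

# Constructed sample lines (documentation addresses), not from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Apr/2001:21:40:26 +0700] "GET /jsp/index.jsp HTTP/1.0" 200 512',
    '192.0.2.77 - - [10/Apr/2001:21:41:02 +0700] "GET /jsp/' + "A" * 2050 + ' HTTP/1.0" - -',
    '192.0.2.78 - - [10/Apr/2001:21:41:09 +0700] "GET /%6Asp/' + "B" * 2100 + ' HTTP/1.0" - -',
    '192.0.2.11 - - [10/Apr/2001:21:42:00 +0700] "GET /static/' + "C" * 3000 + ' HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    for host, ts, length in oversized_oas_requests(SAMPLE_LOG):
        print(f"{ts} {host} OAS-prefixed request target of {length} bytes")
```

Because the advisory reports that the web server core-dumps on the triggering request, that request may never reach the server's own access log; logs from a proxy or load balancer in front of iWS are the more reliable input.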
Fyodor Yarochkin <firstname.lastname@example.org>
This advisory will also be made available at http://www.safermag.com/advisories/
S.A.F.E.R. - Security Alert For Enterprise Resources