[Full-Disclosure] Re: [VulnWatch] Heap Overflow in Oracle 9iAS / 10g Application Server Web Cache
- To: Ioannis Migadakis <jmig@xxxxxxx>
- Subject: [Full-Disclosure] Re: [VulnWatch] Heap Overflow in Oracle 9iAS / 10g Application Server Web Cache
- From: "Jay D. Dyson" <jdyson@xxxxxxxxxxx>
- Date: Thu, 8 Apr 2004 15:40:19 -0400
Quick question - from your advisory . . .
On Thu, Apr 08, 2004 at 02:48:43PM +0200, Ioannis Migadakis wrote:
> Platform: All Oracle supported platforms -
> Sun Solaris
> HP/UX
> HP Tru64
> IBM AIX
> Linux
> Windows
> Severity: Critical - Remote Code Execution
> Category: Heap Overflow
> Exploitation: Remote
>
> [...]
> 77FCBF00 MOV DWORD PTR DS:[ESI], ECX
> 77FCBF02 MOV DWORD PTR DS:[ECX+4], ESI
>
>
> ECX and ESI are overwritten with the attacker supplied values. By
> controlling the values of the registers ECX and ESI, it is possible to
> write an arbitrary dword to any address. It all comes to the WHERE -
> WHAT situation described in many security related documents. Also the
> buffer is quite large - Oracle9iAS Web Cache uses 4 KB for the HTTP
> headers as default buffer size. Using different variations of the exploit
> technique it is possible to overwrite different CPU registers.
>
Have you attempted to verify exploitability on anything other than Windows?
. . . or, are the other architectures just listed as vulnerable to hype up
your ego?
--
- -Jay
( ( _______
)) )) .-"There's always time for a good cup of coffee"-. >====<--.
C|~~|C|~~| (>------ Jay D. Dyson -- jdyson@xxxxxxxxxxx ------<) | = |-'
`--' `--' `-------- Si latinam satis simiis doces, --------' `------'
`--- quandoque unus aliquid profundum dicet ---'
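The WHERE / WHAT write quoted from the advisory, as an added C model (not code from the advisory, from Oracle, or from any real heap implementation): the two stores from the disassembly beside a safe-unlink check that refuses a forged header. The entry layout, the list and the forged link values are constructed for illustration.

```c
#include <stddef.h>
/* Constructed model of a doubly linked free-list entry with Flink at
 * offset 0 and Blink at offset 4 (32-bit), the layout the quoted
 * disassembly operates on. Not Oracle's or the Windows heap's structures. */
typedef struct entry {
    struct entry *flink;
    struct entry *blink;
} entry_t;

/* Unchecked unlink: exactly the two stores from the advisory.
 *   MOV [ESI], ECX    -> blink->flink = flink
 *   MOV [ECX+4], ESI  -> flink->blink = blink
 * ESI/ECX are read from the chunk header, so an overflow chooses both. */
static void unlink_unchecked(entry_t *p) {
    entry_t *f = p->flink, *b = p->blink;
    b->flink = f;
    f->blink = b;
}

/* Safe unlink: only accept p if both neighbours still point back at it.
 * A header forged by an overflow fails this check, so the write never
 * happens and the allocator can abort instead. */
static int unlink_checked(entry_t *p) {
    entry_t *f = p->flink, *b = p->blink;
    if (f == NULL || b == NULL || f->blink != p || b->flink != p)
        return 0;  /* corrupted list: reject */
    b->flink = f;
    f->blink = b;
    return 1;
}

/* Intact list a <-> p <-> c: checked unlink removes p, a now points at c. */
int intact_list_unlinks(void) {
    entry_t a, p, c;
    a.flink = &p; a.blink = NULL;
    p.flink = &c; p.blink = &a;
    c.flink = NULL; c.blink = &p;
    return unlink_checked(&p) == 1 && a.flink == &c && c.blink == &a;
}

/* Forged header: flink = WHAT, blink = WHERE. The unchecked version stores
 * WHAT into WHERE (and WHERE into WHAT+4); the checked version refuses. */
int forged_header_outcome(int checked) {
    entry_t p, where = {NULL, NULL}, what = {NULL, NULL};
    p.flink = &what;   /* constructed WHAT (must itself be writable at +4) */
    p.blink = &where;  /* constructed WHERE */
    if (checked) return unlink_checked(&p) == 0 && where.flink == NULL;
    unlink_unchecked(&p);
    return where.flink == &what;   /* the arbitrary dword write landed */
}
```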
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html