J-Security Center

Title: Oracle9iAS Web Cache Buffer Overflow Vulnerability

Severity: CRITICAL

Description:

A buffer overflow condition exists in Oracle 9iAS Web Cache 2.0.0.1.0. It can be triggered by sending a very long URL request to any of the four services provided by Web Cache. By default, the four services and the ports they are provided on are:

1100 - Incoming web cache proxy
4000 - Administrative interface
4001 - Web XML invalidation port
4002 - Statistics port

It is possible that earlier versions of Web Cache are also vulnerable.

If a request is submitted containing / + 'A' x 3095 + 'N' x 4, the process will terminate. A state dump will reveal the following:

eax=00000c1d ebx=00000000 ecx=00000c1d edx=026f0041
esi=01baac86 edi=0040deb6
eip=4e4e4e4e esp=0632fe08 ebp=41414141 iopl=0
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000
efl=00000216

If a request longer than 3570 characters is sent, the process simply exits without a stack dump. For example:
GET /<'A' x 3571> HTTP/1.0

Since a function stack frame is overwritten, it is likely possible to execute arbitrary code on the target server. This may be possible by replacing the return address with a pointer to supplied instructions. If successful, a remote attacker may gain access to the server.

While this vulnerability has been addressed in Oracle 9iAS Web Cache 2.0.0.2.0, it has been reported that versions for Microsoft Windows NT are still vulnerable.
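
A defensive check built from the figures above, as an added example that is not part of the original advisory or of Oracle's code: it flags request lines sent to the four default Web Cache ports whose URL reaches the lengths quoted in the description. The function names, the sample traffic and the use of those lengths as alert thresholds are assumptions; the advisory does not state the buffer size, so shorter URLs may also be unsafe.

```python
import re

# Default Web Cache service ports listed in the advisory.
WEB_CACHE_PORTS = {1100: "proxy", 4000: "admin",
                   4001: "invalidation", 4002: "statistics"}

# Assumption: thresholds taken from the lengths quoted in the advisory
# ("/" + 3095 + 4 characters crashed with a state dump; requests longer
# than 3570 characters exited without one). Tune to your own traffic.
CRASH_LEN = 1 + 3095 + 4
SILENT_EXIT_LEN = 3570

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<uri>\S+)(?: HTTP/\d\.\d)?$")


def classify(dst_port, request_line):
    """Return a finding dict for an overlong URL on a Web Cache port, else None."""
    service = WEB_CACHE_PORTS.get(dst_port)
    if service is None:
        return None
    m = REQUEST_LINE.match(request_line.rstrip("\r\n"))
    # A line that does not parse is measured whole: length is what matters here.
    uri = m.group("uri") if m else request_line.strip()
    n = len(uri)
    if n < CRASH_LEN:
        return None
    effect = "silent exit" if n > SILENT_EXIT_LEN else "crash with state dump"
    return {"port": dst_port, "service": service,
            "uri_len": n, "expected_effect": effect}


# Constructed sample traffic: (destination port, first line of the request).
SAMPLES = [
    (1100, "GET /index.html HTTP/1.0"),
    (4000, "GET /" + "A" * 3095 + "N" * 4 + " HTTP/1.0"),
    (4002, "GET /" + "A" * 3571 + " HTTP/1.0"),
    (8080, "GET /" + "A" * 5000 + " HTTP/1.0"),  # not a Web Cache port
]


def scan(samples):
    """Classify every sample and keep only the findings."""
    return [f for f in (classify(p, line) for p, line in samples) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(finding)
```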

Affected Products:

  • Oracle Oracle9i Application Server Web Cache 2.0.0.0.1
  • Oracle Oracle9i Application Server Web Cache 2.0.0.0.2 NT
