17th Feb 2003 [SBWID-5992]
COMMAND
	Oracle9i Application Server Format String Vulnerability
SYSTEMS AFFECTED
	All platforms; Oracle9i Application Server Release 9.0.2
PROBLEM
	Thanks to David Litchfield [david@ngssoftware] and Mark Litchfield
	[[email protected]] of NGSSoftware Insight Security Research,
	advisory [#NISR16022003d]:
	Oracle's 9i Application Server offers a  highly  functional  web  server
	designed  to  seamlessly  integrate  with  an  Oracle  backend  database
	server. Based on Apache the server  offers  many  environments  for  web
	based applications such as Java/JSP,  PL/SQL,  Perl  and  FastCGI.  With
	their latest release of the Application Server, 9.0.2, Oracle has  added
	support for WebDAV,  Web  Distributed  Authoring  and  Versioning,  that
	turns the Web into a file sharing system.
	 Details
	 ******* 
	DAV is turned on by default. Whilst this is bad in and of itself, as
	attackers can anonymously upload files to the server, an attacker can
	also exploit a format string bug in one of the logging functions. If an
	attacker uses the COPY method and supplies a destination URI that uses
	a different scheme or port, a 502 Bad Gateway response is returned.
	This response is logged, and the logging call is where the format
	string can be exploited. Although the stock Apache mod_dav module is not
	vulnerable itself, the vulnerable code is present in it; it is simply
	never executed. Oracle has modified the mod_dav module so that bad
	gateway responses are logged, and thus their build is vulnerable.
	Looking at the mod_dav source:
	From mod_dav.c revision 1.157
	
	..
	..
	lookup = dav_lookup_uri(dest, r);
	if (lookup.rnew == NULL)
	{
	      if (lookup.err.status == HTTP_BAD_REQUEST)
	      {
	            /* lookup.err.desc is passed as the format argument */
	            ap_log_rerror(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO,
	                          r, lookup.err.desc);
	            return HTTP_BAD_REQUEST;
	      }
	      return dav_error_response(r, lookup.err.status, lookup.err.desc);
	}
	..
	..
	
	This code calls the dav_lookup_uri() function in dav_util.c. From
	dav_util.c revision 1.84
	
	..
	dav_lookup_result dav_lookup_uri(const char *uri, request_rec *r)
	{
	..
	..
	if (strcasecmp(comp.scheme, scheme) != 0 || comp.port != port)
	{
	      result.err.status = HTTP_BAD_GATEWAY;
	      /* comp.scheme is taken from the client-supplied destination URI
	       * and is copied into the description string via %s */
	      result.err.desc = ap_psprintf(r->pool,
	                                    "Destination URI refers to different "
	                                    "scheme or port (%s://hostname:%d)\n"
	                                    "(want: %s://hostname:%d)",
	                                    comp.scheme ? comp.scheme : scheme,
	                                    comp.port ? comp.port : port,
	                                    scheme, port);
	      return result;
	..
	..
	}
	
	When dav_lookup_uri() returns to mod_dav.c the format string bug occurs:
	
	..
	lookup = dav_lookup_uri(dest, r);
	if (lookup.rnew == NULL)
	{
	      if (lookup.err.status == HTTP_BAD_REQUEST)
	      {
	            // THIS IS THE FIRST FORMAT STRING VULNERABILITY
	            ap_log_rerror(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO,
	                          r, lookup.err.desc);
	..
	..
	}
	
	Of course, to not be vulnerable the code should have read
	
	ap_log_rerror(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO,
	              r, "%s", lookup.err.desc);
	
	so that the client-influenced text is only ever a %s argument.
	By crafting a specially formed format string and sending it to the
	server, an attacker can overwrite an arbitrary address with arbitrary
	values, which can allow the attacker to gain control of the web server.
	To do this they could overwrite a saved return address on the stack, an
	exception handler, or a pointer to a function with an address that
	points to a buffer containing the arbitrary code to execute.
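	The following is an added example, not code from the advisory or from
	mod_dav: a mock of the description string dav_lookup_uri() builds, a
	check that counts how many printf conversions a request-supplied scheme
	carries into that string (the condition that makes the original
	ap_log_rerror() call exploitable), and a logger that only ever takes a
	literal format, as in the corrected call above. Names and the sample
	scheme values are constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Mock of dav_lookup_uri()'s description string (constructed; it mirrors
 * the ap_psprintf() format quoted above). client_scheme is what the
 * client put in the Destination header. */
static void build_desc(char *out, size_t n, const char *client_scheme,
                       int client_port, const char *want_scheme, int want_port)
{
    snprintf(out, n,
             "Destination URI refers to different "
             "scheme or port (%s://hostname:%d)\n"
             "(want: %s://hostname:%d)",
             client_scheme, client_port, want_scheme, want_port);
}

/* Count the conversions a printf-style interpreter would act on in s.
 * "%%" is a literal percent and is not counted. Any non-zero count on
 * data that came from the request means passing it as a format is a bug. */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }  /* escaped literal */
        if (s[1] == '\0') break;
        n++;
    }
    return n;
}

/* Conversions that a given client scheme injects into the log message. */
int conversions_in_desc(const char *client_scheme)
{
    char desc[256];
    build_desc(desc, sizeof desc, client_scheme, 8080, "http", 80);
    return count_conversions(desc);
}

/* Hardened logger: fmt is always a literal chosen by the programmer, so a
 * caller writes log_safe(buf, n, "%s", desc), never log_safe(buf, n, desc). */
static void log_safe(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, n, fmt, ap);
    va_end(ap);
}

/* Returns 1 when the description reaches the log verbatim, directives and all. */
int desc_logged_verbatim(const char *client_scheme)
{
    char desc[256], line[256];
    build_desc(desc, sizeof desc, client_scheme, 8080, "http", 80);
    log_safe(line, sizeof line, "%s", desc);
    return strcmp(line, desc) == 0;
}
```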
SOLUTION
	 Fix Information
	 ***************
	NGSSoftware alerted Oracle  to  this  vulnerability  on  24th  September
	2002. Oracle has developed a patch which is available from
	
	http://otn.oracle.com/deploy/security/pdf/2003alert52.pdf
	
	A check for these issues has been added to OraScan, a comprehensive
	automated vulnerability assessment tool for Oracle Application Servers.
	More information is available from the NGS site:
	
	http://www.nextgenss.com/software/orascan.html
	
	
	 Further Information
	 *******************
	For further information about the scope and effects of buffer overflows,
	please see
	http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
	http://www.ngssoftware.com/papers/ntbufferoverflow.html
	http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
	http://www.ngssoftware.com/papers/unicodebo.pdf
	 About NGSSoftware
	 *****************
	NGSSoftware design, research and develop intelligent, advanced application
	security assessment scanners. Based in the United Kingdom, NGSSoftware have
	offices in the South of London and the East Coast of Scotland. NGSSoftware's
	sister company NGSConsulting, offers best of breed security consulting
	services, specialising in application, host and network security
	assessments.
	http://www.ngssoftware.com/
	http://www.ngsconsulting.com/
	Telephone +44 208 401 0070
	Fax +44 208 401 0076
	[email protected]