Re: Oracle security alert #66 - new information available
Pete Finnigan <plsql_at_petefinnigan.com> wrote in message news:<fsBrhkBQX7gARxCb_at_peterfinnigan.demon.co.uk>...
> Hi Everyone
>
> I have just updated my Oracle security alerts page and added a link
> to the new advisory that Ioannis Migadakis (a.k.a jmig) has released.
<SNIP>
> Kind regards
>
> Pete
OK, I'll bite.
I saw this example on the 'finder's webpage':
<QUOTE>
By supplying an HTTP Request Method header of 432 bytes long against
a Windows based Web Cache installation the following exception is
caused within ntdll.RtlAllocateHeap.
77FCBF00 MOV DWORD PTR DS:[ESI], ECX
77FCBF02 MOV DWORD PTR DS:[ECX+4], ESI
</QUOTE>
OK, I'm stupid, I think, but I can't see how any of these buffer overflow things work. I realise - having been a C programmer - that if I define a buffer followed by some other variables, I can easily overwrite the other variables by storing (or reading) too much data into the buffer.
My problem is how does this allow me to execute some chosen code of my own?
In the example above, how exactly can the perpetrator overwrite the values of ECX and ESI which makes it write a DWORD to that chosen address in memory?
Keep it simple enough for me to understand please :o)
(My own code *always* reads the buffer length minus 1 for the NULL terminator, so I don't have to worry, do I? (Famous last words!))
Cheers from behind the firewall and posting from Google.
Norman.
Received on Tue Apr 20 2004 - 06:41:02 CDT
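The two MOV instructions quoted from the advisory are the classic "unlink" of an entry from a doubly linked free list: the allocator reads the chunk's forward and backward link fields into registers (ESI and ECX in the quoted code) and then stores each into the other, so whatever values those fields hold become the addresses written. The link fields live in a chunk header that sits directly after the previous chunk's user data, so copying an oversized request header into that data without a bound overwrites them. The following C program, written as an added illustration for this thread (it is not the advisory's, Oracle's or Windows' heap code, and the chunk layout, the `decoy` target and the input bytes are all constructed), shows the overwrite, why the unchecked unlink then writes where the corrupted links say, and the two defences a practitioner wants: a length check before the copy (the "buffer length minus 1" question) and the safe-unlink consistency check that later allocators added, which refuses the stores when the neighbours no longer point back at the chunk.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy free-list chunk, constructed for this example. Like a real heap
 * chunk, the list links come first and the next chunk's links sit right
 * after this chunk's user data, so an overflow of data reaches them. */
typedef struct chunk {
    struct chunk *fd;      /* forward link  */
    struct chunk *bk;      /* backward link */
    char data[32];         /* user data of this chunk */
} chunk_t;

/* Unchecked unlink: the two stores quoted in the advisory,
 * fd->bk = bk and bk->fd = fd, trusting the link fields blindly. */
static void unlink_unchecked(chunk_t *c) {
    chunk_t *fd = c->fd, *bk = c->bk;
    fd->bk = bk;
    bk->fd = fd;
}

/* Safe unlink (the mitigation later allocators added): both neighbours
 * must still point back at this chunk, otherwise the links were tampered
 * with and the stores are skipped. Returns 1 if unlinked, 0 if rejected. */
static int unlink_checked(chunk_t *c) {
    chunk_t *fd = c->fd, *bk = c->bk;
    if (fd->bk != c || bk->fd != c)
        return 0;
    fd->bk = bk;
    bk->fd = fd;
    return 1;
}

/* Bounded copy into a chunk's data: the check the poster asks about.
 * Rejects anything that would not fit together with the terminator. */
static int copy_header_bounded(chunk_t *c, const char *src, size_t len) {
    if (len >= sizeof c->data)
        return 0;
    memcpy(c->data, src, len);
    c->data[len] = '\0';
    return 1;
}

static chunk_t chunks[3];  /* three adjacent chunks, as in a heap arena */
static chunk_t decoy;      /* stands in for an address the corrupted links hold */

/* Build a circular list 0 <-> 1 <-> 2, then copy an oversized constructed
 * input into chunk 0's data without a bound (the advisory's case was a
 * 432-byte method header). The excess lands on chunk 1's fd and bk. */
static void build_and_overflow(void) {
    memset(chunks, 0, sizeof chunks);
    memset(&decoy, 0, sizeof decoy);
    chunks[0].fd = &chunks[1]; chunks[0].bk = &chunks[2];
    chunks[1].fd = &chunks[2]; chunks[1].bk = &chunks[0];
    chunks[2].fd = &chunks[0]; chunks[2].bk = &chunks[1];

    /* constructed input: 32 filler bytes, then two pointer-sized values */
    unsigned char input[sizeof chunks[0].data + 2 * sizeof(chunk_t *)];
    chunk_t *val = &decoy;
    memset(input, 'A', sizeof chunks[0].data);
    memcpy(input + sizeof chunks[0].data, &val, sizeof val);
    memcpy(input + sizeof chunks[0].data + sizeof val, &val, sizeof val);

    /* the bug: no comparison against sizeof data before copying (the copy
     * goes through the byte view of the whole array, so it stays in bounds
     * of that object for the purposes of this demonstration) */
    memcpy((unsigned char *)chunks + offsetof(chunk_t, data), input, sizeof input);
}

/* 1 if the overflow reached chunk 1's link fields */
static int links_were_overwritten(void) {
    build_and_overflow();
    return chunks[1].fd == &decoy && chunks[1].bk == &decoy;
}

/* 1 if the safe unlink refuses the corrupted chunk instead of storing */
static int safe_unlink_rejects(void) {
    build_and_overflow();
    return unlink_checked(&chunks[1]) == 0;
}

/* 1 if the unchecked unlink wrote into the decoy, as the quoted MOVs would */
static int unchecked_unlink_writes_decoy(void) {
    build_and_overflow();
    unlink_unchecked(&chunks[1]);
    return decoy.fd == &decoy && decoy.bk == &decoy;
}

/* 1 if the bounded copy accepts a short header and rejects a 432-byte one */
static int bounded_copy_rejects_oversized(void) {
    char big[432];
    chunk_t c;
    memset(big, 'B', sizeof big);
    memset(&c, 0, sizeof c);
    return copy_header_bounded(&c, "GET", 3) == 1 &&
           copy_header_bounded(&c, big, sizeof big) == 0;
}

int main(void) {
    printf("overflow reached links:   %d\n", links_were_overwritten());
    printf("safe unlink rejected:     %d\n", safe_unlink_rejects());
    printf("unchecked unlink wrote:   %d\n", unchecked_unlink_writes_decoy());
    printf("bounded copy rejected:    %d\n", bounded_copy_rejects_oversized());
    return 0;
}
```

Two things worth noting. The "minus 1 for the NULL terminator" habit is only a defence when the length being compared is the destination's size, not the source's; `copy_header_bounded` checks the incoming length against `sizeof c->data` before touching memory. And the safe-unlink check is a detection as much as a mitigation: when it fires, the allocator has found heap corruption and should abort rather than continue, which turns a silent arbitrary write into a crash an operator can see.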