
Re: Oracle security alert #66 - new information available

From: Pete Finnigan <plsql_at_petefinnigan.com>
Date: Wed, 21 Apr 2004 11:09:12 +0100
Message-ID: <5zmSWlAIhkhARx+R@peterfinnigan.demon.co.uk>


Hi Norm,

sounds like you had a good break!

>OK, I understand that bit, but I thought Windows and Unix had some
>form of memory protection to prevent this from happening?

The process, in this case webcached, is being used to corrupt its own heap memory. The dynamically loaded DLLs are still loaded into memory carved from the webcached heap - at least that's how I understand it. You are right about memory protection, but that is against accessing other processes' memory - I think.

>And strangely enough, I can follow this as well. The problem I have
>is, how the bleeding hell can a 'penetrator' know what DLLs are loaded
>and where they are in memory to be able to set up a carefully (or even
>very carefully) crafted string ?

That bit is easy: he probably loaded a copy of webcached on his own system and ran (on Solaris) truss to see what the daemon loaded as it starts up. There are similar tools on Linux (strace) and on Windows (cannot remember the name). Or he could have used gdb, or on Windows IDA Pro is the tool of hackers. Using something like IDA Pro he could examine exactly what's loaded and where.

>PS. Oracle 10G installed ok on Mandrake 10. Shame that MDK10 doesn't
>see anything on the companion disc where MDK9.2 did. One day maybe,
>one day.

Glad you got 10g up and running on Mandrake 10 - maybe you can now claim Howard's Denis prize, if of course you can script it all... :-)

cheers

Pete

-- 
Pete Finnigan
email:pete_at_petefinnigan.com
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.
Received on Wed Apr 21 2004 - 05:09:12 CDT
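The reconnaissance Pete describes above (working out which shared objects a daemon loads and where they land in memory) can be done from inside a process as well as from outside with truss/strace/gdb. The following is an added example, not code from the original post, from Oracle or from Pete Finnigan; it assumes Linux with glibc, where dl_iterate_phdr() walks the ELF program headers of every loaded object, and uses webcached only as the motivating target, not as something it talks to. It lists each object's load base and then attributes one function address (strlen, from the C library) to the object that contains it, which is exactly the "what is loaded and where" an attacker needs before crafting an overwrite.

```c
/* Enumerate the shared objects mapped into this process and their load
 * addresses: the same picture truss/strace/gdb give an attacker from the
 * outside. Linux/glibc only (dl_iterate_phdr). Build: gcc -Wall -o loaded loaded.c */
#define _GNU_SOURCE
#include <link.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bookkeeping shared with the dl_iterate_phdr callback. */
struct walk {
    size_t count;           /* objects seen so far */
    const void *target;     /* address to attribute, or NULL */
    const char *hit_name;   /* object whose PT_LOAD segment covers target */
    uintptr_t hit_base;     /* its load base (0 for a non-PIE main program) */
    int verbose;            /* print one line per object */
};

static const char *object_name(const struct dl_phdr_info *info)
{
    /* The main program reports an empty dlpi_name. */
    return (info->dlpi_name && info->dlpi_name[0]) ? info->dlpi_name : "(main program)";
}

static int on_object(struct dl_phdr_info *info, size_t size, void *data)
{
    struct walk *w = data;
    (void)size;
    w->count++;
    if (w->verbose)
        printf("%#18lx  %s\n", (unsigned long)info->dlpi_addr, object_name(info));

    /* Each PT_LOAD segment occupies [base + p_vaddr, base + p_vaddr + p_memsz). */
    for (int i = 0; i < info->dlpi_phnum; i++) {
        const ElfW(Phdr) *ph = &info->dlpi_phdr[i];
        if (ph->p_type != PT_LOAD)
            continue;
        uintptr_t start = info->dlpi_addr + ph->p_vaddr;
        uintptr_t end = start + ph->p_memsz;
        uintptr_t t = (uintptr_t)w->target;
        if (w->target && t >= start && t < end) {
            w->hit_name = object_name(info);
            w->hit_base = info->dlpi_addr;
        }
    }
    return 0; /* keep iterating */
}

/* Number of ELF objects (main program plus shared libraries) currently loaded. */
size_t count_loaded_objects(void)
{
    struct walk w = {0};
    dl_iterate_phdr(on_object, &w);
    return w.count;
}

/* Name of the loaded object whose PT_LOAD segment covers addr, or NULL.
 * The object's load base is stored in *base_out when it is non-NULL. */
const char *object_name_for(const void *addr, uintptr_t *base_out)
{
    struct walk w = {0};
    w.target = addr;
    dl_iterate_phdr(on_object, &w);
    if (base_out)
        *base_out = w.hit_base;
    return w.hit_name;
}

int main(void)
{
    struct walk w = {0};
    w.verbose = 1;
    puts("load base           object");
    dl_iterate_phdr(on_object, &w);

    uintptr_t base = 0;
    const char *name = object_name_for((const void *)&strlen, &base);
    printf("\nstrlen is at %p in %s (base %#lx, offset %#lx)\n",
           (void *)&strlen, name ? name : "?", (unsigned long)base,
           (unsigned long)((uintptr_t)&strlen - base));
    puts("Run it twice: with ASLR the bases change between runs, the offsets do not.");
    return 0;
}
```

The offset is the part an attacker can learn once, offline, from his own copy of the binary; the base is what he must know, guess or leak per run. That is why address-space randomisation matters here even though, as Pete says, ordinary memory protection only separates one process from another and does nothing to stop a process corrupting its own heap.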

