10.1.3.5

CVSS 0.0 - NONE

Attack vector

UNKNOWN

Attack complexity

UNKNOWN

Privileges required

UNKNOWN

Confidentiality impact

UNKNOWN

Integrity impact

UNKNOWN

Availability impact

UNKNOWN

oracle

nessus

exploit available

NVD

Published: 2011-01-19

Updated: 2018-10-10

Summary

Unspecified vulnerability in the Oracle Document Capture component in Oracle Fusion Middleware 10.1.3.4 and 10.1.3.5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Internal Operations. NOTE: the previous information was obtained from the January 2011 CPU. Oracle has not commented on claims from the original researcher that remote attackers can overwrite or delete arbitrary files via a full pathname in the second argument to the DownloadSingleMessageToFile method in the EMPOP3Lib ActiveX component (empop3.dll).

Vulnerable Configurations

Part	Description	Count
Application	Oracle Oracle Fusion Middleware 10.1.3.5 Oracle Fusion Middleware 10.1.3.4	2

Exploit-Db

description	Oracle Document Capture empop3.dll Insecure Methods. CVE-2010-3591. Remote exploit for windows platform
file	exploits/windows/remote/16055.txt
id	EDB-ID:16055
last seen	2016-02-01
modified	2011-01-26
platform	windows
port
published	2011-01-26
reporter	Evdokimov Dmitriy
source	https://www.exploit-db.com/download/16055/
title	Oracle Document Capture empop3.dll Insecure Methods
type	remote

description	Oracle Document Capture Actbar2.ocx Insecure Method. CVE-2010-3591. Remote exploit for windows platform
id	EDB-ID:16053
last seen	2016-02-01
modified	2011-01-26
published	2011-01-26
reporter	Evdokimov Dmitriy
source	https://www.exploit-db.com/download/16053/
title	Oracle Document Capture Actbar2.ocx Insecure Method

Nessus

NASL family	Windows
NASL id	ORACLE_DOCUMENT_CAPTURE_ACTIVEX.NASL
description	The Oracle Document Capture client installed on the remote host is potentially affected by multiple vulnerabilities : - An unspecified vulnerability exists in the Import Export utility. An attacker can exploit this to affect integrity. (CVE-2010-3598) - An information disclosure vulnerability exists related to the EasyMail ActiveX control. (CVE-2010-3595) - Insecure methods in the
last seen	2020-06-01
modified	2020-06-02
plugin id	51873
published	2011-02-04
reporter	This script is Copyright (C) 2011-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/51873
title	Oracle Document Capture Multiple Vulnerabilities
code	# # (C) Tenable Network Security, Inc. # include('compat.inc'); if (description) { script_id(51873); script_version("1.15"); script_cvs_date("Date: 2018/11/15 20:50:28"); script_cve_id( "CVE-2010-3591", "CVE-2010-3592", "CVE-2010-3595", "CVE-2010-3598", "CVE-2010-3599" ); script_bugtraq_id(45846, 45849, 45851, 45856, 45871); script_xref(name:"EDB-ID", value:"16052"); script_xref(name:"EDB-ID", value:"16053"); script_xref(name:"EDB-ID", value:"16055"); script_xref(name:"EDB-ID", value:"16056"); script_xref(name:"Secunia", value:"42976"); script_name(english:"Oracle Document Capture Multiple Vulnerabilities"); script_summary(english:"Checks for Document Capture ActiveX controls."); script_set_attribute(attribute:"synopsis", value: "The remote Windows host has one or more ActiveX controls installed that are affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The Oracle Document Capture client installed on the remote host is potentially affected by multiple vulnerabilities : - An unspecified vulnerability exists in the Import Export utility. An attacker can exploit this to affect integrity. (CVE-2010-3598) - An information disclosure vulnerability exists related to the EasyMail ActiveX control. (CVE-2010-3595) - Insecure methods in the 'Actbar2.ocx' and 'empop3.dll' ActiveX controls can be exploited to overwrite arbitrary files. (CVE-2010-3591) - An error in the 'WriteJPG()' method in the NCSEcw.dll ActiveX control can be exploited to overwrite arbitrary files or potentially cause a buffer overflow. (CVE-2010-3599) - An unspecified vulnerability exists in the Internal Operations component. (CVE-2010-3592) Note that the NCSEcw.dll control is actually from the ERDAS ECW/JP2 SDK developer toolkit from Intergraph."); # https://web.archive.org/web/20110831133022/http://dsecrg.ru/pages/vul/show.php?id=306 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a54d748d"); # https://web.archive.org/web/20110919025431/http://dsecrg.ru/pages/vul/show.php?id=307 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c14789b4"); script_set_attribute(attribute:"see_also", value:"http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html"); # https://www.hexagongeospatial.com/en/technical-documents/ecw-jp2-sdk-security-advisory script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?347627fe"); script_set_attribute(attribute:"solution", value: "If using Oracle's Document Capture client, apply the patch from Oracle to disable the ActiveX controls. If using a different application that includes the NCSEcw.dll control, set the kill bit for the affect control as discussed in Hexagon Geospatial's advisory."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2010-3599"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2011/01/18"); script_set_attribute(attribute:"patch_publication_date", value:"2011/01/18"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/02/04"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2011-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("smb_hotfixes.nasl"); script_require_keys("SMB/Registry/Enumerated"); script_require_ports(139, 445); exit(0); } include("global_settings.inc"); include("smb_func.inc"); include("smb_activex_func.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/Registry/Enumerated"); if (activex_init() != ACX_OK) exit(1, "activex_init() failed."); clsids = make_list( '{4932CEF4-2CAA-11D2-A165-0060081C43D9}', '{F647CBE5-3C01-402A-B3F0-502A77054A24}', '{10696DE0-CF47-4ad4-B1AE-CC1F4021D65B}', '{68AC0D5F-0424-11D5-822F-00C04F6BA8D9}', '{DAFA4BF6-C807-463c-8745-C9E0C90CF84F}', '{D63891F1-E026-11D3-A6C3-005004055C6C}' ); # Determine if any of the controls are installed. info = ''; installs = 0; foreach clsid (clsids) { file = activex_get_filename(clsid:clsid); if (isnull(file)) { activex_end(); exit(1, "activex_get_filename() returned NULL."); } if (!file) continue; installs++; # Get its version version = activex_get_fileversion(clsid:clsid); if (!version) version = 'unknown'; if (report_paranoia > 1 \|\| activex_get_killbit(clsid:clsid) == 0) { info += '\n Class Identifier : ' + clsid + '\n Filename : ' + file + '\n Installed version : ' + version + '\n'; if (!thorough_tests) break; } } activex_end(); # Report findings. if (installs) { if (info) { if (report_paranoia > 1) { if (installs == 1) s = " was"; else s = "s were"; report = info + '\n' + 'Note, though, that Nessus did not check whether the kill bit' + s + '\n' + 'set for the control\'s CLSID because of the Report Paranoia setting' + '\n' + 'in effect when this scan was run.\n'; } else { if (installs == 1) s = "its kill bit is not set so it is"; else s = "their kill bits are not set so they are"; report = info + '\n' + 'Moreover, ' + s + ' accessible via Internet\n' + 'Explorer.\n'; } if (report_verbosity > 0) security_hole(port:kb_smb_transport(), extra:report); else security_hole(kb_smb_transport()); exit(0); } else { if (installs == 1) exit(0, "The control is installed but its kill bit is set."); else exit(0, installs+" instances of the controls are installed but their kill bits are set."); } } else exit(0, "None of the affected controls are installed.");

Packetstorm

data source	https://packetstormsecurity.com/files/download/97866/DSECRG-11-004.txt
id	PACKETSTORM:97866
last seen	2016-12-05
published	2011-01-25
reporter	Sh2kerr
source	https://packetstormsecurity.com/files/97866/Oracle-Document-Capture-Actbar2.ocx-Insecure-Method.html
title	Oracle Document Capture Actbar2.ocx Insecure Method

data source	https://packetstormsecurity.com/files/download/97868/DSECRG-11-005.txt
id	PACKETSTORM:97868
last seen	2016-12-05
published	2011-01-25
reporter	Sh2kerr
source	https://packetstormsecurity.com/files/97868/Oracle-Document-Capture-empop3.dll-Insecure-Methods.html
title	Oracle Document Capture empop3.dll Insecure Methods

Seebug

bulletinFamily	exploit
description	No description provided by source.
id	SSV:70620
last seen	2017-11-19
modified	2014-07-01
published	2014-07-01
reporter	Root
source	https://www.seebug.org/vuldb/ssvid-70620
title	Oracle Document Capture Actbar2.ocx Insecure Method

bulletinFamily	exploit
description	No description provided by source.
id	SSV:70622
last seen	2017-11-19
modified	2014-07-01
published	2014-07-01
reporter	Root
source	https://www.seebug.org/vuldb/ssvid-70622
title	Oracle Document Capture empop3.dll Insecure Methods

Summary

Vulnerable Configurations

Exploit-Db

Nessus

Packetstorm

Seebug

References