CVE-2013-5791 - Stack Buffer Overflow vulnerability in Oracle Fusion Middleware 8.4/8.4.1

CVSS 1.5 - LOW
Attack vector: LOCAL
Attack complexity: MEDIUM
Privileges required: SINGLE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: PARTIAL
Tags: local, oracle, nessus, exploit available

Summary

Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.4.0 and 8.4.1 allows context-dependent attackers to affect availability via unknown vectors related to Outside In Filters. NOTE: the previous information is from the October 2013 CPU. Oracle has not commented on claims from a third party that the issue is a stack-based buffer overflow in the Microsoft Access 1.x parser in vsacs.dll before 8.4.0.108 and before 8.4.1.52, which allows attackers to execute arbitrary code via a long field (aka column) name. Per http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html 'Outside In Technology is a suite of software development kits (SDKs). It does not have any particular associated protocol. If the hosting software passes data received over the network to Outside In Technology code, the CVSS Base Score would increase to 6.8.'

Vulnerable Configurations

Part: Application
Description: Oracle
Count: 2

Exploit-Db

description: Oracle Outside In MDB - File Parsing Stack Based Buffer Overflow PoC. CVE-2013-5791. Dos exploit for windows platform
file: exploits/windows/dos/31222.py
id: EDB-ID:31222
last seen: 2016-02-03
modified: 2014-01-27
platform: windows
port:
published: 2014-01-27
reporter: Citadelo
source: https://www.exploit-db.com/download/31222/
title: Oracle Outside In MDB - File Parsing Stack Based Buffer Overflow PoC
type: dos

Msbulletin

bulletin_id: MS13-105
bulletin_url:
date: 2013-12-10T00:00:00
impact: Remote Code Execution
knowledgebase_id: 2915705
knowledgebase_url:
severity: Critical
title: Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution

Nessus

  • NASL family: CGI abuses
    NASL id: WEBSPHERE_PORTAL_CVE-2013-5791.NASL
    description: The version of IBM WebSphere Portal on the remote host is affected by multiple remote code execution vulnerabilities in the Outside In Technology component : - A stack overflow in the Filters subcomponent of the OS/2 Metafile Parser. (CVE-2013-5763) - A stack overflow in the Microsoft Access database file format parser. (CVE-2013-5791) A remote attacker can use specially crafted files to cause a buffer overflow and execute arbitrary code.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 73499
    published: 2014-04-14
    reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/73499
    title: IBM WebSphere Portal Outside In Technology Multiple Overflows (PI07290)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(73499);
      script_version("1.7");
      script_cvs_date("Date: 2019/11/26");
    
      script_cve_id("CVE-2013-5763", "CVE-2013-5791");
      script_bugtraq_id(63076, 63741);
      script_xref(name:"EDB-ID", value:"31222");
      script_xref(name:"CERT", value:"953241");
    
      script_name(english:"IBM WebSphere Portal Outside In Technology Multiple Overflows (PI07290)");
      script_summary(english:"Checks for installed patches.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host has web portal software installed that is
    affected by multiple remote code execution vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of IBM WebSphere Portal on the remote host is affected by
    multiple remote code execution vulnerabilities in the Outside In
    Technology component :
    
      - A stack overflow in the Filters subcomponent of the
        OS/2 Metafile Parser. (CVE-2013-5763)
    
      - A stack overflow in the Microsoft Access database
        file format parser. (CVE-2013-5791)
    
    A remote attacker can use specially crafted files to cause a buffer
    overflow and execute arbitrary code.");
      script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21660640");
      script_set_attribute(attribute:"see_also", value:"http://xforce.iss.net/xforce/xfdb/87925");
      script_set_attribute(attribute:"see_also", value:"http://xforce.iss.net/xforce/xfdb/88557");
      script_set_attribute(attribute:"solution", value:
    "IBM has published Interim Fix PI07290. This fix is a part of 7.0.0.2
    CF27 and 8.0.0.1 CF10. Refer to IBM's advisory for more information.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:S/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2013-5791");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2013/10/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2013/10/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/04/14");
    
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:websphere_portal");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("websphere_portal_installed.nbin");
      script_require_keys("installed_sw/IBM WebSphere Portal", "Settings/ParanoidReport");
    
      exit(0);
    }
    
    include("websphere_portal_version.inc");
    
    # A workaround is available
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    websphere_portal_check_version(
      ranges:make_list(
        "6.0.0.0, 6.0.0.1",
        "6.1.0.0, 6.1.0.6, CF27",
        "6.1.5.0, 6.1.5.3, CF27",
        "7.0.0.0, 7.0.0.2, CF25",
        "8.0.0.0, 8.0.0.1, CF08"
      ),
      fix:"PI07290",
      severity:SECURITY_NOTE
    );
    
  • NASL family: Windows : Microsoft Bulletins
    NASL id: SMB_NT_MS13-105.NASL
    description: The version of Microsoft Exchange installed on the host is affected by the following vulnerabilities : - A code execution vulnerability exists that could allow an attacker to execute arbitrary code in the context of the OWA service account. (CVE-2013-1330) - A cross-site scripting vulnerability exists in OWA in which an attacker could elevate their privileges and run a script in the context of the current user. (CVE-2013-5072) - Two code execution vulnerabilities exist in the WebReady Document Viewing feature of Outlook Web Access. Code execution is limited to the LocalService account. In addition, a denial of service vulnerability exists in the DLP feature of Exchange 2013. (CVE-2013-5763, CVE-2013-5791)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 71320
    published: 2013-12-11
    reporter: This script is Copyright (C) 2013-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/71320
    title: MS13-105: Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution (2915705)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(71320);
      script_version("1.15");
      script_cvs_date("Date: 2019/01/10 15:44:14");
    
      script_cve_id(
        "CVE-2013-1330",
        "CVE-2013-5072",
        "CVE-2013-5763",
        "CVE-2013-5791"
      );
      script_bugtraq_id(62221, 63076, 63741, 64085);
      script_xref(name:"CERT", value:"953241");
      script_xref(name:"CERT", value:"959313");
      script_xref(name:"EDB-ID", value:"31222");
      script_xref(name:"MSFT", value:"MS13-105");
      script_xref(name:"MSKB", value:"2880833");
      script_xref(name:"MSKB", value:"2905616");
      script_xref(name:"MSKB", value:"2903911");
      script_xref(name:"MSKB", value:"2903903");
    
      script_name(english:"MS13-105: Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution (2915705)");
      script_summary(english:"Checks version of vshwp2.dll.");
    
      script_set_attribute(attribute:"synopsis", value:"The remote mail server has multiple vulnerabilities.");
      script_set_attribute(
        attribute:"description",
        value:
    "The version of Microsoft Exchange installed on the host is affected by
    the following vulnerabilities :
    
      - A code execution vulnerability exists that could allow
        an attacker to execute arbitrary code in the context of
        the OWA service account. (CVE-2013-1330)
    
      - A cross-site scripting vulnerability exists in OWA in
        which an attacker could elevate their privileges and run
        a script in the context of the current user.
        (CVE-2013-5072)
    
      - Two code execution vulnerabilities exist in the WebReady
        Document Viewing feature of Outlook Web Access. Code
        execution is limited to the LocalService account.  In
        addition, a denial of service vulnerability exists in
        the DLP feature of Exchange 2013. (CVE-2013-5763,
        CVE-2013-5791)"
      );
      script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2013/ms13-105");
      script_set_attribute(
        attribute:"solution",
        value:
    "Microsoft has released a set of patches for Exchange 2007 SP3, 2010 SP2
    and SP3, 2013 CU2 and CU3."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2013/09/10");
      script_set_attribute(attribute:"patch_publication_date", value:"2013/12/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/12/11");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:exchange_server");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2013-2019 Tenable Network Security, Inc.");
    
      script_dependencies("ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, "Host/patch_management_checks");
    
      exit(0);
    }
    
    include("audit.inc");
    include("smb_func.inc");
    include("smb_hotfixes.inc");
    include("smb_hotfixes_fcheck.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');
    
    port = kb_smb_transport();
    
    bulletin = 'MS13-105';
    kbs = make_list(
      '2880833', # Exchange 2013 CU2 & CU3
      '2905616', # Exchange 2010 SP3 - Rollup 4
      '2903911', # Exchange 2007 SP3 - Rollup 12
      '2903903'  # Exchange 2010 SP2 - Rollup 8
    );
    
    if (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit('SMB/Registry/Enumerated');
    
    version = get_kb_item_or_exit('SMB/Exchange/Version');
    sp = int(get_kb_item('SMB/Exchange/SP'));
    
    # bail out if one of the following affected configurations is not seen
    if (version != 80 && version != 140 && version != 150) # not 2007, 2010 or 2013
      audit(AUDIT_INST_VER_NOT_VULN, 'Exchange', version);
    else if (version == 80 && sp != 3) # not 2007 SP3
      audit(AUDIT_INST_VER_NOT_VULN, 'Exchange', '2007 SP' + sp);
    else if (version == 140 && sp != 2 && sp != 3) # not 2010 SP2 or SP3
      audit(AUDIT_INST_VER_NOT_VULN, 'Exchange', '2010 SP' + sp);
    else if (version == 150 && sp != 0) # not 2013 CU2 or CU3 (no SP)
      audit(AUDIT_INST_VER_NOT_VULN, 'Exchange', '2013 SP' + sp);
    
    exch_root = get_kb_item_or_exit('SMB/Exchange/Path', exit_code:1);
    if (exch_root[strlen(exch_root) - 1] != "\") # add a trailing backslash if necessary
      exch_root += "\";
    share = hotfix_path2share(path:exch_root);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if (version == 80 && sp == 3) # 2007 SP3
      kb = '2903911';
    else if (version == 140 && sp == 2) # 2010 SP2
      kb = '2903903';
    else if (version == 140 && sp == 3) # 2010 SP3
      kb = '2905616';
    else if (version == 150) # 2013 CU2 and CU3
      kb = '2880833';
    
    # If Exchange 2013 is installed, make sure it is CU2 or CU3 before continuing
    if (version == 150)
    {
      exe = exch_root + "Bin\msexchangerepl.exe";
      ret = hotfix_get_fversion(path:exe);
      if (ret['error'] != HCF_OK)
      {
        hotfix_check_fversion_end();
        audit(AUDIT_FN_FAIL, 'hotfix_get_fversion');
      }
      exe_ver = join(ret['value'], sep:'.');
    
      if (
        exe_ver !~ "^15\.0\.712\." && # 2013 CU2
        exe_ver !~ "^15\.0\.775\."    # 2013 CU3
      )
      {
        hotfix_check_fversion_end();
        audit(AUDIT_INST_VER_NOT_VULN, 'Exchange 2013', exe_ver);
      }
    }
    
    ooi_path = exch_root + "ClientAccess\Owa\Bin\DocumentViewing";
    file = 'vshwp2.dll';
    
    if (hotfix_is_vulnerable(path:ooi_path, file:file, version:'8.4.1.18', bulletin:bulletin, kb:kb))
    {
      set_kb_item(name:'SMB/Missing/' + bulletin, value:TRUE);
      set_kb_item(name:'www/'+port+'/XSS', value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, 'affected');
    }
    

Packetstorm

data source: https://packetstormsecurity.com/files/download/124963/oracleoutside-overflow.txt
id: PACKETSTORM:124963
last seen: 2016-12-05
published: 2014-01-27
reporter: Citadelo
source: https://packetstormsecurity.com/files/124963/Oracle-Outside-In-Buffer-Overflow.html
title: Oracle Outside In Buffer Overflow

Seebug

bulletinFamily: exploit
description: No description provided by source.
id: SSV:84560
last seen: 2017-11-19
modified: 2014-07-01
published: 2014-07-01
reporter: Root
source: https://www.seebug.org/vuldb/ssvid-84560
title: Oracle Outside In MDB - File Parsing Stack Based Buffer Overflow PoC