Vulnerabilities > CVE-2016-3577 - Unspecified vulnerability in Oracle Outside in Technology 8.5.0/8.5.1/8.5.2
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
LOW Availability impact
LOW Summary
Unspecified vulnerability in the Outside In Technology component in Oracle Fusion Middleware 8.5.0, 8.5.1, and 8.5.2 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Outside In Filters, a different vulnerability than CVE-2016-3574, CVE-2016-3575, CVE-2016-3576, CVE-2016-3578, CVE-2016-3579, CVE-2016-3580, CVE-2016-3581, CVE-2016-3582, CVE-2016-3583, CVE-2016-3590, CVE-2016-3591, CVE-2016-3592, CVE-2016-3593, CVE-2016-3594, CVE-2016-3595, and CVE-2016-3596.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 3 |
Nessus
NASL family | Windows : Microsoft Bulletins |
NASL id | SMB_NT_MS16-108.NASL |
description | The remote Microsoft Exchange Server is missing a security update. It is, therefore, affected by multiple vulnerabilities : - Multiple remote code execution vulnerabilities exist in the Oracle Outside In libraries. An unauthenticated, remote attacker can exploit these, via a specially crafted email, to execute arbitrary code. (CVE-2015-6014, CVE-2016-3575, CVE-2016-3581, CVE-2016-3582, CVE-2016-3583, CVE-2016-3591, CVE-2016-3592, CVE-2016-3593, CVE-2016-3594, CVE-2016-3595, CVE-2016-3596) - An unspecified information disclosure vulnerability exists in the Oracle Outside In libraries that allows an attacker to disclose sensitive information. (CVE-2016-3574) - Multiple denial of service vulnerabilities exists in the Oracle Outside In libraries. (CVE-2016-3576, CVE-2016-3577, CVE-2016-3578, CVE-2016-3579, CVE-2016-3580, CVE-2016-3590) - An information disclosure vulnerability exists due to improper parsing of certain unstructured file formats. An unauthenticated, remote attacker can exploit this, via a crafted email using |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 93467 |
published | 2016-09-13 |
reporter | This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/93467 |
title | MS16-108: Security Update for Microsoft Exchange Server (3185883) |
code |
|
Seebug
bulletinFamily | exploit |
description | ### DESCRIPTION A stack overflow leading to a crash due to unbounded recusive function call is present in the PDF file format parsing code of the IX SDK. ### TESTED VERSIONS Oracle Outside In IX sdk 8.5.1 ### PRODUCT URLs http://www.oracle.com/technetwork/middleware/content-management/oit-all-085236.html ### DETAILS While parsing a malformed PDF file which contains a reference to the Root element with malformed or missing an xref table a recursive call to a function is made each time with the same parameters eventualy leading to a crash due to process stack exhaustion. Technical information below: During a call to VwStreamOpen function in libvs_pdf.so library, code dealing with Root element is reached (image base is at 0xB74BF000): ``` .text:B74ED100 loc_B74ED100: .text:B74ED100 lea ebp, [esp+6BCh+var_BC] .text:B74ED107 cld .text:B74ED108 mov ecx, 8 .text:B74ED10D xor eax, eax .text:B74ED10F mov edi, ebp .text:B74ED111 rep stosd .text:B74ED113 lea ecx, [esp+6BCh+var_34] .text:B74ED11A mov eax, [esp+6BCh+arg_10] .text:B74ED121 mov [esp+6BCh+s], eax .text:B74ED124 lea edx, (aRoot - 0B74F6998h)[ebx] ; "Root" .text:B74ED12A mov eax, esi .text:B74ED12C call sub_B74D653E .text:B74ED131 mov edx, eax .text:B74ED133 test ax, ax .text:B74ED136 jnz loc_B74E ``` Function `sub_B74D653E` in turn calls a function `sub_B74D5EEC` in which the unbounded recursive call can happen: ``` .text:B74D6095 lea edx, [esp+5ACh+var_14] .text:B74D609C lea eax, [esp+5ACh+var_C0] .text:B74D60A3 mov ecx, ebp .text:B74D60A5 call sub_B74D5EEC .text:B74D60AA test ax, ax .text:B74D60AD jnz short loc_B74 ``` The supplied minimized testcase triggers the recursive call and leads to a crash due to stack exhaustion. The sample program `ixsample` supplied with the SDK can be used to reproduce the crash. ### TIMELINE * 2016-04-12 - Vendor Notification * 2016-07-19 - Public Disclosure |
id | SSV:96700 |
last seen | 2017-11-19 |
modified | 2017-10-16 |
published | 2017-10-16 |
reporter | Root |
title | Oracle OIT IX SDK libvs_pdf Root xref Denial of Service Vulnerabiity(CVE-2016-3577) |
Talos
id | TALOS-2016-0099 |
last seen | 2019-05-29 |
published | 2016-07-19 |
reporter | Talos Intelligence |
source | http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0099 |
title | Oracle OIT IX SDK libvs_pdf Root xref Denial of Service Vulnerabiity |
References
- http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
- http://www.securityfocus.com/bid/91787
- http://www.securityfocus.com/bid/91787
- http://www.securityfocus.com/bid/91924
- http://www.securityfocus.com/bid/91924
- http://www.securitytracker.com/id/1036370
- http://www.securitytracker.com/id/1036370
- http://www-01.ibm.com/support/docview.wss?uid=swg21988009
- http://www-01.ibm.com/support/docview.wss?uid=swg21988009
- http://www-01.ibm.com/support/docview.wss?uid=swg21988718
- http://www-01.ibm.com/support/docview.wss?uid=swg21988718