Vulnerabilities > CVE-2016-3577 - Unspecified vulnerability in Oracle Outside in Technology 8.5.0/8.5.1/8.5.2

047910
CVSS 8.6 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
LOW
Availability impact
LOW
network
low complexity
oracle
nessus
NVD
Published: 2016-07-21
Updated: 2017-09-01

Summary

Unspecified vulnerability in the Outside In Technology component in Oracle Fusion Middleware 8.5.0, 8.5.1, and 8.5.2 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Outside In Filters, a different vulnerability than CVE-2016-3574, CVE-2016-3575, CVE-2016-3576, CVE-2016-3578, CVE-2016-3579, CVE-2016-3580, CVE-2016-3581, CVE-2016-3582, CVE-2016-3583, CVE-2016-3590, CVE-2016-3591, CVE-2016-3592, CVE-2016-3593, CVE-2016-3594, CVE-2016-3595, and CVE-2016-3596.

Vulnerable Configurations

Part Description Count
Application
Oracle
3

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS16-108.NASL
descriptionThe remote Microsoft Exchange Server is missing a security update. It is, therefore, affected by multiple vulnerabilities : - Multiple remote code execution vulnerabilities exist in the Oracle Outside In libraries. An unauthenticated, remote attacker can exploit these, via a specially crafted email, to execute arbitrary code. (CVE-2015-6014, CVE-2016-3575, CVE-2016-3581, CVE-2016-3582, CVE-2016-3583, CVE-2016-3591, CVE-2016-3592, CVE-2016-3593, CVE-2016-3594, CVE-2016-3595, CVE-2016-3596) - An unspecified information disclosure vulnerability exists in the Oracle Outside In libraries that allows an attacker to disclose sensitive information. (CVE-2016-3574) - Multiple denial of service vulnerabilities exists in the Oracle Outside In libraries. (CVE-2016-3576, CVE-2016-3577, CVE-2016-3578, CVE-2016-3579, CVE-2016-3580, CVE-2016-3590) - An information disclosure vulnerability exists due to improper parsing of certain unstructured file formats. An unauthenticated, remote attacker can exploit this, via a crafted email using
last seen2020-06-01
modified2020-06-02
plugin id93467
published2016-09-13
reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/93467
titleMS16-108: Security Update for Microsoft Exchange Server (3185883)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(93467);
  script_version("1.11");
  script_cvs_date("Date: 2019/11/19");

  script_cve_id(
    "CVE-2015-6014",
    "CVE-2016-0138",
    "CVE-2016-3378",
    "CVE-2016-3379",
    "CVE-2016-3574",
    "CVE-2016-3575",
    "CVE-2016-3576",
    "CVE-2016-3577",
    "CVE-2016-3578",
    "CVE-2016-3579",
    "CVE-2016-3580",
    "CVE-2016-3581",
    "CVE-2016-3582",
    "CVE-2016-3583",
    "CVE-2016-3590",
    "CVE-2016-3591",
    "CVE-2016-3592",
    "CVE-2016-3593",
    "CVE-2016-3594",
    "CVE-2016-3595",
    "CVE-2016-3596"
  );
  script_bugtraq_id(
    81233,
    91908,
    91914,
    91921,
    91923,
    91924,
    91925,
    91927,
    91929,
    91931,
    91933,
    91934,
    91935,
    91936,
    91937,
    91939,
    91940,
    91942,
    92806,
    92833,
    92836
  );
  script_xref(name:"MSFT", value:"MS16-108");
  script_xref(name:"MSKB", value:"3184711");
  script_xref(name:"MSKB", value:"3184728");
  script_xref(name:"MSKB", value:"3184736");

  script_name(english:"MS16-108: Security Update for Microsoft Exchange Server (3185883)");
  script_summary(english:"Checks the version of ExSetup.exe.");

  script_set_attribute(attribute:"synopsis", value:
"The remote Microsoft Exchange Server is affected by multiple
vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote Microsoft Exchange Server is missing a security update. It
is, therefore, affected by multiple vulnerabilities :

  - Multiple remote code execution vulnerabilities exist in
    the Oracle Outside In libraries. An unauthenticated,
    remote attacker can exploit these, via a specially
    crafted email, to execute arbitrary code.
    (CVE-2015-6014, CVE-2016-3575, CVE-2016-3581,
    CVE-2016-3582, CVE-2016-3583, CVE-2016-3591,
    CVE-2016-3592, CVE-2016-3593, CVE-2016-3594,
    CVE-2016-3595, CVE-2016-3596)

  - An unspecified information disclosure vulnerability
    exists in the Oracle Outside In libraries that allows an
    attacker to disclose sensitive information.
    (CVE-2016-3574)

  - Multiple denial of service vulnerabilities exists in the
    Oracle Outside In libraries. (CVE-2016-3576,
    CVE-2016-3577, CVE-2016-3578, CVE-2016-3579,
    CVE-2016-3580, CVE-2016-3590)

  - An information disclosure vulnerability exists due to
    improper parsing of certain unstructured file formats.
    An unauthenticated, remote attacker can exploit this,
    via a crafted email using 'send as' rights, to disclose
    confidential user information. (CVE-2016-0138)

  - An open redirect vulnerability exists due to improper
    handling of open redirect requests. An unauthenticated,
    remote attacker can exploit this, by convincing a user
    to click a specially crafted URL, to redirect the user
    to a malicious website that spoofs a legitimate one.
    (CVE-2016-3378)

  - An elevation of privilege vulnerability exists due to
    improper handling of meeting invitation requests. An
    unauthenticated, remote attacker can exploit this, via a
    specially crafted Outlook meeting invitation request,
    to gain elevated privileges. (CVE-2016-3379)");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2016/ms16-108");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Exchange Server 2007,
2010, 2013, and 2016.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-6014");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/07/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/09/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/09/13");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:exchange_server");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ms_bulletin_checks_possible.nasl", "microsoft_exchange_installed.nbin");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");
include("install_func.inc");

get_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');

bulletin = 'MS16-108';
kbs = make_list("3184711", "3184728", "3184736");

if (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

install = get_single_install(app_name:"Microsoft Exchange");

path = install["path"];
version = install["version"];
release = install["RELEASE"];
if (release != 80 && release != 140 && release != 150 && release != 151)
  audit(AUDIT_INST_VER_NOT_VULN, 'Exchange', version);

if (!empty_or_null(install["SP"]))
  sp = install["SP"];
if (!empty_or_null(install["CU"]))
  cu = install["CU"];

if (((release == 150 || release == 151) && isnull(cu)) ||
   (release == 150 && cu != 4 && cu != 12 && cu != 13) ||
   (release == 151 && cu != 1 && cu != 2))
  audit(AUDIT_INST_VER_NOT_VULN, 'Exchange', version);

if (release == 80)
{
  kb = "3184711";
  if (!empty_or_null(sp) && sp == 3)
    fixedver = "8.3.485.1";
}
else if (release == 140)
{
  kb = "3184728";
  if (!empty_or_null(sp) && sp == 3)
    fixedver = "14.3.319.2";
}
else if (release == 150) # 2013 SP1 AKA CU4
{
  kb = "3184736";
  if (cu == 4)
    fixedver = "15.0.847.50";
  else if (cu == 12)
    fixedver = "15.0.1178.9";
  else if (cu == 13)
    fixedver = "15.0.1210.6";
}
else if (release == 151) # Exchange Server 2016
{
  kb = "3184736";
  if (cu == 1)
    fixedver = "15.1.396.37";
  else if (cu == 2)
    fixedver = "15.1.466.37";
}

if (fixedver && hotfix_is_vulnerable(path:hotfix_append_path(path:path, value:"Bin"), file:"ExSetup.exe", version:fixedver, bulletin:bulletin, kb:kb))
{
  set_kb_item(name:'SMB/Missing/' + bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

Seebug

bulletinFamilyexploit
description### DESCRIPTION A stack overflow leading to a crash due to unbounded recusive function call is present in the PDF file format parsing code of the IX SDK. ### TESTED VERSIONS Oracle Outside In IX sdk 8.5.1 ### PRODUCT URLs http://www.oracle.com/technetwork/middleware/content-management/oit-all-085236.html ### DETAILS While parsing a malformed PDF file which contains a reference to the Root element with malformed or missing an xref table a recursive call to a function is made each time with the same parameters eventualy leading to a crash due to process stack exhaustion. Technical information below: During a call to VwStreamOpen function in libvs_pdf.so library, code dealing with Root element is reached (image base is at 0xB74BF000): ``` .text:B74ED100 loc_B74ED100: .text:B74ED100 lea ebp, [esp+6BCh+var_BC] .text:B74ED107 cld .text:B74ED108 mov ecx, 8 .text:B74ED10D xor eax, eax .text:B74ED10F mov edi, ebp .text:B74ED111 rep stosd .text:B74ED113 lea ecx, [esp+6BCh+var_34] .text:B74ED11A mov eax, [esp+6BCh+arg_10] .text:B74ED121 mov [esp+6BCh+s], eax .text:B74ED124 lea edx, (aRoot - 0B74F6998h)[ebx] ; "Root" .text:B74ED12A mov eax, esi .text:B74ED12C call sub_B74D653E .text:B74ED131 mov edx, eax .text:B74ED133 test ax, ax .text:B74ED136 jnz loc_B74E ``` Function `sub_B74D653E` in turn calls a function `sub_B74D5EEC` in which the unbounded recursive call can happen: ``` .text:B74D6095 lea edx, [esp+5ACh+var_14] .text:B74D609C lea eax, [esp+5ACh+var_C0] .text:B74D60A3 mov ecx, ebp .text:B74D60A5 call sub_B74D5EEC .text:B74D60AA test ax, ax .text:B74D60AD jnz short loc_B74 ``` The supplied minimized testcase triggers the recursive call and leads to a crash due to stack exhaustion. The sample program `ixsample` supplied with the SDK can be used to reproduce the crash. ### TIMELINE * 2016-04-12 - Vendor Notification * 2016-07-19 - Public Disclosure
idSSV:96700
last seen2017-11-19
modified2017-10-16
published2017-10-16
reporterRoot
titleOracle OIT IX SDK libvs_pdf Root xref Denial of Service Vulnerabiity(CVE-2016-3577)

Talos

idTALOS-2016-0099
last seen2019-05-29
published2016-07-19
reporterTalos Intelligence
sourcehttp://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0099
titleOracle OIT IX SDK libvs_pdf Root xref Denial of Service Vulnerabiity

References