Vulnerabilities > CVE-2016-3581 - Remote Security vulnerability in Oracle Outside in Technology 8.5.0/8.5.1/8.5.2

047910
CVSS 9.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
oracle
critical
nessus
NVD
Published: 2016-07-21
Updated: 2017-09-01

Summary

Unspecified vulnerability in the Outside In Technology component in Oracle Fusion Middleware 8.5.0, 8.5.1, and 8.5.2 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Outside In Filters, a different vulnerability than CVE-2016-3574, CVE-2016-3575, CVE-2016-3576, CVE-2016-3577, CVE-2016-3578, CVE-2016-3579, CVE-2016-3580, CVE-2016-3582, CVE-2016-3583, CVE-2016-3590, CVE-2016-3591, CVE-2016-3592, CVE-2016-3593, CVE-2016-3594, CVE-2016-3595, and CVE-2016-3596.

Vulnerable Configurations

Part Description Count
Application
Oracle
3

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS16-108.NASL
descriptionThe remote Microsoft Exchange Server is missing a security update. It is, therefore, affected by multiple vulnerabilities : - Multiple remote code execution vulnerabilities exist in the Oracle Outside In libraries. An unauthenticated, remote attacker can exploit these, via a specially crafted email, to execute arbitrary code. (CVE-2015-6014, CVE-2016-3575, CVE-2016-3581, CVE-2016-3582, CVE-2016-3583, CVE-2016-3591, CVE-2016-3592, CVE-2016-3593, CVE-2016-3594, CVE-2016-3595, CVE-2016-3596) - An unspecified information disclosure vulnerability exists in the Oracle Outside In libraries that allows an attacker to disclose sensitive information. (CVE-2016-3574) - Multiple denial of service vulnerabilities exists in the Oracle Outside In libraries. (CVE-2016-3576, CVE-2016-3577, CVE-2016-3578, CVE-2016-3579, CVE-2016-3580, CVE-2016-3590) - An information disclosure vulnerability exists due to improper parsing of certain unstructured file formats. An unauthenticated, remote attacker can exploit this, via a crafted email using
last seen2020-06-01
modified2020-06-02
plugin id93467
published2016-09-13
reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/93467
titleMS16-108: Security Update for Microsoft Exchange Server (3185883)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(93467);
  script_version("1.11");
  script_cvs_date("Date: 2019/11/19");

  script_cve_id(
    "CVE-2015-6014",
    "CVE-2016-0138",
    "CVE-2016-3378",
    "CVE-2016-3379",
    "CVE-2016-3574",
    "CVE-2016-3575",
    "CVE-2016-3576",
    "CVE-2016-3577",
    "CVE-2016-3578",
    "CVE-2016-3579",
    "CVE-2016-3580",
    "CVE-2016-3581",
    "CVE-2016-3582",
    "CVE-2016-3583",
    "CVE-2016-3590",
    "CVE-2016-3591",
    "CVE-2016-3592",
    "CVE-2016-3593",
    "CVE-2016-3594",
    "CVE-2016-3595",
    "CVE-2016-3596"
  );
  script_bugtraq_id(
    81233,
    91908,
    91914,
    91921,
    91923,
    91924,
    91925,
    91927,
    91929,
    91931,
    91933,
    91934,
    91935,
    91936,
    91937,
    91939,
    91940,
    91942,
    92806,
    92833,
    92836
  );
  script_xref(name:"MSFT", value:"MS16-108");
  script_xref(name:"MSKB", value:"3184711");
  script_xref(name:"MSKB", value:"3184728");
  script_xref(name:"MSKB", value:"3184736");

  script_name(english:"MS16-108: Security Update for Microsoft Exchange Server (3185883)");
  script_summary(english:"Checks the version of ExSetup.exe.");

  script_set_attribute(attribute:"synopsis", value:
"The remote Microsoft Exchange Server is affected by multiple
vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote Microsoft Exchange Server is missing a security update. It
is, therefore, affected by multiple vulnerabilities :

  - Multiple remote code execution vulnerabilities exist in
    the Oracle Outside In libraries. An unauthenticated,
    remote attacker can exploit these, via a specially
    crafted email, to execute arbitrary code.
    (CVE-2015-6014, CVE-2016-3575, CVE-2016-3581,
    CVE-2016-3582, CVE-2016-3583, CVE-2016-3591,
    CVE-2016-3592, CVE-2016-3593, CVE-2016-3594,
    CVE-2016-3595, CVE-2016-3596)

  - An unspecified information disclosure vulnerability
    exists in the Oracle Outside In libraries that allows an
    attacker to disclose sensitive information.
    (CVE-2016-3574)

  - Multiple denial of service vulnerabilities exists in the
    Oracle Outside In libraries. (CVE-2016-3576,
    CVE-2016-3577, CVE-2016-3578, CVE-2016-3579,
    CVE-2016-3580, CVE-2016-3590)

  - An information disclosure vulnerability exists due to
    improper parsing of certain unstructured file formats.
    An unauthenticated, remote attacker can exploit this,
    via a crafted email using 'send as' rights, to disclose
    confidential user information. (CVE-2016-0138)

  - An open redirect vulnerability exists due to improper
    handling of open redirect requests. An unauthenticated,
    remote attacker can exploit this, by convincing a user
    to click a specially crafted URL, to redirect the user
    to a malicious website that spoofs a legitimate one.
    (CVE-2016-3378)

  - An elevation of privilege vulnerability exists due to
    improper handling of meeting invitation requests. An
    unauthenticated, remote attacker can exploit this, via a
    specially crafted Outlook meeting invitation request,
    to gain elevated privileges. (CVE-2016-3379)");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2016/ms16-108");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Exchange Server 2007,
2010, 2013, and 2016.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-6014");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/07/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/09/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/09/13");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:exchange_server");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ms_bulletin_checks_possible.nasl", "microsoft_exchange_installed.nbin");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");
include("install_func.inc");

get_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');

bulletin = 'MS16-108';
kbs = make_list("3184711", "3184728", "3184736");

if (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

install = get_single_install(app_name:"Microsoft Exchange");

path = install["path"];
version = install["version"];
release = install["RELEASE"];
if (release != 80 && release != 140 && release != 150 && release != 151)
  audit(AUDIT_INST_VER_NOT_VULN, 'Exchange', version);

if (!empty_or_null(install["SP"]))
  sp = install["SP"];
if (!empty_or_null(install["CU"]))
  cu = install["CU"];

if (((release == 150 || release == 151) && isnull(cu)) ||
   (release == 150 && cu != 4 && cu != 12 && cu != 13) ||
   (release == 151 && cu != 1 && cu != 2))
  audit(AUDIT_INST_VER_NOT_VULN, 'Exchange', version);

if (release == 80)
{
  kb = "3184711";
  if (!empty_or_null(sp) && sp == 3)
    fixedver = "8.3.485.1";
}
else if (release == 140)
{
  kb = "3184728";
  if (!empty_or_null(sp) && sp == 3)
    fixedver = "14.3.319.2";
}
else if (release == 150) # 2013 SP1 AKA CU4
{
  kb = "3184736";
  if (cu == 4)
    fixedver = "15.0.847.50";
  else if (cu == 12)
    fixedver = "15.0.1178.9";
  else if (cu == 13)
    fixedver = "15.0.1210.6";
}
else if (release == 151) # Exchange Server 2016
{
  kb = "3184736";
  if (cu == 1)
    fixedver = "15.1.396.37";
  else if (cu == 2)
    fixedver = "15.1.466.37";
}

if (fixedver && hotfix_is_vulnerable(path:hotfix_append_path(path:path, value:"Bin"), file:"ExSetup.exe", version:fixedver, bulletin:bulletin, kb:kb))
{
  set_kb_item(name:'SMB/Missing/' + bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

Seebug

bulletinFamilyexploit
description### Description While parsing a specially crafted TIFF file, a parser confussion can lead to a heap buffer overflow resulting in out of bounds memory overwrite leading to arbitrary code execution. ### Tested Versions Oracle Outside In IX sdk 8.5.1 ### Product URLs http://www.oracle.com/technetwork/middleware/content-management/oit-all-085236.html ### Details While parsing a specially crafted TIFF file with ExtraSamples tag present, a parser confusion can lead to insuficient heap memory allocation which later results in a buffer overflow corrupting the heap structures which can be abused to achieve arbitrary code execution. As per the file format documentation ExtraSamples influences how many actual bits per sample there are in the file. Size of the allocation is based directly on on ImageWidth value (at offset 0x6c in the supplied testcase) and is the allocation happens in the following basic block in `libvs_tiff.so` (image base is 0xB74E1000): ``` .text:B74F3DE4 mov edx, [esp+11Ch+var_A8] .text:B74F3DE8 mov eax, [edx+30h] .text:B74F3DEB mov [ebp+4A8h], eax .text:B74F3DF1 mov eax, [edx+30h] [1] .text:B74F3DF4 mov [esp+11Ch+s], eax .text:B74F3DF7 call _SYSNativeAlloc ``` At [1], the size of the allocation is read from a structure on the heap which comes from the file directly. In the supplied testcase (minimal.tiff) this will be 0x20 bytes, resulting in 0x28 byte chunk being allocated. The overflow happens in the following code in `libvs_tiff6.so`: ``` .text:B74EC5A8 add eax, [esp+26Ch+var_188] .text:B74EC5AF movzx eax, byte ptr [eax+esi] [1] .text:B74EC5B3 mov edx, [esp+26Ch+var_250] .text:B74EC5B7 mov [edx+ecx], al [2] .text:B74EC5BA .text:B74EC5BA loc_B74EC5BA: ; CODE XREF: VwStreamRead+9F6j .text:B74EC5BA mov ecx, [esp+26Ch+var_220] .text:B74EC5BE movzx eax, word ptr [ecx+0D8h] .text:B74EC5C5 add esi, eax [3] .text:B74EC5C7 cmp [ecx+3CCh], esi [4] .text:B74EC5CD jbe loc_B74EC09B ``` In the above code, at [1] a byte value is read from the heap and is written to a destination buffer at [2]. At [2], `edx` points at the begining of the previously allocated buffer (as discussed above) and `ecx` serves as offset, incremented by 1 in each iteration of the loop. This block of code is executed in a bigger loop, the rest of which is ommited for brevity. At [3], `esi`, which is a loop counter (also an index into a buffer at [1]), is incremented by value in `eax` which comes directly from SamplesPerPixel value in the file (2 in the supplied minimal.tiff). Finally, at [4], the `esi` counter is compared to a max value in `ecx+0x3CC`. If the maximum value of the counter (`ecx+0x3cc` at [4] above) is greater than the allocated buffer a heap overflow can occur. Upper bound of this loop is calcualted in the following basic block: ``` .text:B74E8AEF loc_B74E8AEF: .text:B74E8AEF mov ecx, [esp+8Ch+arg_4] .text:B74E8AF6 movzx eax, word ptr [ecx+60h] [1] .text:B74E8AFA imul eax, [ecx+30h] [2] .text:B74E8AFE movzx edx, word ptr [ecx+0D8h] [3] .text:B74E8B05 imul eax, edx [4] .text:B74E8B08 add eax, 7 [5] .text:B74E8B0B shr eax, 3 [6] .text:B74E8B0E mov [ecx+3CCh], eax [7] .text:B74E8B14 cmp word ptr [ecx+0F8h], 0 .text:B74E8B1C jnz loc_B74 ``` At [1], the initial value is comes from BitsPerSample value from the file and is multiplied by a value coming from ImageWidth at [2]. At [3], a SamplesPerPixel value is retrieved and is multiplied with previous result at [4]. After 7 is added at [5], the final value is divided by 8 at [6]. The final value is written into heap structure pointed to by `ecx` at offset 0x3CC at [7]. In short, the upper bound for the loop in which the overflow happens is: ``` max = (( BitsPerSample * ImageWidth * SamplesPerPixel ) + 7) >> 3 ``` In the supplied testcase, the upper bound for the loop is 0x80, and since increment in each iteration is 2 this leads to a buffer overflow of 0x40 bytes where only 0x28 were allocated, leading to an application crash. In summary, both the size of the allocation and size of the overwrite are under direct control. The supplied testcase `PoC.tiff` demonstrates a more controled buffer overwrite where adjecent heap chunks are overwriten with ASCII A's resulting in the following crash: ``` Breakpoint 4, 0xb74ec5ba in VwStreamRead () from /home/ea/oit_office/sdk/demo/libvs_tif6.so edx 0x80d8920 135104800 ecx 0x0 0 esi 0x0 0 al 0x4b 75 Quit (gdb) disable (gdb) c Continuing. Export successful: 1 output file(s) created. *** Error in `/home/ea/oit_office/sdk/demo/ixsample': double free or corruption (out): 0x080d8948 *** ======= Backtrace: ========= /usr/lib/libc.so.6(+0x6ce09)[0xb7e20e09] /usr/lib/libc.so.6(+0x74406)[0xb7e28406] /usr/lib/libc.so.6(cfree+0x56)[0xb7e2c676] /home/ea/oit_office/sdk/demo/libwv_core.so(SYSNativeFree+0x1f)[0xb7a507e7] ... Program received signal SIGABRT, Aborted. 0xb7fdbbc0 in __kernel_vsyscall () (gdb) x/x 0x80d8920 0x80d8920: 0xaaaa41aa (gdb) x/x 0x80d8920-4 0x80d891c: 0x00000029 <- size of the overflown buffer (gdb) x/x 0x080d8948 0x80d8948: 0x41414141 (gdb) x/x 0x080d8948-4 0x80d8944: 0x41414141 <- size corrupted (gdb) ``` Breakpoint 4 is placed in the loop where the overwrite happens and here shows the initial values. The pointer to the allocated memory is `0x80d8920`. After the crash, by examining the memory around it, we can see that the adjecent heap chunk has been overwriten. The essential difference between the original TIFF file and the supplied minimal testcase is that the minimal testcase contains the ExtraSamples tag, which influences the calculations, as well as the different values for both BitsPerSample and SamplesPerPixel values. This issue can be triggered by running the supplied testcase in the `ixsample` application supplied with the SDK. ### Timeline * 2016-04-12 - Vendor Notification * 2016-07-19 – Public Disclosure
idSSV:96706
last seen2017-11-19
modified2017-10-16
published2017-10-16
reporterRoot
titleOracle OIT IX SDK TIFF ExtraSamples Code Execution Vulnerabiity(CVE-2016-3581)

Talos

idTALOS-2016-0103
last seen2019-05-29
published2016-07-19
reporterTalos Intelligence
sourcehttp://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0103
titleOracle OIT IX SDK TIFF ExtraSamples Code Execution Vulnerabiity

References