CVE-2016-3583 - Remote security vulnerability in Oracle Outside In Technology 8.5.0/8.5.1/8.5.2

CVSS 9.0 - CRITICAL (CVSS v2 vector AV:N/AC:L/Au:N/C:C/I:P/A:P)
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: PARTIAL
Availability impact: PARTIAL

Summary

Unspecified vulnerability in the Outside In Technology component in Oracle Fusion Middleware 8.5.0, 8.5.1, and 8.5.2 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Outside In Filters, a different vulnerability than CVE-2016-3574, CVE-2016-3575, CVE-2016-3576, CVE-2016-3577, CVE-2016-3578, CVE-2016-3579, CVE-2016-3580, CVE-2016-3581, CVE-2016-3582, CVE-2016-3590, CVE-2016-3591, CVE-2016-3592, CVE-2016-3593, CVE-2016-3594, CVE-2016-3595, and CVE-2016-3596. Oracle's advisory leaves the flaw unspecified; the Talos report referenced below (TALOS-2016-0105) identifies it as an integer overflow in the GIF filter's handling of ImageWidth, and Microsoft shipped the fixed Outside In libraries for Exchange Server in MS16-108.

Nessus

NASL family: Windows : Microsoft Bulletins
NASL id: SMB_NT_MS16-108.NASL
description: The remote Microsoft Exchange Server is missing a security update. It is, therefore, affected by multiple vulnerabilities : - Multiple remote code execution vulnerabilities exist in the Oracle Outside In libraries. An unauthenticated, remote attacker can exploit these, via a specially crafted email, to execute arbitrary code. (CVE-2015-6014, CVE-2016-3575, CVE-2016-3581, CVE-2016-3582, CVE-2016-3583, CVE-2016-3591, CVE-2016-3592, CVE-2016-3593, CVE-2016-3594, CVE-2016-3595, CVE-2016-3596) - An unspecified information disclosure vulnerability exists in the Oracle Outside In libraries that allows an attacker to disclose sensitive information. (CVE-2016-3574) - Multiple denial of service vulnerabilities exist in the Oracle Outside In libraries. (CVE-2016-3576, CVE-2016-3577, CVE-2016-3578, CVE-2016-3579, CVE-2016-3580, CVE-2016-3590) - An information disclosure vulnerability exists due to improper parsing of certain unstructured file formats. An unauthenticated, remote attacker can exploit this, via a crafted email using 'send as' rights, to disclose confidential user information. (CVE-2016-0138) - An open redirect vulnerability exists due to improper handling of open redirect requests. An unauthenticated, remote attacker can exploit this, by convincing a user to click a specially crafted URL, to redirect the user to a malicious website that spoofs a legitimate one. (CVE-2016-3378) - An elevation of privilege vulnerability exists due to improper handling of meeting invitation requests. An unauthenticated, remote attacker can exploit this, via a specially crafted Outlook meeting invitation request, to gain elevated privileges. (CVE-2016-3379)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 93467
published: 2016-09-13
reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/93467
title: MS16-108: Security Update for Microsoft Exchange Server (3185883)
code:
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(93467);
  script_version("1.11");
  script_cvs_date("Date: 2019/11/19");

  script_cve_id(
    "CVE-2015-6014",
    "CVE-2016-0138",
    "CVE-2016-3378",
    "CVE-2016-3379",
    "CVE-2016-3574",
    "CVE-2016-3575",
    "CVE-2016-3576",
    "CVE-2016-3577",
    "CVE-2016-3578",
    "CVE-2016-3579",
    "CVE-2016-3580",
    "CVE-2016-3581",
    "CVE-2016-3582",
    "CVE-2016-3583",
    "CVE-2016-3590",
    "CVE-2016-3591",
    "CVE-2016-3592",
    "CVE-2016-3593",
    "CVE-2016-3594",
    "CVE-2016-3595",
    "CVE-2016-3596"
  );
  script_bugtraq_id(
    81233,
    91908,
    91914,
    91921,
    91923,
    91924,
    91925,
    91927,
    91929,
    91931,
    91933,
    91934,
    91935,
    91936,
    91937,
    91939,
    91940,
    91942,
    92806,
    92833,
    92836
  );
  script_xref(name:"MSFT", value:"MS16-108");
  script_xref(name:"MSKB", value:"3184711");
  script_xref(name:"MSKB", value:"3184728");
  script_xref(name:"MSKB", value:"3184736");

  script_name(english:"MS16-108: Security Update for Microsoft Exchange Server (3185883)");
  script_summary(english:"Checks the version of ExSetup.exe.");

  script_set_attribute(attribute:"synopsis", value:
"The remote Microsoft Exchange Server is affected by multiple
vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote Microsoft Exchange Server is missing a security update. It
is, therefore, affected by multiple vulnerabilities :

  - Multiple remote code execution vulnerabilities exist in
    the Oracle Outside In libraries. An unauthenticated,
    remote attacker can exploit these, via a specially
    crafted email, to execute arbitrary code.
    (CVE-2015-6014, CVE-2016-3575, CVE-2016-3581,
    CVE-2016-3582, CVE-2016-3583, CVE-2016-3591,
    CVE-2016-3592, CVE-2016-3593, CVE-2016-3594,
    CVE-2016-3595, CVE-2016-3596)

  - An unspecified information disclosure vulnerability
    exists in the Oracle Outside In libraries that allows an
    attacker to disclose sensitive information.
    (CVE-2016-3574)

  - Multiple denial of service vulnerabilities exist in the
    Oracle Outside In libraries. (CVE-2016-3576,
    CVE-2016-3577, CVE-2016-3578, CVE-2016-3579,
    CVE-2016-3580, CVE-2016-3590)

  - An information disclosure vulnerability exists due to
    improper parsing of certain unstructured file formats.
    An unauthenticated, remote attacker can exploit this,
    via a crafted email using 'send as' rights, to disclose
    confidential user information. (CVE-2016-0138)

  - An open redirect vulnerability exists due to improper
    handling of open redirect requests. An unauthenticated,
    remote attacker can exploit this, by convincing a user
    to click a specially crafted URL, to redirect the user
    to a malicious website that spoofs a legitimate one.
    (CVE-2016-3378)

  - An elevation of privilege vulnerability exists due to
    improper handling of meeting invitation requests. An
    unauthenticated, remote attacker can exploit this, via a
    specially crafted Outlook meeting invitation request,
    to gain elevated privileges. (CVE-2016-3379)");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2016/ms16-108");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Exchange Server 2007,
2010, 2013, and 2016.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-6014");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/07/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/09/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/09/13");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:exchange_server");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ms_bulletin_checks_possible.nasl", "microsoft_exchange_installed.nbin");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");
include("install_func.inc");

get_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');

bulletin = 'MS16-108';
kbs = make_list("3184711", "3184728", "3184736");

if (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

install = get_single_install(app_name:"Microsoft Exchange");

path = install["path"];
version = install["version"];
release = install["RELEASE"];
if (release != 80 && release != 140 && release != 150 && release != 151)
  audit(AUDIT_INST_VER_NOT_VULN, 'Exchange', version);

if (!empty_or_null(install["SP"]))
  sp = install["SP"];
if (!empty_or_null(install["CU"]))
  cu = install["CU"];

if (((release == 150 || release == 151) && isnull(cu)) ||
   (release == 150 && cu != 4 && cu != 12 && cu != 13) ||
   (release == 151 && cu != 1 && cu != 2))
  audit(AUDIT_INST_VER_NOT_VULN, 'Exchange', version);

if (release == 80)
{
  kb = "3184711";
  if (!empty_or_null(sp) && sp == 3)
    fixedver = "8.3.485.1";
}
else if (release == 140)
{
  kb = "3184728";
  if (!empty_or_null(sp) && sp == 3)
    fixedver = "14.3.319.2";
}
else if (release == 150) # 2013 SP1 AKA CU4
{
  kb = "3184736";
  if (cu == 4)
    fixedver = "15.0.847.50";
  else if (cu == 12)
    fixedver = "15.0.1178.9";
  else if (cu == 13)
    fixedver = "15.0.1210.6";
}
else if (release == 151) # Exchange Server 2016
{
  kb = "3184736";
  if (cu == 1)
    fixedver = "15.1.396.37";
  else if (cu == 2)
    fixedver = "15.1.466.37";
}

if (fixedver && hotfix_is_vulnerable(path:hotfix_append_path(path:path, value:"Bin"), file:"ExSetup.exe", version:fixedver, bulletin:bulletin, kb:kb))
{
  set_kb_item(name:'SMB/Missing/' + bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

Seebug

bulletinFamily: exploit
description:

### Description

While parsing a specially crafted GIF file, an integer overflow vulnerability results in an out-of-bounds heap memory overwrite, potentially leading to arbitrary code execution.

### Tested Versions

Oracle Outside In IX SDK 8.5.1

### Product URLs

http://www.oracle.com/technetwork/middleware/content-management/oit-all-085236.html

### Details

While parsing a GIF file whose ImageWidth in the IMAGEDESCRIPTOR is set to 0xFFFF, a loop-termination check performed on a truncated (16-bit) integer overflows, leading to an unbounded memory write in two branches of the same function.

The first integer overflow occurs while parsing the supplied testcase, when the following basic block in `libvs_gif.so` is reached (image base 0xB7F81000):

```
.text:B7F82832 loc_B7F82832:
.text:B7F82832     movzx   eax, byte ptr [edx]            ; [1]
.text:B7F82835     shl     al, 4
.text:B7F82838     or      al, [edx+1]
.text:B7F8283B     mov     [edi], al                      ; [6]
.text:B7F8283D     add     edi, 1
.text:B7F82840     add     edx, 2                         ; [2]
.text:B7F82843     mov     eax, edx                       ; [3]
.text:B7F82845     sub     ax, word ptr [esp+10h+var_10]  ; [4]
.text:B7F82849     cmp     ax, [ebp+60h]                  ; [5]
.text:B7F8284D     jb      short loc_B7F8
```

In the above code, at [1], `edx` points to a buffer on the heap. At [2], each time the code loops, `edx` is incremented by 2. At [3] the pointer in `edx` is copied to `eax` for the comparison that follows. At [4], `var_10` holds a saved pointer to the start of the heap buffer (the original value of `edx` when the basic block was first entered); its lower two bytes are subtracted from `ax` (which now holds the lower two bytes of the current buffer pointer), effectively calculating a 16-bit offset into the buffer. At [5] this offset is compared to the value at `ebp+0x60`, which is the ImageWidth from the file. With ImageWidth set to 0xFFFF the comparison is performed in 16-bit arithmetic, and because `edx` advances by 2 per iteration the offset only ever takes even values: it can never equal 0xFFFF, and after reaching 0xFFFE it wraps back to 0. The `jb` at the end of the block is therefore always taken.

Thus the integer overflow resulting from the subtraction at [4] turns this into an infinite loop. In the supplied testcase (integer_overflow.gif), the overwrite eventually hits either an unmapped region of memory or a read-only page, resulting in a crash. The only change to the original file is ImageWidth (at offset 0x32), which is set to 0xFFFF. Garbage appended to the end of the file is there to align the heap so that the application crashes with a write access violation (WriteAV) at [6]; otherwise it crashes with a read access violation (ReadAV) at [1].

A similar integer overflow can be triggered if the LocalColorTableFlag is set in the IMAGEDESCRIPTOR PackedFields (at offset 0x36 in integer_overflow2.gif). In this case, the other branch of the function at 0xB7F8280C is taken and the code ends up in the following basic block:

```
.text:B7F8285F loc_B7F8285F:
.text:B7F8285F     movzx   ecx, byte ptr [esi]
.text:B7F82862     shl     cl, 7
.text:B7F82865     movzx   eax, byte ptr [esi+1]
.text:B7F82869     shl     al, 6
.text:B7F8286C     or      cl, al
.text:B7F8286E     movzx   eax, byte ptr [esi+4]
.text:B7F82872     shl     al, 3
.text:B7F82875     or      cl, al
.text:B7F82877     movzx   eax, byte ptr [esi+6]
.text:B7F8287B     add     al, al
.text:B7F8287D     or      cl, al
.text:B7F8287F     movzx   edx, byte ptr [esi+2]
.text:B7F82883     shl     dl, 5
.text:B7F82886     movzx   eax, byte ptr [esi+3]
.text:B7F8288A     shl     al, 4
.text:B7F8288D     or      dl, al
.text:B7F8288F     movzx   eax, byte ptr [esi+5]
.text:B7F82893     add     al, al
.text:B7F82895     add     al, al
.text:B7F82897     or      dl, al
.text:B7F82899     or      dl, [esi+7]
.text:B7F8289C     or      cl, dl
.text:B7F8289E     mov     [edi], cl
.text:B7F828A0     add     edi, 1
.text:B7F828A3     add     esi, 8
.text:B7F828A6     mov     eax, esi
.text:B7F828A8     sub     ax, word ptr [esp+10h+var_10]
.text:B7F828AC     cmp     [ebp+60h], ax                  ; [1]
.text:B7F828B0     ja      short loc_B7F8
```

At [1], the same comparison is made as in the previously described integer overflow; here the source pointer `esi` advances by 8 per iteration, so the 16-bit offset is always a multiple of 8 and again never reaches 0xFFFF, which keeps the `ja` permanently taken. The supplied testcase (integer_overflow2.gif) has a few more bytes changed to accommodate the added LocalColorTableFlag.

Both issues can be triggered with the supplied testcases in the `ixsample` application shipped with the SDK.

### Timeline

* 2016-04-12 - Vendor Notification
* 2016-07-19 - Public Disclosure
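As an added example, not code from Talos, Oracle or Tenable, the following C models the loop-termination test from the two disassembled blocks above and the check a bounded version needs. It reads ImageWidth and LocalColorTableFlag from a constructed GIF image descriptor (the bytes below are a constructed sample, not Talos's integer_overflow2.gif), then simulates the 16-bit offset comparison without touching memory: the starting heap address, the row-buffer size and the step-2/step-8 source strides are assumptions taken from the disassembly, and the pixel-unpacking instructions are deliberately not reproduced.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Image descriptor fields relevant to the advisory. */
struct gif_image_desc {
    uint16_t left, top, width, height;
    bool local_color_table;   /* LocalColorTableFlag: bit 7 of PackedFields */
};

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Minimal reader: header (6) + logical screen descriptor (7), optional global
 * colour table, then the 0x2C image descriptor. Returns 0 on success, -1 on a
 * missing or truncated descriptor. Extension blocks before 0x2C are not handled. */
int gif_read_image_desc(const uint8_t *buf, size_t len, struct gif_image_desc *d)
{
    if (len < 13 || memcmp(buf, "GIF8", 4) != 0) return -1;
    size_t pos = 13;
    if (buf[10] & 0x80) pos += (size_t)3u << ((buf[10] & 7) + 1);  /* skip GCT */
    if (pos + 10 > len || buf[pos] != 0x2C) return -1;
    d->left = rd16le(buf + pos + 1);  d->top = rd16le(buf + pos + 3);
    d->width = rd16le(buf + pos + 5); d->height = rd16le(buf + pos + 7);
    d->local_color_table = (buf[pos + 9] & 0x80) != 0;
    return 0;
}

/* Vulnerable loop control as in libvs_gif.so: after each byte is written the
 * source pointer advances by 'step' (2 in the first block, 8 in the local
 * colour table block), the offset from the buffer start is truncated to 16 bits
 * (sub ax, start) and compared unsigned against ImageWidth (cmp / jb).
 * Returns the number of bytes the loop would write, or -1 if it has not stopped
 * after 'limit' iterations, i.e. the write is unbounded. Pointers are only
 * simulated; nothing is dereferenced. */
long vuln_loop_writes(uint16_t image_width, unsigned step, long limit)
{
    uintptr_t start = 0x08000000u;   /* assumed heap address; only the difference matters */
    uintptr_t src = start;
    long written = 0;
    do {
        written++;                   /* mov [edi], al ; add edi, 1 */
        src += step;                 /* add edx, 2  /  add esi, 8 */
        if (written > limit) return -1;
    } while ((uint16_t)(src - start) < image_width);   /* 16-bit compare, jb */
    return written;
}

/* Bounded version: full-width offset arithmetic plus explicit limits on both the
 * remaining source bytes and the destination row buffer ('dst_cap'). */
long fixed_loop_writes(uint16_t image_width, unsigned step, size_t src_len, size_t dst_cap)
{
    size_t src_off = 0, written = 0;
    while (src_off < image_width && src_off + step <= src_len && written < dst_cap) {
        written++;
        src_off += step;
    }
    return (long)written;
}

/* Constructed sample: 1x1 logical screen, no global colour table, image
 * descriptor with ImageWidth = 0xFFFF and LocalColorTableFlag set. */
static const uint8_t SAMPLE_GIF[] = {
    'G','I','F','8','9','a', 0x01,0x00, 0x01,0x00, 0x00, 0x00, 0x00,
    0x2C, 0x00,0x00, 0x00,0x00, 0xFF,0xFF, 0x01,0x00, 0x80
};

unsigned sample_image_width(void)
{
    struct gif_image_desc d;
    return gif_read_image_desc(SAMPLE_GIF, sizeof SAMPLE_GIF, &d) == 0 ? d.width : 0;
}

int sample_has_local_color_table(void)
{
    struct gif_image_desc d;
    return gif_read_image_desc(SAMPLE_GIF, sizeof SAMPLE_GIF, &d) == 0 && d.local_color_table;
}

int main(void)
{
    struct gif_image_desc d;
    if (gif_read_image_desc(SAMPLE_GIF, sizeof SAMPLE_GIF, &d) != 0) return 1;
    unsigned step = d.local_color_table ? 8 : 2;
    printf("ImageWidth=0x%04X LocalColorTable=%d step=%u\n", d.width, (int)d.local_color_table, step);
    printf("vulnerable loop: %ld bytes (-1 = unbounded)\n", vuln_loop_writes(d.width, step, 1000000));
    printf("bounded loop:    %ld bytes\n", fixed_loop_writes(d.width, step, 0x20000, 4096));
    return 0;
}
```

With ImageWidth 0xFFFF the simulated vulnerable loop never terminates for either stride, while any even width below 0xFFFF (0xFFFE, for instance) still stops after width/step iterations, which is why the advisory's single two-byte change is enough to flip the filter from a finite copy to an unbounded heap write; the bounded variant stops at whichever of ImageWidth, source length or destination capacity is reached first.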
id: SSV:96704
last seen: 2017-11-19
modified: 2017-10-16
published: 2017-10-16
reporter: Root
title: Oracle OIT IX SDK GIF ImageWidth Code Execution Vulnerability (CVE-2016-3583)

Talos

id: TALOS-2016-0105
last seen: 2019-05-29
published: 2016-07-19
reporter: Talos Intelligence
source: http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0105
title: Oracle OIT IX SDK GIF ImageWidth Code Execution Vulnerability