8.5.2

CVSS 9.0 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

oracle

critical

nessus

NVD

Published: 2016-07-21

Updated: 2017-09-01

Summary

Unspecified vulnerability in the Outside In Technology component in Oracle Fusion Middleware 8.5.0, 8.5.1, and 8.5.2 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Outside In Filters, a different vulnerability than CVE-2016-3574, CVE-2016-3575, CVE-2016-3576, CVE-2016-3577, CVE-2016-3578, CVE-2016-3579, CVE-2016-3580, CVE-2016-3581, CVE-2016-3582, CVE-2016-3583, CVE-2016-3590, CVE-2016-3592, CVE-2016-3593, CVE-2016-3594, CVE-2016-3595, and CVE-2016-3596.

Vulnerable Configurations

Part	Description	Count
Application	Oracle Oracle Outside IN Technology 8.5.0 Oracle Outside IN Technology 8.5.1 Oracle Outside IN Technology 8.5.2	3

Nessus

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS16-108.NASL
description	The remote Microsoft Exchange Server is missing a security update. It is, therefore, affected by multiple vulnerabilities : - Multiple remote code execution vulnerabilities exist in the Oracle Outside In libraries. An unauthenticated, remote attacker can exploit these, via a specially crafted email, to execute arbitrary code. (CVE-2015-6014, CVE-2016-3575, CVE-2016-3581, CVE-2016-3582, CVE-2016-3583, CVE-2016-3591, CVE-2016-3592, CVE-2016-3593, CVE-2016-3594, CVE-2016-3595, CVE-2016-3596) - An unspecified information disclosure vulnerability exists in the Oracle Outside In libraries that allows an attacker to disclose sensitive information. (CVE-2016-3574) - Multiple denial of service vulnerabilities exists in the Oracle Outside In libraries. (CVE-2016-3576, CVE-2016-3577, CVE-2016-3578, CVE-2016-3579, CVE-2016-3580, CVE-2016-3590) - An information disclosure vulnerability exists due to improper parsing of certain unstructured file formats. An unauthenticated, remote attacker can exploit this, via a crafted email using
last seen	2020-06-01
modified	2020-06-02
plugin id	93467
published	2016-09-13
reporter	This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/93467
title	MS16-108: Security Update for Microsoft Exchange Server (3185883)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(93467); script_version("1.11"); script_cvs_date("Date: 2019/11/19"); script_cve_id( "CVE-2015-6014", "CVE-2016-0138", "CVE-2016-3378", "CVE-2016-3379", "CVE-2016-3574", "CVE-2016-3575", "CVE-2016-3576", "CVE-2016-3577", "CVE-2016-3578", "CVE-2016-3579", "CVE-2016-3580", "CVE-2016-3581", "CVE-2016-3582", "CVE-2016-3583", "CVE-2016-3590", "CVE-2016-3591", "CVE-2016-3592", "CVE-2016-3593", "CVE-2016-3594", "CVE-2016-3595", "CVE-2016-3596" ); script_bugtraq_id( 81233, 91908, 91914, 91921, 91923, 91924, 91925, 91927, 91929, 91931, 91933, 91934, 91935, 91936, 91937, 91939, 91940, 91942, 92806, 92833, 92836 ); script_xref(name:"MSFT", value:"MS16-108"); script_xref(name:"MSKB", value:"3184711"); script_xref(name:"MSKB", value:"3184728"); script_xref(name:"MSKB", value:"3184736"); script_name(english:"MS16-108: Security Update for Microsoft Exchange Server (3185883)"); script_summary(english:"Checks the version of ExSetup.exe."); script_set_attribute(attribute:"synopsis", value: "The remote Microsoft Exchange Server is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The remote Microsoft Exchange Server is missing a security update. It is, therefore, affected by multiple vulnerabilities : - Multiple remote code execution vulnerabilities exist in the Oracle Outside In libraries. An unauthenticated, remote attacker can exploit these, via a specially crafted email, to execute arbitrary code. (CVE-2015-6014, CVE-2016-3575, CVE-2016-3581, CVE-2016-3582, CVE-2016-3583, CVE-2016-3591, CVE-2016-3592, CVE-2016-3593, CVE-2016-3594, CVE-2016-3595, CVE-2016-3596) - An unspecified information disclosure vulnerability exists in the Oracle Outside In libraries that allows an attacker to disclose sensitive information. (CVE-2016-3574) - Multiple denial of service vulnerabilities exists in the Oracle Outside In libraries. (CVE-2016-3576, CVE-2016-3577, CVE-2016-3578, CVE-2016-3579, CVE-2016-3580, CVE-2016-3590) - An information disclosure vulnerability exists due to improper parsing of certain unstructured file formats. An unauthenticated, remote attacker can exploit this, via a crafted email using 'send as' rights, to disclose confidential user information. (CVE-2016-0138) - An open redirect vulnerability exists due to improper handling of open redirect requests. An unauthenticated, remote attacker can exploit this, by convincing a user to click a specially crafted URL, to redirect the user to a malicious website that spoofs a legitimate one. (CVE-2016-3378) - An elevation of privilege vulnerability exists due to improper handling of meeting invitation requests. An unauthenticated, remote attacker can exploit this, via a specially crafted Outlook meeting invitation request, to gain elevated privileges. (CVE-2016-3379)"); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2016/ms16-108"); script_set_attribute(attribute:"solution", value: "Microsoft has released a set of patches for Exchange Server 2007, 2010, 2013, and 2016."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-6014"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/07/19"); script_set_attribute(attribute:"patch_publication_date", value:"2016/09/13"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/09/13"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:exchange_server"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows : Microsoft Bulletins"); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ms_bulletin_checks_possible.nasl", "microsoft_exchange_installed.nbin"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, "Host/patch_management_checks"); exit(0); } include("audit.inc"); include("smb_func.inc"); include("smb_hotfixes.inc"); include("smb_hotfixes_fcheck.inc"); include("misc_func.inc"); include("install_func.inc"); get_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible'); bulletin = 'MS16-108'; kbs = make_list("3184711", "3184728", "3184736"); if (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); install = get_single_install(app_name:"Microsoft Exchange"); path = install["path"]; version = install["version"]; release = install["RELEASE"]; if (release != 80 && release != 140 && release != 150 && release != 151) audit(AUDIT_INST_VER_NOT_VULN, 'Exchange', version); if (!empty_or_null(install["SP"])) sp = install["SP"]; if (!empty_or_null(install["CU"])) cu = install["CU"]; if (((release == 150 \|\| release == 151) && isnull(cu)) \|\| (release == 150 && cu != 4 && cu != 12 && cu != 13) \|\| (release == 151 && cu != 1 && cu != 2)) audit(AUDIT_INST_VER_NOT_VULN, 'Exchange', version); if (release == 80) { kb = "3184711"; if (!empty_or_null(sp) && sp == 3) fixedver = "8.3.485.1"; } else if (release == 140) { kb = "3184728"; if (!empty_or_null(sp) && sp == 3) fixedver = "14.3.319.2"; } else if (release == 150) # 2013 SP1 AKA CU4 { kb = "3184736"; if (cu == 4) fixedver = "15.0.847.50"; else if (cu == 12) fixedver = "15.0.1178.9"; else if (cu == 13) fixedver = "15.0.1210.6"; } else if (release == 151) # Exchange Server 2016 { kb = "3184736"; if (cu == 1) fixedver = "15.1.396.37"; else if (cu == 2) fixedver = "15.1.466.37"; } if (fixedver && hotfix_is_vulnerable(path:hotfix_append_path(path:path, value:"Bin"), file:"ExSetup.exe", version:fixedver, bulletin:bulletin, kb:kb)) { set_kb_item(name:'SMB/Missing/' + bulletin, value:TRUE); hotfix_security_hole(); hotfix_check_fversion_end(); exit(0); } else { hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, 'affected'); }

Seebug

bulletinFamily	exploit
description	### Description Partially controlled memory write vulnerability exists in Mac Works Database file format parsing code of Oracle Outside In Technology Content Access SDK. An unchecked pointer arithmetic causes an out of bounds memory write which can lead to denial of service or possibly code execution. ### Tested Versions Oracle Outside In Technology Content Access SDK 8.5.1. ### Product URLs http://www.oracle.com/technetwork/middleware/content-management/oit-all-085236.html ### Details When parsing a Mac Works Database document memory is being written in a loop using a counter in destination address calculations. No size checks are performed after the arithmetic operations resulting in a partially controlled 2 byte overwrite. Although the file is identified by as a MWKD document, leading to it being parsed by libvs_mwkd library, the vulnerability can be triggered by the example `parsepst` application supplied with the SDK. Technical information below: Vulnerability is present in `VwStreamReadRecord` function in libvs_mwkd.so library (with image base at 0xB7F89000), specifically starting in the following basic block: ``` .text:B7F8ACF6 movzx eax, [esp+3Ch+var_12] .text:B7F8ACFB mov edx, [edi+31Ch] .text:B7F8AD01 mov ecx, ebp .text:B7F8AD03 mov [edx+eax], cl .text:B7F8AD06 movzx eax, word ptr [esp+3Ch+var_10] [1] .text:B7F8AD0B movzx esi, [esp+3Ch+var_12] [2] .text:B7F8AD10 mov [edi+eax2+298h], si [3] .text:B7F8AD18 add word ptr [esp+3Ch+var_10], 1 .text:B7F8AD1E add esi, 1 .text:B7F8AD21 mov [esp+3Ch+var_12], si .text:B7F8AD26 cmp bp, 0F9h .text:B7F8AD2B ja loc_B7F8AE1A .text:B7F8AD31 test bp, bp .text:B7F8AD34 jz loc_B7F8ADEB .text:B7F8AD3A mov [esp+3Ch+var_1A], 0 .text:B7F8AD41 jmp short loc_B7F8AD71 ``` At [1] and [2] pre-calculated values of `eax` and `esi` are read from the stack and zero extended. At [3] `eax` is being used in destination address calculation and the value of `si` is being written there. Initial values of `eax` and `esi` are related, `eax` serving as a counter. No bounds checking is in place resulting in a possible 2 byte out of bounds overwrite. In the supplied testcase, last seven bytes can be used to influence the written value. The supplied testcase crashes the `parsepst` program upon a `free()` on an invalid pointer. The overwritten pointer is allocated in the `VStreamOpen` function and it's least significant byte is later overwritten as a result of out of bounds memory write. A specially crafted file could be used to shift the to-be-freed pointer to an attacker controlled area which can then be used to subvert the `free()` and achieve code execution. ### Timeline 2016-04-12 - Discovered * 2016-04-29 - Initial Vendor Communication * 2016-07-19 - Public Release
id	SSV:96697
last seen	2017-11-19
modified	2017-10-16
published	2017-10-16
reporter	Root
title	Oracle OIT ContentAccess libvs_mwkd VwStreamReadRecord Memory Corruption Vulnerability(CVE-2016-3591)

Talos

id	TALOS-2016-0157
last seen	2019-05-29
published	2016-07-19
reporter	Talos Intelligence
source	http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0157
title	Oracle OIT ContentAccess libvs_mwkd VwStreamReadRecord Memory Corruption Vulnerability

Summary

Vulnerable Configurations

Nessus

Seebug

Talos

References