CVE-2016-3592 - Unspecified vulnerability in Oracle Outside in Technology 8.5.0/8.5.1/8.5.2
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | HIGH |
Integrity impact | LOW |
Availability impact | LOW |
Summary
Unspecified vulnerability in the Outside In Technology component in Oracle Fusion Middleware 8.5.0, 8.5.1, and 8.5.2 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Outside In Filters, a different vulnerability than CVE-2016-3574, CVE-2016-3575, CVE-2016-3576, CVE-2016-3577, CVE-2016-3578, CVE-2016-3579, CVE-2016-3580, CVE-2016-3581, CVE-2016-3582, CVE-2016-3583, CVE-2016-3590, CVE-2016-3591, CVE-2016-3593, CVE-2016-3594, CVE-2016-3595, and CVE-2016-3596.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 3 |
Nessus
NASL family | Windows : Microsoft Bulletins |
NASL id | SMB_NT_MS16-108.NASL |
description | The remote Microsoft Exchange Server is missing a security update. It is, therefore, affected by multiple vulnerabilities : - Multiple remote code execution vulnerabilities exist in the Oracle Outside In libraries. An unauthenticated, remote attacker can exploit these, via a specially crafted email, to execute arbitrary code. (CVE-2015-6014, CVE-2016-3575, CVE-2016-3581, CVE-2016-3582, CVE-2016-3583, CVE-2016-3591, CVE-2016-3592, CVE-2016-3593, CVE-2016-3594, CVE-2016-3595, CVE-2016-3596) - An unspecified information disclosure vulnerability exists in the Oracle Outside In libraries that allows an attacker to disclose sensitive information. (CVE-2016-3574) - Multiple denial of service vulnerabilities exists in the Oracle Outside In libraries. (CVE-2016-3576, CVE-2016-3577, CVE-2016-3578, CVE-2016-3579, CVE-2016-3580, CVE-2016-3590) - An information disclosure vulnerability exists due to improper parsing of certain unstructured file formats. An unauthenticated, remote attacker can exploit this, via a crafted email using |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 93467 |
published | 2016-09-13 |
reporter | This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/93467 |
title | MS16-108: Security Update for Microsoft Exchange Server (3185883) |
Seebug
bulletinFamily | exploit |
description |

### Description

Partially controlled memory write vulnerability exists in Mac Word file format parsing code of Oracle Outside In Technology Content Access SDK. An unchecked pointer arithmetic leads to an out of bounds memory overwrite resulting in code execution.

### Tested Versions

Oracle Outside In Technology Content Access SDK 8.5.1.

### Product URLs

http://www.oracle.com/technetwork/middleware/content-management/oit-all-085236.html

### Details

When parsing a Mac Word document a single-byte value from a file is used as a starting value for a counter which is used in arithmetic operations for memory access. No size checks are performed after the arithmetic operations resulting in an out of bounds 4 byte memory write.

Although the file is identified by OIT CA SDK as FIMACWORD5, leading to it being parsed by libvs_word library, the vulnerability can be triggered by the example `parsepst` application supplied with the SDK.

Technical information below:

Vulnerability is present in function at address 0xB74A83AC in libvs_word.so library (with image base at 0xB74A2000), specifically starting in the following basic block:

```
.text:B74A937C loc_B74A937C:                   ; CODE XREF: sub_B74A83AC+FC1j
.text:B74A937C     movzx   edx, di                              [1]
.text:B74A937F     movzx   eax, si
.text:B74A9382     movzx   ecx, word ptr [ebp+eax*2+0A30h]
.text:B74A938A     mov     [ebp+edx*2+0A30h], cx
.text:B74A9392     shl     edx, 4                               [2]
.text:B74A9395     add     edx, ebp                             [3]
.text:B74A9397     add     edx, 800h                            [4]
.text:B74A939D     shl     eax, 4
.text:B74A93A0     add     eax, ebp
.text:B74A93A2     add     eax, 800h
.text:B74A93A7     mov     ecx, [eax+0Eh]
.text:B74A93AA     mov     [edx+0Eh], ecx                       [5]
.text:B74A93AD     mov     ecx, [eax+12h]
.text:B74A93B0     mov     [edx+12h], ecx                       [6]
.text:B74A93B3     mov     ecx, [eax+16h]
.text:B74A93B6     mov     [edx+16h], ecx                       [7]
.text:B74A93B9     mov     eax, [eax+1Ah]
.text:B74A93BC     mov     [edx+1Ah], eax                       [8]
.text:B74A93BF     add     edi, 1
.text:B74A93C2     add     esi, 1
.text:B74A93C5     sub     word ptr [esp+12Ch+var_9C+2], 1
.text:B74A93CE     jnz     short loc_B74A936F
```

Initial value of `di` register comes from a byte at offset 0x29d in the supplied testcase and is used as a starting value for a counter. Value is zero extended into edx at [1] and is then used in arithmetic operations at [2], [3] and [4]. Final value is used as a pointer to a structure and values of `ecx` and `eax` registers get written to appropriate structure fields at [5], [6], [7] and [8]. Upper limit for the counter value is 0x100. No bounds checking is being made after pointer arithmetic resulting in a possible out of bounds memory overwrite.

While parsing the first supplied testcase, out of bounds write results in a pointer previously initialized to NULL to become non-NULL leading to an invalid free() during the cleanup after the file has been parsed. In the case of the second supplied testcase, the same vulnerability results in a function pointer overwrite leading to an even simpler exploitable condition.

### Timeline

* 2015-10-19 - Discovery
* 2016-04-20 - Initial Vendor Notification
* 2016-07-19 - Public Disclosure
id | SSV:96707 |
last seen | 2017-11-19 |
modified | 2017-10-16 |
published | 2017-10-16 |
reporter | Root |
title | Oracle OIT ContentAccess libvs_word+63AC Code Execution Vulnerability(CVE-2016-3592) |
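The index arithmetic in the Seebug details above, modelled in C next to a bounds-checked form. This is an added example, not code from Oracle, Talos or this page: the offsets 800h and 0Eh, the 16-byte stride and the 0x100 counter limit come from the listing and its description, while `STATE_SIZE`, `TABLE_ENTRIES`, `CLEANUP_OFF` and all function names are assumptions chosen so the model runs inside its own buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STATE_SIZE    0x2000u /* assumed size of the parser state block */
#define TABLE_OFF     0x800u  /* listing: add edx, 800h */
#define FIELD_OFF     0x0Eu   /* listing: first store is [edx+0Eh] */
#define ENTRY_STRIDE  16u     /* listing: shl edx, 4 */
#define COUNTER_MAX   0x100u  /* page: upper limit for the counter value */
#define TABLE_ENTRIES 32u     /* assumed table capacity, not stated on the page */
#define CLEANUP_OFF   0x1000u /* assumed 4-byte pointer field that starts as NULL */

/* Byte offset of the 16 bytes written for entry idx (steps [2]-[4], then +0Eh). */
static size_t entry_off(unsigned idx) {
    return TABLE_OFF + (size_t)idx * ENTRY_STRIDE + FIELD_OFF;
}

/* Mirrors the loop: indices are used without comparing them to the table size. */
static void copy_entries_unchecked(uint8_t *st, uint8_t dst, uint8_t src, unsigned n) {
    unsigned d = dst, s = src;
    for (unsigned i = 0; i < n && d < COUNTER_MAX && s < COUNTER_MAX; i++, d++, s++)
        memmove(st + entry_off(d), st + entry_off(s), 16); /* stores [5]-[8] */
}

/* Hardened form: both index ranges must fit the table before anything is written. */
static int copy_entries_checked(uint8_t *st, uint8_t dst, uint8_t src, unsigned n) {
    if (n > TABLE_ENTRIES || dst > TABLE_ENTRIES - n || src > TABLE_ENTRIES - n)
        return -1; /* reject the file */
    copy_entries_unchecked(st, dst, src, n);
    return 0;
}

/* Copies one entry using a constructed index byte; returns 1 if the pointer
   field is still NULL afterwards. *rc is the checked copy's result (0 or -1). */
static int run_case(int checked, uint8_t dst_byte, int *rc) {
    uint8_t st[STATE_SIZE] = {0};
    static const uint8_t zero[4] = {0};
    memset(st + entry_off(0), 0x41, 16); /* constructed source entry */
    *rc = 0;
    if (checked) *rc = copy_entries_checked(st, dst_byte, 0, 1);
    else copy_entries_unchecked(st, dst_byte, 0, 1);
    return memcmp(st + CLEANUP_OFF, zero, sizeof zero) == 0;
}

int main(void) {
    int rc;
    printf("unchecked, index 127: pointer intact = %d\n", run_case(0, 127, &rc));
    printf("checked,   index 127: pointer intact = %d\n", run_case(1, 127, &rc));
    return rc == -1 ? 0 : 1;
}
```

In the unchecked case the index byte 127 places the write at offset 0xFFE, so the field at 0x1000 stops being NULL, which is the condition the advisory ties to the invalid `free()`; the checked form rejects the same input before any store.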
Talos
id | TALOS-2016-0158 |
last seen | 2019-05-29 |
published | 2016-07-19 |
reporter | Talos Intelligence |
source | http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0158 |
title | Oracle OIT ContentAccess libvs_word+63AC Code Execution Vulnerability |
References
- http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
- http://www.securityfocus.com/bid/91787
- http://www.securityfocus.com/bid/91937
- http://www.securitytracker.com/id/1036370
- http://www-01.ibm.com/support/docview.wss?uid=swg21988009
- http://www-01.ibm.com/support/docview.wss?uid=swg21988718