8.5.2

CVSS 8.6 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

LOW

Availability impact

LOW

network

low complexity

oracle

nessus

NVD

Published: 2016-07-21

Updated: 2017-09-01

Summary

Unspecified vulnerability in the Outside In Technology component in Oracle Fusion Middleware 8.5.0, 8.5.1, and 8.5.2 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Outside In Filters, a different vulnerability than CVE-2016-3574, CVE-2016-3575, CVE-2016-3576, CVE-2016-3577, CVE-2016-3578, CVE-2016-3579, CVE-2016-3580, CVE-2016-3581, CVE-2016-3582, CVE-2016-3583, CVE-2016-3590, CVE-2016-3591, CVE-2016-3593, CVE-2016-3594, CVE-2016-3595, and CVE-2016-3596.

Vulnerable Configurations

Part	Description	Count
Application	Oracle Oracle Outside IN Technology 8.5.2 Oracle Outside IN Technology 8.5.0 Oracle Outside IN Technology 8.5.1	3

Nessus

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS16-108.NASL
description	The remote Microsoft Exchange Server is missing a security update. It is, therefore, affected by multiple vulnerabilities : - Multiple remote code execution vulnerabilities exist in the Oracle Outside In libraries. An unauthenticated, remote attacker can exploit these, via a specially crafted email, to execute arbitrary code. (CVE-2015-6014, CVE-2016-3575, CVE-2016-3581, CVE-2016-3582, CVE-2016-3583, CVE-2016-3591, CVE-2016-3592, CVE-2016-3593, CVE-2016-3594, CVE-2016-3595, CVE-2016-3596) - An unspecified information disclosure vulnerability exists in the Oracle Outside In libraries that allows an attacker to disclose sensitive information. (CVE-2016-3574) - Multiple denial of service vulnerabilities exists in the Oracle Outside In libraries. (CVE-2016-3576, CVE-2016-3577, CVE-2016-3578, CVE-2016-3579, CVE-2016-3580, CVE-2016-3590) - An information disclosure vulnerability exists due to improper parsing of certain unstructured file formats. An unauthenticated, remote attacker can exploit this, via a crafted email using
last seen	2020-06-01
modified	2020-06-02
plugin id	93467
published	2016-09-13
reporter	This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/93467
title	MS16-108: Security Update for Microsoft Exchange Server (3185883)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(93467); script_version("1.11"); script_cvs_date("Date: 2019/11/19"); script_cve_id( "CVE-2015-6014", "CVE-2016-0138", "CVE-2016-3378", "CVE-2016-3379", "CVE-2016-3574", "CVE-2016-3575", "CVE-2016-3576", "CVE-2016-3577", "CVE-2016-3578", "CVE-2016-3579", "CVE-2016-3580", "CVE-2016-3581", "CVE-2016-3582", "CVE-2016-3583", "CVE-2016-3590", "CVE-2016-3591", "CVE-2016-3592", "CVE-2016-3593", "CVE-2016-3594", "CVE-2016-3595", "CVE-2016-3596" ); script_bugtraq_id( 81233, 91908, 91914, 91921, 91923, 91924, 91925, 91927, 91929, 91931, 91933, 91934, 91935, 91936, 91937, 91939, 91940, 91942, 92806, 92833, 92836 ); script_xref(name:"MSFT", value:"MS16-108"); script_xref(name:"MSKB", value:"3184711"); script_xref(name:"MSKB", value:"3184728"); script_xref(name:"MSKB", value:"3184736"); script_name(english:"MS16-108: Security Update for Microsoft Exchange Server (3185883)"); script_summary(english:"Checks the version of ExSetup.exe."); script_set_attribute(attribute:"synopsis", value: "The remote Microsoft Exchange Server is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The remote Microsoft Exchange Server is missing a security update. It is, therefore, affected by multiple vulnerabilities : - Multiple remote code execution vulnerabilities exist in the Oracle Outside In libraries. An unauthenticated, remote attacker can exploit these, via a specially crafted email, to execute arbitrary code. (CVE-2015-6014, CVE-2016-3575, CVE-2016-3581, CVE-2016-3582, CVE-2016-3583, CVE-2016-3591, CVE-2016-3592, CVE-2016-3593, CVE-2016-3594, CVE-2016-3595, CVE-2016-3596) - An unspecified information disclosure vulnerability exists in the Oracle Outside In libraries that allows an attacker to disclose sensitive information. (CVE-2016-3574) - Multiple denial of service vulnerabilities exists in the Oracle Outside In libraries. (CVE-2016-3576, CVE-2016-3577, CVE-2016-3578, CVE-2016-3579, CVE-2016-3580, CVE-2016-3590) - An information disclosure vulnerability exists due to improper parsing of certain unstructured file formats. An unauthenticated, remote attacker can exploit this, via a crafted email using 'send as' rights, to disclose confidential user information. (CVE-2016-0138) - An open redirect vulnerability exists due to improper handling of open redirect requests. An unauthenticated, remote attacker can exploit this, by convincing a user to click a specially crafted URL, to redirect the user to a malicious website that spoofs a legitimate one. (CVE-2016-3378) - An elevation of privilege vulnerability exists due to improper handling of meeting invitation requests. An unauthenticated, remote attacker can exploit this, via a specially crafted Outlook meeting invitation request, to gain elevated privileges. (CVE-2016-3379)"); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2016/ms16-108"); script_set_attribute(attribute:"solution", value: "Microsoft has released a set of patches for Exchange Server 2007, 2010, 2013, and 2016."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-6014"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/07/19"); script_set_attribute(attribute:"patch_publication_date", value:"2016/09/13"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/09/13"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:exchange_server"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows : Microsoft Bulletins"); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ms_bulletin_checks_possible.nasl", "microsoft_exchange_installed.nbin"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, "Host/patch_management_checks"); exit(0); } include("audit.inc"); include("smb_func.inc"); include("smb_hotfixes.inc"); include("smb_hotfixes_fcheck.inc"); include("misc_func.inc"); include("install_func.inc"); get_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible'); bulletin = 'MS16-108'; kbs = make_list("3184711", "3184728", "3184736"); if (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); install = get_single_install(app_name:"Microsoft Exchange"); path = install["path"]; version = install["version"]; release = install["RELEASE"]; if (release != 80 && release != 140 && release != 150 && release != 151) audit(AUDIT_INST_VER_NOT_VULN, 'Exchange', version); if (!empty_or_null(install["SP"])) sp = install["SP"]; if (!empty_or_null(install["CU"])) cu = install["CU"]; if (((release == 150 \|\| release == 151) && isnull(cu)) \|\| (release == 150 && cu != 4 && cu != 12 && cu != 13) \|\| (release == 151 && cu != 1 && cu != 2)) audit(AUDIT_INST_VER_NOT_VULN, 'Exchange', version); if (release == 80) { kb = "3184711"; if (!empty_or_null(sp) && sp == 3) fixedver = "8.3.485.1"; } else if (release == 140) { kb = "3184728"; if (!empty_or_null(sp) && sp == 3) fixedver = "14.3.319.2"; } else if (release == 150) # 2013 SP1 AKA CU4 { kb = "3184736"; if (cu == 4) fixedver = "15.0.847.50"; else if (cu == 12) fixedver = "15.0.1178.9"; else if (cu == 13) fixedver = "15.0.1210.6"; } else if (release == 151) # Exchange Server 2016 { kb = "3184736"; if (cu == 1) fixedver = "15.1.396.37"; else if (cu == 2) fixedver = "15.1.466.37"; } if (fixedver && hotfix_is_vulnerable(path:hotfix_append_path(path:path, value:"Bin"), file:"ExSetup.exe", version:fixedver, bulletin:bulletin, kb:kb)) { set_kb_item(name:'SMB/Missing/' + bulletin, value:TRUE); hotfix_security_hole(); hotfix_check_fversion_end(); exit(0); } else { hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, 'affected'); }

Seebug

bulletinFamily	exploit
description	### Description Partially controlled memory write vulnerability exists in Mac Word file format parsing code of Oracle Outside In Technology Content Access SDK. An unchecked pointer arithmetic leads to an out of bounds memory overwrite resulting in code execution. ### Tested Versions Oracle Outside In Technology Content Access SDK 8.5.1. ### Product URLs http://www.oracle.com/technetwork/middleware/content-management/oit-all-085236.html ### Details When parsing a Mac Word document a single-byte value from a file is used as a starting value for a counter which is used in arithmetic operations for memory access. No size checks are performed after the arithmetic operations resulting in an out of bounds 4 byte memory write. Although the file is identified by OIT CA SDK as FIMACWORD5, leading to it being parsed by libvsword library, the vulnerability can be triggered by the example `parsepst` application supplied with the SDK. Technical information below: Vulnerability is present in function at address 0xB74A83AC in libvs_word.so library (with image base at 0xB74A2000), specifically starting in the following basic block: ``` .text:B74A937C loc_B74A937C: ; CODE XREF: sub_B74A83AC+FC1j .text:B74A937C movzx edx, di [1] .text:B74A937F movzx eax, si .text:B74A9382 movzx ecx, word ptr [ebp+eax2+0A30h] .text:B74A938A mov [ebp+edx2+0A30h], cx .text:B74A9392 shl edx, 4 [2] .text:B74A9395 add edx, ebp [3] .text:B74A9397 add edx, 800h [4] .text:B74A939D shl eax, 4 .text:B74A93A0 add eax, ebp .text:B74A93A2 add eax, 800h .text:B74A93A7 mov ecx, [eax+0Eh] .text:B74A93AA mov [edx+0Eh], ecx [5] .text:B74A93AD mov ecx, [eax+12h] .text:B74A93B0 mov [edx+12h], ecx [6] .text:B74A93B3 mov ecx, [eax+16h] .text:B74A93B6 mov [edx+16h], ecx [7] .text:B74A93B9 mov eax, [eax+1Ah] .text:B74A93BC mov [edx+1Ah], eax [8] .text:B74A93BF add edi, 1 .text:B74A93C2 add esi, 1 .text:B74A93C5 sub word ptr [esp+12Ch+var_9C+2], 1 .text:B74A93CE jnz short loc_B74A936F ``` Initial value of `di` register comes from a byte at offset 0x29d in the supplied testcase and is used as a starting value for a counter. Value is zero extended into edx at [1] and is then used in arithmetic operations at [2], [3] and [4]. Final value is used as a pointer to a structure and values of `ecx` and `eax` registers get written to appropriate structure fields at [5], [6], [7] and [8]. Upper limit for the counter value is 0x100. No bounds checking is being made after pointer arithmetic resulting in a possible out of bounds memory overwrite. While parsing the first supplied testcase, out of bounds write results in a pointer previously initialized to NULL to become non-NULL leading to an invalid free() during the cleanup after the file has been parsed. In the case of the second supplied testcase, the same vulnerability results in a function pointer overwrite leading to an even simpler exploitable condition. ### Timeline * 2015–10-19 - Discovery * 2016-04-20 - Initial Vendor Notification * 2016-07-19 - Public Disclosure
id	SSV:96707
last seen	2017-11-19
modified	2017-10-16
published	2017-10-16
reporter	Root
title	Oracle OIT ContentAccess libvs_word+63AC Code Execution Vulnerability(CVE-2016-3592)

Talos

id	TALOS-2016-0158
last seen	2019-05-29
published	2016-07-19
reporter	Talos Intelligence
source	http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0158
title	Oracle OIT ContentAccess libvs_word+63AC Code Execution Vulnerability

Summary

Vulnerable Configurations

Nessus

Seebug

Talos

References