Vulnerabilities > CVE-2016-3593 - Unspecified vulnerability in Oracle Outside in Technology 8.5.0/8.5.1/8.5.2
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
LOW Availability impact
LOW Summary
Unspecified vulnerability in the Outside In Technology component in Oracle Fusion Middleware 8.5.0, 8.5.1, and 8.5.2 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Outside In Filters, a different vulnerability than CVE-2016-3574, CVE-2016-3575, CVE-2016-3576, CVE-2016-3577, CVE-2016-3578, CVE-2016-3579, CVE-2016-3580, CVE-2016-3581, CVE-2016-3582, CVE-2016-3583, CVE-2016-3590, CVE-2016-3591, CVE-2016-3592, CVE-2016-3594, CVE-2016-3595, and CVE-2016-3596.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 3 |
Nessus
NASL family | Windows : Microsoft Bulletins |
NASL id | SMB_NT_MS16-108.NASL |
description | The remote Microsoft Exchange Server is missing a security update. It is, therefore, affected by multiple vulnerabilities : - Multiple remote code execution vulnerabilities exist in the Oracle Outside In libraries. An unauthenticated, remote attacker can exploit these, via a specially crafted email, to execute arbitrary code. (CVE-2015-6014, CVE-2016-3575, CVE-2016-3581, CVE-2016-3582, CVE-2016-3583, CVE-2016-3591, CVE-2016-3592, CVE-2016-3593, CVE-2016-3594, CVE-2016-3595, CVE-2016-3596) - An unspecified information disclosure vulnerability exists in the Oracle Outside In libraries that allows an attacker to disclose sensitive information. (CVE-2016-3574) - Multiple denial of service vulnerabilities exists in the Oracle Outside In libraries. (CVE-2016-3576, CVE-2016-3577, CVE-2016-3578, CVE-2016-3579, CVE-2016-3580, CVE-2016-3590) - An information disclosure vulnerability exists due to improper parsing of certain unstructured file formats. An unauthenticated, remote attacker can exploit this, via a crafted email using |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 93467 |
published | 2016-09-13 |
reporter | This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/93467 |
title | MS16-108: Security Update for Microsoft Exchange Server (3185883) |
code |
|
Seebug
bulletinFamily | exploit |
description | ### Description A partially controlled memory corruption vulnerability exists in Mac Works Database file format parsing code of Oracle Outside In Technology Content Access SDK. An unchecked pointer arithmetic leads to an out of bounds memory overwrite resulting in arbitrary code execution. ### Tested Versions Oracle Outside In Technology Content Access SDK 8.5.1. ### Product URLs http://www.oracle.com/technetwork/middleware/content-management/oit-all-085236.html ### Details When parsing a Mac Works Database document memory is being written in a loop using a counter in destination address calculations. No size checks are performed after the arithmetic operations resulting in an out of bounds memory write. Although the file is identified by as a MWKD document, leading to it being parsed by libvs_mwkd library, the vulnerability can be triggered by the example `parsepst` application supplied with the SDK. Technical information below: Vulnerability is present in `VwStreamSection` function in libvs_mwkd.so library (with image base at 0xB7F89000), specifically starting in the following basic block: ``` .text:B7F8A723 movzx eax, si .text:B7F8A726 mov ecx, [esp+9Ch+var_64] .text:B7F8A72A mov [ecx+eax], dl [1] .text:B7F8A72D add esi, 1 .text:B7F8A730 add ebp, 1 .text:B7F8A733 cmp word ptr [esp+9Ch+var_70], bp .text:B7F8A738 jz short loc_B7F8A761 ``` Values of `si` and `bp` are used as counter with an upper value read from a byte at file offset 0x5ee in the supplied testcase. Contents of `dl` are then written into the destination address at [1]. No bounds checking is performed, leading to an out of bounds memory overwrite. In a supplied testcase, memory corruption resulting from this vulnerability overwrites the value of a function pointer which is later dereferenced in a `call` instruction at 0xb7d87d71 in libsc_ch.so library (with base address of 0xb7d6f000). ### Timeline * 2015-10-10 - Discovery * 2016-04-20 - Initial Vendor Notification * 2016-07-19 - Public Release |
id | SSV:96710 |
last seen | 2017-11-19 |
modified | 2017-10-16 |
published | 2017-10-16 |
reporter | Root |
title | Oracle OIT ContentAccess libvs_mwkd VwStreamSection Code Execution Vulnerability(CVE-2016-3593) |
Talos
id | TALOS-2016-0159 |
last seen | 2019-05-29 |
published | 2016-07-19 |
reporter | Talos Intelligence |
source | http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0159 |
title | Oracle OIT ContentAccess libvs_mwkd VwStreamSection Code Execution Vulnerability |
References
- http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
- http://www.securityfocus.com/bid/91787
- http://www.securityfocus.com/bid/91787
- http://www.securityfocus.com/bid/91908
- http://www.securityfocus.com/bid/91908
- http://www.securitytracker.com/id/1036370
- http://www.securitytracker.com/id/1036370
- http://www-01.ibm.com/support/docview.wss?uid=swg21988009
- http://www-01.ibm.com/support/docview.wss?uid=swg21988009
- http://www-01.ibm.com/support/docview.wss?uid=swg21988718
- http://www-01.ibm.com/support/docview.wss?uid=swg21988718