CVE-2017-3293 - Remote Security vulnerability in Oracle Outside In Technology 8.5.2/8.5.3

CVSS 7.5 - HIGH

| Metric | Value |
|---|---|
| Attack vector | NETWORK |
| Attack complexity | LOW |
| Privileges required | NONE |
| Confidentiality impact | PARTIAL |
| Integrity impact | PARTIAL |
| Availability impact | PARTIAL |

Summary

Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters). Supported versions that are affected are 8.5.2 and 8.5.3. Easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Outside In Technology. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Outside In Technology accessible data, as well as unauthorized update, insert or delete access to some of Oracle Outside In Technology accessible data and the unauthorized ability to cause a partial denial of service (partial DoS) of Oracle Outside In Technology.

Note: Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code; if data is not received over a network, the CVSS score may be lower. CVSS v3.0 Base Score 8.6 (Confidentiality, Integrity and Availability impacts).

Vulnerable Configurations

| Part | Description | Count |
|---|---|---|
| Application | Oracle | 2 |

Nessus

NASL family: Windows
NASL id: WEBSPHERE_PORTAL_CVE-2017-1120.NASL
description: The version of IBM WebSphere Portal installed on the remote Windows host is 8.5.0 prior to 8.5.0.0 CF14 or 9.0.0 prior to CF14. It is, therefore, affected by multiple vulnerabilities: - Multiple cross-site scripting (XSS) vulnerabilities exist in the web UI due to improper validation of user-supplied input before returning it to users. An unauthenticated, remote attacker can exploit these, via a specially crafted request, to execute arbitrary script code in a user
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 99236
published: 2017-07-03
reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/99236
title: IBM WebSphere Portal 8.5.0 < 8.5.0 CF14 / 9.0.0 < 9.0.0 CF14 Multiple Vulnerabilities
code:
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(99236);
  script_version("1.6");
  script_cvs_date("Date: 2019/11/12");

  script_cve_id(
    "CVE-2017-1120",
    "CVE-2017-1156",
    "CVE-2017-1217",
    "CVE-2017-3266",
    "CVE-2017-3267",
    "CVE-2017-3268",
    "CVE-2017-3269",
    "CVE-2017-3270",
    "CVE-2017-3271",
    "CVE-2017-3293",
    "CVE-2017-3294",
    "CVE-2017-3295"
  );
  script_bugtraq_id(
    95507,
    95513,
    95522,
    95524,
    95529,
    95532,
    95534,
    95536,
    95539,
    97075,
    98340,
    99350
  );

  script_name(english:"IBM WebSphere Portal 8.5.0 < 8.5.0 CF14 / 9.0.0 < 9.0.0 CF14 Multiple Vulnerabilities");
  script_summary(english:"Checks for the installed patch.");

  script_set_attribute(attribute:"synopsis", value:
"The web portal software installed on the remote Windows host is
affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of IBM WebSphere Portal installed on the remote Windows
host is 8.5.0 prior to 8.5.0.0 CF14 or 9.0.0 prior to CF14. It is,
therefore, affected by multiple vulnerabilities :

  - Multiple cross-site scripting (XSS) vulnerabilities
    exist in the web UI due to improper validation of
    user-supplied input before returning it to users. An
    unauthenticated, remote attacker can exploit these, via
    a specially crafted request, to execute arbitrary script
    code in a user's browser session. (CVE-2017-1120,
    CVE-2017-1217)

  - A cross-site redirection vulnerability exists due to
    improper validation of user-supplied input. An
    unauthenticated, remote attacker can exploit this, by
    convincing a user to follow a specially crafted link,
    to redirect the unsuspecting user from an intended
    trusted website to an arbitrary website of the
    attacker's choosing, which then can be used to conduct
    further attacks. (CVE-2017-1156)

  - A use-after-free error exists in the Outside In Filters
    subcomponent when handling PageHeight and PageWidth
    values in VSDX files. An unauthenticated, remote
    attacker can exploit this to dereference already freed
    memory, resulting in the execution of arbitrary code.
    (CVE-2017-3266)

  - Multiple unspecified flaws exist in the Outside In
    Filters subcomponent that allow an unauthenticated,
    remote attacker to cause a denial of service condition.
    (CVE-2017-3267, CVE-2017-3268, CVE-2017-3270)

  - Multiple unspecified flaws exist in the Outside In
    Filters subcomponent that allow an unauthenticated,
    remote attacker to impact confidentiality, integrity,
    and availability. (CVE-2017-3269, CVE-2017-3271,
    CVE-2017-3293)

  - A denial of service vulnerability exists in the Outside
    In Filters subcomponent, specifically in the Content
    Access functionality within the vspdf.dll library, when
    parsing the /Pages key in a Catalog Dictionary. An
    unauthenticated, remote attacker can exploit this, via a
    specially crafted PDF file, to crash an application
    linked to the library. (CVE-2017-3294)

  - A denial of service vulnerability exists in the Outside
    In Filters subcomponent, specifically in the Content
    Access functionality within the vspdf.dll library, when
    parsing the /Matrix entry in a /CalRGB element within a
    PDF file. An unauthenticated, remote attacker can
    exploit this, via a specially crafted PDF file that
    triggers an invalid read, to crash an application linked
    to the library. (CVE-2017-3295)");
  script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg24037786#CF14");
  script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg22000152");
  script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg22000153");
  script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg22001394");
  script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg22004348");
  script_set_attribute(attribute:"solution", value:
"Upgrade to IBM WebSphere Portal version 8.5.0 CF14 / 9.0.0 CF14 or
later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-3293");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/01/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/06/27");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/03");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:websphere_portal");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("websphere_portal_installed.nbin");
  script_require_keys("installed_sw/IBM WebSphere Portal");

  exit(0);
}

include("websphere_portal_version.inc");

websphere_portal_check_version(
  ranges:make_list(
    "9.0.0.0, 9.0.0.0, CF14",
    "8.5.0.0, 8.5.0.0, CF14"
    ),
  fix:"PI73835",
  severity:SECURITY_HOLE,
  xss:TRUE
);

Seebug

bulletinFamily: exploit
description:

### Summary

An exploitable Use After Free vulnerability exists in the RTF parser functionality of Oracle Outside In Technology SDK. A specially crafted RTF document can cause a reuse of a reference to previously freed memory, which can be manipulated into achieving arbitrary code execution.

### Tested Versions

Oracle Outside In Technology 8.5.3.

### Product URLs

http://www.oracle.com/us/technologies/embedded/025613.htm

### CVSSv3 Score

8.1 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:C/A:C

### Details

Oracle Outside In Technology SDK is a widely used file format access and filtering framework. It's used in many enterprise software distributions for accessing, parsing, filtering and converting numerous file formats.

While parsing a specially crafted RTF document, a reference to a freed object is reused. If, during the window of time after the object is freed and before its reference is reused, the same memory area is properly manipulated, it may result in arbitrary reading or writing of memory that could ultimately result in arbitrary code execution.

The minimized testcase that triggers this vulnerability is as follows:

```
{\rtf1 \ansi { \info \par } { \footer \posx { \par } } { \footer } }
```

In the above example testcase, the `\par` directive causes allocation of memory for an object which is subsequently freed. When document rendering reaches the second `\footer` directive, the same memory area is reused without a new allocation. This results in accessing the freed memory. With proper memory manipulation, the attacker can cause the same area of memory to be allocated for a different object. With control of the allocated memory.

The memory allocation and object initialization is done in the function at 0xb6031310 in the `libde_wp.so` shared library (with image base 0xb6022000):

```
[----------------------------------registers-----------------------------------]
EAX: 0xad496ac0 (0xad496ac0)
EBX: 0xb6073934 --> 0x517f0
ECX: 0xb5f52bac --> 0x10000
EDX: 0x4
ESI: 0xb5f52bac --> 0x10000
EDI: 0xad4c7f38 --> 0x1
EBP: 0xad499f58 --> 0x1
ESP: 0xbfffb1f0 --> 0x0
EIP: 0xb60352b6 (mov    DWORD PTR [esp+0x28],eax)
EFLAGS: 0x282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0xb60352aa:  xor    edx,edx
   0xb60352ac:  mov    eax,0x4
   0xb60352b1:  call   0xb6031310
=> 0xb60352b6:  mov    DWORD PTR [esp+0x28],eax
   0xb60352ba:  mov    edx,DWORD PTR [esp+0x28]
   0xb60352be:  test   edx,edx
   0xb60352c0:  jne    0xb6034e40
   0xb60352c6:  jmp    0xb6034caa
[------------------------------------stack-------------------------------------]
0000| 0xbfffb1f0 --> 0x0
0004| 0xbfffb1f4 --> 0x0
0008| 0xbfffb1f8 --> 0xb603edae (<OIWCloseFatal>:    push   ebx)
0012| 0xbfffb1fc --> 0xb601b4f0 --> 0xb70d9edc --> 0xc002
0016| 0xbfffb200 --> 0xb5f53d8c --> 0x0
0020| 0xbfffb204 --> 0x0
0024| 0xbfffb208 --> 0x0
0028| 0xbfffb20c --> 0xb5f52bac --> 0x10000
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 16, 0xb60352b6 in ?? () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
gdb-peda$ bt
#0  0xb60352b6 in ?? () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#1  0xb603bb0f in ?? () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#2  0xb603ccd3 in PWPreviewGetPage () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#3  0xb603fb58 in OIW_PLMCallback () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#4  0xb6057bf8 in PLPageRetrieve () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#5  0xb605b3cd in PLMH_MapDrawToRect () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#6  0xb603df4d in DEProc () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#7  0xb6f46192 in GAPSetOutputInfoImgExNP () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_du.so
#8  0xb6f52869 in GAPMetafileToHandle () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_du.so
#9  0xb6fb10c8 in GAGraphicToHandle () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_img.so
#10 0xb6fcdfec in EUDoConversionIX () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_img.so
#11 0xb6fc9522 in VwImageExportWriteFunc () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_img.so
#12 0xb6fc2852 in VwExportWriteFuncEx () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_img.so
#13 0xb6fe2bb5 in VwExportWrite () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libex_img.so
#14 0xb7d63e61 in FARunExport () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_fa.so
#15 0xb7fa4602 in EXRunExport () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_ex.so
#16 0x08048b7b in main ()
gdb-peda$
```

In the above output, we can see that the allocated buffer is at 0xad496ac0. The buffer is later freed at 0xb602de67 in the same library by calling `SYSNativeFree`, which is a wrapper around `free()`:

```
gdb-peda$ awatch *0xad496ac0
Hardware access (read/write) watchpoint 17: *0xad496ac0
gdb-peda$ c
Continuing.
[----------------------------------registers-----------------------------------]
EAX: 0x4
EBX: 0xb6073934 --> 0x517f0
ECX: 0x7
EDX: 0x0
ESI: 0xad496ac0 (0xad496ac0)
EDI: 0xad496ac0 (0xad496ac0)
EBP: 0x1
ESP: 0xbfffa930 --> 0xb5f53e04 --> 0x0
EIP: 0xb602de5c (mov    DWORD PTR [esp],esi)
EFLAGS: 0x286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0xb602de52:  je     0xb602de5a
   0xb602de54:  mov    DWORD PTR [esi+0xc80],edx
   0xb602de5a:  mov    esi,DWORD PTR [edi]
=> 0xb602de5c:  mov    DWORD PTR [esp],esi
   0xb602de5f:  call   0xb6027384 <SYSNativeUnlock@plt>
   0xb602de64:  mov    DWORD PTR [esp],esi
   0xb602de67:  call   0xb6027424 <SYSNativeFree@plt>
   0xb602de6c:  add    esp,0x10
[------------------------------------stack-------------------------------------]
0000| 0xbfffa930 --> 0xb5f53e04 --> 0x0
0004| 0xbfffa934 --> 0x1
0008| 0xbfffa938 --> 0x10001
0012| 0xbfffa93c --> 0xb6073934 --> 0x517f0
0016| 0xbfffa940 --> 0xb6073934 --> 0x517f0
0020| 0xbfffa944 --> 0xb601b9b0 --> 0xb601ba00 --> 0xb601b4f0 --> 0xb70d9edc --> 0xc002
0024| 0xbfffa948 --> 0xb5f38ac0 (0xb5f38ac0)
0028| 0xbfffa94c --> 0xb602e243 (mov    ecx,edi)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Hardware access (read/write) watchpoint 17: *0xad496ac0

Value = 0xad496ac0
0xb602de5c in ?? () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
gdb-peda$ bt
#0  0xb602de5c in ?? () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#1  0xb602e243 in ?? () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#2  0xb603336f in ?? () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#3  0xb6035dc0 in ?? () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#4  0xb6036abe in ?? () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#5  0xb603b31e in ?? () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#6  0xb603ccd3 in PWPreviewGetPage () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#7  0xb603fb58 in OIW_PLMCallback () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#8  0xb6057bf8 in PLPageRetrieve () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#9  0xb605b3cd in PLMH_MapDrawToRect () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#10 0xb603df4d in DEProc () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#11 0xb6f46192 in GAPSetOutputInfoImgExNP () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_du.so
#12 0xb6f52869 in GAPMetafileToHandle () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_du.so
#13 0xb6fb10c8 in GAGraphicToHandle () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_img.so
#14 0xb6fcdfec in EUDoConversionIX () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_img.so
#15 0xb6fc9522 in VwImageExportWriteFunc () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_img.so
#16 0xb6fc2852 in VwExportWriteFuncEx () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_img.so
#17 0xb6fe2bb5 in VwExportWrite () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libex_img.so
#18 0xb7d63e61 in FARunExport () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_fa.so
#19 0xb7fa4602 in EXRunExport () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_ex.so
#20 0x08048b7b in main ()
gdb-peda$
```

The first Use After Free condition occurs at 0xb6036062. During normal execution, the process will not crash because the memory still contains the same valid data, even though it is freed. If a debugging allocator is used (such as libduma), the freed page will be kept busy but marked unreadable in order to catch this kind of issue. In that case, resuming the execution results in the following crash:

```
gdb-peda$ c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0xad496ac0 (0xad496ac0)
EBX: 0xb6073934 --> 0x517f0
ECX: 0x4c ('L')
EDX: 0xbfffb22c --> 0xb6073934 --> 0x517f0
ESI: 0xad385ac0 (0xad385ac0)
EDI: 0x0
EBP: 0xad34dac0 (0xad34dac0)
ESP: 0xbfffafd0 --> 0xbfffb058 --> 0x0
EIP: 0xb6036062 (cmp    DWORD PTR [eax+0x40],0xffffffff)
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0xb603604e:  je     0xb60362ec
   0xb6036054:  cmp    WORD PTR [esi+0x9dc],0x0
   0xb603605c:  js     0xb60362ec
=> 0xb6036062:  cmp    DWORD PTR [eax+0x40],0xffffffff
   0xb6036066:  je     0xb60362ec
   0xb603606c:  lea    edx,[esi+0x30]
   0xb603606f:  mov    DWORD PTR [esp+0x4c],edx
   0xb6036073:  add    eax,0x40
[------------------------------------stack-------------------------------------]
0000| 0xbfffafd0 --> 0xbfffb058 --> 0x0
0004| 0xbfffafd4 --> 0x0
0008| 0xbfffafd8 --> 0x1d4
0012| 0xbfffafdc --> 0xb7c685b4 ("LOGetString")
0016| 0xbfffafe0 --> 0x1
0020| 0xbfffafe4 --> 0xb6020fa8 --> 0xb6076d51 --> 0xb6022000 --> 0x464c457f
0024| 0xbfffafe8 --> 0x16
0028| 0xbfffafec --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0xb6036062 in ?? () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
gdb-peda$ vmmap $eax
Start      End        Perm      Name
0xad46b000 0xad499000 ---p      mapped
gdb-peda$ bt
#0  0xb6036062 in ?? () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#1  0xb6036abe in ?? () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#2  0xb603b31e in ?? () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#3  0xb603ccd3 in PWPreviewGetPage () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#4  0xb603fb58 in OIW_PLMCallback () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#5  0xb6057bf8 in PLPageRetrieve () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#6  0xb605b3cd in PLMH_MapDrawToRect () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#7  0xb603df4d in DEProc () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libde_wp.so
#8  0xb6f46192 in GAPSetOutputInfoImgExNP () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_du.so
#9  0xb6f52869 in GAPMetafileToHandle () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_du.so
#10 0xb6fb10c8 in GAGraphicToHandle () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_img.so
#11 0xb6fcdfec in EUDoConversionIX () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_img.so
#12 0xb6fc9522 in VwImageExportWriteFunc () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_img.so
#13 0xb6fc2852 in VwExportWriteFuncEx () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_img.so
#14 0xb6fe2bb5 in VwExportWrite () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libex_img.so
#15 0xb7d63e61 in FARunExport () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_fa.so
#16 0xb7fa4602 in EXRunExport () from /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/libsc_ex.so
#17 0x08048b7b in main ()
gdb-peda$
```

In the above output, it should be observed that the pointer being dereferenced in the `cmp` instruction is the same one that was previously freed, and the process has crashed because the page permissions deny read access.

By further manipulating the document, placing an object of precise size between the point of free and the point of reuse, further memory corruption can be achieved, potentially resulting in arbitrary code execution. The vulnerability can be triggered by running the `ixsample` binary, included in the SDK, with the above mentioned testcase. Although the supplied testcase doesn't cause a crash, the use after free can be caught with Valgrind, for example.

### Crash Information

Example output from Valgrind:

```
$ valgrind $IX ./5f06aa03c157a4f7522d42320f523e93.rtf asd
==17551== Memcheck, a memory error detector
==17551== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==17551== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==17551== Command: /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/sdk/demo/ixsample ./5f06aa03c157a4f7522d42320f523e93.rtf asd
==17551==
Creating file: "asd"
==17551== Invalid read of size 4
==17551==    at 0x5912062: ??? (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551==    by 0x5912ABD: ??? (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551==    by 0x591731D: ??? (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551==    by 0x5918CD2: PWPreviewGetPage (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551==    by 0x591BB57: OIW_PLMCallback (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551==    by 0x5933BF7: PLPageRetrieve (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551==    by 0x59373CC: PLMH_MapDrawToRect (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551==    by 0x5919F4C: DEProc (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551==    by 0x5170191: GAPSetOutputInfoImgExNP (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libsc_du.so)
==17551==    by 0x517C868: GAPMetafileToHandle (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libsc_du.so)
==17551==    by 0x508B0C7: GAGraphicToHandle (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libsc_img.so)
==17551==    by 0x50A7FEB: EUDoConversionIX (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libsc_img.so)
==17551==  Address 0x5d37fd0 is 64 bytes inside a block of size 5,440 free'd
==17551==    at 0x402C2CD: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==17551==    by 0x4809C16: SYSNativeFree (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libwv_core.so)
==17551==
==17551== Invalid read of size 4
==17551==    at 0x5905DB7: WPUCompSccvwPos (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551==  Address 0x5d37fd0 is 64 bytes inside a block of size 5,440 free'd
==17551==    at 0x402C2CD: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==17551==    by 0x4809C16: SYSNativeFree (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libwv_core.so)
==17551==
==17551== Invalid read of size 4
==17551==    at 0x5912062: ??? (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551==    by 0x5912A63: ??? (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551==    by 0x591731D: ??? (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551==    by 0x5918CD2: PWPreviewGetPage (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551==    by 0x591BB57: OIW_PLMCallback (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551==    by 0x5933BF7: PLPageRetrieve (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551==    by 0x59373CC: PLMH_MapDrawToRect (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551==    by 0x5919F4C: DEProc (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551==    by 0x5170191: GAPSetOutputInfoImgExNP (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libsc_du.so)
==17551==    by 0x517C868: GAPMetafileToHandle (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libsc_du.so)
==17551==    by 0x508B0C7: GAGraphicToHandle (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libsc_img.so)
==17551==    by 0x50A7FEB: EUDoConversionIX (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libsc_img.so)
==17551==  Address 0x5d37fd0 is 64 bytes inside a block of size 5,440 free'd
==17551==    at 0x402C2CD: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==17551==    by 0x4809C16: SYSNativeFree (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libwv_core.so)
==17551==
==17551== Invalid read of size 1
==17551==    at 0x59174BE: ??? (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551==    by 0x5918CD2: PWPreviewGetPage (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551==    by 0x591BB57: OIW_PLMCallback (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551==    by 0x5933BF7: PLPageRetrieve (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551==    by 0x59373CC: PLMH_MapDrawToRect (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551==    by 0x5919F4C: DEProc (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libde_wp.so)
==17551==    by 0x5170191: GAPSetOutputInfoImgExNP (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libsc_du.so)
==17551==    by 0x517C868: GAPMetafileToHandle (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libsc_du.so)
==17551==    by 0x508B0C7: GAGraphicToHandle (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libsc_img.so)
==17551==    by 0x50A7FEB: EUDoConversionIX (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libsc_img.so)
==17551==    by 0x50A3521: VwImageExportWriteFunc (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libsc_img.so)
==17551==    by 0x509C851: VwExportWriteFuncEx (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libsc_img.so)
==17551==  Address 0x5d394b0 is 5,408 bytes inside a block of size 5,440 free'd
==17551==    at 0x402C2CD: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==17551==    by 0x4809C16: SYSNativeFree (in /home/ea/triage/oit_pdf/ix-8-5-3-linux-x86-32/redist/libwv_core.so)
==17551==
Export successful: 1 output file(s) created.
==17551==
==17551== HEAP SUMMARY:
==17551==     in use at exit: 28 bytes in 2 blocks
==17551==   total heap usage: 19,458 allocs, 19,456 frees, 25,394,878 bytes allocated
==17551==
==17551== LEAK SUMMARY:
==17551==    definitely lost: 0 bytes in 0 blocks
==17551==    indirectly lost: 0 bytes in 0 blocks
==17551==      possibly lost: 0 bytes in 0 blocks
==17551==    still reachable: 28 bytes in 2 blocks
==17551==         suppressed: 0 bytes in 0 blocks
==17551== Rerun with --leak-check=full to see details of leaked memory
==17551==
==17551== For counts of detected and suppressed errors, rerun with: -v
==17551== ERROR SUMMARY: 12 errors from 4 contexts (suppressed: 0 from 0)
```

### Timeline

* 2016-10-10 - Vendor Disclosure
* 2017-01-17 - Public Release

### CREDIT

* Discovered by Aleksandar Nikolic of Cisco Talos.
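The advisory notes that the use after free is not a crash on its own but is caught by Valgrind. As an added example (not part of the Talos report or the Oracle SDK), the triage helper below parses Memcheck output, keeps only the invalid accesses that land inside a block reported as free'd, and records both the faulting frames and the frames that released the block. `SAMPLE_LOG` is a constructed excerpt modelled on the Memcheck output above, with shortened paths.

```python
# Added triage helper (not from the Talos advisory or the Outside In SDK): extract
# use-after-free reports from Valgrind Memcheck output. SAMPLE_LOG is a constructed
# excerpt modelled on the Memcheck output above, with shortened paths.
import re
from collections import namedtuple

SAMPLE_LOG = """\
Creating file: "out"
==17551== Invalid read of size 4
==17551==    at 0x5912062: ??? (in /opt/oit/redist/libde_wp.so)
==17551==    by 0x5918CD2: PWPreviewGetPage (in /opt/oit/redist/libde_wp.so)
==17551==  Address 0x5d37fd0 is 64 bytes inside a block of size 5,440 free'd
==17551==    at 0x402C2CD: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==17551==    by 0x4809C16: SYSNativeFree (in /opt/oit/redist/libwv_core.so)
==17551== 
==17551== Invalid read of size 1
==17551==    at 0x59174BE: ??? (in /opt/oit/redist/libde_wp.so)
==17551==  Address 0x5d394b0 is 5,408 bytes inside a block of size 5,440 free'd
==17551==    at 0x402C2CD: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==17551==    by 0x4809C16: SYSNativeFree (in /opt/oit/redist/libwv_core.so)
==17551== 
==17551== Invalid write of size 4
==17551==    at 0x1234: fill_row (render.c:42)
==17551==  Address 0x5e00010 is 0 bytes after a block of size 16 alloc'd
==17551== 
==17551== ERROR SUMMARY: 12 errors from 4 contexts (suppressed: 0 from 0)
"""

PREFIX_RE = re.compile(r"^==\d+==\s?(.*)$")
INVALID_RE = re.compile(r"^Invalid (read|write) of size (\d+)$")
FRAME_RE = re.compile(r"^(?:at|by) (0x[0-9A-Fa-f]+): (\S+) (.*)$")
FREED_RE = re.compile(r"^Address 0x[0-9A-Fa-f]+ is ([\d,]+) bytes inside a block "
                      r"of size ([\d,]+) free'd$")
SUMMARY_RE = re.compile(r"ERROR SUMMARY: (\d+) errors from (\d+) contexts")

Frame = namedtuple("Frame", "pc func where")  # one 'at'/'by' line of a stack
# access_frames: where the stale pointer was used; free_frames: where it was released.
UseAfterFree = namedtuple(
    "UseAfterFree", "access size offset block_size access_frames free_frames")

def free_caller(report):
    """free_frames[0] is free() itself; [1] is the library code that released the block."""
    return report.free_frames[1].func if len(report.free_frames) > 1 else None

def _records(text):
    """Strip the ==PID== prefix, skip unprefixed program stdout, and yield each
    blank-line-separated Memcheck record as a list of lines."""
    rec = []
    for raw in text.splitlines():
        m = PREFIX_RE.match(raw)
        body = m.group(1).strip() if m else None  # None: the program's own stdout
        if body:
            rec.append(body)
        elif body == "" and rec:  # a bare ==PID== line closes the record
            yield rec
            rec = []
    if rec:
        yield rec

def parse_memcheck(text):
    """Return (use_after_free_reports, (errors, contexts)). Invalid accesses not inside
    a free'd block (heap overflows read 'after a block ... alloc'd') are skipped."""
    reports = []
    for rec in _records(text):
        head = INVALID_RE.match(rec[0])
        if not head:
            continue
        access_frames, free_frames, freed = [], [], None
        target = access_frames
        for line in rec[1:]:
            f = FRAME_RE.match(line)
            if f:
                target.append(Frame(*f.groups()))
                continue
            d = FREED_RE.match(line)
            if d:
                freed, target = d, free_frames  # frames that follow describe the free()
        if freed is None:
            continue
        reports.append(UseAfterFree(
            head.group(1), int(head.group(2)), int(freed.group(1).replace(",", "")),
            int(freed.group(2).replace(",", "")), access_frames, free_frames))
    s = SUMMARY_RE.search(text)
    return reports, (int(s.group(1)), int(s.group(2))) if s else None
```

Feeding the page's full Valgrind output to `parse_memcheck` yields one report per `Invalid read`, each pointing back at `SYSNativeFree` as the releasing call, which is the pairing a triager needs before looking at the disassembly.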
id: SSV:96585
last seen: 2017-11-19
modified: 2017-09-26
published: 2017-09-26
reporter: Root
title: Oracle Outside In Technology RTF Parsing Code Execution Vulnerability (CVE-2017-3293)

Talos

id: TALOS-2016-0215
last seen: 2019-05-29
published: 2017-01-17
reporter: Talos Intelligence
source: http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0215
title: Oracle Outside In Technology RTF Parsing Code Execution Vulnerability