Oracle AutoVue AutoVueX ActiveX Control ExportEdaBom Arbitrary File Overwrite

2011-11-07T00:00:00
ID SAINT:4A1AFC0EE746F0F1A7525F322366F15F
Type saint
Reporter SAINT Corporation
Modified 2011-11-07T00:00:00

Description

Added: 11/07/2011
BID: 50332
OSVDB: 76539

Background

Oracle AutoVue Enterprise Visualization is a suite of Oracle products designed to deliver a web-based capability to access, view, digitally annotate and collaborate on technical and business documents, without requiring specialized computer-aided design (CAD) tools. AutoVue includes tools for Electronic Design Automation (EDA), a category of software tools for designing electronic systems such as printed circuit boards and integrated circuits.

Problem

A file creation vulnerability exists in the Oracle AutoVue **AutoVueX.ocx** ActiveX control. The vulnerability is due to an unrestricted **sFileName** parameter of the ExportEdaBom() method: the value is used as a file path without validation, so it can be used to create or overwrite any file that the user running Internet Explorer is permitted to write. A remote attacker can exploit this vulnerability by enticing a user to open a specially crafted web page that instantiates the control and calls the method.

Resolution

Update Oracle AutoVue when a patch becomes available. As a workaround, set the kill bit for the **AutoVueX.ocx** ActiveX control, CLSID **{B6FCC215-D303-11D1-BC6C-0000C078797F}**, so that Internet Explorer refuses to instantiate it.
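The following PowerShell script is an added example of applying that workaround; it is not part of the SAINT advisory and not Oracle's code. It sets the Internet Explorer kill bit for the CLSID named above by writing the Microsoft-documented `Compatibility Flags` value 0x400 under the `ActiveX Compatibility` key (both the native and the Wow6432Node hive on 64-bit Windows, since 32-bit Internet Explorer reads the latter), OR-ing the bit into any flags already present, and then reads the value back to confirm. It must be run from an elevated session.

```powershell
# Added example: set the Internet Explorer kill bit for the AutoVueX control.
# Not SAINT's or Oracle's code. The CLSID is taken from the advisory; the
# registry location and the 0x400 (COMPAT_EVIL_DONT_LOAD) flag are documented
# by Microsoft for the ActiveX kill-bit mechanism. Run as Administrator.

$clsid   = '{B6FCC215-D303-11D1-BC6C-0000C078797F}'
$killBit = 0x400
$name    = 'Compatibility Flags'

$paths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
)
# 32-bit Internet Explorer on 64-bit Windows consults the Wow6432Node hive.
if ([Environment]::Is64BitOperatingSystem) {
    $paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
}

foreach ($path in $paths) {
    if (-not (Test-Path $path)) {
        New-Item -Path $path -Force | Out-Null
    }
    # Preserve any compatibility flags already set and OR in the kill bit.
    $existing = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    $newFlags = ([int]$existing) -bor $killBit
    Set-ItemProperty -Path $path -Name $name -Value $newFlags -Type DWord
}

# Verification: report each key and whether the kill bit is now present.
foreach ($path in $paths) {
    $flags = (Get-ItemProperty -Path $path -Name $name).$name
    $isSet = (($flags -band $killBit) -ne 0)
    '{0}  flags=0x{1:X}  kill bit set: {2}' -f $path, $flags, $isSet
}
```

Once the kill bit is in place, Internet Explorer will not load the control from any page, so the workaround also breaks legitimate AutoVue use in the browser until a patched build is installed and the flag is removed.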

References

<http://retrogod.altervista.org/9sg_autovue.html>
<http://secunia.com/advisories/46473>

Limitations

Exploit works on Oracle AutoVue 20.0.2.

Target user must open the exploit file in Internet Explorer.

Platforms

Windows