Oracle Outside In Library OOXML Overflow

2012-02-03T00:00:00
ID SAINT:5041480F77B9A8B9C44B9CB9BA67AD02
Type saint
Reporter SAINT Corporation
Modified 2012-02-03T00:00:00

Description

Added: 02/03/2012
CVE: CVE-2012-0110
BID: 51452
OSVDB: 78411

Background

Oracle Outside In is a suite of software development kits that gives developers a comprehensive solution to access, transform, and control the contents of over 500 unstructured file formats.

Problem

Outside In versions 8.3.5 through 8.3.7 fail to properly validate fields in Office Open XML (OOXML) documents. If a user opens a malicious OOXML document in a piece of software that uses the vulnerable SDK, an attacker could take over execution on the target's system.

Resolution

Because Outside In is an SDK, third-party applications distribute the libraries. Check with your application provider to make sure you are running the latest version of the affected software.

References

<http://www.zerodayinitiative.com/advisories/ZDI-12-017/>
<http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html>
<http://www.kb.cert.org/vuls/id/738961>

Limitations

This exploit has been tested against Avantstar Quick View Plus 11.1.0 Standard Edition and ACD Systems Canvas 12 running on Windows XP SP3 English (DEP OptIn). The 'zip' utility must be installed on the system that is running the exploit.

Platforms

Avantstar Quick View Plus 11.1.0 Standard
ACD Systems Canvas 12