Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
seebugRootSSV:96699
HistoryOct 16, 2017 - 12:00 a.m.

Oracle OIT ImageExport libvs_bmp BMP BI_RLE8 Width Code Execution Vulnerability(CVE-2016-3596)

2017-10-1600:00:00
Root
www.seebug.org
11

0.003 Low

EPSS

Percentile

68.6%

JSON

Description

When parsing a specially crafted BMP file, an erroneous memory copy operation can cause a heap buffer overflow leading to arbitrary code execution.

Tested Versions

Oracle Outside In Technology Content Access SDK 8.5.1.

Product URLs

http://www.oracle.com/technetwork/middleware/content-management/oit-all-085236.html

Details

While parsing a specially crafted BMP file, an unchecked value specifying bitmap width is used to calculate the size for the memory write operation. Compression method must be set to 0x01 or BI_RLE8. While reading the file, a piece of memory on the heap is effectively overwritten by zeros. The size of this overwrite is unchecked and comes straight from the bitmap width. This can lead to heap data structures overwrite with NULL bytes. In the supplied testcase, the out of bounds null byte write overwrites a function pointer which leads to a crash. By carefully tweaking the size of the overwrite, a function pointer on the heap can be manipulated and arbitrary code execution achieved.

The supplied testcase has compression method bit set to 0x1 at offset 0x1E. BMP image data has the width field set to 0x4141 which gets used in the size of the overflow. The overflow happens in the function VwStreamRead in libvs_bmp.so (image base being 0xb7f80000), specifically in the following basic block:

.text:B7F826A9 loc_B7F826A9:
.text:B7F826A9 mov     byte ptr [ebp+0], 0
.text:B7F826AD add     ebp, 1
.text:B7F826B0 lea     eax, [edx+ebp]
.text:B7F826B3 cmp     word ptr [esp+1DCh+var_150], ax
.text:B7F826BB ja      short loc_B7F82

Notice that the basic block loops back to itself as long as ax is less than esp+1DCh+var_150 which contains the bitmap width value. Initial value of ebp is a heap pointer and memory starting at ebp gets overwritten by zeros without bounds checking, resulting in heap corruption.

The vulnerability can be triggered with the supplied testcase in the ixsample application supplied with the SDK. The same vulnerability can be triggered through a specially crafted ICO file that contains the same BMP data.

Timeline

  • 2015-10-19 - Discovery
  • 2016-04-20 - Initial Vendor Communication
  • 2016-07-19 - Public Release

Related

talos 1
prion 17
ibm 3
cvelist 17
cve 17
mscve 1
nessus 1
oracle 1
talos
talos
Oracle OIT ImageExport libvs_bmp BMP BI_RLE8 Width Code Execution Vulnerability
2016-07-19 00:00:00
prion
prion
Design/Logic Flaw
2016-07-21 10:14:00
Design/Logic Flaw
2016-07-21 10:14:00
Design/Logic Flaw
2016-07-21 10:14:00
ibm
ibm
Security Bulletin: Multiple Oracle Outside In Technology (OIT) July 2016 CPU in IBM Content Collector for Email
2018-06-17 12:17:03
Security Bulletin: Multiple Vulnerabilities in Oracle Outside In Technology affect IBM Rational DOORS Next Generation (CVE-2016-3574, CVE-2016-3575, etc)
2018-06-17 05:15:44
Security Bulletin: Vulnerabilies (17 total) in Oracle Outside In Technology (OIT) affect FileNet Content Manager and IBM Content Foundation
2018-06-17 12:16:38
cvelist
cvelist
CVE-2016-3574
2016-07-21 10:00:00
CVE-2016-3576
2016-07-21 10:00:00
CVE-2016-3590
2016-07-21 10:00:00
cve
cve
CVE-2016-3576
2016-07-21 10:14:00
CVE-2016-3577
2016-07-21 10:14:00
CVE-2016-3581
2016-07-21 10:14:00
mscve
mscve
Oracle Outside In Vulnerabilities
2016-09-13 07:00:00
nessus
nessus
MS16-108: Security Update for Microsoft Exchange Server (3185883)
2016-09-13 00:00:00
oracle
oracle
Oracle Critical Patch Update - July 2016
2016-07-19 00:00:00

0.003 Low

EPSS

Percentile

68.6%

JSON
Related for SSV:96699
talos1prion17ibm3cvelist17cve17mscve1nessus1oracle1