Oracle OIT IX SDK libvs_pdf Kids List Information Leak(CVE-2016-3574)
2017-10-16T00:00:00
ID SSV:96703 Type seebug Reporter Root Modified 2017-10-16T00:00:00
DESCRIPTION
When parsing a specially crafted PDF document, the parser expects a pointer at a location where a string is stored, leading to a read access violation with a controlled source operand.
While parsing a malformed PDF file containing an object with a malformed /Kids reference, the value immediately after the /Kids element is interpreted as a string where an array of references should be located. The parser then expects a pointer at the location where the string copied from the file is stored, resulting in an arbitrary read access violation. In a properly formatted PDF file, an array of at least one reference must follow the /Kids element.
In the supplied testcase, an ASCII value after the /Kids element is placed on the heap and is later referenced by the parser and wrongfully interpreted as a pointer. The bug appears in libvs_pdf.so (with base address 0xB74BF000):
.text:B74E71DB mov eax, [eax] [1]
.text:B74E71DD mov edi, [esp+5Ch+var_24]
.text:B74E71E1 mov eax, [eax+edi*4] [2]
.text:B74E71E4 mov [esp+5Ch+var_4C], eax
.text:B74E71E8 mov ecx, [esp+5Ch+var_34]
.text:B74E71EC mov edx, [esp+5Ch+var_48]
At [1], eax points to the string copied from the file into the heap. The first four bytes of the string are used in the memory access calculation at [2], causing an arbitrary ReadAV.
If the value calculated at [2] ends up pointing to valid memory, the read at the controlled address succeeds. The read value is later used again as a pointer during a cmp instruction.
If the value after the /Kids element is a pure integer, a different code path is reached and the integer value is interpreted as a pointer, resulting in a fully controlled arbitrary read at:
.text:B74E718A mov eax, [esp+5Ch+var_18]
.text:B74E718E mov eax, [eax]
.text:B74E7190 xor edx, edx
.text:B74E7192 mov edi, [eax+4] [1]
.text:B74E7195 test edi, edi
.text:B74E7197 jz loc_B74E72A2
The value of eax at [1] in the above basic block is the integer value following the /Kids element in the file, making this a fully controlled arbitrary read. Furthermore, the read value ends up being used as a pointer at the start of the basic block mentioned first, leading to a doubly controlled dereference.
With the integer value following the /Kids element equal to 1094795585 (or 0x41414141), the application crashes in the following way:
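As an added illustration (not code from the advisory, the testcase, or Oracle's library), the following Python sketch shows the type check a /Pages parser needs before using whatever follows /Kids: it accepts only a non-empty array of indirect references and rejects both the string and the pure-integer shapes described above. The sample objects, the Ref class and the MalformedKids exception are constructed here for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample objects (not the advisory's testcase): a well-formed
# /Pages object and the two malformed shapes the advisory describes.
VALID_PAGES = "<< /Type /Pages /Kids [4 0 R 5 0 R] /Count 2 >>"
KIDS_AS_STRING = "<< /Type /Pages /Kids (AAAA) /Count 1 >>"
KIDS_AS_INTEGER = "<< /Type /Pages /Kids 1094795585 /Count 1 >>"


@dataclass(frozen=True)
class Ref:
    """An indirect object reference such as '4 0 R'."""
    num: int
    gen: int


class MalformedKids(ValueError):
    """Raised when /Kids is not a non-empty array of indirect references."""


# Tokenizer for the subset of PDF object syntax needed here. The reference
# alternative is tried before the bare integer so that '4 0 R' is not split.
_TOKEN = re.compile(r"""
    (?P<ref>\d+\s+\d+\s+R(?![A-Za-z0-9]))
  | (?P<int>[+-]?\d+)
  | (?P<name>/[^\s/\[\]<>()]*)
  | (?P<string>\((?:[^()\\]|\\.)*\))
  | (?P<punct><<|>>|\[|\])
  | (?P<ws>\s+)
""", re.VERBOSE)


def tokenize(src):
    """Split a dictionary/array source string into (kind, text) tokens."""
    pos, tokens = 0, []
    while pos < len(src):
        m = _TOKEN.match(src, pos)
        if m is None:
            raise ValueError(f"unexpected input at offset {pos}: {src[pos:pos + 10]!r}")
        pos = m.end()
        if m.lastgroup != "ws":
            tokens.append((m.lastgroup, m.group()))
    return tokens


def _parse(tokens, i):
    """Parse one object starting at tokens[i]; return (value, next_index)."""
    kind, text = tokens[i]
    if kind == "ref":
        num, gen, _ = text.split()
        return Ref(int(num), int(gen)), i + 1
    if kind == "int":
        return int(text), i + 1
    if kind == "name":
        return text, i + 1                    # names keep their slash, e.g. '/Kids'
    if kind == "string":
        return text[1:-1].encode("latin-1"), i + 1  # raw bytes; escapes not decoded
    if text == "[":
        items, i = [], i + 1
        while tokens[i][1] != "]":            # IndexError if the array is unterminated
            item, i = _parse(tokens, i)
            items.append(item)
        return items, i + 1
    if text == "<<":
        d, i = {}, i + 1
        while tokens[i][1] != ">>":
            key, i = _parse(tokens, i)
            if not isinstance(key, str):
                raise ValueError("dictionary key is not a name")
            d[key], i = _parse(tokens, i)
        return d, i + 1
    raise ValueError(f"unexpected token {text!r}")


def kids_refs(src):
    """Return the /Kids references of a /Pages dictionary or raise MalformedKids.

    This is the check the advisory's parser lacks: the value after /Kids is
    used only if it is a non-empty array whose every element is an indirect
    reference. A string or an integer in that position is rejected instead of
    being handed on as if it were a pointer.
    """
    obj, _ = _parse(tokenize(src), 0)
    if not isinstance(obj, dict):
        raise MalformedKids("top-level object is not a dictionary")
    if "/Kids" not in obj:
        raise MalformedKids("/Kids entry missing")
    kids = obj["/Kids"]
    if not isinstance(kids, list):
        raise MalformedKids(f"/Kids is {type(kids).__name__}, expected array")
    if not kids:
        raise MalformedKids("/Kids array is empty")
    bad = [k for k in kids if not isinstance(k, Ref)]
    if bad:
        raise MalformedKids(f"/Kids contains non-reference element(s): {bad!r}")
    return kids


def classify(src):
    """Return 'ok' or 'rejected: <reason>' for a /Pages object source string."""
    try:
        kids_refs(src)
        return "ok"
    except (MalformedKids, ValueError, IndexError) as exc:
        return f"rejected: {exc}"
```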
Program received signal SIGSEGV, Segmentation fault.
0xb74e7192 in ?? () from /home/ea/oit_pdf/sdk/demo/libvs_pdf.so
Missing separate debuginfos, use: debuginfo-install libgcc-4.9.2-6.fc21.i686 libstdc++-4.9.2-6.fc21.i686
(gdb) exploitable
Description: Access violation on source operand
Short description: SourceAv (19/22)
Hash: 9240766c9eb6b90a82dca46b72483f92.6ab7c7b29ce914720061150720510f77
Exploitability Classification: UNKNOWN
Explanation: The target crashed on an access violation at an address matching the source operand of the current instruction. This likely indicates a read access violation.
Other tags: AccessViolation (21/22)
(gdb) x/i $pc
=> 0xb74e7192: mov edi,DWORD PTR [eax+0x4]
(gdb) i r
eax 0x41414141 1094795585
ecx 0x0 0
edx 0x0 0
ebx 0xb74f6998 -1219532392
esp 0xbfffdce0 0xbfffdce0
ebp 0xf 0xf
esi 0x80a46f8 134891256
edi 0x809e7c0 134866880
eip 0xb74e7192 0xb74e7192
eflags 0x10246 [ PF ZF IF RF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
(gdb)
It is possible that by carefully setting the value of the initially dereferenced pointer, more interesting code paths could be reached and, coupled with other bugs, lead to further abuse.
TIMELINE
2016-04-12 - Vendor Notification
2016-07-19 - Public Disclosure
{"type": "seebug", "viewCount": 1, "enchantments": {"score": {"value": 5.8, "vector": "NONE", "modified": "2017-11-19T12:24:29", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2016-3574"]}, {"type": "talos", "idList": ["TALOS-2016-0096"]}, {"type": "nessus", "idList": ["SMB_NT_MS16-108.NASL"]}, {"type": "mscve", "idList": ["MS:ADV160006"]}, {"type": "oracle", "idList": ["ORACLE:CPUJUL2016-2881720"]}], "modified": "2017-11-19T12:24:29", "rev": 2}, "vulnersScore": 5.8}, "reporter": "Root", "title": "Oracle OIT IX SDK libvs_pdf Kids List Information Leak(CVE-2016-3574)", "cvelist": ["CVE-2016-3574"], "bulletinFamily": "exploit", "sourceHref": "", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:PARTIAL/A:PARTIAL/"}, "references": [], "enchantments_done": [], "modified": "2017-10-16T00:00:00", "description": "### DESCRIPTION\r\nWhen parsing a specially crafted PDF document, the parser is expecting a pointer where string is located leading to a read access violation with a controlled source operand.\r\n\r\n### TESTED VERSIONS\r\nOracle Outside In IX SDK 8.5.1\r\n\r\n### PRODUCT URLs\r\nhttp://www.oracle.com/technetwork/middleware/content-management/oit-all-085236.html\r\n\r\n### DETAILS\r\nWhile parsing a malformed PDF file, with an object that contains malformed /Kids reference, the value right after the /Kids element is interpreted as a string, where an array of references should be located. This leads to parser expecting a pointer where the string copied from the file is located resulting in an arbitrary read access violation. In a properly formatted PDF file, an array of at least one reference must follow after `/Kids` element.\r\n\r\nIn the supplied testcase, an ASCII value after the /Kids element is placed on the heap and is later referenced by the parser, and wrongfully interpreted as a pointer. 
The bug appears in libvs_pdf.so (with base address 0x0xB74BF000):\r\n```\r\n.text:B74E71DB mov eax, [eax] [1]\r\n.text:B74E71DD mov edi, [esp+5Ch+var_24]\r\n.text:B74E71E1 mov eax, [eax+edi*4] [2]\r\n.text:B74E71E4 mov [esp+5Ch+var_4C], eax\r\n.text:B74E71E8 mov ecx, [esp+5Ch+var_34]\r\n.text:B74E71EC mov edx, [esp+5Ch+var_48]\r\n```\r\n\r\nAt [1], `eax` points to the string copied from the file into the heap. First four bytes of the string are used in the memory access calculation at [2] causing an arbitrary ReadAV.\r\n\r\nIf the value calculated at [2] ends up pointing to valid memory, the read will succeed at the controlled address. The read value is later again used as a pointer during a `cmp` instruction.\r\n\r\nIf the value after the /Kids element is a pure integer, a different code path is reached and the integer value is interpreted as a pointer resulting in a fully controlled arbitrary read at:\r\n```\r\n.text:B74E718A mov eax, [esp+5Ch+var_18]\r\n.text:B74E718E mov eax, [eax]\r\n.text:B74E7190 xor edx, edx\r\n.text:B74E7192 mov edi, [eax+4] [1]\r\n.text:B74E7195 test edi, edi\r\n.text:B74E7197 jz loc_B74E72A2\r\n```\r\n\r\nValue of `eax` at [1] in the above basic block is the integer value following the `/Kids` element in the file making a fully controlled arbitrary read. Further more, the read value ends up being used as a pointer at the start of the basic block mentioned first leading to a double controlled dereference.\r\n\r\nWith the integer value following the `/Kids` element equal to 1094795585 (or 0x41414141) the application crashes in the following way :\r\n```\r\nProgram received signal SIGSEGV, Segmentation fault.\r\n0xb74e7192 in ?? 
() from /home/ea/oit_pdf/sdk/demo/libvs_pdf.so\r\nMissing separate debuginfos, use: debuginfo-install libgcc-4.9.2-6.fc21.i686 libstdc++-4.9.2-6.fc21.i686\r\n(gdb) exploitable\r\nDescription: Access violation on source operand\r\nShort description: SourceAv (19/22)\r\nHash: 9240766c9eb6b90a82dca46b72483f92.6ab7c7b29ce914720061150720510f77\r\nExploitability Classification: UNKNOWN\r\nExplanation: The target crashed on an access violation at an address matching the source operand of the current instruction. This likely indicates a read access violation.\r\nOther tags: AccessViolation (21/22)\r\n(gdb) x/i $pc\r\n=> 0xb74e7192: mov edi,DWORD PTR [eax+0x4]\r\n(gdb) i r \r\neax 0x41414141 1094795585\r\necx 0x0 0\r\nedx 0x0 0\r\nebx 0xb74f6998 -1219532392\r\nesp 0xbfffdce0 0xbfffdce0\r\nebp 0xf 0xf\r\nesi 0x80a46f8 134891256\r\nedi 0x809e7c0 134866880\r\neip 0xb74e7192 0xb74e7192\r\neflags 0x10246 [ PF ZF IF RF ]\r\ncs 0x73 115\r\nss 0x7b 123\r\nds 0x7b 123\r\nes 0x7b 123\r\nfs 0x0 0\r\ngs 0x33 51\r\n(gdb) \r\n```\r\n\r\nIt is possible that by carefully setting the value of the initially dereferenced pointer, more interesting code paths could be reached and, coupled with other bugs, lead to further abuse.\r\n\r\n### TIMELINE\r\n* 2016-04-12 - Vendor Notification \r\n* 2016-07-19 \u2013 Public Disclosure", "href": "https://www.seebug.org/vuldb/ssvid-96703", "id": "SSV:96703", "status": "cve,details", "lastseen": "2017-11-19T12:24:29", "sourceData": "", "published": "2017-10-16T00:00:00"}
{"cve": [{"lastseen": "2020-10-03T12:10:45", "description": "Unspecified vulnerability in the Outside In Technology component in Oracle Fusion Middleware 8.5.0, 8.5.1, and 8.5.2 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Outside In Filters, a different vulnerability than CVE-2016-3575, CVE-2016-3576, CVE-2016-3577, CVE-2016-3578, CVE-2016-3579, CVE-2016-3580, CVE-2016-3581, CVE-2016-3582, CVE-2016-3583, CVE-2016-3590, CVE-2016-3591, CVE-2016-3592, CVE-2016-3593, CVE-2016-3594, CVE-2016-3595, and CVE-2016-3596.", "edition": 3, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "baseScore": 8.6, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 4.7}, "published": "2016-07-21T10:14:00", "title": "CVE-2016-3574", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 8.5, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3574"], "modified": "2017-09-01T01:29:00", "cpe": ["cpe:/a:oracle:outside_in_technology:8.5.1", "cpe:/a:oracle:outside_in_technology:8.5.0", "cpe:/a:oracle:outside_in_technology:8.5.2"], "id": "CVE-2016-3574", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3574", "cvss": {"score": 9.0, "vector": 
"AV:N/AC:L/Au:N/C:C/I:P/A:P"}, "cpe23": ["cpe:2.3:a:oracle:outside_in_technology:8.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:outside_in_technology:8.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:outside_in_technology:8.5.2:*:*:*:*:*:*:*"]}], "talos": [{"lastseen": "2020-07-01T21:25:29", "bulletinFamily": "info", "cvelist": ["CVE-2016-3574"], "description": "# Talos Vulnerability Report\n\n### TALOS-2016-0096\n\n## Oracle OIT IX SDK libvs_pdf Kids List Information Leak\n\n##### July 19, 2016\n\n##### CVE Number\n\nCVE-2016-3574\n\n### DESCRIPTION\n\nWhen parsing a specially crafted PDF document, the parser is expecting a pointer where string is located leading to a read access violation with a controlled source operand.\n\n### TESTED VERSIONS\n\n * Oracle Outside In IX SDK 8.5.1\n\n### PRODUCT URLs\n\nhttp://www.oracle.com/technetwork/middleware/content-management/oit-all-085236.html\n\n### DETAILS\n\nWhile parsing a malformed PDF file, with an object that contains malformed /Kids reference, the value right after the /Kids element is interpreted as a string, where an array of references should be located. This leads to parser expecting a pointer where the string copied from the file is located resulting in an arbitrary read access violation. In a properly formatted PDF file, an array of at least one reference must follow after `/Kids` element.\n\nIn the supplied testcase, an ASCII value after the /Kids element is placed on the heap and is later referenced by the parser, and wrongfully interpreted as a pointer. The bug appears in libvs_pdf.so (with base address 0x0xB74BF000):\n \n \n .text:B74E71DB mov eax, [eax]\t\t\t\t[1]\n .text:B74E71DD mov edi, [esp+5Ch+var_24]\n .text:B74E71E1 mov eax, [eax+edi*4]\t\t\t[2]\n .text:B74E71E4 mov [esp+5Ch+var_4C], eax\n .text:B74E71E8 mov ecx, [esp+5Ch+var_34]\n .text:B74E71EC mov edx, [esp+5Ch+var_48]\n \n\nAt [1], `eax` points to the string copied from the file into the heap. 
First four bytes of the string are used in the memory access calculation at [2] causing an arbitrary ReadAV.\n\nIf the value calculated at [2] ends up pointing to valid memory, the read will succeed at the controlled address. The read value is later again used as a pointer during a `cmp` instruction.\n\nIf the value after the /Kids element is a pure integer, a different code path is reached and the integer value is interpreted as a pointer resulting in a fully controlled arbitrary read at:\n \n \n .text:B74E718A mov eax, [esp+5Ch+var_18]\n .text:B74E718E mov eax, [eax]\n .text:B74E7190 xor edx, edx\n .text:B74E7192 mov edi, [eax+4] \t\t[1]\n .text:B74E7195 test edi, edi\n .text:B74E7197 jz loc_B74E72A2\n \n\nValue of `eax` at [1] in the above basic block is the integer value following the `/Kids` element in the file making a fully controlled arbitrary read. Further more, the read value ends up being used as a pointer at the start of the basic block mentioned first leading to a double controlled dereference.\n\nWith the integer value following the `/Kids` element equal to 1094795585 (or 0x41414141) the application crashes in the following way :\n \n \n Program received signal SIGSEGV, Segmentation fault.\n 0xb74e7192 in ?? () from /home/ea/oit_pdf/sdk/demo/libvs_pdf.so\n Missing separate debuginfos, use: debuginfo-install libgcc-4.9.2-6.fc21.i686 libstdc++-4.9.2-6.fc21.i686\n (gdb) exploitable\n Description: Access violation on source operand\n Short description: SourceAv (19/22)\n Hash: 9240766c9eb6b90a82dca46b72483f92.6ab7c7b29ce914720061150720510f77\n Exploitability Classification: UNKNOWN\n Explanation: The target crashed on an access violation at an address matching the source operand of the current instruction. 
This likely indicates a read access violation.\n Other tags: AccessViolation (21/22)\n (gdb) x/i $pc\n => 0xb74e7192:\tmov edi,DWORD PTR [eax+0x4]\n (gdb) i r \n eax 0x41414141\t1094795585\n ecx 0x0\t0\n edx 0x0\t0\n ebx 0xb74f6998\t-1219532392\n esp 0xbfffdce0\t0xbfffdce0\n ebp 0xf\t0xf\n esi 0x80a46f8\t134891256\n edi 0x809e7c0\t134866880\n eip 0xb74e7192\t0xb74e7192\n eflags 0x10246\t[ PF ZF IF RF ]\n cs 0x73\t115\n ss 0x7b\t123\n ds 0x7b\t123\n es 0x7b\t123\n fs 0x0\t0\n gs 0x33\t51\n (gdb) \n \n\nIt is possible that by carefully setting the value of the initially dereferenced pointer, more interesting code paths could be reached and, coupled with other bugs, lead to further abuse.\n\n### TIMELINE\n\n2016-04-12 - Vendor Notification \n2016-07-19 \u2013 Public Disclosure \n\n\n##### Credit\n\nDiscovered by Aleksandar Nikolic of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2016-0097\n\nPrevious Report\n\nTALOS-2016-0186\n", "edition": 10, "modified": "2016-07-19T00:00:00", "published": "2016-07-19T00:00:00", "id": "TALOS-2016-0096", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0096", "title": "Oracle OIT IX SDK libvs_pdf Kids List Information Leak", "type": "talos", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:N/C:C/I:P/A:P"}}], "mscve": [{"lastseen": "2020-08-07T11:48:19", "bulletinFamily": "microsoft", "cvelist": ["CVE-2016-3592", "CVE-2016-3574", "CVE-2016-3580", "CVE-2016-3596", "CVE-2016-3583", "CVE-2016-3577", "CVE-2016-3591", "CVE-2016-3593", "CVE-2016-3581", "CVE-2016-3578", "CVE-2016-3575", "CVE-2015-6014", "CVE-2016-3576", "CVE-2016-3595", "CVE-2016-3582", "CVE-2016-3579", "CVE-2016-3594", "CVE-2016-3590"], "description": "This security update addresses the following vulnerabilities, which are described in [Oracle Critical Patch Update Advisory \u2013 July 2016](<http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html>)\n\nRemote Code Execution: CVE-2016-3575, CVE-2016-3581, 
CVE-2016-3582, CVE-2016-3583, CVE-2016-3595, CVE-2016-3594, CVE-2015-6014, CVE-2016-3593, CVE-2016-3592, CVE-2016-3596, CVE-2016-3591\n\nInformation Disclosure: CVE-2016-3574\n\nDenial of Service: CVE-2016-3576, CVE-2016-3577, CVE-2016-3578, CVE-2016-3579, CVE-2016-3580, CVE-2016-3590\n", "edition": 2, "modified": "2016-09-13T07:00:00", "id": "MS:ADV160006", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV160006", "published": "2016-09-13T07:00:00", "title": "Oracle Outside In Vulnerabilities", "type": "mscve", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-01T05:43:52", "description": "The remote Microsoft Exchange Server is missing a security update. It\nis, therefore, affected by multiple vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in\n the Oracle Outside In libraries. An unauthenticated,\n remote attacker can exploit these, via a specially\n crafted email, to execute arbitrary code.\n (CVE-2015-6014, CVE-2016-3575, CVE-2016-3581,\n CVE-2016-3582, CVE-2016-3583, CVE-2016-3591,\n CVE-2016-3592, CVE-2016-3593, CVE-2016-3594,\n CVE-2016-3595, CVE-2016-3596)\n\n - An unspecified information disclosure vulnerability\n exists in the Oracle Outside In libraries that allows an\n attacker to disclose sensitive information.\n (CVE-2016-3574)\n\n - Multiple denial of service vulnerabilities exists in the\n Oracle Outside In libraries. (CVE-2016-3576,\n CVE-2016-3577, CVE-2016-3578, CVE-2016-3579,\n CVE-2016-3580, CVE-2016-3590)\n\n - An information disclosure vulnerability exists due to\n improper parsing of certain unstructured file formats.\n An unauthenticated, remote attacker can exploit this,\n via a crafted email using 'send as' rights, to disclose\n confidential user information. (CVE-2016-0138)\n\n - An open redirect vulnerability exists due to improper\n handling of open redirect requests. 
An unauthenticated,\n remote attacker can exploit this, by convincing a user\n to click a specially crafted URL, to redirect the user\n to a malicious website that spoofs a legitimate one.\n (CVE-2016-3378)\n\n - An elevation of privilege vulnerability exists due to\n improper handling of meeting invitation requests. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted Outlook meeting invitation request,\n to gain elevated privileges. (CVE-2016-3379)", "edition": 31, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2016-09-13T00:00:00", "title": "MS16-108: Security Update for Microsoft Exchange Server (3185883)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3379", "CVE-2016-3592", "CVE-2016-3574", "CVE-2016-0138", "CVE-2016-3580", "CVE-2016-3596", "CVE-2016-3583", "CVE-2016-3577", "CVE-2016-3591", "CVE-2016-3593", "CVE-2016-3581", "CVE-2016-3578", "CVE-2016-3575", "CVE-2015-6014", "CVE-2016-3576", "CVE-2016-3595", "CVE-2016-3582", "CVE-2016-3378", "CVE-2016-3579", "CVE-2016-3594", "CVE-2016-3590"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:microsoft:exchange_server"], "id": "SMB_NT_MS16-108.NASL", "href": "https://www.tenable.com/plugins/nessus/93467", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(93467);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2019/11/19\");\n\n script_cve_id(\n \"CVE-2015-6014\",\n \"CVE-2016-0138\",\n \"CVE-2016-3378\",\n \"CVE-2016-3379\",\n \"CVE-2016-3574\",\n \"CVE-2016-3575\",\n \"CVE-2016-3576\",\n \"CVE-2016-3577\",\n \"CVE-2016-3578\",\n \"CVE-2016-3579\",\n \"CVE-2016-3580\",\n \"CVE-2016-3581\",\n \"CVE-2016-3582\",\n \"CVE-2016-3583\",\n \"CVE-2016-3590\",\n \"CVE-2016-3591\",\n \"CVE-2016-3592\",\n \"CVE-2016-3593\",\n \"CVE-2016-3594\",\n \"CVE-2016-3595\",\n \"CVE-2016-3596\"\n );\n script_bugtraq_id(\n 81233,\n 91908,\n 91914,\n 91921,\n 
91923,\n 91924,\n 91925,\n 91927,\n 91929,\n 91931,\n 91933,\n 91934,\n 91935,\n 91936,\n 91937,\n 91939,\n 91940,\n 91942,\n 92806,\n 92833,\n 92836\n );\n script_xref(name:\"MSFT\", value:\"MS16-108\");\n script_xref(name:\"MSKB\", value:\"3184711\");\n script_xref(name:\"MSKB\", value:\"3184728\");\n script_xref(name:\"MSKB\", value:\"3184736\");\n\n script_name(english:\"MS16-108: Security Update for Microsoft Exchange Server (3185883)\");\n script_summary(english:\"Checks the version of ExSetup.exe.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Microsoft Exchange Server is affected by multiple\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Microsoft Exchange Server is missing a security update. It\nis, therefore, affected by multiple vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in\n the Oracle Outside In libraries. An unauthenticated,\n remote attacker can exploit these, via a specially\n crafted email, to execute arbitrary code.\n (CVE-2015-6014, CVE-2016-3575, CVE-2016-3581,\n CVE-2016-3582, CVE-2016-3583, CVE-2016-3591,\n CVE-2016-3592, CVE-2016-3593, CVE-2016-3594,\n CVE-2016-3595, CVE-2016-3596)\n\n - An unspecified information disclosure vulnerability\n exists in the Oracle Outside In libraries that allows an\n attacker to disclose sensitive information.\n (CVE-2016-3574)\n\n - Multiple denial of service vulnerabilities exists in the\n Oracle Outside In libraries. (CVE-2016-3576,\n CVE-2016-3577, CVE-2016-3578, CVE-2016-3579,\n CVE-2016-3580, CVE-2016-3590)\n\n - An information disclosure vulnerability exists due to\n improper parsing of certain unstructured file formats.\n An unauthenticated, remote attacker can exploit this,\n via a crafted email using 'send as' rights, to disclose\n confidential user information. (CVE-2016-0138)\n\n - An open redirect vulnerability exists due to improper\n handling of open redirect requests. 
An unauthenticated,\n remote attacker can exploit this, by convincing a user\n to click a specially crafted URL, to redirect the user\n to a malicious website that spoofs a legitimate one.\n (CVE-2016-3378)\n\n - An elevation of privilege vulnerability exists due to\n improper handling of meeting invitation requests. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted Outlook meeting invitation request,\n to gain elevated privileges. (CVE-2016-3379)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2016/ms16-108\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Exchange Server 2007,\n2010, 2013, and 2016.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-6014\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/07/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/09/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/09/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:exchange_server\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ms_bulletin_checks_possible.nasl\", \"microsoft_exchange_installed.nbin\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS16-108';\nkbs = make_list(\"3184711\", \"3184728\", \"3184736\");\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\ninstall = get_single_install(app_name:\"Microsoft Exchange\");\n\npath = install[\"path\"];\nversion = install[\"version\"];\nrelease = install[\"RELEASE\"];\nif (release != 80 && release != 140 && release != 150 && release != 151)\n audit(AUDIT_INST_VER_NOT_VULN, 'Exchange', version);\n\nif (!empty_or_null(install[\"SP\"]))\n sp = install[\"SP\"];\nif (!empty_or_null(install[\"CU\"]))\n cu = install[\"CU\"];\n\nif (((release == 150 || release == 151) && isnull(cu)) ||\n (release == 150 && cu != 4 && cu != 12 && cu != 13) ||\n (release == 151 && cu != 1 && cu != 2))\n audit(AUDIT_INST_VER_NOT_VULN, 'Exchange', version);\n\nif (release == 80)\n{\n kb = \"3184711\";\n if (!empty_or_null(sp) && sp == 3)\n fixedver = \"8.3.485.1\";\n}\nelse if (release == 140)\n{\n kb = \"3184728\";\n if (!empty_or_null(sp) && sp == 3)\n fixedver = \"14.3.319.2\";\n}\nelse if (release == 150) # 2013 SP1 AKA CU4\n{\n kb = \"3184736\";\n if (cu == 4)\n fixedver = \"15.0.847.50\";\n else if (cu == 12)\n fixedver = \"15.0.1178.9\";\n else if (cu == 13)\n fixedver = \"15.0.1210.6\";\n}\nelse if (release == 151) # Exchange Server 2016\n{\n kb = \"3184736\";\n if (cu == 1)\n fixedver = \"15.1.396.37\";\n else if (cu == 2)\n fixedver = \"15.1.466.37\";\n}\n\nif (fixedver 
&& hotfix_is_vulnerable(path:hotfix_append_path(path:path, value:\"Bin\"), file:\"ExSetup.exe\", version:fixedver, bulletin:bulletin, kb:kb))\n{\n set_kb_item(name:'SMB/Missing/' + bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "oracle": [{"lastseen": "2019-05-29T18:21:07", "bulletinFamily": "software", "cvelist": ["CVE-2015-5600", "CVE-2016-5465", "CVE-2015-4000", "CVE-2016-3446", "CVE-2016-3508", "CVE-2016-3547", "CVE-2016-3529", "CVE-2016-5452", "CVE-2016-5445", "CVE-2016-1548", "CVE-2016-2518", "CVE-2016-3485", "CVE-2016-3444", "CVE-2015-1792", "CVE-2014-3566", "CVE-2016-3552", "CVE-2015-0235", "CVE-2016-3615", "CVE-2015-1793", "CVE-2016-3491", "CVE-2016-3553", "CVE-2016-3477", "CVE-2016-3613", "CVE-2016-5477", "CVE-2016-3488", "CVE-2015-3197", "CVE-2016-3592", "CVE-2016-3573", "CVE-2016-3494", "CVE-2016-5466", "CVE-2016-5019", "CVE-2015-3236", "CVE-2016-3544", "CVE-2014-3572", "CVE-2016-0705", "CVE-2016-3545", "CVE-2016-3611", "CVE-2015-7181", "CVE-2015-0206", "CVE-2015-1789", "CVE-2016-3597", "CVE-2016-3598", "CVE-2016-5455", "CVE-2016-3574", "CVE-2015-8138", "CVE-2016-3500", "CVE-2016-5472", "CVE-2016-4051", "CVE-2016-3445", "CVE-2016-5454", "CVE-2016-3554", "CVE-2016-5458", "CVE-2015-3195", "CVE-2016-0798", "CVE-2016-3570", "CVE-2016-3432", "CVE-2016-3515", "CVE-2016-2108", "CVE-2016-5447", "CVE-2016-3474", "CVE-2016-3528", "CVE-2016-5440", "CVE-2016-3580", "CVE-2014-3571", "CVE-2016-5450", "CVE-2016-3496", "CVE-2016-3555", "CVE-2016-3596", "CVE-2016-1938", "CVE-2016-5468", "CVE-2016-3481", "CVE-2016-3563", "CVE-2016-0799", "CVE-2016-3539", "CVE-2016-3507", "CVE-2016-3584", "CVE-2016-3519", "CVE-2016-5460", "CVE-2016-3472", "CVE-2016-3583", "CVE-2016-5471", "CVE-2016-3511", "CVE-2016-3479", "CVE-2016-3499", "CVE-2013-2064", "CVE-2014-0224", "CVE-2016-5467", 
"CVE-2016-0635", "CVE-2016-3498", "CVE-2016-2105", "CVE-2016-3560", "CVE-2016-3514", "CVE-2016-5453", "CVE-2016-3440", "CVE-2016-4052", "CVE-2015-3194", "CVE-2016-2107", "CVE-2016-3607", "CVE-2016-3556", "CVE-2016-3512", "CVE-2016-3532", "CVE-2015-7501", "CVE-2016-1550", "CVE-2016-3475", "CVE-2015-3253", "CVE-2016-0701", "CVE-2016-3476", "CVE-2016-3588", "CVE-2016-3424", "CVE-2016-3471", "CVE-2016-1182", "CVE-2015-7704", "CVE-2016-3585", "CVE-2016-5444", "CVE-2016-3538", "CVE-2014-8275", "CVE-2016-3452", "CVE-2015-7979", "CVE-2016-3549", "CVE-2016-0797", "CVE-2015-7182", "CVE-2016-0702", "CVE-2015-2808", "CVE-2014-3570", "CVE-2016-5451", "CVE-2015-7575", "CVE-2016-3577", "CVE-2016-3591", "CVE-2016-3567", "CVE-2016-3467", "CVE-2016-3537", "CVE-2016-3593", "CVE-2016-3606", "CVE-2016-5456", "CVE-2016-3468", "CVE-2016-3540", "CVE-2016-2109", "CVE-2016-3559", "CVE-2016-5476", "CVE-2015-2721", "CVE-2016-3530", "CVE-2015-3193", "CVE-2014-9708", "CVE-2016-5473", "CVE-2016-3568", "CVE-2016-3453", "CVE-2016-5464", "CVE-2016-5462", "CVE-2016-3490", "CVE-2016-3572", "CVE-2016-3513", "CVE-2012-3137", "CVE-2015-0228", "CVE-2016-3509", "CVE-2015-3237", "CVE-2016-3565", "CVE-2016-5437", "CVE-2016-3534", "CVE-2016-3503", "CVE-2015-7183", "CVE-2016-3550", "CVE-2015-1788", "CVE-2016-3525", "CVE-2016-3587", "CVE-2016-3561", "CVE-2016-3504", "CVE-2016-3581", "CVE-2016-3501", "CVE-2016-5457", "CVE-2016-1547", "CVE-2015-3183", "CVE-2016-3614", "CVE-2012-3410", "CVE-2016-5461", "CVE-2016-5439", "CVE-2015-0204", "CVE-2016-5449", "CVE-2016-3578", "CVE-2016-3527", "CVE-2016-0800", "CVE-2016-3489", "CVE-2016-3483", "CVE-2016-3433", "CVE-2016-5459", "CVE-2016-1181", "CVE-2016-3450", "CVE-2016-3524", "CVE-2016-5442", "CVE-2016-3564", "CVE-2016-5470", "CVE-2013-2566", "CVE-2016-2176", "CVE-2015-1790", "CVE-2016-3542", "CVE-2016-1978", "CVE-2016-3575", "CVE-2016-3531", "CVE-2016-3502", "CVE-2016-3459", "CVE-2016-5446", "CVE-2016-3480", "CVE-2016-3533", "CVE-2016-5469", "CVE-2016-3526", 
"CVE-2016-5448", "CVE-2016-3486", "CVE-2016-3448", "CVE-2016-5474", "CVE-2016-5436", "CVE-2016-3523", "CVE-2016-5441", "CVE-2016-5475", "CVE-2016-3576", "CVE-2016-3595", "CVE-2016-3610", "CVE-2016-3458", "CVE-2016-3484", "CVE-2016-3586", "CVE-2016-3520", "CVE-2016-3451", "CVE-2016-3582", "CVE-2015-5300", "CVE-2016-3497", "CVE-2016-3589", "CVE-2016-3517", "CVE-2016-3608", "CVE-2016-3510", "CVE-2016-3493", "CVE-2016-3536", "CVE-2016-3548", "CVE-2016-3506", "CVE-2016-3571", "CVE-2016-3487", "CVE-2016-3546", "CVE-2016-5463", "CVE-2016-3541", "CVE-2016-3081", "CVE-2016-3521", "CVE-2015-0205", "CVE-2016-4053", "CVE-2016-3579", "CVE-2016-5443", "CVE-2016-3557", "CVE-2016-3558", "CVE-2016-2106", "CVE-2016-3594", "CVE-2016-3478", "CVE-2016-3522", "CVE-2016-3535", "CVE-2016-3543", "CVE-2016-3612", "CVE-2014-3569", "CVE-2016-3470", "CVE-2016-3518", "CVE-2016-3516", "CVE-2015-1791", "CVE-2016-3569", "CVE-2016-3482", "CVE-2016-3590", "CVE-2015-8104", "CVE-2016-3609", "CVE-2016-3566", "CVE-2016-3469"], "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. 
Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\nThis Critical Patch Update contains 276 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at <https://blogs.oracle.com/security>.\n\nPlease note that the vulnerabilities in this Critical Patch Update are scored using version 3.0 of Common Vulnerability Scoring Standard (CVSS).\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available [here](<http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>).\n", "modified": "2016-10-18T00:00:00", "published": "2016-07-19T00:00:00", "id": "ORACLE:CPUJUL2016-2881720", "href": "", "type": "oracle", "title": "Oracle Critical Patch Update - July 2016", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-04T21:16:01", "bulletinFamily": "software", "cvelist": ["CVE-2012-3137", "CVE-2012-3410", "CVE-2013-2064", "CVE-2013-2566", "CVE-2014-0224", "CVE-2014-3566", "CVE-2014-3569", "CVE-2014-3570", "CVE-2014-3571", "CVE-2014-3572", "CVE-2014-8275", "CVE-2014-9708", "CVE-2015-0204", "CVE-2015-0205", "CVE-2015-0206", "CVE-2015-0228", "CVE-2015-0235", "CVE-2015-1788", "CVE-2015-1789", "CVE-2015-1790", "CVE-2015-1791", "CVE-2015-1792", "CVE-2015-1793", "CVE-2015-2721", "CVE-2015-2808", "CVE-2015-3183", "CVE-2015-3193", "CVE-2015-3194", "CVE-2015-3195", "CVE-2015-3197", "CVE-2015-3236", "CVE-2015-3237", "CVE-2015-3253", "CVE-2015-4000", "CVE-2015-5300", "CVE-2015-5600", "CVE-2015-7181", "CVE-2015-7182", "CVE-2015-7183", "CVE-2015-7501", "CVE-2015-7575", "CVE-2015-7704", "CVE-2015-7979", "CVE-2015-8104", "CVE-2015-8138", 
"CVE-2016-0635", "CVE-2016-0701", "CVE-2016-0702", "CVE-2016-0705", "CVE-2016-0797", "CVE-2016-0798", "CVE-2016-0799", "CVE-2016-0800", "CVE-2016-1181", "CVE-2016-1182", "CVE-2016-1547", "CVE-2016-1548", "CVE-2016-1550", "CVE-2016-1938", "CVE-2016-1978", "CVE-2016-2105", "CVE-2016-2106", "CVE-2016-2107", "CVE-2016-2108", "CVE-2016-2109", "CVE-2016-2176", "CVE-2016-2518", "CVE-2016-3081", "CVE-2016-3424", "CVE-2016-3432", "CVE-2016-3433", "CVE-2016-3440", "CVE-2016-3444", "CVE-2016-3445", "CVE-2016-3446", "CVE-2016-3448", "CVE-2016-3450", "CVE-2016-3451", "CVE-2016-3452", "CVE-2016-3453", "CVE-2016-3458", "CVE-2016-3459", "CVE-2016-3467", "CVE-2016-3468", "CVE-2016-3469", "CVE-2016-3470", "CVE-2016-3471", "CVE-2016-3472", "CVE-2016-3474", "CVE-2016-3475", "CVE-2016-3476", "CVE-2016-3477", "CVE-2016-3478", "CVE-2016-3479", "CVE-2016-3480", "CVE-2016-3481", "CVE-2016-3482", "CVE-2016-3483", "CVE-2016-3484", "CVE-2016-3485", "CVE-2016-3486", "CVE-2016-3487", "CVE-2016-3488", "CVE-2016-3489", "CVE-2016-3490", "CVE-2016-3491", "CVE-2016-3493", "CVE-2016-3494", "CVE-2016-3496", "CVE-2016-3497", "CVE-2016-3498", "CVE-2016-3499", "CVE-2016-3500", "CVE-2016-3501", "CVE-2016-3502", "CVE-2016-3503", "CVE-2016-3504", "CVE-2016-3506", "CVE-2016-3507", "CVE-2016-3508", "CVE-2016-3509", "CVE-2016-3510", "CVE-2016-3511", "CVE-2016-3512", "CVE-2016-3513", "CVE-2016-3514", "CVE-2016-3515", "CVE-2016-3516", "CVE-2016-3517", "CVE-2016-3518", "CVE-2016-3519", "CVE-2016-3520", "CVE-2016-3521", "CVE-2016-3522", "CVE-2016-3523", "CVE-2016-3524", "CVE-2016-3525", "CVE-2016-3526", "CVE-2016-3527", "CVE-2016-3528", "CVE-2016-3529", "CVE-2016-3530", "CVE-2016-3531", "CVE-2016-3532", "CVE-2016-3533", "CVE-2016-3534", "CVE-2016-3535", "CVE-2016-3536", "CVE-2016-3537", "CVE-2016-3538", "CVE-2016-3539", "CVE-2016-3540", "CVE-2016-3541", "CVE-2016-3542", "CVE-2016-3543", "CVE-2016-3544", "CVE-2016-3545", "CVE-2016-3546", "CVE-2016-3547", "CVE-2016-3548", "CVE-2016-3549", "CVE-2016-3550", 
"CVE-2016-3552", "CVE-2016-3553", "CVE-2016-3554", "CVE-2016-3555", "CVE-2016-3556", "CVE-2016-3557", "CVE-2016-3558", "CVE-2016-3559", "CVE-2016-3560", "CVE-2016-3561", "CVE-2016-3563", "CVE-2016-3564", "CVE-2016-3565", "CVE-2016-3566", "CVE-2016-3567", "CVE-2016-3568", "CVE-2016-3569", "CVE-2016-3570", "CVE-2016-3571", "CVE-2016-3572", "CVE-2016-3573", "CVE-2016-3574", "CVE-2016-3575", "CVE-2016-3576", "CVE-2016-3577", "CVE-2016-3578", "CVE-2016-3579", "CVE-2016-3580", "CVE-2016-3581", "CVE-2016-3582", "CVE-2016-3583", "CVE-2016-3584", "CVE-2016-3585", "CVE-2016-3586", "CVE-2016-3587", "CVE-2016-3588", "CVE-2016-3589", "CVE-2016-3590", "CVE-2016-3591", "CVE-2016-3592", "CVE-2016-3593", "CVE-2016-3594", "CVE-2016-3595", "CVE-2016-3596", "CVE-2016-3597", "CVE-2016-3598", "CVE-2016-3606", "CVE-2016-3607", "CVE-2016-3608", "CVE-2016-3609", "CVE-2016-3610", "CVE-2016-3611", "CVE-2016-3612", "CVE-2016-3613", "CVE-2016-3614", "CVE-2016-3615", "CVE-2016-4051", "CVE-2016-4052", "CVE-2016-4053", "CVE-2016-5019", "CVE-2016-5436", "CVE-2016-5437", "CVE-2016-5439", "CVE-2016-5440", "CVE-2016-5441", "CVE-2016-5442", "CVE-2016-5443", "CVE-2016-5444", "CVE-2016-5445", "CVE-2016-5446", "CVE-2016-5447", "CVE-2016-5448", "CVE-2016-5449", "CVE-2016-5450", "CVE-2016-5451", "CVE-2016-5452", "CVE-2016-5453", "CVE-2016-5454", "CVE-2016-5455", "CVE-2016-5456", "CVE-2016-5457", "CVE-2016-5458", "CVE-2016-5459", "CVE-2016-5460", "CVE-2016-5461", "CVE-2016-5462", "CVE-2016-5463", "CVE-2016-5464", "CVE-2016-5465", "CVE-2016-5466", "CVE-2016-5467", "CVE-2016-5468", "CVE-2016-5469", "CVE-2016-5470", "CVE-2016-5471", "CVE-2016-5472", "CVE-2016-5473", "CVE-2016-5474", "CVE-2016-5475", "CVE-2016-5476", "CVE-2016-5477"], "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. 
Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\nCritical Patch Updates and Security Alerts for information about Oracle Security Advisories.\n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\nThis Critical Patch Update contains 276 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at <https://blogs.oracle.com/security>.\n\nPlease note that the vulnerabilities in this Critical Patch Update are scored using version 3.0 of Common Vulnerability Scoring Standard (CVSS).\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available here.\n", "modified": "2016-10-18T00:00:00", "published": "2016-07-19T00:00:00", "id": "ORACLE:CPUJUL2016", "href": "", "type": "oracle", "title": "Oracle Critical Patch Update - July 2016", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}