Oracle Business Intelligence emagent.exe nmehl_getURIParams Remote Code Execution Vulnerability

ID ZDI-11-022
Type zdi
Reporter AbdulAziz Hariri
Modified 2011-11-09T00:00:00


This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Oracle Business Intelligence One. Authentication is not required to exploit this vulnerability.

The flaw exists within the emagent.exe component which listens by default on TCP port 3938. When handling an HTTP request in oranmemso.dll the function nmehl_getURIParams blindly copies user supplied data into a fixed-length buffer on the stack. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the SYSTEM user.