Talos Vulnerability Report

TALOS-2016-0156

Oracle OIT ContentAccess libvs_word Denial of Service Vulnerability

July 19, 2016

Report ID

CVE-2016-3590

Description

A partially controlled memory write vulnerability exists in the Mac Word file format parser of the Oracle Outside In Technology Content Access SDK. Unchecked pointer arithmetic results in a bitwise OR being applied to an out-of-bounds memory address, causing memory corruption and likely program termination.

Tested Versions

  • Oracle Outside In Technology Content Access SDK 8.5.1.

Product URLs

http://www.oracle.com/technetwork/middleware/content-management/oit-all-085236.html

Details

When parsing a Mac Word document, a single-byte value read from the file is used as the upper bound of a counter, and that counter is then used in arithmetic operations that compute a memory address. No size checks are performed after the arithmetic, resulting in an out-of-bounds memory access. The calculated address is used as the destination operand of an or byte instruction.

Although the file is identified by the OIT CA SDK as FI_MACWORD5, which causes it to be parsed by the libvs_word library, the vulnerability can be triggered through the example parsepst application supplied with the SDK.

The vulnerability is present in the function sub_B74A83AC, specifically starting in the following basic block:

.text:B74AAA7F                 mov     eax, edi                    [1]
.text:B74AAA81                 shl     eax, 4                      [2]
.text:B74AAA84                 mov     esi, [esp+12Ch+arg_4]
.text:B74AAA8B                 add     eax, [esi+25Ch]             [3]
.text:B74AAA91                 or      byte ptr [eax+810h], 8      [4]
.text:B74AAA98

At [1], the value in edi is a counter whose upper bound comes from the file being parsed. At [2] and [3], additional arithmetic is performed on the counter value: it is shifted left by 4 (multiplied by 16) and added to the pointer loaded from [esi+25Ch]. The final value of eax is computed at [3] and used at [4] as the destination operand, resulting in a bit being set at the calculated address.

No bounds checking is performed, so with a high upper value of the counter, memory outside the intended buffer can be written.

While parsing the supplied testcase, the out-of-bounds access causes a pointer that was previously initialized to NULL to become non-NULL, leading to an invalid free() during cleanup after the file has been parsed.

The byte used as the counter's upper bound is located at offset 0x334 in the supplied testcase.

In a hypothetical situation, more interesting data structures could be located at the addresses accessed out of bounds, potentially leading to abuse.
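The following C model, added here as an illustration and not taken from Oracle's code, reproduces the pattern in the basic block above (a file-controlled byte bounding a loop that sets a flag bit at base + 0x810 + counter*16) beside a hardened form that validates the count against the allocated record table. The structure layout, names and record size are assumptions chosen to mirror the disassembly.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed model of the advisory's loop: a table pointer held in the
 * parser state (the [esi+25Ch] slot), a fixed 0x810-byte header, then
 * 16-byte records; bit 3 (value 8) is set in the first byte of each
 * record for every counter value below the file-supplied bound. */
#define HEADER_BYTES 0x810
#define RECORD_BYTES 16
#define FLAG_BIT     0x08

typedef struct {
    uint8_t *table;   /* assumed: the pointer loaded from [esi+25Ch] */
    size_t   records; /* assumed: number of 16-byte records allocated */
} parser_state;

/* Allocate a zeroed table with room for `records` records after the header. */
int state_init(parser_state *st, size_t records) {
    st->records = records;
    st->table = calloc(1, HEADER_BYTES + records * RECORD_BYTES);
    return st->table != NULL;
}

/* Vulnerable pattern: `count` is the single byte from the file (offset
 * 0x334 in the testcase) and is never compared with `records`, so any
 * count above the table size ORs into memory past the allocation, exactly
 * like `or byte ptr [eax+810h], 8`. Returns the number of records touched. */
size_t mark_records_unchecked(parser_state *st, uint8_t count) {
    for (size_t i = 0; i < count; i++)
        st->table[HEADER_BYTES + i * RECORD_BYTES] |= FLAG_BIT; /* OOB if i >= records */
    return count;
}

/* Hardened form: reject a count that exceeds the allocated table before
 * any address is computed. Returns records marked, or -1 for a malformed file. */
long mark_records_checked(parser_state *st, uint8_t count) {
    if (count > st->records)
        return -1; /* file-controlled bound larger than the table: refuse to parse */
    for (size_t i = 0; i < count; i++)
        st->table[HEADER_BYTES + i * RECORD_BYTES] |= FLAG_BIT;
    return (long)count;
}
```

Fuzzing the single byte at the file offset, with the parser built under AddressSanitizer, is the quickest way to confirm the unchecked variant writes past the allocation while the checked one returns -1.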

Credit

Discovered by Aleksandar Nikolic of Cisco Talos.

Timeline

2016-04-12 - Discovered
2016-04-19 - Initial Vendor Contact
2016-07-19 - Public Release