Talos Vulnerability Report

TALOS-2016-0158

Oracle OIT ContentAccess libvs_word+63AC Code Execution Vulnerability

July 19, 2016

Report ID

CVE-2016-3592

Description

Partially controlled memory write vulnerability exists in Mac Word file format parsing code of Oracle Outside In Technology Content Access SDK. An unchecked pointer arithmetic leads to an out of bounds memory overwrite resulting in code execution.

Tested Versions

  • Oracle Outside In Technology Content Access SDK 8.5.1.

Product URLs

http://www.oracle.com/technetwork/middleware/content-management/oit-all-085236.html

Details

When parsing a Mac Word document a single-byte value from a file is used as a starting value for a counter which is used in arithmetic operations for memory access. No size checks are performed after the arithmetic operations resulting in an out of bounds 4 byte memory write.

Although the file is identified by OIT CA SDK as FI_MACWORD5, leading to it being parsed by libvs_word library, the vulnerability can be triggered by the example parsepst application supplied with the SDK.

Technical information below:

Vulnerability is present in function at address 0xB74A83AC in libvs_word.so library (with image base at 0xB74A2000), specifically starting in the following basic block:

.text:B74A937C loc_B74A937C:                           ; CODE XREF: sub_B74A83AC+FC1j
.text:B74A937C                 movzx   edx, di 			[1]
.text:B74A937F                 movzx   eax, si
.text:B74A9382                 movzx   ecx, word ptr [ebp+eax*2+0A30h]
.text:B74A938A                 mov     [ebp+edx*2+0A30h], cx
.text:B74A9392                 shl     edx, 4			[2]
.text:B74A9395                 add     edx, ebp			[3]
.text:B74A9397                 add     edx, 800h		[4]
.text:B74A939D                 shl     eax, 4
.text:B74A93A0                 add     eax, ebp
.text:B74A93A2                 add     eax, 800h
.text:B74A93A7                 mov     ecx, [eax+0Eh]
.text:B74A93AA                 mov     [edx+0Eh], ecx	[5]
.text:B74A93AD                 mov     ecx, [eax+12h]
.text:B74A93B0                 mov     [edx+12h], ecx	[6]
.text:B74A93B3                 mov     ecx, [eax+16h]
.text:B74A93B6                 mov     [edx+16h], ecx	[7]
.text:B74A93B9                 mov     eax, [eax+1Ah]
.text:B74A93BC                 mov     [edx+1Ah], eax	[8]
.text:B74A93BF                 add     edi, 1
.text:B74A93C2                 add     esi, 1
.text:B74A93C5                 sub     word ptr [esp+12Ch+var_9C+2], 1
.text:B74A93CE                 jnz     short loc_B74A936F

Initial value of di register comes from a byte at offset 0x29d in the supplied testcase and is used as a starting value for a counter. Value is zero extended into edx at [1] and is then used in arithmetic operations at [2], [3] and [4]. Final value is used as a pointer to a structure and values of ecx and eax registers get written to appropriate structure fields at [5], [6], [7] and [8]. Upper limit for the counter value is 0x100. No bounds checking is being made after pointer arithmetic resulting in a possible out of bounds memory overwrite.

While parsing the first supplied testcase, out of bounds write results in a pointer previously initialized to NULL to become non-NULL leading to an invalid free() during the cleanup after the file has been parsed. In the case of the second supplied testcase, the same vulnerability results in a function pointer overwrite leading to an even simpler exploitable condition.

Credit

Discovered by Aleksandar Nikolic of Cisco Talos.

Timeline

2015–10-19 - Discovery
2016-04-20 - Initial Vendor Notification
2016-07-19 - Public Disclosure