Talos Vulnerability Report

TALOS-2016-0159

Oracle OIT ContentAccess libvs_mwkd VwStreamSection Code Execution Vulnerability

July 19, 2016

Report ID

CVE-2016-3593

Description

A partially controlled memory corruption vulnerability exists in the Mac Works Database file format parsing code of the Oracle Outside In Technology Content Access SDK. Unchecked pointer arithmetic leads to an out-of-bounds memory write, resulting in arbitrary code execution.

Tested Versions

  • Oracle Outside In Technology Content Access SDK 8.5.1.

Product URLs

http://www.oracle.com/technetwork/middleware/content-management/oit-all-085236.html

Details

When parsing a Mac Works Database document, memory is written in a loop using a counter in the destination address calculation. No size check is performed after the arithmetic, resulting in an out-of-bounds memory write.

Although the file is identified as a MWKD document, leading to it being parsed by the libvs_mwkd library, the vulnerability can be triggered by the example parsepst application supplied with the SDK.

Technical information below:

The vulnerability is present in the VwStreamSection function in the libvs_mwkd.so library (with image base at 0xB7F89000), specifically starting in the following basic block:

.text:B7F8A723                 movzx   eax, si
.text:B7F8A726                 mov     ecx, [esp+9Ch+var_64]
.text:B7F8A72A                 mov     [ecx+eax], dl 				[1]
.text:B7F8A72D                 add     esi, 1
.text:B7F8A730                 add     ebp, 1
.text:B7F8A733                 cmp     word ptr [esp+9Ch+var_70], bp
.text:B7F8A738                 jz      short loc_B7F8A761

The values of si and bp are used as counters, with an upper bound read from a byte at file offset 0x5ee in the supplied testcase. The contents of dl are then written to the destination address at [1]. No bounds checking is performed, leading to an out-of-bounds memory overwrite.

In the supplied testcase, the memory corruption resulting from this vulnerability overwrites the value of a function pointer which is later dereferenced by a call instruction at 0xb7d87d71 in the libsc_ch.so library (with base address 0xb7d6f000).
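As an added illustration (not Talos's or Oracle's code), the following C models the pattern described above: a loop count taken from a file byte drives stores into a fixed-size buffer with no bounds check, shown beside a hardened version that validates the count before the loop runs. The record layout, buffer size and function names are assumptions made for the example.

```c
#include <stdint.h>
#include <string.h>

#define DEST_SIZE 64  /* hypothetical; the real buffer size is not in the advisory */

/* Constructed record (assumed layout, not the MWKD format): [count][bytes...] */
typedef struct { const uint8_t *data; size_t len; } record_t;

/* Models the reported loop: the count comes from the file and is never compared
   with the destination size. It returns how many bytes would be stored instead
   of performing the stores, so the overrun can be observed safely. */
size_t unchecked_store_count(const record_t *rec) {
    if (rec->len < 1) return 0;
    uint16_t count = rec->data[0];  /* like the file byte driving si/bp */
    return count;                   /* no comparison against DEST_SIZE */
}

/* Hardened version: reject a count that would overrun the destination or
   read past the end of the record before any store happens. */
int checked_store(const record_t *rec, uint8_t *dest, size_t dest_size) {
    if (rec->len < 1) return -1;
    uint16_t count = rec->data[0];
    if ((size_t)count > dest_size) return -1;      /* would write out of bounds */
    if ((size_t)count > rec->len - 1) return -1;   /* would read out of bounds */
    for (uint16_t i = 0; i < count; i++)
        dest[i] = rec->data[1 + i];
    return (int)count;
}

/* Constructed input with an oversized count (0xF0 = 240 > DEST_SIZE): returns 1
   when the unchecked model would overrun and the checked version rejects it. */
int demo_oversized_count(void) {
    static uint8_t buf[1 + 240];
    uint8_t dest[DEST_SIZE];
    buf[0] = 0xF0;
    memset(buf + 1, 0x41, 240);
    record_t rec = { buf, sizeof buf };
    return unchecked_store_count(&rec) > DEST_SIZE &&
           checked_store(&rec, dest, DEST_SIZE) == -1;
}

/* Constructed well-formed input (count 16, 16 payload bytes): returns the
   number of bytes copied, or -1 if the copy or its contents are wrong. */
int demo_valid_record(void) {
    static uint8_t buf[1 + 16];
    uint8_t dest[DEST_SIZE];
    buf[0] = 16;
    for (int i = 0; i < 16; i++) buf[1 + i] = (uint8_t)i;
    record_t rec = { buf, sizeof buf };
    int n = checked_store(&rec, dest, DEST_SIZE);
    return (n == 16 && memcmp(dest, buf + 1, 16) == 0) ? n : -1;
}
```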

Credit

Discovered by Aleksandar Nikolic of Cisco Talos.

Timeline

2015-10-10 - Discovery
2016-04-20 - Initial Vendor Notification
2016-07-19 - Public Release