Talos Vulnerability Report

TALOS-2016-0157

Oracle OIT ContentAccess libvs_mwkd VwStreamReadRecord Memory Corruption Vulnerability

July 19, 2016
CVE Number

CVE-2016-3591

Description

Partially controlled memory write vulnerability exists in Mac Works Database file format parsing code of Oracle Outside In Technology Content Access SDK. An unchecked pointer arithmetic causes an out of bounds memory write which can lead to denial of service or possibly code execution.

Tested Versions

  • Oracle Outside In Technology Content Access SDK 8.5.1.

Product URLs

http://www.oracle.com/technetwork/middleware/content-management/oit-all-085236.html

Details

When parsing a Mac Works Database document memory is being written in a loop using a counter in destination address calculations. No size checks are performed after the arithmetic operations resulting in a partially controlled 2 byte overwrite.

Although the file is identified by as a MWKD document, leading to it being parsed by libvs_mwkd library, the vulnerability can be triggered by the example parsepst application supplied with the SDK.

Technical information below:

Vulnerability is present in VwStreamReadRecord function in libvs_mwkd.so library (with image base at 0xB7F89000), specifically starting in the following basic block:

.text:B7F8ACF6                 movzx   eax, [esp+3Ch+var_12]
.text:B7F8ACFB                 mov     edx, [edi+31Ch]
.text:B7F8AD01                 mov     ecx, ebp
.text:B7F8AD03                 mov     [edx+eax], cl
.text:B7F8AD06                 movzx   eax, word ptr [esp+3Ch+var_10]	[1]
.text:B7F8AD0B                 movzx   esi, [esp+3Ch+var_12] 			[2]
.text:B7F8AD10                 mov     [edi+eax*2+298h], si 			[3]
.text:B7F8AD18                 add     word ptr [esp+3Ch+var_10], 1
.text:B7F8AD1E                 add     esi, 1
.text:B7F8AD21                 mov     [esp+3Ch+var_12], si
.text:B7F8AD26                 cmp     bp, 0F9h
.text:B7F8AD2B                 ja      loc_B7F8AE1A
.text:B7F8AD31                 test    bp, bp
.text:B7F8AD34                 jz      loc_B7F8ADEB
.text:B7F8AD3A                 mov     [esp+3Ch+var_1A], 0
.text:B7F8AD41                 jmp     short loc_B7F8AD71

At [1] and [2] pre-calculated values of eax and esi are read from the stack and zero extended. At [3] eax is being used in destination address calculation and the value of si is being written there. Initial values of eax and esi are related, eax serving as a counter. No bounds checking is in place resulting in a possible 2 byte out of bounds overwrite.

In the supplied testcase, last seven bytes can be used to influence the written value. The supplied testcase crashes the parsepst program upon a free() on an invalid pointer. The overwritten pointer is allocated in the VStreamOpen function and it’s least significant byte is later overwritten as a result of out of bounds memory write.

A specially crafted file could be used to shift the to-be-freed pointer to an attacker controlled area which can then be used to subvert the free() and achieve code execution.

Timeline

2016-04-12 - Discovered
2016-04-29 - Initial Vendor Communication
2016-07-19 - Public Release

Credit

Discovered by Aleksandar Nikolic of Cisco Talos.