Credit:
The information has been provided by Joshua J. Drake.
The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/
Vulnerable Systems:
* Outside In on Windows Server 2003 SP2, version 8.1.5.4282
* Outside In on Windows Server 2003 SP2, version 8.1.9.4417
* Outside In on Windows Server 2003 SP2, version 8.2.2.4866
* Outside In on Windows Server 2003 SP2, version 8.3.0.5129
* Good Mobile Messaging Server for Exchange version 4.9.3.41
* Good Mobile Messaging Server for Exchange version 5.0.4.28
Two vulnerabilities exist due to a lack of bounds checking when processing specially crafted Microsoft Excel spreadsheet files. The two issues exist in two distinct functions and are nearly identical; the differentiating factor is the value of a flag bit within a record of the file. If the bit is set, the code path to the first vulnerable function is taken. Otherwise, the code path to the second vulnerable function is taken. The cause of the vulnerability is the same in each case: an array of structures, stored on the stack, is manipulated in a loop without validating the bounds of the array. By crafting a file containing a suitably malformed record, it is possible to write outside the bounds of this array. The resulting stack corruption can lead to arbitrary code execution.
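An added example (not taken from the iDefense advisory and not Oracle's code) of the missing check described above: a record parser with two flag-selected handlers that fill a stack array only through one shared, bounds-checked routine. The record layout, the function names and the capacity of 8 entries are hypothetical and were constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed record layout (an assumption, not the real Excel record):
 * byte 0 = flags (bit 0 picks the handler), byte 1 = declared entry count,
 * then count entries of 4 bytes each: u16 id, u16 value, little endian. */
#define MAX_ENTRIES 8
#define ENTRY_SIZE  4
#define HDR_SIZE    2
enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_MANY = -2 };
struct entry { uint16_t id, value; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Single bounded fill shared by both handlers: the declared count is checked
 * against the array capacity and against the bytes actually present before
 * the loop writes anything. */
static int fill_entries(const uint8_t *body, size_t len, size_t count,
                        struct entry *out, size_t cap)
{
    if (count > cap) return PARSE_TOO_MANY;
    if (count > len / ENTRY_SIZE) return PARSE_TRUNCATED;
    for (size_t i = 0; i < count; i++) {
        out[i].id    = rd16(body + i * ENTRY_SIZE);
        out[i].value = rd16(body + i * ENTRY_SIZE + 2);
    }
    return PARSE_OK;
}
/* Handler taken when the flag bit is set: sums the value fields. */
static int handle_flag_set(const uint8_t *body, size_t len, size_t count)
{
    struct entry table[MAX_ENTRIES];   /* fixed-size array on the stack */
    int rc = fill_entries(body, len, count, table, MAX_ENTRIES), sum = 0;
    if (rc != PARSE_OK) return rc;
    for (size_t i = 0; i < count; i++) sum += table[i].value;
    return sum;
}
/* Handler taken when the flag bit is clear: sums the id fields. */
static int handle_flag_clear(const uint8_t *body, size_t len, size_t count)
{
    struct entry table[MAX_ENTRIES];   /* fixed-size array on the stack */
    int rc = fill_entries(body, len, count, table, MAX_ENTRIES), sum = 0;
    if (rc != PARSE_OK) return rc;
    for (size_t i = 0; i < count; i++) sum += table[i].id;
    return sum;
}
/* Returns a non-negative sum, or a negative PARSE_* code on rejection. */
int parse_record(const uint8_t *rec, size_t len)
{
    if (len < HDR_SIZE) return PARSE_TRUNCATED;
    return (rec[0] & 0x01) ? handle_flag_set(rec + HDR_SIZE, len - HDR_SIZE, rec[1])
                           : handle_flag_clear(rec + HDR_SIZE, len - HDR_SIZE, rec[1]);
}
```

Routing both handlers through the same checked routine means a fix cannot land in one code path and be missed in its near-identical twin.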
Exploitation of these vulnerabilities allows attackers to execute arbitrary code. In order to exploit these vulnerabilities, the attacker must somehow supply a malformed document to an application that will process the document with Outside In Technology. Likewise, the privileges gained will also depend on the software using the library.
In the case of Good Mobile Messaging Server, an attacker can send an electronic mail message with an Excel spreadsheet attachment to a user. When the user chooses to view the spreadsheet, the vulnerable condition will be triggered. Upon successful exploitation, the attacker will gain the privileges of the "GoodAdmin" user. This is a special user account which, in some configurations, may be a member of the "Administrator" group. Regardless of the user's "Administrator" status, the user will always have full privileges to "Read" and "Send As" all users on the Microsoft Exchange server. This could allow an attacker to conduct further social engineering attacks.
Patch Availability:
Oracle has released a patch which addresses this issue. For more information, consult their advisory at the following URL:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html
Good Technology has released a patch which addresses this issue. For more information, consult their advisory at the following URL:
http://www.good.com/faq/18431.html
Workaround:
In order to prevent exploitation of this vulnerability, iDefense recommends using file system access control lists (ACLs) to prevent reading the affected module.
For Good Mobile Messaging Server, Good Software recommends deleting the GdFileConv.exe file and restarting the Messaging Server.
CVE Information:
CVE-2009-1009
Disclosure Timeline:
01/30/2009 - GoodLink contact identified
01/30/2009 - Security contact research begins
02/05/2009 - Oracle contact identified
02/09/2009 - Initial Oracle Reply
02/09/2009 - Initial Vendor Notification
02/10/2009 - Initial GoodLink Reply
02/11/2009 - Oracle validation
02/16/2009 - GoodLink customer alert sent
02/16/2009 - GoodLink validation
02/19/2009 - Oracle requests PoC
02/19/2009 - PoC sent to Oracle
02/25/2009 - GoodLink status update
02/27/2009 - Oracle status update
03/06/2009 - GoodLink status update
04/14/2009 - Oracle patch released
05/13/2009 - CVE Correlation requested from Oracle
05/14/2009 - Coordinated Public Disclosure
05/14/2009 - GoodLink ready for disclosure coordinated with iDefense