AOH :: HP Unsorted M :: VA3540.HTM

Multiple Vendor Outside In Spreadsheet Buffer Overflow Vulnerability



iDefense Security Advisory 05.14.09: Multiple Vendor Outside In Spreadsheet Buffer Overflow Vulnerability
iDefense Security Advisory 05.14.09: Multiple Vendor Outside In Spreadsheet Buffer Overflow Vulnerability



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDefense Security Advisory 05.14.09
http://labs.idefense.com/intelligence/vulnerabilities/ 
May 14, 2009

I. BACKGROUND

Oracle Corp.'s Outside In Technology is a document conversion engine
supporting a large number of binary file formats. Prior to Oracle's
acquisition, the software was maintained by Stellent Inc. The software
appears to have originated from "QuickView" for Windows 98, but later
spun off. It is used by various software packages, one of which is
Motorola Inc.'s Good Mobile Messaging Server. For more information,
visit the vendors' sites at the URLs provided below.

http://www.oracle.com/technology/products/content-management/oit/oit_all.html 

http://www.good.com/corp/index.php 

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in Oracle Corp.'s
Outside In Technology, as included in various vendors' software
distributions, allows attacker to execute arbitrary code.

This vulnerability exists due to the lack of bounds checking when
processing certain records within a Microsoft Excel spreadsheet. Upon
entering the vulnerable function, data is copied from a heap buffer
into a stack buffer without ensuring that the data will fit. By
crafting an Excel spreadsheet file properly, it is possible to write
beyond the bounds of the stack buffer. The resulting stack corruption
leads to arbitrary code execution.

III. ANALYSIS

Exploitation of this vulnerability allows attackers to execute arbitrary
code. In order to exploit this vulnerability, the attacker must somehow
supply a malformed document to an application that will process the
document with Outside In Technology. Likewise, the privileges gained
will also depend on the software using the library.

In the case of Good Mobile Messaging Server, an attacker can send an
electronic mail message with an Excel spreadsheet attachment to a user.
When the user chooses to view the spreadsheet, the vulnerable condition
will be triggered. Upon successful exploitation, the attacker will gain
the privileges of the "GoodAdmin" user. This is a special user account
which, in some configurations, may be a member of the "Administrator"
group. Regardless of the user's "Administrator" status, the user will
always have full privileges to "Read" and "Send As" all users on the
Microsoft Exchange server. This could allow an attacker to conduct
further social engineering attacks.

Other software packages using Outside In were not investigated.

It is interesting to note that this vulnerability was fixed some time
between the release of version 8.1.5 and version 8.1.9. No public
record exists documenting the existence of this vulnerability.

IV. DETECTION

iDefense confirmed the existence of this vulnerability using the follow
versions of Outside In on Windows Server 2003.

  8.1.5.4282

Additionally the following versions of Good Mobile Messaging Server for
Exchange ship with vulnerable versions of vsxl5.dll.

  4.9.3.41

All prior versions of Outside In, including versions for operating
systems other than Windows, are assumed to be vulnerable. Additionally,
all software that includes or uses affected versions of Outside In is
assumed to be vulnerable. Earlier versions, including those branded
with other names, are vulnerable as well.

iDefense confirmed that the following versions are not affected:

  8.1.9.4417 (shipped with GMMS 5.0.4.28 and GMMS 6.0.0.106)
  8.2.2.4866
  8.3.0.5129

V. WORKAROUND

In order to prevent exploitation of this vulnerability, iDefense
recommends using file system access control lists (ACLs) to prevent
reading the affected module.

For Good Mobile Messaging Server, Good Software recommends deleting the
GdFileConv.exe file and restarting the Messaging Server.

VI. VENDOR RESPONSE

Oracle has released a patch which addresses this issue. For more
information, consult their advisory at the following URL:

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html 

Good Technology has released a patch which addresses this issue. For
more information, consult their advisory at the following URL:

http://www.good.com/faq/18431.html 

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2009-1009 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for 
security problems.

VIII. DISCLOSURE TIMELINE

01/30/2009  - GoodLink contact identified
01/30/2009  - Security contact research begins
02/05/2009  - Oracle contact identified
02/09/2009  - Initial Oracle Reply
02/09/2009  - Initial Vendor Notification
02/10/2009  - Initial GoodLink Reply
02/11/2009  - Oracle validation
02/16/2009  - GoodLink customer alert sent
02/16/2009  - GoodLink validation
02/19/2009  - Oracle requests PoC
02/19/2009  - PoC sent to Oracle
02/25/2009  - GoodLink status update
02/27/2009  - Oracle status update
03/06/2009  - GoodLink status update
04/14/2009  - Oracle patch released
05/13/2009  - CVE Corelation requested from Oracle
05/14/2009  - Coordinated Public Disclosure
05/14/2009  - GoodLink ready for disclosure coordinated with iDefense

IX. CREDIT

This vulnerability was discovered by Joshua J. Drake, iDefense Labs.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php 

Free tools, research and upcoming events
http://labs.idefense.com/ 

X. LEGAL NOTICES

Copyright =A9 2009 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission. 

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
 There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org 

iD8DBQFKDc5Sbjs6HoxIfBkRAmuQAKCIbWEf7snT1hbZim+Tcug/6P0vZACdFPij
TvLxJSUqv/vKW37aj1rG7g8=Rbbs
-----END PGP SIGNATURE-----

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.