-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 iDefense Security Advisory 05.14.09 http://labs.idefense.com/intelligence/vulnerabilities/ May 14, 2009 I. BACKGROUND Oracle Corp.'s Outside In Technology is a document conversion engine supporting a large number of binary file formats. Prior to Oracle's acquisition, the software was maintained by Stellent Inc. The software appears to have originated from "QuickView" for Windows 98, but later spun off. It is used by various software packages, one of which is Motorola Inc.'s Good Mobile Messaging Server. For more information, visit the vendors' sites at the URLs provided below. http://www.oracle.com/technology/products/content-management/oit/oit_all.html http://www.good.com/corp/index.php II. DESCRIPTION Remote exploitation of multiple integer overflow vulnerabilities in Oracle Corp.'s Outside In Technology, as included in various vendors' software distributions, allows attacker to execute arbitrary code. These vulnerabilities exist in the handling of an optional data stream stored within various files. Both issues are integer overflows, and are within the same function. Within the vulnerable function, an integer value is read from the Microsoft Office file. This value is later used in several arithmetic integer calculations. Since no validation is performed, integer overflows can occur. The result is the allocation of a buffer that is too small to hold the data that is subsequently read from the file. A heap buffer overflow occurs, leading to an exploitable condition. III. ANALYSIS Exploitation of these vulnerabilities allows attackers to execute arbitrary code. In order to exploit these vulnerabilities, the attacker must somehow supply a malformed document to an application that will process the document with Outside In Technology. Likewise, the privileges gained will also depend on the software using the library. In the case of Good Mobile Messaging Server, an attacker can send an electronic mail message with a specially crafted Office document attachment to a user. When the user chooses to view the document, the vulnerable condition will be triggered. Upon successful exploitation, the attacker will gain the privileges of the "GoodAdmin" user. This is a special user account which, in some configurations, may be a member of the "Administrator" group. Regardless of the user's "Administrator" status, the user will always have full privileges to "Read" and "Send As" all users on the Microsoft Exchange server. This could allow an attacker to conduct further social engineering attacks. Other software packages using Outside In were not investigated. IV. DETECTION iDefense confirmed the existence of these vulnerabilities using the follow versions of Outside In on Windows Server 2003. Multiple modules were confirmed to contain the vulnerable code; vsmpp, vspp97, vsvisio, vsw6, vsw97, vsxl5. Other modules may also be affected. 8.1.5.4282 8.1.9.4417 8.2.2.4866 8.3.0.5129 Additionally the following versions of Good Mobile Messaging Server for Exchange ship with vulnerable versions of the affected modules. 4.9.3.41 5.0.4.28 6.0.0.106 All versions of Outside In, including versions for operating systems other than Windows, are assumed to be vulnerable. Additionally, all software that includes or uses Outside In is assumed to be vulnerable. Earlier versions, including those branded with other names, are vulnerable as well. V. WORKAROUND In order to prevent exploitation of this vulnerability, iDefense recommends using file system access control lists (ACLs) to prevent reading the affected modules. For Good Mobile Messaging Server, Good Software recommends deleting the GdFileConv.exe file and restarting the Messaging Server. VI. VENDOR RESPONSE Oracle has released a patch which addresses this issue. For more information, consult their advisory at the following URL: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html Good Technology has released a patch which addresses this issue. For more information, consult their advisory at the following URL: http://www.good.com/faq/18431.html VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2009-1011 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 01/30/2009 - GoodLink contact identified 01/30/2009 - Security contact research begins 02/05/2009 - Oracle contact identified 02/09/2009 - Initial Oracle Reply 02/09/2009 - Initial Vendor Notification 02/10/2009 - Initial GoodLink Reply 02/11/2009 - Oracle validation 02/16/2009 - GoodLink customer alert sent 02/16/2009 - GoodLink validation 02/19/2009 - Oracle requests PoC 02/19/2009 - PoC sent to Oracle 02/25/2009 - GoodLink status update 02/27/2009 - Oracle status update 03/06/2009 - GoodLink status update 04/14/2009 - Oracle patch released 05/13/2009 - CVE Corelation requested from Oracle 05/14/2009 - Coordinated Public Disclosure 05/14/2009 - GoodLink ready for disclosure coordinated with iDefense IX. CREDIT This vulnerability was discovered by Joshua J. Drake, iDefense Labs. Get paid for vulnerability research http://labs.idefense.com/methodology/vulnerability/vcp.php Free tools, research and upcoming events http://labs.idefense.com/ X. LEGAL NOTICES Copyright © 2009 iDefense, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice@xxxxxxxxxxxx for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFKDci2bjs6HoxIfBkRAgoMAJ9LZYN8mlXP7dHp866JUjOllL/2igCfYTU/ xIe37mYPMzb4hra6BAUZrn8= =az7z -----END PGP SIGNATURE-----
