CVE-2019-2608
Information
Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters). Supported versions that are affected are 8.5.3 and 8.5.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Outside In Technology.
Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Outside In Technology accessible data as well as unauthorized read access to a subset of Oracle Outside In Technology accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Outside In Technology.
Crash Dump:
Stack
sccdu.dll + 0x3115C (id: 73f, no function symbol available)
sccdu.dll + 0x3B621 (id: 696, no function symbol available)
Registers
eax = 0x48FB4F40    xmm0 = 0x4086800000000000
ebx = 0x1CDC8454    xmm1 = 0x402F000000000000
ecx = 0x1F930       xmm2 = 0x4096800000000000
edx = 0xFA6         xmm3 = 0x40D5180000000000
esi = 0x3A0A4DC8    xmm4 = 0x0
edi = 0x3           xmm5 = 0x0
esp = 0xB3D728      xmm6 = 0x4096800000000000
ebp = 0xB3D830      xmm7 = 0x0
Disassembly of stack frame 1 at sccdu.dll + 0x3115C
57fa1088 8bf0 mov esi,eax
57fa108a 89442410 mov dword ptr [esp+10h],eax
57fa108e f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
57fa1090 8b402c mov eax,dword ptr [eax+2Ch]
57fa1093 83f803 cmp eax,3
57fa1096 7431 je sccdu!EmbeddedDUCreateFrameEx+0x7989 (57fa10c9)
57fa1098 83f802 cmp eax,2
57fa109b 742c je sccdu!EmbeddedDUCreateFrameEx+0x7989 (57fa10c9)
57fa109d 8b74240c mov esi,dword ptr [esp+0Ch]
57fa10a1 56 push esi
57fa10a2 53 push ebx
57fa10a3 e8b89cffff call sccdu!EmbeddedDUCreateFrameEx+0x1620 (57f9ad60)
57fa10a8 8b4d10 mov ecx,dword ptr [ebp+10h]
57fa10ab 83c408 add esp,8
57fa10ae 8b09 mov ecx,dword ptr [ecx]
57fa10b0 8b4910 mov ecx,dword ptr [ecx+10h]
57fa10b3 8b4968 mov ecx,dword ptr [ecx+68h]
57fa10b6 2bc8 sub ecx,eax
57fa10b8 8b06 mov eax,dword ptr [esi]
57fa10ba 894c2414 mov dword ptr [esp+14h],ecx
57fa10be 8b400c mov eax,dword ptr [eax+0Ch]
57fa10c1 8b8814010000 mov ecx,dword ptr [eax+114h]
57fa10c7 eb14 jmp sccdu!EmbeddedDUCreateFrameEx+0x799d (57fa10dd)
57fa10c9 8b74240c mov esi,dword ptr [esp+0Ch]
57fa10cd 56 push esi
57fa10ce 53 push ebx
57fa10cf e81c9cffff call sccdu!EmbeddedDUCreateFrameEx+0x15b0 (57f9acf0)
57fa10d4 8bc8 mov ecx,eax
57fa10d6 83c408 add esp,8
57fa10d9 8b442410 mov eax,dword ptr [esp+10h]
57fa10dd 0fb7b83c010000 movzx edi,word ptr [eax+13Ch]
57fa10e4 0fb7903a010000 movzx edx,word ptr [eax+13Ah]
57fa10eb 8b842484000000 mov eax,dword ptr [esp+84h]
57fa10f2 250000ffff and eax,0FFFF0000h
57fa10f7 897c2410 mov dword ptr [esp+10h],edi
57fa10fb 3d00000300 cmp eax,30000h
57fa1100 7576 jne sccdu!EmbeddedDUCreateFrameEx+0x7a38 (57fa1178)
57fa1102 8b442414 mov eax,dword ptr [esp+14h]
57fa1106 3bc1 cmp eax,ecx
57fa1108 0f8ecd000000 jle sccdu!EmbeddedDUCreateFrameEx+0x7a9b (57fa11db)
57fa110e 2bc1 sub eax,ecx
57fa1110 89442418 mov dword ptr [esp+18h],eax
57fa1114 85c0 test eax,eax
57fa1116 0f8ebf000000 jle sccdu!EmbeddedDUCreateFrameEx+0x7a9b (57fa11db)
57fa111c b9ffff0000 mov ecx,0FFFFh
57fa1121 663bd1 cmp dx,cx
57fa1124 7444 je sccdu!EmbeddedDUCreateFrameEx+0x7a2a (57fa116a)
57fa1126 663bf9 cmp di,cx
57fa1129 743f je sccdu!EmbeddedDUCreateFrameEx+0x7a2a (57fa116a)
57fa112b 8bca mov ecx,edx
57fa112d 0fb7ff movzx edi,di
57fa1130 894c2410 mov dword ptr [esp+10h],ecx
57fa1134 3bcf cmp ecx,edi
57fa1136 7732 ja sccdu!EmbeddedDUCreateFrameEx+0x7a2a (57fa116a)
57fa1138 2b7c2410 sub edi,dword ptr [esp+10h]
57fa113c 99 cdq
57fa113d 2bc2 sub eax,edx
57fa113f 69c9d8010000 imul ecx,ecx,1D8h
57fa1145 8bd0 mov edx,eax
57fa1147 d1fa sar edx,1
57fa1149 47 inc edi
57fa114a 8d9b00000000 lea ebx,[ebx]
57fa1150 8b8360010000 mov eax,dword ptr [ebx+160h]
57fa1156 8d89d8010000 lea ecx,[ecx+1D8h]
57fa115c 01940160feffff add dword ptr [ecx+eax-1A0h],edx // current instruction
57fa1163 4f dec edi
57fa1164 75ea jne sccdu!EmbeddedDUCreateFrameEx+0x7a10 (57fa1150)
57fa1166 8b442418 mov eax,dword ptr [esp+18h]
57fa116a 837e0800 cmp dword ptr [esi+8],0
57fa116e 746b je sccdu!EmbeddedDUCreateFrameEx+0x7a9b (57fa11db)
57fa1170 99 cdq
57fa1171 2bc2 sub eax,edx
57fa1173 d1f8 sar eax,1
57fa1175 50 push eax
57fa1176 eb59 jmp sccdu!EmbeddedDUCreateFrameEx+0x7a91 (57fa11d1)
57fa1178 3d00000200 cmp eax,20000h
57fa117d 755c jne sccdu!EmbeddedDUCreateFrameEx+0x7a9b (57fa11db)
57fa117f 8b442414 mov eax,dword ptr [esp+14h]
57fa1183 3bc1 cmp eax,ecx
57fa1185 7e54 jle sccdu!EmbeddedDUCreateFrameEx+0x7a9b (57fa11db)
57fa1187 8bf8 mov edi,eax
57fa1189 2bf9 sub edi,ecx
57fa118b 85ff test edi,edi
57fa118d 7e4c jle sccdu!EmbeddedDUCreateFrameEx+0x7a9b (57fa11db)
57fa118f b9ffff0000 mov ecx,0FFFFh
57fa1194 663bd1 cmp dx,cx
57fa1197 7431 je sccdu!EmbeddedDUCreateFrameEx+0x7a8a (57fa11ca)
57fa1199 8b442410 mov eax,dword ptr [esp+10h]
57fa119d 663bc1 cmp ax,cx
57fa11a0 7428 je sccdu!EmbeddedDUCreateFrameEx+0x7a8a (57fa11ca)
57fa11a2 0fb7c8 movzx ecx,ax
57fa11a5 8bc2 mov eax,edx
57fa11a7 3bc1 cmp eax,ecx
57fa11a9 771f ja sccdu!EmbeddedDUCreateFrameEx+0x7a8a (57fa11ca)
57fa11ab 2bc8 sub ecx,eax
57fa11ad 69d0d8010000 imul edx,eax,1D8h
57fa11b3 41 inc ecx
57fa11b4 8b8360010000 mov eax,dword ptr [ebx+160h]
57fa11ba 8d92d8010000 lea edx,[edx+1D8h]
57fa11c0 01bc0260feffff add dword ptr [edx+eax-1A0h],edi
57fa11c7 49 dec ecx
57fa11c8 75ea jne sccdu!EmbeddedDUCreateFrameEx+0x7a74 (57fa11b4)
57fa11ca 837e0800 cmp dword ptr [esi+8],0
57fa11ce 740b je sccdu!EmbeddedDUCreateFrameEx+0x7a9b (57fa11db)
57fa11d0 57 push edi
57fa11d1 56 push esi
57fa11d2 53 push ebx
57fa11d3 e8c84afeff call sccdu!OIFreeFrame+0x3540 (57f85ca0)
57fa11d8 83c40c add esp,0Ch
57fa11db 8b760c mov esi,dword ptr [esi+0Ch]
57fa11de 8974240c mov dword ptr [esp+0Ch],esi
57fa11e2 85f6 test esi,esi
57fa11e4 0f8556feffff jne sccdu!EmbeddedDUCreateFrameEx+0x7900 (57fa1040)
57fa11ea 5f pop edi
PoC
Attached
Attachments:
id_000047_00
References:
https://nvd.nist.gov/vuln/detail/CVE-2019-2608
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html