CVE-2019-2609
Information
Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters). Supported versions that are affected are 8.5.3 and 8.5.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Outside In Technology. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Outside In Technology accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Outside In Technology.
Crash Dump:
Stack
sccdu.dll + 0xF18C (id: 6e2, no function symbol available)
Registers
eax = 0x12E11000 xmm0 = 0x0
ebx = 0x15693454 xmm1 = 0x0
ecx = 0x40E01000 xmm2 = 0x0
edx = 0x2EFC9FE8 xmm3 = 0x0
esi = 0x40E01000 xmm4 = 0x0
edi = 0x77024F20 xmm5 = 0x0
esp = 0x9AE25C xmm6 = 0x0
ebp = 0xBB33948 xmm7 = 0x3FF0000000000000
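Disassembly of stack frame 1 at sccdu.dll + 0xF18C (no function symbol is available for this frame, so the sccdu!Name+offset labels below are nearest-symbol matches with large offsets, not confirmed function names)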
57fef0a9 e842410000 call sccdu!OIFreeFrame+0xa90 (57ff31f0)
57fef0ae 8bf0 mov esi,eax
57fef0b0 81c424010000 add esp,124h
57fef0b6 89742420 mov dword ptr [esp+20h],esi
57fef0ba 85f6 test esi,esi
57fef0bc 0f8471090000 je sccdu!DUIsCellTextVertFlow+0x2293 (57fefa33)
57fef0c2 8b542414 mov edx,dword ptr [esp+14h]
57fef0c6 8b4204 mov eax,dword ptr [edx+4]
57fef0c9 89442450 mov dword ptr [esp+50h],eax
57fef0cd 8b06 mov eax,dword ptr [esi]
57fef0cf 8b4008 mov eax,dword ptr [eax+8]
57fef0d2 8b8090020000 mov eax,dword ptr [eax+290h]
57fef0d8 85c0 test eax,eax
57fef0da 7407 je sccdu!DUIsCellTextVertFlow+0x1943 (57fef0e3)
57fef0dc 48 dec eax
57fef0dd 89442454 mov dword ptr [esp+54h],eax
57fef0e1 eb08 jmp sccdu!DUIsCellTextVertFlow+0x194b (57fef0eb)
57fef0e3 c744245400000000 mov dword ptr [esp+54h],0
57fef0eb 66834c246402 or word ptr [esp+64h],2
57fef0f1 837a0c00 cmp dword ptr [edx+0Ch],0
57fef0f5 8b02 mov eax,dword ptr [edx]
57fef0f7 8b3d34400558 mov edi,dword ptr [sccdu!oit::GenInfo::usingTabUI+0x1994 (58054034)]
57fef0fd 89442458 mov dword ptr [esp+58h],eax
57fef101 0f84d9010000 je sccdu!DUIsCellTextVertFlow+0x1b40 (57fef2e0)
57fef107 668b4208 mov ax,word ptr [edx+8]
57fef10b 0fb7f8 movzx edi,ax
57fef10e 6689442466 mov word ptr [esp+66h],ax
57fef113 69c7b80b0000 imul eax,edi,0BB8h
57fef119 897c2424 mov dword ptr [esp+24h],edi
57fef11d 50 push eax
57fef11e 6a00 push 0
57fef120 89442438 mov dword ptr [esp+38h],eax
57fef124 ff1534400558 call dword ptr [sccdu!oit::GenInfo::usingTabUI+0x1994 (58054034)]
57fef12a 50 push eax
57fef12b ff1544400558 call dword ptr [sccdu!oit::GenInfo::usingTabUI+0x19a4 (58054044)]
57fef131 8bf0 mov esi,eax
57fef133 89742468 mov dword ptr [esp+68h],esi
57fef137 85f6 test esi,esi
57fef139 750b jne sccdu!DUIsCellTextVertFlow+0x19a6 (57fef146)
57fef13b 53 push ebx
57fef13c 6a1e push 1Eh
57fef13e e87db70100 call sccdu!EmbeddedDUCreateFrameEx+0x1180 (5800a8c0)
57fef143 83c408 add esp,8
57fef146 ff742430 push dword ptr [esp+30h]
57fef14a 89742470 mov dword ptr [esp+70h],esi
57fef14e 6a00 push 0
57fef150 56 push esi
57fef151 e842390600 call sccdu!oit::GenInfo::usingTabUI+0x3f8 (58052a98)
57fef156 83c40c add esp,0Ch
57fef159 85ff test edi,edi
57fef15b 7422 je sccdu!DUIsCellTextVertFlow+0x19df (57fef17f)
57fef15d 8b6c2424 mov ebp,dword ptr [esp+24h]
57fef161 8dbe80030000 lea edi,[esi+380h]
57fef167 57 push edi
57fef168 ff33 push dword ptr [ebx]
57fef16a e801eb0400 call sccdu!DUSetStyleDefaultVal (5803dc70)
57fef16f 83c408 add esp,8
57fef172 81c7b80b0000 add edi,0BB8h
57fef178 4d dec ebp
57fef179 75ec jne sccdu!DUIsCellTextVertFlow+0x19c7 (57fef167)
57fef17b 8b6c241c mov ebp,dword ptr [esp+1Ch]
57fef17f 8b542414 mov edx,dword ptr [esp+14h]
57fef183 8b3d34400558 mov edi,dword ptr [sccdu!oit::GenInfo::usingTabUI+0x1994 (58054034)]
57fef189 8b4210 mov eax,dword ptr [edx+10h]
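57fef18c 83b8b00b000000 cmp dword ptr [eax+0BB0h],0 // current instruction (presumably the faulting access): a memory read at eax+0BB0h; eax was loaded from [edx+10h] at 57fef189 and is 0x12E11000 in the register dump, i.e. the read targets 0x12E11BB0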
57fef193 0f8447010000 je sccdu!DUIsCellTextVertFlow+0x1b40 (57fef2e0)
57fef199 6a18 push 18h
57fef19b 6a00 push 0
57fef19d ffd7 call edi
57fef19f 50 push eax
57fef1a0 ff1544400558 call dword ptr [sccdu!oit::GenInfo::usingTabUI+0x19a4 (58054044)]
57fef1a6 8986b00b0000 mov dword ptr [esi+0BB0h],eax
57fef1ac 85c0 test eax,eax
57fef1ae 750b jne sccdu!DUIsCellTextVertFlow+0x1a1b (57fef1bb)
57fef1b0 53 push ebx
57fef1b1 6a1e push 1Eh
57fef1b3 e808b70100 call sccdu!EmbeddedDUCreateFrameEx+0x1180 (5800a8c0)
57fef1b8 83c408 add esp,8
57fef1bb 8b542414 mov edx,dword ptr [esp+14h]
57fef1bf 8b4210 mov eax,dword ptr [edx+10h]
57fef1c2 8b80b00b0000 mov eax,dword ptr [eax+0BB0h]
57fef1c8 83780c00 cmp dword ptr [eax+0Ch],0
57fef1cc 0f84cf000000 je sccdu!DUIsCellTextVertFlow+0x1b01 (57fef2a1)
57fef1d2 0fb74008 movzx eax,word ptr [eax+8]
57fef1d6 69c0b80b0000 imul eax,eax,0BB8h
57fef1dc 50 push eax
57fef1dd 6a00 push 0
57fef1df ffd7 call edi
57fef1e1 50 push eax
57fef1e2 ff1544400558 call dword ptr [sccdu!oit::GenInfo::usingTabUI+0x19a4 (58054044)]
57fef1e8 8b8eb00b0000 mov ecx,dword ptr [esi+0BB0h]
57fef1ee 89410c mov dword ptr [ecx+0Ch],eax
57fef1f1 8b86b00b0000 mov eax,dword ptr [esi+0BB0h]
57fef1f7 83780c00 cmp dword ptr [eax+0Ch],0
57fef1fb 750b jne sccdu!DUIsCellTextVertFlow+0x1a68 (57fef208)
57fef1fd 53 push ebx
57fef1fe 6a1e push 1Eh
57fef200 e8bbb60100 call sccdu!EmbeddedDUCreateFrameEx+0x1180 (5800a8c0)
57fef205 83c408 add esp,8
57fef208 8b8eb00b0000 mov ecx,dword ptr [esi+0BB0h]
57fef20e 8b410c mov eax,dword ptr [ecx+0Ch]
57fef211 894110 mov dword ptr [ecx+10h],eax
57fef214 33c9 xor ecx,ecx
57fef216 8b442414 mov eax,dword ptr [esp+14h]
57fef21a 8b4010 mov eax,dword ptr [eax+10h]
57fef21d 8b80b00b0000 mov eax,dword ptr [eax+0BB0h]
57fef223 663b4808 cmp cx,word ptr [eax+8]
57fef227 7348 jae sccdu!DUIsCellTextVertFlow+0x1ad1 (57fef271)
57fef229 33ff xor edi,edi
57fef22b 33ed xor ebp,ebp
57fef22d 8d4900 lea ecx,[ecx]
57fef230 8b86b00b0000 mov eax,dword ptr [esi+0BB0h]
57fef236 8b4010 mov eax,dword ptr [eax+10h]
57fef239 0580030000 add eax,380h
PoC
Attached
Attachments:
id_000014_00.pdf
References:
https://nvd.nist.gov/vuln/detail/CVE-2019-2609
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html