CVE-2019-2610
Information
Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters). Supported versions that are affected are 8.5.3 and 8.5.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Outside In Technology. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Outside In Technology accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Outside In Technology.
Crash Dump:
Stack
sccdu.dll + 0xF18C (id: 6e2, no function symbol available)
Registers
eax = 0x281D4000 xmm0 = 0x0
ebx = 0x1E7A3454 xmm1 = 0x0
ecx = 0x2F169000 xmm2 = 0x0
edx = 0x281D1FE8 xmm3 = 0x0
esi = 0x2F169000 xmm4 = 0x0
edi = 0x77024F20 xmm5 = 0x0
esp = 0x1EE20C xmm6 = 0x0
ebp = 0xA641948 xmm7 = 0x3FF0000000000000
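Disassembly of stack frame 1 at sccdu.dll + 0xF18C (address 57f7f18c, marked "current instruction" below). The faulting instruction, `cmp dword ptr [eax+0BB0h],0`, only reads memory. Its eax value (0x281D4000 in the register dump) was loaded by the preceding `mov eax,dword ptr [edx+10h]`. A crash on an invalid read is consistent with the limited read access and partial denial of service described in the advisory text above.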
57f7f0a9 e842410000 call sccdu!OIFreeFrame+0xa90 (57f831f0)
57f7f0ae 8bf0 mov esi,eax
57f7f0b0 81c424010000 add esp,124h
57f7f0b6 89742420 mov dword ptr [esp+20h],esi
57f7f0ba 85f6 test esi,esi
57f7f0bc 0f8471090000 je sccdu!DUIsCellTextVertFlow+0x2293 (57f7fa33)
57f7f0c2 8b542414 mov edx,dword ptr [esp+14h]
57f7f0c6 8b4204 mov eax,dword ptr [edx+4]
57f7f0c9 89442450 mov dword ptr [esp+50h],eax
57f7f0cd 8b06 mov eax,dword ptr [esi]
57f7f0cf 8b4008 mov eax,dword ptr [eax+8]
57f7f0d2 8b8090020000 mov eax,dword ptr [eax+290h]
57f7f0d8 85c0 test eax,eax
57f7f0da 7407 je sccdu!DUIsCellTextVertFlow+0x1943 (57f7f0e3)
57f7f0dc 48 dec eax
57f7f0dd 89442454 mov dword ptr [esp+54h],eax
57f7f0e1 eb08 jmp sccdu!DUIsCellTextVertFlow+0x194b (57f7f0eb)
57f7f0e3 c744245400000000 mov dword ptr [esp+54h],0
57f7f0eb 66834c246402 or word ptr [esp+64h],2
57f7f0f1 837a0c00 cmp dword ptr [edx+0Ch],0
57f7f0f5 8b02 mov eax,dword ptr [edx]
57f7f0f7 8b3d3440fe57 mov edi,dword ptr [sccdu!oit::GenInfo::usingTabUI+0x1994 (57fe4034)]
57f7f0fd 89442458 mov dword ptr [esp+58h],eax
57f7f101 0f84d9010000 je sccdu!DUIsCellTextVertFlow+0x1b40 (57f7f2e0)
57f7f107 668b4208 mov ax,word ptr [edx+8]
57f7f10b 0fb7f8 movzx edi,ax
57f7f10e 6689442466 mov word ptr [esp+66h],ax
57f7f113 69c7b80b0000 imul eax,edi,0BB8h
57f7f119 897c2424 mov dword ptr [esp+24h],edi
57f7f11d 50 push eax
57f7f11e 6a00 push 0
57f7f120 89442438 mov dword ptr [esp+38h],eax
57f7f124 ff153440fe57 call dword ptr [sccdu!oit::GenInfo::usingTabUI+0x1994 (57fe4034)]
57f7f12a 50 push eax
57f7f12b ff154440fe57 call dword ptr [sccdu!oit::GenInfo::usingTabUI+0x19a4 (57fe4044)]
57f7f131 8bf0 mov esi,eax
57f7f133 89742468 mov dword ptr [esp+68h],esi
57f7f137 85f6 test esi,esi
57f7f139 750b jne sccdu!DUIsCellTextVertFlow+0x19a6 (57f7f146)
57f7f13b 53 push ebx
57f7f13c 6a1e push 1Eh
57f7f13e e87db70100 call sccdu!EmbeddedDUCreateFrameEx+0x1180 (57f9a8c0)
57f7f143 83c408 add esp,8
57f7f146 ff742430 push dword ptr [esp+30h]
57f7f14a 89742470 mov dword ptr [esp+70h],esi
57f7f14e 6a00 push 0
57f7f150 56 push esi
57f7f151 e842390600 call sccdu!oit::GenInfo::usingTabUI+0x3f8 (57fe2a98)
57f7f156 83c40c add esp,0Ch
57f7f159 85ff test edi,edi
57f7f15b 7422 je sccdu!DUIsCellTextVertFlow+0x19df (57f7f17f)
57f7f15d 8b6c2424 mov ebp,dword ptr [esp+24h]
57f7f161 8dbe80030000 lea edi,[esi+380h]
57f7f167 57 push edi
57f7f168 ff33 push dword ptr [ebx]
57f7f16a e801eb0400 call sccdu!DUSetStyleDefaultVal (57fcdc70)
57f7f16f 83c408 add esp,8
57f7f172 81c7b80b0000 add edi,0BB8h
57f7f178 4d dec ebp
57f7f179 75ec jne sccdu!DUIsCellTextVertFlow+0x19c7 (57f7f167)
57f7f17b 8b6c241c mov ebp,dword ptr [esp+1Ch]
57f7f17f 8b542414 mov edx,dword ptr [esp+14h]
57f7f183 8b3d3440fe57 mov edi,dword ptr [sccdu!oit::GenInfo::usingTabUI+0x1994 (57fe4034)]
57f7f189 8b4210 mov eax,dword ptr [edx+10h]
57f7f18c 83b8b00b000000 cmp dword ptr [eax+0BB0h],0 // current instruction
57f7f193 0f8447010000 je sccdu!DUIsCellTextVertFlow+0x1b40 (57f7f2e0)
57f7f199 6a18 push 18h
57f7f19b 6a00 push 0
57f7f19d ffd7 call edi
57f7f19f 50 push eax
57f7f1a0 ff154440fe57 call dword ptr [sccdu!oit::GenInfo::usingTabUI+0x19a4 (57fe4044)]
57f7f1a6 8986b00b0000 mov dword ptr [esi+0BB0h],eax
57f7f1ac 85c0 test eax,eax
57f7f1ae 750b jne sccdu!DUIsCellTextVertFlow+0x1a1b (57f7f1bb)
57f7f1b0 53 push ebx
57f7f1b1 6a1e push 1Eh
57f7f1b3 e808b70100 call sccdu!EmbeddedDUCreateFrameEx+0x1180 (57f9a8c0)
57f7f1b8 83c408 add esp,8
57f7f1bb 8b542414 mov edx,dword ptr [esp+14h]
57f7f1bf 8b4210 mov eax,dword ptr [edx+10h]
57f7f1c2 8b80b00b0000 mov eax,dword ptr [eax+0BB0h]
57f7f1c8 83780c00 cmp dword ptr [eax+0Ch],0
57f7f1cc 0f84cf000000 je sccdu!DUIsCellTextVertFlow+0x1b01 (57f7f2a1)
57f7f1d2 0fb74008 movzx eax,word ptr [eax+8]
57f7f1d6 69c0b80b0000 imul eax,eax,0BB8h
57f7f1dc 50 push eax
57f7f1dd 6a00 push 0
57f7f1df ffd7 call edi
57f7f1e1 50 push eax
57f7f1e2 ff154440fe57 call dword ptr [sccdu!oit::GenInfo::usingTabUI+0x19a4 (57fe4044)]
57f7f1e8 8b8eb00b0000 mov ecx,dword ptr [esi+0BB0h]
57f7f1ee 89410c mov dword ptr [ecx+0Ch],eax
57f7f1f1 8b86b00b0000 mov eax,dword ptr [esi+0BB0h]
57f7f1f7 83780c00 cmp dword ptr [eax+0Ch],0
57f7f1fb 750b jne sccdu!DUIsCellTextVertFlow+0x1a68 (57f7f208)
57f7f1fd 53 push ebx
57f7f1fe 6a1e push 1Eh
57f7f200 e8bbb60100 call sccdu!EmbeddedDUCreateFrameEx+0x1180 (57f9a8c0)
57f7f205 83c408 add esp,8
57f7f208 8b8eb00b0000 mov ecx,dword ptr [esi+0BB0h]
57f7f20e 8b410c mov eax,dword ptr [ecx+0Ch]
57f7f211 894110 mov dword ptr [ecx+10h],eax
57f7f214 33c9 xor ecx,ecx
57f7f216 8b442414 mov eax,dword ptr [esp+14h]
57f7f21a 8b4010 mov eax,dword ptr [eax+10h]
57f7f21d 8b80b00b0000 mov eax,dword ptr [eax+0BB0h]
57f7f223 663b4808 cmp cx,word ptr [eax+8]
57f7f227 7348 jae sccdu!DUIsCellTextVertFlow+0x1ad1 (57f7f271)
57f7f229 33ff xor edi,edi
57f7f22b 33ed xor ebp,ebp
57f7f22d 8d4900 lea ecx,[ecx]
57f7f230 8b86b00b0000 mov eax,dword ptr [esi+0BB0h]
57f7f236 8b4010 mov eax,dword ptr [eax+10h]
57f7f239 0580030000 add eax,380h
PoC
Attached
Attachments:
id_000004_00
References:
https://nvd.nist.gov/vuln/detail/CVE-2019-2610
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html