Information

Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters). Supported versions that are affected are 8.5.3 and 8.5.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Outside In Technology. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Outside In Technology accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Outside In Technology.

The paragraph above is Oracle's advisory wording for CVE-2019-2612, addressed in the April 2019 Critical Patch Update linked under References; "network access via HTTP" is Oracle's generic attack-vector rating for the filter library, not a description of the trigger. Concretely, the crash below is reached by having a filter module (impsz2.dll) process the attached PoC file, here through the pxsample.exe harness visible at the bottom of the stack. The fault is raised inside MSVCR120!strstr while it scans a heap buffer handed over by the filter, which is consistent with an out-of-bounds read: bytes past the buffer can be disclosed, or an unmapped page is hit and the process dies, matching the "unauthorized read" and "partial DoS" impact stated above. Nothing in this dump evidences memory corruption or control-flow hijack.

Crash Dump:

Stack

MSVCR120.dll!strstr + 0x17F (the fault is raised here, but this frame is irrelevant to the root cause: strstr is only scanning a buffer passed in by the impsz2.dll frame below, and nothing in that caller's visible disassembly guarantees the buffer is NUL-terminated) [[f:\dd\vctools\crt\crtw32\string\i386\strstr_sse.inc @ 373]]
impsz2.dll + 0x1D22 (id: deb, no function symbol available)
impsz2.dll + 0x1F31 (id: 56b, no function symbol available)
impsz2.dll + 0x11D8 (no function symbol available)
vsgdsf.dll + 0xA563 (no function symbol available)
sccda.dll + 0x-1CDD2 (no function symbol available; a negative module offset is a symbolization artifact, not a usable address)
sccex.dll + 0x-3B4F24 (no function symbol available; a negative module offset is a symbolization artifact, not a usable address)
pxsample.exe + 0x6DC058DA (no function symbol available; this offset is implausibly large for the module and is most likely an unsymbolized absolute address or a stack-walk artifact)
pxsample.exe + 0x110D (no function symbol available)
pxsample.exe + 0x1282 (no function symbol available)

Registers

eax   =  0x89B9010	xmm0  = 0x53502125000065626F64412D53502125
ebx   =        0x0	xmm1  =                                0x0
ecx   =       0x10	xmm2  =                                0x0
edx   = 0x53502125	xmm3  =                                0x0
esi   =  0x8906328	xmm4  =                                0x0
edi   = 0x6C02604C	xmm5  =                                0x0
esp   =   0xB9EBB4	xmm6  = 0x40E8366885E3095FDD486A29E4929F57
ebp   =   0xB9EC04	xmm7  =                                0x1

(Reading the registers: edi = 0x6C02604C is the constant pushed at 6c021d13 as strstr's second argument, i.e. the needle. The bytes of edx, 25 21 50 53, spell "%!PS", and xmm0 read as little-endian bytes is "%!PS-Adobe\0\0%!PS", so the needle is evidently the PostScript header string "%!PS-Adobe". eax = 0x089B9010 is a heap-range pointer, presumably strstr's current scan position in the haystack, and ecx = 0x10 is consistent with the 16-byte-at-a-time SSE compare loop in strstr_sse.inc, which is exactly the kind of routine that reads past the end of an unterminated buffer.)

Disassembly of stack frame 2 at impsz2.dll + 0x1D22 (= 0x6c021d22; the module base is 0x6C020000, and the listed address is the return address of the strstr call at 6c021d1c)

How to read this frame: at 6c021cd4 the function requests a 0x100-byte buffer (push 100h; call ...+0x2b0), keeps the pointer in [ebp-2Ch] and checks it only for NULL. The call at 6c021cf7 receives the value in [ebp-34h], which is 0x80 by default (6c021c5d) but is replaced at 6c021cbb by a field of the structure at [ebp-24h]; that structure is apparently filled in by the call at 6c021c8b and its first dword must match the magic 0xC6D3D0C5, so it appears to be header data taken from the input file. The buffer and the context pointer are then passed to the helper at 6c021d70 (call at 6c021d07) and, if that helper returns 0, the buffer is used directly as the haystack for strstr at 6c021d1c and again at 6c021d32 with a second needle; a hit from either search sets the return value [ebp-38h] to 1 at 6c021d3f, so this looks like a format-detection check. Nothing in this frame writes a terminating NUL into the buffer, so unless the helper at 6c021d70 (only partially shown below) guarantees one, strstr can run off the end of the 0x100-byte allocation — which is what the fault in frame 1 indicates. The fix a reviewer would expect is to NUL-terminate (or size-bound the search over) the buffer before calling strstr.

6c021c5d 	c745cc80000000	mov dword ptr [ebp-34h],80h
6c021c64 	eb6e	jmp impsz2!EscapeSetup+0x3f4 (6c021cd4)
6c021c66 	6a00	push 0
6c021c68 	6a00	push 0
6c021c6a 	8b4508	mov eax,dword ptr [ebp+8]
6c021c6d 	8b4804	mov ecx,dword ptr [eax+4]
6c021c70 	51	push ecx
6c021c71 	e88a0b0000	call impsz2!IMSGetFilterVersion+0x310 (6c022800)
6c021c76 	83c40c	add esp,0Ch
6c021c79 	6a01	push 1
6c021c7b 	8d55dc	lea edx,[ebp-24h]
6c021c7e 	52	push edx
6c021c7f 	684460026c	push offset impsz2!ImportEmbeddedGR+0x24e4 (6c026044)
6c021c84 	8b4508	mov eax,dword ptr [ebp+8]
6c021c87 	8b4804	mov ecx,dword ptr [eax+4]
6c021c8a 	51	push ecx
6c021c8b 	e86a0b0000	call impsz2!IMSGetFilterVersion+0x30a (6c0227fa)
6c021c90 	83c410	add esp,10h
6c021c93 	83f801	cmp eax,1
6c021c96 	7533	jne impsz2!EscapeSetup+0x3eb (6c021ccb)
6c021c98 	817ddcc5d0d3c6	cmp dword ptr [ebp-24h],0C6D3D0C5h
6c021c9f 	752a	jne impsz2!EscapeSetup+0x3eb (6c021ccb)
6c021ca1 	837de4fe	cmp dword ptr [ebp-1Ch],0FFFFFFFEh
6c021ca5 	7508	jne impsz2!EscapeSetup+0x3cf (6c021caf)
6c021ca7 	83c8ff	or eax,0FFFFFFFFh
6c021caa 	e9a6000000	jmp impsz2!EscapeSetup+0x475 (6c021d55)
6c021caf 	837de000	cmp dword ptr [ebp-20h],0
6c021cb3 	740e	je impsz2!EscapeSetup+0x3e3 (6c021cc3)
6c021cb5 	837de400	cmp dword ptr [ebp-1Ch],0
6c021cb9 	7408	je impsz2!EscapeSetup+0x3e3 (6c021cc3)
6c021cbb 	8b55e0	mov edx,dword ptr [ebp-20h]
6c021cbe 	8955cc	mov dword ptr [ebp-34h],edx
6c021cc1 	eb08	jmp impsz2!EscapeSetup+0x3eb (6c021ccb)
6c021cc3 	83c8ff	or eax,0FFFFFFFFh
6c021cc6 	e98a000000	jmp impsz2!EscapeSetup+0x475 (6c021d55)
6c021ccb 	eb07	jmp impsz2!EscapeSetup+0x3f4 (6c021cd4)
6c021ccd 	33c0	xor eax,eax
6c021ccf 	e981000000	jmp impsz2!EscapeSetup+0x475 (6c021d55)
6c021cd4 	6800010000	push 100h
6c021cd9 	e8c20a0000	call impsz2!IMSGetFilterVersion+0x2b0 (6c0227a0)
6c021cde 	83c404	add esp,4
6c021ce1 	8945d4	mov dword ptr [ebp-2Ch],eax
6c021ce4 	837dd400	cmp dword ptr [ebp-2Ch],0
6c021ce8 	7468	je impsz2!EscapeSetup+0x472 (6c021d52)
6c021cea 	6a00	push 0
6c021cec 	8b45cc	mov eax,dword ptr [ebp-34h]
6c021cef 	50	push eax
6c021cf0 	8b4d08	mov ecx,dword ptr [ebp+8]
6c021cf3 	8b5104	mov edx,dword ptr [ecx+4]
6c021cf6 	52	push edx
6c021cf7 	e8040b0000	call impsz2!IMSGetFilterVersion+0x310 (6c022800)
6c021cfc 	83c40c	add esp,0Ch
6c021cff 	8b45d4	mov eax,dword ptr [ebp-2Ch]
6c021d02 	50	push eax
6c021d03 	8b4d08	mov ecx,dword ptr [ebp+8]
6c021d06 	51	push ecx
6c021d07 	e864000000	call impsz2!EscapeSetup+0x490 (6c021d70)
6c021d0c 	83c408	add esp,8
6c021d0f 	85c0	test eax,eax
6c021d11 	7533	jne impsz2!EscapeSetup+0x466 (6c021d46)
6c021d13 	684c60026c	push offset impsz2!ImportEmbeddedGR+0x24ec (6c02604c)
6c021d18 	8b55d4	mov edx,dword ptr [ebp-2Ch]
6c021d1b 	52	push edx
6c021d1c 	ff15ec50026c	call dword ptr [impsz2!ImportEmbeddedGR+0x158c (6c0250ec)] // call — indirect call through an import-table slot; frame 1 of the stack shows it resolves to MSVCR120!strstr, with [ebp-2Ch] (the 0x100-byte buffer) as the haystack and the constant at 6c02604c as the needle
6c021d22 	83c408	add esp,8 // return address — this is the "impsz2.dll + 0x1D22" frame in the stack trace (0x6c021d22 minus module base 0x6C020000); execution never reached it because strstr faulted
6c021d25 	85c0	test eax,eax
6c021d27 	7516	jne impsz2!EscapeSetup+0x45f (6c021d3f)
6c021d29 	685860026c	push offset impsz2!ImportEmbeddedGR+0x24f8 (6c026058)
6c021d2e 	8b45d4	mov eax,dword ptr [ebp-2Ch]
6c021d31 	50	push eax
6c021d32 	ff15ec50026c	call dword ptr [impsz2!ImportEmbeddedGR+0x158c (6c0250ec)]
6c021d38 	83c408	add esp,8
6c021d3b 	85c0	test eax,eax
6c021d3d 	7407	je impsz2!EscapeSetup+0x466 (6c021d46)
6c021d3f 	c745c801000000	mov dword ptr [ebp-38h],1
6c021d46 	8d4dd4	lea ecx,[ebp-2Ch]
6c021d49 	51	push ecx
6c021d4a 	e8110a0000	call impsz2!IMSGetFilterVersion+0x270 (6c022760)
6c021d4f 	83c404	add esp,4
6c021d52 	8b45c8	mov eax,dword ptr [ebp-38h]
6c021d55 	8b4dfc	mov ecx,dword ptr [ebp-4]
6c021d58 	33cd	xor ecx,ebp
6c021d5a 	e8c50a0000	call impsz2!IMSGetFilterVersion+0x334 (6c022824)
6c021d5f 	8be5	mov esp,ebp
6c021d61 	5d	pop ebp
6c021d62 	c3	ret
6c021d63 	cc	int 3
6c021d64 	cc	int 3
6c021d65 	cc	int 3
6c021d66 	cc	int 3
6c021d67 	cc	int 3
6c021d68 	cc	int 3
6c021d69 	cc	int 3
6c021d6a 	cc	int 3
6c021d6b 	cc	int 3
6c021d6c 	cc	int 3
6c021d6d 	cc	int 3
6c021d6e 	cc	int 3
6c021d6f 	cc	int 3
6c021d70 	55	push ebp
6c021d71 	8bec	mov ebp,esp
6c021d73 	83ec18	sub esp,18h
6c021d76 	c745ec00000000	mov dword ptr [ebp-14h],0
6c021d7d 	c645ff00	mov byte ptr [ebp-1],0
6c021d81 	8b4508	mov eax,dword ptr [ebp+8]
6c021d84 	83780800	cmp dword ptr [eax+8],0
6c021d88 	7470	je impsz2!EscapeSetup+0x51a (6c021dfa)
6c021d8a 	c745f400000000	mov dword ptr [ebp-0Ch],0
6c021d91 	8b4d08	mov ecx,dword ptr [ebp+8]
6c021d94 	8b550c	mov edx,dword ptr [ebp+0Ch]
6c021d97 	035108	add edx,dword ptr [ecx+8]
6c021d9a 	52	push edx
6c021d9b 	e87e0a0000	call impsz2!IMSGetFilterVersion+0x32e (6c02281e)
6c021da0 	83c404	add esp,4

PoC

Attached


Attachments:
id_000046_00

References:
https://nvd.nist.gov/vuln/detail/CVE-2019-2612
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html