CVE-2019-2613
Information
Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters). Supported versions that are affected are 8.5.3 and 8.5.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Outside In Technology. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Outside In Technology accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Outside In Technology.
Crash Dump:
Stack
sccch.dll + 0x48EF26D (id: 636, no function symbol available) [[f:\dd\vctools\crt\crtw32\string\i386\memcpy.asm @ 188]]
sccch.dll + 0x3AB1 (id: cbb, no function symbol available)
vspcx.dll + 0x34CF (no function symbol available)
Registers
eax = 0x8AFCED9   xmm0 = 0x0
ebx = 0x7FD8ED0   xmm1 = 0x0
ecx = 0xFED9      xmm2 = 0x0
edx = 0xFFE1      xmm3 = 0x0
esi = 0x8AED000   xmm4 = 0x0
edi = 0xD4A9324   xmm5 = 0x0
esp = 0x3AF368    xmm6 = 0x84F56A63ED29089336C3DBE2FDD67F1
ebp = 0xFFE1      xmm7 = 0x1
Disassembly of stack frame 1 at sccch.dll + 0x48EF26D
7339f19f 8b44240c mov eax,dword ptr [esp+0Ch]
7339f1a3 5e pop esi
7339f1a4 5f pop edi
7339f1a5 c3 ret
MSVCR120!memmove [f:\dd\vctools\crt\crtw32\string\i386\MEMCPY.ASM @ 137]:
7339f1a6 57 push edi
7339f1a7 56 push esi
7339f1a8 8b742410 mov esi,dword ptr [esp+10h]
7339f1ac 8b4c2414 mov ecx,dword ptr [esp+14h]
7339f1b0 8b7c240c mov edi,dword ptr [esp+0Ch]
7339f1b4 8bc1 mov eax,ecx
7339f1b6 8bd1 mov edx,ecx
7339f1b8 03c6 add eax,esi
7339f1ba 3bfe cmp edi,esi
7339f1bc 7608 jbe MSVCR120!memmove+0x20 (7339f1c6)
7339f1be 3bf8 cmp edi,eax
7339f1c0 0f8283290000 jb MSVCR120!TrailUpVec+0x50 (733a1b49)
7339f1c6 0fba25b4f7467301 bt dword ptr [MSVCR120!__favor (7346f7b4)],1
7339f1ce 0f82f7fcffff jb MSVCR120!memmove+0x2a (7339eecb)
7339f1d4 81f980000000 cmp ecx,80h
7339f1da 0f839c230000 jae MSVCR120!memmove+0x3d (733a157c)
7339f1e0 f7c703000000 test edi,3
7339f1e6 0f85f0290000 jne MSVCR120!memmove+0x228 (733a1bdc)
7339f1ec c1e902 shr ecx,2
7339f1ef 83e203 and edx,3
7339f1f2 83f908 cmp ecx,8
7339f1f5 7315 jae MSVCR120!memmove+0x21e (7339f20c)
7339f1f7 ff248db0f03973 jmp dword ptr MSVCR120!UnwindUpVec (7339f0b0)[ecx*4]
7339f1fe ff2495d0f03973 jmp dword ptr MSVCR120!TrailUpVec (7339f0d0)[edx*4]
7339f205 8b44240c mov eax,dword ptr [esp+0Ch]
7339f209 5e pop esi
7339f20a 5f pop edi
7339f20b c3 ret
7339f20c f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
7339f20e ff2495d0f03973 jmp dword ptr MSVCR120!TrailUpVec (7339f0d0)[edx*4]
7339f215 8b448efc mov eax,dword ptr [esi+ecx*4-4]
7339f219 89448ffc mov dword ptr [edi+ecx*4-4],eax
7339f21d 8d048d00000000 lea eax,[ecx*4]
7339f224 03f0 add esi,eax
7339f226 03f8 add edi,eax
7339f228 ebd4 jmp MSVCR120!UnwindUpVec+0x63 (7339f1fe)
7339f22a 8b448ef8 mov eax,dword ptr [esi+ecx*4-8]
7339f22e 89448ff8 mov dword ptr [edi+ecx*4-8],eax
7339f232 ebe1 jmp MSVCR120!UnwindUpVec+0x50 (7339f215)
7339f234 8b448ef4 mov eax,dword ptr [esi+ecx*4-0Ch]
7339f238 89448ff4 mov dword ptr [edi+ecx*4-0Ch],eax
7339f23c ebec jmp MSVCR120!UnwindUpVec+0x48 (7339f22a)
7339f23e 8b448ef0 mov eax,dword ptr [esi+ecx*4-10h]
7339f242 89448ff0 mov dword ptr [edi+ecx*4-10h],eax
7339f246 ebec jmp MSVCR120!UnwindUpVec+0x40 (7339f234)
7339f248 8b448eec mov eax,dword ptr [esi+ecx*4-14h]
7339f24c 89448fec mov dword ptr [edi+ecx*4-14h],eax
7339f250 ebec jmp MSVCR120!UnwindUpVec+0x38 (7339f23e)
7339f252 8b448ee8 mov eax,dword ptr [esi+ecx*4-18h]
7339f256 89448fe8 mov dword ptr [edi+ecx*4-18h],eax
7339f25a ebec jmp MSVCR120!UnwindUpVec+0x30 (7339f248)
7339f25c 8a06 mov al,byte ptr [esi]
7339f25e 8807 mov byte ptr [edi],al
7339f260 8a4601 mov al,byte ptr [esi+1]
7339f263 884701 mov byte ptr [edi+1],al
7339f266 8b44240c mov eax,dword ptr [esp+0Ch]
7339f26a 5e pop esi
7339f26b 5f pop edi
7339f26c c3 ret
7339f26d f3a4 rep movs byte ptr es:[edi],byte ptr [esi] // current instruction
7339f26f e9d7030000 jmp MSVCR120!TrailUpVec+0x10 (7339f64b)
7339f274 f7c703000000 test edi,3
7339f27a 0f85a8040000 jne MSVCR120!memcpy+0x228 (7339f728)
7339f280 f7c603000000 test esi,3
7339f286 0f85a6030000 jne MSVCR120!memcpy+0x213 (7339f632)
7339f28c 0fbae702 bt edi,2
7339f290 730d jae MSVCR120!memcpy+0x8f (7339f29f)
7339f292 8b06 mov eax,dword ptr [esi]
7339f294 83e904 sub ecx,4
7339f297 8d7604 lea esi,[esi+4]
7339f29a 8907 mov dword ptr [edi],eax
7339f29c 8d7f04 lea edi,[edi+4]
7339f29f 0fbae703 bt edi,3
7339f2a3 7311 jae MSVCR120!memcpy+0xa6 (7339f2b6)
7339f2a5 f30f7e0e movq xmm1,mmword ptr [esi]
7339f2a9 83e908 sub ecx,8
7339f2ac 8d7608 lea esi,[esi+8]
7339f2af 660fd60f movq mmword ptr [edi],xmm1
7339f2b3 8d7f08 lea edi,[edi+8]
7339f2b6 f7c607000000 test esi,7
7339f2bc 7463 je MSVCR120!memcpy+0x111 (7339f321)
7339f2be 0fbae603 bt esi,3
7339f2c2 0f83b1000000 jae MSVCR120!memcpy+0x16a (7339f379)
7339f2c8 660f6f4ef4 movdqa xmm1,xmmword ptr [esi-0Ch]
7339f2cd 8d76f4 lea esi,[esi-0Ch]
7339f2d0 660f6f5e10 movdqa xmm3,xmmword ptr [esi+10h]
7339f2d5 83e930 sub ecx,30h
7339f2d8 660f6f4620 movdqa xmm0,xmmword ptr [esi+20h]
7339f2dd 660f6f6e30 movdqa xmm5,xmmword ptr [esi+30h]
7339f2e2 8d7630 lea esi,[esi+30h]
7339f2e5 83f930 cmp ecx,30h
7339f2e8 660f6fd3 movdqa xmm2,xmm3
7339f2ec 660f3a0fd90c palignr xmm3,xmm1,0Ch
7339f2f2 660f7f1f movdqa xmmword ptr [edi],xmm3
7339f2f6 660f6fe0 movdqa xmm4,xmm0
7339f2fa 660f3a0fc20c palignr xmm0,xmm2,0Ch
7339f300 660f7f4710 movdqa xmmword ptr [edi+10h],xmm0
7339f305 660f6fcd movdqa xmm1,xmm5
7339f309 660f3a0fec0c palignr xmm5,xmm4,0Ch
7339f30f 660f7f6f20 movdqa xmmword ptr [edi+20h],xmm5
7339f314 8d7f30 lea edi,[edi+30h]
7339f317 7db7 jge MSVCR120!memcpy+0xc0 (7339f2d0)
7339f319 8d760c lea esi,[esi+0Ch]
7339f31c e9ae000000 jmp MSVCR120!memcpy+0x1c0 (7339f3cf)
7339f321 660f6f4ef8 movdqa xmm1,xmmword ptr [esi-8]
7339f326 8d76f8 lea esi,[esi-8]
7339f329 8d09 lea ecx,[ecx]
7339f32b 660f6f5e10 movdqa xmm3,xmmword ptr [esi+10h]
7339f330 83e930 sub ecx,30h
PoC
Attached
Attachments:
id_000025_00.pdf
References:
https://nvd.nist.gov/vuln/detail/CVE-2019-2613
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html