Information

Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters). Supported versions that are affected are 8.5.3 and 8.5.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Outside In Technology. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Outside In Technology accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Outside In Technology.

Crash Dump:

Stack

sccch.dll + 0x48EF26D (id: 636, no function symbol available) [[f:\dd\vctools\crt\crtw32\string\i386\memcpy.asm @ 188]]
sccch.dll + 0x3AB1 (id: cbb, no function symbol available)
vspcx.dll + 0x34CF (no function symbol available)

Registers

eax   =  0x8AFCED9	xmm0  =                                0x0
ebx   =  0x7FD8ED0	xmm1  =                                0x0
ecx   =     0xFED9	xmm2  =                                0x0
edx   =     0xFFE1	xmm3  =                                0x0
esi   =  0x8AED000	xmm4  =                                0x0
edi   =  0xD4A9324	xmm5  =                                0x0
esp   =   0x3AF368	xmm6  =  0x84F56A63ED29089336C3DBE2FDD67F1
ebp   =     0xFFE1	xmm7  =                                0x1

Disassembly of stack frame 1 at sccch.dll + 0x48EF26D

7339f19f 	8b44240c	mov eax,dword ptr [esp+0Ch]
7339f1a3 	5e	pop esi
7339f1a4 	5f	pop edi
7339f1a5 	c3	ret
MSVCR120!memmove [f:\dd\vctools\crt\crtw32\string\i386\MEMCPY.ASM @ 137]:
7339f1a6 	57	push edi
7339f1a7 	56	push esi
7339f1a8 	8b742410	mov esi,dword ptr [esp+10h]
7339f1ac 	8b4c2414	mov ecx,dword ptr [esp+14h]
7339f1b0 	8b7c240c	mov edi,dword ptr [esp+0Ch]
7339f1b4 	8bc1	mov eax,ecx
7339f1b6 	8bd1	mov edx,ecx
7339f1b8 	03c6	add eax,esi
7339f1ba 	3bfe	cmp edi,esi
7339f1bc 	7608	jbe MSVCR120!memmove+0x20 (7339f1c6)
7339f1be 	3bf8	cmp edi,eax
7339f1c0 	0f8283290000	jb MSVCR120!TrailUpVec+0x50 (733a1b49)
7339f1c6 	0fba25b4f7467301	bt dword ptr [MSVCR120!__favor (7346f7b4)],1
7339f1ce 	0f82f7fcffff	jb MSVCR120!memmove+0x2a (7339eecb)
7339f1d4 	81f980000000	cmp ecx,80h
7339f1da 	0f839c230000	jae MSVCR120!memmove+0x3d (733a157c)
7339f1e0 	f7c703000000	test edi,3
7339f1e6 	0f85f0290000	jne MSVCR120!memmove+0x228 (733a1bdc)
7339f1ec 	c1e902	shr ecx,2
7339f1ef 	83e203	and edx,3
7339f1f2 	83f908	cmp ecx,8
7339f1f5 	7315	jae MSVCR120!memmove+0x21e (7339f20c)
7339f1f7 	ff248db0f03973	jmp dword ptr MSVCR120!UnwindUpVec (7339f0b0)[ecx*4]
7339f1fe 	ff2495d0f03973	jmp dword ptr MSVCR120!TrailUpVec (7339f0d0)[edx*4]
7339f205 	8b44240c	mov eax,dword ptr [esp+0Ch]
7339f209 	5e	pop esi
7339f20a 	5f	pop edi
7339f20b 	c3	ret
7339f20c 	f3a5	rep movs dword ptr es:[edi],dword ptr [esi]
7339f20e 	ff2495d0f03973	jmp dword ptr MSVCR120!TrailUpVec (7339f0d0)[edx*4]
7339f215 	8b448efc	mov eax,dword ptr [esi+ecx*4-4]
7339f219 	89448ffc	mov dword ptr [edi+ecx*4-4],eax
7339f21d 	8d048d00000000	lea eax,[ecx*4]
7339f224 	03f0	add esi,eax
7339f226 	03f8	add edi,eax
7339f228 	ebd4	jmp MSVCR120!UnwindUpVec+0x63 (7339f1fe)
7339f22a 	8b448ef8	mov eax,dword ptr [esi+ecx*4-8]
7339f22e 	89448ff8	mov dword ptr [edi+ecx*4-8],eax
7339f232 	ebe1	jmp MSVCR120!UnwindUpVec+0x50 (7339f215)
7339f234 	8b448ef4	mov eax,dword ptr [esi+ecx*4-0Ch]
7339f238 	89448ff4	mov dword ptr [edi+ecx*4-0Ch],eax
7339f23c 	ebec	jmp MSVCR120!UnwindUpVec+0x48 (7339f22a)
7339f23e 	8b448ef0	mov eax,dword ptr [esi+ecx*4-10h]
7339f242 	89448ff0	mov dword ptr [edi+ecx*4-10h],eax
7339f246 	ebec	jmp MSVCR120!UnwindUpVec+0x40 (7339f234)
7339f248 	8b448eec	mov eax,dword ptr [esi+ecx*4-14h]
7339f24c 	89448fec	mov dword ptr [edi+ecx*4-14h],eax
7339f250 	ebec	jmp MSVCR120!UnwindUpVec+0x38 (7339f23e)
7339f252 	8b448ee8	mov eax,dword ptr [esi+ecx*4-18h]
7339f256 	89448fe8	mov dword ptr [edi+ecx*4-18h],eax
7339f25a 	ebec	jmp MSVCR120!UnwindUpVec+0x30 (7339f248)
7339f25c 	8a06	mov al,byte ptr [esi]
7339f25e 	8807	mov byte ptr [edi],al
7339f260 	8a4601	mov al,byte ptr [esi+1]
7339f263 	884701	mov byte ptr [edi+1],al
7339f266 	8b44240c	mov eax,dword ptr [esp+0Ch]
7339f26a 	5e	pop esi
7339f26b 	5f	pop edi
7339f26c 	c3	ret
7339f26d 	f3a4	rep movs byte ptr es:[edi],byte ptr [esi] // current instruction
7339f26f 	e9d7030000	jmp MSVCR120!TrailUpVec+0x10 (7339f64b)
7339f274 	f7c703000000	test edi,3
7339f27a 	0f85a8040000	jne MSVCR120!memcpy+0x228 (7339f728)
7339f280 	f7c603000000	test esi,3
7339f286 	0f85a6030000	jne MSVCR120!memcpy+0x213 (7339f632)
7339f28c 	0fbae702	bt edi,2
7339f290 	730d	jae MSVCR120!memcpy+0x8f (7339f29f)
7339f292 	8b06	mov eax,dword ptr [esi]
7339f294 	83e904	sub ecx,4
7339f297 	8d7604	lea esi,[esi+4]
7339f29a 	8907	mov dword ptr [edi],eax
7339f29c 	8d7f04	lea edi,[edi+4]
7339f29f 	0fbae703	bt edi,3
7339f2a3 	7311	jae MSVCR120!memcpy+0xa6 (7339f2b6)
7339f2a5 	f30f7e0e	movq xmm1,mmword ptr [esi]
7339f2a9 	83e908	sub ecx,8
7339f2ac 	8d7608	lea esi,[esi+8]
7339f2af 	660fd60f	movq mmword ptr [edi],xmm1
7339f2b3 	8d7f08	lea edi,[edi+8]
7339f2b6 	f7c607000000	test esi,7
7339f2bc 	7463	je MSVCR120!memcpy+0x111 (7339f321)
7339f2be 	0fbae603	bt esi,3
7339f2c2 	0f83b1000000	jae MSVCR120!memcpy+0x16a (7339f379)
7339f2c8 	660f6f4ef4	movdqa xmm1,xmmword ptr [esi-0Ch]
7339f2cd 	8d76f4	lea esi,[esi-0Ch]
7339f2d0 	660f6f5e10	movdqa xmm3,xmmword ptr [esi+10h]
7339f2d5 	83e930	sub ecx,30h
7339f2d8 	660f6f4620	movdqa xmm0,xmmword ptr [esi+20h]
7339f2dd 	660f6f6e30	movdqa xmm5,xmmword ptr [esi+30h]
7339f2e2 	8d7630	lea esi,[esi+30h]
7339f2e5 	83f930	cmp ecx,30h
7339f2e8 	660f6fd3	movdqa xmm2,xmm3
7339f2ec 	660f3a0fd90c	palignr xmm3,xmm1,0Ch
7339f2f2 	660f7f1f	movdqa xmmword ptr [edi],xmm3
7339f2f6 	660f6fe0	movdqa xmm4,xmm0
7339f2fa 	660f3a0fc20c	palignr xmm0,xmm2,0Ch
7339f300 	660f7f4710	movdqa xmmword ptr [edi+10h],xmm0
7339f305 	660f6fcd	movdqa xmm1,xmm5
7339f309 	660f3a0fec0c	palignr xmm5,xmm4,0Ch
7339f30f 	660f7f6f20	movdqa xmmword ptr [edi+20h],xmm5
7339f314 	8d7f30	lea edi,[edi+30h]
7339f317 	7db7	jge MSVCR120!memcpy+0xc0 (7339f2d0)
7339f319 	8d760c	lea esi,[esi+0Ch]
7339f31c 	e9ae000000	jmp MSVCR120!memcpy+0x1c0 (7339f3cf)
7339f321 	660f6f4ef8	movdqa xmm1,xmmword ptr [esi-8]
7339f326 	8d76f8	lea esi,[esi-8]
7339f329 	8d09	lea ecx,[ecx]
7339f32b 	660f6f5e10	movdqa xmm3,xmmword ptr [esi+10h]
7339f330 	83e930	sub ecx,30h

PoC

Attached


Attachments:
id_000025_00.pdf

References:
https://nvd.nist.gov/vuln/detail/CVE-2019-2613
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html