CVE-2019-2705
Information
Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters). Supported versions that are affected are 8.5.3 and 8.5.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Outside In Technology. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Outside In Technology as well as unauthorized update, insert or delete access to some of Oracle Outside In Technology accessible data.
Crash Dump:
Stack
wvcore.dll!oit::ParameterMap::removeListener + 0x9 (id: e0e)
sccdu.dll + 0x6D5DD (id: 570, no function symbol available)
sccdu.dll + 0x6CA80 (no function symbol available)
sccdu.dll + 0x6CADB (no function symbol available)
Registers
eax = 0x1        xmm0 = 0x0
ebx = 0x568      xmm1 = 0x0
ecx = 0xA4C2F70  xmm2 = 0x0
edx = 0x0        xmm3 = 0x0
esi = 0xA4A0E40  xmm4 = 0x0
edi = 0xA4A0F88  xmm5 = 0x0
esp = 0xF3EC48   xmm6 = 0x0
ebp = 0xF3F004   xmm7 = 0x3FF0000000000000
Disassembly of stack frame 1 at wvcore.dll!oit::ParameterMap::removeListener + 0x9
579b94bf 7d2c jge wvcore!oit::ParameterMap::notifyListeners+0x5d (579b94ed)
579b94c1 8b400c mov eax,dword ptr [eax+0Ch]
579b94c4 8b0cb0 mov ecx,dword ptr [eax+esi*4]
579b94c7 85c9 test ecx,ecx
579b94c9 740d je wvcore!oit::ParameterMap::notifyListeners+0x48 (579b94d8)
579b94cb 8b01 mov eax,dword ptr [ecx]
579b94cd 57 push edi
579b94ce ff7500 push dword ptr [ebp]
579b94d1 ff10 call dword ptr [eax]
579b94d3 85db test ebx,ebx
579b94d5 0f44d8 cmove ebx,eax
579b94d8 46 inc esi
579b94d9 3b7734 cmp esi,dword ptr [edi+34h]
579b94dc 7cd2 jl wvcore!oit::ParameterMap::notifyListeners+0x20 (579b94b0)
579b94de 5f pop edi
579b94df 5e pop esi
579b94e0 5d pop ebp
579b94e1 8bc3 mov eax,ebx
579b94e3 5b pop ebx
579b94e4 81c4a0000000 add esp,0A0h
579b94ea c20400 ret 4
579b94ed 6a01 push 1
579b94ef 6a00 push 0
579b94f1 6a00 push 0
579b94f3 6a00 push 0
579b94f5 687cfaa757 push offset wvcore!oit::ArrayList<oit::WString *>::`vbtable'+0x208 (57a7fa7c)
579b94fa 6889000000 push 89h
579b94ff 8d4c2428 lea ecx,[esp+28h]
579b9503 e89825ffff call wvcore!oit::Exception::Exception (579abaa0)
579b9508 68242dac57 push offset wvcore!oit::Win32SystemException::`vbtable'+0x12578 (57ac2d24)
579b950d 8d442414 lea eax,[esp+14h]
579b9511 50 push eax
579b9512 e8bd320b00 call wvcore!oit::Win32SystemException::clone+0x6384 (57a6c7d4)
579b9517 6a01 push 1
579b9519 6a00 push 0
579b951b 6a00 push 0
579b951d 6a00 push 0
579b951f 6830faa757 push offset wvcore!oit::ArrayList<oit::WString *>::`vbtable'+0x1bc (57a7fa30)
579b9524 6889000000 push 89h
579b9529 8d4c2428 lea ecx,[esp+28h]
579b952d e86e25ffff call wvcore!oit::Exception::Exception (579abaa0)
579b9532 68242dac57 push offset wvcore!oit::Win32SystemException::`vbtable'+0x12578 (57ac2d24)
579b9537 8d442414 lea eax,[esp+14h]
579b953b 50 push eax
579b953c e893320b00 call wvcore!oit::Win32SystemException::clone+0x6384 (57a6c7d4)
579b9541 cc int 3
579b9542 cc int 3
579b9543 cc int 3
579b9544 cc int 3
579b9545 cc int 3
579b9546 cc int 3
579b9547 cc int 3
579b9548 cc int 3
579b9549 cc int 3
579b954a cc int 3
579b954b cc int 3
579b954c cc int 3
579b954d cc int 3
579b954e cc int 3
579b954f cc int 3
wvcore!oit::ParameterMap::removeListener:
579b9550 81ec40010000 sub esp,140h
579b9556 33d2 xor edx,edx
579b9558 56 push esi
579b9559 8b7134 mov esi,dword ptr [ecx+34h] // current instruction
579b955c 85f6 test esi,esi
579b955e 7e32 jle wvcore!oit::ParameterMap::removeListener+0x42 (579b9592)
579b9560 57 push edi
579b9561 8bbc244c010000 mov edi,dword ptr [esp+14Ch]
579b9568 85d2 test edx,edx
579b956a 0f88cb000000 js wvcore!oit::ParameterMap::removeListener+0xeb (579b963b)
579b9570 3bd6 cmp edx,esi
579b9572 0f8dc3000000 jge wvcore!oit::ParameterMap::removeListener+0xeb (579b963b)
579b9578 8b4130 mov eax,dword ptr [ecx+30h]
579b957b 3b5008 cmp edx,dword ptr [eax+8]
579b957e 0f8d8d000000 jge wvcore!oit::ParameterMap::removeListener+0xc1 (579b9611)
579b9584 8b400c mov eax,dword ptr [eax+0Ch]
579b9587 393c90 cmp dword ptr [eax+edx*4],edi
579b958a 7410 je wvcore!oit::ParameterMap::removeListener+0x4c (579b959c)
579b958c 42 inc edx
579b958d 3bd6 cmp edx,esi
579b958f 7cd7 jl wvcore!oit::ParameterMap::removeListener+0x18 (579b9568)
579b9591 5f pop edi
579b9592 5e pop esi
579b9593 81c440010000 add esp,140h
579b9599 c20400 ret 4
579b959c 3bd6 cmp edx,esi
579b959e 7d47 jge wvcore!oit::ParameterMap::removeListener+0x97 (579b95e7)
579b95a0 8b4130 mov eax,dword ptr [ecx+30h]
579b95a3 3b5008 cmp edx,dword ptr [eax+8]
579b95a6 7d15 jge wvcore!oit::ParameterMap::removeListener+0x6d (579b95bd)
579b95a8 8b400c mov eax,dword ptr [eax+0Ch]
579b95ab 5f pop edi
579b95ac 5e pop esi
579b95ad c7049000000000 mov dword ptr [eax+edx*4],0
579b95b4 81c440010000 add esp,140h
579b95ba c20400 ret 4
579b95bd 6a01 push 1
579b95bf 6a00 push 0
579b95c1 6a00 push 0
579b95c3 6a00 push 0
579b95c5 687cfaa757 push offset wvcore!oit::ArrayList<oit::WString *>::`vbtable'+0x208 (57a7fa7c)
579b95ca 6889000000 push 89h
579b95cf 8d4c2420 lea ecx,[esp+20h]
579b95d3 e8c824ffff call wvcore!oit::Exception::Exception (579abaa0)
579b95d8 68242dac57 push offset wvcore!oit::Win32SystemException::`vbtable'+0x12578 (57ac2d24)
579b95dd 8d44240c lea eax,[esp+0Ch]
579b95e1 50 push eax
579b95e2 e8ed310b00 call wvcore!oit::Win32SystemException::clone+0x6384 (57a6c7d4)
579b95e7 6a01 push 1
579b95e9 6a00 push 0
579b95eb 6a00 push 0
579b95ed 6a00 push 0
579b95ef 688000a857 push offset wvcore!oit::ArrayList<oit::PipelineStage *>::`vbtable'+0xa8 (57a80080)
PoC
Attached
Attachments:
id_000053_00
References:
https://nvd.nist.gov/vuln/detail/CVE-2019-2705
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html