Attacker Value: Unknown (1 user assessed)
Exploitability: Unknown (1 user assessed)
User Interaction: Unknown
Privileges Required: Unknown
Attack Vector: Unknown

Oracle Document Capture BlackIceDevMode.ocx ActiveX Remote Code Execution Vulnerability

Disclosure Date: April 17, 2013
Last updated: February 13, 2020

Description

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Oracle Document Capture. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

Technical Analysis

```
.text:100021EA align 10h
.text:100021F0
.text:100021F0 loc_100021F0:                ; CODE XREF: sub_10002140+A8j
.text:100021F0                              ; sub_10002140+BD1j
.text:100021F0 movzx   ecx, word ptr [eax]
.text:100021F3 mov     [edx+eax], cx
.text:100021F7 add     eax, 2
.text:100021FA test    cx, cx
.text:100021FD jnz     short loc_100021F0
```

edx points to a local variable, eax to the user-controlled annotation.

Crash:

```
(d98.4cc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for C:\PROGRA~1\BLACKI~1\BLACKI~2\BLACKI~1\BLACKI~1.OCX
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\PROGRA~1\BLACKI~1\BLACKI~2\BLACKI~1\BLACKI~1.OCX -
eax=03719080 ebx=00000000 ecx=00000041 edx=fe906f80 esi=0201f1e0 edi=00000040
eip=100021f3 esp=0201f174 ebp=0201f38c iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
BLACKI_1!DllUnregisterServer+0xfc3:
100021f3 66890c02        mov     word ptr [edx+eax],cx    ds:0023:02020000=4d5a
0:008> db edx
0:008> db eax
03719080  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03719090  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
037190a0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
037190b0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
037190c0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
037190d0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
037190e0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
037190f0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
```

In this case the exception is due to an overflow of the stack space. Trying to write past the stack generates an exception. But this situation is tricky to exploit in modern versions of IE because the heap comes after the stack... so generating an exception tends to be tricky. Will give it a chance anyway.

On the other hand the vulnerable function is protected by stack cookies:

```
.text:1000221D xor     ecx, esp
.text:1000221F call    @__security_check_cookie@4 ; __security_check_cookie(x)
.text:10002224 add     esp, 60h
.text:10002227 retn    3Ch
.text:10002227 sub_10002140 endp
```

Finally, it doesn't look so bad for exploitation via SEH overwrite, but bad luck, because the OCX is SafeSEH = true :( So... sounds difficult to make it exploitable outside of IE6/IE7.
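As an added illustration in C (not part of the assessment above or of the vendor's code): the copy loop from the disassembly translated directly, beside a length-checked form of the same copy. The function names are invented here, and `ANNOTATION_UNITS` is an assumed capacity, since the page shows only the 0x60-byte frame and not the real size of the local buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Illustrative capacity of the on-stack annotation buffer, in UTF-16 code
 * units. The page only shows that the frame is 0x60 bytes (add esp, 60h);
 * the real buffer size is unknown, so this value is an assumption. */
#define ANNOTATION_UNITS 48

/* Number of code units a NUL-terminated UTF-16 string occupies, terminator
 * included. This is the value the original loop never computes. */
size_t units_needed(const uint16_t *src)
{
    size_t n = 0;
    while (src[n] != 0) n++;
    return n + 1;
}

/* Direct translation of the loop at loc_100021F0. In the disassembly edx
 * holds (dst - src), so [edx+eax] is the destination slot for the source
 * word at [eax]; a plain index expresses the same thing. It stops only at
 * the terminator, so the destination size plays no part at all. */
void copy_annotation_unbounded(uint16_t *dst, const uint16_t *src)
{
    size_t i = 0;
    uint16_t cx;
    do {
        cx = src[i];        /* movzx ecx, word ptr [eax] */
        dst[i] = cx;        /* mov [edx+eax], cx         */
        i++;                /* add eax, 2                */
    } while (cx != 0);      /* test cx, cx / jnz         */
}

/* Hardened form: the destination capacity is part of the call. Input that
 * does not fit (terminator included) is rejected and dst is left as an
 * empty string, instead of being written past the end of the frame. */
bool copy_annotation_bounded(uint16_t *dst, size_t dst_units,
                             const uint16_t *src)
{
    if (dst_units == 0) return false;
    size_t need = units_needed(src);
    if (need > dst_units) {
        dst[0] = 0;
        return false;
    }
    for (size_t i = 0; i < need; i++)
        dst[i] = src[i];
    return true;
}
```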
