Oracle AutoVue SetMarkupMode ActiveX Overflow

Added: 07/17/2012
CVE: CVE-2012-0549
BID: 53077
OSVDB: 81439


Oracle AutoVue Enterprise Visualization is a suite of Oracle products designed to deliver a web-based capability to access, view, digitally annotate and collaborate on technical and business documents, without requiring specialized computer-aided design (CAD) tools. AutoVue includes tools for Electronic Design Automation (EDA), a category of software tools for designing electronic systems such as printed circuit boards and integrated circuits.


The SetMarkupMode method of an ActiveX control provided by Oracle AutoVue does not properly sanitize its input parameters. If a user with this control installed were to visit a malicious web site, this vulnerability could be exploited to gain code execution on the victim's system.


Apply the updates detailed in the Oracle April 2012 Critical Patch Update (CPU). Alternatively, set the kill bit for the AutoVueX.ocx ActiveX control, which is registered under CLSID {B6FCC215-D303-11D1-BC6C-0000C078797F}, so that Internet Explorer refuses to instantiate it.
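The kill bit workaround above amounts to writing a registry value. The following PowerShell script is an added example written for this note (it is not Oracle's code and not part of the exploit module described here) that checks whether the kill bit is already set for the AutoVueX.ocx CLSID named in this advisory and sets it if not. It assumes an elevated session on the affected Windows host. The value it writes, a `Compatibility Flags` DWORD with bit 0x400 set under the `ActiveX Compatibility` key, is the mechanism Microsoft documents in KB240797; the CLSID comes from this page.

```powershell
# Added example: check and set the Internet Explorer kill bit for the
# AutoVueX.ocx control (CLSID taken from the advisory). Defensive hardening
# code written for this note, not Oracle's or the exploit author's code.
# Kill bit mechanism per Microsoft KB240797: DWORD 'Compatibility Flags' with
# bit 0x00000400 set under the ActiveX Compatibility key. Run elevated.

$Clsid   = '{B6FCC215-D303-11D1-BC6C-0000C078797F}'   # from the advisory
$KillBit = 0x400

# Native hive always; Wow6432Node hive only on 64-bit Windows, where 32-bit
# Internet Explorer reads the redirected key instead.
$Paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
if ([Environment]::Is64BitOperatingSystem) {
    $Paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

function Get-KillBitState {
    # Returns the current flags and whether bit 0x400 is present for one key path.
    param([string]$Path)
    $flags = $null
    if (Test-Path $Path) {
        $flags = (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).'Compatibility Flags'
    }
    [pscustomobject]@{
        Path       = $Path
        Flags      = $flags
        KillBitSet = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
    }
}

function Set-KillBit {
    # Creates the CLSID key if needed and ORs the kill bit into any existing
    # flags, so other compatibility bits already present are preserved.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path)
    if ($PSCmdlet.ShouldProcess($Path, "Set kill bit 0x400 in 'Compatibility Flags'")) {
        if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
        $existing = (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).'Compatibility Flags'
        $new = [int]($existing -bor $KillBit)   # $null is treated as 0 by -bor
        Set-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

foreach ($p in $Paths) {
    $state = Get-KillBitState -Path $p
    if ($state.KillBitSet) {
        Write-Output "Kill bit already set: $p (flags=0x{0:X})" -f $state.Flags
    } else {
        Set-KillBit -Path $p
        Write-Output "Kill bit set: $p"
    }
}
```

Run the script with `-WhatIf` semantics by calling `Set-KillBit -Path <key> -WhatIf` to preview changes; the kill bit takes effect for new Internet Explorer processes, so open browser windows should be closed afterwards. Re-running `Get-KillBitState` against each path is a quick way to confirm the setting during a compliance check.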



This exploit has been tested against Oracle AutoVue 20.0.2 on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn). The HTML page must be opened using Internet Explorer 8 or 9 on the target. JRE 6 must be installed on Windows 7.


