Oracle Outside In Library OOXML Overflow

Added: 02/03/2012
CVE: CVE-2012-0110
BID: 51452
OSVDB: 78411

Background

Oracle Outside In is a suite of software development kits that gives developers a comprehensive solution to access, transform, and control the contents of over 500 unstructured file formats.

Problem

Outside In versions 8.3.5 through 8.3.7 fail to properly validate fields in OpenOffice XML (OOXML) documents. If a user opens a malicious OOXML document in a piece of software that uses the vulnerable SDK, an attacker could take over execution of the target's system.

Resolution

Because Outside In is an SDK, third-party applications distribute the libraries. Check with your application provider to make sure you are running the latest version of the affected software.

References

http://www.zerodayinitiative.com/advisories/ZDI-12-017/
http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html
http://www.kb.cert.org/vuls/id/738961

Limitations

This exploit has been tested against Avantstar Quick View Plus 11.1.0 Standard Edition and ACD Systems Canvas 12 running on Windows XP SP3 English (DEP OptIn). The 'zip' utility must be installed on the system that is running the exploit.

Platforms

Avantstar Quick View Plus 11.1.0 Standard
ACD Systems Canvas 12
