Oracle Hyperion Financial Management ActiveX Heap Overflow

Added: 11/21/2011
BID: 50565
OSVDB: 76913

Background

Oracle Hyperion Financial Management is a web-based financial consolidation, reporting and analysis solution.

Problem

The Hyperion Financial Management web application installs an ActiveX control on the target system. This control is marked as safe for scripting and initialization, which allows any website to instantiate it. The SetDevNames function does not properly validate its parameters. A malicious website could instantiate the ActiveX control and pass a specially crafted long value to SetDevNames, which triggers a heap overflow. If used in combination with a heap spray, this may allow an attacker to gain remote code execution on the target system.

Resolution

No update is available for this vulnerability at the time of publishing this exploit. As a mitigation, the kill bit can be set for the ActiveX control by following the instructions detailed here. Please note that this may prevent the web client from functioning properly.
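The following PowerShell is an added example illustrating the kill-bit mitigation described above; it is not part of the advisory and not Oracle's or Microsoft's code. It uses the documented Internet Explorer mechanism (a "Compatibility Flags" DWORD with the 0x400 bit set under "ActiveX Compatibility\{CLSID}"). The CLSID value is a placeholder, since the advisory does not list the control's CLSID; replace it with the real one before use.

```powershell
# Added example: set and verify the Internet Explorer kill bit for an ActiveX control.
# The CLSID below is a PLACEHOLDER (assumption), not the real CLSID of the
# Hyperion Financial Management control; substitute the actual value.
$Clsid = '{00000000-0000-0000-0000-000000000000}'

# Keys consulted by IE; Wow6432Node covers 32-bit IE on 64-bit Windows.
$KillBitPaths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
)
$KillBitFlag = 0x400   # COMPAT_KILL_BIT: IE refuses to load the control

function Set-ActiveXKillBit {
    param([string[]]$Paths = $KillBitPaths)
    foreach ($p in $Paths) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        $existing = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' `
                        -ErrorAction SilentlyContinue).'Compatibility Flags'
        # OR the kill bit in so any other compatibility flags are preserved
        $new = [int]($existing -bor $KillBitFlag)
        Set-ItemProperty -Path $p -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

function Test-ActiveXKillBit {
    param([string[]]$Paths = $KillBitPaths)
    foreach ($p in $Paths) {
        $flags = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' `
                     -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $flags) { $flags = 0 }
        [pscustomobject]@{
            Path    = $p
            Flags   = ('0x{0:X8}' -f $flags)
            KillBit = (($flags -band $KillBitFlag) -eq $KillBitFlag)
        }
    }
}

# Usage (elevated PowerShell session required to write under HKLM):
# Set-ActiveXKillBit
# Test-ActiveXKillBit | Format-Table -AutoSize
```

Test-ActiveXKillBit is the check to run across a fleet after deployment: a KillBit column of False on either path means IE will still load the control. Setting the kill bit blocks the control in Internet Explorer regardless of its safe-for-scripting marking, which is why the advisory warns the Hyperion web client itself may stop working until a fixed control is available.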

References

http://retrogod.altervista.org/9sg_ttf16.html
http://secunia.com/advisories/46764/

Limitations

This exploit has been tested against Oracle Hyperion Strategic Finance 11.1.2.1.0 on Windows XP SP3 English (DEP OptIn) with KB2586448.

Platforms

Windows
