Oracle Hyperion ActiveX BO (Nov 18, 2011)


Oracle’s Hyperion is composed of various business performance management and business intelligence software. The Hyperion Financial line of products includes financial reporting and analysis components. Installation of Hyperion Financial on Windows systems will result in the installation of several ActiveX controls, one of which is named TTF16.ocx. This ActiveX control is associated with CLSID B0475003-7740-11D1-BDC3-0020AF9F8E6E, and ProgID TTF161.TTF1.6. The control is marked as scriptable, and as such, can be instantiated via a web page by using the tag or through scripting. The following examples demonstrate example instantiation code snippets:

  Or var ctrl = new ActiveXObject("TTF161.TTF1.6"); 

The TTF161.TTF1.6 control exposes several methods, one of which is a method named SetDevNames, which is used to set the default printer. An example code snippet illustrating the use of this function is shown:

SetDevNames('drivername', 'devicename', 'port')

A code execution vulnerability exists in Oracle’s Hyperion Financial TTF161.TTF1.6 ActiveX control. The vulnerability exists because of a heap buffer overflow during execution of the SetDevNames method. The method allocates a heap buffer of size determined by the number of characters in the given attributes. The method then converts the parameters into Unicode strings which results in doubling of their size. The Unicode strings are then copied into the allocated buffer. If any of the three parameters is not an empty string, a heap buffer overflow will occur.

In order to exploit this vulnerability, the attacker needs to entice the target user to visit a malicious web page. Any code execution resulting from exploitation will occur in the security context of the currently logged-in user. An unsuccessful code execution attempt may result in abnormal termination of the web browser.

SonicWALL has released an IPS signature that detects and blocks exploitation attempts targeting this vulnerability. The following signature has been released:

  • 7161 – Oracle Hyperion Strategic TTF16 ActiveX Buffer Overflow
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.

Pin It on Pinterest