Oracle Hyperion ActiveX BO (Nov 18, 2011)
Oracle’s Hyperion is composed of various business performance management and business intelligence software. The Hyperion Financial line of products includes financial reporting and analysis components. Installation of Hyperion Financial on Windows systems will result in the installation of several ActiveX controls, one of which is named TTF16.ocx. This ActiveX control is associated with CLSID B0475003-7740-11D1-BDC3-0020AF9F8E6E, and ProgID TTF161.TTF1.6. The control is marked as scriptable, and as such, can be instantiated via a web page by using the
The TTF161.TTF1.6 control exposes several methods, one of which is a method named SetDevNames, which is used to set the default printer. An example code snippet illustrating the use of this function is shown:
SetDevNames('drivername', 'devicename', 'port')
A code execution vulnerability exists in Oracle’s Hyperion Financial TTF161.TTF1.6 ActiveX control. The vulnerability exists because of a heap buffer overflow during execution of the SetDevNames method. The method allocates a heap buffer of size determined by the number of characters in the given attributes. The method then converts the parameters into Unicode strings which results in doubling of their size. The Unicode strings are then copied into the allocated buffer. If any of the three parameters is not an empty string, a heap buffer overflow will occur.
In order to exploit this vulnerability, the attacker needs to entice the target user to visit a malicious web page. Any code execution resulting from exploitation will occur in the security context of the currently logged-in user. An unsuccessful code execution attempt may result in abnormal termination of the web browser.
SonicWALL has released an IPS signature that detects and blocks exploitation attempts targeting this vulnerability. The following signature has been released:
- 7161 – Oracle Hyperion Strategic TTF16 ActiveX Buffer Overflow
