Oracle Hyperion Strategic Finance ActiveX control buffer overflow (OracleHyperionActivexBo)

Vuln ID: 71163
Risk Level: High risk vulnerability  High OracleHyperionActivexBo
Platforms: Oracle Hyperion Strategic Finance: 11.1.2.1.0, Oracle Formula One ActiveX control (TTF16.ocx): 6.3.5.1
Description:

The Oracle Hyperion Strategic Finance Formula One ActiveX control (TTF16.ocx). is vulnerable to a heap-based buffer overflow. By persuading a victim to visit a specially-crafted Web page that passes an overly long argument to the insecure SetDevNames() method using the DriverName parameter, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the victim's browser to crash.
Remedy:

No remedy available as of May 1, 2013.
False Positives:
False Negatives:
Required Permission: Windows login
Additional Information:

References:

Offensive Security Exploit Database [11-07-2011]
Oracle Hyperion Strategic Finance 12.x Tidestone Formula One WorkBook OLE Control TTF16.ocx Remote Heap Overflow
http://www.exploit-db.com/exploits/18092/

Oracle Web site
Oracle Hyperion Strategic Finance ActiveX control
http://www.oracle.com/us/solutions/ent-performance-bi/hyperion-strategic-finance-066540.html

ISS X-Force
Oracle Hyperion Strategic Finance ActiveX control buffer overflow
http://www.iss.net/security_center/static/71163.php

CVE CVE-2011-5167
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5167
X-Force Logo
Know Your Risks		 Mitre.org CVE Logo
Common Vulnerabilties & Exposures