[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : DocumentDirect for the Internet (A090800-1)

Title: DocumentDirect for the Internet (A090800-1)
Released by: @stake
Date: 8th September 2000
Printable version: Click here
                              @stake Inc.


                           Security Advisory

Advisory Name: DocumentDirect for the Internet (A090800-1)

 Release Date: 09/08/2000

  Application: Mobius DocumentDirect for the Internet 1.2

     Platform: Windows NT 4.0

     Severity: There are several buffer overflow conditions

               that could result in execution of arbitrary

               code or a denial of service.

      Authors: David Litchfield [dlitchfield@atstake.com]

               Mark Litchfield [mlitchfield@atstake.com]

 Contributors: Frank Swiderski [fes@atstake.com]

               Chris Eng [ceng@atstake.com]

Vendor Status: Fixed version of software available

          Web: www.atstake.com/research/advisories/2000/a090800-1.txt


Mobius' DocumentDirect for the Internet is a custom CGI

application for Windows NT 4.0 that enables Internet-based viewing

of documents.  Clients access the document management system using a

standard web browser.  DocumentDirect's interface is customizable for

each enterprise's environment.  Authorization is supported via a sign-on

ID and password, and fine-grained control can be exercised over the

content made available to each individual user.  It supports multiple

document types, including PostScript, PDF, and various word processing

and image file formats.

There are several different buffer overflow conditions in the

DocumentDirect for the Internet web application that could result in

the execution of arbitrary code, or at the very least, a denial of

service against the DocumentDirect Process Manager.

Detailed Description:

There are a several methods that can be used to overflow various

static buffers in the DocumentDirect web application.  The simplest

is to issue the following HTTP command, which overflows a buffer in


GET /ddrint/bin/ddicgi.exe?AAAAAAAAAA...AAAAA=X HTTP/1.0

In this instance, if the field ID consists of at least 1553 A's,

the flow of execution returns immediately to 0x41414141.  A properly

crafted string could easily result in the execution of malicious code.

A second overflow occurs when an overly long username is passed

to DocumentDirect's web authorization form.  A minimum of 208 characters

are required in the username field in order to overwrite the saved return

address.  There is a continuation of execution issue, as the code must

be permitted to return from several nested functions before exploit

code is run.  However, a carefully selected exploit string could be

written to evade these limitations.  This overflow occurs in DDIPROC.EXE

rather than DDICGI.EXE, so an improperly written exploit will kill

the DocumentDirect Process Manager, resulting in a denial of service

for any DocumentDirect applications that are dependent on the Process

Manager.  It is not clear whether or not the Process Manager would be

adversely affected if code was executed as a result of the overflow.

A third overflow occurs when the "User-Agent" parameter contains

an excessivly long string.  The overflow causes an access violation in

DDICGI.EXE.  An example is:

GET /ddrint/bin/ddicgi.exe HTTP/1.0\r\nUser-Agent: AAA...AAA\r\n\r\n

It should be noted that any arbitrary code that is run as a

result of these buffer overflows will execute in the context of the

application containing the overflow.  While DDICGI.EXE executes as a

cgi-bin type application and typically executes as the equivalent to

"nobody", other applications such as the Process Manager may be

executing with elevated privileges.

A cursory examination of the DocumentDirect for the Internet

executable reveals liberal usage of static character buffers.  As such,

there are probably numerous additional overflow conditions that @stake

did not uncover in this initial audit.

Temporary Solution:

If a web access control product is currently in use, restrict

access to DocumentDirect to only those IP addresses associated with

known DocumentDirect users.  If DocumentDirect is hosted on a dedicated

webserver, create a firewall rule or a router ACL to restrict inbound

access to that machine until a fix is released.

Another temporary workaround would be to implement HTTP basic

authentication on the /ddrint/bin directory.  By doing this, users

would need to authenticate before accessing the CGI application.  This

way, if someone did attempt to exploit one of the vulnerabilities, it

could be traced back to an individual user via the webserver logs.

As these problems exist in a compiled binary, the temporary

solutions are awkward without vendor involvement.  Some other examples

of temporary solutions would include binary editing of the application

at hand or creating wrapper programs to sanitize the string lengths

being handed to said application.

Vendor Response:

Vendor has contacted all of its customers and offered an

upgraded fixed version of the software.

For more advisories: http://www.atstake.com/research/index.html

PGP Key: http://www.atstake.com/research/pgp_key.asc

Copyright 2000 @stake, Inc. All rights reserved.

(C) 1999-2000 All rights reserved.