From advisories@ATSTAKE.COM Fri Sep 8 14:10:04 2000 From: "@stake Advisories" To: BUGTRAQ@SECURITYFOCUS.COM Date: Fri, 8 Sep 2000 09:18:47 -0400 Subject: [BUGTRAQ] @stake Advisory: DocumentDirect for the Internet (A090800-1) [The following text is in the "iso-8859-1" character set] [Your display is set for the "US-ASCII" character set] [Some characters may be displayed incorrectly] -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The vulnerability documented in this advisory is remotely exploitable yet we are releasing it on a Friday. We don't see this as adding any additional risk to DocumentDirect customers. The vendor, Mobius, has assured us that they have contacted all their customers and given them a fixed version of the software. Weld Pond weld@atstake.com @stake Inc. www.atstake.com Security Advisory Advisory Name: DocumentDirect for the Internet (A090800-1) Release Date: 09/08/2000 Application: Mobius DocumentDirect for the Internet 1.2 Platform: Windows NT 4.0 Severity: There are several buffer overflow conditions that could result in execution of arbitrary code or a denial of service. Authors: David Litchfield [dlitchfield@atstake.com] Mark Litchfield [mlitchfield@atstake.com] Contributors: Frank Swiderski [fes@atstake.com] Chris Eng [ceng@atstake.com] Vendor Status: Fixed version of software available Web: www.atstake.com/research/advisories/2000/a090800-1.txt Overview: Mobius' DocumentDirect for the Internet is a custom CGI application for Windows NT 4.0 that enables Internet-based viewing of documents. Clients access the document management system using a standard web browser. DocumentDirect's interface is customizable for each enterprise's environment. Authorization is supported via a sign-on ID and password, and fine-grained control can be exercised over the content made available to each individual user. It supports multiple document types, including PostScript, PDF, and various word processing and image file formats. There are several different buffer overflow conditions in the DocumentDirect for the Internet web application that could result in the execution of arbitrary code, or at the very least, a denial of service against the DocumentDirect Process Manager. Detailed Description: There are a several methods that can be used to overflow various static buffers in the DocumentDirect web application. The simplest is to issue the following HTTP command, which overflows a buffer in DDICGI.EXE: GET /ddrint/bin/ddicgi.exe?AAAAAAAAAA...AAAAA=X HTTP/1.0 In this instance, if the field ID consists of at least 1553 A's, the flow of execution returns immediately to 0x41414141. A properly crafted string could easily result in the execution of malicious code. A second overflow occurs when an overly long username is passed to DocumentDirect's web authorization form. A minimum of 208 characters are required in the username field in order to overwrite the saved return address. There is a continuation of execution issue, as the code must be permitted to return from several nested functions before exploit code is run. However, a carefully selected exploit string could be written to evade these limitations. This overflow occurs in DDIPROC.EXE rather than DDICGI.EXE, so an improperly written exploit will kill the DocumentDirect Process Manager, resulting in a denial of service for any DocumentDirect applications that are dependent on the Process Manager. It is not clear whether or not the Process Manager would be adversely affected if code was executed as a result of the overflow. A third overflow occurs when the "User-Agent" parameter contains an excessivly long string. The overflow causes an access violation in DDICGI.EXE. An example is: GET /ddrint/bin/ddicgi.exe HTTP/1.0\r\nUser-Agent: AAA...AAA\r\n\r\n It should be noted that any arbitrary code that is run as a result of these buffer overflows will execute in the context of the application containing the overflow. While DDICGI.EXE executes as a cgi-bin type application and typically executes as the equivalent to "nobody", other applications such as the Process Manager may be executing with elevated privileges. A cursory examination of the DocumentDirect for the Internet executable reveals liberal usage of static character buffers. As such, there are probably numerous additional overflow conditions that @stake did not uncover in this initial audit. Temporary Solution: If a web access control product is currently in use, restrict access to DocumentDirect to only those IP addresses associated with known DocumentDirect users. If DocumentDirect is hosted on a dedicated webserver, create a firewall rule or a router ACL to restrict inbound access to that machine until a fix is released. Another temporary workaround would be to implement HTTP basic authentication on the /ddrint/bin directory. By doing this, users would need to authenticate before accessing the CGI application. This way, if someone did attempt to exploit one of the vulnerabilities, it could be traced back to an individual user via the webserver logs. As these problems exist in a compiled binary, the temporary solutions are awkward without vendor involvement. Some other examples of temporary solutions would include binary editing of the application at hand or creating wrapper programs to sanitize the string lengths being handed to said application. Vendor Response: Vendor has contacted all of its customers and offered an upgraded fixed version of the software. For more advisories: http://www.atstake.com/research/index.html PGP Key: http://www.atstake.com/research/pgp_key.asc Copyright 2000 @stake, Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 iQA/AwUBObjl6lESXwDtLdMhEQIuaACg/uwhNSQJCWnDVM7w86/5XZmueNQAnjO/ S3XpAUs089//RPZZQ3FHKlr4 =F6ie -----END PGP SIGNATURE-----