Unchecked Buffers in DocumentDirect Run Arbitrary Code


Reported September 8, 2000 by
@stake

VERSIONS AFFECTED
  • Mobius DocumentDirect 1.2

DESCRIPTION

DocumentDirect is a Web-based document management system. Several unchecked buffers exist within the components of the product, each of which could allow arbitrary code to execute on the server.

DEMONSTRATION

By sending a field identifier name of at least 1533 characters to the DDICGI.EXE program (as shown in the GET request below), a buffer overflows and execution returns to the memory address 0x41414141:

  • GET /ddrint/bin/ddicgi.exe?AAAAAAAAAA...AAAAA=X HTTP/1.0

By sending a username of at least 208 characters to the authentication Web form, an overflow will occur.

If an excessively long string is sent as the value of the User-Agent header, an access violation will occur.

  • GET /ddrint/bin/ddicgi.exe HTTP/1.0\r\nUser-Agent: [long string]\r\n\r\n
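
The unchecked-buffer pattern described above, and the bounds check that removes it, as an added C example written for this page: it is not code from DocumentDirect, Mobius or @stake, and the buffer sizes FIELD_NAME_MAX and USER_AGENT_MAX, the function names and the sample requests are constructed assumptions that do not reflect the internals of DDICGI.EXE. The gate rejects an over-long field identifier or User-Agent value before any fixed-size copy takes place.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed buffer sizes a CGI program might use. Constructed for this example;
   they are NOT the sizes used inside DDICGI.EXE. */
#define FIELD_NAME_MAX 64
#define USER_AGENT_MAX 256

/* The unchecked pattern behind this class of bug: the field name (everything
   before '=') is copied into a fixed buffer with no length check. Shown for
   contrast only; never call it with untrusted input. */
static void extract_field_name_unchecked(const char *query, char *out)
{
    const char *eq = strchr(query, '=');
    size_t n = eq ? (size_t)(eq - query) : strlen(query);
    memcpy(out, query, n);          /* writes past 'out' when n >= its size */
    out[n] = '\0';
}

/* Hardened version: refuses any name that would not fit together with its
   terminating NUL. Returns 0 on success, -1 when the input is rejected. */
static int extract_field_name(const char *query, char *out, size_t outlen)
{
    const char *eq = strchr(query, '=');
    size_t n = eq ? (size_t)(eq - query) : strlen(query);
    if (outlen == 0 || n >= outlen) {
        if (outlen) out[0] = '\0';
        return -1;
    }
    memcpy(out, query, n);
    out[n] = '\0';
    return 0;
}

/* Length of the value of header 'name' in a CRLF-separated raw header block,
   leading spaces after the colon skipped; -1 if the header is absent.
   The name match is case-sensitive to keep the example short. */
static long header_value_len(const char *raw, const char *name)
{
    size_t nlen = strlen(name);
    const char *p = raw;
    while (*p) {
        const char *eol = strstr(p, "\r\n");
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);
        if (linelen > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == ':') {
            const char *v = p + nlen + 1;
            while (v < p + linelen && *v == ' ') v++;
            return (long)((p + linelen) - v);
        }
        if (!eol) break;
        p = eol + 2;
    }
    return -1;
}

/* Input gate run before any fixed-size copy:
   0 = accept, 1 = field name too long, 2 = User-Agent too long. */
static int check_request(const char *query, const char *raw_headers)
{
    char name[FIELD_NAME_MAX];
    if (extract_field_name(query, name, sizeof name) != 0) return 1;
    if (header_value_len(raw_headers, "User-Agent") > USER_AGENT_MAX) return 2;
    return 0;
}

/* Constructed sample input: prefix, n copies of 'fill', then suffix.
   The caller frees the result. */
static char *make_padded(const char *prefix, char fill, size_t n, const char *suffix)
{
    size_t plen = strlen(prefix), slen = strlen(suffix);
    char *s = malloc(plen + n + slen + 1);
    if (!s) return NULL;
    memcpy(s, prefix, plen);
    memset(s + plen, fill, n);
    memcpy(s + plen + n, suffix, slen + 1);
    return s;
}

/* Gate verdict for a query whose field name is n 'A's (like the advisory's
   request) sent with a short User-Agent. */
static int verdict_for_field_len(size_t n)
{
    char *q = make_padded("", 'A', n, "=X");
    int r = q ? check_request(q, "User-Agent: curl\r\n\r\n") : -1;
    free(q);
    return r;
}

/* Gate verdict for an ordinary query sent with a User-Agent of n 'B's. */
static int verdict_for_user_agent_len(size_t n)
{
    char *h = make_padded("User-Agent: ", 'B', n, "\r\n\r\n");
    int r = h ? check_request("user=alice", h) : -1;
    free(h);
    return r;
}

int main(void)
{
    char safe[FIELD_NAME_MAX];
    extract_field_name_unchecked("user=alice", safe);   /* short, fits */
    printf("unchecked copy of a short name: %s\n", safe);
    printf("1533-char field name: %d\n", verdict_for_field_len(1533));
    printf("4096-char User-Agent: %d\n", verdict_for_user_agent_len(4096));
    printf("ordinary request:     %d\n", verdict_for_field_len(4));
    return 0;
}
```

The check is deliberately placed at the parsing boundary: once the name is known not to fit, the request is refused with a verdict code instead of being truncated, so the caller can log the event. The 1533-character request from the advisory is rejected by the field-name limit and never reaches a copy.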

VENDOR RESPONSE

According to @stake, Mobius informed its customers of the matter and has provided an updated version to remedy the problems.

CREDIT
Discovered by @stake