Reported September 8, 2000 by @stake
- Mobius DocumentDirect 1.2
DocumentDirect is a Web-based document management system. Several unchecked buffers exist within the components of the product that could allow arbitrary code to execute on the server.
DEMONSTRATION
By sending a field identifier name of at least 1533 characters to the DDICGI.EXE program (as shown in the GET request below), a buffer overflow occurs, returning execution to the memory address 0x41414141:
- GET /ddrint/bin/ddicgi.exe?AAAAAAAAAA...AAAAA=X HTTP/1.0
By sending a username of at least 208 characters to the authentication Web form, an overflow will occur.
If an excessively long string is sent in association with the User-Agent parameter, an access violation will occur.
- GET /ddrint/bin/ddicgi.exe HTTP/1.0\r\nUser-Agent: [long string]\r\n\r\n
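The three conditions above can be recognised at a proxy or in request logs before the input reaches the CGI program. The following detection routine is an added example and is not @stake's or Mobius' code; the 1533 and 208 character thresholds are taken from this advisory, while the User-Agent limit of 1024 characters and the form field name "username" are assumptions, since the advisory gives neither. The sample requests are constructed for the example.

```python
"""Flag over-long inputs aimed at ddicgi.exe of the kinds described in the advisory.

Added example (not the vendor's or @stake's code). Thresholds FIELD_NAME_LIMIT and
USERNAME_LIMIT are the advisory's figures; USER_AGENT_LIMIT and USERNAME_FIELDS are
assumptions because the advisory does not state them.
"""
from urllib.parse import parse_qsl, urlsplit

FIELD_NAME_LIMIT = 1533          # advisory: a field identifier name this long overflows
USERNAME_LIMIT = 208             # advisory: a username this long overflows
USER_AGENT_LIMIT = 1024          # assumption: advisory only says "excessively long"
USERNAME_FIELDS = ("username",)  # assumption: the form's field name is not given


def parse_request(raw: bytes):
    """Split a raw HTTP/1.0 request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers, body.decode("latin-1")


def check_request(raw: bytes) -> list:
    """Return one finding string per input that reaches an advisory threshold.

    Only requests whose path ends in /ddicgi.exe are examined; everything else
    returns an empty list.
    """
    method, target, headers, body = parse_request(raw)
    findings = []
    path = target.split("?", 1)[0].lower()
    if not path.endswith("/ddicgi.exe"):
        return findings

    # 1. Field identifier names in the query string (the GET request shown above).
    query = urlsplit(target).query
    for name, _value in parse_qsl(query, keep_blank_values=True):
        if len(name) >= FIELD_NAME_LIMIT:
            findings.append(
                f"query field name of {len(name)} chars (limit {FIELD_NAME_LIMIT})")

    # 2. The User-Agent header (assumed limit).
    user_agent = headers.get("user-agent", "")
    if len(user_agent) >= USER_AGENT_LIMIT:
        findings.append(
            f"User-Agent of {len(user_agent)} chars (limit {USER_AGENT_LIMIT})")

    # 3. The username submitted to the authentication form; checked in both the
    #    query string and a form-encoded body since the form's method is not stated.
    fields = parse_qsl(query, keep_blank_values=True)
    if method == "POST":
        fields += parse_qsl(body, keep_blank_values=True)
    for name, value in fields:
        if name.lower() in USERNAME_FIELDS and len(value) >= USERNAME_LIMIT:
            findings.append(
                f"username of {len(value)} chars (limit {USERNAME_LIMIT})")
    return findings


# Constructed sample requests, one per condition in the advisory plus a benign one.
SAMPLE_REQUESTS = {
    "benign": (b"GET /ddrint/bin/ddicgi.exe?doc=123 HTTP/1.0\r\n"
               b"User-Agent: Mozilla/4.0\r\n\r\n"),
    "long_field": (b"GET /ddrint/bin/ddicgi.exe?" + b"A" * 1533 + b"=X HTTP/1.0\r\n"
                   b"User-Agent: Mozilla/4.0\r\n\r\n"),
    "long_user_agent": (b"GET /ddrint/bin/ddicgi.exe HTTP/1.0\r\n"
                        b"User-Agent: " + b"B" * 2000 + b"\r\n\r\n"),
    "long_username": (b"POST /ddrint/bin/ddicgi.exe HTTP/1.0\r\n"
                      b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                      b"username=" + b"C" * 208 + b"&password=x"),
}

if __name__ == "__main__":
    for label, request in SAMPLE_REQUESTS.items():
        print(label, check_request(request))
```

The routine is deliberately conservative: it keys on the affected program's path and on lengths alone, so it can run on a reverse proxy or over access logs without needing the product's internals. The same structure extends to a blocking rule by rejecting any request for which check_request returns a non-empty list.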
VENDOR RESPONSE
According to @stake, Mobius informed its customers of the matter and has provided an updated version to remedy the problems.
CREDIT
Discovered by @stake