Vulnerabilities > CVE-2000-0826 - Buffer Overflow vulnerability in Mobius Documentdirect for the Internet 1.2

CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE

Summary

Buffer overflow in ddicgi.exe program in Mobius DocumentDirect for the Internet 1.2 allows remote attackers to execute arbitrary commands via a long GET request.

Vulnerable Configurations

Part Description Count
Application
Mobius
1

Nessus

NASL family: CGI abuses
NASL id: DDICGI.NASL
description: The file
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 11728
published: 2003-06-11
reporter: This script is Copyright (C) 2003-2018 John Lampe
source: https://www.tenable.com/plugins/nessus/11728
title: Mobius DocumentDirect ddicgi.exe Long GET Request Overflow
code
#
# This script was written by John [email protected] 
#
# See the Nessus Scripts License for details
#

# Changes by Tenable:
# - Revised plugin title (4/15/009)

include("compat.inc");

# Registration block: when the scanner loads the plugin with `description`
# set, only the metadata below is recorded and the script exits before any
# network activity takes place.
if(description)
{
 script_id(11728);
 script_version ("1.25");

 # Identifiers for the issue this plugin checks for.
 script_cve_id("CVE-2000-0826");
 script_bugtraq_id(1657);

 script_name(english:"Mobius DocumentDirect ddicgi.exe Long GET Request Overflow");
 script_summary(english: "Checks for the ddicgi.exe file");
 
 script_set_attribute(attribute:"synopsis", value:
"It might be possible to execute arbitrary code on the remote server.");
 # Report text. The last paragraph reflects how the check works: a finding
 # is reported only when the web server stops answering after the probe.
 script_set_attribute(attribute:"description", value:
"The file 'ddicgi.exe' exists on this web server.  Some versions of this
file are vulnerable to remote exploit. 

An attacker may use this file to gain access to confidential data or
escalate their privileges on the web server. 

** It seems that Nessus crashed your web server.");
 script_set_attribute(attribute:"see_also", value:
"https://seclists.org/bugtraq/2000/Sep/184");
 script_set_attribute(attribute:"solution", value:
"Remove it from the cgi-bin or scripts directory.");
 # CVSS v2 base vector: network, low complexity, no auth, complete C/I/A.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:U/RC:ND");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"vuln_publication_date", value:
"2000/09/08");
 script_set_attribute(attribute:"plugin_publication_date", value:
"2003/06/11");
 script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 # Must follow every script_set_attribute() call above.
 script_end_attributes();

 # ACT_DENIAL: the check is potentially destructive (it can take the
 # target web service down), so it only runs when such checks are enabled.
 script_category(ACT_DENIAL);
 script_copyright(english:"This script is Copyright (C) 2003-2020 John Lampe");
 script_family(english: "CGI abuses");
 # Runs after http_version.nasl and only against hosts with a web port
 # (Services/www, defaulting to 80).
 script_dependencie("http_version.nasl");
 script_require_ports("Services/www", 80);
 exit(0);
}

#
# The script code starts here
#

include("http_func.inc");
include("http_keepalive.inc");

# --- Active check --------------------------------------------------------
# Sends an oversized GET query to the DocumentDirect CGI and reports a hole
# only if the web service stops answering afterwards. Because the verdict is
# "service is dead", the plugin is registered as ACT_DENIAL: a positive
# result means the target service was taken down by the probe.

port = get_http_port(default:80, embedded:TRUE);
if (!get_port_state(port)) exit(0);

# Bail out unless the CGI is present and the server is still alive before
# the probe, so that a pre-existing outage is not misreported as a finding.
cgi_path = "/ddrint/bin/ddicgi.exe";
if (!is_cgi_installed_ka(item:cgi_path, port:port)) exit(0);
if (http_is_dead(port:port)) exit(0);

# Query string of 1553 filler bytes, sent as a single HTTP/1.0 request.
filler = crap(1553);
request = 'GET ' + cgi_path + '?' + filler + '=X HTTP/1.0\r\n\r\n';

sock = open_sock_tcp(port);
if (!sock) exit(0);
send(socket:sock, data:request);
# The reply itself is not inspected; it is drained so the exchange completes
# before the liveness re-check decides the outcome.
response = http_recv(socket:sock);
close(sock);

# Server no longer answers after three retries -> report the issue.
if (http_is_dead(port:port, retry:3)) security_hole(port);