Category: Vulnerability - Dangerous Incident ID: X000802 Priority: 5 - Serious Status: Investigate Further and Document Component:
Odma.dll, distributed versions up to 2.0.0
Repaired in: none
- Related information:
Assigned To: Dennis E. Hamilton Reported By:
Dennis E. Hamilton 2000-08-04
Date Opened: 2000-08-04 Date Closed: none
The ODMA Connection Manager provides inadequate screening for validity against malformed ODMA Document IDs created by ODMA-compliant software. Malformed Document IDs submitted to the Connection Manager can be passed to a DMS integration in their malformed state.
There are no reported production incidents attributable to this particular defect. It is documented as a warning for future trouble-shooting and for maintenance of Connection Manager implementations.
This vulnerability is identified as dangerous for the following reasons:
- It can occur as the result of a difficult-to-isolate coincidence of contributing flaws between an ODMA-compliant DMS and an ODMA-aware application.
- It can occur when ODMA Document IDs are transported from one session to another via data, message text, or other transfer, possibly between different character-set/code-page regimes, and where malformed material is not properly validated before use by the ODMA-aware application.
- It is a potential means for disruption of ODMA and a DMS other than the source of the malformed Document ID.
The ODMA Connection Manager examines the ODMA Document IDs that are provided as parameters for a number of ODMA 2.0 API functions. Examination of the Document ID determines the DMS ID of the DMS integration to use in performing the requested operation.
Implementations of the ODMA Connection Manager up through
Odma.dllversion 2.0.0 and
ODMA32.dll2.0.0 use the following procedure for selecting the proper DMS:
- If the
lpszDocIdparameter to the requested operation is a
NULLor other invalid pointer, the Connection Manager may fail (see Incident Report X000801). If not, the Connection Manager will have treated
"", a string of length
strlen(lpszDocId) < 9, the ODMA Connection Manager will reject the request.
- When the Document Id has at least 9 characters, the ODMA Connection Manager simply ignores the first 7 characters. They are assumed to be
::ODMA\without actual confirmation.
- Starting immediately after the 7th character, the Connection Manager reads, as the DMS ID, all characters prior to whichever occurs first:
- the Null character,
'\0', marking the end of the string,
- the 16th character of the string
- The DMS ID string derived in this fashion will have 0 to 8 characters, followed by a terminating Null character,
'\0'. It cannot contain any
\character. For example, the Document ID string
xxAMDOs\ywill be parsed as having a Null DMS ID string,
??DM:MYODMASAMPLEDOCUMENTwill be parsed as having DMS ID string
- If the derived DMS ID string identifies a DMS integration that is registered with the Connection Manager being used, the requested operation will be performed with that DMS and the supplied ODMA Document ID will be delivered to the corresponding operation of the DMS, along with the other parameters of the request.
- If the derived DMS ID string does not identify an usable DMS integration, or the Connection Manager rejects the string earlier (as in step 2), the requested operation will not be performed. Instead, the Connection Manager will return an
ODM_E_DOCID, as allowed. All parameters of the operations are left intact, and no output parameters will have been supplied.
- In the special case of a rejected
*ppvObjwill be set to
HRESULTwill be one of
- Identify and report those ODMA Connection Manager functions that accept malformed Document ID strings.
- Confirm that using a Null string for the DMS ID will not disrupt the Connection Manager use of the Windows Registry when searching for a DMS integration to use.
- Demonstrate that these failures actually occur with the current ODMA 2.0 connection manager implementations,
Odma.dllversion 2.0.0 and
- Describe appropriate work-around and safeguard techniques.
- Schedule correction in the next rebuild of ODMA Connection Manager implementations.
Please provide any relevant information and feedback to the ODMA Tech List or directly to the AIIM DMware Technical Coordinator.
created 2000-08-05-12:47 -0700 (pdt) by orcmid
$$Author: Orcmid $
$$Date: 00-11-10 10:18 $
$$Revision: 5 $