Category: Vulnerability - Dangerous
Incident ID: X000802
Priority: 5 - Serious
Status: Investigate Further and Document
Component: ODMA32.dll and Odma.dll, distributed versions up to 2.0.0
Repaired in: none
Related information:
- X000801
Assigned To: Dennis E. Hamilton
Reported By: Dennis E. Hamilton 2000-08-04
Date Opened: 2000-08-04
Date Closed: none
The ODMA Connection Manager provides inadequate screening for validity against malformed ODMA Document IDs created by ODMA-compliant software. Malformed Document IDs submitted to the Connection Manager can be passed to a DMS integration in their malformed state.
There are no reported production incidents attributable to this particular defect. It is documented as a warning for future trouble-shooting and for maintenance of Connection Manager implementations.
This vulnerability is identified as dangerous for the following reasons:
- It can occur as the result of a difficult-to-isolate coincidence of contributing flaws between an ODMA-compliant DMS and an ODMA-aware application.
- It can occur when ODMA Document IDs are transported from one session to another via data, message text, or other transfer, possibly between different character-set/code-page regimes, and where malformed material is not properly validated before use by the ODMA-aware application.
- It is a potential means for disruption of ODMA and a DMS other than the source of the malformed Document ID.
The ODMA Connection Manager examines the ODMA Document IDs that are provided as parameters for a number of ODMA 2.0 API functions. Examination of the Document ID determines the DMS ID of the DMS integration to use in performing the requested operation.
Implementations of the ODMA Connection Manager up through Odma.dll version 2.0.0 and ODMA32.dll 2.0.0 use the following procedure for selecting the proper DMS:
- If the lpszDocId parameter to the requested operation is a NULL or other invalid pointer, the Connection Manager may fail (see Incident Report X000801). If not, the Connection Manager will have treated NULL as "", a string of length 0.
- If strlen(lpszDocId) < 9, the ODMA Connection Manager will reject the request.
- When the Document ID has at least 9 characters, the ODMA Connection Manager simply ignores the first 7 characters. They are assumed to be ::ODMA\ without actual confirmation.
- Starting immediately after the 7th character, the Connection Manager reads, as the DMS ID, all characters prior to whichever occurs first:
  - the Null character, '\0', marking the end of the string,
  - a \ character, or
  - the 16th character of the string.
- The DMS ID string derived in this fashion will have 0 to 8 characters, followed by a terminating Null character, '\0'. It cannot contain any \ character. For example, the Document ID string xxAMDOs\y will be parsed as having a Null DMS ID string, ""; ??DM:MYODMASAMPLEDOCUMENT will be parsed as having DMS ID string "ODMASAMP".
- If the derived DMS ID string identifies a DMS integration that is registered with the Connection Manager being used, the requested operation will be performed with that DMS and the supplied ODMA Document ID will be delivered to the corresponding operation of the DMS, along with the other parameters of the request.
- If the derived DMS ID string does not identify a usable DMS integration, or the Connection Manager rejects the string earlier (as in step 2), the requested operation will not be performed. Instead, the Connection Manager will return an ODMSTATUS value of ODM_E_FAIL or ODM_E_DOCID, as allowed. All parameters of the operation are left intact, and no output parameters will have been supplied.
- In the special case of a rejected ODMQueryInterface operation, *ppvObj will be set to NULL and the HRESULT will be one of E_FAIL or E_INVALIDARG.
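The following C is an added illustration, not code from the incident report or from the ODMA Connection Manager sources: it reproduces the lenient DMS ID extraction described in the steps above, beside a stricter screening routine of the kind a Connection Manager or ODMA-aware application could apply before use. The strict variant assumes, beyond what the report states, that a well-formed ID has the layout ::ODMA\<DMS ID>\<DMS-specific part> with a DMS ID of 1 to 8 printable ASCII characters; both function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define ODMA_PREFIX     "::ODMA\\"   /* the 7 characters step 3 skips unchecked */
#define ODMA_PREFIX_LEN 7
#define DMSID_MAX       8            /* DMS ID occupies characters 8..15 at most */

/* Lenient extraction as the report describes it for Odma.dll / ODMA32.dll 2.0.0.
 * dmsid must have room for DMSID_MAX + 1 bytes. Returns 0 when the request
 * would be accepted (dmsid filled), -1 when the Connection Manager rejects it. */
int odma_extract_dmsid_lenient(const char *lpszDocId, char *dmsid)
{
    size_t n = 0;
    if (lpszDocId == NULL) lpszDocId = "";          /* NULL treated as "" */
    if (strlen(lpszDocId) < 9) return -1;           /* step 2: fewer than 9 chars */
    const char *p = lpszDocId + ODMA_PREFIX_LEN;    /* step 3: prefix not confirmed */
    /* step 4: stop at '\0', at '\', or before the 16th character of the string */
    while (*p != '\0' && *p != '\\' && n < DMSID_MAX)
        dmsid[n++] = *p++;
    dmsid[n] = '\0';                                /* 0..8 chars, never contains '\' */
    return 0;
}

/* Stricter screening (assumption: ::ODMA\<DMS ID>\<rest> layout, 1..8 printable
 * ASCII characters in the DMS ID). Rejects both malformed examples in the report. */
int odma_extract_dmsid_strict(const char *lpszDocId, char *dmsid)
{
    size_t n = 0;
    if (lpszDocId == NULL) return -1;
    if (strncmp(lpszDocId, ODMA_PREFIX, ODMA_PREFIX_LEN) != 0) return -1;
    const char *p = lpszDocId + ODMA_PREFIX_LEN;
    while (*p != '\0' && *p != '\\') {
        unsigned char c = (unsigned char)*p;
        if (n == DMSID_MAX || c < 0x21 || c > 0x7e) return -1;  /* too long / unprintable */
        dmsid[n++] = *p++;
    }
    if (n == 0 || *p != '\\') return -1;            /* empty DMS ID or no separator */
    dmsid[n] = '\0';
    return 0;
}

int main(void)
{
    /* constructed sample IDs: the report's two malformed examples and a well-formed one */
    const char *samples[] = { "xxAMDOs\\y", "??DM:MYODMASAMPLEDOCUMENT", "::ODMA\\SAMPLE\\doc1" };
    char id[DMSID_MAX + 1];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; ++i) {
        int lenient = odma_extract_dmsid_lenient(samples[i], id);
        printf("%-28s lenient=%d dmsid=\"%s\"", samples[i], lenient, lenient == 0 ? id : "");
        printf("  strict=%d\n", odma_extract_dmsid_strict(samples[i], id));
    }
    return 0;
}
```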
- Identify and report those ODMA Connection Manager functions that accept malformed Document ID strings.
- Confirm that using a Null string for the DMS ID will not disrupt the Connection Manager's use of the Windows Registry when searching for a DMS integration to use.
- Demonstrate that these failures actually occur with the current ODMA 2.0 Connection Manager implementations, Odma.dll version 2.0.0 and ODMA32.dll version 2.0.0.
- Describe appropriate work-around and safeguard techniques.
- Schedule correction in the next rebuild of ODMA Connection Manager implementations.
Please provide any relevant information and feedback to the ODMA Tech List or directly to the AIIM DMware Technical Coordinator.
created 2000-08-05-12:47 -0700 (pdt) by orcmid
$$Author: Orcmid $
$$Date: 00-11-10 10:18 $
$$Revision: 5 $