Discovered by David Litchfield <email@example.com> and Mark Litchfield <firstname.lastname@example.org> and publicized in an @stake Advisory (A090800-1) on September 8, 2000.
Mobius DocumentDirect for the Internet 1.2
Microsoft Windows NT 4.0
A number of unchecked static buffers exist in Mobius' DocumentDirect for the Internet program. Depending on the data entered, arbitrary code execution or a denial of service attack could be launched under the privilege level of the corresponding service.
Buffer Overflow #1 - Issuing the following GET request will overflow DDICGI.EXE:
GET /ddrint/bin/ddicgi.exe?[string at least 1553 characters long]=X HTTP/1.0
Buffer Overflow #2 - Entering a username consisting of at least 208 characters in the web authorization form will cause DDIPROC.EXE to overflow. If random data were to be used, a denial of service attack would be launched against the DocumentDirect Process Manager which would halt all services relating to it.
Buffer Overflow #3 - Issuing the following GET request will cause an access validation error in DDICGI.EXE:
GET /ddrint/bin/ddicgi.exe HTTP/1.0\r\nUser-Agent: [long string of characters]\r\n\r\n
WildCoyote <email@example.com> has released the following exploits: