lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 14 Oct 2017 00:40:37 +1100
From: "Andrey B. Panfilov" <andrew@...filov.tel>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>,
  "'bugtraq@...urityfocus.com'" <bugtraq@...urityfocus.com>
Subject: Multiple vulnerabilities in OpenText Documentum Content Server

CVE Identifier: CVE-2017-15012
Vendor: OpenText
Affected products: OpenText Documentum Content Server (all versions)
Researcher: Andrey B. Panfilov
CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Fix: not available
Description:

Opentext Documentum Content Server (formerly known as EMC Documentum Content Server)
does not properly validate input of PUT_FILE RPC-command which allows any
authenticated user to hijack arbitrary file from Content Server filesystem,
because some files on Content Server filesystem are security-sensitive
this security flaw leads to privilege escalation



CVE Identifier: CVE-2017-15013
Vendor: OpenText
Affected products: OpenText Documentum Content Server (all versions)
Researcher: Andrey B. Panfilov
CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Fix: not available
Description:



Opentext Documentum Content Server (formerly known as EMC Documentum Content Server)
contains following design gap, which allows authenticated user to gain privileges
of superuser: Content Server stores information about uploaded files in dmr_content 
objects, which are queryable and "editable" (before release 7.2P02 any authenticated 
user was able to edit dmr_content objects, now any authenticated user may delete
dmr_content object and them create new one with the old identifier) by
authenticated users, this allows any authenticated user to replace content of
security-sensitive dmr_content objects (for example, dmr_content related to 
dm_method objects) and gain superuser privileges



CVE Identifier: CVE-2017-15014
Vendor: OpenText
Affected products: OpenText Documentum Content Server (all versions)
Researcher: Andrey B. Panfilov
CVSS v3 Base Score: 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Fix: not available
Description:


Opentext Documentum Content Server (formerly known as EMC Documentum Content Server)
contains following design gap, which allows authenticated user to download arbitrary
content files regardless attacker's repository permissions:

when authenticated user upload content to repository he performs following steps:
- calls START_PUSH RPC-command
- uploads file to content server
- calls END_PUSH_V2 RPC-command, here Content Server returns DATA_TICKET (integer),
  purposed to identify the location of the uploaded file on Content Server filesystem
- further user creates dmr_content object in repository, which has value of data_ticket equal
  to the value of DATA_TICKET received at the end of END_PUSH_V2 call

As the result of such design any authenticated user may create his own dmr_content object,
pointing to already existing content of Content Server filesystem



CVE Identifier: CVE-2017-15276
Vendor: OpenText
Affected products: OpenText Documentum Content Server (all versions)
Researcher: Andrey B. Panfilov
CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Fix: not available
Description:


Opentext Documentum Content Server (formerly known as EMC Documentum Content Server)
contains following design gap, which allows authenticated user to gain privileges
of superuser: Content Server allows to upload content using batches (TAR archives), 
when unpacking TAR archives Content Server fails to verify contents of TAR archive which
causes path traversal vulnerability via symlinks, because some files on Content Server
filesystem are security-sensitive this security flaw leads to privilege escalation


View attachment "CVE-2017-15276.py" of type "text/x-python-script" (7605 bytes)

View attachment "CVE-2017-15014.py" of type "text/x-python-script" (5510 bytes)

View attachment "CVE-2017-15013.py" of type "text/x-python-script" (10288 bytes)

View attachment "CVE-2017-15012.py" of type "text/x-python-script" (5553 bytes)

Powered by blists - more mailing lists