| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 14 Oct 2017 00:40:37 +1100 From: "Andrey B. Panfilov" <andrew@...filov.tel> To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>, "'bugtraq@...urityfocus.com'" <bugtraq@...urityfocus.com> Subject: Multiple vulnerabilities in OpenText Documentum Content Server CVE Identifier: CVE-2017-15012 Vendor: OpenText Affected products: OpenText Documentum Content Server (all versions) Researcher: Andrey B. Panfilov CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) Fix: not available Description: Opentext Documentum Content Server (formerly known as EMC Documentum Content Server) does not properly validate input of PUT_FILE RPC-command which allows any authenticated user to hijack arbitrary file from Content Server filesystem, because some files on Content Server filesystem are security-sensitive this security flaw leads to privilege escalation CVE Identifier: CVE-2017-15013 Vendor: OpenText Affected products: OpenText Documentum Content Server (all versions) Researcher: Andrey B. Panfilov CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) Fix: not available Description: Opentext Documentum Content Server (formerly known as EMC Documentum Content Server) contains following design gap, which allows authenticated user to gain privileges of superuser: Content Server stores information about uploaded files in dmr_content objects, which are queryable and "editable" (before release 7.2P02 any authenticated user was able to edit dmr_content objects, now any authenticated user may delete dmr_content object and them create new one with the old identifier) by authenticated users, this allows any authenticated user to replace content of security-sensitive dmr_content objects (for example, dmr_content related to dm_method objects) and gain superuser privileges CVE Identifier: CVE-2017-15014 Vendor: OpenText Affected products: OpenText Documentum Content Server (all versions) Researcher: Andrey B. Panfilov CVSS v3 Base Score: 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) Fix: not available Description: Opentext Documentum Content Server (formerly known as EMC Documentum Content Server) contains following design gap, which allows authenticated user to download arbitrary content files regardless attacker's repository permissions: when authenticated user upload content to repository he performs following steps: - calls START_PUSH RPC-command - uploads file to content server - calls END_PUSH_V2 RPC-command, here Content Server returns DATA_TICKET (integer), purposed to identify the location of the uploaded file on Content Server filesystem - further user creates dmr_content object in repository, which has value of data_ticket equal to the value of DATA_TICKET received at the end of END_PUSH_V2 call As the result of such design any authenticated user may create his own dmr_content object, pointing to already existing content of Content Server filesystem CVE Identifier: CVE-2017-15276 Vendor: OpenText Affected products: OpenText Documentum Content Server (all versions) Researcher: Andrey B. Panfilov CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) Fix: not available Description: Opentext Documentum Content Server (formerly known as EMC Documentum Content Server) contains following design gap, which allows authenticated user to gain privileges of superuser: Content Server allows to upload content using batches (TAR archives), when unpacking TAR archives Content Server fails to verify contents of TAR archive which causes path traversal vulnerability via symlinks, because some files on Content Server filesystem are security-sensitive this security flaw leads to privilege escalation View attachment "CVE-2017-15276.py" of type "text/x-python-script" (7605 bytes) View attachment "CVE-2017-15014.py" of type "text/x-python-script" (5510 bytes) View attachment "CVE-2017-15013.py" of type "text/x-python-script" (10288 bytes) View attachment "CVE-2017-15012.py" of type "text/x-python-script" (5553 bytes)
Powered by blists - more mailing lists