lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAM8W6xyRLDva5ay=tw7xB7F3JFkMtv-pQKyMg7NVa9UjWw-Axg@mail.gmail.com>
Date: Sun, 24 Sep 2017 11:50:44 +0200
From: Etnies <kuba25101990@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] OpenText Documentum Administrator and Webtop - XML External
	Entity Injection

Title: OpenText Documentum Administrator and Webtop - XML External
Entity Injection
Author: Jakub Palaczynski, Pawel Gocyla
Date: 24. September 2017
CVE (Administrator): CVE-2017-14526
CVE (Webtop): CVE-2017-14527

Affected software:
==================
Documentum Administrator
Documentum Webtop

Exploit was tested on:
======================
Documentum Administrator version 7.2.0180.0055
Documentum Webtop version 6.8.0160.0073
Other versions may also be vulnerable.

XML External Entity Injection - 4 instances:
============================================

Please note that examples below are for Documentum Administrator, but
the same exploitation takes place in Webtop.
This vulnerability allows for:
- listing directories and retrieving content of files from the filesystem
- stealing hashes of user that runs Documentum (if installed on Windows)
- DoS

1. Instance 1 and 2:
Authenticated users can exploit XXE vulnerability by browsing "Tools >
Preferences". It generates request to
/xda/com/documentum/ucf/server/transport/impl/GAIRConnector which
contains two XML structures. Both accept DTD and parse it which allows
exploitation.

2. Instance 3:
Authenticated users can exploit XXE vulnerability by using "File >
Import". Users can import XML files and use "MediaProfile" to open
file which triggers vulnerability.

3. Instance 4:
Authenticated users can exploit XXE vulnerability by using "File >
Check In". Users can use XML check in file and use "MediaProfile" to
open it which triggers vulnerability.

Fix:
====
https://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774

Contact:
========
Jakub[dot]Palaczynski[at]gmail[dot]com
pawellgocyla[at]gmail[dot]com

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ