Message-ID: <84EE54DB-840F-4F5C-AC02-62130C4A0241@panfilov.tel>
Date: Sat, 14 Oct 2017 00:40:37 +1100
From: "Andrey B. Panfilov" <andrew@...filov.tel>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>,
"'bugtraq@...urityfocus.com'" <bugtraq@...urityfocus.com>
Subject: [FD] Multiple vulnerabilities in OpenText Documentum Content Server
CVE Identifier: CVE-2017-15012
Vendor: OpenText
Affected products: OpenText Documentum Content Server (all versions)
Researcher: Andrey B. Panfilov
CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Fix: not available
Description:
OpenText Documentum Content Server (formerly EMC Documentum Content Server) does
not properly validate the input of the PUT_FILE RPC command. This allows any
authenticated user to hijack an arbitrary file on the Content Server filesystem.
Because some files on that filesystem are security-sensitive, the flaw leads to
privilege escalation.

CVE Identifier: CVE-2017-15013
Vendor: OpenText
Affected products: OpenText Documentum Content Server (all versions)
Researcher: Andrey B. Panfilov
CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Fix: not available
Description:
OpenText Documentum Content Server (formerly EMC Documentum Content Server)
contains the following design gap, which allows an authenticated user to gain
superuser privileges. Content Server stores information about uploaded files in
dmr_content objects, which authenticated users can query and "edit": before
release 7.2P02 any authenticated user could modify a dmr_content object
directly; since then, any authenticated user can still delete a dmr_content
object and create a new one with the old identifier. Either way, an
authenticated user can replace the content behind security-sensitive dmr_content
objects (for example, the dmr_content backing a dm_method object) and thereby
gain superuser privileges.

CVE Identifier: CVE-2017-15014
Vendor: OpenText
Affected products: OpenText Documentum Content Server (all versions)
Researcher: Andrey B. Panfilov
CVSS v3 Base Score: 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Fix: not available
Description:
OpenText Documentum Content Server (formerly EMC Documentum Content Server)
contains the following design gap, which allows an authenticated user to
download arbitrary content files regardless of the attacker's repository
permissions. When an authenticated user uploads content to the repository, the
client performs the following steps:
- calls the START_PUSH RPC command
- uploads the file to Content Server
- calls the END_PUSH_V2 RPC command; here Content Server returns a DATA_TICKET
  (an integer) that identifies the location of the uploaded file on the Content
  Server filesystem
- creates a dmr_content object in the repository whose data_ticket attribute is
  set to the DATA_TICKET value returned by END_PUSH_V2
Nothing ties a data_ticket value to the upload that produced it, so any
authenticated user can create a dmr_content object of his own that points at
content already present on the Content Server filesystem.

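To make the gap concrete, here is a toy model of the handshake above in Python. It is an added example, not Documentum code or anything from the advisory's attachments: the method names start_push, push_bytes, end_push_v2 and create_content_*, the sessions "alice" and "bob", the owner-only ACL and the sample bytes are all constructed for the illustration. The vulnerable create_content_vulnerable() accepts any DATA_TICKET that names an existing file, which is the advisory's design gap; create_content_hardened() applies the fix this example assumes, treating a ticket as a one-shot capability bound to the session END_PUSH_V2 issued it to.

```python
"""Toy model of the END_PUSH_V2 / dmr_content design gap (added example)."""
import itertools
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class ContentObject:
    """Stand-in for a dmr_content object: an owner and a data_ticket."""
    object_id: str
    owner: str
    data_ticket: int


class ContentServer:
    def __init__(self) -> None:
        self._tickets = itertools.count(100)          # next DATA_TICKET to hand out
        self._files: Dict[int, bytes] = {}            # data_ticket -> bytes on "disk"
        self._issued: Dict[int, str] = {}             # data_ticket -> session that uploaded
        self._claimed: Set[int] = set()               # tickets already bound to an object
        self._objects: Dict[str, ContentObject] = {}  # object_id -> object
        self._pending: Dict[str, bytes] = {}          # session -> bytes since START_PUSH
        self._oids = itertools.count(1)

    # --- the upload handshake from the advisory (names are this example's) ---
    def start_push(self, session: str) -> None:
        self._pending[session] = b""

    def push_bytes(self, session: str, chunk: bytes) -> None:
        self._pending[session] += chunk

    def end_push_v2(self, session: str) -> int:
        ticket = next(self._tickets)
        self._files[ticket] = self._pending.pop(session)
        self._issued[ticket] = session
        return ticket

    # --- creating the dmr_content-like object -------------------------------
    def create_content_vulnerable(self, session: str, data_ticket: int) -> ContentObject:
        # Design gap: the ticket is taken at face value. Any integer that names
        # an existing file is accepted, no matter who uploaded that file.
        if data_ticket not in self._files:
            raise KeyError("no such content")
        return self._store(session, data_ticket)

    def create_content_hardened(self, session: str, data_ticket: int) -> ContentObject:
        # Assumed fix: a ticket may only be claimed once, and only by the
        # session that END_PUSH_V2 issued it to.
        if self._issued.get(data_ticket) != session:
            raise PermissionError("data_ticket was not issued to this session")
        if data_ticket in self._claimed:
            raise PermissionError("data_ticket is already bound to an object")
        return self._store(session, data_ticket)

    def _store(self, session: str, data_ticket: int) -> ContentObject:
        obj = ContentObject(f"obj-{next(self._oids)}", session, data_ticket)
        self._objects[obj.object_id] = obj
        self._claimed.add(data_ticket)
        return obj

    def read_content(self, session: str, object_id: str) -> bytes:
        # The repository ACL, modelled as owner-only read access.
        obj = self._objects[object_id]
        if obj.owner != session:
            raise PermissionError("ACL denies read")
        return self._files[obj.data_ticket]


def scenario(hardened: bool) -> Tuple[bool, Optional[bytes]]:
    """Alice uploads a file; Bob, denied by the ACL, tries to reach it by
    creating his own object with Alice's DATA_TICKET.

    Returns (bob_succeeded, bytes_bob_read)."""
    srv = ContentServer()
    create = srv.create_content_hardened if hardened else srv.create_content_vulnerable

    srv.start_push("alice")
    srv.push_bytes("alice", b"payroll.xlsx contents")   # constructed sample payload
    alice_ticket = srv.end_push_v2("alice")
    alice_obj = create("alice", alice_ticket)

    try:                                 # the ACL on Alice's object holds...
        srv.read_content("bob", alice_obj.object_id)
        raise AssertionError("ACL should have denied Bob")
    except PermissionError:
        pass

    try:                                 # ...but tickets are small integers Bob can guess
        bob_obj = create("bob", alice_ticket)
    except PermissionError:
        return False, None
    return True, srv.read_content("bob", bob_obj.object_id)


if __name__ == "__main__":
    print("vulnerable:", scenario(hardened=False))
    print("hardened:  ", scenario(hardened=True))
```

The point of the hardened variant is that the permission check on existing objects is irrelevant if a user can mint a fresh object over someone else's bytes; the ticket itself has to carry the authorization.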
CVE Identifier: CVE-2017-15276
Vendor: OpenText
Affected products: OpenText Documentum Content Server (all versions)
Researcher: Andrey B. Panfilov
CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Fix: not available
Description:
OpenText Documentum Content Server (formerly EMC Documentum Content Server)
contains the following design gap, which allows an authenticated user to gain
superuser privileges. Content Server allows content to be uploaded in batches
(TAR archives). When unpacking a TAR archive, Content Server does not verify the
archive's contents, so a symlink entry in the archive can redirect later entries
outside the intended directory (path traversal via symlinks). Because some files
on the Content Server filesystem are security-sensitive, this flaw leads to
privilege escalation.

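As an added illustration that is not part of the advisory, its attachments or OpenText's code, the following Python audits a TAR batch before unpacking it. It covers two of the advisory's items with one set of checks: confined_relpath() is the filename confinement that a PUT_FILE-style command (CVE-2017-15012) must apply to any server-side path it is handed, and audit_tar() additionally refuses link members and any later member whose path runs through one (CVE-2017-15276). The archives are constructed in memory; the link target "/path/to/sensitive/dir" is a placeholder, not a real Content Server path, and the function names are this example's own.

```python
"""Audit a TAR archive for members that could escape the extraction directory."""
import io
import posixpath
import tarfile
import tempfile
from typing import List, Optional


def confined_relpath(name: str) -> Optional[str]:
    """Normalise a member name (or any client-supplied filename) and return it
    only if it stays underneath the target directory; None means reject."""
    if not name or "\x00" in name or name.startswith(("/", "\\")):
        return None
    norm = posixpath.normpath(name)
    # normpath keeps leading ".." components, so an escape is still visible;
    # a backslash would act as a separator on Windows, so reject it outright.
    if norm == ".." or norm.startswith("../") or "\\" in norm:
        return None
    return norm


def audit_tar(data: bytes) -> List[str]:
    """Return a list of findings; an empty list means the archive is safe to unpack."""
    findings: List[str] = []
    links_seen = set()  # normalised names of link members encountered so far
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar.getmembers():
            rel = confined_relpath(m.name)
            if rel is None:
                findings.append(f"{m.name!r}: path escapes the extraction directory")
                continue
            if m.issym() or m.islnk():
                # Never materialise links from a batch: a link at a sensitive
                # target turns every later write through it into an overwrite.
                kind = "symlink" if m.issym() else "hardlink"
                findings.append(f"{rel!r}: {kind} to {m.linkname!r}")
                links_seen.add(rel)
                continue
            if not (m.isfile() or m.isdir()):
                findings.append(f"{rel!r}: unsupported member type {m.type!r}")
                continue
            # A regular file whose path passes through (or equals) an earlier
            # link would be written wherever that link points.
            parts = rel.split("/")
            for i in range(1, len(parts) + 1):
                prefix = "/".join(parts[:i])
                if prefix in links_seen:
                    findings.append(f"{rel!r}: written through link {prefix!r}")
                    break
    return findings


def safe_extract(data: bytes, dest: str) -> List[str]:
    """Unpack only after the audit passes; returns the names of extracted members."""
    findings = audit_tar(data)
    if findings:
        raise ValueError("refusing to unpack: " + "; ".join(findings))
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        members = [m for m in tar.getmembers() if m.isfile() or m.isdir()]
        tar.extractall(dest, members=members)
        return [m.name for m in members]


def _tar(entries) -> bytes:
    """Build a constructed TAR in memory from (name, kind, payload) tuples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "file":
                body = payload.encode()
                info.size = len(body)
                tar.addfile(info, io.BytesIO(body))
            elif kind == "dir":
                info.type = tarfile.DIRTYPE
                tar.addfile(info)
            elif kind == "symlink":
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tar.addfile(info)
    return buf.getvalue()


# Constructed sample archives (not real batches).
BENIGN_BATCH = _tar([
    ("batch", "dir", None),
    ("batch/doc1.txt", "file", "hello"),
    ("batch/sub/doc2.txt", "file", "world"),
])
MALICIOUS_BATCH = _tar([
    ("batch", "symlink", "/path/to/sensitive/dir"),      # placeholder target (assumption)
    ("batch/settings.txt", "file", "lands at the link target, not in the tree"),
    ("../../escape.txt", "file", "classic dot-dot traversal for comparison"),
])

if __name__ == "__main__":
    for label, data in (("benign", BENIGN_BATCH), ("malicious", MALICIOUS_BATCH)):
        print(label, audit_tar(data) or "clean")
    with tempfile.TemporaryDirectory() as dest:
        print("extracted:", safe_extract(BENIGN_BATCH, dest))
```

Rejecting link members outright is the simplest rule for a server that unpacks content on behalf of users; an extractor that must preserve links has to resolve each target against the destination after every prior member has been written, which is considerably harder to get right.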
Attachments (proof-of-concept scripts, text/x-python-script):
- CVE-2017-15276.py (7605 bytes)
- CVE-2017-15014.py (5510 bytes)
- CVE-2017-15013.py (10288 bytes)
- CVE-2017-15012.py (5553 bytes)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/