accept no compromises

OpenText Documentum Administrator / Webtop XXE Injection

OpenText Documentum Administrator / Webtop XXE Injection
Posted Sep 27, 2017
Authored by Jakub Palaczynski, Pawel Gocyla

OpenText Documentum Administrator version 7.2.0180.0055 and Documentum Webtop version 6.8.0160.0073 suffer from XML external entity injection vulnerabilities.

tags | exploit, vulnerability
advisories | CVE-2017-14526, CVE-2017-14527
MD5 | 0cf5e2fc80eb45dd8b9bba4f36f8f1b5

OpenText Documentum Administrator / Webtop XXE Injection

Change Mirror Download
Title: OpenText Documentum Administrator and Webtop - XML External
Entity Injection
Author: Jakub Palaczynski, Pawel Gocyla
Date: 24. September 2017
CVE (Administrator): CVE-2017-14526
CVE (Webtop): CVE-2017-14527

Affected software:
==================
Documentum Administrator
Documentum Webtop

Exploit was tested on:
======================
Documentum Administrator version 7.2.0180.0055
Documentum Webtop version 6.8.0160.0073
Other versions may also be vulnerable.

XML External Entity Injection - 4 instances:
============================================

Please note that examples below are for Documentum Administrator, but
the same exploitation takes place in Webtop.
This vulnerability allows for:
- listing directories and retrieving content of files from the filesystem
- stealing hashes of user that runs Documentum (if installed on Windows)
- DoS

1. Instance 1 and 2:
Authenticated users can exploit XXE vulnerability by browsing "Tools >
Preferences". It generates request to
/xda/com/documentum/ucf/server/transport/impl/GAIRConnector which
contains two XML structures. Both accept DTD and parse it which allows
exploitation.

2. Instance 3:
Authenticated users can exploit XXE vulnerability by using "File >
Import". Users can import XML files and use "MediaProfile" to open
file which triggers vulnerability.

3. Instance 4:
Authenticated users can exploit XXE vulnerability by using "File >
Check In". Users can use XML check in file and use "MediaProfile" to
open it which triggers vulnerability.

Fix:
====
https://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774

Contact:
========
Jakub[dot]Palaczynski[at]gmail[dot]com
pawellgocyla[at]gmail[dot]com


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    15 Files
  • 2
    Oct 2nd
    16 Files
  • 3
    Oct 3rd
    15 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    11 Files
  • 6
    Oct 6th
    6 Files
  • 7
    Oct 7th
    2 Files
  • 8
    Oct 8th
    1 Files
  • 9
    Oct 9th
    13 Files
  • 10
    Oct 10th
    16 Files
  • 11
    Oct 11th
    15 Files
  • 12
    Oct 12th
    23 Files
  • 13
    Oct 13th
    13 Files
  • 14
    Oct 14th
    12 Files
  • 15
    Oct 15th
    2 Files
  • 16
    Oct 16th
    16 Files
  • 17
    Oct 17th
    16 Files
  • 18
    Oct 18th
    11 Files
  • 19
    Oct 19th
    3 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close