
Tuesday, April 25, 2017

[FD] CVE-2017-7221. OpenText Documentum Content Server: arbitrary code execution in dm_bp_transition.ebs docbase method

CVE Identifier: CVE-2017-7221
Vendor: OpenText
Affected products: OpenText Documentum Content Server (all versions)
Researcher: Andrey B. Panfilov
Severity Rating: CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Fix: not available
PoC: http://ift.tt/2pgp1Lt

Description:

All versions of Documentum Content Server contain the dm_bp_transition docbase method ("stored procedure"), which is written in Basic. The implementation of this docbase method does not properly validate user input, which allows an attacker to execute arbitrary code with superuser privileges.

The related code snippet is:

==========================================8<========================================
'Evaluate the user-defined entry criteria
If (result = True And run_entry = "T") Then
    If (debug = True) Then
        PrintToLog sess, "Run user defined entry criteria."
    End If
    '
    ' researcher comment:
    ' userEntryID parameter is controlled by attacker
    '
    result = RunProcedure(userEntryID, 1, sess, sysID,_
        user_name, targetState)
End If
...
'
' researcher comment:
' procID parameter is controlled by attacker
'
Function RunProcedure(procID As String, procNo As Integer,_
    sessID As String, objID As String, userName As String,_
    targetState As String) As Boolean
...
StartIt:
    If (procID <> "0000000000000000") Then
        result = CheckStatus("", 1, "loading procedure " & procID, True, errorMsg)
        '
        ' researcher comment:
        ' here basic interpreter loads content of user-provided script
        ' from underlying repository using following technique:
        '
        ' checking that it is dealing with dm_procedure object
        ' (check was introduced in CVE-2014-2513):
        ' id,c,dm_procedure where r_object_id='procID'
        '
        ' getting content of basic script
        ' fetch,c,procID
        ' getpath,c,l
        '
        result = external(procID)
        If (result = True) Then
            If (procNo = 1) Then
                '
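
The trust boundary in the snippet above, modelled in Python as an added example (not code from the advisory or from OpenText): a type check on a caller-supplied ID still lets the caller choose which script runs, while a lookup against a server-held binding does not. All object IDs, the `ENTRY_CRITERIA` table and both function names are hypothetical, and the model assumes the server can look up which procedure is bound to each lifecycle state.

```python
# Added illustration: a Python model of the trust boundary, not Documentum code.
import re

OBJECT_ID = re.compile(r"[0-9a-f]{16}")
NULL_ID = "0000000000000000"  # "no procedure" value tested in RunProcedure

# Constructed sample data (hypothetical IDs): repository objects by ID.
BOUND_PROC = "08000001800001aa"    # procedure the lifecycle designer attached
OTHER_PROC = "08000001800002bb"    # some other procedure in the repository
POLICY = "46000001800000cc"
REPOSITORY = {BOUND_PROC: "dm_procedure", OTHER_PROC: "dm_procedure",
              "09000001800003dd": "dm_document"}
# Assumption: the server can look up the procedure bound to each state.
ENTRY_CRITERIA = {(POLICY, "Review"): BOUND_PROC}


def advisory_check(proc_id):
    """Model of the check quoted in the advisory: object must be a dm_procedure."""
    return REPOSITORY.get(proc_id) == "dm_procedure"


def bound_procedure(policy_id, state, requested_id):
    """Hardened variant: the caller's ID is compared with the stored binding,
    so it can never select which script runs with elevated privileges."""
    if not OBJECT_ID.fullmatch(requested_id):
        raise ValueError("malformed object id")
    expected = ENTRY_CRITERIA.get((policy_id, state), NULL_ID)
    if requested_id != expected:
        raise PermissionError("procedure is not bound to this lifecycle state")
    if expected == NULL_ID:
        return None  # state has no user-defined entry criteria
    if not advisory_check(expected):
        raise PermissionError("bound object is not a dm_procedure")
    return expected


if __name__ == "__main__":
    print(advisory_check(OTHER_PROC))                       # type check alone passes
    print(bound_procedure(POLICY, "Review", BOUND_PROC))    # accepted
    try:
        bound_procedure(POLICY, "Review", OTHER_PROC)
    except PermissionError as exc:
        print("rejected:", exc)
```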
