OpenText Documentum Administrator / Webtop XXE Injection Vulnerability

ID 1337DAY-ID-28639
Type zdt
Reporter Jakub Palaczynski
Modified 2017-09-27T00:00:00


OpenText Documentum Administrator version 7.2.0180.0055 and Documentum Webtop version 6.8.0160.0073 suffer from XML external entity injection vulnerabilities.

                                            Title: OpenText Documentum Administrator and Webtop - XML External
Entity Injection
Author: Jakub Palaczynski, Pawel Gocyla
Date: 24. September 2017
CVE (Administrator): CVE-2017-14526
CVE (Webtop): CVE-2017-14527

Affected software:
Documentum Administrator
Documentum Webtop

Exploit was tested on:
Documentum Administrator version 7.2.0180.0055
Documentum Webtop version 6.8.0160.0073
Other versions may also be vulnerable.

XML External Entity Injection - 4 instances:

Please note that examples below are for Documentum Administrator, but
the same exploitation takes place in Webtop.
This vulnerability allows for:
- listing directories and retrieving content of files from the filesystem
- stealing hashes of user that runs Documentum (if installed on Windows)
- DoS

1. Instance 1 and 2:
Authenticated users can exploit XXE vulnerability by browsing "Tools >
Preferences". It generates request to
/xda/com/documentum/ucf/server/transport/impl/GAIRConnector which
contains two XML structures. Both accept DTD and parse it which allows

2. Instance 3:
Authenticated users can exploit XXE vulnerability by using "File >
Import". Users can import XML files and use "MediaProfile" to open
file which triggers vulnerability.

3. Instance 4:
Authenticated users can exploit XXE vulnerability by using "File >
Check In". Users can use XML check in file and use "MediaProfile" to
open it which triggers vulnerability.



# [2018-02-15]  #