CVE-2017-5586
Published 2017-02-22
Priority: P180 · Severity: critical · CVSS 3.0 base score: 9.8
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: yes (public exploit referenced below)
EPSS: 22.55% (97.4th percentile)
OpenText Documentum D2 (formerly EMC Documentum D2) 4.x allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the BeanShell (bsh) and Apache Commons Collections (ACC) libraries.
Affected
7 ranges (version bounds not extracted)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| opentext | documentum_d2 | — | — |
Detection & IOCs (extracted from sources)
Bytes: 53 41 56 45 44 7C (ASCII "SAVED|")
- Detect HTTP POST requests to the D2 servlet endpoint with the parameter origD2BocsServletName=Checkin combined with Content-Type: application/octet-stream; this is the delivery mechanism for the malicious serialized Java object.
- Inspect raw TCP/HTTP payloads sent to D2 for the magic byte sequence 'SAVED' followed by byte 0x7C (the pipe character, decimal 124) at the start of the serialized stream body: this is the exploit's custom framing header, prepended before the Java serialized object.
- Alert on Java deserialization payloads (magic bytes 0xACED 0x0005) arriving via HTTP POST to /servlet/DoOperation on Documentum D2 instances; the exploit wraps a PriorityQueue/BeanShell gadget chain inside a ContentStoreResult object.
- Flag HTTP requests to /servlet/DoOperation containing the query parameters _username=dmc_wdk_preferences_owner and _password=webtop, which are hardcoded credentials used by the exploit.
- The exploit targets Documentum D2 version 4.x specifically; the vulnerable endpoint is /servlet/DoOperation. Versions outside the 4.x branch are not confirmed affected by this CVE.
- The vulnerability is exploitable without authentication (CVSS PR:N, UI:N) over the network, so no prior credentials are required to deliver the malicious serialized payload.
- The root cause is that D2 accepts serialized Java objects from untrusted sources and bundles vulnerable BeanShell (bsh) and Apache Commons Collections libraries, which provide the gadget chains for arbitrary code execution.
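The four detection indicators above combined into one request inspector and run over constructed sample requests; this is an added example, not code from the cited sources or from OpenText, and the request layout (method, URL, header dict, body bytes), the function names and the sample bodies are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the detection notes above for CVE-2017-5586.
SAVED_FRAMING = bytes.fromhex("53 41 56 45 44 7C")  # b"SAVED|": custom framing header
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"             # Java ObjectOutputStream header
D2_ENDPOINT = "/servlet/DoOperation"
HARDCODED_CREDS = {"_username": "dmc_wdk_preferences_owner", "_password": "webtop"}

def inspect_request(method, url, headers, body):
    """Return the names of the CVE-2017-5586 indicators one HTTP request matches."""
    parts = urlsplit(url)
    query = {k: v[-1] for k, v in parse_qs(parts.query).items()}
    hdrs = {k.lower(): v for k, v in headers.items()}
    is_post = method.upper() == "POST"
    on_endpoint = parts.path.endswith(D2_ENDPOINT)
    hits = []
    # 1. Checkin operation delivered as a raw octet stream to the D2 servlet.
    if (is_post and on_endpoint and query.get("origD2BocsServletName") == "Checkin"
            and hdrs.get("content-type", "").startswith("application/octet-stream")):
        hits.append("checkin_octet_stream")
    # 2. 'SAVED|' framing at the very start of the body.
    if body.startswith(SAVED_FRAMING):
        hits.append("saved_framing")
    # 3. Java serialization magic anywhere in a POST body to the endpoint.
    if is_post and on_endpoint and JAVA_SERIAL_MAGIC in body:
        hits.append("java_serialized_object")
    # 4. The hardcoded credentials from the public exploit in the query string.
    if all(query.get(k) == v for k, v in HARDCODED_CREDS.items()):
        hits.append("hardcoded_credentials")
    return hits

# Constructed sample requests (not real captures): (method, url, headers, body).
SAMPLES = {
    "suspicious": ("POST",
                   "/D2/servlet/DoOperation?origD2BocsServletName=Checkin"
                   "&_username=dmc_wdk_preferences_owner&_password=webtop",
                   {"Content-Type": "application/octet-stream"},
                   SAVED_FRAMING + JAVA_SERIAL_MAGIC + b"\x00" * 8),
    "plain_checkin": ("POST",
                      "/D2/servlet/DoOperation?origD2BocsServletName=Checkin&_username=alice",
                      {"Content-Type": "application/octet-stream"},
                      b"%PDF-1.7 constructed document body"),
    "benign_get": ("GET", "/D2/servlet/DoOperation?origD2BocsServletName=Export", {}, b""),
}

def scan_samples():
    # Only the 'suspicious' sample should match all four indicators.
    return {name: inspect_request(*req) for name, req in SAMPLES.items()}
```

A request that matches only the endpoint/content-type indicator is weaker evidence than one carrying the framing header or the serialization magic; weight alerts accordingly.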
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/141105/OpenText-Documentum-D2-4.x-Remote-Code-Execution.html
- http://www.securityfocus.com/bid/96216
- https://www.exploit-db.com/exploits/41366/