CVE-2017-7221
Published 2017-04-25
Priority: P2 · 60 · high · CVSS 3.0: 8.8
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 4.20% (89.7th percentile)
OpenText Documentum Content Server has an inadequate protection mechanism against SQL injection, which allows remote authenticated users to execute arbitrary code with super-user privileges by leveraging the availability of the dm_bp_transition docbase method with a user-created dm_procedure object, as demonstrated by use of a backspace character in an injected string. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2513.
Detection & IOCs (extracted from sources)
- command: execute do_method with method='dm_bp_transition', arguments='repo repo dmadmin "" 0000000000000000 0000000000000000 0000000000000000 0801d920804e5416 0000000000000000 0000000000000000 0000000000000000 "" 0 0 T F T T dmadmin 0000000000000000'
- command: execute do_method WITH METHOD='dm_bp_transition', ARGUMENTS='repo repo dmadmin "" 0000000000000000 0000000000000000 0000000000000000 "0801fd08805c9dfe,'' union select r_object_id from dm_sysobject where r_object_id=''0801fd08805c9dfe" 0000000000000000 0000000000000000 0000000000000000 "" 0 0 T F T T dmadmin 0000000000000000'
- command: execute do_method WITH METHOD='dm_bp_transition', ARGUMENTS='repo repo dmadmin "" 0000000000000000 0000000000000000 0000000000000000 "0801fd08805c9dfe,'' union all select r_object_id from dm_sysobject where r_object_id=''0801fd08805c9dfe" 0000000000000000 0000000000000000 0000000000000000 "" 0 0 T F T T dmadmin 0000000000000000'
- Detect SQL injection bypass attempts in dm_bp_transition ARGUMENTS containing 'union select' or 'union all select' combined with a trailing comma after an object ID (e.g., '<id>,' union ...).
- Detect bypass of keyword-based SQL injection filters using 'UNION ALL' instead of 'UNION' in dm_bp_transition ARGUMENTS.
- Alert on creation of dm_sysobject or dm_document objects with .ebs file content attached by non-privileged users; this is the attack staging step (it bypasses the restriction on creating dm_procedure objects).
- Inspect the dmbasic binary for the string 'id,%s,dm_procedure where r_object_id = '%s''; its absence indicates an unpatched or partially patched installation that is vulnerable to this CVE.
- The exploit uses ShellSync() within a DMBasic EntryCriteria function to execute OS commands; monitor Content Server process trees for unexpected child processes spawned by dmbasic.
- The SQL injection check introduced by the vendor (ESA-2014-064 / CVE-2014-2513 fix) was implemented only in the dmbasic binary, and the first patch to actually ship the updated dmbasic binary was 6.7 SP2 P17; earlier patches (6.7 SP2 P15, 6.7 SP1 P28) do not contain it.
- The vendor's keyword-based SQL injection filter (ESA-2015-131 / CVE-2015-4533) blocks 'UNION' but not 'UNION ALL', leaving patched systems still exploitable via the ALL keyword variant.
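The detection items above, as an added worked example that is not part of this page or of the CVE's sources: a small Python checker that scans Documentum API command lines for dm_bp_transition do_method calls and flags the ARGUMENTS patterns listed here (UNION / UNION ALL SELECT, an object ID followed by a comma and payload, a stray single quote, and control characters such as the backspace named in the CVE description). The log shape is an assumption: each line is taken to contain the literal execute do_method command as quoted above. The first three sample lines reproduce the argument strings shown on this page; the fourth is constructed.

```python
from __future__ import annotations
import re

# Assumed log shape: one Documentum API command per line, containing the literal
# "execute do_method ..." text as quoted on this page. Real trace files wrap this
# differently; adapt CALL_RE to the actual format.
CALL_RE = re.compile(
    r"do_method\s+with\s+method\s*=\s*'dm_bp_transition'\s*,\s*"
    r"arguments\s*=\s*'(?P<args>.*)'\s*$",
    re.IGNORECASE | re.DOTALL,
)
UNION_RE = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.IGNORECASE)
ID_PAYLOAD_RE = re.compile(r"^[0-9a-f]{16},", re.IGNORECASE)  # "<object id>,<payload>"

# Constructed sample lines. The first three reproduce the argument strings listed on
# this page (a benign call, the UNION SELECT and the UNION ALL SELECT variants); the
# fourth is made up to exercise the control-character check from the CVE description.
PREFIX = ("execute do_method WITH METHOD='dm_bp_transition', ARGUMENTS='repo repo dmadmin \"\" "
          "0000000000000000 0000000000000000 0000000000000000 ")
SUFFIX = (" 0000000000000000 0000000000000000 0000000000000000 \"\" 0 0 T F T T "
          "dmadmin 0000000000000000'")
SAMPLE_LINES = [
    PREFIX + "0801d920804e5416" + SUFFIX,
    PREFIX + "\"0801fd08805c9dfe,'' union select r_object_id from dm_sysobject "
             "where r_object_id=''0801fd08805c9dfe\"" + SUFFIX,
    PREFIX + "\"0801fd08805c9dfe,'' union all select r_object_id from dm_sysobject "
             "where r_object_id=''0801fd08805c9dfe\"" + SUFFIX,
    PREFIX + "\"0801fd08805c9dfe\x08'' or 1=1\"" + SUFFIX,  # constructed, contains a backspace
]


def split_arguments(args: str) -> list[str]:
    """Split the ARGUMENTS string on whitespace, keeping double-quoted spans together."""
    tokens, cur, in_quote, seen_quote = [], [], False, False
    for ch in args:
        if ch == '"':
            in_quote = not in_quote
            seen_quote = True          # so that "" yields an empty token
        elif ch.isspace() and not in_quote:
            if cur or seen_quote:
                tokens.append("".join(cur))
            cur, seen_quote = [], False
        else:
            cur.append(ch)
    if cur or seen_quote:
        tokens.append("".join(cur))
    return tokens


def inspect_line(line: str) -> list[str]:
    """Return findings for one command line; an empty list means nothing suspicious."""
    m = CALL_RE.search(line)
    if not m:
        return []
    args = m.group("args").replace("''", "'")  # undo API single-quote escaping
    findings = []
    for pos, tok in enumerate(split_arguments(args)):
        if UNION_RE.search(tok):
            findings.append(f"arg {pos}: UNION/UNION ALL SELECT in argument")
        if ID_PAYLOAD_RE.match(tok):
            findings.append(f"arg {pos}: object ID followed by trailing payload")
        if "'" in tok:
            findings.append(f"arg {pos}: single quote breaks out of the SQL literal")
        if any(ord(c) < 0x20 for c in tok):
            findings.append(f"arg {pos}: control character (e.g. backspace) in argument")
    return findings


def scan(lines: list[str]) -> dict[int, list[str]]:
    """Map 0-based line index to its findings, for lines that produced any."""
    return {i: f for i, line in enumerate(lines) if (f := inspect_line(line))}


if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_LINES).items():
        print(f"line {idx}: " + "; ".join(findings))
```

The benign call (a bare 16-hex-digit procedure ID in argument 7) produces no findings, while both injected variants are flagged on three counts; because the check is on argument structure rather than on a keyword list, the UNION ALL variant that defeated the vendor filter is caught the same way as plain UNION.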
CVSS provenance
- NVD v3.0: 8.8 HIGH (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
- NVD v2.0: 6.5 MEDIUM (AV:N/AC:L/Au:S/C:P/I:P/A:P)
No detection rules found.
No writeups or analysis indexed.