OpenText Documentum Administrator / Webtop XXE Injection

`Title: OpenText Documentum Administrator and Webtop - XML External  
Entity Injection  
Author: Jakub Palaczynski, Pawel Gocyla  
Date: 24. September 2017  
CVE (Administrator): CVE-2017-14526  
CVE (Webtop): CVE-2017-14527  
  
Affected software:  
==================  
Documentum Administrator  
Documentum Webtop  
  
Exploit was tested on:  
======================  
Documentum Administrator version 7.2.0180.0055  
Documentum Webtop version 6.8.0160.0073  
Other versions may also be vulnerable.  
  
XML External Entity Injection - 4 instances:  
============================================  
  
Please note that examples below are for Documentum Administrator, but  
the same exploitation takes place in Webtop.  
This vulnerability allows for:  
- listing directories and retrieving content of files from the filesystem  
- stealing hashes of user that runs Documentum (if installed on Windows)  
- DoS  
  
1. Instance 1 and 2:  
Authenticated users can exploit XXE vulnerability by browsing "Tools >  
Preferences". It generates request to  
/xda/com/documentum/ucf/server/transport/impl/GAIRConnector which  
contains two XML structures. Both accept DTD and parse it which allows  
exploitation.  
  
2. Instance 3:  
Authenticated users can exploit XXE vulnerability by using "File >  
Import". Users can import XML files and use "MediaProfile" to open  
file which triggers vulnerability.  
  
3. Instance 4:  
Authenticated users can exploit XXE vulnerability by using "File >  
Check In". Users can use XML check in file and use "MediaProfile" to  
open it which triggers vulnerability.  
  
Fix:  
====  
https://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774  
  
Contact:  
========  
Jakub[dot]Palaczynski[at]gmail[dot]com  
pawellgocyla[at]gmail[dot]com  
  
  
`