CVE-2016-0914

Yet another “nothing fixed”:

ESA-2016-069: EMC Documentum WebTop and WebTop Clients Improper Authorization Vulnerability

EMC Identifier: ESA-2016-069

CVE Identifier: CVE-2016-0914

Severity Rating: CVSS v3 Base Score: 5.0 (AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L)

Affected products:
* EMC Documentum WebTop 6.8 and 6.8.1
* EMC Documentum Administrator 7.0, 7.1, 7.2
* EMC Documentum TaskSpace 6.7 SP3
* EMC Documentum Capital Projects 1.9 and 1.10

Summary:
EMC Documentum WebTop and WebTop dependent products contain a fix for an improper authorization vulnerability that could potentially be exploited by malicious users to compromise the affected system.
Details:
Remote authenticated WebTop and WebTop Client users may gain access to the IAPI/IDQL interface in WebTop without proper authorization. Malicious users could exploit this vulnerability to run IAPI/IDQL commands on the affected systems using their own privileges.

Resolution:
The following product releases contain a resolution to this vulnerability:
* EMC Documentum WebTop 6.8 Patch 13 and later
* EMC Documentum WebTop 6.8.1 patch 02 and later
* EMC Documentum Administrator 7.2 Patch 13 and later
* EMC Documentum Capital Projects 1.9 Patch 23 and later
* EMC Documentum Capital Projects 1.10 Patch 10 and later

PoC: https://gist.github.com/andreybpanfilov/785173c085d818c4fbf913075a5ad421

Demo:

dfc.diagnostics.resources.enable

Previously I tried to describe the difference between dynamic and non-dynamic DFC preferences as the existence of some special code which is capable of modifying DFC’s state at runtime; however, there are some dumb cases which can’t be covered by this definition. For example, the com.documentum.fc.client.impl.session.StrongSessionHandle.PreferencesObserver and com.documentum.fc.client.impl.collection.CollectionHandle.PreferencesObserver classes are designed to apply changes of the dfc.diagnostics.resources.enable DFC preference at runtime, but the dfc.diagnostics.resources.enable preference is marked as non-dynamic – looks like a stupid mistake, doesn’t it? In order to eliminate this gap I have created another jsp:

🙂

EMC have shared CS 7.3

Have no idea what the IA acronym means (internet access, internal affairs?), however:

  • AIX/Oracle got resurrected – seems that money triumphs over evil stupidity
  • JMS is now on wildfly 9.0.1
  • bundled JVM version is 1.8.0_66
  • Linux/PostgreSQL is corrupted – try _old directory
  • composer.jar from Linux/Oracle is corrupted, borrow it from Linux/PostgreSQL
  • docker images seem to be corrupted too:
    docker load < centpgrccs 
    6941bfcbbfca: Loading layer [==================================================>] 1.024 kB/1.024 kB
    41459f052977: Loading layer [==================================================>] 224.7 MB/224.7 MB
    open /var/lib/docker/tmp/docker-import-813028725/dd1a6e7bc38e7d74bc5bb7be41e1d1d4f8d17d04cacef4cf93e3cc1ed16ce39e/json: no such file or directory
    
    
    [root@rhel72docker01 ~]# docker load < centpgseamlesscs 
    open /var/lib/docker/tmp/docker-import-785439904/be8abba669364a4895c80b2e4c06d8b391faffc54a190abc6aa91ed13d423140/json: no such file or directory
    
UPD

By tradition I forgot to read the installation guide before performing the installation (actually it would be just a waste of time); in order to install Linux/PostgreSQL you need the following:

  • PostgreSQL database
  • /etc/odbcinst.ini
  • /etc/odbc.ini
  • connection_string environment variable pointing to the ODBC data source name
  • POSTGRESQL_HOME environment variable pointing to the installation directory of the PostgreSQL client libraries (for example, if psql is located in /usr/bin/psql, POSTGRESQL_HOME should be /usr)
  • remove $DM_HOME/bin/liblber-2.4.so.2
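A pre-flight check for the prerequisites above, added here as an example that is not part of the original post. It assumes connection_string names a [section] in odbc.ini and that POSTGRESQL_HOME is the prefix containing bin/psql; all paths are passed as arguments so the check can be pointed at a staging copy before touching the real installation.

```shell
#!/bin/sh
# Added example (not from the original post). Verifies the CS 7.3 Linux/PostgreSQL
# prerequisites listed above before running the installer.
# Usage: check_cs73_pg_prereqs ODBCINST_INI ODBC_INI DSN POSTGRESQL_HOME DM_HOME
# Returns the number of unmet prerequisites (0 = ready), one message each on stderr.
check_cs73_pg_prereqs() {
    odbcinst="$1"; odbc="$2"; dsn="$3"; pg_home="$4"; dm_home="$5"
    failures=0

    # the ODBC driver registry must be present
    if [ ! -f "$odbcinst" ]; then
        echo "missing $odbcinst" >&2; failures=$((failures + 1))
    fi

    # connection_string must name a DSN that odbc.ini actually defines
    # (assumption: a DSN is an INI section header "[name]")
    if [ -z "$dsn" ]; then
        echo "connection_string is not set" >&2; failures=$((failures + 1))
    elif [ ! -f "$odbc" ]; then
        echo "missing $odbc" >&2; failures=$((failures + 1))
    elif ! grep -q "^\[$dsn\]" "$odbc"; then
        echo "no [$dsn] section in $odbc" >&2; failures=$((failures + 1))
    fi

    # POSTGRESQL_HOME is the prefix holding the client binaries, e.g. /usr for /usr/bin/psql
    if [ ! -x "$pg_home/bin/psql" ]; then
        echo "POSTGRESQL_HOME=$pg_home: $pg_home/bin/psql not found" >&2
        failures=$((failures + 1))
    fi

    # the post says the bundled liblber must be removed from $DM_HOME/bin
    if [ -e "$dm_home/bin/liblber-2.4.so.2" ]; then
        echo "remove $dm_home/bin/liblber-2.4.so.2" >&2; failures=$((failures + 1))
    fi

    return "$failures"
}

# Real run, using the environment the installer will see:
# check_cs73_pg_prereqs /etc/odbcinst.ini /etc/odbc.ini "$connection_string" "$POSTGRESQL_HOME" "$DM_HOME"
```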

UPD2

CS distribution media contains a special java utility (MigrationUtil, sources are available) which allows changing the hostname, installation owner and even the docbase identifier and name of an already installed repository; it seems that EMC is seriously considering the idea of distributing CS as a ready-to-run docker image.

UPD3

The MigrationUtil mentioned previously has turned out to be a piece of dog crap – you may use it only if you want to corrupt your database.

UPD4

Have no idea how it is possible to do docker without understanding its basic concepts – docker images are tar archives, not zip: