Today EMC announced another one CVE: CVE-2015-4544 – Unprivileged Content Server users may potentially escalate their privileges to become a superuser by creating and performing malicious operations on dm_job objects. This is due to improper authorization checks being performed on such objects and some of their attributes. The previous fix for CVE-2014-4626 was incomplete.
And by the “good” tradition fixes actually contain no fixes 🙂 Interesting thing, that EMC tried to fix this vulnerability for 10 months (“Customers on EMC Documentum Content Server prior to 7.0 with extended support agreement are requested to raise hotfix requests through EMC Customer Support.” sounds weird, doesn’t it?), below is an original conversation about CVE-2014-4626:
Sent: Friday, November 07, 2014 3:00 AM
To: CERT Coordination Center
Cc: CERT Coordination Center
Subject: Re: EMC Documentum vulnerability reports VU#315340
Could you please forward my response directly to EMC without any
Fire the security expert – hi is an idiot.
Now clarification for CERT (not to be disclosed for EMC).
I’m not going to describe each security issue individually because
“reproducible” means reproducible, but as example I want to provide a brief
explanation for VRF#HUFU6FNP [VU#315340].
Abstract: “Any user is able to elevate privileges, hijack Content Server
filesystem, execute any commands by creating malicious dm_job objects”
The problem is that non-privileged user is able to create dm_job objects and
execute corresponding docbase methods (some examples of “malicious” methods
are given in VRF#HUFU6FNP, also see VRF#HUFV0UZN), the word “create” here
does mean some sequence of commands which result to existence of dm_job
object. PoC in VRF#HUFU6FNP describes attack on scheduler – scheduler does
not schedule jobs unless they are owned by superuser, so, the command
sequence in that case was: “create dm_job and update dm_job”, EMC thinks
that they have fixed vulnerability, but they just fixed the sequence given
in PoC, another sequence is “create dm_sysobject, update dm_sysobject &
change dm_sysobject” – see VRF#HUGC34JH, it’s already known attack, so I
suspect backdoor here. Also, I could provide third PoC related to this
report, but I do not think that would be useful for EMC.